OpenAI Codex
Codex governance has two halves — org-side (OpenAI Admin API + Compliance API for prompts, runs, moderation events) and endpoint-side (codex CLI invocations). Arrakis ingests both. This page covers admin-console enablement and endpoint-side MDM delivery of an OTel-aware wrapper.
When to use this
Use this page if your fleet uses OpenAI Codex (CLI or IDE integration). Covers OpenAI Admin Console + Compliance API setup and the MDM-deployed wrapper that injects OTel-aware env into Codex invocations.
3-step Quickstart
- In the Arrakis platform, paste your OpenAI Admin API key under Settings → Integrations → OpenAI.
- Download the tenant-specific Codex MDM payload (wrapper script + MDM profile) from Settings → Integrations → Deployment → Codex.
- Deploy via your MDM and confirm `which -a codex` shows the wrapper resolves first.
Where tenant-specific values come from
Sign in to the Arrakis platform → Settings → Integrations → Deployment. The OTLP endpoint, header secret, vendor admin API keys, and per-tool MDM payload templates for your tenant live there.
Reference: full configuration walkthrough
OpenAI Admin Console walkthrough
- Sign in to platform.openai.com as an org admin.
- Settings → Codex → enable for the org.
- Settings → API → Admin keys → create `arrakis-admin-readonly`. Scope: read. Paste into Arrakis platform Settings → Integrations → OpenAI.
- Settings → Compliance → ensure Compliance API access is enabled (Enterprise plan required). This is the surface Arrakis reads for prompt/response/run history.
- Settings → Authentication → SSO/SCIM.
Deep links: OpenAI Codex docs, OpenAI platform.
Endpoint env vars worth managing via MDM
Be conservative — only the following are widely documented:
| Env var | Purpose |
|---|---|
| `CODEX_NON_INTERACTIVE` | Set to 1 for unattended installs and CI flows |
| `OPENAI_API_KEY` | Per-user or per-machine API token; prefer issuance via SSO + Admin API |
| `OPENAI_BASE_URL` | Override the OpenAI endpoint; useful when egressing through a corporate proxy |
Codex does not currently expose a first-class OpenTelemetry exporter. The Arrakis-recommended pattern is to wrap `codex` invocations with a launcher that exports `OTEL_*` env into an OTel-aware sidecar or proxy. See Managed deployment shape below. For any Codex-side telemetry knobs introduced after this page was written, see the OpenAI Codex docs.
Managed deployment shape
Ship a wrapper script via MDM that exports the Arrakis-recommended OTel env (OTEL_EXPORTER_OTLP_PROTOCOL, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, OTEL_RESOURCE_ATTRIBUTES) and then exec’s the real codex binary. This is the same pattern used for Cursor.
PATH ordering matters — install the wrapper directory before the upstream Codex install dir so codex invocations resolve to the wrapper.
The wrapper script bodies (bash, PowerShell), the tenant OTLP endpoint, the bearer token value, and the install paths used in your tenant are provisioned per-tenant in the Arrakis platform under Settings → Integrations → Deployment, or available from Arrakis support.
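A minimal sketch of the wrapper pattern described above, as an added example and not the Arrakis-provisioned script. The endpoint and token are placeholders, the protocol value and header format are assumptions, and the function names are hypothetical. It shows the one detail the PATH ordering forces on any such wrapper: finding the upstream binary without resolving back to itself.

```shell
#!/bin/sh
# Added sketch of the wrapper pattern; not the Arrakis-provisioned script.
# Placeholders: the real endpoint and token come from the tenant payload.
OTLP_ENDPOINT="https://otlp.example.invalid"   # placeholder
OTLP_TOKEN="REPLACE_WITH_TENANT_TOKEN"         # placeholder

# Print the first executable `codex` on PATH outside $1 (the wrapper's own
# physical directory). Skipping that directory keeps the wrapper from exec'ing
# itself in a loop; empty PATH entries (the current directory) are skipped too.
# The body is a subshell, so the IFS and set -f changes do not leak out.
find_real_codex() (
    self_dir=$1
    set -f; IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || continue
        [ "$(cd "$dir" 2>/dev/null && pwd -P)" = "$self_dir" ] && continue
        if [ -f "$dir/codex" ] && [ -x "$dir/codex" ]; then
            printf '%s\n' "$dir/codex"
            exit 0
        fi
    done
    exit 1
)

# Export the four OTel variables this page names, then exec the real binary so
# its exit status and signals pass through unchanged.
run_wrapper() {
    self_dir=$1; shift
    if ! real=$(find_real_codex "$self_dir"); then
        echo "codex wrapper: no upstream codex found on PATH" >&2
        return 127
    fi
    export OTEL_EXPORTER_OTLP_PROTOCOL="http/protobuf"   # assumed value
    export OTEL_EXPORTER_OTLP_ENDPOINT="$OTLP_ENDPOINT"
    export OTEL_EXPORTER_OTLP_HEADERS="Authorization=Bearer $OTLP_TOKEN"   # assumed format
    export OTEL_RESOURCE_ATTRIBUTES="service.name=codex"
    exec "$real" "$@"
}

# Act as the wrapper only when installed under the name `codex`.
case ${0##*/} in
    codex) run_wrapper "$(cd "$(dirname "$0")" && pwd -P)" "$@" ;;
esac
```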
MDM payloads
Jamf Pro (macOS)
- Files & Processes payload: deliver the wrapper to its install path (provisioned by Arrakis) with mode 0755 and owner root:wheel.
- Custom Configuration Profile (Preference Domain `com.openai.codex` if your Codex version reads it; otherwise scope at user-level launchd plist) to set `OPENAI_BASE_URL` and any `OTEL_*` env Arrakis recommends.
- Smart Group: scope to developer machines only (membership criteria: `Codex CLI installed`).
Microsoft Intune
- macOS: shell-script policy that installs the wrapper and prepends it to PATH so the wrapper resolves first.
- Windows: package the wrapper as a Win32 app (.intunewin). Use Settings catalog to set HKLM env vars under the system Environment key, or set the registry-based env via PowerShell at install.
- Assignment: developer device or user group.
Iru (macOS)
On Iru (formerly Kandji):
- Custom Script library item (install, marked Continuously Enforced) that drops the wrapper into place.
- Custom Profile library item with a launchd plist that sets `OTEL_*` env at user-session start.
Generic
- macOS launchd plist setting env at session start.
- Windows scheduled task at user logon to set `HKCU\Environment` `OTEL_*` values.
The exact wrapper install paths, launchd plist file names, and PATH-shim file names used by Arrakis are provisioned per-tenant; copy them from the Arrakis platform under Settings → Integrations → Deployment.
Admin API key issuance and rotation
Same shape as Claude Cowork:
- Read-only Admin API key labeled `arrakis-admin-readonly`.
- Rotation every 90 days. Create new → update Arrakis → revoke old.
- Paste into Arrakis platform Settings → Integrations → OpenAI.
Egress verification
Cross-link to OTel Collector & Arrakis Endpoint → Verifying connectivity. Run the curl probe from a developer machine. Codex-specific:
- Verify the wrapper resolves first: `which -a codex` (macOS/Linux) or `where.exe codex` (Windows) — the Arrakis wrapper must be the first hit.
- Verify env propagation: invoke the wrapper with `--version` then check the OTel collector for a fresh `service.name=codex` resource record.
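The first check above can be scripted for macOS/Linux endpoints. This is an added example, not an Arrakis script: the function names are hypothetical, the wrapper path is whatever your tenant payload installs, and the ownership and write-permission check (based on the mode 0755, root:wheel delivery in the Jamf section, extended here to the parent directory) is an addition of this example.

```shell
# Added example, not an Arrakis script. Pass the wrapper install path from
# your tenant payload as the first argument.

# Physical (symlink-free) path of a file, so a directory and a symlinked alias
# of it compare equal.
phys() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd -P)" "$(basename "$1")"
}

# 0 if the first `codex` the shell resolves on PATH is the expected wrapper.
wrapper_resolves_first() {
    first=$(command -v codex 2>/dev/null) || return 1
    [ "$(phys "$first")" = "$(phys "$1")" ]
}

# 0 if the wrapper is owned by uid $2 (default 0, root) and neither it nor its
# directory is writable by group or other.
wrapper_perms_ok() {
    [ -f "$1" ] || return 1
    loose=$(find "$1" "$(dirname "$1")" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ] || return 1
    [ "$(ls -ldn "$1" | awk '{print $3}')" = "${2:-0}" ]
}

# Print one line per check; return non-zero if any check fails.
verify_codex_wrapper() {
    rc=0
    if wrapper_resolves_first "$1"; then
        echo "ok: wrapper resolves first"
    else
        echo "FAIL: first codex on PATH is $(command -v codex || echo none)"; rc=1
    fi
    if wrapper_perms_ok "$1" "${2:-0}"; then
        echo "ok: ownership and mode"
    else
        echo "FAIL: wrapper or its directory is mis-owned or group/world-writable"; rc=1
    fi
    return $rc
}
```

Run it as `verify_codex_wrapper <wrapper path>` in the same kind of session developers use, since PATH set by a login profile or launchd plist may differ from a root or MDM-agent shell.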
Cross-references
- OTel Collector & Arrakis Endpoint
- Claude Code — analogous MDM pattern for native OTel
- MDM Sync & Change Management
- Connectors → Coding Agents
- Offboarding
- Multi-sending OTel
- IdP Integration
- Quarantine