Control MCP server access for your organization - Claude Code Docs

Detailed Analysis

Anthropic has released detailed administrative documentation for Claude Code that outlines how enterprise organizations can control access to Model Context Protocol (MCP) servers within their deployments. The documentation addresses a fundamental tension in AI tooling infrastructure: MCP servers dramatically extend Claude Code's capabilities by connecting it to external services and data sources, but unrestricted access to arbitrary third-party servers presents meaningful security and compliance risks for organizations. By default, any user running Claude Code can connect any MCP server of their choosing, and while Anthropic reviews servers before listing them in its official directory, the company explicitly does not security-audit or manage those servers. The documentation gives administrators a graduated range of restriction patterns, from complete disablement of MCP to permissive denylist-only configurations, allowing organizations to calibrate control to their specific risk tolerance.

The technical mechanism at the center of Anthropic's approach is a managed-mcp.json file deployed to system-level paths through standard enterprise device management tooling such as Jamf, Intune, or Group Policy. When present, this file grants administrators exclusive control, preventing users from adding, modifying, or using any MCP servers outside what the file defines—including plugin-provided servers and claude.ai connectors. This design pattern mirrors how enterprises manage browser extensions or application whitelisting: a centrally deployed configuration takes precedence over user preferences. The documentation pairs this with allowedMcpServers and deniedMcpServers policy fields that can filter servers by URL, command, or name, providing a secondary filtering layer. Critically, the documentation warns administrators not to store API keys in the managed configuration file since any user on a machine can read it, instead directing them toward environment variable expansion, OAuth flows, or per-user credential generation via a headersHelper mechanism.

The distinction Anthropic draws between its allowlist and denylist mechanisms reflects a nuanced understanding of enterprise policy enforcement. The allowlist, when set alongside the allowManagedMcpServersOnly flag in a managed settings source, becomes authoritative and cannot be broadened by individual users. Without that flag, allowlists from multiple settings sources merge, meaning users retain the ability to expand what is permitted. Denylists, by contrast, always merge from every settings source, meaning users can always add their own blocked servers on top of whatever the organization has defined. This asymmetric design gives organizations strong containment capability while preserving some degree of user autonomy for less sensitive configurations.

The documentation's emergence reflects a broader maturation in how AI development tooling is transitioning from individual productivity tools into enterprise software requiring governance infrastructure. MCP, which Anthropic introduced as a standardized protocol for connecting language models to external tools and data, has rapidly grown in ecosystem adoption across multiple AI vendors and platforms. As organizations begin deploying Claude Code at scale across engineering teams, the absence of administrative controls would create meaningful barriers to enterprise adoption, particularly in regulated industries where data handling and third-party integrations require audit trails and access controls. The validation commands Anthropic provides—allowing administrators to confirm that managed configurations are active and that policy-blocked commands return explicit enterprise-policy error messages—indicate that the company is building operational tooling suitable for IT departments, not just developer-facing documentation.

This development connects to a wider pattern in enterprise AI deployment where the technical capability of AI agents must be matched by corresponding governance and security infrastructure. The MCP ecosystem, now spanning hundreds of servers connecting AI models to code repositories, project management tools, databases, and internal APIs, creates an attack surface that security teams must account for. Anthropic's layered approach—combining file-based deployment, policy-based filtering, and audit through usage monitoring—mirrors the defense-in-depth models organizations apply to other privileged software. The explicit acknowledgment that Anthropic itself does not audit third-party MCP servers, even those listed in its official directory, is a significant disclosure that puts the compliance burden squarely on enterprise administrators, reinforcing the need for exactly the kind of organizational controls this documentation describes.