Deploying Managed Claude Code Policies at Scale for Apple MDM
The Challenge: AI-Assisted Development Meets Enterprise Governance in Apple MDM
Claude Code is transforming how developers write, review, debug code and more. But as AI adoption spreads across your organization, a familiar challenge emerges: how do you ensure consistent, compliant AI behavior across every department at scale?
Without cohesive, centralized management, each developer configures Claude Code independently. Security policies get forgotten. Coding standards vary by team. Compliance requirements become suggestions rather than guardrails.
That’s where Addigy’s Apple MDM and Claude Code meet.
How does this fit into my existing Apple device management strategy?
Because Addigy is an Apple-first MDM, you can treat Claude Code policies like any other configuration and deploy them by policy, group or client.
How to Manage Claude Code Policies on Macs with Addigy
IT leaders and MSPs are under pressure to embrace AI-assisted development without losing control of security, compliance, or coding standards. This guide shows how to use Addigy to centrally manage Claude Code policies across every Mac in your fleet.
Claude Code supports a managed policy file that IT, DevOps, and MSP teams can deploy organization‑wide using Addigy’s Apple‑first device management platform. By treating CLAUDE.md like any other configuration in your Apple device management strategy, you can enforce consistent AI behavior across every managed Mac.
Unlike user-level configurations that developers control, managed policies live in a protected system directory:
/Library/Application Support/ClaudeCode/CLAUDE.md
These policies automatically merge with project-level and user-level configurations, but managed policies take precedence for security and compliance directives.
How to deploy Claude.md with Addigy
Addigy makes deploying and maintaining these policy files straightforward across your Mac fleet:
- Custom Scripts – Deploy the CLAUDE.md file to the correct location with proper permissions using shell scripts
- Facts – Monitor which devices have the policy installed and detect drift from your expected configuration
- Policies – Group devices by team or department and deploy tailored policies to each
Step-by-Step: Deploying Claude Code Policies via Addigy
1. Create Your Managed CLAUDE.md
Start with your organization’s requirements. A typical enterprise policy might include:
# Acme Corp - Claude Code Policy
## Security Requirements
- Never output secrets, API keys, or credentials in code suggestions
- Always use parameterized queries for database operations
- Flag any code that disables SSL/TLS verification
## Coding Standards
- Follow Acme's style guide at wiki.acme.com/style
- Prefer TypeScript over JavaScript for new projects
- All public functions require JSDoc comments
## Compliance
- Do not generate code that processes PII without encryption
- Healthcare projects must follow HIPAA data handling patterns
- Log all database mutations for audit trails
## Restrictions
- Do not suggest dependencies with known CVEs
- Avoid deprecated APIs in Apple frameworks2. Create a Custom Script in Addigy
Navigate to Catalog > Smart Software and create a new item:
Installation Script:
#!/bin/bash
# Create directory if it doesn't exist
mkdir -p "/Library/Application Support/ClaudeCode"
# Deploy the managed policy
cat > "/Library/Application Support/ClaudeCode/CLAUDE.md" << 'EOF'
# Your policy content here
# (paste your CLAUDE.md content)
EOF
# Set appropriate permissions
chmod 644 "/Library/Application Support/ClaudeCode/CLAUDE.md"
chown root:wheel "/Library/Application Support/ClaudeCode/CLAUDE.md"
echo "Claude Code managed policy deployed successfully"
Condition (to check if deployment is needed):
#!/bin/bash
POLICY_PATH="/Library/Application Support/ClaudeCode/CLAUDE.md"
EXPECTED_HASH="your-sha256-hash-here"
if [ -f "$POLICY_PATH" ]; then
CURRENT_HASH=$(shasum -a 256 "$POLICY_PATH" | awk '{print $1}')
if [ "$CURRENT_HASH" == "$EXPECTED_HASH" ]; then
exit 0 # Policy is current
fi
fi
exit 1 # Policy needs deployment3. Deploy to Your Fleet
Assign the Custom Software to your target Addigy policies:
- All Developers – For organization-wide standards
- Engineering Teams – For department-specific additions
- Contractors – For stricter compliance requirements
4. Monitor Compliance and Policy Drift with Addigy Facts
Create a Fact to track deployment status:
#!/bin/bash
if [ -f "/Library/Application Support/ClaudeCode/CLAUDE.md" ]; then
shasum -a 256 "/Library/Application Support/ClaudeCode/CLAUDE.md" | awk '{print $1}'
else
echo "missing"
fiThis returns either the policy’s hash or “missing,” letting you verify both presence and version across your fleet.
Outcomes for IT Teams and MSPs
With managed Claude Code policies deployed via Addigy, you get:
- Consistent AI behavior across every managed Mac running Claude Code, aligned with your organization’s policies.
- Enforced security and compliance standards that individual developers cannot override.
- Fleet-wide visibility into which devices have current Claude Code policies using Addigy Facts and reporting.
- Scalable, repeatable governance for AI-assisted development across internal teams and MSP client environments.
