Distributing MCP servers to your organization
Claude provides admin-level controls that allow organizations to distribute MCP servers to their teams through private marketplaces and managed settings. This guide shows you how to use these features to securely deploy Gram-hosted MCP servers across your organization.
Overview
Claude’s admin MCP controls enable:
- Private plugin marketplaces: Create organization-specific marketplaces to distribute approved MCP servers to your team.
- Desktop extension allowlists: Control which MCP extensions your users can access in Claude Desktop.
- Managed MCP settings: Enforce organization-wide MCP server configurations in Claude Code.
- Unified customization: A centralized “Customize” menu for managing plugins, skills, and connectors.
These controls help IT administrators maintain security standards while giving teams access to the tools they need.
Prerequisites
To configure organization-wide MCP distribution, you need:
- A Gram account with an MCP server ready to distribute
- Claude Team or Enterprise plan with admin (Owner or Primary Owner) permissions
Distributing MCP servers with Claude Desktop
Desktop extension allowlist
Organization owners can control which desktop extensions their users have access to through the desktop extension allowlist. This allows you to:
- Upload custom extensions: Add proprietary MCP extensions directly to your organization.
- Manage access: Define which desktop extensions users can install with one click.
- Remove public extensions: Disable access to public desktop extensions based on your security requirements.
Enterprise feature
Desktop extension management is available for Claude Team and Enterprise plans. Contact your account representative to enable this feature.
Setting up the allowlist
To configure the desktop extension allowlist:
- Sign in to the Claude admin console as an Owner or Primary Owner.
- Navigate to Settings > Desktop Extensions.
- Enable or disable public desktop extensions based on your organization’s security standards.
- Upload custom desktop extensions (including your Gram-hosted MCP servers) and make them available to your team.
Once configured, your team members can install approved extensions with a single click through Claude Desktop’s Connectors interface.
Adding a Gram-hosted MCP server to your allowlist
To distribute a Gram-hosted MCP server to your organization:
- In the Gram dashboard, go to your toolset’s installation page.
- Export the server configuration (see Exporting server configuration).
- In the Claude admin console, upload the configuration as a custom desktop extension.
- Add the extension to your organization’s allowlist.
Your team can now install the MCP server directly from Claude Desktop’s extension marketplace.
Distributing MCP servers with Claude Code
Claude Code supports managed settings for centralized organizational control. These settings cannot be overridden by users or projects, making them ideal for enforcing security policies.
Deployment mechanisms
Managed settings can be deployed through several mechanisms:
| Mechanism | Description |
|---|---|
| Server-managed | Delivered via Anthropic’s Claude.ai admin console |
| macOS MDM | com.anthropic.claudecode managed preferences domain (Jamf, Kandji) |
| Windows Registry | HKLM\SOFTWARE\Policies\ClaudeCode (machine-level) or HKCU\SOFTWARE\Policies\ClaudeCode (user-level) |
| File-based | managed-settings.json and managed-mcp.json in system directories |
File-based managed settings locations
- macOS:
/Library/Application Support/ClaudeCode/ - Linux/WSL:
/etc/claude-code/ - Windows:
C:\Program Files\ClaudeCode\
Configuring MCP server allowlists
Use the allowedMcpServers and deniedMcpServers settings to control which MCP servers your organization can use:
{
"allowedMcpServers": [
{ "serverName": "gram-taskmaster" },
{ "serverName": "gram-internal-api" }
],
"deniedMcpServers": [
{ "serverName": "filesystem" }
]
}allowedMcpServers: When set, acts as an allowlist. An empty array[]locks down all MCP servers.deniedMcpServers: Blocklist that takes precedence over the allowlist.
Restricting to managed MCP servers only
For stricter control, enable allowManagedMcpServersOnly:
{
"allowManagedMcpServersOnly": true,
"allowedMcpServers": [
{ "serverName": "gram-taskmaster" }
]
}When enabled:
- Only MCP servers in the managed
allowedMcpServerslist are accessible. - Users can still attempt to add servers, but only admin-defined servers will function.
deniedMcpServersstill applies from all sources.
Plugin marketplace controls
Use strictKnownMarketplaces to define which plugin marketplaces your organization can access:
{
"strictKnownMarketplaces": [
{ "source": "url", "url": "https://plugins.yourcompany.com/marketplace.json" },
{ "source": "github", "repo": "yourcompany/approved-plugins" }
]
}Supported marketplace sources:
| Source type | Example |
|---|---|
| GitHub repository | { "source": "github", "repo": "acme-corp/plugins" } |
| Git repository | { "source": "git", "url": "https://gitlab.example.com/plugins.git" } |
| URL-based | { "source": "url", "url": "https://cdn.example.com/marketplace.json" } |
| NPM package | { "source": "npm", "package": "@acme-corp/claude-plugins" } |
| File path | { "source": "file", "path": "/usr/local/share/claude/marketplace.json" } |
| Host pattern | { "source": "hostPattern", "hostPattern": "^github\\.example\\.com$" } |
Setting strictKnownMarketplaces to an empty array [] prevents users from adding any marketplaces, creating a complete lockdown.
Deploying Gram-hosted MCP servers to your organization
Here’s how to distribute a Gram-hosted MCP server across your organization using Claude Code managed settings:
Step 1: Create the MCP server configuration
Create a managed-mcp.json file with your Gram-hosted MCP server configuration:
{
"mcpServers": {
"gram-taskmaster": {
"command": "npx",
"args": [
"mcp-remote",
"https://app.getgram.ai/mcp/your-toolset-slug",
"--header",
"Authorization: Bearer ${GRAM_API_KEY}"
]
}
}
}Replace your-toolset-slug with your actual toolset slug from the Gram dashboard.
Step 2: Create the managed settings
Create a managed-settings.json file to enforce the MCP server:
{
"allowManagedMcpServersOnly": true,
"allowedMcpServers": [
{ "serverName": "gram-taskmaster" }
]
}Step 3: Deploy to your organization
Deploy the configuration files to the appropriate system directory based on your operating system:
- macOS:
/Library/Application Support/ClaudeCode/ - Linux:
/etc/claude-code/ - Windows:
C:\Program Files\ClaudeCode\
For MDM-managed deployments, configure the settings through your MDM solution (Jamf, Kandji, Intune, etc.).
Step 4: Verify deployment
Users can verify the managed settings are active by running /status inside Claude Code. The output shows active settings sources and their origins (Enterprise managed settings from remote, plist, HKLM registry, or file).
Security considerations
When distributing MCP servers across your organization:
- Authentication: Use managed authentication for Gram-hosted MCP servers to centralize credential management.
- Audit logging: Enable audit logging in Gram to track all tool calls made through your MCP servers.
- Network boundaries: Desktop extensions operate within corporate network boundaries, using existing authenticated contexts without additional firewall rules.
- Zero-trust compliance: Gram-hosted MCP servers support zero-trust architecture with complete control over access, authentication, and logging.
Security best practices
Without proper governance, unauthorized MCP servers can bypass security controls. Use the managed settings and allowlist features to enforce your organization’s security policies.
Comparison of distribution methods
| Feature | Claude Desktop | Claude Code |
|---|---|---|
| Admin controls location | Claude admin console | Managed settings files |
| Distribution mechanism | Desktop extension marketplace | MDM/file-based deployment |
| One-click install | Yes | No (managed automatically) |
| Per-user configuration | Via allowlist | Via managed settings |
| Audit capabilities | Via Gram dashboard | Via Gram dashboard |
What’s next
- Create your first MCP server to distribute to your organization.
- Learn about adding OAuth authentication for secure managed authentication.
- Explore public and private server visibility options for your MCP servers.
Last updated on