Distributing MCP servers to your organization

Claude provides admin-level controls that allow organizations to distribute MCP servers to their teams through private marketplaces and managed settings. This guide shows you how to use these features to securely deploy Gram-hosted MCP servers across your organization.

Overview

Claude’s admin MCP controls enable:

  • Private plugin marketplaces: Create organization-specific marketplaces to distribute approved MCP servers to your team.
  • Desktop extension allowlists: Control which MCP extensions your users can access in Claude Desktop.
  • Managed MCP settings: Enforce organization-wide MCP server configurations in Claude Code.
  • Unified customization: A centralized “Customize” menu for managing plugins, skills, and connectors.

These controls help IT administrators maintain security standards while giving teams access to the tools they need.

Prerequisites

To configure organization-wide MCP distribution, you need:

  • A Gram account with an MCP server ready to distribute
  • Claude Team or Enterprise plan with admin (Owner or Primary Owner) permissions

Distributing MCP servers with Claude Desktop

Desktop extension allowlist

Organization owners can control which desktop extensions their users have access to through the desktop extension allowlist. This allows you to:

  1. Upload custom extensions: Add proprietary MCP extensions directly to your organization.
  2. Manage access: Define which desktop extensions users can install with one click.
  3. Remove public extensions: Disable access to public desktop extensions based on your security requirements.

Setting up the allowlist

To configure the desktop extension allowlist:

  1. Sign in to the Claude admin console as an Owner or Primary Owner.
  2. Navigate to Settings > Desktop Extensions.
  3. Enable or disable public desktop extensions based on your organization’s security standards.
  4. Upload custom desktop extensions (including your Gram-hosted MCP servers) and make them available to your team.

Once configured, your team members can install approved extensions with a single click through Claude Desktop’s Connectors interface.

Adding a Gram-hosted MCP server to your allowlist

To distribute a Gram-hosted MCP server to your organization:

  1. In the Gram dashboard, go to your toolset’s installation page.
  2. Export the server configuration (see Exporting server configuration).
  3. In the Claude admin console, upload the configuration as a custom desktop extension.
  4. Add the extension to your organization’s allowlist.

Your team can now install the MCP server directly from Claude Desktop’s extension marketplace.

Distributing MCP servers with Claude Code

Claude Code supports managed settings for centralized organizational control. These settings cannot be overridden by users or projects, making them ideal for enforcing security policies.

Deployment mechanisms

Managed settings can be deployed through several mechanisms:

| Mechanism | Description |
| --- | --- |
| Server-managed | Delivered via Anthropic’s Claude.ai admin console |
| macOS MDM | com.anthropic.claudecode managed preferences domain (Jamf, Kandji) |
| Windows Registry | HKLM\SOFTWARE\Policies\ClaudeCode (machine-level) or HKCU\SOFTWARE\Policies\ClaudeCode (user-level) |
| File-based | managed-settings.json and managed-mcp.json in system directories |

File-based managed settings locations

  • macOS: /Library/Application Support/ClaudeCode/
  • Linux/WSL: /etc/claude-code/
  • Windows: C:\Program Files\ClaudeCode\

Configuring MCP server allowlists

Use the allowedMcpServers and deniedMcpServers settings to control which MCP servers your organization can use:

{
  "allowedMcpServers": [
    { "serverName": "gram-taskmaster" },
    { "serverName": "gram-internal-api" }
  ],
  "deniedMcpServers": [
    { "serverName": "filesystem" }
  ]
}

  • allowedMcpServers: When set, acts as an allowlist. An empty array [] locks down all MCP servers.
  • deniedMcpServers: Blocklist that takes precedence over the allowlist.

Restricting to managed MCP servers only

For stricter control, enable allowManagedMcpServersOnly:

{
  "allowManagedMcpServersOnly": true,
  "allowedMcpServers": [
    { "serverName": "gram-taskmaster" }
  ]
}

When enabled:

  • Only MCP servers in the managed allowedMcpServers list are accessible.
  • Users can still attempt to add servers, but only admin-defined servers will function.
  • deniedMcpServers still applies from all sources.

Plugin marketplace controls

Use strictKnownMarketplaces to define which plugin marketplaces your organization can access:

{
  "strictKnownMarketplaces": [
    { "source": "url", "url": "https://plugins.yourcompany.com/marketplace.json" },
    { "source": "github", "repo": "yourcompany/approved-plugins" }
  ]
}

Supported marketplace sources:

| Source type | Example |
| --- | --- |
| GitHub repository | { "source": "github", "repo": "acme-corp/plugins" } |
| Git repository | { "source": "git", "url": "https://gitlab.example.com/plugins.git" } |
| URL-based | { "source": "url", "url": "https://cdn.example.com/marketplace.json" } |
| NPM package | { "source": "npm", "package": "@acme-corp/claude-plugins" } |
| File path | { "source": "file", "path": "/usr/local/share/claude/marketplace.json" } |
| Host pattern | { "source": "hostPattern", "hostPattern": "^github\\.example\\.com$" } |

Setting strictKnownMarketplaces to an empty array [] prevents users from adding any marketplaces, creating a complete lockdown.
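
A review check for a strictKnownMarketplaces list before it is deployed. This is an added example, not code from Claude Code or Gram. The https requirement and the anchoring rule for hostPattern are local policy assumptions modelled on the examples above, Python's re stands in for whatever regex engine the client uses, and the sample entries are constructed.

```python
import re
from urllib.parse import urlparse

# Source type -> key that carries its value, taken from the table above.
VALUE_KEY = {"github": "repo", "git": "url", "url": "url",
             "npm": "package", "file": "path", "hostPattern": "hostPattern"}

def check_pattern(pattern):
    """Check that a hostPattern compiles and is anchored like the page's example."""
    try:
        re.compile(pattern)  # Python's re, used here as an approximation
    except re.error as exc:
        return [f"invalid regex ({exc})"]
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return ["not anchored with ^ and $, may match longer host names"]
    return []

def lint_marketplaces(entries):
    """Return findings for a strictKnownMarketplaces list."""
    if not entries:
        return ["note: empty list, users cannot add any marketplace"]
    findings = []
    for i, entry in enumerate(entries):
        source = entry.get("source")
        key = VALUE_KEY.get(source)
        if key is None:
            findings.append(f"[{i}] unknown source type {source!r}")
            continue
        value = entry.get(key)
        if not isinstance(value, str) or not value:
            findings.append(f"[{i}] {source}: missing {key!r}")
        elif source in ("url", "git") and urlparse(value).scheme != "https":
            # Policy assumption in this example: remote sources must use https.
            findings.append(f"[{i}] {source}: {value} does not use https")
        elif source == "hostPattern":
            findings.extend(f"[{i}] hostPattern: {m}" for m in check_pattern(value))
    return findings

# Constructed sample input.
SAMPLE = [
    {"source": "github", "repo": "yourcompany/approved-plugins"},
    {"source": "url", "url": "http://plugins.yourcompany.com/marketplace.json"},
    {"source": "hostPattern", "hostPattern": "github\\.example\\.com"},
    {"source": "svn", "url": "https://svn.example.com/plugins"},
    {"source": "npm"},
]

if __name__ == "__main__":
    print("\n".join(lint_marketplaces(SAMPLE)))
```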

Deploying Gram-hosted MCP servers to your organization

Here’s how to distribute a Gram-hosted MCP server across your organization using Claude Code managed settings:

Step 1: Create the MCP server configuration

Create a managed-mcp.json file with your Gram-hosted MCP server configuration:

{
  "mcpServers": {
    "gram-taskmaster": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://app.getgram.ai/mcp/your-toolset-slug",
        "--header",
        "Authorization: Bearer ${GRAM_API_KEY}"
      ]
    }
  }
}

Replace your-toolset-slug with your actual toolset slug from the Gram dashboard.

Step 2: Create the managed settings

Create a managed-settings.json file to enforce the MCP server:

{
  "allowManagedMcpServersOnly": true,
  "allowedMcpServers": [
    { "serverName": "gram-taskmaster" }
  ]
}

Step 3: Deploy to your organization

Deploy the configuration files to the appropriate system directory based on your operating system:

  • macOS: /Library/Application Support/ClaudeCode/
  • Linux: /etc/claude-code/
  • Windows: C:\Program Files\ClaudeCode\

For MDM-managed deployments, configure the settings through your MDM solution (Jamf, Kandji, Intune, etc.).

Step 4: Verify deployment

Users can verify the managed settings are active by running /status inside Claude Code. The output shows active settings sources and their origins (Enterprise managed settings from remote, plist, HKLM registry, or file).
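
A pre-deployment check that cross-references managed-mcp.json against managed-settings.json, covering both the allowlist and blocklist rules described under "Configuring MCP server allowlists" and the files created in Steps 1 and 2. This is an added example, not code from Claude Code or Gram. It assumes that an absent allowedMcpServers key means no allowlist applies. The token value and the filesystem server entry in the sample are constructed.

```python
import json
import re

# Flags a literal token after "Bearer"; a "${VAR}" placeholder is not flagged.
HARDCODED_BEARER = re.compile(r"Bearer\s+(?!\$\{\w+\})\S+")

def names(settings, key):
    """Set of serverName values under key, or None when the key is absent."""
    if key not in settings:
        return None
    return {entry.get("serverName") for entry in settings[key]}

def lint_managed_config(mcp_cfg, settings):
    """Return findings for a managed-mcp.json / managed-settings.json pair."""
    findings = []
    allowed = names(settings, "allowedMcpServers")
    denied = names(settings, "deniedMcpServers") or set()
    servers = mcp_cfg.get("mcpServers", {})
    if not settings.get("allowManagedMcpServersOnly"):
        findings.append("allowManagedMcpServersOnly is not enabled")
    if allowed is None:  # assumption: no key means no allowlist
        findings.append("allowedMcpServers is not set, so no allowlist applies")
    for name, spec in servers.items():
        if name in denied:  # the blocklist takes precedence over the allowlist
            findings.append(f"{name}: listed in deniedMcpServers")
        elif allowed is not None and name not in allowed:  # [] allows nothing
            findings.append(f"{name}: not in allowedMcpServers")
        if any(HARDCODED_BEARER.search(a) for a in spec.get("args", [])):
            findings.append(f"{name}: literal bearer token in args")
    for name in sorted((allowed or set()) - set(servers)):
        findings.append(f"{name}: allowlisted but has no managed definition")
    return findings

# Constructed sample input (the token is a placeholder, not a real key).
BAD_MCP = json.loads("""{"mcpServers": {
  "gram-taskmaster": {"command": "npx", "args": ["mcp-remote",
    "https://app.getgram.ai/mcp/your-toolset-slug",
    "--header", "Authorization: Bearer EXAMPLE-TOKEN-NOT-REAL"]},
  "filesystem": {"command": "npx", "args": ["hypothetical-filesystem-server"]}}}""")
BAD_SETTINGS = json.loads("""{
  "allowedMcpServers": [{"serverName": "gram-taskmaster"},
                        {"serverName": "gram-internal-api"}],
  "deniedMcpServers": [{"serverName": "filesystem"}]}""")

if __name__ == "__main__":
    for finding in lint_managed_config(BAD_MCP, BAD_SETTINGS):
        print("FINDING:", finding)
```

The configuration from Steps 1 and 2, with its ${GRAM_API_KEY} placeholder, produces no findings.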

Security considerations

When distributing MCP servers across your organization:

  • Authentication: Use managed authentication for Gram-hosted MCP servers to centralize credential management.
  • Audit logging: Enable audit logging in Gram to track all tool calls made through your MCP servers.
  • Network boundaries: Desktop extensions operate within corporate network boundaries, using existing authenticated contexts without additional firewall rules.
  • Zero-trust compliance: Gram-hosted MCP servers support zero-trust architecture with complete control over access, authentication, and logging.

Comparison of distribution methods

| Feature | Claude Desktop | Claude Code |
| --- | --- | --- |
| Admin controls location | Claude admin console | Managed settings files |
| Distribution mechanism | Desktop extension marketplace | MDM/file-based deployment |
| One-click install | Yes | No (managed automatically) |
| Per-user configuration | Via allowlist | Via managed settings |
| Audit capabilities | Via Gram dashboard | Via Gram dashboard |
