Claude Cowork Setup
Cowork runs in Claude Desktop, not in the Claude Code CLI. The install is an MCP server config in ~/Library/Application Support/Claude/claude_desktop_config.json, not a plugin-marketplace install. This page covers the flow that gives every Cowork MCP tool call policy enforcement from your Agent Keeper dashboard, using the same policy engine and the same configuration Claude Code uses.
What this is NOT
- ❌ Not a Claude Code plugin. There is no `/plugin install` command in Cowork; that command only exists in the Claude Code CLI.
- ❌ No PreToolUse hooks. Claude Desktop (where Cowork runs) does not support the hook system Claude Code uses. Enforcement runs at the MCP proxy layer, not in a hook.
- ❌ No slash commands. Commands like `/agentkeeper:connect` are for the Claude Code plugin. Cowork connects via the MCP gateway config instead.
For the Claude Code CLI plugin, see /docs/claude-code-plugin.
Install (individual developer)
One command. Installs the agentkeeper-mcp-gateway binary (cosign-verified), writes your config file, wires Claude Desktop's MCP through the gateway, and tells you when to restart.
```
$ curl -fsSL https://YOUR_AGENTKEEPER_URL/install-gateway.sh | AGENTKEEPER_API_KEY=ak_live_YOURKEY bash
```
Replace ak_live_YOURKEY with your key from Settings → API Keys. After the install finishes, quit and relaunch Claude Desktop; the MCP config is read only at app start.
Prefer an interactive prompt? curl -fsSL https://YOUR_AGENTKEEPER_URL/install-gateway.sh | bash without the env var will ask for your API key on the terminal and fall through to the same config + configure-ide flow. Hit Enter to skip setup and finish manually later.
configure-ide is idempotent and safe to re-run. It backs up your existing claude_desktop_config.json, migrates any MCP servers you had into the gateway's routing table, and writes a single mcpServers entry pointing at the gateway.
Install (fleet, Kandji / Jamf / MDM)
One custom script per Mac. Installs the gateway binary, drops a root-owned fleet config at /etc/agentkeeper-mcp-gateway/config.json, and invokes configure-ide as the logged-in user. Safe to re-run on any MDM schedule (Kandji: Run daily or Run every 15 minutes; Jamf: Recurring Check-in). configure-ide is idempotent and self-heals any drift.
Kandji deployment guide
Step 3, drop-in custom script that reuses the gateway binary from Step 2 and wires Claude Desktop for every fleet Mac.
Jamf deployment guide
Same pattern for JAMF Pro / JAMF Now, one policy script for the whole fleet.
Enterprise install (pinned version + cosign verify)
Pin <version, sha256>, fetch from GitHub Releases, verify cosign signatures. The reproducible path for security-sensitive deployments.
What you get
Policy parity with Claude Code
The same claude_code_policies row drives both Claude Code CLI hooks AND every MCP tool call Cowork makes. Configure once, enforce everywhere.
Path read/write blocking
~/Documents/PHI/** globs apply to filesystem.read_file, Google Drive reads, Postgres queries, any MCP tool with a path-like argument.
PII / PHI / secrets detection
Every MCP tool argument is scanned in-band. SSN, credit cards, AWS keys, Stripe keys, prompt-injection patterns, custom-blacklist terms, 32+ signatures.
Tool / server allowlists
Block entire MCP servers (github), specific tools (mcp__slack__post_message), or flip into allowlist mode (only mcp__linear is approved).
Zero customer-data exposure
The gateway runs locally. The policy engine returns verdicts only; file contents, chat history, and PHI never leave the machine.
Full audit trail
Every MCP call Cowork makes is logged to your dashboard with verdict, pattern, severity, and tool context. SOC 2 / HIPAA / EU AI Act ready.
What gets enforced
Every MCP tool call Cowork makes is evaluated against your org's claude_code_policies row before the call reaches the upstream server. Configure gateway policies at /gateway/policies.
| Dimension | Example |
|---|---|
| Blocked read paths | ~/Documents/PHI/** blocks filesystem.read_file, read_multiple_files, directory_tree |
| Blocked write paths | /etc/** blocks filesystem.write_file, move_file to that destination, edit_file |
| Blocked tools / skills | blocked_skills: ["mcp__github"] blocks every GitHub MCP tool |
| Allowlist mode | allowed_skills_only: ["mcp__linear"], only Linear tools pass |
| Blocked commands | blocked_commands: ["rm -rf", "curl"] blocks desktop-commander.execute_command hits |
| Domain allowlist | allowed_domains: ["github.com"] restricts fetch.fetch, brave-search |
| PII / PHI detection | SSN, credit card, AWS/Stripe keys, phone, email, 32+ patterns |
| Prompt-injection detection | Override, persona hijack, jailbreak, credential request patterns |
| Custom blacklist | Org-specific terms (project codenames, internal URLs) flagged per call |
| Fail-open safety | Network error or 5xx from the policy engine never blocks Cowork |
How a Cowork tool call flows
```text
# Task: "Summarize Q4-financials.xlsx and email the board"
1. Cowork agent decides to call filesystem.read_file(path="~/Documents/Q4-financials.xlsx")
   → Claude Desktop sends JSON-RPC to the agentkeeper-mcp-gateway proxy
   → Gateway POSTs {server_name, tool_name, params} to YOUR_AGENTKEEPER_URL/api/v1/mcp/evaluate
   → Server adapts the call to an EvaluateRequest and runs evaluatePolicy()
   → Verdict: PASS (path is outside blocked_read_paths)
   → Gateway forwards to the upstream filesystem MCP server
2. Cowork decides to call gmail.send_email(body="... with SSN 123-45-6789 ...")
   → Gateway intercepts, posts to evaluate
   → Detection engine catches SSN pattern in body
   → Verdict: BLOCK, response returned to Cowork as MCP error
   → Event logged to your dashboard with pattern + severity + tool context
```
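To make the evaluate step in the flow above concrete, here is an added example (not Agent Keeper's code and not its evaluatePolicy() implementation) that applies the policy dimensions from the enforcement table to a {server_name, tool_name, params} triple and returns a verdict in the PASS/BLOCK shape the flow describes. The field names blocked_read_paths, blocked_write_paths, blocked_skills, allowed_skills_only, blocked_commands, allowed_domains and the mcp__server__tool naming come from this page; the Policy and Verdict classes, the READ_TOOLS/WRITE_TOOLS sets, the two detection signatures, the evaluation order and the ORG_POLICY values are assumptions constructed for the example. It goes beyond the flow's two calls by also covering allowlist mode, the custom blacklist and the fail-open rule in one evaluator.

```python
import fnmatch
import os
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Policy:
    """Subset of claude_code_policies fields named in the enforcement table (assumed shape)."""
    blocked_read_paths: list = field(default_factory=list)
    blocked_write_paths: list = field(default_factory=list)
    blocked_skills: list = field(default_factory=list)
    allowed_skills_only: list = field(default_factory=list)
    blocked_commands: list = field(default_factory=list)
    allowed_domains: list = field(default_factory=list)
    custom_blacklist: list = field(default_factory=list)

@dataclass
class Verdict:
    decision: str      # "PASS" or "BLOCK"
    reason: str = ""   # policy dimension that fired
    pattern: str = ""  # glob, skill, term or signature that matched

READ_TOOLS = {"read_file", "read_multiple_files", "directory_tree"}
WRITE_TOOLS = {"write_file", "move_file", "edit_file"}
PATH_KEYS = {"path", "paths", "source", "destination"}
# Constructed signatures for illustration; the product's 32+ set is not on this page.
SIGNATURES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def _strings(value):
    """Yield every string nested anywhere in a JSON-like params object."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from (s for v in value.values() for s in _strings(v))
    elif isinstance(value, (list, tuple)):
        yield from (s for v in value for s in _strings(v))

def _glob_hit(path, globs):
    """Return the first glob matching path ("" if none); ~ is expanded on both sides."""
    full = os.path.expanduser(path)
    return next((g for g in globs if fnmatch.fnmatchcase(full, os.path.expanduser(g))), "")

def evaluate_policy(policy, server_name, tool_name, params):
    """Evaluate one {server_name, tool_name, params} triple; the first BLOCK wins."""
    server_skill = f"mcp__{server_name}"
    tool_skill = f"{server_skill}__{tool_name}"
    # 1. Allowlist mode, then the server/tool blocklist.
    if policy.allowed_skills_only and not {server_skill, tool_skill} & set(policy.allowed_skills_only):
        return Verdict("BLOCK", "allowed_skills_only", tool_skill)
    for skill in (server_skill, tool_skill):
        if skill in policy.blocked_skills:
            return Verdict("BLOCK", "blocked_skills", skill)
    # 2. Path globs on every path-like argument of a read/write tool.
    if tool_name in READ_TOOLS | WRITE_TOOLS:
        reading = tool_name in READ_TOOLS
        globs = policy.blocked_read_paths if reading else policy.blocked_write_paths
        for p in _strings({k: params[k] for k in PATH_KEYS & set(params)}):
            if hit := _glob_hit(p, globs):
                return Verdict("BLOCK", "blocked_read_paths" if reading else "blocked_write_paths", hit)
    # 3. Shell command substrings (desktop-commander.execute_command).
    if tool_name == "execute_command":
        for term in policy.blocked_commands:
            if term in params.get("command", ""):
                return Verdict("BLOCK", "blocked_commands", term)
    # 4. Domain allowlist on url arguments (fetch, search tools).
    if policy.allowed_domains and isinstance(params.get("url"), str):
        host = urlparse(params["url"]).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in policy.allowed_domains):
            return Verdict("BLOCK", "allowed_domains", host)
    # 5. In-band scan of every string argument: built-in signatures, then custom terms.
    for text in _strings(params):
        for name, rx in SIGNATURES.items():
            if rx.search(text):
                return Verdict("BLOCK", "pii_detected", name)
        for term in policy.custom_blacklist:
            if term.lower() in text.lower():
                return Verdict("BLOCK", "custom_blacklist", term)
    return Verdict("PASS")

def gateway_decide(evaluate, *call):
    """Gateway side of fail-open: if the engine cannot be reached, the call proceeds
    unevaluated. Record these separately; they are coverage gaps, not verdicts."""
    try:
        return evaluate(*call)
    except Exception as exc:  # stands in for a network error or 5xx from the engine
        return Verdict("PASS", "fail-open", repr(exc))

# Constructed policy mirroring the table's examples.
ORG_POLICY = Policy(
    blocked_read_paths=["~/Documents/PHI/**"], blocked_write_paths=["/etc/**"],
    blocked_skills=["mcp__github"], blocked_commands=["rm -rf", "curl"],
    allowed_domains=["github.com"], custom_blacklist=["Project Falcon"],
)
```

Running evaluate_policy(ORG_POLICY, "filesystem", "read_file", {"path": "~/Documents/Q4-financials.xlsx"}) passes, while the gmail.send_email call with an SSN in the body is blocked with pattern "ssn", matching the two steps of the flow. Note what the fail-open wrapper implies operationally: whenever gateway_decide returns reason "fail-open", that call was never evaluated, so a dashboard that only counts verdicts will undercount; track fail-open results as their own signal.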
Optional: the agentkeeper-security MCP server
In addition to the gateway's wire-level enforcement, Agent Keeper ships an explicit MCP server that Cowork's agent can call voluntarily during its task: four tools for sensitivity classification, PII checks, recipient verification, and audit logging. These are agent-directed (Cowork chooses when to call them), not enforcement gates. The gateway is the primary layer; these tools are a complementary signal.
| Tool | Purpose |
|---|---|
| agentkeeper_check_sensitivity | Classifies file content as public / internal / confidential / restricted |
| agentkeeper_classify_data | Tags arbitrary data blobs: PII type, confidence, handling recommendation |
| agentkeeper_verify_recipient | Confirms an email / domain is in the allowed recipients list before an external share |
| agentkeeper_log_action | Structured audit log entry: action type, files, policy context |
These tools register behind the gateway automatically when configure-ide runs. If you want them visible as a distinct mcpServers entry in your claude_desktop_config.json, contact support; we can ship that in a future release.
Detection patterns
Every MCP tool argument and response string is scanned in-band on the evaluation server. Base patterns below; custom-blacklist terms are configured per-org at /gateway/policies.
Dashboard connection
The gateway needs an API key to reach your dashboard. Get one from Settings → API Keys and either export it as AGENTKEEPER_API_KEY or drop it into the fleet config at /etc/agentkeeper-mcp-gateway/config.json:
```json
{
  "api_key": "ak_live_…",
  "api_url": "https://YOUR_AGENTKEEPER_URL"
}
```
Connected mode adds
- ✓ Central policy management: edit rules at /gateway/policies; every laptop picks up changes on the next 30s sync
- ✓ Dashboard audit trail: every MCP call evaluated, with pattern, severity, and verdict
- ✓ Unified fleet view: Cowork machines appear alongside Claude Code workstations
- ✓ Compliance exports: structured audit logs for SOC 2, HIPAA, EU AI Act reviews
Verify the install
Three quick checks. If any fail, see Kandji → Troubleshooting.
1. Binary installed: `/usr/local/bin/agentkeeper-mcp-gateway --version` prints a version line.
2. Claude Desktop config rewired: inspect `~/Library/Application Support/Claude/claude_desktop_config.json`; an mcpServers entry should have command set to the gateway binary.
3. Policy round-trip: restart Claude Desktop, then ask Cowork to read a file under a blocked path (e.g. a path matching `~/Documents/PHI/**`). Cowork should receive a block response, and the event should appear in your MCP Gateway dashboard within seconds.
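Checks 1 and 2 can be scripted so an MDM run or a help-desk ticket gets a yes/no rather than a manual inspection. The following is an added example, not Agent Keeper's own tooling: it reads claude_desktop_config.json and classifies each mcpServers entry as wired through the gateway binary or bypassing it. The binary path and config path are the ones this page names; the return shape, the helper names and the two sample configs are constructed for the example, and the gateway entry's real args (written by configure-ide) are not on this page, so they are left empty in the samples.

```python
import json
from pathlib import Path

GATEWAY_BIN = "/usr/local/bin/agentkeeper-mcp-gateway"
CONFIG_PATH = Path("~/Library/Application Support/Claude/claude_desktop_config.json").expanduser()


def audit_mcp_servers(config, gateway_bin=GATEWAY_BIN):
    """Classify each mcpServers entry as routed through the gateway or bypassing it.

    Returns {"wired": [names], "drift": [names], "ok": bool}. ok requires at least one
    gateway entry and no entry whose command is anything else: such a server's tool
    calls would reach the upstream without ever being evaluated.
    """
    servers = config.get("mcpServers") or {}
    wired = [name for name, entry in servers.items() if entry.get("command") == gateway_bin]
    drift = [name for name in servers if name not in wired]
    return {"wired": wired, "drift": drift, "ok": bool(wired) and not drift}


def verify_install(config_path=CONFIG_PATH, gateway_bin=GATEWAY_BIN):
    """Checks 1 and 2 from the list above against the files on this machine."""
    findings = {
        "binary_present": Path(gateway_bin).is_file(),
        "config_present": Path(config_path).is_file(),
    }
    if findings["config_present"]:
        with open(config_path) as fh:
            findings.update(audit_mcp_servers(json.load(fh), gateway_bin))
    return findings


# Constructed sample configs (not copied from a real install).
SAMPLE_WIRED = {"mcpServers": {"agentkeeper": {"command": GATEWAY_BIN, "args": []}}}
SAMPLE_DRIFT = {
    "mcpServers": {
        "agentkeeper": {"command": GATEWAY_BIN, "args": []},
        # A server re-added directly (e.g. by another installer) bypasses enforcement
        # until the next configure-ide run migrates it back behind the gateway.
        "filesystem": {"command": "npx", "args": ["-y", "example-mcp-server"]},
    }
}

if __name__ == "__main__":
    print(json.dumps(verify_install(), indent=2))
```

Because configure-ide is idempotent, a "drift" finding is the cue to re-run it (or to let the next MDM schedule do so); check 3, the policy round-trip, still has to be exercised through Claude Desktop itself.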
Cowork vs Claude Code, same policies, different install
| | Cowork (Claude Desktop) | Claude Code (CLI) |
|---|---|---|
| Install mechanism | MCP gateway binary + configure-ide | Plugin install OR push-hooks |
| Config location | ~/Library/Application Support/Claude/claude_desktop_config.json | ~/.claude/settings.json |
| Enforcement layer | MCP wire proxy, gateway intercepts every tool call | PreToolUse / UserPromptSubmit HTTP hooks |
| Policy source | claude_code_policies (same row) | claude_code_policies |
| Dashboard | Same unified fleet view | Same unified fleet view |
| Deploy both? | Yes, one policy drives both | Yes, one policy drives both |
Enterprise fleets typically deploy both. The install mechanics differ, but the policy row is shared: edit once, enforce everywhere.
Related
- MCP Gateway overview: architecture, config schema, CLI reference
- Kandji deployment: Step 3 covers the fleet install for Cowork
- Enterprise install: pinned version + cosign verify path
- Claude Code CLI plugin: the hook-based flow for the CLI (not Cowork)