Team Policies

Enforce security policies across all Claude Code workstations in your organization.

Policy types

Configure each policy in the dashboard under Settings → Policies. Policies apply to every connected workstation in the org.

Security Level

One of strict (default), moderate, minimal, or paranoid. Controls detection sensitivity.

Auto Block

When enabled, threats are blocked. When disabled, threats only generate a warning.

Blocked Tools

Prevent specific tools from executing (e.g., block WebFetch, WebSearch)

Blocked Commands

Block bash commands containing specific strings (e.g., "rm -rf", "curl | bash")

Blocked Write Paths

Prevent file writes to sensitive paths (e.g., /etc/*, ~/.ssh/*)

Sensitive Read Paths

Warn when reading sensitive files (logged but not blocked)

Require Sandbox

Enforce sandbox mode for all Claude Code sessions

Allowed Git Remotes

Restrict which repositories Claude Code can operate in

Web Fetch Control

Enable/disable web fetching, restrict to allowed domains

Log All Tool Calls

Record every tool call in the activity feed (not just threats)

MCP Skill Controls

Block specific MCP skills, or restrict to an allowlist

Group policy overrides

When connected to an Identity Provider (Entra ID, Okta, Google Workspace), you can set per-group policy overrides. These layer on top of the org default; the most restrictive setting wins.

Example

The org default allows WebFetch, but the contractors group has WebFetch blocked. Contractors cannot use WebFetch; everyone else can.

See Identity Providers for IDP setup instructions.

Warn-only tools

Some tools can be downgraded from block to warn. The tool executes, but the event is flagged. Useful for noisy patterns where you want visibility without disruption.

Mode     Behavior
Block    Tool call is denied. Event is logged as a threat.
Warn     Tool call executes. Event is flagged in the activity feed.
Allow    Tool call executes. No event is generated.
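
The sketch below is an added example, not Agent Keeper's own code: it models how "most restrictive wins" from the Group policy overrides section can be applied to Block/Warn/Allow tool modes, and goes beyond the text by extending the same rule to blocklists, boolean requirements, and allowlists. The dictionary layout, field names, the "research" group, and the example domains are assumptions made for illustration.

```python
# Added illustration of "most restrictive wins"; not the product's implementation.
# Field names and the dict layout are assumptions made for this example.
RESTRICTIVENESS = {"allow": 0, "warn": 1, "block": 2}

def stricter(a, b):
    """Return the more restrictive of two tool modes."""
    return a if RESTRICTIVENESS[a] >= RESTRICTIVENESS[b] else b

def effective_policy(org_default, group_overrides, user_groups):
    """Layer the overrides of every group the user belongs to on the org default."""
    base_domains = org_default.get("allowed_domains")
    policy = {
        "tool_modes": dict(org_default.get("tool_modes", {})),
        "blocked_commands": set(org_default.get("blocked_commands", ())),
        "require_sandbox": bool(org_default.get("require_sandbox", False)),
        # None means "no domain restriction" in this model.
        "allowed_domains": None if base_domains is None else set(base_domains),
    }
    for group in user_groups:
        override = group_overrides.get(group)
        if override is None:
            continue  # no override for this group: the org default stands
        for tool, mode in override.get("tool_modes", {}).items():
            current = policy["tool_modes"].get(tool, "allow")
            policy["tool_modes"][tool] = stricter(current, mode)
        # Blocklists only grow (union): a group cannot remove an org-wide block.
        policy["blocked_commands"] |= set(override.get("blocked_commands", ()))
        # A boolean requirement stays on once any layer enables it.
        policy["require_sandbox"] = (policy["require_sandbox"]
                                     or bool(override.get("require_sandbox", False)))
        # Allowlists only shrink (intersection).
        domains = override.get("allowed_domains")
        if domains is not None:
            if policy["allowed_domains"] is None:
                policy["allowed_domains"] = set(domains)
            else:
                policy["allowed_domains"] &= set(domains)
    return policy

# Constructed sample data mirroring the contractors example above.
ORG_DEFAULT = {"tool_modes": {"WebFetch": "allow", "WebSearch": "warn"},
               "blocked_commands": ["rm -rf"], "allowed_domains": None}
GROUP_OVERRIDES = {
    "contractors": {"tool_modes": {"WebFetch": "block", "WebSearch": "allow"},
                    "blocked_commands": ["curl | bash"], "require_sandbox": True},
    "research": {"allowed_domains": ["docs.example.com", "pkg.example.com"]},
}
```

In this model a group override can tighten a setting but never loosen it: the contractors group's "allow" for WebSearch does not undo the org-level "warn".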

Policy message

Set a custom message that is injected into every Claude Code session in your org. Use it for org-wide reminders or compliance notices.

  • "All code must be reviewed before merging."
  • "Do not commit secrets or credentials to version control."
  • "This workstation is monitored per company policy."

How to configure

  1. Go to Settings → Policies in the Agent Keeper dashboard
  2. Toggle and configure each policy
  3. Changes take effect within 30 seconds (cached)
  4. Policies apply to all connected workstations in the org

Plan availability

Team Policies are available on Pro, Team, and Enterprise plans.