This course builds the client security onboarding you run in the pre-kickoff window. It follows a realistic client context, a financial services firm with specific compliance requirements, through each layer of Claude Code's governance model.
You'll start with managed-settings.json, the policy file that sits above every other settings layer. Deployed by IT via MDM, Group Policy, or the admin console, it cannot be overridden by any user or project setting. The course covers:
- Which controls to set before anyone logs in, authentication method, MCP allowlist, org-wide CLAUDE.md instructions
- The three delivery mechanisms (server-managed, MDM, file-based) and which fits different client IT environments
- How to write org-level CLAUDE.md instructions that enforce policy without over-restricting and degrading Claude's output quality
The course then covers the rest of the governance stack:
- The permission system: how Claude Code categorizes operations into allow, ask, and deny, and where an admin draws those lines for a regulated environment
- Sandboxed bash execution and filesystem scoping, including how to answer the 'is Claude Code sandboxed?' question accurately (the answer depends on configuration and whether dev containers are in use)
- SSO via SAML 2.0 or OIDC, SCIM provisioning, and IP allowlisting
- Data retention controls: the difference between the no-training opt-out, custom retention, and Zero Data Retention, three separate mechanisms that answer three different questions from a security team
- SOC 2 Type II, HIPAA, and where client-side controls layer in alongside Anthropic's own compliance posture
The practice exercise: complete a security onboarding questionnaire for the sample client persona. If you have admin access to a Claude Enterprise tenant, walk through the managed-settings and SSO/SCIM configuration there. The completed questionnaire is your course artifact.
Time In Skilljar (Measured) 1 Hour 8 Minutes
Practice & Artifact Building (Estimated Time In Skilljar) 40 Min