Thoth SDK
sdk v0.1.6 / proxy v0.2.7

Intune Onboarding Overview

End-to-end onboarding workflow for IT admins deploying thoth governance through Microsoft Intune.

Use this guide when your IT or security team is onboarding thoth governance across employee endpoints managed by Microsoft Intune.

Audience

This runbook is for your IT admins and security engineers. Employees should not need to configure anything manually.

What thoth changes on endpoints

After onboarding, Claude Desktop behavior remains familiar to employees, but MCP traffic is governed:

  • thoth evaluates MCP tool calls against policy.
  • Session intent controls are enforced.
  • Audit-ready governance telemetry is emitted.

Onboarding values from thoth

Your thoth onboarding provides:

  • tenant_id
  • apex_domain
  • user identity mapping strategy for THOTH_USER_ID (must be a valid email)

Do not mix tenant IDs

  • thoth tenant ID: provided by thoth onboarding and used for policy scope.
  • Azure tenant ID: your Microsoft Entra tenant used for Graph API auth.

Prerequisites checklist

  • thoth onboarding values are available and validated.
  • Intune permissions allow script and app assignment management.
  • Claude Desktop is already deployed to endpoint groups.
  • Node.js baseline is present on endpoint groups.
  • thoth binary baseline is present on endpoint groups.

Use three staged assignments:

  1. Baseline dependencies: ensure thoth, node, and npx are present.
  2. Config deployment: deploy thoth-config.json with onboarding values.
  3. Setup script: wrap Claude config and enable governed MCP runtime.

This separation lets your team rotate onboarding values without rebuilding installation baselines.

Canonical config template

Use a managed config payload equivalent to:

{
  "tenant_id": "YOUR_THOTH_TENANT_ID",
  "apex_domain": "atensecurity.com",
  "agent_id": "filesystem-safe",
  "environment": "production",
  "allowed_paths": {
    "macos": "/Users/{{USERNAME}}",
    "linux": "/home/{{USERNAME}}",
    "windows": "C:\\Users\\{{USERNAME}}"
  }
}

{{USERNAME}} is a runtime placeholder resolved by setup scripts on each endpoint.

Credential handling

Treat onboarding values as sensitive operational configuration. Store them in your MDM or CI secret systems and do not commit customer-specific values to source control.

Platform paths at a glance

Platform | Config file                                          | Claude config target
macOS    | /Library/Application Support/Thoth/thoth-config.json | ~/Library/Application Support/Claude/claude_desktop_config.json
Linux    | /etc/thoth/thoth-config.json                         | ~/.config/Claude/claude_desktop_config.json
Windows  | C:\ProgramData\Thoth\thoth-config.json               | %APPDATA%\Claude\claude_desktop_config.json
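As an added example (not the thoth project's own setup script), the POSIX shell fragment below renders the canonical template above for one endpoint, validates the onboarding values before they are substituted into the JSON, and maps each platform to its config file path from the table. The tenant ID character set and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the thoth project's own setup script): render the managed
# thoth-config.json for one endpoint from the canonical template, and map each
# platform to its config file path. The tenant ID charset is an assumption.

# Constructed template, matching the canonical config shown above.
THOTH_TEMPLATE='{
  "tenant_id": "YOUR_THOTH_TENANT_ID",
  "apex_domain": "atensecurity.com",
  "agent_id": "filesystem-safe",
  "environment": "production",
  "allowed_paths": {
    "macos": "/Users/{{USERNAME}}",
    "linux": "/home/{{USERNAME}}",
    "windows": "C:\\Users\\{{USERNAME}}"
  }
}'

# Platform -> managed config file (values from the table above).
thoth_config_path() {
  case "$1" in
    macos)   echo "/Library/Application Support/Thoth/thoth-config.json" ;;
    linux)   echo "/etc/thoth/thoth-config.json" ;;
    windows) echo 'C:\ProgramData\Thoth\thoth-config.json' ;;
    *)       return 1 ;;
  esac
}

# Conservative charset only: a quote, slash or brace in the account name would
# rewrite allowed_paths instead of just filling it in, so reject it outright.
valid_username() { case "$1" in "" | *[!A-Za-z0-9._-]*) return 1 ;; esac; }

# THOTH_USER_ID must be an email: one '@' and a dotted domain, plain characters.
valid_user_id() {
  case "$1" in *@*@* | *[!A-Za-z0-9._+@-]*) return 1 ;; ?*@?*.?*) return 0 ;; *) return 1 ;; esac
}

# render_thoth_config TEMPLATE TENANT_ID USERNAME -> JSON on stdout.
# Returns 1 on a bad value, 2 if any placeholder survives the substitution.
render_thoth_config() {
  template="$1"; tenant="$2"; user="$3"
  case "$tenant" in "" | *[!A-Za-z0-9._-]*) return 1 ;; esac
  valid_username "$user" || return 1
  out=$(printf '%s\n' "$template" |
        sed -e "s|YOUR_THOTH_TENANT_ID|$tenant|" -e "s|{{USERNAME}}|$user|g")
  case "$out" in *'{{'* | *YOUR_THOTH_TENANT_ID*) return 2 ;; esac
  printf '%s\n' "$out"
}
```

A setup script would write the rendered output to `$(thoth_config_path "$platform")` only after all three checks pass, so a leftover placeholder or a malformed account name never reaches the endpoint.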

Rollout pattern

Use staged assignment scope:

  1. Test group (single device per platform).
  2. Pilot group (5-15% of each platform fleet).
  3. Broad production rollout.

Validate each stage with:

thoth health --json
thoth status

Platform runbooks
