Thoth SDK
sdk v0.1.6 / proxy v0.2.7

Claude Desktop Fleet Configuration

Headless workflow for browser-first Thoth rollout across managed fleets with Jamf/Intune plus manual endpoint enrollment.

This guide is the headless path for fleet rollout.

Use it when you want policy and endpoint operations driven by CLI/API/GitOps instead of a UI workflow.

For full IaC orchestration patterns (Terraform, Pulumi, Argo CD, API workflows), see GitOps Headless Control Plane.

Choose the right guide

Goal                                        Guide
Validate one endpoint quickly               Claude Desktop Proxy
Run full headless E2E validation            Headless E2E Runbook
Roll out to managed endpoints               This page
Jamf packaging and policy mechanics         Jamf Onboarding Overview
Intune packaging and assignment mechanics   Intune Onboarding Overview

Browser-first architecture

Components of the browser-first architecture:

  • Admin CI runner: thothctl + GitOps
  • GovAPI control plane: settings, MDM, integrations
  • MDM (Jamf / Intune): ship thoth + config
  • Endpoints: Claude Desktop + thoth proxy
  • SIEM / PAM stack: native integrations + evidence

Prerequisites

  • thoth binary available for endpoint runtime.
  • thothctl available for control-plane bootstrap.
  • Admin bearer token for GovAPI.
  • MDM delivery path in place (Jamf or Intune).
  • Tenant DNS routes reachable (enforce, grid, and control-plane host).

Step 1 — Bootstrap control-plane settings (headless)

Run this from a secure CI runner or admin workstation:

thothctl bootstrap \
  --tenant-id "<tenant>" \
  --apex-domain "atensecurity.com" \
  --auth-token-file /secure/path/workos.jwt \
  --compliance-profile soc2 \
  --webhook-url "https://siem.company.com/thoth/events" \
  --test-webhook \
  --mdm-provider jamf \
  --mdm-config-file ./jamf-provider.json \
  --start-sync

For Intune, switch to --mdm-provider intune and pass an Intune config JSON via --mdm-config-file.

This command can:

  • update tenant policy settings,
  • test webhook delivery,
  • upsert MDM provider config,
  • start MDM inventory sync.

Step 2 — Generate governed Claude config artifact

Create a governed claude_desktop_config.json artifact from your base config:

thoth wrap-config \
  --tenant-id "<tenant>" \
  --enforcement-mode progressive \
  --env THOTH_USER_ID="managed-user@company.com" \
  --env THOTH_APEX_DOMAIN="<apex-domain>" \
  --output governed_claude_config.json \
  base_claude_config.json

Use your normal review process for this file in Git (PR + approvals).


Step 3 — Distribute through Jamf or Intune

Deploy two artifacts through MDM:

  1. thoth binary
  2. governed_claude_config.json

Target paths:

Platform   Target path
macOS      ~/Library/Application Support/Claude/claude_desktop_config.json
Windows    %APPDATA%\Claude\claude_desktop_config.json

Keep tenant/runtime values in managed secrets or profile variables, not in repo plaintext.


Step 4 — Manual enrollment for unmanaged endpoints

For sandboxes or unmanaged hosts:

# Install the thoth binary
curl -fsSL https://install.atensecurity.com/thoth | sh

# Tenant and runtime values for this endpoint
export THOTH_TENANT_ID="<tenant>"
export THOTH_USER_ID="analyst@company.com"
export THOTH_APEX_DOMAIN="<apex-domain>"
export THOTH_ENV="prod"

# macOS target path; on Windows use the path from Step 3
CONFIG_PATH="$HOME/Library/Application Support/Claude/claude_desktop_config.json"

# Wrap the existing config in place with the governed version
thoth wrap-config \
  --tenant-id "$THOTH_TENANT_ID" \
  --enforcement-mode progressive \
  --env THOTH_USER_ID="$THOTH_USER_ID" \
  --env THOTH_APEX_DOMAIN="$THOTH_APEX_DOMAIN" \
  --output "$CONFIG_PATH" \
  "$CONFIG_PATH"

The proxy registers the endpoint and continues periodic check-ins automatically.


Step 5 — Validate health and policy coverage

On endpoint:

thoth health --json
thoth status

Control-plane checks:

# List MDM providers
curl -sS -H "Authorization: Bearer $THOTH_ADMIN_BEARER_TOKEN" \
  "https://<tenant>.<apex-domain>/<tenant>/thoth/mdm/providers"

# List endpoints
curl -sS -H "Authorization: Bearer $THOTH_ADMIN_BEARER_TOKEN" \
  "https://<tenant>.<apex-domain>/<tenant>/thoth/endpoints"

Expected outcomes:

  • endpoint registration is healthy,
  • governed MCP servers are visible in thoth status,
  • policy decisions are consistent with configured mode,
  • check-ins continue on schedule.

Native SIEM/PAM integration (no UI dependency)

Use the control-plane integration APIs to register and sync platform integrations in automation pipelines.

  • Integration create/list/sync routes live under /:tenant-id/governance/integrations.
  • MDM providers and sync routes live under /:tenant-id/thoth/mdm/*.

This lets operations run from CI/CD and existing security tooling instead of a standalone console.


Rollout strategy

Use staged rollout:

  1. Canary (1-5 endpoints)
  2. Pilot (5-15% of fleet)
  3. Full deployment
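The following Python gate is an added example, not part of the Thoth SDK or its docs: it evaluates the Step 5 expected outcomes over endpoint records (as returned by the endpoints route) and decides whether the canary stage may be promoted. The record field names, the 15-minute check-in interval and the sample records are assumptions; adapt them to the real API output.

```python
# Added example (not Thoth SDK code): promotion gate for the canary stage.
# ASSUMED record schema for /<tenant>/thoth/endpoints: endpoint_id, registered,
# enforcement_mode, last_checkin (ISO 8601), governed_servers. Adapt as needed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
CHECKIN_INTERVAL = timedelta(minutes=15)                  # assumed check-in schedule
CANARY_SIZE = (1, 5)                                      # canary is 1-5 endpoints per the guide

# Constructed sample records, as if returned by the endpoints route.
SAMPLE_ENDPOINTS = [
    {"endpoint_id": "mac-001", "registered": True, "enforcement_mode": "progressive",
     "last_checkin": "2025-01-15T11:50:00Z", "governed_servers": ["filesystem", "github"]},
    {"endpoint_id": "mac-002", "registered": True, "enforcement_mode": "progressive",
     "last_checkin": "2025-01-15T10:00:00Z", "governed_servers": ["filesystem"]},  # stale
    {"endpoint_id": "win-003", "registered": True, "enforcement_mode": "monitor",
     "last_checkin": "2025-01-15T11:58:00Z", "governed_servers": []},  # mode drift, no servers
]

def endpoint_findings(ep, expected_mode, now=NOW, interval=CHECKIN_INTERVAL):
    """Return the list of expected-outcome violations for one endpoint record."""
    findings = []
    if not ep.get("registered"):
        findings.append("not registered")
    if ep.get("enforcement_mode") != expected_mode:
        findings.append(f"mode {ep.get('enforcement_mode')!r} != {expected_mode!r}")
    if not ep.get("governed_servers"):
        findings.append("no governed MCP servers reported")
    last_raw = ep.get("last_checkin")
    if not last_raw:
        findings.append("never checked in")
    else:
        last = datetime.fromisoformat(last_raw.replace("Z", "+00:00"))
        if now - last > 2 * interval:  # tolerate one missed check-in before flagging
            findings.append(f"stale check-in ({now - last} ago)")
    return findings

def canary_gate(endpoints, expected_mode, size=CANARY_SIZE):
    """Decide whether the canary may be promoted; returns (ok, {endpoint_id: findings})."""
    lo, hi = size
    problems = {ep["endpoint_id"]: f for ep in endpoints
                if (f := endpoint_findings(ep, expected_mode))}
    size_ok = lo <= len(endpoints) <= hi
    return size_ok and not problems, problems

if __name__ == "__main__":
    ok, problems = canary_gate(SAMPLE_ENDPOINTS, "progressive")
    print("promote" if ok else "hold", problems)
```

Feed it the JSON from the endpoints check in Step 5 and run it in the same CI job that applies the GitOps changes, so a stale or drifted canary blocks the pilot stage.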

If behavior regresses, use existing ops playbooks: