← back to docs

Onboarding your team

Push one bearer to your team via Claude for Teams managed settings. Five minutes, override-proof, devs do nothing.

Onboarding your team

Metric AI is built for teams using Claude for Teams or Enterprise. The canonical rollout is one paste into the Claude.ai admin console — every developer’s claude install picks up the bearer at next startup, and that’s it. No per-machine work.

Two override-proof paths covered below + a fallback for orgs that don’t have either yet.

ApproachBest forSetup time
1. Claude.ai admin consoleClaude for Teams / Enterprise — recommended2 min once
2. MDM / system pathOrgs without Claude for Teams that still want override-proof rollout10–30 min once
3. Per-user ~/.claude/settings.jsonOne-off dev evaluating the product30 sec / dev

One bearer per org, not per dev. Admins generate the token once in the dashboard and the same value reaches every team member. Per-user attribution still works because Claude Code attaches user.email to every span automatically. Simpler to manage, easier to audit, rotation is one click.


If your org is on Claude for Teams or Claude for Enterprise, the admin console pushes managed settings — including the org ingest token — to every team member’s claude install with no file deployment. This is what we built the product around.

Steps (under 5 minutes total)

  1. Generate the org token. Sign into the dashboardAdminSettingsOrg ingest tokenGenerate. The plaintext is shown once — copy it now along with the rendered managed-settings.json snippet.
  2. Add your team to Members. Same panel → Members → add each teammate’s email so they can sign into the dashboard. (The dashboard signs in via email-OTP; the members table is the gate.)
  3. Open Claude.ai admin consoleClaude CodeManaged settings (path may differ by plan tier).
  4. Paste the snippet (the dashboard already filled in your bearer):
    {
      "env": {
        "CLAUDE_CODE_ENABLE_TELEMETRY": "1",
        "CLAUDE_CODE_ENHANCED_TELEMETRY_BETA": "1",
        "OTEL_METRICS_EXPORTER": "otlp",
        "OTEL_LOGS_EXPORTER": "otlp",
        "OTEL_TRACES_EXPORTER": "otlp",
        "OTEL_EXPORTER_OTLP_PROTOCOL": "http/json",
        "OTEL_EXPORTER_OTLP_ENDPOINT": "https://otlp.metric-ai.nativekloud.com",
        "OTEL_EXPORTER_OTLP_HEADERS": "Authorization=Bearer <YOUR_ORG_TOKEN>",
        "OTEL_RESOURCE_ATTRIBUTES": "deployment.environment=prod"
      }
    }
  5. Save. Settings fetch on each claude startup. Devs do nothing locally — the bearer is already there next time they run a session.

Verification

Each user runs /status in claude and sees:

Enterprise managed settings (remote)   ← from admin console (carries the bearer)

Within ~30 seconds of activity, spans land in the dashboard. Within 15 minutes, daily costs roll into the Usage tab.

Rotation

Click Rotate in the dashboard. Previous token is revoked immediately. Update the snippet in the Claude.ai admin console with the new bearer; on next claude startup every dev picks up the new value. Sessions running mid-rotation see ingest 401s until they restart — there’s no graceful overlap window (one bearer at a time, by design).


2 · MDM / system path (orgs without Claude for Teams)

For orgs that don’t (yet) have Claude for Teams but still want managed-settings rollout, push the file to each developer machine via your existing MDM (Jamf, Kandji, Intune, Group Policy, Ansible, Puppet, NixOS modules, etc.). Same effect: override-proof, devs can’t disable.

File-based managed settings paths

OSPath
macOS/Library/Application Support/ClaudeCode/managed-settings.json
Linux / WSL/etc/claude-code/managed-settings.json
WindowsC:\Program Files\ClaudeCode\managed-settings.json

All three platforms also support a drop-in directory (managed-settings.d/) — files are merged alphabetically; use numeric prefixes (10-telemetry.json, 20-security.json) for control.

Quick install (macOS, file-based)

sudo mkdir -p "/Library/Application Support/ClaudeCode"
sudo curl -L \
  https://raw.githubusercontent.com/radekdymacz/metric-ai/main/scripts/managed-settings.json \
  -o "/Library/Application Support/ClaudeCode/managed-settings.json"
sudo chmod 0644 "/Library/Application Support/ClaudeCode/managed-settings.json"

Edit the file to inject your org bearer into OTEL_EXPORTER_OTLP_HEADERS. The org token is shared — every developer machine gets the same value.

MDM templates

Anthropic ships starter templates for the major MDM platforms at: github.com/anthropics/claude-code/tree/main/examples/mdm

Drop our env block in and deploy through your existing MDM channel.


3 · Per-user ~/.claude/settings.json (single dev, fallback)

For a single developer evaluating Metric AI before rolling out to the team — or in environments where neither admin console nor MDM is available. Each dev writes the same org token into their own ~/.claude/settings.json. Not override-proof; devs can edit or remove it. Move to path 1 or 2 as soon as you have more than a couple of seats.

mkdir -p ~/.claude
cat > ~/.claude/settings.json <<'JSON'
{
  "env": {
    "CLAUDE_CODE_ENABLE_TELEMETRY": "1",
    "CLAUDE_CODE_ENHANCED_TELEMETRY_BETA": "1",
    "OTEL_METRICS_EXPORTER": "otlp",
    "OTEL_LOGS_EXPORTER": "otlp",
    "OTEL_TRACES_EXPORTER": "otlp",
    "OTEL_EXPORTER_OTLP_PROTOCOL": "http/json",
    "OTEL_EXPORTER_OTLP_ENDPOINT": "https://otlp.metric-ai.nativekloud.com",
    "OTEL_EXPORTER_OTLP_HEADERS": "Authorization=Bearer <YOUR_ORG_TOKEN>",
    "OTEL_METRIC_EXPORT_INTERVAL": "30000",
    "OTEL_RESOURCE_ATTRIBUTES": "team=core,deployment.environment=dev"
  }
}
JSON

Replace <YOUR_ORG_TOKEN> with the value from the dashboard. Restart any running claude session. Within 30 seconds of next activity, spans land.

A template lives at scripts/dev-settings.json in the repo. The dashboard’s Quickstart tab (admin-only) renders it with your real token already filled in.


Visibility

Whichever path you choose, end users can:

  • Run /status in claude to see active configuration layers and origins (Enterprise managed settings (remote) / (file) / (HKLM)).
  • Read the file contents directly on disk (the JSON isn’t encrypted).

End users cannot:

  • Override managed values from ~/.claude/settings.json or project settings — Claude Code silently ignores conflicts.
  • Disable telemetry by setting CLAUDE_CODE_ENABLE_TELEMETRY=0 if the managed layer enforces =1.

The bearer in OTEL_EXPORTER_OTLP_HEADERS is the org’s secret. With managed settings (paths 1 & 2), devs never see it directly.


Per-project labels

You can override OTEL_RESOURCE_ATTRIBUTES per-project by dropping a .claude/settings.json into the repo root:

{
  "env": {
    "OTEL_RESOURCE_ATTRIBUTES": "customer=acme,project=billing-rewrite,team=platform"
  }
}

Project settings layer between user and managed; the result is (managed) ∪ (user) ∪ (project). The dashboard segments by these tags automatically.


Revoke a teammate

In the dashboard Admin → Settings:

  1. Members → click remove on their row to drop them from the org. They can no longer sign into the dashboard. (Dashboard sign-in is gated by membership; once removed, the OTP login screen rejects emails not in any org.)
  2. If they leave the company entirely and you want to invalidate the token they may have copied locally, click Rotate on the org ingest token. Push the new bearer through your admin-console / MDM channel; the old one stops authenticating ingest immediately.

There’s no per-user revocation — that’s the trade-off for one bearer per org. If your security model demands per-user revocability, consider Claude for Enterprise SCIM-driven seat management for the dashboard side, and rotate the org token whenever someone leaves.