Claude Cowork on macOS
Install the systemprompt-cowork credential helper on macOS, apply the .mobileconfig managed-preferences payload via Jamf or Intune for Mac, and verify the sync. Covers Developer ID notarisation, Keychain-backed credentials, launchd schedules, and Secure Enclave mTLS.
Prerequisites
Read the general deployment reference first for the architecture, auth tiers, manifest shape, and audit schema. This page covers macOS-specific mechanics only.
Pick the right binary
| Mac chip | Target triple | File |
|---|---|---|
| M-series (M1, M2, M3, M4) | aarch64-apple-darwin | systemprompt-cowork |
| Intel | x86_64-apple-darwin | systemprompt-cowork |
Both builds are Developer ID-signed and notarised. Gatekeeper accepts them on first run without a prompt, so scripted rollout works without manual trust steps. The stapled notarisation ticket travels with the binary, so there is no need to strip the quarantine attribute or whitelist the subprocess. Still verify the hash (step 1 below) before installing: Gatekeeper proves who signed the file, not that it is the build you meant to deploy.
Install
Three moves: verify, install, print the MDM payload.
# 1. Verify the hash against SHA256SUMS from the release page (prints "systemprompt-cowork: OK" or fails)
grep 'systemprompt-cowork$' SHA256SUMS | shasum -a 256 -c
# 2. Install into a stable path with the right mode and ownership
sudo install -m 0755 -o root -g wheel systemprompt-cowork /usr/local/bin/systemprompt-cowork
# 3. First-run bootstrap, under sudo so org-plugins is created at system scope (see Troubleshooting)
sudo systemprompt-cowork install \
--gateway https://cowork-gateway.example.com \
--print-mdm macos
The install call does five things in one invocation:
- Creates /Library/Application Support/Claude/org-plugins/ with system ownership (falls back to ~/Library/Application Support/Claude/org-plugins/ if not elevated).
- Fetches /v1/cowork/pubkey from the gateway.
- Pins the Ed25519 public key into ~/Library/Application Support/systemprompt/systemprompt-cowork.toml.
- Persists the gateway URL into the same TOML.
- Prints the .mobileconfig payload for distribution.
The pin is trust-on-first-use: the key comes from the gateway itself over TLS, so a machine that reaches an impostor gateway at bootstrap pins the impostor's key. Before rolling out, compare the value written to the TOML against the key your gateway operator publishes through a channel other than the gateway.
Confirm with:
systemprompt-cowork validate
Every line should be [ok]. Expect one [warn] on the cached JWT before first login; it clears on the next inference call.
The .mobileconfig payload
A .mobileconfig is an Apple property list an MDM product installs into the managed-preferences store. The payload below is the exact shape Cowork reads. Replace the UUIDs with fresh ones from uuidgen, sign through the MDM signing certificate, and push.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.cowork-gateway.profile</string>
  <key>PayloadUUID</key>
  <string>A1111111-1111-1111-1111-111111111111</string>
  <key>PayloadDisplayName</key>
  <string>Claude Cowork gateway policy</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.anthropic.claudefordesktop</string>
      <key>PayloadIdentifier</key>
      <string>com.example.cowork-gateway.content</string>
      <key>PayloadUUID</key>
      <string>B2222222-2222-2222-2222-222222222222</string>
      <key>PayloadDisplayName</key>
      <string>Cowork managed preferences</string>
      <key>inferenceProvider</key>
      <string>gateway</string>
      <key>inferenceGatewayBaseUrl</key>
      <string>https://cowork-gateway.example.com</string>
      <key>inferenceCredentialHelper</key>
      <string>/usr/local/bin/systemprompt-cowork</string>
      <key>inferenceCredentialHelperTtlSec</key>
      <integer>3600</integer>
      <key>inferenceGatewayAuthScheme</key>
      <string>bearer</string>
    </dict>
  </array>
</dict>
</plist>
PayloadType = com.anthropic.claudefordesktop is the preference domain Cowork reads on launch. The Apple Configuration Profile Reference documents the outer Configuration structure.
Local install for testing
sudo profiles install -path=./cowork.mobileconfig
defaults read /Library/Managed\ Preferences/com.anthropic.claudefordesktop | head
From macOS 11 on, the profiles tool no longer installs configuration profiles from the command line: open the .mobileconfig instead and approve it in System Settings (Device Management, or Profiles on older releases), or deliver it through the MDM. Either way, the defaults read output should echo all five keys. If it does not, the profile scope is wrong or the PayloadType does not match.
Fully quit Cowork (right-click the menu bar icon → Quit; confirm no Claude process remains in Activity Monitor) before relaunching. Cowork reads managed preferences once on process start.
Jamf Pro
Wrap the .mobileconfig with a Custom Schema entry from the Jamf Custom Schema docs so preferences are editable in the Jamf Pro UI rather than by pasting XML. A Jamf policy script needs two commands to deploy the binary:
#!/bin/bash
set -euo pipefail
# $4 is the Jamf script parameter carrying the gateway URL.
# Drop the signed binary at /usr/local/bin/ then run install --apply
install -m 0755 -o root -g wheel /tmp/systemprompt-cowork /usr/local/bin/systemprompt-cowork
/usr/local/bin/systemprompt-cowork install \
  --gateway "$4" \
  --apply
$4 is the Jamf script parameter carrying the gateway URL (Jamf reserves $1 to $3). The policy runs as root, which is what system-scope ownership needs. install --apply is idempotent - re-running on a configured machine refreshes the pinned pubkey and gateway URL without disturbing the cached JWT, which matters because Jamf re-runs policy scripts on every check-in. /tmp is world-writable, so have the package stage the binary in a root-owned directory instead, or verify its SHA-256 against SHA256SUMS in the script before the install line.
Intune for Mac
Push the .mobileconfig via a Custom Configuration Profile targeted at the Mac device group. For the binary, package it as a macOS LOB app (PKG) whose postinstall runs the install as root, then add a separate shell-script policy that runs systemprompt-cowork install --apply --gateway <url> on every check-in. Configure that script to run as root rather than as the signed-in user, for the same system-scope reason as the Jamf policy.
launchd for periodic sync
The credential helper runs on every inference call (keeping the JWT fresh). Manifest sync is separate and needs its own schedule; a launchd job is the right shape.
systemprompt-cowork install --emit-schedule-template macos
# writes: com.systemprompt.cowork-sync.plist
launchctl bootstrap gui/$UID ~/Library/LaunchAgents/com.systemprompt.cowork-sync.plist
launchctl print gui/$UID/com.systemprompt.cowork-sync
Edit the plist before loading to adjust the interval. Note that the template is a LaunchAgent: it runs as the logged-in user and therefore syncs the user-scope org-plugins path. A Mac that serves Cowork from the system-scope path needs the same job as a LaunchDaemon under /Library/LaunchDaemons, bootstrapped into the system domain, so that sync writes the path Cowork actually reads (see Troubleshooting).
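As an added example, not the template the tool emits, here is the system-domain form of that job. The label follows the page's com.systemprompt.cowork-sync name; the interval, the log paths, and the assumption that a root-run sync reads the TOML written when install was run under sudo are mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Added example, not the tool's generated template: a LaunchDaemon so
     sync runs as root and writes the system-scope org-plugins path.
     Interval and log paths are assumptions. -->
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.systemprompt.cowork-sync</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/systemprompt-cowork</string>
    <string>sync</string>
  </array>
  <!-- Seconds between runs. RunAtLoad also fires once at boot so a freshly
       enrolled Mac does not wait a full interval for its first manifest. -->
  <key>StartInterval</key>
  <integer>3600</integer>
  <key>RunAtLoad</key>
  <true/>
  <!-- launchd discards stdout/stderr unless told where to put them; these
       files are what you read when sync fails. -->
  <key>StandardOutPath</key>
  <string>/var/log/systemprompt-cowork-sync.log</string>
  <key>StandardErrorPath</key>
  <string>/var/log/systemprompt-cowork-sync.log</string>
</dict>
</plist>
```

Install it as /Library/LaunchDaemons/com.systemprompt.cowork-sync.plist owned by root:wheel with mode 0644 (launchd refuses a daemon plist that is group- or world-writable), then `sudo launchctl bootstrap system /Library/LaunchDaemons/com.systemprompt.cowork-sync.plist` and `sudo launchctl print system/com.systemprompt.cowork-sync` to confirm it loaded. Unload the user-scope agent on the same Mac so the two do not race each other.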
mTLS with Secure Enclave
For the mTLS tier in regulated environments, the private key of the device certificate belongs in Secure Enclave-backed storage, not on the filesystem. Apple Silicon Macs use the Secure Enclave; Intel Macs with a T2 chip rely on the T2 for equivalent hardware-backed key storage. An Intel Mac without a T2 has no such store and cannot meet this tier.
The binary reads an OS keystore reference, not a raw private key. Set SP_COWORK_DEVICE_CERT_LABEL via MDM to point at a Keychain item. The private key never leaves the hardware: the binary signs challenges through the Keychain API, and only the certificate (the public portion) is ever extracted.
Issuance rides on the existing corporate PKI - Jamf, Intune, or a user-driven systemprompt-cowork enrol flow requests a cert from the internal CA at enrolment. Revocation takes effect as soon as the gateway sees the updated CRL: flag the cert, and the next /v1/auth/cowork/mtls call after that refresh returns 403. How close to immediate that is depends on how often the gateway refreshes its CRL, so set that interval to match your revocation requirement.
Verification checklist
- systemprompt-cowork validate returns all [ok] lines, with the org-plugins path resolved at system scope.
- defaults read /Library/Managed\ Preferences/com.anthropic.claudefordesktop echoes all five keys.
- Cowork launches without showing Anthropic's sign-in screen.
- systemprompt-cowork sync succeeds and prints sync ok: N installed, 0 updated, 0 removed.
- One row appears in audit_events per Cowork chat turn with the expected user_id and tenant_id.
Troubleshooting
- validate reports scope: user. install ran without sudo. The system-scope path is the one Cowork reads first; user-scope falls through silently, leaving the UI looking empty. Re-run under sudo.
- "credential helper failed" in Cowork. The binary printed something other than one JSON line. Run systemprompt-cowork directly; anything on stdout beyond a single JSON line (a banner, a debug line, a second object) breaks the contract.
- sync fails with "manifest signature verification failed". Usually the gateway's signing key rotated. Confirm the rotation with whoever runs the gateway before trusting a new key, since a substituted or tampered manifest fails the same way; then delete [sync] from ~/Library/Application Support/systemprompt/systemprompt-cowork.toml and re-run install --gateway <url>.
- Chat works but no plugins visible. Sync ran against the user-scope path while Cowork reads system-scope. Reconcile with validate and re-run install under sudo.
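The verification checklist and the helper's one-JSON-line contract from Troubleshooting, as an added script that is not part of the project. The parsing helpers take captured text so they can be exercised on any machine; only run_checks touches a live Mac, and it expects to run as root so the system-scope path is the one inspected. It assumes the helper, invoked with no arguments, emits one JSON object on stdout and that "sync ok: N installed, M updated, K removed" is the exact success line; the audit_events row is gateway-side and is not checked here.

```shell
#!/bin/sh
# Added example (not the project's code): post-rollout checks for one Mac.
# Assumptions: the helper run with no arguments prints one JSON object on
# stdout; sync prints "sync ok: N installed, M updated, K removed" on success.
set -eu

DOMAIN="/Library/Managed Preferences/com.anthropic.claudefordesktop"
PLUGINS_DIR="/Library/Application Support/Claude/org-plugins"
REQUIRED_KEYS="inferenceProvider inferenceGatewayBaseUrl inferenceCredentialHelper inferenceCredentialHelperTtlSec inferenceGatewayAuthScheme"

# Given the text of `defaults read` for the managed domain, print each
# required key that is absent, one per line. Empty output = all five present.
missing_keys() {
  dump=$1
  for k in $REQUIRED_KEYS; do
    printf '%s\n' "$dump" | grep -q "^[[:space:]]*$k[[:space:]]*=" || echo "$k"
  done
}

# The helper contract: stdout is exactly one line and that line is a single
# JSON object. Uses python3 for a real parse when present, else a brace check.
helper_output_ok() {
  out=$1
  [ -n "$out" ] || return 1
  [ "$(printf '%s\n' "$out" | grep -c '')" -eq 1 ] || return 1
  if command -v python3 >/dev/null 2>&1; then
    printf '%s' "$out" | python3 -c \
      'import json,sys; sys.exit(0 if isinstance(json.load(sys.stdin), dict) else 1)' 2>/dev/null
  else
    case $out in
      "{"*"}") ;;
      *) return 1 ;;
    esac
  fi
}

# Accept only the documented success line from sync; print the installed count.
sync_line_ok() {
  n=$(printf '%s\n' "$1" | sed -n 's/^sync ok: \([0-9][0-9]*\) installed, [0-9][0-9]* updated, [0-9][0-9]* removed$/\1/p')
  [ -n "$n" ] && echo "$n"
}

# Live checks; returns non-zero if anything on the checklist fails.
run_checks() {
  status=0
  dump=$(defaults read "$DOMAIN" 2>/dev/null || true)
  missing=$(missing_keys "$dump")
  if [ -n "$missing" ]; then
    echo "managed prefs: missing keys (wrong PayloadScope or PayloadType?):"
    echo "$missing"
    status=1
  fi
  if [ "$(stat -f %u "$PLUGINS_DIR" 2>/dev/null || echo none)" != 0 ]; then
    echo "org-plugins: $PLUGINS_DIR is missing or not root-owned; re-run install under sudo"
    status=1
  fi
  helper=$(defaults read "$DOMAIN" inferenceCredentialHelper 2>/dev/null || true)
  if [ ! -x "$helper" ]; then
    echo "helper: '$helper' is not an executable file"
    status=1
  else
    if ! helper_output_ok "$("$helper" 2>/dev/null || true)"; then
      echo "helper: stdout is not exactly one JSON line"
      status=1
    fi
    # validate: show every non-[ok] line; one [warn] on the cached JWT is
    # expected before first login, anything else fails the check.
    vout=$("$helper" validate 2>&1 || true)
    printf '%s\n' "$vout" | grep -v '\[ok\]' | sed 's/^/validate: /' || true
    if printf '%s\n' "$vout" | grep -v -e '\[ok\]' -e '\[warn\]' | grep -q .; then
      status=1
    fi
    last=$("$helper" sync 2>&1 | tail -n 1 || true)
    if ! sync_line_ok "$last" >/dev/null; then
      echo "sync: $last"
      status=1
    fi
  fi
  return "$status"
}

if [ "${1:-}" = run ]; then
  run_checks
fi
```

Run it as `sudo sh cowork-check.sh run` after the profile and binary are in place. The helper is deliberately invoked the way Cowork invokes it (no arguments, stdout captured), so a stray print statement shows up here as the same failure the UI would report.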
Where to go next
- Windows equivalent: Cowork on Windows
- Architecture and auth tiers: general deployment reference
- Endpoint details: Gateway Service