diff --git a/examples/mdm/README.md b/examples/mdm/README.md new file mode 100644 index 00000000..1d8e6dfc --- /dev/null +++ b/examples/mdm/README.md 
@@ -0,0 +1,28 @@ +# MDM Deployment Examples + +Example templates for deploying Claude Code [managed settings](https://code.claude.com/docs/en/settings#settings-files) through Jamf, Iru (Kandji), Intune, or Group Policy. Use these as starting points — adjust them to fit your needs. + +All templates encode the same minimal example (`permissions.disableBypassPermissionsMode`). See the [settings reference](https://code.claude.com/docs/en/settings#available-settings) for the full list of keys, and [`../settings`](../settings) for more complete example configurations. + + +## Templates + +> [!WARNING] +> These examples are community-maintained templates which may be unsupported or incorrect. You are responsible for the correctness of your own deployment configuration. + +| File | Use with | +| :--- | :--- | +| [`managed-settings.json`](./managed-settings.json) | Any platform. Deploy to the [system config directory](https://code.claude.com/docs/en/settings#settings-files). | +| [`macos/com.anthropic.claudecode.plist`](./macos/com.anthropic.claudecode.plist) | Jamf or Iru (Kandji) **Custom Settings** payload. Preference domain: `com.anthropic.claudecode`. | +| [`macos/com.anthropic.claudecode.mobileconfig`](./macos/com.anthropic.claudecode.mobileconfig) | Full configuration profile for local testing or MDMs that take a complete profile. | +| [`windows/Set-ClaudeCodePolicy.ps1`](./windows/Set-ClaudeCodePolicy.ps1) | Intune **Platform scripts**. Writes `managed-settings.json` to `C:\Program Files\ClaudeCode\`. | +| [`windows/ClaudeCode.admx`](./windows/ClaudeCode.admx) + [`en-US/ClaudeCode.adml`](./windows/en-US/ClaudeCode.adml) | Group Policy or Intune **Import ADMX**. Writes `HKLM\SOFTWARE\Policies\ClaudeCode\Settings` (REG_SZ, single-line JSON). 
| + +## Tips +- Replace the placeholder `PayloadUUID` and `PayloadOrganization` values in the `.mobileconfig` with your own (`uuidgen`) +- Before deploying to your fleet, test on a single machine and confirm `/status` lists the source under **Setting sources** — e.g. `Enterprise managed settings (plist)` on macOS or `Enterprise managed settings (HKLM)` on Windows +- Settings deployed this way sit at the top of the precedence order and cannot be overridden by users + +## Full Documentation + +See https://code.claude.com/docs/en/settings#settings-files for complete documentation on managed settings and settings precedence. diff --git a/examples/mdm/macos/com.anthropic.claudecode.mobileconfig b/examples/mdm/macos/com.anthropic.claudecode.mobileconfig new file mode 100644 index 00000000..35aea626 --- /dev/null +++ b/examples/mdm/macos/com.anthropic.claudecode.mobileconfig @@ -0,0 +1,56 @@ + + + + + PayloadDisplayName + Claude Code Managed Settings + PayloadDescription + Configures managed settings for Claude Code. + PayloadIdentifier + com.anthropic.claudecode.profile + PayloadOrganization + Example Organization + PayloadScope + System + PayloadType + Configuration + PayloadUUID + DC3CBC17-3330-4CDE-94AC-D2342E9C88A3 + PayloadVersion + 1 + PayloadContent + + + PayloadDisplayName + Claude Code + PayloadIdentifier + com.anthropic.claudecode.profile.BEFD5F54-71FC-4012-82B2-94399A1E220B + PayloadType + com.apple.ManagedClient.preferences + PayloadUUID + BEFD5F54-71FC-4012-82B2-94399A1E220B + PayloadVersion + 1 + PayloadContent + + com.anthropic.claudecode + + Forced + + + mcx_preference_settings + + permissions + + disableBypassPermissionsMode + disable + + + + + + + + + + diff --git a/examples/mdm/macos/com.anthropic.claudecode.plist b/examples/mdm/macos/com.anthropic.claudecode.plist new file mode 100644 index 00000000..0a8f8432 --- /dev/null +++ b/examples/mdm/macos/com.anthropic.claudecode.plist 
@@ -0,0 +1,11 @@ + + + + + permissions + + disableBypassPermissionsMode + disable + + + diff --git a/examples/mdm/managed-settings.json b/examples/mdm/managed-settings.json new file mode 100644 index 00000000..adf6ff2f --- /dev/null +++ b/examples/mdm/managed-settings.json @@ -0,0 +1,5 @@ +{ + "permissions": { + "disableBypassPermissionsMode": "disable" + } +} diff --git a/examples/mdm/windows/ClaudeCode.admx b/examples/mdm/windows/ClaudeCode.admx new file mode 100644 index 00000000..703155fe --- /dev/null +++ b/examples/mdm/windows/ClaudeCode.admx @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/examples/mdm/windows/Set-ClaudeCodePolicy.ps1 b/examples/mdm/windows/Set-ClaudeCodePolicy.ps1 new file mode 100644 index 00000000..84cb1cf6 --- /dev/null +++ b/examples/mdm/windows/Set-ClaudeCodePolicy.ps1 @@ -0,0 +1,28 @@ +<# +Deploys Claude Code managed settings as a JSON file. + +Intune: Devices > Scripts and remediations > Platform scripts > Add (Windows 10 and later). + Run this script using the logged on credentials: No + Run script in 64 bit PowerShell Host: Yes + +Claude Code reads C:\Program Files\ClaudeCode\managed-settings.json at startup +and treats it as a managed policy source. Edit the JSON below to change the +deployed settings; see https://code.claude.com/docs/en/settings for available keys. +#> + +$ErrorActionPreference = 'Stop' + +$dir = Join-Path $env:ProgramFiles 'ClaudeCode' +New-Item -ItemType Directory -Path $dir -Force | Out-Null + +$json = @' +{ + "permissions": { + "disableBypassPermissionsMode": "disable" + } +} +'@ + +$path = Join-Path $dir 'managed-settings.json' +[System.IO.File]::WriteAllText($path, $json, (New-Object System.Text.UTF8Encoding($false))) +Write-Output "Wrote $path" diff --git a/examples/mdm/windows/en-US/ClaudeCode.adml b/examples/mdm/windows/en-US/ClaudeCode.adml new file mode 100644 index 00000000..0c3eef51 --- /dev/null +++ b/examples/mdm/windows/en-US/ClaudeCode.adml 
@@ -0,0 +1,31 @@ + + + Claude Code + Claude Code policy settings + + + Claude Code + Managed settings (JSON) + Configures managed settings for Claude Code. + +Enter the full settings configuration as a single line of JSON. The value is stored as a REG_SZ string at HKLM\SOFTWARE\Policies\ClaudeCode\Settings and is applied at the highest precedence; users cannot override these settings. + +Example: +{"permissions":{"disableBypassPermissionsMode":"disable"}} + +For the list of available settings keys, see https://code.claude.com/docs/en/settings. + +If your configuration is large or you prefer to manage a JSON file directly, deploy C:\Program Files\ClaudeCode\managed-settings.json instead (see Set-ClaudeCodePolicy.ps1). + + + + + + + + + + diff --git a/examples/settings/README.md b/examples/settings/README.md index 9bc4f381..34e60cae 100644 --- a/examples/settings/README.md +++ b/examples/settings/README.md @@ -1,6 +1,6 @@ # Settings Examples -Example Claude Code settings files, primarily intended for organization-wide deployments. Use these are starting points — adjust them to fit your needs. +Example Claude Code settings files, primarily intended for organization-wide deployments. Use these as starting points — adjust them to fit your needs. These may be applied at any level of the [settings hierarchy](https://code.claude.com/docs/en/settings#settings-files), though certain properties only take effect if specified in enterprise settings (e.g. `strictKnownMarketplaces`, `allowManagedHooksOnly`, `allowManagedPermissionRulesOnly`). 
@@ -26,6 +26,10 @@ These may be applied at any level of the [settings hierarchy](https://code.claud - Before deploying configuration files to your organization, test them locally by applying to `managed-settings.json`, `settings.json` or `settings.local.json` - The `sandbox` property only applies to the `Bash` tool; it does not apply to other tools (like Read, Write, WebSearch, WebFetch, MCPs), hooks, or internal commands +## Deploying via MDM + +To distribute these settings as enterprise-managed policy through Jamf, Iru (Kandji), Intune, or Group Policy, see the deployment templates in [`../mdm`](../mdm). + ## Full Documentation See https://code.claude.com/docs/en/settings for complete documentation on all available managed settings.
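Review bot: the first Tips bullet in examples/mdm/README.md refers to the placeholder `PayloadUUID` as if there were one, but the `.mobileconfig` added in this patch carries two: `DC3CBC17-3330-4CDE-94AC-D2342E9C88A3` on the profile and `BEFD5F54-71FC-4012-82B2-94399A1E220B` on the inner payload. The inner `PayloadIdentifier` (`com.anthropic.claudecode.profile.BEFD5F54-71FC-4012-82B2-94399A1E220B`) also embeds the second UUID. Suggest rewording the tip to say that both `PayloadUUID` values must be regenerated and that the identifier suffix has to be updated to match, so that admins who follow the tip literally do not ship a profile that still carries the shared sample values.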
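Review bot: in examples/mdm/windows/Set-ClaudeCodePolicy.ps1, `$dir = Join-Path $env:ProgramFiles 'ClaudeCode'` is only correct when the Intune option "Run script in 64 bit PowerShell Host: Yes" from the header comment is actually set. In a 32-bit host on 64-bit Windows `$env:ProgramFiles` resolves to `C:\Program Files (x86)`, so the script would write the file outside the `C:\Program Files\ClaudeCode\` path the header says Claude Code reads, and would still print "Wrote ...". Suggest failing fast when `[Environment]::Is64BitOperatingSystem` is true and `[Environment]::Is64BitProcess` is false, or preferring `$env:ProgramW6432` when it is set. Separately, the here-string is written without being parsed; a `$json | ConvertFrom-Json | Out-Null` ahead of `WriteAllText` would, with `$ErrorActionPreference = 'Stop'`, keep a malformed edit from reaching the fleet.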
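Review bot: the policy help text in examples/mdm/windows/en-US/ClaudeCode.adml leaves three things undocumented that an admin needs before relying on this as a control. It says to switch to the file "if your configuration is large" without giving the size at which the text box stops accepting input; it does not say what happens when the `Settings` value is not valid JSON (whether the policy is ignored or startup fails); and it does not say which source wins when both `HKLM\SOFTWARE\Policies\ClaudeCode\Settings` and `C:\Program Files\ClaudeCode\managed-settings.json` are present. Suggest adding one sentence for each, or linking to the section of the settings documentation that covers them.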
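Review bot: the new "Deploying via MDM" section in examples/settings/README.md says "To distribute these settings", but the templates it links to all encode a single key (`permissions.disableBypassPermissionsMode`), and the mdm README points back here for fuller configurations. Suggest adding a sentence on how to carry one of the JSON examples in this directory into each template: the `managed-settings.json` and registry routes take the JSON itself (single-line for the registry value), while the plist and `.mobileconfig` need the same keys re-expressed as a plist dictionary. A pointer to the `/status` check from the mdm README would also fit next to the existing "test them locally" tip.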