Claude Cowork desktop architecture overview
This article explains how Claude Cowork runs on member devices and the admin controls available for restricting its scope on managed devices.
Claude Cowork's two execution environments
Claude Cowork uses two execution environments on each member's device:
Admin controls for managed devices
Two MDM keys let you restrict Cowork's scope on managed devices. Both are device-level settings applied through your MDM solution, not from organization settings.
The organization-wide Cowork toggle in Organization settings > Cowork (Enable for your organization) controls whether Cowork is available at all. The device-level controls above only apply when Cowork is enabled.
Frequently asked questions
What happens if a member's device can't start the VM?
Cowork continues running file and web tools while the VM is unavailable. Shell commands and code execution report "workspace unavailable" until the VM recovers.
Does Cowork activity show up in audit logs?
Can endpoint detection (EDR) tools inspect activity inside the VM?
No. The VM is isolated from host-based security tools by design. If your compliance posture depends on endpoint visibility, account for this before rolling out Cowork.
Related Articles
Install Claude Desktop
Deploy Claude Desktop for macOS
Get started with Claude Cowork
Use Claude Cowork safely
Use Claude Cowork on Team and Enterprise plans