Use this reference to understand the currently supported keys in managed-settings.json.
For deployment methods, see Configuring enterprise-managed settings.
Precedence rules
When multiple settings sources are present, settings earlier in this list take precedence over settings later in the list:
- MDM-managed settings
- Server-managed settings
- File-based settings
- User-level settings
Supported keys
| Key | Type | Accepted values | Purpose |
|---|---|---|---|
permissions.disable | string | "disable" | Disables bypass or YOLO-style allow-all behavior |
permissions.model | string | "auto" | Sets auto model selection as the default for new conversations |
enabledPlugins | object | Key format: PLUGIN-NAME@MARKETPLACE-NAME; value: true (enable) or false (disable) | Enables or disables specific plugins by key |
extra | object | Named marketplace objects; supported source types: "github", "git", "directory" | Adds plugin marketplaces that users can access |
strict | array | Array of marketplace objects; supported source types: "github", "git", "url", "npm", "file", "directory", "hostPattern", "pathPattern" | Restricts plugin installation to explicitly listed marketplaces |
telemetry | object | enabled (boolean), endpoint (string), protocol ("http/json" or "http/protobuf"), captureContent (boolean), lock (boolean), serviceName (string), resource (object), headers (object) | Configures OpenTelemetry export for VS Code |
Example configuration
The following example shows these keys in one managed settings file.
{
"permissions": {
"disableBypassPermissionsMode": "disable",
"model": "auto"
},
"enabledPlugins": {
"my-plugin@agent-skills": true
},
"extraKnownMarketplaces": {
"agent-skills": {
"source": {
"source": "github",
"repo": "OWNER/REPO"
}
}
},
"strictKnownMarketplaces": [
{
"source": "github",
"repo": "OWNER/REPO"
}
],
"telemetry": {
"enabled": true,
"endpoint": "https://otel-collector.example.com",
"protocol": "http/protobuf",
"captureContent": false,
"lockCaptureContent": true,
"serviceName": "copilot",
"resourceAttributes": {
"deployment.environment": "production"
},
"headers": {
"Authorization": "Bearer TOKEN"
}
}
}
enabledPlugins
Defines plugins that are automatically installed or blocked for all enterprise users. Each entry uses the format PLUGIN-NAME@MARKETPLACE-NAME as the key, with a boolean value: true to require the plugin to be enabled, or false to require it to be disabled. See About enterprise-managed plugin standards.
extraKnownMarketplaces
Defines additional plugin marketplaces available to users. Each entry is a named marketplace object containing a source property. The following source types are supported:
"github"— requiresrepoinOWNER/REPOformat; optionalref(branch, tag, or SHA) andpath(subdirectory)"git"— requiresurl; optionalrefandpath"directory"— requirespath
See About enterprise-managed plugin standards.
strictKnownMarketplaces
Restricts plugin installation to only the marketplaces explicitly defined by the enterprise. An empty array means complete lockdown. Each entry is a marketplace object with a source property indicating the source type. The following source types are supported:
"github"— requiresrepoinOWNER/REPOformat; optionalrefandpath"git"— requiresurl; optionalrefandpath"url"— requiresurl; optionalheadersobject"npm"— requirespackage"file"— requirespath"directory"— requirespath"hostPattern"— requireshostPattern(regex matching marketplace hosts)"pathPattern"— requirespathPattern(regex matching marketplace paths)
permissions
disableBypassPermissionsMode
Prevents users from enabling bypass mode (also known as "YOLO mode") in Copilot CLI and VS Code. Bypass mode lets an agent run commands, access files, and fetch URLs without asking for approval.
When you set disableBypassPermissionsMode to "disable", users cannot turn on bypass mode in either client:
- In Copilot CLI, the
--yoloand--allow-allcommand-line options and the/yoloand/allow-allslash commands are blocked. Individual flags such as--allow-all-toolsand--allow-all-pathsare not blocked. - In VS Code, the global auto-approve setting (
chat.tools.global.autoApprove), also known as "YOLO mode," is turned off and cannot be re-enabled.
model
Sets auto model selection as the default for new conversations in Copilot CLI. See About Copilot auto model selection.
When you set permissions.model to "auto", new sessions use Auto model unless the user specifies a different model on a per-conversation basis.
telemetry
Configures OpenTelemetry export, routing Copilot usage data to a collector of your choice.
When you set the telemetry property, Copilot telemetry is sent to the endpoint you specify. The following sub-properties are supported:
enabled: Set totrueto turn on telemetry export, orfalseto turn it off.endpoint: The URL of your OTLP collector (for example,https://otel-collector.example.com).protocol: The transport protocol for telemetry export. Accepted values are"http/json"and"http/protobuf".captureContent: Set totrueto include prompt and response content in the telemetry payload, orfalseto exclude it.lockCaptureContent: Set totrueto prevent users from changing thecaptureContentsetting.serviceName: A label for the telemetry service name (for example,"copilot").resourceAttributes: An object of OpenTelemetry resource attributes to attach to all exported telemetry (for example,{"deployment.environment": "production"}).headers: An object of HTTP headers to include with each telemetry request (for example, anAuthorizationheader for your collector).