Policy enforcement
The Enterprise Manager pushes policy directives to Stacklok Desktop that control which features are visible and whether users can override them. This page describes how each directive affects the desktop app.
How it works
On startup, Stacklok Desktop fetches the policy configuration from the
Enterprise Manager. Each directive contains a value and an enforcement
level:
- enforced - the setting is locked. The corresponding UI control is hidden to prevent confusion, since the user cannot change it.
- default - the setting is applied as a default. The user can override it locally.
Stacklok Desktop caches the configuration and re-fetches it periodically. Changes take effect the next time the app polls the Enterprise Manager.
Directives
The following directives affect Stacklok Desktop:
| Directive | What it controls | Hidden when |
|---|---|---|
| help_menu | The help menu (? button) | value is false |
| playground | The Playground tab | value is false |
| non_registry_servers | Installing servers not in the registry | value is false |
| registry | The registry URL in Settings | enforcement is enforced and value is set |
Help menu
When help_menu is set to false, the help button is hidden from the
navigation bar.
Playground
When playground is set to false, the
Playground tab is removed from the
app. See
Stacklok Desktop policies for
how to configure this directive.
Custom MCP servers
When non_registry_servers is set to false, users cannot install MCP servers
from sources outside the configured registry (Docker images, source packages, or
custom URLs). Only servers from the registry are available. See
Non-registry servers policy
for configuration details.
Registry
When registry is set with enforcement: "enforced", the registry settings tab
in Settings is hidden. The registry URL is locked to the value configured by
the admin, and users cannot change it. This also prevents the app from
redirecting users to the registry settings tab on first launch.
When enforcement is "default", the registry settings tab remains visible and
the configured URL is used as a default that users can override.
See Registry policy for configuration details.
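The enforcement levels and the directive table above, modeled as a small resolver that an admin could use to predict what a user will see. This is an added example, not Stacklok's code. The dict shape with value and enforcement keys, the local override store, and deriving the visibility of the three toggles from the effective value are assumptions.

```python
# Added example. The {"value", "enforcement"} dict shape and the local
# override store are assumptions; the page does not show the wire format.
TOGGLES = ("help_menu", "playground", "non_registry_servers")
LEVELS = ("enforced", "default")


def resolve(policy, local_overrides):
    """Return the effective value and UI visibility for each directive."""
    resolved = {}
    for name, directive in policy.items():
        level = directive["enforcement"]
        if level not in LEVELS:
            raise ValueError(f"{name}: unknown enforcement level {level!r}")
        locked = level == "enforced"
        override = local_overrides.get(name)
        # enforced: the policy value always wins; default: a local override wins.
        value = directive["value"] if locked or override is None else override
        if name in TOGGLES:
            # Assumption: visibility follows the effective value.
            hidden = value is False
        elif name == "registry":
            # Hidden only when the admin both locks the setting and sets a URL.
            hidden = locked and bool(directive["value"])
        else:
            hidden = False
        resolved[name] = {
            "value": value,
            "hidden": hidden,
            "override_ignored": locked and override not in (None, directive["value"]),
        }
    return resolved


# Constructed sample data (example.test hosts are placeholders).
SAMPLE_POLICY = {
    "help_menu": {"value": False, "enforcement": "enforced"},
    "playground": {"value": True, "enforcement": "default"},
    "non_registry_servers": {"value": False, "enforcement": "enforced"},
    "registry": {"value": "https://registry.example.test/v1", "enforcement": "default"},
}
SAMPLE_OVERRIDES = {
    "playground": False,
    "non_registry_servers": True,  # user tries to re-enable; policy is enforced
    "registry": "https://mirror.example.test/v1",
}

if __name__ == "__main__":
    for name, state in resolve(SAMPLE_POLICY, SAMPLE_OVERRIDES).items():
        print(name, state)
```

The `override_ignored` flag marks local settings that an enforced directive has superseded, which is useful when auditing a policy change before rollout.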
Startup behavior
When Stacklok Desktop launches:
- The app shows a loading screen ("Starting Stacklok Desktop") while it fetches the policy configuration.
- If the user is not authenticated, the app redirects to the sign-in screen.
- After authentication, the app applies the policy directives and shows the main interface with the appropriate features visible.
If the Enterprise Manager is unreachable during startup, Stacklok Desktop enters degraded mode and uses the cached configuration.
Next steps
- Enterprise Manager policies to configure the directives described on this page
- Degraded mode to control client behavior when the Enterprise Manager is unreachable