Enterprise Deployments
This page covers everything needed to deploy Grok Build in enterprise environments, including network requirements, configuration management, authentication options, security controls, and the data lifecycle.
Network requirements
All connections use HTTPS (port 443).
Required
These hosts are needed for core functionality:
| Host | Purpose |
|---|---|
cli-chat-proxy.grok.com | Inference proxy, settings |
auth.x.ai | OAuth2/OIDC authentication |
If using enterprise OIDC, also allow your IdP's domain (e.g., login.microsoftonline.com).
Additional
These hosts support additional features and can be blocked without affecting core authentication and inference:
| Host | Purpose | Impact if blocked |
|---|---|---|
api.x.ai | xAI API (direct API-key path) | Only needed when using api_key auth instead of the inference proxy |
code.grok.com | Remote session sync, sharing, WebSocket relay | Sessions stay local-only; share links unavailable |
assets.grok.com | Profile images, UI assets | User avatars won't load; no functional impact |
x.ai | CLI binary downloads via curl | bash install script | Use npm install -g @xai-official/grok as an alternative that doesn't require this host |
storage.googleapis.com | Fallback CDN for CLI binaries | Only needed if x.ai is unreachable during curl | bash install |
The x.ai and storage.googleapis.com hosts are only needed for the shell-script installer and in-app grok update. If your environment uses npm for distribution (npm install -g @xai-official/grok), neither host is required.
TLS
All connections use TLS 1.2 or TLS 1.3, enforced by rustls (no OpenSSL dependency). Root certificates are loaded from the OS trust store. There is no option to disable TLS. For TLS-inspecting proxies, install the proxy's CA certificate into the OS trust store.
Proxy support
The CLI honors standard proxy environment variables (HTTPS_PROXY, HTTP_PROXY, NO_PROXY). The HTTP connection pool keeps idle connections open for 90 seconds by default (GROK_POOL_IDLE_TIMEOUT_SECS), and inference requests use SSE streaming where the per-chunk idle timeout defaults to 600 seconds. Set proxy idle timeouts to at least 10 minutes to avoid premature disconnects during long model responses.
Configuration
Grok loads configuration from five layers, lowest to highest priority:
| Priority | Source | Purpose |
|---|---|---|
| 1 (lowest) | /etc/grok/managed_config.toml | System-wide managed config |
| 2 | ~/.grok/managed_config.toml | Per-user managed config |
| 3 | ~/.grok/config.toml | User preferences |
| 4 | ~/.grok/requirements.toml | User-level pinned settings |
| 5 (highest) | /etc/grok/requirements.toml | System-level pinned settings |
Settings in requirements.toml cannot be overridden by lower layers, remote settings, or user config — use it for compliance-critical policies. All layers support [[version_overrides]] for version-conditional patches and $VAR expansion.
System-level policy for MDM and fleet deployments
The highest-priority configuration layer is /etc/grok/requirements.toml. This is the recommended mechanism for organizations managing Grok at scale via Mobile Device Management (MDM), golden images, configuration management tools, or onboarding scripts.
Common deployment patterns:
- MDM / endpoint management — Push the TOML files directly into
/etc/grok/on managed workstations. - Golden images / AMIs — Bake the policy files into base images used for developer laptops or CI runners.
Values pinned in requirements.toml use a fail-closed "pin" mechanism: they cannot be overridden by user config.toml, environment variables, remote settings, or lower-priority layers. This makes /etc/grok/requirements.toml the authoritative source for compliance-critical policies such as disabling telemetry, enforcing sandbox profiles, restricting tools, or pinning specific feature flags.
Claude Code compatibility (optional)
Organizations that already use Claude Code and have deployed its managed-settings.json file via MDM can continue to rely on that file. Grok reads a subset of policies from it (permission rules, MCP server allowlists, a few telemetry/feedback flags, and marketplace restrictions) for compatibility.
Grok's own /etc/grok/requirements.toml always takes precedence over the Claude managed-settings.json file. The Claude compatibility layer is only relevant for mixed Claude + Grok environments; pure Grok deployments should use requirements.toml + config.toml.
Authentication
Grok Build supports four session authentication methods:
| Method | Trigger | Refreshable | Best for |
|---|---|---|---|
| Browser OIDC | grok login (default) | Yes | Interactive terminals with a browser |
| Device code | grok login --device-auth | Yes | SSH sessions, containers, headless hosts |
| External auth provider | auth_provider_command in config | Yes | Corporate IdPs, custom token brokers |
| API key | XAI_API_KEY env var or model.api_key in config | No | Scripts, CI/CD, headless automation |
When multiple credentials are available, Grok resolves them per model: model.api_key > model.env_key > active session token > XAI_API_KEY.
Enterprise OIDC
Organizations with a corporate identity provider (Entra ID, Okta, Auth0, etc.) can configure Grok to authenticate directly against it:
Text
[auth.oidc]
issuer = "https://login.yourcompany.com"
client_id = "your-client-id"
Or via environment: GROK_OIDC_ISSUER and GROK_OIDC_CLIENT_ID. The flow uses PKCE and supports refresh_token grants for automatic renewal.
External auth provider
Point Grok at an executable that produces a token on stdout:
Text
[auth]
auth_provider_command = "/usr/local/bin/your-auth-provider"
The command must print either a bare token string or JSON: {"access_token": "...", "refresh_token": "...", "expires_in": 3600} (refresh_token and expires_in are optional). When the token expires, Grok re-runs the command with GROK_AUTH_EXPIRED=1 set. Interactive login allows up to 300 seconds for the command to complete. Background token refresh uses a 10-second timeout; if the command hangs (e.g., waiting for interactive input), Grok kills it and reports the failure.
API key
For CI/CD and headless automation, set the XAI_API_KEY environment variable — no config file needed:
Bash
export XAI_API_KEY="xai-..."
grok -p "Review this diff" --output-format json --always-approve
On persistent developer workstations, you can instead bind a key to a specific model in ~/.grok/config.toml:
Text
[model.grok-build]
api_key = "xai-..."
[models]
default = "grok-build"
See Headless & Scripting for output formats and CLI flags.
Device code
For environments without a browser (SSH, containers, cloud devboxes), device code login follows RFC 8628:
Bash
grok login --device-auth
Grok prints a URL and a short user code. Complete login on any device with a browser.
Security controls
Sandbox
The sandbox is applied once at process startup and is irreversible. It uses Landlock on Linux (kernel 5.13+) and Seatbelt on macOS.
| Profile | Filesystem read | Filesystem write | Child network | Use case |
|---|---|---|---|---|
off | Unrestricted | Unrestricted | Allowed | No sandbox (default) |
workspace | Everywhere | CWD, /tmp, ~/.grok/ | Allowed | Normal development |
devbox | Everywhere | Everything except /data | Allowed | Cloud devbox environments |
read-only | Everywhere | ~/.grok/ and tmp only | Blocked | Code review, auditing |
strict | CWD and system paths only | CWD, /tmp, ~/.grok/ | Blocked | Untrusted repositories |
Set the profile with --sandbox workspace or pin it in requirements.toml under [sandbox] profile.
Certain directories are always write-protected regardless of profile: ~/.ssh, ~/.gnupg, ~/.grok/auth, ~/.aws, ~/.config/gcloud, ~/.azure.
In read-only and strict profiles, child processes are blocked from making network connections via a seccomp BPF filter. This enforcement is Linux-only; on macOS, child network blocking is not currently enforced.
Custom profiles can be defined in ~/.grok/sandbox.toml or .grok/sandbox.toml:
Text
[profiles.my-profile]
extends = "workspace"
restrict_network = true
deny = ["/secrets"]
Permissions
The permission system controls which tool calls the model can execute, independent of the sandbox. When the model requests a tool, checks run in order: PreToolUse hooks, policy rules (deny > ask > allow), built-in fast paths, then the prompt policy. See Modes and Commands for the basic ask and always-approve modes.
For enterprise and CI environments, two additional modes are relevant:
| Mode | Behavior | Typical use |
|---|---|---|
dontAsk | Silently deny anything without an explicit allow rule | Headless, CI, high-security |
acceptEdits | Auto-approve file edits; prompt for shell commands | Semi-automated workflows |
Set via --permission-mode in headless mode (e.g., grok -p "..." --permission-mode dontAsk; accepts default, dontAsk, acceptEdits, bypassPermissions, plan) or [ui] permission_mode in config for persistent use (accepts ask, always-approve).
Always-safe operations
Certain read-only operations are auto-approved without prompting in all modes, including dontAsk: read_file, list_dir, grep, web_search, todo_write, and a curated set of safe shell commands including ls, cat, pwd, date, whoami, hostname, uptime, ps, head, tail, wc, sort, uniq, tr, cut, grep, git status, git branch, git log, git diff, git ls-files, git show, git rev-parse, cargo check, and kubectl get/logs/describe. Shell commands are parsed per-segment — ls && rm -rf / will auto-approve ls but block rm.
Policy rules
Fine-grained allow/deny rules target specific tool types with glob patterns. Deny rules always take precedence over allow rules.
Bash
grok -p "Review the API changes" \
--permission-mode dontAsk \
--allow 'Bash(git *)' \
--allow 'Bash(gh *)' \
--allow 'Read' \
--allow 'Grep' \
--deny 'Bash(rm -rf *)'
Supported tool filters: Bash, Edit, Read, Grep, MCPTool, WebFetch. Rule syntax: Bash(git *) matches any command starting with git; Edit(**/*.rs) matches Rust files; MCPTool(my-server__*) matches MCP tools from a specific server.
Rules can also be set in ~/.grok/config.toml:
Text
[permission]
rules = [
{ action = "allow", tool = "bash", pattern = "git *" },
{ action = "allow", tool = "read" },
{ action = "deny", tool = "bash", pattern = "*" },
]
Dangerous commands
rm, chmod, chown, chgrp, chattr, kill, pkill, killall, and git push always prompt in ask mode, even if the user has whitelisted them. In always-approve mode, they are auto-approved like all other commands. To block them in always-approve mode, add explicit deny rules.
Combining permissions with sandbox
Permissions control what the model is allowed to request. The sandbox controls what the process can do even if a command is approved. For untrusted code, combine dontAsk + narrow allow rules + --sandbox strict.
Privacy & data lifecycle
Data lifecycle
A session moves data through six phases:
- User input — prompt and file content assembled locally.
- Transport — sent over TLS 1.2/1.3 to the inference proxy.
- Inference — the proxy forwards to the model. ZDR organizations route through a dedicated service identity that skips logging.
- Tool execution — happens locally in the user's sandboxed environment.
- Response — streams back over the same TLS connection.
- Session end — no prompts, code, or responses are persisted at the inference layer for ZDR organizations. Local session history is stored in
~/.grok/.
Zero Data Retention
ZDR is enforced at the team level. When enabled for a team or enterprise, zero data retention occurs when using Grok Build.
Last updated: May 24, 2026