Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt

Use this file to discover all available pages before exploring further.

MCP Manager is the control point for MCP in your organization — but it is one layer of a defense-in-depth strategy, not the whole thing. A gateway governs everything that flows through it: identity, which tools are exposed, what data may pass, and a complete audit trail. The job of an enterprise rollout is to make sure MCP traffic actually goes through the gateway — and then to use the controls inside MCP Manager to lock down what happens there. This page covers both halves: where MCP Manager fits in your stack, and the levers admins have.
The in-platform controls below are gated by capabilities (for example Disable and enable hosts, Basic gateway management, Manage feature provisioning settings, Manage integrations). Access depends on the capability granted to your role, not on any fixed role name. See the capabilities reference.

Where MCP Manager fits: defense in depth

Think of MCP governance as a stack. MCP Manager is the enforcement and visibility layer in the middle; the layers around it exist to ensure clients can only reach servers by going through it.
  • Endpoint layer (MDM / EDR). Your device-management and endpoint-protection tooling controls which apps run on managed machines and can allowlist MCP Manager’s network traffic.
  • AI client layer (connector allowlists). Enterprise and team tiers of the major AI clients let an admin restrict which connectors users may add.
  • MCP Manager (the gateway). The single governed path where identity, tool exposure, content rules, and logging are enforced.
  • Your servers. Reachable only through the gateway when the layers above are configured to funnel traffic to it.

Funneling all MCP usage through the gateway

The most common enterprise question is: what stops a user from just adding their own MCP server directly in their AI client and bypassing the gateway entirely? MCP Manager governs what passes through it, so the answer is to ensure clients can only reach the gateway. This is done at the layers around MCP Manager:
  • Client-side connector allowlists. The team and enterprise tiers of clients like Claude, ChatGPT, and Cursor let administrators control which connectors users can add. Allow only your MCP Manager gateway URL, and a user can no longer wire up an arbitrary MCP server in that client. (This is how Usercentrics runs internally — MCP Manager is the only permitted Claude connector.)
  • Endpoint management (MDM / EDR). Manage which AI clients and configurations are present on company devices, and use EDR allowlisting so only MCP Manager’s egress traffic is permitted.
  • Network controls and static egress IPs. MCP Manager can present static egress IP addresses, so you can allowlist its traffic at the firewall and have sensitive upstreams accept connections only from the gateway. Managed servers can be locked to that static IP directly.
MCP Manager cannot, on its own, stop someone from running an MCP client on an unmanaged personal device outside your control — no gateway product can. That is precisely why the surrounding endpoint and client-allowlist layers matter: together they ensure that on the devices and clients you do manage, the gateway is the only path. Treat MCP Manager as the enforcement point, and the client/endpoint controls as what funnels traffic to it.

What MCP Manager governs on the device — and what it doesn’t

MCP Manager governs the MCP connection: which servers and tools an app or agent can reach through the gateway, as whose identity, with what data allowed to pass, and a log of every call. It does not control what an AI client does locally on the machine it runs on. When the client is a desktop app — Claude Desktop, for example — local behavior such as reading files on disk, accessing the clipboard, or taking screenshots happens on the device, outside any MCP server, so it never traverses the gateway and is not something MCP Manager can see or stop. Those local behaviors belong to the endpoint layer — your MDM/EDR and OS-level policy, which decide what an app may do on a managed device. The two are complementary: MCP Manager governs everything that flows through MCP, and your device tooling governs what runs on the machine. (Local MCP servers are the exception that proves the rule — when a tool is an MCP server running on the workstation, routing it through a workstation server brings it back under the gateway’s governance.)

Lockdown levers inside MCP Manager

Once traffic flows through the gateway, these are the controls admins own directly:
LeverWhat it locks downWhere
Allowed apps & agentsStandardize on some clients and block others — e.g. allow Claude org-wide, block ChatGPT — and cut off any single agent.Apps & Agents
Teams & rolesWho can reach which gateway, and what each person is allowed to do with it.Roles · Teams
Feature provisioningWhich tools, resources, and prompts a gateway exposes at all — fail-closed, so only allowlisted capabilities pass.Feature Provisioning
Identity scheme per serverWhether each server uses each user’s own identity or a shared service account.Identity Controls
Gateway rulesWhat data may flow — PII redaction, secret blocking, prompt-injection defense.Gateway Rules
SSO & SCIMCentralized sign-in and automatic provisioning/deprovisioning from your IdP.SSO · SCIM
Break-glass togglesInstantly disable an identity, connection, host, server, or gateway during an incident or offboarding.Runtime Protections
Log export to SIEMStream every call to your own observability/SIEM for retention and monitoring.Export to SIEM
Together these answer the governance questions an enterprise security review asks: who can use which tools, as whose identity, with what data allowed to pass, provably logged, and instantly revocable.
1

Pilot in a single gateway

Stand up one gateway with a small set of servers and a pilot team. Start with the picker URL and a simple topology — see Gateway Deployment Strategies.
2

Make the gateway the only allowed connector

In your AI clients’ admin settings, restrict connectors to the MCP Manager gateway URL. Reinforce with MDM/EDR on managed devices so the gateway is the only reachable path.
3

Wire up identity

Connect SSO so everyone signs in through your IdP, and turn on SCIM so team membership — and deprovisioning — sync automatically.
4

Provision tools and apply rules

Use feature provisioning to expose only the tools each gateway needs, and add gateway rules for PII and injection on the gateways that handle sensitive data.
5

Turn on logging export and expand

Forward logs to your SIEM, confirm the audit trail meets your requirements, then expand to more teams — splitting into per-team or per-use-case gateways as needs diverge.

Further reading

Gateway Deployment Strategies

Choosing a gateway topology — organization-wide, per team, per server, or per use case.

Apps & Agents

Allowing some clients and blocking others, and disabling a specific app or agent.

SSO

Delegating sign-in to your organization’s identity provider.

SCIM

Automatic user provisioning and deprovisioning from your IdP.

Architecture & Trust

How the gateway path is secured — encryption, isolation, and static egress IPs.

Capabilities

The permissions behind every lockdown lever on this page.