[BUG]
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
OTEL_* env vars deployed via remote managed settings (Claude.ai admin console enterprise policy) sync correctly to every machine but are not applied to sessions for most of our org, while non-sensitive env vars from the same env block apply fine. The gating appears to be the managed-settings trust-approval flow, which fires unpredictably mid-session, is easily missed, sometimes results in only partial application after approval, and surfaces zero diagnostics when settings are pending or unapplied.
Our published policy env block:
{
"env": {
"CLAUDE_CODE_ENABLE_TELEMETRY": "1",
"CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1",
"FORCE_AUTOUPDATE_PLUGINS": "true",
"OTEL_EXPORTER_OTLP_ENDPOINT": "https://otel-collector.<vendor>.example.com:443",
"OTEL_EXPORTER_OTLP_HEADERS": "X-Vendor-Token=<REDACTED>",
"OTEL_EXPORTER_OTLP_PROTOCOL": "http/protobuf",
"OTEL_METRICS_EXPORTER": "otlp",
"MANAGED_SENTINEL": "1"
}
}
(MANAGED_SENTINEL was added by us as a control during debugging. Endpoint/header redacted; it is a third-party SaaS OTLP collector reached over HTTPS with token auth in a custom header.)
Evidence chain:
- Sync works:
/statusshows "Enterprise managed settings (remote)" in Setting sources, and~/.claude/remote-settings.jsoncontains ALL keys including the four OTEL_* vars. - Selective application: in the same session,
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS,FORCE_AUTOUPDATE_PLUGINS, andQM_MANAGED_SENTINELare all present in the environment; all four OTEL_* vars are absent. - The approval prompt exists but is unreliable: one user received the "Managed settings require approval / ...could allow execution of arbitrary code or interception of your prompts and responses" prompt mid-session (presumably on the hourly sync), listing FORCE_AUTOUPDATE_PLUGINS, OTEL_EXPORTER_OTLP_ENDPOINT, and MANAGED_SENTINEL. Most users report never seeing it.
- Inconsistent partial state: on a machine where the prompt WAS approved at some point, the sentinel and FORCE_AUTOUPDATE_PLUGINS apply but the OTEL_* keys still do not — despite appearing in the same approval list.
- No diagnostics:
/doctorreports no managed-settings or telemetry issues,/statusshows no pending-approval indicator, and there is no way for a user or org admin to discover that synced settings are sitting unapplied.
Impact: org-wide engineering telemetry (usage/cost attribution) silently broken for nearly all users despite a correctly published and correctly synced policy. We are working around it by mirroring the OTEL env vars into user-scope settings, which bypasses the consent prompt entirely — arguably a worse security outcome than a reliable approval flow.
Related but distinct: #31944 (approval re-triggering / not persisting), #16383 (managed env load order), #46204 (silent telemetry init failure on managed accounts).
What Should Happen?
- Env vars present in remote-settings.json either apply, or their pending/blocked state is clearly surfaced in /status and /doctor (e.g. "3 managed settings pending approval — restart to review").
- The approval prompt appears reliably at session start when approval is pending, rather than only unpredictably mid-session.
- Approval is all-or-nothing per prompt: if a user accepts a list of keys, all listed keys apply (after restart at most).
- Approval state persists across sessions and policy syncs.
- Documented guidance for enterprise admins rolling out OTEL config via remote policy, including the approval UX their users will see.
Error Messages/Logs
No errors anywhere — that is part of the bug.
/doctor: no managed-settings or telemetry warnings (only unrelated MCP auth / plugin items)
/status: shows "Enterprise managed settings (remote)" as loaded; no pending-approval indicator
$ cat ~/.claude/remote-settings.json | jq '.env'
# contains all 8 keys including all four OTEL_* vars (verified on multiple machines)
$ env | grep -iE 'OTEL|AGENT_TEAMS|AUTOUPDATE|SENTINEL|TELEMETRY'
CLAUDE_CODE_ENABLE_TELEMETRY=1 # traced to leftover in user's own ~/.claude/settings.json, NOT managed layer
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1
FORCE_AUTOUPDATE_PLUGINS=true
MANAGED_SENTINEL=1
# all four OTEL_* vars absent
Steps to Reproduce
- In a Claude.ai enterprise org, publish a remote managed policy whose
envblock contains both benign keys (e.g.MY_SENTINEL=1) and OTEL_* exporter config (endpoint, headers, protocol, metrics exporter). - On a member machine, wait for sync (or restart); confirm
~/.claude/remote-settings.jsoncontains all keys. - Start a session; run
env | grep -iE 'OTEL|SENTINEL'. - Observe the sentinel applied and OTEL_ absent — unless/until an approval prompt happens to fire mid-session and is accepted, and in at least one observed case the OTEL_ keys remained unapplied even after approval while sibling keys from the same prompt applied.
Claude Model
Not sure / Multiple models
Is this a regression?
Yes, this worked in a previous version
Last Working Version
Unconfirmed — suspected ≤2.1.168 (behavior appears tied to the v2.1.169 security change re: untrusted settings configuring OTEL without trust confirmation)
Claude Code Version
2.1.173 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Other
Additional Information
- Auth: Claude Team/Enterprise account (organization-managed), NOT Anthropic API key — relevant because #46204 suggests the managed/enterprise account path has distinct telemetry behavior.
- Managed settings delivery: remote policy via Claude.ai admin console only; no MDM file-based managed-settings.json on these machines (the /Library/Application Support/ClaudeCode/ path does not exist).
- Install: native installer, darwin-arm64 (Apple Silicon).
- Screenshot of the mid-session approval prompt attached.
- Diagnostic suggestions: pending-approval visibility in /status and /doctor; a
claude telemetry statusstyle command (also requested in #46204); log approval grants/invalidations somewhere debuggable. - Happy to provide redacted remote-settings.json, timestamps, or run a bisect across versions on request.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗