Enterprise-managed client governance: disable bypass-permissions (yolo) mode [Public Preview] (#61714)

Co-authored-by: Tim Pope <code@tpope.net>
Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>

Author: 3 people

content/copilot/concepts/agents/about-enterprise-plugin-standards.md

@@ -17,7 +17,7 @@ redirect_from:
 
 > [!NOTE] This feature is in {% data variables.release-phases.public_preview %} and subject to change.
 
-Enterprise-managed plugin standards allow administrators to **define and enforce policies for plugin availability**. By configuring a `settings.json` file in the enterprise's `.github-private` repository, administrators can specify which plugin marketplaces are available to users and which plugins are installed automatically.
+Enterprise-managed plugin standards allow administrators to **define and enforce policies for plugin availability**. By configuring a `{% data variables.copilot.managed_setting_file %}` file in the enterprise's `.github-private` repository, administrators can specify which plugin marketplaces are available to users and which plugins are installed automatically.
 
 ## Where plugin standards apply
 
@@ -30,14 +30,14 @@ Users must upgrade to a supported client version for these standards to be appli
 
 ## How plugin standards work
 
-Enterprise plugin standards use a configuration file stored in your enterprise's `.github-private` repository. The configuration is defined in a `settings.json` file at the following path: `.github/copilot/settings.json`.
+Enterprise plugin standards use a configuration file stored in your enterprise's `.github-private` repository. The configuration is defined in a `{% data variables.copilot.managed_setting_file %}` file at the following path: `.github/copilot/{% data variables.copilot.managed_setting_file %}`. This file was previously called `settings.json`, which is still supported.
 
 For plugin standards, the file can define:
 
 * **Known marketplaces**. Plugin marketplaces that are available to users for browsing and installing plugins.
 * **Default-enabled plugins**. Specific plugins that are automatically installed when users authenticate.
 
-When a user authenticates to {% data variables.product.prodname_copilot_short %} in a supported client, the client queries an API endpoint that reads the `settings.json` from the enterprise's `.github-private` repository. The policies defined in the file are then applied to the user's session.
+When a user authenticates to {% data variables.product.prodname_copilot_short %} in a supported client, the client queries an API endpoint that reads the `{% data variables.copilot.managed_setting_file %}` file. The policies defined in the file are then applied to the user's session.
 
 ## Why use enterprise-managed plugin standards
 

content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/configure-enterprise-plugin-standards.md

@@ -2,7 +2,7 @@
 title: Configuring enterprise plugin standards
 shortTitle: Configure plugin standards
 allowTitleToDifferFromFilename: true
-intro: 'Configure enterprise plugin standards by defining a `settings.json` file in your enterprise''s `.github-private` repository.'
+intro: 'Configure enterprise plugin standards by defining a `{% data variables.copilot.managed_setting_file %}` file in your enterprise''s `.github-private` repository.'
 permissions: Enterprise owners
 versions:
   feature: copilot
@@ -16,9 +16,8 @@ category:
 
 You can apply settings to control users' available plugin marketplaces and default-installed plugins. These settings apply to users on your enterprise's {% data variables.product.prodname_copilot_short %} plan. For more information, see [AUTOTITLE](/copilot/concepts/agents/about-enterprise-plugin-standards).
 
-1. In your enterprise's `.github-private` repository, navigate to the `.github/copilot/` directory. If you don't have a `.github-private` repository yet, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/prepare-for-custom-agents).
-1. Create or edit the `settings.json` file at `.github/copilot/settings.json`.
-1. Add your plugin policy configuration to the file. The `settings.json` file supports the following top-level properties:
+{% data reusables.copilot.create-managed-settings %}
+1. Add your plugin policy configuration to the file. The `{% data variables.copilot.managed_setting_file %}` file supports the following top-level properties:
 
    ```json copy
    {

content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/disable-automatic-commands.md

@@ -0,0 +1,36 @@
+---
+title: Disabling automatic command approval in Copilot clients
+shortTitle: Disable automatic commands
+allowTitleToDifferFromFilename: true
+intro: 'Disable yolo mode to stop agents from running commands without approval.'
+permissions: Enterprise owners
+versions:
+  feature: copilot
+contentType: how-tos
+category:
+  - Configure Copilot
+  - Manage Copilot for a team
+---
+
+> [!NOTE] This feature is in {% data variables.release-phases.public_preview %} and subject to change.
+
+You can prevent users from using modes that enable automatic approval of agent commands in {% data variables.copilot.copilot_cli_short %} and {% data variables.product.prodname_vscode_shortname %}. The `disableBypassPermissionsMode` setting is defined in your enterprise's `{% data variables.copilot.managed_setting_file %}` file and applies to users on your enterprise's {% data variables.product.prodname_copilot_short %} plan.
+
+This setting blocks users from using:
+
+* The `--yolo` or `--allow-all` flag
+* The `/yolo` or `/allow-all` command
+* All runtime paths that enable combined bypass mode
+
+This setting does **not** block individual flags such as `--allow-all-tools` or `--allow-all-paths`.
+
+{% data reusables.copilot.create-managed-settings %}
+1. Add the following property.
+
+   ```json copy
+   {
+     "permissions": {
+       "disableBypassPermissionsMode": "disable"
+     }
+   }
+   ```

content/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/index.md

@@ -7,6 +7,7 @@ versions:
 children:
   - /prepare-for-custom-agents
   - /configure-enterprise-plugin-standards
+  - /disable-automatic-commands
   - /monitor-agentic-activity
   - /enable-copilot-cloud-agent
   - /block-agentic-features

content/copilot/how-tos/copilot-cli/set-up-copilot-cli/configure-copilot-cli.md

@@ -267,7 +267,9 @@ This flag combines:
 * `--allow-all-paths` (disable path verification).
 * `--allow-all-urls` (disables URL verification).
 
-> [!TIP] During an interactive session, you can also enable all permissions with the `/allow-all` or `/yolo` slash commands.
+During an interactive session, you can also enable all permissions with the `/allow-all` or `/yolo` slash commands.
+
+{% data reusables.copilot.disable-bypass %}
 
 ## Further reading
 

content/copilot/how-tos/copilot-cli/use-copilot-cli/allowing-tools.md

@@ -79,6 +79,8 @@ For details of the supported tool kinds, see [AUTOTITLE](/copilot/reference/copi
 
 The following command-line options give {% data variables.copilot.copilot_cli_short %} permission to use all available tools.
 
+{% data reusables.copilot.disable-bypass %}
+
 * `--allow-all-tools` — Full access to the available tools.
 
 * `--allow-all`  or `--yolo` — Equivalent to using all of the `--allow-all-tools`, `--allow-all-paths`, and `--allow-all-urls` options when starting the CLI.

data/reusables/copilot/create-managed-settings.md

@@ -0,0 +1,2 @@
+1. In your enterprise's `.github-private` repository, navigate to the `.github/copilot/` directory. If you haven't set a `.github-private` repository as your enterprise's source of agent configuration, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-agents/prepare-for-custom-agents).
+1. Create or edit the `{% data variables.copilot.managed_setting_file %}` file. (This file was previously named `settings.json`, which is also supported.)

data/reusables/copilot/disable-bypass.md

@@ -0,0 +1 @@
+> [!NOTE] If you have a {% data variables.copilot.copilot_business_short %} or {% data variables.copilot.copilot_enterprise_short %} license, these commands may be blocked by an enterprise administrator.

data/variables/copilot.yml

@@ -254,3 +254,6 @@ copilot_workspace_short: 'Workspace'
 
 # BYOK
 copilot_byok_supported_features: '{% data variables.copilot.copilot_chat_short %}, {% data variables.copilot.copilot_cli_short %}, and {% data variables.product.prodname_vscode_shortname %}'
+
+## File for enterprise client management
+managed_setting_file: 'managed-settings.json'