№ 03Learn With Darin · Field Guide

Claude Cowork: a practitioner’s field guide.

Anthropic's autonomous knowledge-work agent: the one that lives inside Claude Desktop, reads your files, runs your scheduled tasks, and operates your computer on your behalf. What it does, what it shouldn't, and the trust posture you need to make it useful.

Updated May 2026 ~30 min read Pro / Max / Team / Enterprise
Part 01

What Cowork actually is

Cowork is Anthropic's positioning of "Claude Code power for knowledge work": a desktop-resident agent that reads and writes your files, calls your work apps via connectors, and runs work autonomously while you do something else. It launched in research preview at the end of January 2026 and went generally available across macOS and Windows on April 9, 2026, with concurrent enterprise controls.

It's not a separate app. Cowork lives inside the Claude Desktop app, as a top-level mode you can switch into from the regular consumer Claude experience. Same window, different relationship to your machine. You're still talking to Claude; you've just given Claude permission to do more than answer.

The mental model that works:

  • The consumer Claude app is a smart conversation partner that lives in a sandbox.
  • Claude Code is a coding agent in your terminal that operates on a repo.
  • Claude Cowork is a knowledge-work agent on your desktop that operates on your files, calendar, email, docs, and (with permission) the screen.

Where Cowork is genuinely different from "ChatGPT but with file access" is the primitive set: Connectors, Plugins, Projects, Scheduled Tasks, Routines, Dispatch, and Computer Use. None of those primitives are unique to Cowork in isolation. But the way they compose is.

Note Cowork is the only Anthropic surface, as of May 2026, that combines local file access, scheduled autonomy, a connector ecosystem, and Computer Use in one place. The consumer app has subsets; Claude Code has a different subset. Cowork is the union.

Who Cowork is for

Three audiences, in order of fit:

  1. Knowledge workers with recurring multi-source synthesis tasks: analysts, ops folks, researchers, anyone whose week includes "read the same five sources every Monday and produce a brief." Cowork's Scheduled Tasks and Routines are the killer features here.
  2. Teams who want a shared agentic surface, like sales ops, RevOps, and legal ops. The connector ecosystem (Apollo, Clay, Outreach, DocuSign, FactSet, etc.) is built for these workflows.
  3. Engineering teams as a complement to Claude Code, for when the work isn't "edit a repo" but "look at this dashboard, summarize the issue, file a ticket, then write the fix in Code."

Cowork is not a great fit if your work is: pure conversation (use the consumer app), pure code (use Claude Code), or pure mobile-first (Cowork is desktop-anchored and the mobile companion is read-mostly).

Part 02

Getting started

Install

Cowork ships inside Claude Desktop. Steps:

  1. Install Claude Desktop from claude.com/download on Mac (Apple Silicon required) or Windows (x64).
  2. Sign in with a Pro, Max, Team, or Enterprise account. Free does not get Cowork.
  3. In the desktop app's left sidebar, switch to the Cowork mode.
  4. First-run setup: pick a default Project location (a folder Cowork will treat as its home), grant initial folder permissions, optionally connect your first Connector.

That's it. The first-run experience is intentionally lightweight. Cowork wants you to start with one task, not configure twenty things upfront.

The five primitives, in order of importance

The features that matter, ranked by how often you'll touch them:

  1. Projects: workspaces. The thing you organize work around.
  2. Connectors: Cowork's link to your other apps.
  3. Plugins: bundles of conventions, slash commands, and MCP servers per use case.
  4. Scheduled Tasks & Routines: autonomy. The thing that makes Cowork qualitatively different from chatting.
  5. Computer Use: the escape hatch when nothing else covers what you need.
Part 03

Projects

A Cowork Project is a dedicated workspace tied to a folder on disk. Each Project carries its own:

  • Working folder (where Cowork reads and writes files by default).
  • Connector permissions (which Connectors are enabled, scoped to this Project).
  • Plugin set (which Plugins are loaded, again per-Project).
  • Scheduled Tasks and Routines bound to the Project.
  • Conversation history.

The mental shift from the consumer Claude app's "Projects": consumer Projects are conversation contexts; Cowork Projects are workspaces with state on disk. They aren't the same thing, even though Anthropic uses the same word for both.

Tip The first Project you create should be unambitious. Pick one repeating workflow you do every Monday morning. Build it as a Project. Add a Scheduled Task. Wait a week. Then build the second one. Cowork's value compounds with use; trying to model your whole work life in a single setup session is the most common failure mode.

Project hygiene

  • One Project per workflow, not per topic. "Weekly competitive brief" is a Project. "Marketing" is a category that contains many Projects.
  • Keep the folder narrow. Cowork reads everything in the folder. If you point it at ~/Documents you'll get worse, slower behavior than if you point it at ~/Documents/work/competitive-brief.
  • Treat the Project folder as Cowork-managed. Files Cowork creates have semantic meaning to it. Don't restructure them by hand without a reason.
Part 04

Connectors

Connectors are Cowork's official integrations into other apps. As of May 2026, the available roster includes:

  • Google Workspace: Gmail, Calendar, Drive, Docs.
  • Communications: Slack, Microsoft Teams (preview), Zoom.
  • Documents & legal: DocuSign, LegalZoom, Harvey.
  • Sales & outreach: Apollo, Clay, Outreach.
  • Research & data: Similarweb, MSCI, FactSet.
  • Web: WordPress.
  • Custom: any MCP server (see Plugins below).

The list is growing. By the time you read this, expect more.

The permission model

Connectors auth via OAuth through Anthropic's brokered flow. When you enable Gmail, you grant Anthropic an OAuth token scoped to your Gmail account; Cowork then uses that token (with your live user identity) to call Gmail on your behalf. Two implications worth understanding:

  1. Connector tokens are stored per-account. Connecting Gmail in your personal Pro account does not connect it for your Team account, even if both accounts log into the same email.
  2. Connector access is mediated, not granted to the model directly. Cowork sends Claude an abstract description of what's available; Claude proposes actions; Cowork executes them via the connector with your identity. The model never holds your token.

Scope-of-trust framing

The most important question to ask before enabling a Connector: what is the worst-case if Cowork acts wrongly within this Connector's scope?

  • Read-only Connectors (Calendar, Drive, FactSet) are generally low risk. Worst case: Cowork reads something you didn't intend it to. That's awkward but reversible.
  • Read/write Connectors with revocable actions (Gmail drafts, Calendar events) are medium risk. Worst case: Cowork sends an email, files an event, makes a change you have to undo. Annoying but not catastrophic.
  • Read/write Connectors with hard-to-reverse actions (DocuSign signatures, Outreach send actions, anything that touches an external party) are high risk. Worst case: Cowork commits you to something. Treat these like production database writes. Gate behind explicit confirmation, never automate via Routines.
Warn The "high risk" tier above is exactly where Cowork's connectors are most powerful and most footgun-prone. Never wire DocuSign or external send-actions into a Routine without a manual approval gate. The convenience isn't worth the recovery cost when (not if) the agent misjudges.
Part 05

Plugins

Plugins are bundles. The mental model: a Plugin is a "work theme" that ships custom slash commands, Skills, Connectors, and MCP servers as a single install. Where a Connector is one tool, a Plugin is a coordinated set of tools plus the conventions for how to use them.

Examples (real or expected, depending on when you read this):

  • Sales Ops Plugin: bundles Apollo + Outreach + Clay connectors, custom /find-prospects, /draft-outreach slash commands, and Skills for sales-style email drafting.
  • Legal Ops Plugin: bundles DocuSign + Harvey + LegalZoom, with redaction and contract-review Skills.
  • Engineering Triage Plugin: bundles GitHub MCP, your incident-management tool, and Skills for incident summarization.

Plugins can be installed from a public marketplace (Anthropic's curated list) or from private marketplaces on Team and Enterprise plans. Private marketplaces let an admin author and distribute org-specific Plugins. That's the right primitive for "every analyst on our team should have these connectors and these conventions."

MCP support

Cowork is a first-class MCP host: any MCP server can be added as a Connector via the Plugins surface. If a tool you use exposes an MCP server (or you've built one for your own internal tools), Cowork can use it. This is the extension lever for everything Anthropic doesn't ship a Connector for.

Practical advice: start with first-party Connectors before MCP. Built-in Connectors are integrated, audited, and have proper UI for permissions. Custom MCP servers are powerful but ship the burden of operating them onto you.

Part 06

Scheduled Tasks, Routines, and Dispatch

This is the part of Cowork that's qualitatively different from "ChatGPT plus connectors." Three primitives, layered:

Scheduled Tasks

Shipped February 2026, desktop-bound. You give Cowork a task description and a schedule (daily, weekly, custom cron). Cowork runs the task when the desktop app is running. If your laptop is closed, the task waits for the next launch.

Authoring is straightforward. Most people discover it via typing "schedule" before the task description in a Cowork conversation:

schedule: each weekday at 8am, read my unread Gmail
since 6pm yesterday, summarize anything important,
write a brief to ~/work/inbox-brief.md, and surface
anything that requires my response in <5 bullet points>.

Cowork parses this, confirms the schedule with you, and from then on runs it on schedule. The output goes wherever the prompt tells it to: a file, a draft email, a Slack message, etc.

Routines

Shipped April 14, 2026 in research preview. Cloud-hosted automation: the same idea as Scheduled Tasks but runs on Anthropic's infrastructure, not your laptop. Routines can fire when your laptop is closed, when you're traveling, when you're not at your desk.

Tradeoffs vs Scheduled Tasks:

  • Routines work without the desktop app being open. Scheduled Tasks don't.
  • Routines can't access local files (the cloud sandbox isn't your machine). Scheduled Tasks can.
  • Routines can use Connectors. So can Scheduled Tasks.
  • Routines have their own quota separate from interactive Cowork usage; Scheduled Tasks count against your interactive quota.

The split is roughly: local-state tasks → Scheduled Tasks; pure-Connector tasks → Routines.

Dispatch

Dispatch is the workflow layer that connects Cowork on the desktop to Claude on mobile. From your phone, you can hand off a task to your desktop's Cowork to run. From the desktop, you can dispatch a task to a Routine. The naming is doing some work: dispatching a task means "send this off to run elsewhere," not "execute this directly."

Day-to-day Dispatch use cases:

  • "On my walk I think of a research task. Send it to Cowork on my laptop to run when I'm back."
  • "While I'm in this meeting, dispatch the ETL summary I do every Friday."
  • "Triage these 12 emails into 'action,' 'fyi,' 'nope,' dispatched from mobile while I'm in the car."
Tip The single most underrated workflow with Dispatch is to use it during meetings. Catch yourself thinking "I should look into X," and Dispatch sends it to your desktop Cowork as a deferred task. By the time the meeting ends, the answer is waiting for you.
Part 07

Computer Use

Computer Use is Cowork's escape hatch for things no Connector covers. Claude controls your screen (clicking, typing, opening apps, navigating windows) the same way you would. As of May 2026 it's in research preview for Pro and Max plans, available in both Cowork and Claude Code on macOS and Windows.

How it works

  1. You enable Computer Use in Settings (per-Project, gated by an explicit user confirmation).
  2. Claude takes screenshots of your screen, identifies UI elements, and proposes actions: click here, type this, press that key.
  3. Each action is executed via OS-level UI automation (Apple Accessibility on Mac, UI Automation on Windows).
  4. You can watch in real time, intervene if needed, or task-switch and let it run.

The permission model

  • Per-app permission: Claude asks before opening or interacting with each application the first time.
  • Per-folder permission: file system access still goes through the regular Cowork "always allow this folder?" gate.
  • Deletion is gated separately: Cowork prompts for explicit confirmation before any file deletion, even within an allowed folder. This is one of the strongest safeguards.
  • Shell commands run in an isolated VM, not on your machine directly. Code Claude wants to execute is sandboxed.
Warn Here's the asymmetry that's caught security-minded users: Computer Use does not have per-action permission checks the way Cowork's other tools do. Once you've enabled Computer Use for a Project and approved an app, Claude can take an arbitrary sequence of UI actions in that app. That's the whole point (you can't approve every click), but it means you have to trust the high-level instruction at a different level than you'd trust "send this email."

When Computer Use is the right tool

  • Apps without Connectors that you must use (corporate intranets, old web apps, internal SaaS).
  • Multi-step UI flows with no API equivalent.
  • One-off tasks where wiring a Connector isn't worth it.

When it isn't

  • Any task where a Connector exists. The Connector is auditable, the Computer Use isn't.
  • Anything involving credentials Claude didn't see you type.
  • Anything that ought to be reversible but isn't (transferring funds, sending DMs, deleting things).
  • Anything the human would do by clicking through a security warning. Claude won't, but the fact you're considering it means: don't.
Part 08

Enterprise controls

Cowork's GA on April 9, 2026 brought a meaningful set of enterprise controls. The full list:

Role-based access (RBAC)

  • Admins create groups in the admin console (or via SCIM sync from your IdP).
  • Each group is assigned a custom role defining which Cowork capabilities its members can use.
  • Capabilities can be enabled or disabled per-group: Cowork itself, specific Connectors, Computer Use, Routines, Plugins from a private marketplace, etc.
  • Practical pattern: Sales group gets the Sales Ops Plugin and CRM Connectors but not Computer Use; Engineering group gets MCP and Computer Use but not the legal Connectors.

Group spend limits

  • Per-group caps on Cowork usage (interactive + Routines combined).
  • Soft caps trigger warnings; hard caps gate access.
  • Useful for departmental cost attribution and for keeping a stress-test deployment from blowing your monthly bill.

Usage analytics

  • Per-user, per-group, per-Connector usage breakdowns.
  • Surfaces who's using what, which Connectors are getting traction, and who needs onboarding (low usage often = stuck setup).

OpenTelemetry

Cowork emits OpenTelemetry events for everything:

  • Tool and connector calls (which Connector, what it did).
  • Files read and modified.
  • Skills invoked (and which Plugin authored them).
  • Whether each AI-initiated action was approved manually or automatically.
  • Computer Use actions, with target application and action type.

OTel events are compatible with standard SIEM pipelines, including Splunk, Cribl, and any OpenTelemetry-conformant collector. A shared user-account identifier correlates OTel events with records from Anthropic's Compliance API, so you can build a single audit picture across SIEM and the platform's own audit log.

OpenTelemetry export is on Team and Enterprise plans.

SCIM and SSO

Standard SAML / OIDC SSO and SCIM provisioning. Standard fare for Enterprise, but worth confirming because some teams' first attempt is to spin up Cowork without going through their IdP, then migrate later. Migrating later is harder than starting in the right place.

Part 09

Limits and what they mean

Plan availability

  • Free: no Cowork.
  • Pro / Max: full Cowork including Connectors, Plugins, Scheduled Tasks, Routines, Computer Use (preview).
  • Team: Cowork with shared admin controls, group spend limits, OpenTelemetry, private Plugin marketplace.
  • Enterprise: all of Team plus RBAC, SCIM, custom roles, advanced compliance integration.

Quota model

  • Interactive Cowork shares your overall Claude usage budget (the same 5-hour rolling window your consumer Claude conversations use).
  • Routines have a separate cloud-execution quota.
  • Connector calls don't add to the AI quota directly but are subject to the connected service's own rate limits.
  • Computer Use sessions count as interactive Cowork usage for quota purposes.

What Cowork can't do

  • Replace Claude Code for code. Cowork can read and reason about code, but Claude Code's repo-aware loop, hooks, and subagent model are tighter for development. Use Code in Cowork for "look at this code and explain"; reach for Claude Code for "edit this codebase."
  • Operate when the desktop app is closed (for Scheduled Tasks specifically). Routines exist precisely to fill that gap, but they don't have local filesystem access.
  • Be your default mobile assistant. Mobile Cowork is read-mostly. You can dispatch tasks and review status, but interactive Cowork remains a desktop-anchored experience.
  • Run unattended over long horizons. A Scheduled Task that fails at 3am still fails. Cowork retries some failures but isn't a robust workflow engine. For mission-critical scheduled work, build it in your normal infrastructure and have Cowork augment it, not own it.
Part 10

Best practices

i.

Start with one repeating workflow, not a system.

The trap is sitting down on Day 1 to "set up Cowork for everything." Pick the single most boring, most-recurring task on your week, the one you wish would just do itself. Build a Project. Set a Scheduled Task. Live with it for a week. Iterate. Then build the second one. Cowork's value compounds; a thoughtful first Project beats five rushed ones.

ii.

Read the run logs religiously, especially in the first month.

Every Cowork action (every Connector call, every file write, every Computer Use click) is in the activity log under Settings → Activity. Read it. Look for actions you didn't expect. Calibrate your trust. Six weeks of attentive log-reading buys you years of being able to set Routines and walk away.

iii.

Treat Computer Use as a research-preview feature, not a default tool.

Even when it ships out of preview, the per-action permission asymmetry remains. Use Computer Use deliberately, for tasks that genuinely need it, with a Project's folder scope clearly defined. Don't make it your everyday hammer; Connectors and MCP cover most cases more auditably.

iv.

Never wire external send-actions into Routines without confirmation.

Routines run when you're not watching. If a Routine drafts an external email or files a contract, gate the send-action behind a manual review. The prompt pattern: "draft, save to Drafts folder, alert me on iPhone, do not send." Reversibility is the design constraint.

v.

For teams: define group roles before you onboard, not after.

The "everyone gets everything, we'll tighten it later" pattern produces a permission audit later that's harder than starting tight. Give each group only the Connectors and Plugins they need for their work; expand from there. The org's first Cowork-related security review will go better.

vi.

Wire OpenTelemetry to your SIEM on day one.

It's a lot easier to enable OTel forwarding now and configure dashboards over time than to retrofit it after an incident. Even if no one's looking at the SIEM data initially, the data being there means future-you can answer questions about "what did Cowork do last Tuesday."

vii.

Use Plugins to encode "the way our team works."

If five people on your team all need the same five Connectors and one Skill, that's a Plugin. The private Plugin marketplace on Team and Enterprise is the right primitive for "this is how Marketing Ops uses Cowork." Build it once, distribute, evolve. Saves the per-user setup tax that otherwise becomes a wall.

viii.

When escalating a task, escalate to Claude Code or the consumer app, not just to bigger Cowork prompts.

Cowork is a great agent, but it's not the right tool for everything. If you find yourself fighting it for code-heavy work, switch to Claude Code on the same project folder. If you find yourself fighting it for purely conversational thinking, switch to the consumer Claude app's chat. Anthropic ships three surfaces because there are three relationships you can have with the model.

Part 11

Troubleshooting playbook

The patterns to recognize. Each one has a short fix.

"Cowork can't see my file"

The folder isn't in Cowork's allowed list, or the file is in a folder that is allowed but inside a sub-folder Cowork hasn't been told to look at. Check Settings → Cowork → Folders. Re-grant or expand the folder permission. Symlinks across boundaries are particularly common: a symlink target outside the allowed folder won't be readable even if the link itself is.

"My Scheduled Task didn't run"

The desktop app needs to be running for Scheduled Tasks to fire. If your laptop was closed at the scheduled time, the task waits and fires on the next launch, or doesn't fire if "skip missed" is enabled in the task config. For tasks that absolutely need to run on schedule regardless of laptop state, use a Routine, not a Scheduled Task.

"My Routine returned empty"

Routines run in the cloud and don't have local file access. If your prompt asks the Routine to "read my notes" or "check the project folder," it can't. Move that part to a Scheduled Task, or surface the data the Routine needs via a Connector that has a cloud equivalent (Drive, Gmail, etc.) instead of a local file.

"A Connector keeps failing"

Token expiration is the most common cause. OAuth tokens expire and don't always re-issue smoothly. Settings → Connectors → click the failing Connector → reauthorize. If reauthorization succeeds but the next call fails, the upstream service is throttling. Check the run log for rate-limit messages.

"Computer Use is taking actions I didn't expect"

Stop the session immediately (the toolbar's emergency stop, or close the desktop app). Review the activity log: every action is recorded, including the screenshot Claude was looking at when it decided. Tighten the prompt's framing ("do not modify X," "ask before opening Y") and re-run with a smaller, more constrained scope. Computer Use without scope discipline is the highest-volatility part of Cowork.

"Cowork dispatched a task and I can't find it"

Dispatched tasks show up in the dashboard's Tasks view. If you dispatched from mobile to desktop, the desktop has to be online to receive. Otherwise the task is queued and executes on next launch. The dashboard shows status: queued, running, succeeded, failed, manual-action-required.

"My organization's audit log doesn't show what I expected"

Two log surfaces, two formats:

  • Anthropic Compliance API: the canonical audit log. Pull-based, rich detail, retains for the contract period.
  • OpenTelemetry export: push-based, real-time, formatted for your SIEM.

Don't expect them to be identical. The OTel events are higher-frequency and more granular; the Compliance API is the legal-grade record. Correlate them via the shared user-account identifier.

"A Connector got disabled and I don't know who did it"

If you're on Team or Enterprise, an admin may have disabled the Connector group-wide. Check with your admin. Otherwise, expired tokens occasionally surface as a "disabled" status: re-authorize and see if the connector returns.

Part 12

Closing thought

Cowork is the most ambitious agent surface Anthropic has shipped, and the one most likely to genuinely change knowledge work. It's also the one most likely to embarrass you if you treat it like a clever search engine. The defining trait isn't intelligence. It's permission. You're handing the model the keys to your filesystem, your inbox, your calendar, and (on Computer Use) your screen. The leverage is enormous; the failure modes are real.

Cowork is not a smarter Claude. It's a Claude that can do things. Treat the gap accordingly. — TWD

The good news: Anthropic has done a thoughtful job on the permission model. Per-folder gates, per-app prompts, deletion confirmation, OTel export, RBAC for orgs: the bones are right. The failure modes that remain are mostly user-side: too-broad folder grants, Routines wired to external send-actions, Computer Use enabled in haste, group roles set as "everyone gets everything because it's easier."

Build the trust slowly. Start with one Project. Read the logs. Add Connectors deliberately. Use Routines for things you'd be willing to read about in your morning brief if they went sideways. Save Computer Use for last, when nothing else fits.

And keep an eye on the changelog at claude.com/product/cowork. Cowork is moving faster than this guide can keep up with. Connectors, Plugins, and Skills get added monthly; permissions models get refined; the Computer Use research preview will leave preview at some point. Treat this guide as the May 2026 snapshot it is.