Finished reading? Continue your journey in AI with these hand-picked guides and tutorials.
Boost your workflow with our browser-based tools
Share your expertise with our readers. TrueSolvers accepts in-depth, independently researched articles on technology, AI, and software development from qualified contributors.
TrueSolvers is an independent technology publisher with a professional editorial team. Every article is independently researched, sourced from primary documentation, and cross-checked before publication.
Claude's new computer use and Dispatch features officially launched this month, and the capability is real: Claude can now point, click, and navigate your Mac on your behalf while you send instructions from your phone. But the feature comes with access restrictions, a safety architecture that works differently than most users will assume, and reliability numbers that define a specific early adopter profile. Understanding all three determines whether you should enable it today or hold off.
Anthropic's official blog, published on March 23, 2026, characterizes computer use as "still early compared to Claude's ability to code or interact with text" — an unusually candid opening for a product launch post. The capability itself is straightforward: when Claude is working in Cowork or Claude Code and needs to complete a task that no connector covers, it takes direct control of your browser, mouse, keyboard, and screen to get it done.
Dispatch, which launched a week earlier on March 17, 2026, is the companion feature that makes this genuinely useful for working professionals. It creates a single continuous thread between your Claude mobile app and your desktop. You send a task from your phone, your Mac executes it, and you pick up the finished work when you're back at your computer. Anthropic's launch demo showed Claude autonomously exporting a pitch deck as a PDF and attaching it to a calendar meeting invite, the kind of connector-bridging task that previously required manual steps between apps.
The two capabilities are separate but designed to work together. Cowork functions without Dispatch, and Dispatch without computer use is still useful for connector-based tasks. The full marketed experience, assigning a task from your couch and returning to find it done on your desktop, requires both features active simultaneously.
Claude follows a strict priority order when handling tasks. Connectors come first: if a Slack or Google Calendar integration covers what you need, Claude uses it. If not, the browser is the next option. Direct screen control, what most people mean when they say "computer use," is the third and last resort. This hierarchy matters both for speed and for understanding where the capability actually sits in Anthropic's product thinking.
Most announcement coverage describes what Claude computer use can do. The detail that matters more for anyone considering enabling it is how it runs, specifically where it runs in relation to Cowork's existing safety layer.
Anthropic's official support documentation specifies that computer use "runs outside the virtual machine" Cowork normally uses for file work. Standard Cowork operations, pulling files, running commands, processing documents, happen inside a sandboxed Linux VM on your Mac. Computer use reaches past that containment layer and interacts with your real desktop. This means the protections that surround Cowork's normal file operations do not extend to screen-control operations.
Anthropic has built layered safeguards into the system: Claude must ask for explicit permission before accessing each new application, certain categories of apps (investment platforms, cryptocurrency) are blocked by default, and users can add any app to a permanent blocklist. Claude takes screenshots to understand screen state, which means anything visible on your display, documents left open, browser tabs, is visible to Claude during a session. The company trains Claude to refuse risky operations like fund transfers and to flag signs of external manipulation, but the documentation is explicit that these guardrails are not absolute.
The prompt injection threat deserves specific attention. The "Use Cowork safely" documentation states that web content is "a primary vector for prompt injection attacks," meaning malicious instructions embedded in websites, documents, or emails that Claude encounters during a task. A documented real-world case from security analysis found that a Word document with 1-point white text, invisible to a human reader, successfully tricked Cowork into uploading financial files to an attacker's account. The instruction was invisible but Claude could read it.
Anthropic's transparency page confirms that with new safeguards in place, only 1.4% of attacks were successful against Claude Opus 4.5 in browser environments, down from 10.8% with previous safeguards. That represents genuine progress. But independent security benchmarking by Gray Swan found that the attack success rate climbs to 33.6% after 10 attempts against Opus 4.5, and to 63% after 100 attempts. Anthropic itself states that prompt injection "is far from a solved problem, particularly as models take more real-world actions."
Computer use runs outside the virtual machine that protects Cowork's normal file operations, and Dispatch removes the last natural safeguard that existed when you were watching. Before computer use, a human observer sitting at the keyboard was a passive check on anything Claude encountered. Dispatch eliminates that check: you assign a task from your phone, you walk away, and Claude operates your desktop while you're absent. An email with embedded malicious instructions processed during an overnight scheduled Dispatch task encounters no VM containment and no human review simultaneously. Neither feature creates this exposure alone. Together, they compound it in a way that no official announcement framing makes clear.
The practical recommendations from Anthropic's own safety documentation follow from this architecture: create a dedicated folder for Cowork to work within rather than granting broad file access, keep backups of important files before any session, block sensitive apps proactively before enabling computer use, and restrict browser access to sites you trust. These are not generic caution disclaimers; they reflect the actual exposure surface.
Computer use is available on Pro and Max plans only; Team and Enterprise plans do not have access at this time. The feature is macOS only. We have not found a specific timeline from Anthropic for Windows support; the documentation notes it is coming without committing to a date.
The subscription structure breaks down as follows: according to current pricing data, Pro costs $20 per month, Max 5x costs $100 per month, and Max 20x costs $200 per month, with Team accounts starting at $25 per seat per month billed annually. The distinction between Pro and Max is primarily usage volume, not feature access; both tiers have computer use available.
The Team exclusion is the part of the access structure that deserves examination. Team accounts already have Cowork access, so the gap is not about feature maturity. Anthropic's Cowork product page states explicitly that "Cowork activity is NOT captured in Audit Logs, Compliance API, or Data Exports" and warns organizations not to use Cowork for HIPAA, FedRAMP, or financial services regulated workloads. Adding screen-level desktop control to an activity layer that is already excluded from compliance infrastructure would make Cowork unusable in any regulated environment. The exclusion protects organizations from deploying a capability that would immediately create audit and compliance gaps they cannot manage.
Beyond compliance, the all-or-nothing organization toggle means there are no per-user or per-role controls during this research preview. An administrator enabling computer use for one employee enables it for all.
Pro subscribers at $20/month have access to computer use right now; Team subscribers paying five times more per seat do not: a pricing-access inversion that reflects compliance risk, not feature priority. The feature exists and works. What Anthropic has determined is that deploying it in organizational environments without audit log support would create more problems than it solves. Individual Pro subscribers, operating outside enterprise compliance requirements, face no such constraint.
Setup requires updating both Claude Desktop and the Claude mobile app to their latest versions. From the desktop app, go to Settings, then General, and look for the Computer use toggle under Desktop app settings. Once enabled, open a Cowork or Claude Code session and assign a task involving an app that has no connector. Claude will prompt you to approve access to that application before proceeding.
Pairing the mobile app for Dispatch uses a QR code scan and completes in seconds. The Dispatch interface lives in the left pane of the mobile app. Worth knowing: there is no visible "Dispatch" button to press. Sending a task from Cowork on your phone automatically becomes a dispatched task.
You can use Cowork without Dispatch, but the combined Dispatch plus computer use experience is the full workflow being marketed. Early testing results point to approximately 50% completion rates on complex multi-step tasks. We note this figure represents a small early-user sample and will shift as the capability matures. Simple tasks, file searches, single-document summaries, pulling data from a connected source, succeed far more reliably. Some basic app interactions, opening Safari directly or launching Terminal, occasionally fail even on simple commands.
The most effective starting approach is using computer use for tasks where a connector almost exists but doesn't quite: an internal company dashboard, a specialized tool your team uses, a form in a web app that has no API integration. These are exactly the gaps the three-tier hierarchy was designed to fill. Scheduled tasks through Dispatch are useful but require your computer to stay awake and the Desktop app to remain running. If the machine sleeps, the task stops.
The field of desktop AI agents expanded rapidly in the weeks surrounding this launch. OpenAI Operator, Meta's Manus (recently acquired from its original creators), and OpenClaw each offer overlapping but distinct capabilities.
The priority order Claude follows for task routing, starting with connectors, then the browser, and finally direct screen control, tells a more honest story about the current state of computer use than any benchmark does. The hierarchy is not incidental; it reflects that direct screen interaction is slower, more error-prone, and harder to secure than purpose-built connector paths. This ordering suggests that Anthropic views screen-based automation as a necessary bridge to a world of better connectors, not as the destination itself, though the company has not stated this explicitly.
OpenAI Operator operates within a managed virtual browser environment and focuses primarily on web-based task automation. It is easier to start with for non-technical users and requires less trust configuration. Claude's computer use extends beyond the browser to any desktop application, which is more powerful and considerably more complex to deploy safely.
Manus runs entirely in the cloud, executing tasks inside its own isolated Linux sandbox rather than touching your local machine. Because Manus works in a remote environment, your files travel to a contained cloud space during task execution rather than being processed on your physical desktop. This creates a different risk profile: cloud exposure instead of local exposure. OpenClaw, which preceded this launch and whose creator subsequently joined OpenAI, supports macOS, Windows, and Linux and offers flexibility to use local models, but requires more technical configuration than any of the cloud-based options.
The connector-first design means screen control is, by Anthropic's own architecture, a last resort. For users whose work is centered in apps that have Claude connectors, Slack, Gmail, Google Drive, Notion, GitHub among the 38 or more available, computer use may rarely activate at all. That is by design, and it is worth knowing before expecting computer use to become a dominant part of your daily Claude interactions.
Anthropic explicitly recommends starting with apps you trust and not working with sensitive data during this research preview period. That guidance is accurate but not specific enough to be actionable. The decision to enable computer use depends on four variables: your subscription plan, your operating system, the sensitivity of your work, and your risk tolerance for experimental tooling.
This is the profile for which computer use is clearly ready. Tasks like pulling together a competitive analysis using local files, navigating an internal dashboard without an API, filling in a spreadsheet across multiple sources, and organizing folders fall within what the capability handles reliably. Start by granting Claude access to a dedicated working folder rather than your entire file system, block any apps containing personal or financial data before enabling the toggle, and keep backups of files you cannot afford to lose. Cowork requires explicit permission before permanently deleting anything, which provides a meaningful safety check.
The combination of outside-VM execution, Dispatch's unattended operation, and the current state of prompt injection defenses makes this profile a clear candidate to wait. The attack success rate in browser environments drops to 1.4% with current safeguards, but that figure rises sharply with repeated attempts and does not account for the full screen-control surface. If your work touches healthcare records, financial accounts, legal documents, or personal data belonging to others, the current guidance from Anthropic is explicit: don't use computer use with those applications.
Computer use is not available to you yet. The access gap reflects compliance infrastructure constraints, not feature immaturity. The practical path forward is to maximize connector use across the 38 or more available integrations, which handle the most common professional app categories, and to revisit computer use access once Anthropic extends it to organizational plans with appropriate audit and compliance tooling.
Computer use is macOS only at this time. Windows support is noted as coming in Anthropic's documentation without a committed timeline. There is nothing to enable yet.
The feature's real value right now is narrower than the announcement framing suggests, and more useful than skeptics might expect. It fills a specific gap: the app on your workflow that has no connector, the form you fill weekly in a tool with no API, the internal dashboard your team has built without any integration support. For that gap, and for users who fit the first profile above, it is worth enabling and testing this week. For everyone else, the more productive move is to build out connector coverage while the capability matures. Before your first Cowork session, a Claude setup guide covering the configuration steps most new users skip is worth reading to make the most of what's already available.
The task stops. Dispatch requires both the Claude Desktop app to be running and your computer to be awake for any execution to continue. If the machine sleeps mid-task, Claude cannot proceed. Scheduled tasks follow the same rule: they only run during periods when the desktop app is active. Before starting any long-running or scheduled Dispatch job, disable sleep mode for that session or use a utility that keeps your Mac awake. There is currently no mechanism for Claude to queue a paused task and resume automatically when the computer wakes.
Cowork has persistent memory that helps Claude understand your workflow patterns and preferences across sessions. That memory excludes sensitive categories by default: passwords, financial details, and health information are not retained. You can view everything Cowork has retained, edit specific memory entries, and delete any or all of it at any time through the settings. This is worth doing periodically if you have run sessions involving work you do not want Claude to carry forward, even if that information falls outside the excluded categories.
Not currently. The exclusion applies to the entire research preview period and reflects the audit log gap that exists at the Cowork activity level: Cowork is not captured in audit logs, the Compliance API, or data exports, and Anthropic explicitly advises against using it for regulated workloads. Adding screen-level desktop control to that infrastructure without compliance tooling would create exposure most organizations cannot manage. The practical path for Team and Enterprise users is full connector deployment across available integrations while monitoring for when Anthropic extends computer use access to organizational plans.
Claude requests explicit permission before accessing each application, and you must approve each one individually before Claude can interact with it. Some categories are blocked by default with no override option: investment platforms and cryptocurrency applications fall into this group. You can add any app to a blocklist through settings, which prevents Claude from ever requesting access to that application. Claude also takes screenshots to understand screen state during computer use sessions, which means any information visible on your display at the time of a session is visible to Claude within the applications you have approved. Closing sensitive tabs and apps before starting a computer use session is the most straightforward way to manage this exposure.