OpenAI Codex Takes Over Windows: What the @Computer Command Means for Agentic Developer Workflows

Codex doesn’t just write code anymore. It clicks buttons, reads screens, and operates your Windows machine while you watch from your phone.

OpenAI has expanded Codex with autonomous desktop control for Windows and macOS. The @computer command activates a computer-use mode that lets the agent perceive graphical interfaces and take action on them, opening applications, navigating menus, running terminal commands, interacting with browser windows. According to OpenAI’s developer documentation, Codex can “see and operate graphical user interfaces on macOS or Windows.” The Verge confirms the expansion specifically: “OpenAI’s Codex can now control your Windows computer, too.” The mobile layer adds a second dimension. ChatGPT on iOS and Android now lets developers monitor Codex tasks running on a host machine, issue steering instructions mid-task, and approve or halt actions before they execute. That’s asynchronous oversight at the desktop level from a device that’s nowhere near the machine. For solo developers and distributed engineering teams, it’s a meaningful operational shift.

Why does this matter? The audience for this feature isn’t someone who wants AI to type for them. It’s developers managing multiple long-running agentic tasks across environments, CI/CD pipelines, test runners, deployment scripts, build processes, who want to check in without sitting at a workstation. The mobile approval layer is specifically designed for that workflow. The catch is that enabling OS-level agent access is a permission decision, not just a feature toggle. An agent that can interact with any GUI element on your machine can, in principle, interact with any GUI element on your machine. Enterprise IT and security teams evaluating Codex computer use will need to define what guardrails exist around application scope, session duration, and action logging before this goes anywhere near production infrastructure.

Codex has been accumulating surface area steadily. Goal Mode reached general availability in late May, giving Codex the ability to break long-horizon objectives into multi-step execution plans. The Dell on-premises partnership extended that capability to air-gapped enterprise environments. Windows computer use is the next expansion, moving from the terminal into the full graphical layer of the operating system. Each step has increased the attack surface and the trust requirement. The mobile remote layer is architecturally interesting because it introduces an approval checkpoint that wasn’t present in earlier Codex iterations, which suggests OpenAI is aware that autonomous OS control needs a human-in-the-loop mechanism even when the human is on a different device.

Two model retirements are also in the pipeline. Multiple reports indicate OpenAI will retire GPT-4.5 from its ChatGPT consumer interface on June 27, 2026, following a 30-day sunset period, with o3 following on August 26, 2026, after a 90-day window. Both models are reported to remain fully available via the API, the retirements affect ChatGPT’s consumer product, not API access. That distinction matters: teams running GPT-4.5 or o3 through API integrations don’t face a forced migration on these timelines. Teams using them through ChatGPT’s interface do. For migration planning context, the developer migration coverage from May 29 has the full picture.

Don’t expect the mobile steering feature to eliminate latency concerns at production scale. Real-time task approval requires a developer to be available and responsive, which is fine for supervised development workflows but doesn’t fit automated pipelines where the whole point is unattended execution. The feature’s value is highest for tasks where a human wants to stay in the loop but doesn’t want to be physically present. That’s a real use case. It’s also a narrower one than the announcement framing suggests.

Wait for your security team’s assessment before enabling @computer in any environment where Codex can reach production systems. The capability is real. The permission model governing it is still the developer’s problem to define.