Enterprise settings

You can centrally manage specific features of Cursor through device management solutions to ensure it meets the needs of your organization. When you specify a Cursor policy, its value overrides the corresponding Cursor setting on users’ devices. Settings editor showing that the ‘Extensions: Allowed’ setting is managed by the organization. Cursor currently provides policies to control the following admin-controlled features:
PolicyDescriptionCursor settingAvailable since
AllowedExtensionsControls which extensions can be installed.extensions.allowed1.2
AllowedTeamIdControls which team IDs are allowed to log in. Users with unauthorized team IDs are forcefully logged out.cursorAuth.allowedTeamId1.3

Configure allowed extensions

The extensions.allowed Cursor setting controls which extensions can be installed. This setting accepts a JSON object where keys are publisher names and values are booleans indicating whether extensions from that publisher are allowed. For example, setting extensions.allowed to {"anysphere": true, "github": true} allows extensions from Anysphere and GitHub publishers, while setting it to {"anysphere": false} blocks Anysphere extensions. To centrally manage allowed extensions for your organization, configure the AllowedExtensions policy using your device management solution. This policy overrides the extensions.allowed setting on users’ devices. The value of this policy is a JSON string that defines the allowed publishers. If you want to learn more about extensions in Cursor, refer to the extensions documentation.

Configure allowed team IDs

The cursorAuth.allowedTeamId Cursor setting controls which team IDs are permitted to log into Cursor. This setting accepts a comma-separated list of team IDs that are authorized for access. For example, setting cursorAuth.allowedTeamId to "1,3,7" allows users from those specific team IDs to log in. When a user attempts to log in with a team ID that is not in the allowed list:
  • They are forcefully logged out immediately
  • An error message is displayed
  • The application prevents further authentication attempts until a valid team ID is used
To centrally manage allowed team IDs for your organization, configure the AllowedTeamId policy using your device management solution. This policy overrides the cursorAuth.allowedTeamId setting on users’ devices. The value of this policy is a string containing the comma-separated list of authorized team IDs.

Group Policy on Windows

Cursor has support for Windows Registry-based Group Policy. When policy definitions are installed, admins can use the Local Group Policy Editor to manage the policy values. To add a policy:
  1. Copy the Policy ADMX and ADML files from AppData\Local\Programs\cursor\policies.
  2. Paste the ADMX file into the C:\Windows\PolicyDefinitions directory, and the ADML file into the C:\Windows\PolicyDefinitions\<your-locale>\ directory.
  3. Restart the Local Group Policy Editor.
  4. Set the appropriate policy values (e.x. {"anysphere": true, "github": true} for the AllowedExtensions policy) in the Local Group Policy Editor.
Policies can be set both at the Computer level and the User level. If both are set, Computer level will take precedence. When a policy value is set, the value overrides the Cursor setting value configured at any level (default, user, workspace, etc.).

Configuration profiles on macOS

Configuration profiles manage settings on macOS devices. A profile is an XML file with key/value pairs that correspond to available policy. These profiles can be deployed using Mobile Device Management (MDM) solutions, or installed manually.

String policies

The example below demonstrates configuration of the AllowedExtensions policy. The policy value starts empty in the sample file (no extensions are allowed). 
<key>AllowedExtensions</key>
<string></string>
Add the appropriate JSON string defining your policy between the <string> tags. 
<key>AllowedExtensions</key>
<string>{"anysphere": true, "github": true}</string>
For the AllowedTeamId policy, add the comma-separated list of team IDs: 
<key>AllowedTeamId</key>
<string>1,3,7</string>
Important: The provided .mobileconfig file initializes all policies available in that version of Cursor. Delete any policies that are not needed. If you do not edit or remove a policy from the sample .mobileconfig, that policy will be enforced with its default (restrictive) policy value. Manually install a configuration profile by double-clicking on the .mobileconfig profile in Finder and then enabling it in System Preferences under General > Device Management. Removing the profile from System Preferences will remove the policies from Cursor. For more information on configuration profiles, refer to Apple’s documentation.

Additional policies

The goal is to promote current Cursor settings as policies and closely follow existing settings, so that the naming and behavior are consistent. If there are requests to enact more policies, please open an issue in the Cursor GitHub repository. The team will determine if there is already a corresponding setting for the behavior or if a new setting should be created to control the desired behavior.

Frequently asked questions

Does Cursor support configuration profiles on Linux?

Support for Linux is not on the roadmap. If you’re interested in configuration profiles on Linux, open an issue in the Cursor GitHub repository and share details about your scenario.