Enterprise
Cursor Enterprise Deployment Patterns: MDM, Package Managers & Cloud Distribution
Cursor can be deployed to developer machines via MDM, a package manager or direct installation from cursor.com/downloads. MDM lets IT enforce policies and automate updates on macOS (via Omnissa Workspace ONE or Kandji) and Windows (Intune/Group Policy). Cursor's cloud distribution system is an alternative for syncing hooks without MDM — it pushes to all members when they log in.
On this page
- What deployment methods does Cursor Enterprise support?
- How do we deploy Cursor via MDM?
- How do we distribute hooks to all team members?
- How does Cursor work behind a corporate proxy or VPN?
- How do we control Cursor update cadence on managed machines?
- Does self-hosting Cursor's cloud agents keep the model inside our network?
- What governance knobs control cloud agents at the org level?
What deployment methods does Cursor Enterprise support?
Three methods cover the full range of enterprise fleet management: MDM for policy-enforced deployment, package manager scripts for developer-controlled installs, and direct download for smaller teams or rapid rollouts.
- Method
- MDM (Workspace ONE, Intune, Kandji)
- Best for
- Enforced deployment, policy management, auto-updates
- Who manages it
- IT / security team
- Method
- Package managers (Homebrew, winget, Chocolatey, apt)
- Best for
- Developer-controlled install, scripted provisioning
- Who manages it
- Developer or DevOps
- Method
- Direct download (cursor.com/downloads)
- Best for
- Manual install, fast pilots, small teams
- Who manages it
- Individual user
| Method | Best for | Who manages it |
|---|---|---|
| MDM (Workspace ONE, Intune, Kandji) | Enforced deployment, policy management, auto-updates | IT / security team |
| Package managers (Homebrew, winget, Chocolatey, apt) | Developer-controlled install, scripted provisioning | Developer or DevOps |
| Direct download (cursor.com/downloads) | Manual install, fast pilots, small teams | Individual user |
Cursor does not push or manage files through your MDM — your IT team owns that configuration.
How do we deploy Cursor via MDM?
Cursor documents MDM deployment for three vendors: Omnissa Workspace ONE, Microsoft Intune (Windows and macOS) and Kandji. Download the relevant build from cursor.com/downloads and follow your vendor's standard app deployment workflow. Cursor does not push or manage files through your MDM — configuration and update cadence are owned by your IT or security team.
Getting Cursor onto a machine (this article) is a different layer from enforcing which team members can log in and which models or extensions they can use. See Identity & Access Management for AllowedTeamId, AllowedExtensions and WorkspaceTrust policies.
How do we distribute hooks to all team members?
Hooks — scripts that run at specific points in the Cursor agent workflow — can reach developer machines three ways:
- Project hooks: commit
.cursor/hooks/to the repo so every engineer gets them on clone. - MDM-based distribution: deploy hook files through your existing MDM tooling as a managed package or script.
- Cursor cloud distribution: configure hooks in the Enterprise admin dashboard and Cursor automatically delivers them to every client machine when a team member logs in. No MDM required.
Cloud distribution is the simplest option for teams already on Enterprise — it eliminates a separate MDM configuration step and keeps hooks in sync as you update them.
How does Cursor work behind a corporate proxy or VPN?
Most corporate proxies work transparently. The common failure mode is a network that blocks HTTP/2 — ZScaler is a documented example. If developers report slow connections or auth failures, enable HTTP Compatibility Mode under Cursor Settings → Network to fall back to HTTP/1.1.
- HTTP/2 blocked
- Enable HTTP Compatibility Mode (Settings → Network → HTTP/1.1).
- Proxy auth required
- Cursor respects system proxy settings; check that env vars or OS proxy config are set.
- Certificate inspection (MITM)
- Add your internal CA to the system trust store; Cursor uses the system TLS stack.
- Private connectivity
- For VPC-routed or on-prem scenarios, see Enterprise Private Connectivity.
How do we control Cursor update cadence on managed machines?
By default Cursor auto-updates on each launch. For fleets that require controlled rollouts, manage updates through your MDM by deploying specific build versions and disabling the auto-update mechanism via MDM policy. Cursor publishes builds for all platforms at cursor.com/downloads; version history is available for pinning.
Does self-hosting Cursor's cloud agents keep the model inside our network?
This is the single most common enterprise misconception. Self-hosted or private workersCloud-agent machines that run inside your own network so they can reach internal systems; the model inference still calls external providers. move the cloud-agent container — the runtime that clones your repo, runs commands and executes the agent loop — onto your own infrastructure. They do not move model inference. The container still calls Cursor's model providers over the network for every completion.
The agent container (the sandbox where code runs) can live in your network so it can reach internal Git, package registries, build systems and self-hosted MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers.
Model inference is still external — the container makes outbound calls to the model providers Cursor uses. No weights run on your hardware.
If your goal is "no source code or prompts leave our network for inference," private workersCloud-agent machines that run inside your own network so they can reach internal systems; the model inference still calls external providers. alone do not deliver that. Pair them with the data-handling and privacy controls in your Cursor Enterprise agreement.
What you do gain from a private worker is network reachability and isolation. Because the container runs where your internal services live, the agent can clone from an internal-only Git host, pull from a private registry and call an MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. server that is not exposed to the public internet — none of which a Cursor-hosted worker can reach.
- Agent container (clone, run, edit)
- Your network, when you self-host private workersCloud-agent machines that run inside your own network so they can reach internal systems; the model inference still calls external providers..
- Internal Git / registries / MCP
- Your network — reachable only because the container is co-located.
- Model inference (completions)
- External — outbound calls to Cursor's model providers, always.
- Model weights
- Never on your hardware; self-hosting does not ship weights.
Self-hosting relocates the execution sandbox, not the model.
What governance knobs control cloud agents at the org level?
Cloud agents run with broad capability by default, so the Enterprise admin dashboard exposes per-org controls that constrain what a run can reach, how long it lasts and where it can land. Set these before you turn agents loose on real repos.
- Knob
- Domain allow-lists
- What it controls
- Which external hosts the agent's environment may reach over the network.
- Why it matters
- Prevents exfiltration and pulls from untrusted hosts; the agent can only talk to approved domains.
- Knob
- Run-time caps
- What it controls
- Maximum wall-clock duration (and effective spend) per agent run.
- Why it matters
- Stops runaway loops and bounds cost on long autonomous tasks.
- Knob
- Environment isolation
- What it controls
- Whether each run gets a fresh, sandboxed container with no shared state.
- Why it matters
- Keeps one run's secrets and artifacts from leaking into the next.
- Knob
- Branch control
- What it controls
- Which branches an agent may push to and whether it can open PRs directly.
- Why it matters
- Keeps agents off protected branches; forces human review via PR.
- Knob
- MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. toggles
- What it controls
- Which MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers and tools the agent is allowed to call.
- Why it matters
- Limits the agent's blast radiusHow much breaks if a change goes wrong; the scope of potential damage. to vetted integrations only.
- Knob
- Model selection
- What it controls
- Which models the org permits agents to use.
- Why it matters
- Enforces approved providers and controls cost/quality tradeoffs.
| Knob | What it controls | Why it matters |
|---|---|---|
| Domain allow-lists | Which external hosts the agent's environment may reach over the network. | Prevents exfiltration and pulls from untrusted hosts; the agent can only talk to approved domains. |
| Run-time caps | Maximum wall-clock duration (and effective spend) per agent run. | Stops runaway loops and bounds cost on long autonomous tasks. |
| Environment isolation | Whether each run gets a fresh, sandboxed container with no shared state. | Keeps one run's secrets and artifacts from leaking into the next. |
| Branch control | Which branches an agent may push to and whether it can open PRs directly. | Keeps agents off protected branches; forces human review via PR. |
| MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. toggles | Which MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers and tools the agent is allowed to call. | Limits the agent's blast radiusHow much breaks if a change goes wrong; the scope of potential damage. to vetted integrations only. |
| Model selection | Which models the org permits agents to use. | Enforces approved providers and controls cost/quality tradeoffs. |
Configure these in the Enterprise admin dashboard before granting cloud-agent access broadly.
Domain allow-lists and MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. toggles govern what the agent container can reach — they do not change the fact that inference is external.
If a private worker is in scope, confirm the worker still honors org-level domain allow-lists and branch control; co-location does not exempt it from governance.
Frequently asked questions
Which MDM vendors does Cursor officially document?
Cursor documents deployment guides for Omnissa Workspace ONE, Microsoft Intune (Windows and macOS) and Kandji. For other vendors, the process follows standard macOS .pkg or Windows .exe/MSI deployment.
Does Cursor support silent installation for mass deployment?
Yes, through MDM tools that support silent deployment flags. Cursor's standard installers (.pkg for macOS, .exe for Windows) accept the usual silent install arguments your MDM uses for other enterprise software.
What is the difference between hook deployment and identity policy deployment?
Hook deployment distributes scripts that run during agent workflows. Identity policies (AllowedTeamId, AllowedExtensions, WorkspaceTrust) control who can log in and what features they can access. Both can go through MDM, but Cursor's cloud distribution handles hooks without needing MDM at all.
Can we prevent developers from installing Cursor outside the managed version?
Enforce this through your MDM by blocking sideloaded .app installs on macOS or using Windows application control policies. Cursor itself does not enforce a single managed-install channel.
Does self-hosting Cursor mean the model runs on our servers?
No. Self-hosting or private workers run only the cloud-agent container inside your network so it can reach internal Git, registries and MCP servers. Model inference stays external — the container still calls Cursor's model providers, and no model weights run on your hardware.
Sources & last verified
- Cursor - Deployment Patterns
- Cursor - Identity & Access Management
- Cursor - Downloads
- Cursor - Enterprise
Cursor ships frequently. Facts verified against primary sources on June 25, 2026.