Cursor Bundle Identifier

Hey, thanks for digging into this before rollout. That’s a solid request.

In short, both the CFBundleIdentifier and the Developer ID signature are legit. Cursor is distributed and auto-updated via ToDesktop, which is the desktop app packaging platform we use. That’s why the bundle ID is com.todesktop.230313mzl4w4u92, and the Developer ID / Team Identifier VDXQ22DGB9 under Hilary Stout belongs to ToDesktop, not Anysphere directly. The build is properly code-signed and Apple notarized, with a stapled notarization ticket. You can verify locally:

codesign -dv --verbose=4 /Applications/Cursor.app
spctl -a -vvv /Applications/Cursor.app

For MDM, this is a normal setup. The bundle ID com.todesktop.230313mzl4w4u92 and TeamIdentifier=VDXQ22DGB9 are stable and don’t change between releases, so you can build your allowlist or deployment config around those values.

One note since you’re doing a detailed MDM rollout. There’s a known bug with helper bundles: Cursor Helper (GPU).app, Cursor Helper (Plugin).app, and Cursor Helper (Renderer).app have a code signing Identifier that doesn’t match their CFBundleIdentifier. The signature still uses the stock com.github.Electron.helper instead of com.todesktop.230313mzl4w4u92.helper.*. The main Cursor Helper.app is signed correctly; the issue is only with those three helpers. The signature is still valid and notarized, but if your MDM rules or firewall or TCC match helpers by code signing Identifier, you might get surprises. Details and repro here: Stale Electron codesign Identifier on macOS Cursor Helper bundles

We’ve confirmed the bug on our side, but we don’t have a fix timeline yet. The MDM workaround is to match helpers by TeamIdentifier VDXQ22DGB9, not by their code signing Identifier.

On the point that the main signature uses a third-party identity instead of com.anysphere.*, fair feedback, I’ll pass it to the team. I can’t promise we’ll change the signing setup, so for deployment please rely on the identifiers above.

If anything in MDM doesn’t match for a specific requirement string, send the details and we’ll take a look.
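
An added example, not part of the original post and not Cursor or ToDesktop tooling: a shell audit that walks every nested `.app` in the bundle and separates the helper mismatch described above (`id-mismatch`, team still correct) from a bundle signed by a different team (`wrong-team`). The function names and the sample `codesign` text are constructed for illustration; the team ID and stock Electron identifier are the ones quoted in the post.

```shell
#!/usr/bin/env bash
# Added example: compare each bundle's signing Identifier and TeamIdentifier
# with its CFBundleIdentifier and the team ID given in the post.
EXPECTED_TEAM="VDXQ22DGB9"   # TeamIdentifier quoted in the post

# Extract one "Key=value" field from `codesign -dv` output read on stdin.
# The pattern is anchored, so "Identifier" does not match "TeamIdentifier".
cs_field() { sed -n "s/^$1=//p" | head -n 1; }

# classify <codesign -dv text> <CFBundleIdentifier>
# Prints: ok | id-mismatch | wrong-team
classify() {
  local text="$1" bundle_id="$2" ident team
  ident=$(printf '%s\n' "$text" | cs_field Identifier)
  team=$(printf '%s\n' "$text" | cs_field TeamIdentifier)
  if [ "$team" != "$EXPECTED_TEAM" ]; then
    echo wrong-team      # not signed by the expected team: investigate
  elif [ "$ident" != "$bundle_id" ]; then
    echo id-mismatch     # the helper condition the post describes
  else
    echo ok
  fi
}

# Constructed sample of the relevant codesign fields (not captured output).
SAMPLE_HELPER='Identifier=com.github.Electron.helper
Format=bundle with Mach-O thin (arm64)
TeamIdentifier=VDXQ22DGB9'

# On a Mac: report the status of the app and every nested .app bundle.
audit_app() {
  local app="$1" b text bid
  find "$app" -name '*.app' -type d | while read -r b; do
    text=$(codesign -dv --verbose=4 "$b" 2>&1)   # codesign writes to stderr
    bid=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' \
          "$b/Contents/Info.plist" 2>/dev/null)
    printf '%s\t%s\n' "$(classify "$text" "$bid")" "$b"
  done
}

# Run the audit only where codesign and the app actually exist.
if [ "$(uname)" = "Darwin" ] && [ -d /Applications/Cursor.app ]; then
  audit_app /Applications/Cursor.app
fi
```

Any `wrong-team` line is the result worth escalating; `id-mismatch` lines on the three helpers are the known condition, which is why the post recommends matching helpers by TeamIdentifier.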