Hey,
We’re looking into how we can manage extensions across our team.
Right now, developers can pretty much install anything, which is raising some red flags for supply-chain risks and data exfiltration. We need a way to completely lock down extension installs and only allow a specific list of pre-approved tools.
How should we handle that?
Hi Joshua!
Cursor does support extension allowlisting. For a Teams plan, the two options are:
1. MDM Policy (recommended for full lockdown): If your team uses a device management solution (macOS MDM, Windows Intune/Group Policy), you can push the AllowedExtensions policy to all managed devices. This is the strongest approach because it overrides any local user changes — developers can’t bypass it. See: Deployment Patterns — MDM Configuration
2. Local extensions.allowed setting: You can configure the extensions.allowed setting in each developer’s settings.json. The format is a JSON object where keys are publisher names or full extension IDs:
{
  "anysphere": true,
  "github": true,
  "esbenp.prettier-vscode": true
}
Only explicitly listed publishers/extensions are allowed; everything else is blocked. However, without MDM enforcement, developers can edit this setting themselves. So this works best when combined with MDM to lock down the config file, or in environments where you trust developers to follow policy.
Full details on the format and behavior: Identity and Access Management — Allowed Extensions
The admin dashboard also has a centralized extension allowlist configuration, but that’s available on the Enterprise plan. If your team grows into needing centralized management without MDM, that would be an option to consider down the line.
You may also find this related thread helpful: Does Cursor Support Locking Extensions with extensions.allowed?
Let me know if you have questions about the setup!
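The caveat in the reply above, that developers can edit a local extensions.allowed themselves, is something a team can check for. The following is an added sketch, not part of the original thread and not Cursor's own code: it compares one machine's `extensions.allowed` and installed extension IDs against an approved baseline in the format shown above. The sample settings text, the extension IDs, case-insensitive matching and treating only `true` values as allowed are assumptions, and a real settings.json that contains comments would need a comment-tolerant parser.

```python
import json

# Approved baseline in the format from the reply above.
BASELINE = {"anysphere": True, "github": True, "esbenp.prettier-vscode": True}

# Constructed sample: one developer's settings text with an extra publisher added.
SAMPLE_SETTINGS = json.dumps({"extensions.allowed": {**BASELINE, "examplepub": True}})
# Constructed sample: extension IDs found installed on that machine.
SAMPLE_INSTALLED = ["GitHub.example-ext", "esbenp.prettier-vscode",
                    "examplepub.some-tool", "otherpub.helper"]


def is_allowed(ext_id, allowed):
    """True if the full ID or its publisher is listed with value true."""
    ext_id = ext_id.lower()
    publisher = ext_id.split(".", 1)[0]
    keys = {k.lower() for k, v in allowed.items() if v is True}
    return ext_id in keys or publisher in keys


def audit(settings_text, installed, baseline=BASELINE):
    """Report drift from the baseline for one machine."""
    local = json.loads(settings_text).get("extensions.allowed")
    if not isinstance(local, dict):
        # No allowlist at all means nothing is being restricted locally.
        return {"setting_missing": True, "widened_locally": [],
                "unapproved_installed": sorted(
                    e.lower() for e in installed if not is_allowed(e, baseline))}
    return {
        "setting_missing": False,
        # Local entries that permit something the baseline does not cover.
        "widened_locally": sorted(
            k.lower() for k, v in local.items()
            if v is True and not is_allowed(k, baseline)),
        # Installed extensions the baseline would have blocked.
        "unapproved_installed": sorted(
            e.lower() for e in installed if not is_allowed(e, baseline)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SETTINGS, SAMPLE_INSTALLED), indent=2))
```

A local entry that only narrows the baseline (a single extension ID under an approved publisher) is not reported, since it permits nothing new.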
Thanks, this gives the clarity I need.