Cursor
Cursor does not expose a first-class OpenTelemetry exporter, so Arrakis ships a Python hook that customers deploy to every developer endpoint via MDM. This page covers MDM delivery, hook configuration, and egress verification only.
When to use this
Use this page if your fleet uses Cursor. Covers MDM-deployment of the Arrakis-shipped Cursor hook and egress verification. Vendor-side admin (privacy mode, audit-log export) is on the Connectors page.
3-step Quickstart
- In the Arrakis platform, download the tenant-specific Cursor hook artifact from Settings → Integrations → Deployment → Cursor (signed; verify the signature before MDM packaging).
- Deploy the hook to your fleet via your MDM (Jamf / Intune / Iru) and configure tenant environment variables from the Arrakis platform.
- Verify egress connectivity from a developer endpoint using the connectivity probe in OTel Collector & Arrakis Endpoint → Verifying connectivity.
Where tenant-specific values come from
Sign in to the Arrakis platform → Settings → Integrations → Deployment. The OTLP endpoint, header secret, vendor admin API keys, and per-tool MDM payload templates for your tenant live there.
Reference: full configuration walkthrough
Hook overview
The Arrakis Cursor hook is a Python file that runs alongside Cursor. It captures prompts, tool calls, and run metadata, batches them, and posts to the Arrakis ingest endpoint. Configuration is delivered via tenant-specific environment variables (covering ingest endpoint, bearer token, and log level) provisioned by the Arrakis platform.
The signed hook artifact, the env-var names used to configure it, and their values are published per-tenant. Sign in to the Arrakis platform → Settings → Integrations → Deployment → Cursor to download the latest signed hook and copy current values, or contact Arrakis support. Verify the artifact signature before MDM packaging.
MDM payloads
Jamf Pro (macOS)
- Files & Processes payload: drop the hook into its install directory (mode 0755 for the Python file, mode 0644 for support files; owner root:wheel).
- Custom Configuration Profile: set the tenant-specific environment variables in the user-session environment via a launchd plist.
- Smart Group: scope to machines with Cursor installed.
Microsoft Intune
- macOS: shell-script policy that installs the hook and writes a launchd plist for the env vars.
- Windows: Win32 app (.intunewin) installs the hook to its Program Files location. Settings catalog policy sets HKLM env vars under the system Environment key.
- Assignment: developer device or user group.
Iru (macOS)
On Iru (formerly Kandji):
- Custom Script library item (install) — marked Continuously Enforced so a missing hook is re-installed.
- Custom Profile library item — launchd plist setting the tenant-specific env vars at user-session start.
Generic
- macOS launchd plist setting env at session start; install the hook from the signed download.
- Windows: scheduled task at user logon to set
HKCU\Environmentenv vars; install the hook via PowerShell.
The hook install directory paths, launchd plist file names, and the exact env-var names used in your tenant are provisioned per-tenant in the Arrakis platform under Settings → Integrations → Deployment, or available from Arrakis support.
Egress verification
Egress is the only data-plane piece for Cursor — the hook posts directly to the Arrakis ingest. Verify:
- The hook is installed in its expected path (cross-check with the MDM’s “files present” report).
- The tenant env vars are set in the user session:
launchctl getenv <env-var>(macOS) orGet-ChildItem Env:<env-var>(Windows), substituting the env-var names provisioned for your tenant. - The hook can reach the ingest. Run the standard probe from OTel Collector & Arrakis Endpoint → Verifying connectivity substituting
<tenant-ingest-host>with the configured ingest hostname.
Troubleshooting matrix:
| Symptom | Likely cause |
|---|---|
| Hook absent | MDM scope did not include the device, or install script failed |
| Env var unset | Custom Profile / Settings-catalog policy not applied; force a sync (see MDM Sync) |
401 Unauthorized | Bearer token wrong or rotated — re-pull from the Arrakis platform |
| Connection refused / timeout | Egress firewall does not allowlist the ingest host |
| TLS verification failed | Corporate TLS-inspection proxy intercepting; allow the ingest host through inspection |
Vendor-side complement
Privacy mode and audit-log export are configured on the Cursor admin dashboard. See Connectors → Coding Agents (Cursor row) for the vendor-side requirements and how Arrakis consumes the audit-log export.