Deploy Capsule Security hooks for AI coding assistants across your fleet using Tanium. This guide covers deployment for Cursor, Windsurf, GitHub Copilot, and Claude Code on both Windows and macOS using Tanium Deploy packages.
- Access to the Tanium Console with administrative privileges
- Tanium Deploy module enabled
- A Capsule Security account with admin access
- Target endpoints managed by Tanium
Deploy the Cursor hooks configuration using a Tanium Deploy package.
- Log in to the Capsule Security portal
- Navigate to Settings > Integrations
- Locate the Cursor integration
- Download the
hooks.jsonfile
Log in to the Tanium Console
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – Cursor Hooks (Windows)
- Description: Deploys Capsule Security hooks configuration for Cursor
Upload the
hooks.jsonfile to the package filesSet the Command to run the following script:
cmd.exe /c mkdir "C:\ProgramData\Cursor" & copy /Y "hooks.json" "C:\ProgramData\Cursor\hooks.json"Create a Deployment:
- Navigate to Tanium Deploy > Deployments
- Click Create Deployment
- Select the Capsule Security – Cursor Hooks (Windows) package
- Target the appropriate Computer Groups or use a Tanium question to filter endpoints
- Configure the schedule:
- Type: Single or Recurring
- Restart required: No
- Deploy
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – Cursor Hooks (macOS)
- Description: Deploys Capsule Security hooks configuration for Cursor on macOS
Upload the
hooks.jsonfile to the package filesSet the Command to run the following script:
#!/bin/bash HOOKS_DIR="/Library/Application Support/Cursor" mkdir -p "$HOOKS_DIR" cp hooks.json "$HOOKS_DIR/hooks.json" chmod 644 "$HOOKS_DIR/hooks.json" exit 0Create a Deployment targeting macOS endpoints using the appropriate Computer Groups
After deployment, restart Cursor on target devices, then:
- Open Cursor Settings
- Navigate to the Hooks tab
- Confirm the hooks are listed and enabled
Deploy the Windsurf hooks configuration using a Tanium Deploy package.
- Log in to the Capsule Security portal
- Navigate to Settings > Integrations
- Locate the Windsurf integration
- Download the
hooks.jsonfile
Log in to the Tanium Console
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – Windsurf Hooks (Windows)
- Description: Deploys Capsule Security hooks configuration for Windsurf
Upload the
hooks.jsonfile to the package filesSet the Command to run the following script:
cmd.exe /c mkdir "C:\ProgramData\Windsurf" & copy /Y "hooks.json" "C:\ProgramData\Windsurf\hooks.json"Create a Deployment:
- Navigate to Tanium Deploy > Deployments
- Click Create Deployment
- Select the Capsule Security – Windsurf Hooks (Windows) package
- Target the appropriate Computer Groups or use a Tanium question to filter endpoints
- Configure the schedule:
- Type: Single or Recurring
- Restart required: No
- Deploy
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – Windsurf Hooks (macOS)
- Description: Deploys Capsule Security hooks configuration for Windsurf on macOS
Upload the
hooks.jsonfile to the package filesSet the Command to run the following script:
#!/bin/bash HOOKS_DIR="/Library/Application Support/Windsurf" mkdir -p "$HOOKS_DIR" cp hooks.json "$HOOKS_DIR/hooks.json" chmod 644 "$HOOKS_DIR/hooks.json" exit 0Create a Deployment targeting macOS endpoints using the appropriate Computer Groups
After deployment, restart Windsurf on target devices, then:
- Open Windsurf Settings
- Navigate to the Hooks tab
- Confirm the hooks are listed and enabled
Deploy the GitHub Copilot hooks configuration using a Tanium Deploy package.
- Log in to the Capsule Security portal
- Navigate to Settings > Integrations
- Locate the GitHub Copilot integration
- Download the
hooks.jsonfile
Log in to the Tanium Console
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – GitHub Copilot Hooks (Windows)
- Description: Deploys Capsule Security hooks configuration for GitHub Copilot in VS Code
Upload the
hooks.jsonfile to the package filesSet the Command to run the following PowerShell script:
$userProfiles = Get-ChildItem "C:\Users" -Directory | Where-Object { $_.Name -notin @('Public', 'Default', 'Default User') } foreach ($profile in $userProfiles) { $hooksDir = Join-Path $profile.FullName "AppData\Roaming\Code\User\hooks" if (-not (Test-Path $hooksDir)) { New-Item -ItemType Directory -Path $hooksDir -Force | Out-Null } Copy-Item -Path "hooks.json" -Destination "$hooksDir\hooks.json" -Force } Write-Output "Capsule hooks configuration deployed successfully." exit 0Create a Deployment:
- Navigate to Tanium Deploy > Deployments
- Click Create Deployment
- Select the Capsule Security – GitHub Copilot Hooks (Windows) package
- Target the appropriate Computer Groups
- Deploy
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – GitHub Copilot Hooks (macOS)
- Description: Deploys Capsule Security hooks configuration for GitHub Copilot on macOS
Upload the
hooks.jsonfile to the package filesSet the Command to run the following script:
#!/bin/bash for USER_HOME in /Users/*/; do USERNAME=$(basename "$USER_HOME") if [ "$USERNAME" = "Shared" ] || [ "$USERNAME" = ".localized" ]; then continue fi HOOKS_DIR="$USER_HOME/Library/Application Support/Code/User/hooks" mkdir -p "$HOOKS_DIR" cp hooks.json "$HOOKS_DIR/hooks.json" chmod 644 "$HOOKS_DIR/hooks.json" chown "$USERNAME" "$HOOKS_DIR/hooks.json" done exit 0Create a Deployment targeting macOS endpoints using the appropriate Computer Groups
After deployment, restart VS Code on target devices, then:
- Right-click in the Chat view and select Diagnostics
- Confirm the hooks are loaded and enabled
Deploy the Claude Code managed settings configuration using a Tanium Deploy package.
- Log in to the Capsule Security portal
- Navigate to Settings > Integrations
- Locate the Claude Code integration
- Click Install and select your target platform
- Download the
managed-settings.jsonfile
Log in to the Tanium Console
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – Claude Code Hooks (Windows)
- Description: Deploys Capsule Security managed settings for Claude Code
Upload the
managed-settings.jsonfile to the package filesSet the Command to run the following script:
cmd.exe /c mkdir "C:\Program Files\ClaudeCode" & copy /Y "managed-settings.json" "C:\Program Files\ClaudeCode\managed-settings.json"Create a Deployment:
- Navigate to Tanium Deploy > Deployments
- Click Create Deployment
- Select the Capsule Security – Claude Code Hooks (Windows) package
- Target the appropriate Computer Groups
- Deploy
Navigate to Tanium Deploy > Packages
Click Create Package and configure:
- Name: Capsule Security – Claude Code Hooks (macOS)
- Description: Deploys Capsule Security managed settings for Claude Code on macOS
Upload the
managed-settings.jsonfile to the package filesSet the Command to run the following script:
#!/bin/bash SETTINGS_DIR="/Library/Application Support/ClaudeCode" mkdir -p "$SETTINGS_DIR" cp managed-settings.json "$SETTINGS_DIR/managed-settings.json" chmod 644 "$SETTINGS_DIR/managed-settings.json" exit 0Create a Deployment targeting macOS endpoints using the appropriate Computer Groups
After deployment, restart Claude Code on target devices, then:
- Run
/hooksin Claude Code to confirm all hooks are listed - Start a session and verify events appear in the Capsule Security portal
After deploying packages, monitor status in the Tanium Console:
- Navigate to Tanium Deploy > Deployments
- Select the relevant deployment
- Review the deployment status:
- Complete: Configuration successfully deployed
- Pending: Deployment waiting for endpoint check-in
- Failed: Review error details and retry
You can also use Tanium Interact to ask questions across your fleet to verify deployment:
- Windows (Cursor):
Get File Exists[C:\ProgramData\Cursor\hooks.json] from all machines - Windows (Windsurf):
Get File Exists[C:\ProgramData\Windsurf\hooks.json] from all machines - Windows (Claude Code):
Get File Exists[C:\Program Files\ClaudeCode\managed-settings.json] from all machines - macOS (Cursor):
Get File Exists[/Library/Application Support/Cursor/hooks.json] from all machines - macOS (Windsurf):
Get File Exists[/Library/Application Support/Windsurf/hooks.json] from all machines - macOS (Claude Code):
Get File Exists[/Library/Application Support/ClaudeCode/managed-settings.json] from all machines
- Tanium packages run as SYSTEM (Windows) or root (macOS) by default
- Cursor, Windsurf, and Claude Code use system-level paths — deploy to Device computer groups
- GitHub Copilot uses user-level paths — the deployment scripts iterate over all user profiles to cover each user on the endpoint
- For GitHub Copilot CLI users, create an additional package targeting
%USERPROFILE%\.github\hooks\hooks.json(Windows) or~/.github/hooks/hooks.json(macOS) - Use Tanium Computer Groups or saved questions to target specific OS versions or departments
- All four integrations can be deployed as separate packages and assigned independently
- For recurring enforcement, configure deployments with a recurring schedule
For help with deployment:
- Email: support@capsule.security
- Include: Your organization ID, Tanium environment details, and any error messages