Your organization has adopted the use of ThreatLocker, a powerful endpoint security software. Depending on how you use your workstation, you may interact with ThreatLocker regularly or hardly at all. Here's what to be aware of.
What is ThreatLocker?
ThreatLocker primarily helps secure your device via Application Control - ensuring unknown and potentially malicious applications are prevented from running. In some environments, additional capabilities may be enabled:
- Automatic administrative elevation, allowing standard (non-admin) user accounts to perform approved tasks without requiring admin credentials.
- Management of external storage devices - ensuring you can write data only to trusted devices while preventing untrusted ones from acting on your computer.
This guide contains examples of the macOS ThreatLocker agent - for examples of the Windows interface, click here.
Menu Bar Item
You'll know ThreatLocker is installed when you see its icon in your menu bar. Click it to bring up this menu:
- Blocked Items: bring up a window showing recent ThreatLocker blocks
- Reset History: clear your block history for a fresh start
- Rapid Check-in: instructs ThreatLocker to check in every few seconds for five minutes. This is primarily used during troubleshooting.
- Quit: closes the ThreatLocker menu extra. Please note that ThreatLocker will continue operating in the background.
Application Control
Is an application not launching when you double-click it? Certain applications may be blocked by your organization if they've been flagged as malicious or against company policy. When ThreatLocker blocks anything, from an application installer to an app patching itself in the background, you may see a notification.
While you won't always see a popup, you can always click the ThreatLocker menu extra's Blocked Items button to bring up a window with a list of recently blocked elevation or execution requests:
You'll see a quick overview of the time of the event, the path for the item, the called process, user, action type, and the action taken by ThreatLocker. If the process or application that was blocked is business-critical and you'd like to request that it be allowed on your workstation, click the View button on the left of the item.
Please note that not all items will have a "View" button next to them - certain types of commands or blocked applications cannot be escalated. When blocked, these items will not notify you; they will just be silently blocked.
Please fill out the form detailing the blocked item and why it should be permitted. If you can, also specify whether you believe the blocked item should be allowed solely for your computer or if it would benefit your entire organization. In the lower field, enter your email address so your request can be reviewed. Finally, click the Send a request button to submit the form for consideration.
Reviews can take some time to complete - if possible, please test new applications on your workstation and submit requests well before they're needed in production. Every organization will have slightly different standards and Acceptable Use Policies, so please be patient while the review is in progress. If the application is approved for your device, you'll receive a confirmation notification and email.
Troubleshooting
If you're deploying a new application within your organization, let your IT team know before you begin testing the installer. A test device can be put into Installation Mode, which will allow your installers to run and make the changes included in their packages while logging all the items that would have been blocked. Once installation and the first launch of the application are complete, those items can be reviewed for approval.
Remember, internet access is required for the submission of approval requests and updating ThreatLocker's rules once a request is approved.
Certain authentication prompts for macOS may no longer present an option for TouchID or Apple Watch biometric authentication. This is expected behavior, but full biometric support may be possible in a future version of macOS.
If you have any questions about ThreatLocker or wish to explore using some of its optional features in your environment, please reach out to your Account Manager.