Deploy ThreatLocker to macOS devices with Hexnode UEM
ThreatLocker is a zero-trust endpoint protection platform: rather than trusting software by default, it continuously verifies what is allowed to run and what it may access, which is how it defends endpoints against phishing, malware, ransomware, rootkits, password attacks, and IoT attacks. This document walks through deploying ThreatLocker to macOS devices with Hexnode UEM, so that the agent and its system extension are installed and approved without manual work on each Mac.
How to deploy ThreatLocker
ThreatLocker is deployed to macOS devices with Hexnode's Scripts policy. A working deployment needs three pieces: the System Extensions configuration (so the ThreatLocker system extension can load without per-user approval), a configuration profile that carries the Notification Settings and Web Content Filtering payloads, and the installation script itself. You can split these across separate policies or combine them; in this document all three are configured in a single policy.
Follow these steps to deploy ThreatLocker to macOS endpoints:
ThreatLocker installation script
- In the Hexnode UEM portal, navigate to Policies > New Policy > macOS.
- Select Scripts from the left menu and click on Configure.
- Click on Choose Scripts and choose the ThreatLocker installation script. Edit the script so that GroupKey holds your organization's Group Key, which you obtain from the ThreatLocker portal. The Group Key is what enrolls a device into your ThreatLocker group, so treat the script as sensitive and restrict who can view or edit the policy.
```bash
#!/bin/bash
# ThreatLocker installation script for Hexnode's Scripts policy.
# Replace the placeholder with the Group Key from the ThreatLocker portal.
GroupKey="xxxxxxxxxxxxxxxxxxxxxxxx"

# Check if the script is run with administrative privileges
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root or with sudo."
    exit 1
fi

# Function to remove ThreatLocker app only if it exists in the Applications directory
cleanup() {
    if [ -d /Applications/ThreatLocker.app ]; then
        echo "Cleaning up: Removing ThreatLocker application"
        rm -rf /Applications/ThreatLocker.app
    else
        echo "Application not installed"
    fi
}

# Function to check system extension state.
# Returns 0 when the extension is activated and enabled, 1 when it is
# activated but waiting for user approval, and 2 when it is not listed.
check_system_extension_state() {
    extensionIdentifier="com.threatlocker.app.agent"
    extensionStates=$(systemextensionsctl list | grep "$extensionIdentifier")
    while IFS= read -r line; do
        if [[ $line == *"activated enabled"* ]]; then
            echo "ThreatLocker installed."
            return 0
        elif [[ $line == *"activated waiting for user"* ]]; then
            echo "ThreatLocker installed; waiting on user input to permit system extension."
            return 1
        fi
    done <<< "$extensionStates"
    return 2
}

# Start of the script's main logic
if [ -d /Applications/ThreatLocker.app ]; then
    echo "ThreatLocker already installed. Checking status..."
    if pgrep -x "ThreatLocker" > /dev/null; then
        check_system_extension_state
        case $? in
            0)
                echo "ThreatLocker is running."
                exit 0
                ;;
            1)
                echo "Action required: waiting on user input to permit system extension."
                exit 1
                ;;
            2)
                # App is running but the extension is not registered: relaunch with the key
                open /Applications/ThreatLocker.app --args -groupKey "$GroupKey"
                echo "Starting ThreatLocker..."
                sleep 15
                check_system_extension_state
                ;;
        esac
    else
        open /Applications/ThreatLocker.app --args -groupKey "$GroupKey"
        echo "Starting ThreatLocker..."
        sleep 15
        check_system_extension_state
    fi
else
    echo "Downloading and installing ThreatLocker..."
    # Make API call and extract version number (the Group Key is sent as the InstallKey header)
    Response=$(curl -H "InstallKey: $GroupKey" -s -w "%{http_code}" \
        -o /tmp/threatlocker_version.json https://api.threatlocker.com/getgroupkey.ashx)
    if [ "$Response" -ne 201 ]; then
        echo "Unable to retrieve version number or invalid group key."
        exit 1
    fi
    Version=$(awk -F ':' '/URL/ {print $2}' /tmp/threatlocker_version.json | tr -d '"')
    if [ -z "$Version" ]; then
        echo "Version number missing from API response."
        exit 1
    fi
    # -f makes curl fail on an HTTP error instead of saving the error page as the zip
    curl -f --output "/private/var/tmp/ThreatLocker.app.zip" \
        "https://updates.threatlocker.com/repository/mac/$Version/ThreatLocker.app.zip"
    unzip -qq /private/var/tmp/ThreatLocker.app.zip -d /Applications
    rm -f /private/var/tmp/ThreatLocker.app.zip /tmp/threatlocker_version.json
    if [ ! -d /Applications/ThreatLocker.app ]; then
        echo "Unable to download ThreatLocker."
        exit 1
    fi
    chown -R root:wheel /Applications/ThreatLocker.app
    open /Applications/ThreatLocker.app --args -groupKey "$GroupKey"
    echo "Installing ThreatLocker..."
    sleep 15
    check_system_extension_state
    result=$?
    if [ "$result" -eq 0 ]; then
        echo "ThreatLocker installed successfully."
    elif [ "$result" -eq 1 ]; then
        echo "Action required: User must permit system extension."
        exit 1
    else
        echo "An error occurred during installation."
        cleanup
        exit 1
    fi
fi
```
- Click on Configure.
- Once the script is added, a window appears in which you choose when the script runs. In this example it is set to execute at subsequent user logon, so the agent is launched in a logged-in session where the system extension approval prompt (if any) can be shown.
Configure System Extensions
- Select System Extensions under Configurations from the left menu and click on Configure.
- Under the Team Identifiers section, enter MSY54GN4KF as the identifier and click on Add. This is ThreatLocker's Apple developer Team ID; allow-listing it lets system extensions signed by that team load without the user having to approve them in System Settings, and it is the same value that appears as subject.OU in the content filter's designated requirement below.
Configure Web Content Filtering and Notification Settings
Web Content Filtering and Notification Settings can be configured using Hexnode’s Deploy Custom Configuration feature.
- Under the macOS tab, navigate to Configurations > Deploy Custom Configuration.
- Click Configure.
- Click on Choose File and upload the .mobileconfig, .xml, or .plist file. You can either use the configuration profile given below or create your own with any profile creator tool.
- Click OK.
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>PayloadContent</key><array><dict><key>FilterDataProviderBundleIdentifier</key><string>com.threatlocker.app</string><key>FilterDataProviderDesignatedRequirement</key><string>anchor apple generic and identifier "com.threatlocker.app" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MSY54GN4KF) </string><key>FilterGrade</key><string>inspector</string><key>FilterSockets</key><true/><key>FilterType</key><string>Plugin</string><key>PayloadDisplayName</key><string>Web Content Filter</string><key>PayloadIdentifier</key><string>com.apple.webcontent-filter.F1181281-7161-4DD4-8274-C93347FDB7A5</string><key>PayloadType</key><string>com.apple.webcontent-filter</string><key>PayloadUUID</key><string>F1181281-7161-4DD4-8274-C93347FDB7A5</string><key>PayloadVersion</key><integer>1</integer><key>PluginBundleID</key><string>com.threatlocker.app</string><key>UserDefinedName</key><string>ThreatLocker</string></dict><dict><key>NotificationSettings</key><array><dict><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.threatlocker.app.UIAgent</string><key>CriticalAlertEnabled</key><false/><key>NotificationsEnabled</key><true/><key>ShowInCarPlay</key><true/><key>ShowInLockScreen</key><true/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict></array><key>PayloadDisplayName</key><string>Notifications</string><key>PayloadIdentifier</key><string>com.apple.notificationsettings.2E51FC87-6849-4B09-960A-434EEFCD0F14</string><key>PayloadType</key><string>com.app
le.notificationsettings</string><key>PayloadUUID</key><string>2E51FC87-6849-4B09-960A-434EEFCD0F14</string><key>PayloadVersion</key><integer>1</integer></dict></array><key>PayloadDisplayName</key><string>ThreatLocker Notifications and Web Content Filtering Configuration</string><key>PayloadIdentifier</key><string>FD9F7BD2-89AE-46E9-8902-F96E3A32AEBA</string><key>PayloadType</key><string>Configuration</string><key>PayloadUUID</key><string>FD9F7BD2-89AE-46E9-8902-F96E3A32AEBA</string><key>PayloadVersion</key><integer>1</integer></dict></plist>
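The profile only does its job if the identifiers in it agree with each other and with the System Extensions setting: the designated requirement's subject.OU must be the Team ID you allow-listed, and its identifier clause must name the FilterDataProviderBundleIdentifier, otherwise the requirement is not satisfied by the extension's code signature and the filter is not permitted to attach. The following preflight check is an added example, not Hexnode's or ThreatLocker's code; it reads a .mobileconfig with Python's plistlib and reports mismatches before you upload the file. The embedded profile is a trimmed copy of the one above with only the keys the checks read, and the function names are my own.

```python
# Added example: preflight consistency check for the ThreatLocker
# content-filter/notification profile (not Hexnode's or ThreatLocker's code).
import plistlib
import re
from typing import Dict, List, Optional

# Team identifier entered under Configurations > System Extensions.
EXPECTED_TEAM_ID = "MSY54GN4KF"

# Constructed sample: a trimmed copy of the profile shown on this page.
# Replace with open("profile.mobileconfig", "rb").read() for a real file.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>FilterDataProviderBundleIdentifier</key>
      <string>com.threatlocker.app</string>
      <key>FilterDataProviderDesignatedRequirement</key>
      <string>anchor apple generic and identifier "com.threatlocker.app" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MSY54GN4KF)</string>
      <key>FilterType</key>
      <string>Plugin</string>
      <key>PluginBundleID</key>
      <string>com.threatlocker.app</string>
      <key>PayloadType</key>
      <string>com.apple.webcontent-filter</string>
      <key>PayloadUUID</key>
      <string>F1181281-7161-4DD4-8274-C93347FDB7A5</string>
    </dict>
    <dict>
      <key>NotificationSettings</key>
      <array>
        <dict>
          <key>BundleIdentifier</key>
          <string>com.threatlocker.app.UIAgent</string>
          <key>NotificationsEnabled</key>
          <true/>
        </dict>
      </array>
      <key>PayloadType</key>
      <string>com.apple.notificationsettings</string>
      <key>PayloadUUID</key>
      <string>2E51FC87-6849-4B09-960A-434EEFCD0F14</string>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>FD9F7BD2-89AE-46E9-8902-F96E3A32AEBA</string>
</dict>
</plist>
"""

_IDENTIFIER_RE = re.compile(r'\bidentifier\s+"([^"]+)"')
_TEAM_RE = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?')


def parse_designated_requirement(dr: str) -> Dict[str, Optional[str]]:
    """Extract the bundle identifier and Team ID (subject.OU) from a code-signing
    requirement string such as FilterDataProviderDesignatedRequirement."""
    ident = _IDENTIFIER_RE.search(dr)
    team = _TEAM_RE.search(dr)
    return {"identifier": ident.group(1) if ident else None,
            "team_id": team.group(1) if team else None}


def check_profile(data: bytes, expected_team_id: str = EXPECTED_TEAM_ID) -> List[str]:
    """Return a list of problems; an empty list means the profile is consistent."""
    problems: List[str] = []
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    payloads = profile.get("PayloadContent", [])
    seen = set()
    for p in payloads:  # every payload needs its own, unique UUID
        uuid = p.get("PayloadUUID")
        if not uuid or uuid in seen:
            problems.append(f"missing or duplicate PayloadUUID in {p.get('PayloadType')}")
        seen.add(uuid)
    filters = [p for p in payloads if p.get("PayloadType") == "com.apple.webcontent-filter"]
    if not filters:
        problems.append("no com.apple.webcontent-filter payload")
    for f in filters:
        if f.get("FilterType") != "Plugin":  # Plugin = third-party filter provider
            problems.append("FilterType must be Plugin for a third-party filter provider")
        fields = parse_designated_requirement(f.get("FilterDataProviderDesignatedRequirement", ""))
        if fields["identifier"] != f.get("FilterDataProviderBundleIdentifier"):
            problems.append("designated requirement identifier does not match FilterDataProviderBundleIdentifier")
        if fields["team_id"] != expected_team_id:
            problems.append(f"designated requirement team ID {fields['team_id']} "
                            f"does not match System Extensions team ID {expected_team_id}")
    notif = [p for p in payloads if p.get("PayloadType") == "com.apple.notificationsettings"]
    if not any(s.get("NotificationsEnabled") for n in notif for s in n.get("NotificationSettings", [])):
        problems.append("no notification settings entry with NotificationsEnabled")
    return problems


if __name__ == "__main__":
    issues = check_profile(SAMPLE_PROFILE)
    print("profile OK" if not issues else "\n".join(issues))
```

Run it against the real file before uploading; if you ever rebuild the profile with a different ThreatLocker bundle identifier or Team ID, the two mismatch messages are the ones that tell you the filter would silently fail to attach on the device.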
Associate target device
- Navigate to Policy Targets and select the Devices, Device Groups, Users, User Groups, or Domains you would like to associate the policy with.
- Click on Save.
What happens at the device end?
Once the ThreatLocker app is successfully deployed on macOS devices through Hexnode UEM, the devices will be added to the Threat