Deploying ThreatLocker to Mac with Hexnode MDM

Last update: 12.23.2025

Note: For organizations deploying to a large number of endpoints, ThreatLocker recommends using a staggered deployment approach. Organizations that deploy to a large number of endpoints at once may experience increased bandwidth usage as macOS Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to macapps.threatlocker.com.

 

Under Policy Management, create a new policy and use a blank template.

 

Give the policy a name and switch to the macOS tab.

 

Once macOS is selected, scroll down and select "Deploy Custom Configuration".

Use the link below to download the ThreatLocker MDM profiles.   

From the downloaded file above, extract the two .mobileconfig files: 

  • ThreatLocker Configuration 

  • ThreatLocker Startup & Lock  

BOTH files should be added to your MDM as separate configuration profiles.  

Note: To allow for correct remote installation of the ThreatLocker agent on macOS, have both MDM profiles deployed to all Mac devices before the ThreatLocker agent installation is attempted. MDM configuration profiles automatically set rights and preferences for the ThreatLocker Agent without requiring admin credentials. These profiles do not install any software on your Macs; they only set the needed rights and preferences. Remote macOS installation using an RMM without using an MDM will require permissions for the agent to be granted manually.

Next, switch to scripts and upload the MDM deployment script from the ThreatLocker portal into the Hexnode portal.

To see where to get the latest version of our MDM script, please see the 'RMM Deployment' section of the "Deploying ThreatLocker" article in the ThreatLocker Help Center.

Be sure to modify the script to include your GroupKey, which can be found here

 

Set the script to execute on subsequent user log on.
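The note above requires both MDM profiles to be on the Mac before the agent installation is attempted. One way to enforce that is a preflight check at the top of the deployment script. This is an added example, not ThreatLocker's or Hexnode's own code. It assumes the installed profiles carry the same names as the two .mobileconfig files and that the script runs as root, so that computer-level profiles are listed.

```bash
#!/bin/bash
# Added example: preflight gate placed before the ThreatLocker install steps.
# ASSUMPTION: the installed profiles show the same names as the two
# .mobileconfig files. Confirm with `profiles show` on a test Mac first.
REQUIRED_PROFILES="ThreatLocker Configuration
ThreatLocker Startup & Lock"

# Constructed sample listing (not captured from a real Mac): only one of the
# two profiles is present. The identifier is a placeholder.
SAMPLE_ONE_PROFILE='_computerlevel[1] attribute: name: ThreatLocker Configuration
_computerlevel[1] attribute: profileIdentifier: com.example.placeholder'

# Reads a profile listing on stdin and prints every required profile name
# that does not appear in it (fixed-string match, one name per line).
missing_profiles() {
    listing=$(cat)
    printf '%s\n' "$REQUIRED_PROFILES" | while IFS= read -r name; do
        printf '%s\n' "$listing" | grep -qF -- "$name" || printf '%s\n' "$name"
    done
}

# Returns 0 only when both profiles are installed on this Mac.
# Must run as root so computer-level profiles are included (assumption).
profiles_ready() {
    missing=$(profiles show -type configuration 2>/dev/null | missing_profiles)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | sed 's/^/Missing MDM profile: /' >&2
    return 1
}

# Run the gate only on macOS. A non-zero exit stops the script before any
# install step; the script is attempted again at the next user log on.
if [ "$(uname)" = "Darwin" ]; then
    profiles_ready || exit 1
    # ...the ThreatLocker MDM script from the portal continues here...
fi
```

Stopping before the install step avoids an agent that is installed without the rights the profiles grant, which would otherwise have to be granted manually.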

 

Once the script is uploaded, save the policy. On the Policy Management screen, select the policy, click on Manage, and then click on Associate targets. Select the machines you would like to associate with this policy.

 

Once the policy is applied, the next time a user logs in, ThreatLocker will be installed.
