MAC Agent Release Notes | ThreatLocker Help Center

Note: Reminder to run Learning Mode after installation before securing endpoints for the minimum recommendation of 5-7 days.

Version 3.0

02/21/2024 - Beta

New Features

Introducing Ringfencing for Mac!

Reduce the chance of a cyberattack by limiting what your applications can do, whether trying to interact with another application, your files, data, or the internet. By limiting what software can do, ThreatLocker® Ringfencing™ can reduce the likelihood of an exploit being successful or an attacker weaponizing legitimate tools such as Zsh or Terminal. Contact your Account Manager or a Cyber Hero for more information on this exciting addition to the Mac line of ThreatLocker products.

Improvements

Starting in the Mac 3.0 release, TL hash will no longer be included in the Unified Audit Logs for Mac applications. Sha256 will be used exclusively for Hash conditions and rules.

Bugs and Fixes

Resolved a typo in the Error Log
Resolved an issue where the Install Assistant would not run when ThreatLocker was installed
Resolved an issue where a Deny was not logged in the Unified Audit when a user failed to enter credentials during an Elevation request

Version 2.8.2

04/17/2024 - Beta

Bugs and Fixes

Improved the installation process when using a PKG installer, and no user is logged in during the installation

Version 2.8.1

04/11/2024 - Live

Bugs and Fixes

Resolved an issue from 3.0 Beta, where Sudo would not elevate even with an elevation policy in place

Version 2.8.0

04/01/2024 - Live

New Features

Manage Local Administrator Settings will allow all local administrators to be removed from the administrator group, with exceptions, via ThreatLocker. On the Computers Page, in the upper left 3-dash menu, a new setting for Manage Local Administrator Settings now exists. A toggle to enable or disable this feature, as well as define the level at which local administrators will be removed, from the Organization level down to the computer level. Exceptions will ensure that only intended local administrators have permissions on specific endpoints. Enabling this feature without including an exception will ensure that ALL local administrators are removed from the local administrators' group for all endpoints. This feature is available for Mac and Windows administrator groups

Improvements

Improved the process of removing application definitions and the impact on system performance

Bugs and Fixes

Resolved an issue on 3.0 Beta, where Discord was permitted via the core files policy
Resolved an issue with the ThreatLocker logo disappearing from the tray after updating from 2.7.10
Resolved an issue from 2.7.10, where open notifications from ThreatLocker would cause the Agent to crash

Version 2.7.10

03/28/2024 - Live

Bugs and Fixes

Resolved an issue in which the tray could not be re-opened using Spotlight Search or through Terminal
Resolved an issue in which tray notifications were not being displayed after switching users without logging out
Resolved an issue in which permitting an application using custom rules resulted in a blocked application
Resolved an issue in which Approval Requests were not being sent from a blocked file notification
Resolved an issue in which running Setup Assistant with Elevation resulted in being stuck in a loop
Resolved an issue in which some customers experienced high CPU usage
Resolved an issue with Elevation and Discord
Resolved an issue where, in certain circumstances, some executes may have been Denied in Learning Mode

Version 2.7.9

03/19/2024 - Live

Bugs and Fixes

Resolved an issue with continually growing RAM usage from version 2.6

Version 2.7.8

03/15/2024 - Live

Bugs and Fixes

Added a cache size limit to reduce the impact on RAM usage

Version 2.7.7

03/14/2027 - Live

Bugs and Fixes

Resolved an issue where the Install Assistant would not run when ThreatLocker was installed
Resolved an issue where rapidly and repeatedly pressing the Reload button on the tray would cause it to work incorrectly
Resolved an issue with the Blocked Items Tray where the sort feature was not working as intended

Version 2.7.6

03/06/2024

Improvements

Improvements to the Mac Agent Installer to validate group key prior to all installation actions

Version 2.7.5

Live

Improvements

Added the ability to create custom permit policies if the execute function is XProtect

Bugs and Fixes

Resolved an issue where the Mac Agent would intermittently stop checking in

Version 2.7.4

Beta

Improvements

Improvements to the Mac Agent Installer to validate group key prior to all installation actions

Version 2.7.3

02/07/2024 - Live

Bugs and Fixes

Resolved an issue where the Mac agent downloaded the full policy list more often than intended. Full policy downloads will now only be performed on the first installation

Version 2.7

02/07/2024 - Live

Bugs and Fixes

Resolved an issue with Tamper Protection where updating the agent would not start until the endpoint was rebooted
Resolved an issue with incremental file updates related to an empty file version
Resolved an issue with mismatched local hostnames from Sharing > Local Hostname

Version 2.6.2

02/05/2024 Updated - Live

Improvements

Improved Unified Audit logging to include network and server information, including interface, when available
Continued performance optimizations, including reducing memory usage and reducing resource utilization
Removed the "Force the program to run as a standard administrator" function in Elevation control as it is not currently Mac-compatible
To improve the functionality of app bundles, CodeResource file types will now be seen as executables
ThreatLocker has added Storage Control and Tamper Protection monitoring to Exchange Data syscall events
ThreatLocker will now display notifications when 'sudo' is called from a non-admin user Terminal
ThreatLocker has added default Elevation for Xcode

Bugs and Fixes

Resolved an issue with the Mac Agent related to Learning Mode and explicit deny policies not working as intended
Resolved an issue where Built-In policies were not downloading to endpoints as expected
Resolved an issue with Tamper Protection set to disabled but blocking the reading of ThreatLockerStorage.db file
Resolved an issue with the integration for Addigy related to Addigy Identity
Resolved an issue where Addigy installation would assign System if no user is logged in
Resolved an issue from 2.3 and 2.4 where some users would get stuck on a loading screen after enabling Elevation
Resolved an issue where the initial Learning Mode would be set to 0 days
Resolved an issue where if the PKG is blocked by ThreatLocker, the Installer would need to be quit manually before PKG could run again
Resolved an issue with 2.3, which caused high memory usage
Resolved an issue from 2.1, which caused high CPU when opening large applications
Resolved an issue where clicking "do not show' would not stop the ThreatLocker Tray from repeating a popup
Resolved a rare issue where an explicit deny policy would not prevent the executable when in Learning Mode
Resolved an issue where closing the Tray from Terminal was not working as intended
Resolved an issue where some core files would not elevate when the endpoint was in Elevation Mode

Version 2.5

12/27/2023 - Live

Improvements

Improved Unified Audit logging to include network and server information, including interface, when available

Bugs and Fixes

Resolved an issue where ThreatLocker was causing excessive data usage
Resolved an issue where the Mac Agent would show a permit or deny on an install action type
Resolved an issue with the Mac Agent where logs were collected when Tamper Protection was enabled
Resolved an issue with Mac Agent Application Requests related to how Full Path and Process were added to the incorrect field

Version 2.4

11/28/2023 - Live

Improvements

Added the option to Allow Silent Uninstall, which allows ThreatLocker to be uninstalled on Mac Groups and Mac Computers without end-user interaction
A popup Maintenance Mode timer is now available, allowing users to end a timed Maintenance Mode prior to the timer expiring
Improved Unified Audit logging to include file move events on Mac OS
Improved the Mac Elevation Password requirements to a minimum of (15) characters, a maximum of (64) characters, and a requirement to include at least two (2) uppercase letters, base 10 digits (0 through 9), and non-alphanumeric characters
A popup Maintenance Mode timer is now available, allowing users to end a timed Maintenance Mode prior to the timer expiring

Bugs and Fixes

Resolved an issue where Elevation was not providing elevated credentials as expected
Resolved an issue where deleting or disabling a policy would require a reboot
Resolved an issue with Mac custom rules where certificates were set to Equals and not Contains

Version 2.3

11/03/2023 - Live

Bugs and Fixes

Resolved an issue with Mac where the full path of the process was not logged
Resolved an issue where Mac SHAs were not checked when using certificates
Resolved an issue with the Mac timestamps for blocked files
Resolved an issue with the Mac Security Agent crashing when attempting to Elevate

Version 2.2

10/23/2023 - Live

Bugs and Fixes

Resolved an issue with Path/Process Rules not processing as intended

Version 2.1

10/17/2023 - Live

Due to database changes to facilitate incremental (Built-In) Application updates, machines updated to 2.1 cannot downgrade to previous versions. Please view our KB on Uninstalling ThreatLocker from Mac computers for guidance if downgrading your 2.1 version is necessary

New Features

Mac Agent now downloads Built-In Applications

Improvements

Mac baselines will now recover progress when the Agent crashes
Mac policies will now be downloaded incrementally when policies are deployed
Mac policies will no longer record or show serial numbers
Mac now has the option to use the "Don't Update" ThreatLocker version (used for troubleshooting and not recommended as a setting for traditional use)

Bugs and Fixes

Resolved an issue with multiple rescans on Mac Baseline
Resolved Mac issue where baseline scans would not complete
Resolved an issue with Mac Rescan Baseline failing to complete
Resolved an issue with Mac Baseline and Storage Control logs
Resolved an issue with Mac Baseline not starting on 2.1.0.349
Resolved an issue causing the Mac Baseline not to process completely
Resolved an issue with Mac "System" users, which caused Elevation blocked prompts when logged in as an administrator
Resolved an issue with Mac Agent where the agent could be stopped and/or uninstalled while Tamper Protection was enabled
Resolved an issue with Mac where policies based on SHA256 and execute would not process correctly
Resolved an issue with Mac Storage Control where Do Not Monitor or Log policies were still logging
Resolved Mac issue where user creation or deletion would fail when using administrator credentials
Resolved Mac issue where some executables were not gathered during baselining
Resolved an issue with Mac where an offline computer did not update to the correct maintenance period when intended
Resolved an issue with usernames and Elevation Requests with the MAC Agent
Resolved an issue that allowed Mac end-users to move ThreatLocker into the trash, as it doesn't uninstall the files
Resolved an issue in Mac when a user is prompted for Elevation but ThreatLocker does not elevate the file. This is now logged without a Policy Action
Resolved an issue with Mac login, causing an unexpected Elevation popup
Resolved an issue where the Mac ThreatLocker Tray would not restart when a user logged out and a new user logged in
Resolved MAC issues with high CPU demands when baselining
Resolved an issue where the wrong Mac storage policy was matched
Resolved an issue with Uninstall on Mac related to turning Tamper Protection on, off, and then back on again
Resolved an issue causing Mac computers to get stuck on the loading screen during reboot
Resolved an issue with Mac baselining related to .dylib file types
Resolved a Mac issue related to Group Level USB, and UNC deny policies blocking as expected but showed that the matched a different policy
Resolved an issue that prevented users from viewing the Blocked Items page
Resolved an issue where Mac users were prevented from using SUDO commands in the Terminal

Version 2.0

7/11/2023 - Live

Bugs and Fixes

Resolved an issue with MAC where PKG files did not prompt for Elevation
Resolved an issue from 2.0.0.313 where hashes were logged but not visible
Resolved an issue with MAC high CPU usage during the baseline process
Resolved an issue with MAC machines failing to upgrade or downgrade versions successfully
Resolved an issue with the visibility of Elevation credentials and Tamper Protection mode.
Resolved an issue where Tamper Protection was causing MAC machines to freeze
Resolved an issue with custom rules not matching
Resolved an issue with Learning Mode causing real denies rather than simulated ones
Resolved an issue where the Application Name was not visible in the Unified Audit
Resolved an issue with machines failing to upgrade or downgrade versions successfully
Resolved an issue where Tamper Protection was causing machines to freeze
Resolved an issue with install events that do not include all needed information (hashes, certificates, etc.)
Resolved an issue where Learning Mode would be affected by loss of internet connection
Resolved an issue that caused users to wait up to 3 seconds to change a system setting after that setting was initially changed
Resolved an issue in the tray where the 'Don’t Show Again' option was malfunctioning due to how information was stored in the database
Resolved an issue that allowed users to run Sudo commands with Elevation
Resolved an issue related to how installed pkg files associate with policies when the policies contain a *(wildcard)
Resolved an issue where some files were reported as executing when Installer.app was only reading the file
Resolved an issue where CPU usage would remain high after a heavy task is performed (for example, XCode build)
Resolved an issue where the tray would crash when the 'Reload' button was clicked quickly and repeatedly
Resolved an issue where the uninstall command did not remove /Applications/ThreatLocker.app file when running it as a non-admin user. This process will require a password when trying to remove the file
Performance improvements
Resolved an issue where approved notifications would show before the Agent had received new policies

Improvements

Improved high CPU usage by requiring a short 5-minute delay prior to starting a new rescan after having already started the rescan baseline sequence
Improved the logging and visibility of SHA256 hashes for MAC
Improvements to Network Control, including inbound connections, are now being monitored. This can be changed in the products section
Improved and simplifies the uninstall process
Improved the Unified Audit to include and Install Action Type for new or modified executable files
The full path is now displayed in the Blocked Items Window
Improved caching for filesystem and application events for faster response and less CPU usage
Elevation Control – limited functionality (see notes below)
Elevated Policies – limited functionality (see notes below)
Added ability to turn modules on and off
TL Tray - View Button is hidden for Explicit Deny Policies

New Features

Added Learning Mode (Hash Only) to the MAC
Added three hard-coded process exclusions to the MAC agent to reduce unneeded Unified Audit Logs. BackupD, MDSync, and Bird will continue to run in the background but not be monitored by ThreatLocker
Added the Install action for MACs
Added the ability for the MAC computer groups to turn products on and off
Added the ability to detect installing pkg files from the command line
Added ability to Elevate additional system settings for MacOS 13.0-13.4, including:

Network Settings
Login Items
Sharing Settings
Time Machine Settings
Privacy & Security Settings

The Elevation improvements that were added for MacOS 13.3 are coming soon to MacOS 13.1 and MacOS 12
Elevation Control may not support all elevation request types. If you find that elevation shows a password prompt without the ability to request elevation, please document and report to a Cyber Hero
Silent elevation is not currently supported

Version 1.1

3/22/2023

Known Limitation: Endpoints must be placed into Learning Mode during any updates to software. We are currently in the process of addressing the limitation and should have a solution shortly.

Bugs and Fixes

Resolved an issue with process caching, resulting in duplicate logging

Improvements

Improved baseline scanner detection of executables

Version 1.0

2/9/2023

Bugs and Fixes

Removed the Excluded Processes options section from the Computer Groups page
Removed the "Attach a copy of the file with the request" feature from the Request Popup
Solved an issue where some requests would fail to open
Solved an issue where policy versions would not update during automatic downloads
Solved an issue where the MAC agent would not upgrade or downgrade
Solved an issue where maintenance modes were not being stored during the reboot
Solved an issue in which the MAC Agent would crash when saving to the database
Solved an issue in which a machine with a maintenance mode set in the future would incorrectly appear as unsecured

New Features

Added MAC uninstaller
Added "Apple Fabric" as an interface to storage policies

Improvements

Improved the reporting and downloading mechanisms around MAC check-ins with policy numbers and approvals

1/31/2023

Known Bugs

ThreatLocker Tray - No popup for Maintenance Modes
Default Deny and Storage Control products are enabled by default and cannot be disabled

Bugs and Fixes

Application Control - Resolved an issue preventing the ability to set a policy for a specific interface
Application Control - Resolved an issue where the Default Deny policy was not created by default
Storage Control - Resolved an issue preventing the ability to use Apple’s storage interface in policy
Resolved an issue requiring policy deployment to approve via Approval Request
Resolved an issue where .pkg files were not treated as executables and were not able to be blocked using Default Deny
Resolved an issue where request Notifications relied on Apple's Notification Center and were not instant on a block
Resolved an issue where the blocked items in the ThreatLocker Tray didn't show in the correct order
Resolved an issue where processes did not work when used in Custom Rules

1/9/2023

Known Bugs

.pkg files are not treated as executables and are not able to be blocked using Default Deny
Request Notifications rely on Apple's Notification Center and are not instant on a block
Blocked items in the Tray don't show in the correct order
Unable to set an Application Policy for a specified Interface
Apple's storage interface cannot be used in Storage Policies
Default Deny Policy isn't created automatically
Approval Requests don't automatically trigger a Policy Download, and Policy Deploy is required
Processes do not work when used in Custom Rules
Default Deny and Storage Control products are Enabled by default and cannot be Disabled
Users don't receive a popup for active Maintenance Modes and can't end them from the Mac

New Features

Mac Agent will install into the specified group and Check In to the Portal every minute
The application and file actions are uploaded to the Portal every minute
Upon Installation, a Baseline will run on the Mac, logging all files into the Unified Audit
Learning Automatic <Group> and Learning Automatic <Computer> will create Policies based on the Baseline and Simulated Denies (Green Denies) for the Default Deny Policy (e.g., Default - MAC)
Application Definitions can be created using hashes and custom rules
Tamper Protection Disabled, Learning, Installation, and Monitor Maintenance Modes are supported
Full auditing of the read, write, move, and delete of files on external devices and specified local drive folders
Ability to deny access to storage locations based on interface type or specified paths
Supports authentication using Authorization Hosts on a Windows device using NAC
Updates the IP address for NAC objects used by a Windows device
Tamper Protection is on by default and prevents users from disabling or removing ThreatLocker

1/4/2023

Known Bugs

Approving via Approval Request requires policy deployment
Unable to disable products
Application Control - Unable to set policy for a specific interface
Application Control - Default Deny policy is not created by default
Storage Control - Unable to use Apple's storage interface in policy
ThreatLocker Tray - No popup for Maintenance Modes

New Features

Baselining applications during ThreatLocker installation
Automatic Learning to Computer and Groups
Permitting applications by Hash as well as Custom Rules when attached to a policy
Application Control Default Deny Policy at the bottom of the policy hierarchy to secure machines and only permit what is explicitly allowed
Supports Learning Mode, Installation Mode, and Monitor Only
Storage Control supports auditing of external storage, custom paths, and specified local folders
Monitor and deny storage for all external storage as well as specified local folders
Network Access Controls (NAC) supports Authorization Hosts as well as updating IPs for objects
Tamper Protection to stop unauthorized users from disabling ThreatLocker