Allowing End User to Self-Approve Applications

4 min. read | Last update: 09.10.2024

Beginning in Portal version 2.0.1, ThreatLocker administrators will have the option to enable their users to self-approve applications.

Self-Approval is only supported by ThreatLocker version 9.2 and greater. Please update all computers to 9.2 if you would like to use this feature.


While convenient, giving end users the ability to install applications that haven't been evaluated for safety can introduce risk into an IT environment, and it is not recommended. This option should be used with caution, and only applied for users that can be trusted.

As an added layer of protection, applications can only be self-approved on a temporary basis. Once self-approved, an Approval Request will be visible in the Response Center > Approvals page under a new Status called 'Self-Approved' so admins can review what has been self-approved and easily change a self-approved application from a temporary permit to a permanent permit if desired.

Setting Up Self-Approval

An Application Control policy that is set to 'Deny' 'All Applications', such as the default policy set at each computer group, also includes the option to 'Allow User to Self-Approve and Create a Temporary Policy.' We recommend creating a group just for self-approval and limiting its membership to only those users who require this ability.

Please Note: ThreatLocker Policy Hierarchy is Global > Global-Groups > Entire Organization > Individual Computers > Computer Groups

If this option were set at any level higher than the Computer Group level, it would prevent all Computer Group-level policies from applying, resulting in unnecessary steps before end users can run approved software.

Navigate to Application Control > Policies.

Select the desired group to enable self-approvals on from the 'Applies To' dropdown at the top of the screen. In our example, we have selected our Windows group.

Scroll to the bottom of the list and select the Default policy.

The Edit Policy sidebar will open from the right.

Scroll to the bottom of the sidebar to the 'End User Experience' area. By default, 'Show Notification and Allow User to Request' will be toggled on, and 'Allow User to Self-Approve and Create a Temporary Policy' will be toggled off.

Toggle on 'Allow User to Self-Approve and Create a Temporary Policy'. An expiration bar will populate. Slide the bar to select from 1 hour to 30 days; this sets the policy for the self-approved application to expire after the selected time.

To apply Ringfencing to the temporary policy, toggle on 'Apply Ringfencing to Temporary Policy' and select the checkbox next to the areas you wish to have all self-approved applications Ringfenced from.

By leaving 'Show Notification and Allow User to Request' toggled on and toggling on 'Allow User to Self-Approve and Create a Temporary Policy', end users will have both options: to send an Approval Request and to Self-Approve.

If the 'Show Notification and Allow User to Request' option is toggled off, the end user will only have the option to Self-Approve.

Once all desired configurations have been set, click the blue 'Save' button in the bottom left corner of the sidebar.

Deploy Policies to push this change down to the endpoints.

Once deployed, when the affected endpoints experience a file that is blocked by the Default policy, the end user will receive a popup where they can Self-Approve.

After the end user selects 'Self-Approve' they will be presented with a CAPTCHA they must successfully complete before they can run the application.

Executable files and browser extensions that are part of a Built-In Application will use the Built-In Application and not require Installation Mode, so the user can now run the Self-Approved application.

Browser extensions will have a hash-only rule created and not require Installation Mode, so the user can now run the Self-Approved application.

Setup, installer, or .msi files will have Installation Mode enabled, so the user can now install the Self-Approved application, and ThreatLocker will catalog the files that are installed and created and create a new application.

For all file types, a temporary permit policy at the computer level will be created in the ThreatLocker Portal, which will expire at the end of the expiry time selected on the Default policy. This policy is visible on the Application Control > Policies page, named Temp_Hostname_filename.

Please Note: This policy is located at the Computer level, so be sure to select the computer name from the 'Applies To' dropdown.

Investigating Self-Approved Applications

Navigate to the Response Center > Approvals page.

Select 'Self-Approved' in the status dropdown.

All Self-Approved applications will be listed. Select the Self-Approved item to open the Approval Request sidebar. The self-approved file can be run through the ThreatLocker VDI for testing, and if desired, a permanent policy can be created from this Approval Request.