Deploying ThreatLocker to Mac with Addigy MDM

Last update: 05.09.2025

Note: For organizations deploying to many endpoints, ThreatLocker recommends using a staggered deployment approach. Organizations that deploy to many endpoints at once may experience increased bandwidth usage as macOS Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to macapps.threatlocker.com.

This article explains how to deploy the ThreatLocker agent to Mac computers using Addigy. You will create a new policy containing all the information needed to deploy ThreatLocker. The policy can be used to deploy the ThreatLocker agent to devices that already exist within your Addigy account or to new devices.

Creating New Smart Software to Deploy ThreatLocker

In the Addigy portal, select ‘Catalog’ in the left-hand menu. This opens a popout menu with different options. Select ‘Software’ from this menu.

Once in the ‘Software’ page, select the ‘New’ button.

You will now be brought to a page titled ‘New Smart Software’. Here, insert a name for the software you will be creating.

Now, from within the ThreatLocker portal, select the ‘Install Computer’ button. This button can be found in the top right of every page.

It can also be located by navigating to the ‘Devices’ page using the left-hand side of the portal, then selecting the ‘Install Computer’ button on the top left side of the page.

On the ‘Download Installer’ popup screen, change the deployment method from ‘Manual Deployment’ to ‘MDM (macOS)’. Select the ‘Installation Script’ button.

Selecting the ‘Installation Script’ button will open a new web page with the script. Copy this script and paste it into the ‘Installation Command’ section of the ‘New Smart Software’ page in your Addigy portal.

Near the beginning of the script, you will notice that the value of the GroupKey is incorrect. This MUST be entered manually. If you do not know how to locate the GroupKey for the organization you will be deploying your machines to, please consult the following article:

MAC Agent Group Key Location | ThreatLocker Help Center

Once the correct group key has been entered, select the save button at the bottom of the page.

Import the ThreatLocker Configuration Profile to Permit the System Extension

From within the ‘Catalog’ page, select the ‘MDM Profiles’ tab. Select the ‘New’ button here.

A new page will open titled ‘New MDM Profile’. Select the ‘Custom Profile’ button.

Use the following link to download the ThreatLocker Configuration Profile. Unzip the file after it downloads, and you will be provided with a .mobileconfig file that can be used for profile creation.

https://static.threatlocker.com/deployment/A/ThreatLockerConfigurationProfile.zip

After selecting the ‘Custom Profile’ button, you will be brought to a new page. Select the button labeled ‘Select .mobileconfig file’ to upload the ThreatLocker Configuration Profile.

Select the .mobileconfig file from your machine.

This will populate the contents of the configuration profile onto this page. Once this has been uploaded, select the ‘Create Profile’ button at the bottom of the page to save the profile.

Within your list of MDM profiles, you will now be able to view the ThreatLocker Configuration Profile.
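A configuration profile pushed through MDM can grant system extension and privacy permissions without prompting the user, so it is worth reviewing which payloads a downloaded .mobileconfig carries before uploading it. The following is an added example, not code from ThreatLocker or Addigy; the sample profile is constructed, and its Team ID and bundle IDs are placeholders rather than ThreatLocker's real values.

```python
import plistlib

# Payload types that grant elevated privileges and deserve review before upload.
SENSITIVE = {
    "com.apple.system-extension-policy": "system extension allow-list",
    "com.apple.TCC.configuration-profile-policy": "privacy (TCC) grants",
    "com.apple.webcontent-filter": "network content filter",
}

def load_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig (XML or binary plist)."""
    try:
        return plistlib.loads(data)
    except Exception as exc:
        # Signed profiles are CMS-wrapped; unwrap them first, for example
        # with `security cms -D -i file.mobileconfig` on macOS.
        raise ValueError("not a plain plist; profile may be signed") from exc

def summarize(profile: dict) -> list:
    """Return (PayloadType, note, details) for each payload in the profile."""
    rows = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        details = {}
        if ptype == "com.apple.system-extension-policy":
            # Team IDs may be allowed wholesale or per extension bundle ID.
            details["teams"] = sorted(
                set(payload.get("AllowedTeamIdentifiers", []))
                | set(payload.get("AllowedSystemExtensions", {}))
            )
        elif ptype == "com.apple.TCC.configuration-profile-policy":
            details["services"] = sorted(payload.get("Services", {}))
        rows.append((ptype, SENSITIVE.get(ptype, "other"), details))
    return rows

# Constructed sample; Team ID and bundle IDs are placeholders, not ThreatLocker's.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Sample Agent Profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {"EXAMPLE123": ["com.example.agent.extension"]}},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": [
             {"Identifier": "com.example.agent", "IdentifierType": "bundleID", "Allowed": True}]}},
    ],
})

if __name__ == "__main__":
    for row in summarize(load_profile(SAMPLE)):
        print(row)
```

To review the downloaded file instead of the sample, read it in binary mode and pass the bytes to `load_profile`.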

Adding the Smart Software and MDM Profile to a Policy

Navigate to the Policies page, then select ‘New Policy’.

Selecting the ‘New Policy’ button will open a popup window. Here, insert the name of your policy and select the ‘Save’ button.

Once ‘Save’ is selected, you will be brought to the newly created policy. Navigate to the ‘Profiles’ section and select the ‘ThreatLocker Configuration Profile’ from the list of profiles.

Select the ‘Add/Remove’ button and select ‘Add to Policy’ from the dropdown list.

A popup confirming that the item you have chosen will be included in the next deployment will appear. Select ‘Confirm’ to continue.

You should now see the ‘ThreatLocker Configuration Profile’ status change from ‘Not in policy’ to ‘In policy’.

Note: The Configuration Profile needs to be installed onto the Mac devices before the script is run. Otherwise, permissions for the agent must be granted manually.

Next, navigate to the ‘Software’ page. Select the deployment script that you created from the list.

Select the ‘Add/Remove’ button, then select ‘Add to policy’.

Again, make sure to select ‘Confirm’ in the popup stating that you will be adding one item to the next deployment.

The status of your ThreatLocker Deployment Script should also change from ‘Not in policy’ to ‘In policy’.

You have now finished configuring your policy. To apply this policy to new computers you will be adding to Addigy, make sure that this policy is selected when you are prompted to ‘Select a Policy’ during the initial setup.

You can also navigate to your available devices using the ‘Devices’ page and select an existing machine that you would like to add this policy to.

In the machine’s informational page, select the ‘Policies’ button.

This will provide you with the list of available policies that you can add to your machine. Make sure you select the ‘Save’ button once the policy has been selected.

To deploy the policy automatically, navigate to the ‘Policies’ page, then select the policy you wish to deploy from the list of created policies.

Select the ‘Deploy Now’ button to deploy this policy to all machines that have received it.

Select ‘OK’ in the ‘Deploy Policy?’ popup window.

The policy will now deploy and begin installing ThreatLocker onto the machines.

You should now be able to see your new machines populated within the ‘Devices’ page of your organization.
