Deploying ThreatLocker to Mac with Intune

3 min. read | Last update: 12.23.2025

Note: For organizations deploying to a large number of endpoints, ThreatLocker recommends a staggered deployment approach. Deploying to a large number of endpoints at once may cause increased bandwidth usage, because the macOS Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to macapps.threatlocker.com.

Below, you will find the steps for Mac deployment through Microsoft Intune.

Step 1: Import Configuration Profile for ThreatLocker 

In the Intune portal, head to Devices > macOS Devices > Configuration and click on Create > New Policy.

Select the 'Templates' profile type and the 'Custom' template name in the 'Create a Profile' pane.

Use the link below to download the ThreatLocker MDM profiles.   

From the downloaded file above, extract the two .mobileconfig files: 

  • ThreatLocker Configuration 

  • ThreatLocker Startup & Lock  

BOTH files should be added to your MDM as separate configuration profiles.  

Under the 'Basics' tab, name the first profile.

Under the 'Configuration settings' tab, import the first ThreatLocker .mobileconfig file extracted from the download above.

Under the 'Assignments' tab, assign this profile to the macOS groups to which you are deploying ThreatLocker.

Review and create the first profile. 

Repeat those steps for the second configuration profile.  

Note: To allow correct remote installation of the ThreatLocker agent on macOS, have both MDM profiles deployed to all Mac devices before the ThreatLocker agent installation is attempted. The MDM configuration profiles automatically set the rights and preferences the ThreatLocker Agent needs without requiring admin credentials. These profiles do not install any software on your Macs; they only set the needed rights and preferences. Remote macOS installation using an RMM without an MDM will require the agent's permissions to be granted manually.

Step 2: Import Deployment Script for ThreatLocker

Note: If the script does not deploy as intended, ThreatLocker highly recommends recreating the script on a macOS device. Because Windows encodes the script differently (line endings and encoding markers), recreating it on a macOS device should allow the script to run without the potential issue. Once the script has been recreated, make sure to name it ThreatLocker_Install.sh.

Download the MDM deployment script from the ThreatLocker portal and save it as "ThreatLockerDeploymentScript-MDM.sh".

To find the latest version of the MDM script, see the 'RMM Deployment' section of Deploying ThreatLocker | ThreatLocker Help Center (kb.help).

Locate your GroupKey and replace the placeholder "xxxxxxxxxxxxxxxxxxxxxxxx" in the script with it.

Save the file as ThreatLocker_Install.sh.
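Before uploading the script to Intune, it is worth checking it for the problems this article warns about: Windows-style CRLF line endings or a byte-order mark introduced by editing on Windows, a missing shebang line, and the GroupKey placeholder left unreplaced. The following pre-flight check is an added example written for this page; it is not ThreatLocker's deployment script and it assumes only that the script starts with a shebang and that the portal download uses the "xxxxxxxxxxxxxxxxxxxxxxxx" placeholder shown above.

```shell
#!/bin/sh
# Pre-upload sanity check for ThreatLocker_Install.sh (added example, not ThreatLocker code).
# Reports each problem on stderr and returns 0 only when the file looks ready to upload.
check_install_script() {
    script="$1"
    status=0

    if [ ! -f "$script" ]; then
        echo "no such file: $script" >&2
        return 1
    fi

    # Windows editors add a carriage return before each newline; the macOS
    # shell then sees "\r" as part of every command and the script fails.
    if grep -q "$(printf '\r')" "$script"; then
        echo "CRLF line endings found: recreate or convert the script on macOS" >&2
        status=1
    fi

    # A UTF-8 byte-order mark (EF BB BF) in front of "#!" breaks the shebang.
    if [ "$(head -c 3 "$script" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "UTF-8 BOM found at the start of the file" >&2
        status=1
    fi

    # Intune runs the file as a shell script, so the first line must be a shebang.
    case "$(head -n 1 "$script" | tr -d '\r')" in
        '#!'*) ;;
        *) echo "first line is not a shebang line" >&2; status=1 ;;
    esac

    # The GroupKey placeholder from the portal download must have been replaced.
    if grep -q 'xxxxxxxxxxxxxxxxxxxxxxxx' "$script"; then
        echo "GroupKey placeholder still present: insert your GroupKey" >&2
        status=1
    fi

    return $status
}

# Strip carriage returns in place, keeping a .bak copy of the original.
fix_line_endings() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1" "$1.bak" && mv "$1.tmp" "$1"
}

# Usage: check_install_script ThreatLocker_Install.sh && echo "ready to upload"
```

Run the check on the Mac where the script was last edited; if it reports CRLF line endings, `fix_line_endings` converts the file and the check can be repeated before the Intune upload.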

In Intune, navigate to Devices > macOS > Shell Scripts and select Add.

Name the script ThreatLocker Deployment Script and select Next.

Under Upload script, select the ThreatLocker_Install.sh file.

Select the following options:

  • Run script as signed-in user: No
  • Hide script notifications on devices: Yes
  • Script frequency: Every 1 day (this can be reduced to 15 minutes for testing)
  • Max number of times to retry if script fails: 3 times

Assign the script to the same group to which the configuration profiles were assigned.

Select Next > Add 

You can monitor the deployment through the script overview.