Deploying ThreatLocker to Mac with Kandji MDM

5 min. read. Last update: 05.12.2025

Note: For organizations deploying to many endpoints, ThreatLocker recommends a staggered deployment. Deploying to many endpoints at once can cause a spike in bandwidth usage, because the macOS core and application definitions are downloaded to each endpoint. QoS rules can be used to limit the bandwidth available to macapps.threatlocker.com.

Below are the steps for Mac deployment through Kandji. The Blueprint created here can be applied to devices that are already enrolled in Kandji or to newly enrolled ones.

Creating a Blueprint 

Navigate to ‘Blueprints’ using the left-hand menu within your Kandji portal. 

Within the ‘Blueprints’ page, select the ‘+ Add Blueprint’ button located in the top right-hand corner of the page. 

A popup window titled ‘Create Blueprint’ will now be displayed. Select ‘Start from scratch’ from the available selections.

Now, enter a name for your Blueprint. You can optionally add a description as well. Once all fields have been filled out to your liking, select ‘Create Blueprint’ at the bottom of the page. 

You will now be able to view your newly created Blueprint from within the Blueprints page. 

Creating a Custom Profile to Deploy ThreatLocker 

Note: The Configuration Profile must be installed on the Mac before the installation script runs. Otherwise, the permissions the agent requires must be granted manually on each device.

Navigate to ‘Library’ using the left-hand menu within your Kandji portal. 

Now, in ‘Library’, select the ‘+ Add Library Item’ button located in the top right-hand corner of the page.

In the ‘Add Library Item’ page, select ‘Custom Profile’. This can be found under the ‘General’ section or by utilizing the search bar provided. 

After selecting ‘Custom Profile’, select the ‘Add and configure’ button, located at the bottom right-hand side of the page.

Now, configure your custom profile. Enter a title for the profile. Because this profile only applies to macOS, you can remove everything but ‘Mac’ from the ‘Install on’ section.

Next, select the ‘+ Assign’ button to the right of ‘Blueprint’ to assign the Blueprint you have created to this profile. 

At the bottom of the page, you will see a ‘Profile Details’ section. Select the link provided below to download the ThreatLocker Configuration Profile: 

Unzip this file to obtain a .mobileconfig file, which is uploaded in the space provided: drag the file into the area, or select ‘click to upload’ to browse for the .mobileconfig file on your machine.

Once the ThreatLocker Configuration Profile is uploaded, you will see it populate on the page. Select the ‘Save’ button in the bottom right corner of the screen to save and add your custom profile to the Library. 

Creating a Custom Script to Deploy ThreatLocker 

Navigate to the ‘Library’ page using the left-hand menu. 

Select the ‘+ Add Library Item’ button located in the top right-hand side of the page. 

In the ‘Add Library Item’ page, select ‘Custom Scripts’. This can be found under the ‘General’ section or by utilizing the search bar provided.

Once ‘Custom Scripts’ has been chosen, select the ‘Add and configure’ button that is found in the bottom right-hand side of the page. 

From within the Custom Scripts configuration page, add a title for your script. Once done, use the ‘+ Assign’ button to the right of ‘Blueprint’ to assign the same Blueprint to this script as you did for the profile.

Within the settings section, you can keep the ‘Execution Frequency’ set to ‘Run once per device’. You also do not need to enable ‘Self Service’. 

You will now see a section titled ‘Script Details’, which provides the field the script is pasted into. To obtain the script, log into your ThreatLocker portal and open the ‘Install Computer’ button. This button can be found in the top right-hand corner of every page.

It can also be found in the top left corner of the ‘Devices’ page. 

On the ‘Download Installer’ popup screen, change the deployment method from ‘Manual Deployment’ to ‘MDM (macOS)’. Select the ‘Installation Script’ button. 

Selecting the ‘Installation Script’ button opens a new web page containing the script. Copy this script and paste it into the ‘Script Details’ field on the Kandji page.

Near the beginning of the script, note that the value of the GroupKey is incorrect and must be replaced with the GroupKey of the organization you are deploying to.

This value MUST be entered manually. If you do not know how to locate the GroupKey for the organization you are deploying to, consult the following article:

Once the correct GroupKey has been entered, select the ‘Save’ button at the bottom of the page.
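Both conditions this article calls out, the configuration profile being installed before the script runs and the GroupKey being replaced, fail silently if they are missed: the agent installs without its permissions, or enrolls into the wrong organization. The pre-flight guard below is an added example written for this article, not code from ThreatLocker or Kandji; it is meant to be pasted at the top of the Kandji custom script, ahead of the installation script body. The profile identifier com.threatlocker.example.profile, the shape of the constructed ‘profiles list’ output, the placeholder heuristics in groupkey_is_set, and the $GroupKey variable name are all assumptions, not values taken from the vendor script.

```shell
#!/bin/sh
# Added example (not ThreatLocker's or Kandji's own script): a pre-flight guard
# for the Kandji custom script. It refuses to run the agent installer unless
# the ThreatLocker configuration profile is already installed and the GroupKey
# has been replaced.
#
# Assumptions (hypothetical, not from the article):
#   - TL_PROFILE_ID is the PayloadIdentifier of the ThreatLocker .mobileconfig;
#     read the real value from the file you downloaded.
#   - 'profiles list' prints one "... profileIdentifier: <id>" line per
#     installed profile; the sample below is constructed in that shape.
#   - The GroupKey check only catches obviously unreplaced values; it cannot
#     tell a wrong key from the right one.

TL_PROFILE_ID="${TL_PROFILE_ID:-com.threatlocker.example.profile}"

# profile_installed ID TEXT
# Return 0 if TEXT (output of 'profiles list') contains a profile whose
# identifier is exactly ID. Exact comparison avoids regex surprises from dots.
profile_installed() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /profileIdentifier: / {
            sub(/.*profileIdentifier: /, "")
            if ($0 == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# groupkey_is_set KEY
# Return 0 unless KEY is empty, contains whitespace, or still looks like a
# template placeholder such as <GroupKey>.
groupkey_is_set() {
    case "$1" in
        "" | *[[:space:]]* | *"<"* | *">"*) return 1 ;;
    esac
    return 0
}

# preflight ID KEY TEXT
# Run both checks; print the first failure to stderr and return non-zero.
# Return 1 for a missing profile, 2 for a bad GroupKey, 0 when both pass.
preflight() {
    if ! profile_installed "$1" "$3"; then
        echo "preflight: profile $1 is not installed; install it before the agent" >&2
        return 1
    fi
    if ! groupkey_is_set "$2"; then
        echo "preflight: GroupKey is empty or still a placeholder" >&2
        return 2
    fi
    return 0
}

# Constructed sample output in the shape 'profiles list' uses; not captured
# from a real device.
SAMPLE_WITH_PROFILE='_computerlevel[1] attribute: profileIdentifier: com.kandji.profile.mdmprofile
_computerlevel[2] attribute: profileIdentifier: com.threatlocker.example.profile
There are 2 configuration profiles installed'

SAMPLE_WITHOUT_PROFILE='_computerlevel[1] attribute: profileIdentifier: com.kandji.profile.mdmprofile
There are 1 configuration profiles installed'

# Offline demonstration against the constructed samples.
if preflight "$TL_PROFILE_ID" "constructed-example-key" "$SAMPLE_WITH_PROFILE"; then
    echo "demo 1: preflight passed"
fi
if ! preflight "$TL_PROFILE_ID" "<GroupKey>" "$SAMPLE_WITHOUT_PROFILE"; then
    echo "demo 2: preflight failed as expected"
fi

# In the real Kandji script (which the agent runs as root), use live output
# and whatever variable the vendor script holds the key in ($GroupKey is an
# assumed name):
#   preflight "$TL_PROFILE_ID" "$GroupKey" "$(profiles list 2>/dev/null)" || exit 1
#   ...vendor installation script body follows...
```

Because Kandji runs custom scripts as root, `profiles list` reports the device-level profiles, which is where an MDM-delivered .mobileconfig lands. A non-zero exit from the guard surfaces as a failed script run in the Kandji portal rather than as a half-installed agent. The GroupKey check is deliberately narrow: it blocks the obviously unreplaced value the article warns about but cannot validate the key itself, so still confirm it against the portal.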

Adding a Profile or Script to an Existing Blueprint 

If you already have an existing Blueprint that you would like to add the ThreatLocker Configuration Profile or MDM script to, start by navigating to the ‘Blueprints’ page using the left-hand menu. 

Select your Blueprint from within the page. 

Now, within the page for your chosen Blueprint, select the ‘Edit assignments’ button shown on the far-right side of the page.

Selecting this button shows a list of all library items on your account. From here, you can either search for your newly created custom profile and script or scroll through the list to find them. Click and drag your choices into the Blueprint, then select the ‘Save’ button once this is done.

The selected items are now part of your existing Blueprint.

Enrolling a Device with a New Blueprint to Deploy ThreatLocker 

To enroll a device, select ‘Enrollment’ from the left-hand menu.

Within the ‘Enrollment’ page, select ‘Manual Enrollment’. 

From here, you will see a link to the enrollment portal, which is unique to your account. When a user navigates to this enrollment link, they are asked to enter an enrollment code. This code is specific to each Blueprint in your environment. Once the code is entered, the user receives a profile download for the Blueprint the code belongs to.

Once the profile is installed and the device is visible in your Kandji portal, the ThreatLocker download begins, and the device should soon appear in your ThreatLocker portal as well.