The Login Settings page provides a central location to manage where and how your administrators are able to access the ThreatLocker Portal. Here, you can set organization-wide restrictions on which countries or IP addresses your users can log in from, restrict MFA options, allow SSO, and override the MFA restrictions for specific users.
Login Settings can be accessed from the 'Login Attempts' pane of the Health Center, or by selecting Login Settings under 'Additional Options' on the Administrators page.
Both paths will open the same side panel, 'Login Settings - [Your Organization Name]'. Settings configured here are applied across the entire organization.
ThreatLocker Access
The 'ThreatLocker Access' section determines the level of access ThreatLocker Staff has to your organization. This can be configured to give No access, Read-Only access, or Full Control to Solutions Engineers and Cyber Heroes. Changes to these settings can only be made by Super Admins within your organization; ThreatLocker Staff is unable to make changes to these settings on your behalf.
Your Solutions Engineer is the primary technical point of contact for your account. This is the team member you would have worked with through your deployment and onboarding process. By default, Solutions Engineers will have Full Control selected, and we recommend keeping this set during your trial and onboarding process.
Cyber Heroes designates access for Cyber Hero Support and the Application Request team, who may need access to your account to assist in troubleshooting any issues you encounter. By default, the Cyber Heroes will have Read-Only access to your account. If you have Cyber Hero Management, the Cyber Heroes will need Full Control access to your account in order to process Application Requests.
Login Restrictions
To help secure your environment, this section allows you to restrict administrator login attempts by geographical location and IP address, restrict the available MFA modes, and enable or enforce Office 365 SSO.
Country Restrictions
Under 'Country Restrictions', choose 'Allow Selected' to create a list of countries from which login to your ThreatLocker account is permitted, or choose 'Block Selected' to set a list of countries from which login to your ThreatLocker account is prohibited.
Please note: If you choose 'Allow Selected', login attempts from all countries not allowed will be blocked. If you choose 'Block Selected', logins from all countries or IPs not on the blocklist will be permitted. Please ensure that you permit your own country when configuring this option, as it is possible to block legitimate sign-ins to your own account.
IP Address Restrictions
Under 'IP Address Restrictions', choose 'Allow Selected' to create a list of IPv4 addresses from which login to your ThreatLocker account is permitted, or choose 'Block Selected' to set a list of IPv4 addresses from which login to your ThreatLocker account is prohibited.
Please note: If you choose 'Allow Selected', all IP addresses not on the allowed list will be blocked. If you choose 'Block Selected', all IP addresses not on the blocked list will be permitted. This does not override Allowed Countries. If you allow specific IPs within a country and also allow the country itself via Country Restrictions, the entire country will be allowed.
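A pre-change review of a planned Country/IP restriction set against the locations your administrators actually sign in from, written as an added example (it is not ThreatLocker code and does not call any ThreatLocker API). It models only the rules stated in the two notes above; the dictionary layout, field names, finding codes and sample values are constructed for illustration, and an unset restriction is assumed to permit everything.

```python
import ipaddress

# Constructed sample input. The layout and field names are hypothetical;
# this is not a ThreatLocker export format or API.
PLANNED = {
    "country": {"mode": "allow", "selected": {"US", "CA"}},
    "ip": {"mode": "allow", "selected": {"203.0.113.10", "198.51.100.7"}},
}
ADMINS = [
    {"name": "alice", "country": "US", "ip": "203.0.113.10"},
    {"name": "bob", "country": "US", "ip": "192.0.2.44"},
    {"name": "carol", "country": "DE", "ip": "198.51.100.7"},
]

def rule_permits(rule, value):
    """'Allow Selected' permits only listed values; 'Block Selected' permits the rest."""
    if rule is None:  # assumption: this restriction is not configured
        return True
    listed = value in rule["selected"]
    return listed if rule["mode"] == "allow" else not listed

def is_allow(rule):
    return rule is not None and rule["mode"] == "allow"

def review(planned, admins):
    """Return (admin, finding) pairs for a planned Login Restrictions change."""
    country, ip = planned.get("country"), planned.get("ip")
    findings = []
    for admin in admins:
        addr = str(ipaddress.IPv4Address(admin["ip"]))  # the IP lists take IPv4 addresses
        country_ok = rule_permits(country, admin["country"])
        ip_ok = rule_permits(ip, addr)
        if not country_ok:
            # Own country missing from an allow list, or present on a block list.
            findings.append((admin["name"], "LOCKOUT_COUNTRY"))
        elif not ip_ok and is_allow(ip) and is_allow(country):
            # Page rule: the IP allow list does not override Allowed Countries,
            # so the allowed country still admits this unlisted address.
            findings.append((admin["name"], "IP_LIST_NOT_NARROWING"))
        elif not ip_ok:
            findings.append((admin["name"], "LOCKOUT_IP"))
    return findings

if __name__ == "__main__":
    for name, finding in review(PLANNED, ADMINS):
        print(f"{name}: {finding}")
```

An `IP_LIST_NOT_NARROWING` finding means the IP allow list is not the effective boundary for that administrator's country; removing the country from the allow list is what makes the IP list restrictive.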
MFA Restrictions
Under 'MFA Restrictions', you can select which Multi-Factor Authentication methods can be utilized when signing in. These settings are organization-wide unless a User Override is configured in the section below. If you enable 'Allow Selected', OTC can be enabled. Choosing 'None' will allow the administrator to use their choice. Restricting to a particular method when an admin is using another method will prompt the admin to reset OTC on their next login.
If you haven't previously set up DUO, you can navigate to the Integrations Page and set up the DUO Integration for your organization. For assistance with the DUO Integration, see our associated article here.
Allow SSO
The 'Allow SSO' option lets admins establish O365 SSO. ThreatLocker does not recommend using SSO for your ThreatLocker Account. After this option is enabled, the administrator will need to switch their account from a standard login to SSO. Please see the following article for further instructions: How to Enable O365 SSO | ThreatLocker Help Center (kb.help)
Enabling the 'Allow SSO' option will generate a further option, 'Enforce SSO / Disable Local Login', which will force all users within your organization to utilize SSO.
Warning: Enforcing SSO will prevent any administrators within your organization from signing in if they do not have SSO set up.
Login Restrictions - User Override
'User Override' allows particular admins to be permitted to use other MFA methods, outside of those selected in 'MFA Restrictions'. If OTC is the only allowed MFA method across an organization, for example, an MFA User Override can be established to allow a specified administrator to utilize their DUO integration for authentication.