MAC Agent Release Notes

Last update: 07.08.2024
Note: After installation, run Learning Mode for the recommended minimum of 5-7 days before securing endpoints.

Version 3.1

07/08/2024 - Beta

New Features

Mac Agents 3.1+ now have the option to use the Realtime Unified Audit via the Mac Console. This tool allows Mac users to see what is happening on their endpoint in real time without waiting for logs to be transferred to the ThreatLocker Portal or having to filter out other users' logs.

Improvements

  • Application Control requests will now require a valid email address when an email address is required
  • Mac Storage Control logs will now only show one log for a file being read, written, or executed by the same process during the same 24-hour period
  • Added the Policy Name to the Blocked Items menu in the tray
  • Added the ability to stop and restart the ThreatLocker service
  • Added the ability to remove and replace the Applications and Policies databases
  • Added the ability to uninstall when the system is running as root, for example with Jamf
  • Added the tracking and logging of the Created By Process, if one exists. This can be viewed in the sidebar of the Unified Audit
  • Added the Kill Running Processes option to Deny policies, which will kill any running instances of that application when the Policy is enabled and saved

Bugs and Fixes

  • Resolved an issue where Mac Admin was required to enter a password multiple times when uninstalling ThreatLocker
  • Resolved an issue with Mac and the learning algorithm where certain executables were not being captured correctly
  • Resolved an issue where downgrading versions while the baseline scanner was running would cause an unintentional second baseline scan to run
  • Resolved an issue where the uninstall function would fail if multiple users were logged in
  • Resolved an issue where the Mac agent was not able to be uninstalled through an MDM successfully
  • Resolved an issue where Built-In Mac Applications would have duplicate SHA256s
  • Resolved an issue where CodeSignature files were treated as executes in the Unified Audit
  • Resolved an issue where the Storage Request popup was hidden for some administrators
  • Resolved an issue where ThreatLocker administrators were not removed from the system when Elevation was disabled
  • Resolved an issue where signed dylib files were not showing the certificate in the Unified Audit
  • Resolved an issue where browser extensions were not processed as intended

 

Version 3.0.1

07/02/2024 - Live

07/1/2024 - Updated

New Features

Introducing Ringfencing for Mac!

Reduce the chance of a cyberattack by limiting what your applications can do, whether trying to interact with another application, your files, data, or the internet. ThreatLocker® Ringfencing™ can reduce the likelihood of an exploit being successful or an attacker weaponizing legitimate tools by limiting how software can interact with other software. Contact your Account Manager or a Cyber Hero for more information on this exciting addition to the Mac line of ThreatLocker products.

Improvements

  • Starting in the Mac 3.0.1 release, TL hash will no longer be included in the Unified Audit Logs for Mac applications. SHA256 will be used exclusively for Hash conditions and rules
  • Added the ability to stop and restart the ThreatLocker service
  • Added the ability to remove and replace the Applications and Policies databases
  • Improvements to the Manage Local Administrator feature 
  • Added CIDR notation support for Ringfencing Exclusions by IPv4 and IPv6
  • Mac Baseline actions will now skip cloud storage locations
  • Performance improvements related to muting processes without policies related to Ringfencing of Storage and Tamper Protection

Bugs and Fixes

  • Resolved an issue in which rebuilding the Apps database caused incorrect application matching which resulted in unapproved applications being permitted.
  • Resolved an issue where Elevation was not working with Cloudflare WARP as expected
  • Resolved an issue where Ringfencing Denies did not show in the tray or the Unified Audit
  • Resolved an intermittent issue where the Mac Agent would crash after starting
  • Resolved an issue that would cause Ringfencing to not work as expected if the agent experienced a crash and recovered
  • Resolved an issue where the Install Assistant would not run when ThreatLocker was installed
  • Resolved an issue where a Deny was not logged in the Unified Audit when a user failed to enter credentials during an Elevation request
  • Resolved an issue where the Elevation pop-up was populating during Sudo commands 
  • Resolved an issue where the agent would crash if it encountered an unknown API value
  • Resolved an issue where Storage Control was generating false positive logs
  • Resolved an issue where the Uninstall function was not controlled by Tamper Protection as expected
  • Resolved an issue where disabling Application Control Ringfencing would not disable the Network Ringfencing
  • Resolved an issue with uninstalling a partially installed version of ThreatLocker
  • Resolved an issue with Erase Contents and Settings, which was not running as a system administrator using Elevation 
  • Resolved an issue with the rebuild process of the Policy Database when it is deleted in Recovery Mode
  • Resolved an issue where Ringfencing was active during Learning, Installation and Monitor modes
  • Resolved an issue where Ringfencing would not be enabled after a reboot
  • Resolved an issue where Sudo would not elevate a non-admin user
  • Resolved an issue where the Elevate Disk Utility was unable to elevate as expected
  • Resolved an issue where the hash for a denied execute was not visible in the portal
  • Resolved an issue where read-only Storage Control policies were intermittently permitting the write action
  • Resolved an issue where hashes were not being downloaded automatically when updating an application definition
  • Resolved an issue where Storage Control Ringfencing would not show permitted files in Firefox using the "Open File" option 
  • Resolved an issue where simulated denies that occurred during Learning/Installation/Monitor Only Modes were appearing in the Blocked Items list in the tray
  • Resolved an issue where there was intermittent slowness when upgrading from older versions to the Mac Agent 3.0
  • Resolved an issue where Ringfencing denies were showing incorrectly in the Mac tray after the policy was changed
  • Resolved an issue where the ThreatLocker learning algorithm was learning ThreatLocker files unnecessarily
  • Resolved an issue that would cause the 'root' user to be removed from Mac devices when utilizing the Elevation Control module to remove administrators. Also improved this to add the 'root' user back to devices if it was removed by ThreatLocker

 

Version 2.8.5

05/25/2024 - Live

  • Resolved an issue that required Elevation to use the Find My feature

 

Version 2.8.4

05/20/2024 - Live

  • Resolved an issue where the hash for a denied execute was not visible in the portal

 

Version 2.8.3

04/24/2024 - Live

Bugs and Fixes

  • Resolved an issue where the baseline process would sometimes start before downloading all policies, causing long baseline times

 

Version 2.8.2

04/24/2024 - Unavailable

Bugs and Fixes

  • Improved the installation process when using a PKG installer, and no user is logged in during the installation
  • Resolved an issue where the Elevation popup was populating during Sudo Commands

 

Version 2.8.1

04/11/2024 - Unavailable

Bugs and Fixes

  • Resolved an issue where Sudo would not elevate even with an elevation policy in place

 

Version 2.8.0

04/01/2024 - Unavailable

New Features

Manage Local Administrator Settings will allow all local administrators to be removed from the administrator group, with exceptions, via ThreatLocker. On the Computers Page, in the upper left 3-dash menu, a new setting for Manage Local Administrator Settings now exists. It provides a toggle to enable or disable this feature and lets you define the level at which local administrators will be removed, from the Organization level down to the computer level. Exceptions will ensure that only intended local administrators have permissions on specific endpoints. Enabling this feature without including an exception will ensure that ALL local administrators are removed from the local administrators' group for all endpoints. This feature is available for Mac and Windows administrator groups.

Improvements

  • Improved the process of removing application definitions and the impact on system performance

Bugs and Fixes

  • Resolved an issue on 3.0 Beta, where Discord was permitted via the core files policy
  • Resolved an issue with the ThreatLocker logo disappearing from the tray after updating from 2.7.10
  • Resolved an issue from 2.7.10, where open notifications from ThreatLocker would cause the Agent to crash

 

Version 2.7.10

03/28/2024 - Live

Bugs and Fixes

  • Resolved an issue in which the tray could not be re-opened using Spotlight Search or through Terminal
  • Resolved an issue in which tray notifications were not being displayed after switching users without logging out
  • Resolved an issue in which permitting an application using custom rules resulted in a blocked application
  • Resolved an issue in which Approval Requests were not being sent from a blocked file notification
  • Resolved an issue in which running Setup Assistant with Elevation resulted in being stuck in a loop
  • Resolved an issue in which some customers experienced high CPU usage
  • Resolved an issue with Elevation and Discord
  • Resolved an issue where, in certain circumstances, some executes may have been Denied in Learning Mode

 

Version 2.7.9

03/19/2024 - Deprecated

Bugs and Fixes

  • Resolved an issue with continually growing RAM usage from version 2.6

 

Version 2.7.8 

03/15/2024 - Deprecated

Bugs and Fixes

  • Added a cache size limit to reduce the impact on RAM usage

 

Version 2.7.7

03/14/2027 - Deprecated

Bugs and Fixes

  • Resolved an issue where the Install Assistant would not run when ThreatLocker was installed
  • Resolved an issue where rapidly and repeatedly pressing the Reload button on the tray would cause it to work incorrectly
  • Resolved an issue with the Blocked Items Tray where the sort feature was not working as intended

Version 2.7.6 

03/06/2024 - Deprecated

Improvements

  • Improvements to the Mac Agent Installer to validate group key prior to all installation actions

 

Version 2.7.5 

Live - Deprecated

Improvements

  • Added the ability to create custom permit policies if the execute function is XProtect

Bugs and Fixes

  • Resolved an issue where the Mac Agent would intermittently stop checking in

 

Version 2.7.4

Beta - Deprecated

Improvements

  • Improvements to the Mac Agent Installer to validate group key prior to all installation actions

 

Version 2.7.3

02/07/2024 - Deprecated

Bugs and Fixes

  • Resolved an issue where the Mac agent downloaded the full policy list more often than intended. Full policy downloads will now only be performed on the first installation

 

Version 2.7

02/07/2024 - Deprecated

Bugs and Fixes

  • Resolved an issue with Tamper Protection where updating the agent would not start until the endpoint was rebooted
  • Resolved an issue with incremental file updates related to an empty file version
  • Resolved an issue with mismatched local hostnames from Sharing > Local Hostname

 

Version 2.6.2

02/05/2024 - Deprecated

Improvements

  • Improved Unified Audit logging to include network and server information, including interface, when available
  • Continued performance optimizations, including reducing memory usage and reducing resource utilization
  • Removed the "Force the program to run as a standard administrator" function in Elevation control as it is not currently Mac-compatible
  • To improve the functionality of app bundles, CodeResource file types will now be seen as executables
  • ThreatLocker has added Storage Control and Tamper Protection monitoring to Exchange Data syscall events 
  • ThreatLocker will now display notifications when 'sudo' is called from a non-admin user Terminal
  • ThreatLocker has added default Elevation for Xcode

Bugs and Fixes

  • Resolved an issue with the Mac Agent related to Learning Mode and explicit deny policies not working as intended
  • Resolved an issue where Built-In policies were not downloading to endpoints as expected
  • Resolved an issue with Tamper Protection set to disabled but blocking the reading of ThreatLockerStorage.db file
  • Resolved an issue with the integration for Addigy related to Addigy Identity
  • Resolved an issue where Addigy installation would assign System if no user is logged in
  • Resolved an issue from 2.3 and 2.4 where some users would get stuck on a loading screen after enabling Elevation
  • Resolved an issue where the initial Learning Mode would be set to 0 days
  • Resolved an issue where if the PKG is blocked by ThreatLocker, the Installer would need to be quit manually before PKG could run again
  • Resolved an issue with 2.3, which caused high memory usage
  • Resolved an issue from 2.1, which caused high CPU when opening large applications
  • Resolved an issue where clicking "do not show" would not stop the ThreatLocker Tray from repeating a popup
  • Resolved a rare issue where an explicit deny policy would not prevent the executable from running when in Learning Mode
  • Resolved an issue where closing the Tray from Terminal was not working as intended
  • Resolved an issue where some core files would not elevate when the endpoint was in Elevation Mode

 

Version 2.5

12/27/2023 - Deprecated

Improvements

  • Improved Unified Audit logging to include network and server information, including interface, when available 

Bugs and Fixes

  • Resolved an issue where ThreatLocker was causing excessive data usage
  • Resolved an issue where the Mac Agent would show a permit or deny on an install action type
  • Resolved an issue with the Mac Agent where logs were collected when Tamper Protection was enabled
  • Resolved an issue with Mac Agent Application Requests related to how Full Path and Process were added to the incorrect field

 

Version 2.4

11/28/2023 - Deprecated

Improvements

  • Added the option to Allow Silent Uninstall, which allows ThreatLocker to be uninstalled on Mac Groups and Mac Computers without end-user interaction 
  • A popup Maintenance Mode timer is now available, allowing users to end a timed Maintenance Mode prior to the timer expiring 
  • Improved Unified Audit logging to include file move events on Mac OS
  • Improved the Mac Elevation Password requirements to a minimum of (15) characters, a maximum of (64) characters, and a requirement to include at least two (2) uppercase letters, base 10 digits (0 through 9), and non-alphanumeric characters

Bugs and Fixes

  • Resolved an issue where Elevation was not providing elevated credentials as expected 
  • Resolved an issue where deleting or disabling a policy would require a reboot
  • Resolved an issue with Mac custom rules where certificates were set to Equals and not Contains

 

Version 2.3

11/03/2023 - Deprecated

Bugs and Fixes

  • Resolved an issue with Mac where the full path of the process was not logged 
  • Resolved an issue where Mac SHAs were not checked when using certificates 
  • Resolved an issue with the Mac timestamps for blocked files 
  • Resolved an issue with the Mac Security Agent crashing when attempting to Elevate

 

Version 2.2

10/23/2023 - Deprecated

Bugs and Fixes

  • Resolved an issue with Path/Process Rules not processing as intended

 

Version 2.1

10/17/2023 - Deprecated

Due to database changes to facilitate incremental (Built-In) Application updates, machines updated to 2.1 cannot downgrade to previous versions. Please view our KB on Uninstalling ThreatLocker from Mac computers for guidance if downgrading your 2.1 version is necessary

New Features

Improvements

  • Mac baselines will now recover progress when the Agent crashes 
  • Mac policies will now be downloaded incrementally when policies are deployed 
  • Mac policies will no longer record or show serial numbers 
  • Mac now has the option to use the "Don't Update" ThreatLocker version (used for troubleshooting and not recommended as a setting for traditional use) 

Bugs and Fixes

  • Resolved an issue with multiple rescans on Mac Baseline
  • Resolved Mac issue where baseline scans would not complete
  • Resolved an issue with Mac Rescan Baseline failing to complete
  • Resolved an issue with Mac Baseline and Storage Control logs
  • Resolved an issue with Mac Baseline not starting on 2.1.0.349
  • Resolved an issue causing the Mac Baseline not to process completely 
  • Resolved an issue with Mac "System" users, which caused Elevation blocked prompts when logged in as an administrator 
  • Resolved an issue with Mac Agent where the agent could be stopped and/or uninstalled while Tamper Protection was enabled 
  • Resolved an issue with Mac where policies based on SHA256 and execute would not process correctly 
  • Resolved an issue with Mac Storage Control where Do Not Monitor or Log policies were still logging 
  • Resolved Mac issue where user creation or deletion would fail when using administrator credentials 
  • Resolved Mac issue where some executables were not gathered during baselining 
  • Resolved an issue with Mac where an offline computer did not update to the correct maintenance period when intended 
  • Resolved an issue with usernames and Elevation Requests with the MAC Agent 
  • Resolved an issue that allowed Mac end-users to move ThreatLocker into the Trash, which does not uninstall the files
  • Resolved an issue in Mac when a user is prompted for Elevation but ThreatLocker does not elevate the file. This is now logged without a Policy Action 
  • Resolved an issue with Mac login, causing an unexpected Elevation popup 
  • Resolved an issue where the Mac ThreatLocker Tray would not restart when a user logged out and a new user logged in 
  • Resolved MAC issues with high CPU demands when baselining 
  • Resolved an issue where the wrong Mac storage policy was matched 
  • Resolved an issue with Uninstall on Mac related to turning Tamper Protection on, off, and then back on again 
  • Resolved an issue causing Mac computers to get stuck on the loading screen during reboot 
  • Resolved an issue with Mac baselining related to .dylib file types 
  • Resolved a Mac issue where Group Level USB and UNC deny policies blocked as expected but showed that they matched a different policy
  • Resolved an issue that prevented users from viewing the Blocked Items page
  • Resolved an issue where Mac users were prevented from using SUDO commands in the Terminal

 

Version 2.0

7/11/2023 - Deprecated

Bugs and Fixes

  • Resolved an issue with MAC where PKG files did not prompt for Elevation 
  • Resolved an issue from 2.0.0.313 where hashes were logged but not visible 
  • Resolved an issue with MAC high CPU usage during the baseline process 
  • Resolved an issue with MAC machines failing to upgrade or downgrade versions successfully 
  • Resolved an issue with the visibility of Elevation credentials and Tamper Protection mode. 
  • Resolved an issue where Tamper Protection was causing MAC machines to freeze 
  • Resolved an issue with custom rules not matching 
  • Resolved an issue with Learning Mode causing real denies rather than simulated ones 
  • Resolved an issue where the Application Name was not visible in the Unified Audit 
  • Resolved an issue with machines failing to upgrade or downgrade versions successfully 
  • Resolved an issue where Tamper Protection was causing machines to freeze 
  • Resolved an issue with install events that do not include all needed information (hashes, certificates, etc.) 
  • Resolved an issue where Learning Mode would be affected by loss of internet connection 
  • Resolved an issue that caused users to wait up to 3 seconds to change a system setting after that setting was initially changed 
  • Resolved an issue in the tray where the 'Don’t Show Again' option was malfunctioning due to how information was stored in the database 
  • Resolved an issue that allowed users to run Sudo commands with Elevation 
  • Resolved an issue related to how installed pkg files associate with policies when the policies contain a * (wildcard)
  • Resolved an issue where some files were reported as executing when Installer.app was only reading the file  
  • Resolved an issue where CPU usage would remain high after a heavy task is performed (for example, XCode build)
  • Resolved an issue where the tray would crash when the 'Reload' button was clicked quickly and repeatedly
  • Resolved an issue where the uninstall command did not remove /Applications/ThreatLocker.app file when running it as a non-admin user. This process will require a password when trying to remove the file
  • Performance improvements
  • Resolved an issue where approved notifications would show before the Agent had received new policies

Improvements

  • Improved high CPU usage by requiring a short 5-minute delay prior to starting a new rescan after having already started the rescan baseline sequence 
  • Improved the logging and visibility of SHA256 hashes for MAC 
  • Improved Network Control, including monitoring of inbound connections. This can be changed in the products section
  • Improved and simplified the uninstall process
  • Improved the Unified Audit to include an Install Action Type for new or modified executable files
  • The full path is now displayed in the Blocked Items Window 
  • Improved caching for filesystem and application events for faster response and less CPU usage
  • Elevation Control – limited functionality (see notes below) 
  • Elevated Policies – limited functionality (see notes below)
  • Added ability to turn modules on and off
  • TL Tray - View Button is hidden for Explicit Deny Policies

New Features

  • Added Learning Mode (Hash Only) to the MAC 
  • Added three hard-coded process exclusions to the MAC agent to reduce unneeded Unified Audit Logs. BackupD, MDSync, and Bird will continue to run in the background but not be monitored by ThreatLocker 
  • Added the Install action for MACs 
  • Added the ability for the MAC computer groups to turn products on and off 
  • Added the ability to detect installing pkg files from the command line 
  • Added ability to Elevate additional system settings for MacOS 13.0-13.4, including:
    • Network Settings
    • Login Items
    • Sharing Settings
    • Time Machine Settings
    • Privacy & Security Settings
  • The Elevation improvements that were added for MacOS 13.3 are coming soon to MacOS 13.1 and MacOS 12  
  • Elevation Control may not support all elevation request types. If you find that elevation shows a password prompt without the ability to request elevation, please document and report to a Cyber Hero
  • Silent elevation is not currently supported

 

Version 1.1

3/22/2023

Known Limitation: Endpoints must be placed into Learning Mode during any updates to software. We are currently in the process of addressing the limitation and should have a solution shortly. 

Bugs and Fixes

  • Resolved an issue with process caching, resulting in duplicate logging 

 

Improvements

  • Improved baseline scanner detection of executables 

 

Version 1.0

2/9/2023 - Deprecated

Bugs and Fixes

  • Removed the Excluded Processes options section from the Computer Groups page  
  • Removed the "Attach a copy of the file with the request" feature from the Request Popup  
  • Solved an issue where some requests would fail to open 
  • Solved an issue where policy versions would not update during automatic downloads  
  • Solved an issue where the MAC agent would not upgrade or downgrade  
  • Solved an issue where maintenance modes were not being stored during the reboot 
  • Solved an issue in which the MAC Agent would crash when saving to the database   
  • Solved an issue in which a machine with a maintenance mode set in the future would incorrectly appear as unsecured

New Features

Improvements

  • Improved the reporting and downloading mechanisms around MAC check-ins with policy numbers and approvals   

 

1/31/2023 - Deprecated

Known Bugs

  • ThreatLocker Tray - No popup for Maintenance Modes
  • Default Deny and Storage Control products are enabled by default and cannot be disabled

Bugs and Fixes

  • Application Control - Resolved an issue preventing the ability to set a policy for a specific interface
  • Application Control - Resolved an issue where the Default Deny policy was not created by default 
  • Storage Control - Resolved an issue preventing the ability to use Apple’s storage interface in policy
  • Resolved an issue requiring policy deployment to approve via Approval Request
  • Resolved an issue where .pkg files were not treated as executables and were not able to be blocked using Default Deny
  • Resolved an issue where request Notifications relied on Apple's Notification Center and were not instant on a block
  • Resolved an issue where the blocked items in the ThreatLocker Tray didn't show in the correct order
  • Resolved an issue where processes did not work when used in Custom Rules

 

1/9/2023 - Deprecated

Known Bugs

  • .pkg files are not treated as executables and are not able to be blocked using Default Deny
  • Request Notifications rely on Apple's Notification Center and are not instant on a block
  • Blocked items in the Tray don't show in the correct order
  • Unable to set an Application Policy for a specified Interface
  • Apple's storage interface cannot be used in Storage Policies
  • Default Deny Policy isn't created automatically
  • Approval Requests don't automatically trigger a Policy Download, and Policy Deploy is required
  • Processes do not work when used in Custom Rules
  • Default Deny and Storage Control products are Enabled by default and cannot be Disabled
  • Users don't receive a popup for active Maintenance Modes and can't end them from the Mac

New Features

  • Mac Agent will install into the specified group and Check In to the Portal every minute
  • The application and file actions are uploaded to the Portal every minute
  • Upon Installation, a Baseline will run on the Mac, logging all files into the Unified Audit
  • Learning Automatic <Group> and Learning Automatic <Computer> will create Policies based on the Baseline and Simulated Denies (Green Denies) for the Default Deny Policy (e.g., Default - MAC)
  • Application Definitions can be created using hashes and custom rules
  • Tamper Protection Disabled, Learning, Installation, and Monitor Maintenance Modes are supported
  • Full auditing of the read, write, move, and delete of files on external devices and specified local drive folders
  • Ability to deny access to storage locations based on interface type or specified paths
  • Supports authentication using Authorization Hosts on a Windows device using NAC
  • Updates the IP address for NAC objects used by a Windows device
  • Tamper Protection is on by default and prevents users from disabling or removing ThreatLocker

 

1/4/2023 - Deprecated

Known Bugs

  • Approving via Approval Request requires policy deployment
  • Unable to disable products 
  • Application Control - Unable to set policy for a specific interface
  • Application Control - Default Deny policy is not created by default
  • Storage Control - Unable to use Apple's storage interface in policy
  • ThreatLocker Tray - No popup for Maintenance Modes

New Features

  • Baselining applications during ThreatLocker installation
  • Automatic Learning to Computer and Groups
  • Permitting applications by Hash as well as Custom Rules when attached to a policy
  • Application Control Default Deny Policy at the bottom of the policy hierarchy to secure machines and only permit what is explicitly allowed
  • Supports Learning Mode, Installation Mode, and Monitor Only
  • Storage Control supports auditing of external storage, custom paths, and specified local folders
  • Monitor and deny storage for all external storage as well as specified local folders
  • Network Access Controls (NAC) supports Authorization Hosts as well as updating IPs for objects
  • Tamper Protection to stop unauthorized users from disabling ThreatLocker

 
