MAC Agent Release Notes | ThreatLocker Help Center

Note: Reminder to run Learning Mode after installation before securing endpoints for the minimum recommendation of 5-7 days.

Version 5.0

7/11/2025 - Beta

New Features

Added support for ThreatLocker Detect
Added new feature that displays a Browser has been used for a Web Control event by adding the Browser to the "notes" section of a Unified Audit log
Added a new variable for Date and Time available for POST requests that were triggered from Detect events
Made improvements to the Realtime Unified Audit's user interface

Bug Fixes

Resolved an issue where sometimes the system would read the wrong value from maintenance mode internal storage, causing the system to freeze after granting ThreatLocker "Full Disk Access" during agent installation
Resolved issue in which the Realtime Unified Audit would not show logs if a user had macOS Ventura 13.6.3 or 13.7.4
Resolved an issue with 'shared_cache' files not logging as expected in the Unified Audit

Version 4.4.1

7/1/2025 - Live

6/26/2025 - Beta

New Features

Improved logging for Patch Management deprecated hashes
Added a new tray notification for a rejected approval request

Bug Fixes

Resolved an issue where the Elevation module was breaking passwordless authentication for Addigy LiveTerminal
Resolved an issue where applications run as admin by an admin were not being logged in the Unified Audit as an Elevation

Version 4.4

6/23/2025 - Live

6/11/2025 - Beta

New Features

Added support for being able to patch applications with Patch Management
Improved agent error reporting on events for when the SHA256 hash is empty for a process
Added the Store link for viewing available applications in the menu bar, request access notification, and the request access window
Made improvements to Tamper Protection while agent is updating
Improved the manual package installation process by adding a new window that guides the user through enabling necessary settings, extensions, and filters to help ensure the agent is installed properly. Right clicking the icon also displays status of each configuration needed.
Added the ability to delay the start of installation mode until triggered by the end user

Bug Fixes

Resolved an issue with 'shared_cache' files not logging as expected in the Unified Audit
Resolved an issue where the option to request for Elevation was not displaying
Resolved an issue with the login screen for JAMF Connect not properly displaying
Resolved an issue where mandatory fields for tray settings were not being enforced on requests properly
Resolved an issue where wildcards were not supported with matching to program process paths configured in Storage Control policies
Resolved an issue where installer arguments were not working if the argument contained a special character or spaces
Resolved an issue with deny all Network Control policies blocking DHCP traffic
Resolved an issue with ThreatLocker prompting for an Elevation request after inputting user credentials when starting a macOS upgrade

Version 4.3

IMPORTANT: Please replace your ThreatLocker configuration profile using the following link. This applies to the ThreatLocker Mac Agent version 4.3.

https://static.threatlocker.com/deployment/A/ThreatLockerConfigurationProfile.zip

Further information on this can be viewed in the following article:

Important for Mac Agent 4.3 Update: Replacing the ThreatLocker Configuration Profile | ThreatLocker Help Center

5/21/2025 - Live

4/10/2025 - Beta

New Features

Added Mac agent support for Web Control
Added Mac agent support for Patch Management and the reporting of deprecated hashes on out-of-date software
Added Mac agent support for the ThreatLocker Insights feature in collecting and providing additional data to users for events seen by the agent

Bug Fixes

Resolved an issue with the Elevation module being enabled that auto populated the administrator username for standard users in the credentials prompt
Resolved an issue with files being attached and uploaded to approval requests

Version 4.2.1

4/7/2025 - Live

4/1/2025 - Beta

New Features

Added Network event exclusions for both Network Control and Ringfencing
Added a retry when rebuilding the application files database or service tags fails
Added display of Network Direction and Transport layer in the Unified Audit
Added display of Effective Action in the Unified Audit
Added additional logging in the Unified Audit when kill running processes is used

Version 4.2

3/24/2025 - Live

New Features

Added new Option: EnableScriptDetection
- EnableScriptDetection increases security by adding additional script detection and control. Until all scripts are learned, it could cause unexpected blocks for custom applications.
- This option will not be enabled by default.
- To enable, navigate to the Options tab and type EnableScriptDetection into the Options input box, and select it from the dropdown.
- Press Save to save the option. This option does not require a service restart to take effect.

Improvements

Made performance improvements when clearing the Real Time Unified Audit
Made optimizations to Storage Ringfencing to improve performance
Improved parameter handling when submitting logs to the Unified Audit
Updates to Agent iconography
Made baseline improvements for matching process paths
Unified Audit will now display app version for all entries instead of just denies

Bug Fixes

Resolved an issue with caching causing memory to climb over time
Resolved an issue with downloading application definition files due to an apostrophe being in the full path or certificate field
Resolved an issue where custom text for blocked item popups was not being displayed properly
Resolved an issue where user was not receiving an elevation prompt with an older version of ChatGPT
Resolved an issue where certain scripts were not being identified as executes
Resolved an issue where some files were not being reported in the Unified Audit when installed via DMG
Resolved an issue where the Group Key dialogue box was being displayed twice during ThreatLocker Agent installation
Resolved an issue where some settings files remained after ThreatLocker Agent uninstallation
Resolved an issue with local IP addresses not being properly matched in Network Control
Resolved a display issue when sorting columns in the Blocked Items list
Resolved a display issue where reloading the Blocked Items list was adding additional blank entries
Resolved an issue where uninstalling the Agent was not removing the device from the portal
Resolved an issue where an "Allow All Except Below" Ringfencing policy produced unexpected results
Resolved an issue where certain macOS core files were not being learned when installing a beta build of macOS

Version 4.1.3

3/6/2025 - Live

Improvements

Improved application definition file by grabbing needed definitions in portions, rather than the whole database at once, and improving the redownloading of failed downloads to just the single portion that failed

Version 4.1.2

2/4/2025 - Live

Bug Fixes

Resolved an issue with downloading application definition files

Version 4.1.1

1/30/2025 - Live

Bug Fixes

Resolved an issue with case-sensitivity while matching full path and non wildcard policies

Version 4.1.0

1/23/2025 - Live

New Features

Added Serial Number and Service Tag logging
Added the ability to delay the start of installation mode until triggered by the end user
Added visibility of members of the local admin group on macOS computers on the Elevation Control Local Admin Users and Groups page
Made improvements to the way we baseline to first baseline for built-in apps and then a 2nd baseline scan for all non-built-in apps
Made improvements to Application Ringfencing to no longer require an application policy be present before it can be referenced in Ringfencing
Added a link to View Available Applications that will be displayed in the end user popup when the ThreatLocker Store is enabled and the blocked application matches a similar item in the Store
Added product research to the Approval Request window so requestors can view additional information about the software being requested

Improvements

Enhanced Agent check-in behavior after user performs a self-approval process
Improved ES event handling to avoid timeouts
Enhanced error messaging in cases where a System Extension fails to install or uninstall

Bug Fixes

Resolved an issue with caching causing memory to climb over time
Resolved an issue where a reboot of the machine was required to complete the agent upgrade process
Resolved an issue that caused an error when attempting to use the end button on the maintenance mode popup on the machine itself
Resolved an issue where deploying the ThreatLocker Agent with an MDM solution can assign the APFS secure token to the ThreatLocker Agent before the first user has been created
Resolved an issue in which the agent was not uploading logs to the Unified Audit with only a Default Deny policy
Resolved an issue where the DNS forwarder was being logged as the Destination IP address for Network Control and Ringfencing
Resolved an issue with Branding changes made in the portal not being applied
Resolved an issue in which a 400 error message was received on a self-approval process
Resolved an issue with Baseline Scans not completing due to failed Key Files policy update
Resolved an issue where the computer serial number was being incorrectly sent as Base64

Version 4.0.2

12/23/2024 - Live

Bug Fixes

Resolved a 400 error when trying to Request Access to a file

Version 4.0.1

12/12/2024 - Live

New Features

Added support for displaying a useable hyperlink in the Request Window message
Added sort by Action Type to the Realtime Unified Audit
Made the Realtime Unified Audit window always on top
Added new option DisableSystemExtensionsSettings that will force disable System Extension setting when MDM is disabled on the computer

Bug Fixes

Resolved an issue in which macOS agent 4.0 was unable to be installed using a command line tool
Resolved an issue in which the Maintenance Mode popup was not closing after the mode was ended from within the portal
Resolved an issue in which restarting the service deactivated the Network Filter
Resolved an issue in which Admin users were able to disable and uninstall Security Extension on macOS 15 and above when the computer doesn't have MDM
Resolved an issue in which some Install actions did not show a hash value in the Unified Audit
Resolved an issue in which CodeDirectory files were being learned
Resolved an issue in which updating the Mac Agent from the portal and then restarting the service caused the update to fail
Resolved an issue in which the Realtime Unified Audit was not starting on open if it had previously been closed while Start was pressed
Resolved an issue in which the name of an application as displayed in the Unified Audit was not matching what was being displayed in the application dropdown
Resolved an issue in which application blocking was not blocking browser extensions when installed on Chrome Dev and Chrome Beta
Resolved an issue in which an error message was being incorrectly displayed over and over again
Resolved an issue in which the XCode application was not being correctly learned
Resolved an issue in which the byobu command was causing excessive CPU usage
Resolved an issue in which the Start button was not being displayed on the Realtime Unified Audit

Version 4.0

12/3/2024 - Live

New Features

Added custom Tray Branding in the macOS tray
Added support for Authorization Hosts in macOS
Added support for ThreatLocker Objects in macOS Network Control
Added support for the Network Challenge to macOS Network Control
Added support for Override Codes on macOS
Added an Upload File button in the Unified Audit for executable files where admins can upload and download a copy of the file for further investigation
Added the ability to custom elevate sudo for specific applications while blocking the ability for users to pivot and use elevated sudo for any non-specified application
Added better customer messaging when a maintenance mode can't be ended because there is no internet connection
Added support for InstallKey, Company, GroupName, Key, and Instance when installing silently using the pkg installer
Added additional logging for diagnostic data
Made UI improvements to the Authorization window
Added the ability for the agent to use a different app server if the current one is offline
Added additional logging to the System Logs
Added the ability to have the macOS agent pull version number information from "Get Info" or "About xx" for an application when it is denied in the audit and the Realtime Unified Audit
Added the Maintenance Mode QR code in the macOS tray so ThreatLocker Admins can quickly enable maintenance modes using the ThreatLocker Mobile app
Added notes to the Unified Audit expand for macOS
Added support for macOS to ignore ThreatLocker files during baselining
Added Last Update to "Agent Helper --status" and saving last date to defaults

Bug Fixes

Resolved an issue in which Tags were not correctly being matched
Resolved an issue in which the direction of network traffic was not correctly being displayed in the Unified Audit
Resolved an issue in which install events were causing excessive CPU usage
Resolved an issue in which the Send Request button was being grayed out until a character was input and removed from the email textbox
Resolved an issue in which the settings window was appearing on macOS 15
Resolved an issue in which Elevation wasn't working correctly on macOS Sequoia
Resolved an issue in which the ThreatLocker Mac Agent was causing high memory usage
Creation of Group and Computer level Default - Deny policies for Network Control will be enabled in Portal version 2.7

Version 3.2.4

11/18/2024 - Live

New Features

Added new helper utility feature, located at '/Applications/ThreatLocker.app/Contents/Resources/ThreatLocker Agent Helper', which is accessed via the CLI and outputs the ThreatLocker agent's and MDM status using '--status' and '--is-mdm-enabled' CLI flags.

Version 3.2.3

10/28/2024 - Live

Improvements

Improved excluded processes functionality to support the use of wildcards

Bug Fixes

Resolved an issue in which downgrading caused unwanted application denies

Version 3.2.2

10/14/2024 - Live

Resolved an issue with high CPU usage experienced due to excessive storage-related activity
Added optimization to Install event processing to decrease CPU usage

Version 3.2.1

10/2/2024 - Live

Improvements

Mac agent now clears the CacheStorage database on rescanning the baseline

Bug Fixes

Resolved an issue with poor performance caused by excessive install actions on the endpoint
Resolved an issue with a Fatal Error popup occurring on agent crashes related to install events
Chromium extensions now send up only the ThreatLocker hash to cover both hash and SHA256, rather than both hash values

Version 3.2

09/11/2024 - Live

New Features

The Self Approval option is now available on Mac systems. Read more about this feature here: https://threatlocker.kb.help/allowing-end-user-to-self-approve-applications/
Module specific maintenance modes now are available on Mac endpoints
The Mac Health Service is now available. This service includes auto-repair of Application Files if the database fails

Bug Fixes

Resolved an issue with the Banyan application not being able to complete device registration on install and setup
Resolved an issue where wildcards used in File Interaction exclusions in Ringfencing was not working as expected
Resolved an issue in which the settings window was appearing on macOS15
Resolved an issue with the Default Deny and Application Control options in the Modules dropdown on the Organizations page, which were not applying as intended
Improved performance around system file caching which caused high CPU and RAM usage
Implemented Built-In SD Card detection and Serial Number acquisition for storage policies
Resolved an issue with excessive logs related to various XProtect executes
Resolved an intermittent issue with attempting to install an Application through the DMG which would cause the installation to fail

Version 3.1.2

09/10/2024 - Live

New Features

Mac Agents 3.1+ now have the option to use the Realtime Unified Audit via the Mac Console. This tool allows Mac users to see what is happening on their endpoint in real-time without waiting for logs to be transferred to the ThreatLocker Portal or having to filter out other users' logs.

Improvements

Application Control requests will now require a valid email address when an email address is required
Mac Storage Contol logs will now only show one log for a file being read, written, or executed by the same process during the same 24-hour period
Added the Policy Name to the Blocked Items menu in the tray
Added the ability to restart the ThreatLocker service
Added the ability to remove and replace the Applications and Policies databases
Added the ability to uninstall when the system is running as root, for example, with Jamf
Added the tracking and logging of the Created By Process, if one exists. This can be viewed in the sidebar of the Unified Audit
Added the Kill Running Processes option to Deny policies, which will kill any running instances of that application when the Policy is enabled and saved
Made a change to the way macOS Chrome extensions are displayed to provide parity with the way Windows displays them to make it easier to maintain the application definitions
Improved the Mac agent to now use a database for elevation configurations
Improved the Group Key verification logic on first install of the Agent

Bugs and Fixes

Resolved an issue where the System Settings software would prompt for a password when there should be no prompt
Resolved an issue where the Blocked Items list in the Tray would freeze based on a particular set of filters
Resolved an issue where users were unable to elevate the System Software Update settings
Resolved an issue where requesting access to an unencrypted USB would cause the tray to behave in an unintended way
Resolved an issue where uninstalling the ThreatLocker agent did not fully uninstall when the Elevation Configuration was empty
Resolved an issue where Mac Admin was required to enter a password multiple times when uninstalling ThreatLocker
Resolved an issue with Mac and the learning algorithm where certain executables were not being captured correctly
Resolved an issue where downgrading versions while the baseline scanner was running would cause an unintentional second baseline scan to run
Resolved an issue where the uninstall function would fail if multiple users were logged in
Resolved an issue where the Mac agent was not able to be uninstalled through an MDM successfully
Resolved an issue where Built-In Mac Applications would have duplicate SHA256s
Resolved an issue where CodeSignature files were treated as executes in the Unified Audit
Resolved an issue where the Storage Request popup was hidden for some administrators
Resolved an issue where ThreatLocker administrators were not removed from the system when Elevation was disabled
Resolved an issue where signed dylib files were not showing the certificate in the Unified Audit
Resolved an issue where browser extensions were not processed as intended
Resolved an issue where the network extension would be blocked based on the timing of when Full Disk Access was allowed

3.1 Update 08/29/2024

Resolved an issue where Mac devices experienced occasional unexpected denies when upgrading to 3.1
Changed build number to 3.1.1

Version 3.0.1

07/02/2024 - Live

New Features

Introducing Ringfencing for Mac!

Reduce the chance of a cyberattack by limiting what your applications can do, whether trying to interact with another application, your files, data, or the internet. ThreatLocker® Ringfencing™ can reduce the likelihood of an exploit being successful or an attacker weaponizing legitimate tools by limiting how software can interact with other software. Contact your Account Manager or a Cyber Hero for more information on this exciting addition to the Mac line of ThreatLocker products.

Improvements

Starting in the Mac 3.0.1 release, TL hash will no longer be included in the Unified Audit Logs for Mac applications. Sha256 will be used exclusively for Hash conditions and rules
Added the ability to stop and restart the ThreatLocker service
Added the ability to remove and replace the Applications and Policies databases
Improvements to the Manage Local Administrator feature
Added CIDR notation support for Ringfencing Exclusions by IPv4 and IPv6
Mac Baseline actions will now skip cloud storage locations
Performance improvements related to muting processes without policies related to Ringfencing of Storage and Tamper Protection

Bugs and Fixes

Resolved an issue in which rebuilding the Apps database caused incorrect application matching which resulted in unapproved applications being permitted.
Resolved an issue where Elevation was not working with Cloudflare WARP as expected
Resolved an issue where Ringfencing Denies did not show in the tray or the Unified Audit
Resolved an intermittent issue where the Mac Agent would crash after starting
Resolved an issue that would cause Ringfencing to not work as expected if the agent experienced a crash and recovered
Resolved an issue where the Install Assistant would not run when ThreatLocker was installed
Resolved an issue where a Deny was not logged in the Unified Audit when a user failed to enter credentials during an Elevation request
Resolved an issue where the Elevation pop-up was populating during Sudo commands
Resolved an issue where the agent would crash if it encountered an unknown API value
Resolved an issue where Storage Control was generating false positive logs
Resolved an issue where the Uninstall function was not controlled by Tamper Protection as expected
Resolved an issue where disabling Application Control Ringfencing would not disable the Network Ringfencing
Resolved an issue with uninstalling a partially installed version of ThreatLocker
Resolved an issue with Erase Contents and Settings, which was not running as a system administrator using Elevation
Resolved an issue with the rebuild process of the Policy Database when it is deleted in Recovery Mode
Resolved an issue where Ringfencing was active during Learning, Installation and Monitor modes
Resolved an issue where Ringfencing would not be enabled after a reboot
Resolved an issue where Sudo would not elevate a non-admin user
Resolved an issue where the Elevate Disk Utility was unable to elevate as expected
Resolved an issue where the hash for a denied execute was not visible in the portal
Resolved an issue where read-only Storage Control policies were intermittently permitting the write action
Resolved an issue where hashes were not being downloaded automatically when updating an application definition
Resolved an issue where Storage Control Ringfencing would not show permitted files in Firefox using the "Open File" option
Resolved an issue where simulated denies that occurred during Learning/Installation/Monitor Only Modes were appearing in the Blocked Items list in the tray
Resolved an issue where there was intermittent slowness when upgrading from older versions to the Mac Agent 3.0
Resolved an issue where Ringfencing denies were showing incorrectly in the Mac tray after the policy was changed
Resolved an issue where the ThreatLocker learning algorithm was learning ThreatLocker files unnecessarily
Resolved an issue that would cause the 'root' user to be removed from Mac devices when utilizing the Elevation Control module to remove administrators. Also improved this to add the 'root' user back to devices if it was removed by ThreatLocker

Version 2.8.5

05/25/2024 - Live

Resolved an issue that required Elevation to use the Find My feature

Version 2.8.4

05/20/2024 - Live

Resolved an issue where the hash for a denied execute was not visible in the portal

Version 2.8.3

04/24/2024 - Live

Bugs and Fixes

Resolved an issue where the baseline process would sometimes start before downloading all policies, causing long baseline times

Version 2.8.2

04/24/2024 - Unavailable

Bugs and Fixes

Improved the installation process when using a PKG installer, and no user is logged in during the installation
Resolved an issue where the Elevation popup was populating during Sudo Commands

Version 2.8.1

04/11/2024 - Unavailable

Bugs and Fixes

Resolved an issue where Sudo would not elevate even with an elevation policy in place

Version 2.8.0

04/01/2024 - Unavailable

New Features

Manage Local Administrator Settings will allow all local administrators to be removed from the administrator group, with exceptions, via ThreatLocker. On the Computers Page, in the upper left 3-dash menu, a new setting for Manage Local Administrator Settings now exists. A toggle to enable or disable this feature, as well as define the level at which local administrators will be removed, from the Organization level down to the computer level. Exceptions will ensure that only intended local administrators have permissions on specific endpoints. Enabling this feature without including an exception will ensure that ALL local administrators are removed from the local administrators' group for all endpoints. This feature is available for Mac and Windows administrator groups

Improvements

Improved the process of removing application definitions and the impact on system performance

Bugs and Fixes

Resolved an issue on 3.0 Beta, where Discord was permitted via the core files policy
Resolved an issue with the ThreatLocker logo disappearing from the tray after updating from 2.7.10
Resolved an issue from 2.7.10, where open notifications from ThreatLocker would cause the Agent to crash

Version 2.7.10

03/28/2024 - Live

Bugs and Fixes

Resolved an issue in which the tray could not be re-opened using Spotlight Search or through Terminal
Resolved an issue in which tray notifications were not being displayed after switching users without logging out
Resolved an issue in which permitting an application using custom rules resulted in a blocked application
Resolved an issue in which Approval Requests were not being sent from a blocked file notification
Resolved an issue in which running Setup Assistant with Elevation resulted in being stuck in a loop
Resolved an issue in which some customers experienced high CPU usage
Resolved an issue with Elevation and Discord
Resolved an issue where, in certain circumstances, some executes may have been Denied in Learning Mode

Version 2.7.9

03/19/2024 - Depreciated

Bugs and Fixes

Resolved an issue with continually growing RAM usage from version 2.6

Version 2.7.8

03/15/2024 - Depreciated

Bugs and Fixes

Added a cache size limit to reduce the impact on RAM usage

Version 2.7.7

03/14/2027 - Depreciated

Bugs and Fixes

Resolved an issue where the Install Assistant would not run when ThreatLocker was installed
Resolved an issue where rapidly and repeatedly pressing the Reload button on the tray would cause it to work incorrectly
Resolved an issue with the Blocked Items Tray where the sort feature was not working as intended

Version 2.7.6

03/06/2024 - Depreciated

Improvements

Improvements to the Mac Agent Installer to validate group key prior to all installation actions

Version 2.7.5

Live - Depreciated

Improvements

Added the ability to create custom permit policies if the execute function is XProtect

Bugs and Fixes

Resolved an issue where the Mac Agent would intermittently stop checking in

Version 2.7.4

Beta - Depreciated

Improvements

Improvements to the Mac Agent Installer to validate group key prior to all installation actions

Version 2.7.3

02/07/2024 - Depreciated

Bugs and Fixes

Resolved an issue where the Mac agent downloaded the full policy list more often than intended. Full policy downloads will now only be performed on the first installation

Version 2.7

02/07/2024 - Depreciated

Bugs and Fixes

Resolved an issue with Tamper Protection where updating the agent would not start until the endpoint was rebooted
Resolved an issue with incremental file updates related to an empty file version
Resolved an issue with mismatched local hostnames from Sharing > Local Hostname

Version 2.6.2

02/05/2024 - Depreciated

Improvements

Improved Unified Audit logging to include network and server information, including interface, when available
Continued performance optimizations, including reducing memory usage and reducing resource utilization
Removed the "Force the program to run as a standard administrator" function in Elevation control as it is not currently Mac-compatible
To improve the functionality of app bundles, CodeResource file types will now be seen as executables
ThreatLocker has added Storage Control and Tamper Protection monitoring to Exchange Data syscall events
ThreatLocker will now display notifications when 'sudo' is called from a non-admin user Terminal
ThreatLocker has added default Elevation for Xcode

Bugs and Fixes

Resolved an issue with the Mac Agent related to Learning Mode and explicit deny policies not working as intended
Resolved an issue where Built-In policies were not downloading to endpoints as expected
Resolved an issue with Tamper Protection set to disabled but blocking the reading of ThreatLockerStorage.db file
Resolved an issue with the integration for Addigy related to Addigy Identity
Resolved an issue where Addigy installation would assign System if no user is logged in
Resolved an issue from 2.3 and 2.4 where some users would get stuck on a loading screen after enabling Elevation
Resolved an issue where the initial Learning Mode would be set to 0 days
Resolved an issue where if the PKG is blocked by ThreatLocker, the Installer would need to be quit manually before PKG could run again
Resolved an issue with 2.3, which caused high memory usage
Resolved an issue from 2.1, which caused high CPU when opening large applications
Resolved an issue where clicking "do not show' would not stop the ThreatLocker Tray from repeating a popup
Resolved a rare issue where an explicit deny policy would not prevent the executable when in Learning Mode
Resolved an issue where closing the Tray from Terminal was not working as intended
Resolved an issue where some core files would not elevate when the endpoint was in Elevation Mode

Version 2.5

12/27/2023 - Depreciated

Improvements

Improved Unified Audit logging to include network and server information, including interface, when available

Bugs and Fixes

Resolved an issue where ThreatLocker was causing excessive data usage
Resolved an issue where the Mac Agent would show a permit or deny on an install action type
Resolved an issue with the Mac Agent where logs were collected when Tamper Protection was enabled
Resolved an issue with Mac Agent Application Requests related to how Full Path and Process were added to the incorrect field

Version 2.4

11/28/2023 -Depreciated

Improvements

Added the option to Allow Silent Uninstall, which allows ThreatLocker to be uninstalled on Mac Groups and Mac Computers without end-user interaction
A popup Maintenance Mode timer is now available, allowing users to end a timed Maintenance Mode prior to the timer expiring
Improved Unified Audit logging to include file move events on Mac OS
Improved the Mac Elevation Password requirements to a minimum of (15) characters, a maximum of (64) characters, and a requirement to include at least two (2) uppercase letters, base 10 digits (0 through 9), and non-alphanumeric characters
A popup Maintenance Mode timer is now available, allowing users to end a timed Maintenance Mode prior to the timer expiring

Bugs and Fixes

Resolved an issue where Elevation was not providing elevated credentials as expected
Resolved an issue where deleting or disabling a policy would require a reboot
Resolved an issue with Mac custom rules where certificates were set to Equals and not Contains

Version 2.3

11/03/2023 - Depreciated

Bugs and Fixes

Resolved an issue with Mac where the full path of the process was not logged
Resolved an issue where Mac SHAs were not checked when using certificates
Resolved an issue with the Mac timestamps for blocked files
Resolved an issue with the Mac Security Agent crashing when attempting to Elevate

Version 2.2

10/23/2023 - Depreciated

Bugs and Fixes

Resolved an issue with Path/Process Rules not processing as intended

Version 2.1

10/17/2023 - Depreciated

Due to database changes to facilitate incremental (Built-In) Application updates, machines updated to 2.1 cannot downgrade to previous versions. Please view our KB on Uninstalling ThreatLocker from Mac computers for guidance if downgrading your 2.1 version is necessary

New Features

Mac Agent now downloads Built-In Applications

Improvements

Mac baselines will now recover progress when the Agent crashes
Mac policies will now be downloaded incrementally when policies are deployed
Mac policies will no longer record or show serial numbers
Mac now has the option to use the "Don't Update" ThreatLocker version (used for troubleshooting and not recommended as a setting for traditional use)

Bugs and Fixes

Resolved an issue with multiple rescans on Mac Baseline
Resolved Mac issue where baseline scans would not complete
Resolved an issue with Mac Rescan Baseline failing to complete
Resolved an issue with Mac Baseline and Storage Control logs
Resolved an issue with Mac Baseline not starting on 2.1.0.349
Resolved an issue causing the Mac Baseline not to process completely
Resolved an issue with Mac "System" users, which caused Elevation blocked prompts when logged in as an administrator
Resolved an issue with Mac Agent where the agent could be stopped and/or uninstalled while Tamper Protection was enabled
Resolved an issue with Mac where policies based on SHA256 and execute would not process correctly
Resolved an issue with Mac Storage Control where Do Not Monitor or Log policies were still logging
Resolved Mac issue where user creation or deletion would fail when using administrator credentials
Resolved Mac issue where some executables were not gathered during baselining
Resolved an issue with Mac where an offline computer did not update to the correct maintenance period when intended
Resolved an issue with usernames and Elevation Requests with the MAC Agent
Resolved an issue that allowed Mac end-users to move ThreatLocker into the trash, as it doesn't uninstall the files
Resolved an issue in Mac when a user is prompted for Elevation but ThreatLocker does not elevate the file. This is now logged without a Policy Action
Resolved an issue with Mac login, causing an unexpected Elevation popup
Resolved an issue where the Mac ThreatLocker Tray would not restart when a user logged out and a new user logged in
Resolved MAC issues with high CPU demands when baselining
Resolved an issue where the wrong Mac storage policy was matched
Resolved an issue with Uninstall on Mac related to turning Tamper Protection on, off, and then back on again
Resolved an issue causing Mac computers to get stuck on the loading screen during reboot
Resolved an issue with Mac baselining related to .dylib file types
Resolved a Mac issue related to Group Level USB, and UNC deny policies blocking as expected but showed that the matched a different policy
Resolved an issue that prevented users from viewing the Blocked Items page
Resolved an issue where Mac users were prevented from using SUDO commands in the Terminal

Version 2.0

7/11/2023 - Depreciated

Bugs and Fixes

Resolved an issue with MAC where PKG files did not prompt for Elevation
Resolved an issue from 2.0.0.313 where hashes were logged but not visible
Resolved an issue with MAC high CPU usage during the baseline process
Resolved an issue with MAC machines failing to upgrade or downgrade versions successfully
Resolved an issue with the visibility of Elevation credentials and Tamper Protection mode.
Resolved an issue where Tamper Protection was causing MAC machines to freeze
Resolved an issue with custom rules not matching
Resolved an issue with Learning Mode causing real denies rather than simulated ones
Resolved an issue where the Application Name was not visible in the Unified Audit
Resolved an issue with machines failing to upgrade or downgrade versions successfully
Resolved an issue where Tamper Protection was causing machines to freeze
Resolved an issue with install events that do not include all needed information (hashes, certificates, etc.)
Resolved an issue where Learning Mode would be affected by loss of internet connection
Resolved an issue that caused users to wait up to 3 seconds to change a system setting after that setting was initially changed
Resolved an issue in the tray where the 'Don’t Show Again' option was malfunctioning due to how information was stored in the database
Resolved an issue that allowed users to run Sudo commands with Elevation
Resolved an issue related to how installed pkg files associate with policies when the policies contain a *(wildcard)
Resolved an issue where some files were reported as executing when Installer.app was only reading the file
Resolved an issue where CPU usage would remain high after a heavy task is performed (for example, XCode build)
Resolved an issue where the tray would crash when the 'Reload' button was clicked quickly and repeatedly
Resolved an issue where the uninstall command did not remove /Applications/ThreatLocker.app file when running it as a non-admin user. This process will require a password when trying to remove the file
Performance improvements
Resolved an issue where approved notifications would show before the Agent had received new policies

Improvements

Improved high CPU usage by requiring a short 5-minute delay prior to starting a new rescan after having already started the rescan baseline sequence
Improved the logging and visibility of SHA256 hashes for MAC
Improvements to Network Control, including inbound connections, are now being monitored. This can be changed in the products section
Improved and simplifies the uninstall process
Improved the Unified Audit to include and Install Action Type for new or modified executable files
The full path is now displayed in the Blocked Items Window
Improved caching for filesystem and application events for faster response and less CPU usage
Elevation Control – limited functionality (see notes below)
Elevated Policies – limited functionality (see notes below)
Added ability to turn modules on and off
TL Tray - View Button is hidden for Explicit Deny Policies

New Features

Added Learning Mode (Hash Only) to the MAC
Added three hard-coded process exclusions to the MAC agent to reduce unneeded Unified Audit Logs. BackupD, MDSync, and Bird will continue to run in the background but not be monitored by ThreatLocker
Added the Install action for MACs
Added the ability for the MAC computer groups to turn products on and off
Added the ability to detect installing pkg files from the command line
Added ability to Elevate additional system settings for MacOS 13.0-13.4, including:

Network Settings
Login Items
Sharing Settings
Time Machine Settings
Privacy & Security Settings

The Elevation improvements that were added for MacOS 13.3 are coming soon to MacOS 13.1 and MacOS 12
Elevation Control may not support all elevation request types. If you find that elevation shows a password prompt without the ability to request elevation, please document and report to a Cyber Hero
Silent elevation is not currently supported

Version 1.1

3/22/2023

Known Limitation: Endpoints must be placed into Learning Mode during any updates to software. We are currently in the process of addressing the limitation and should have a solution shortly.

Bugs and Fixes

Resolved an issue with process caching, resulting in duplicate logging

Improvements

Improved baseline scanner detection of executables

Version 1.0

2/9/2023 - Depreciated

Bugs and Fixes

Removed the Excluded Processes options section from the Computer Groups page
Removed the "Attach a copy of the file with the request" feature from the Request Popup
Solved an issue where some requests would fail to open
Solved an issue where policy versions would not update during automatic downloads
Solved an issue where the MAC agent would not upgrade or downgrade
Solved an issue where maintenance modes were not being stored during the reboot
Solved an issue in which the MAC Agent would crash when saving to the database
Solved an issue in which a machine with a maintenance mode set in the future would incorrectly appear as unsecured

New Features

Added MAC uninstaller
Added "Apple Fabric" as an interface to storage policies

Improvements

Improved the reporting and downloading mechanisms around MAC check-ins with policy numbers and approvals

1/31/2023 - Depreciated

Known Bugs -

ThreatLocker Tray - No popup for Maintenance Modes
Default Deny and Storage Control products are enabled by default and cannot be disabled

Bugs and Fixes

Application Control - Resolved an issue preventing the ability to set a policy for a specific interface
Application Control - Resolved an issue where the Default Deny policy was not created by default
Storage Control - Resolved an issue preventing the ability to use Apple’s storage interface in policy
Resolved an issue requiring policy deployment to approve via Approval Request
Resolved an issue where .pkg files were not treated as executables and were not able to be blocked using Default Deny
Resolved an issue where request Notifications relied on Apple's Notification Center and were not instant on a block
Resolved an issue where the blocked items in the ThreatLocker Tray didn't show in the correct order
Resolved an issue where processes did not work when used in Custom Rules

1/9/2023 - Depreciated

Known Bugs

.pkg files are not treated as executables and are not able to be blocked using Default Deny
Request Notifications rely on Apple's Notification Center and are not instant on a block
Blocked items in the Tray don't show in the correct order
Unable to set an Application Policy for a specified Interface
Apple's storage interface cannot be used in Storage Policies
Default Deny Policy isn't created automatically
Approval Requests don't automatically trigger a Policy Download, and Policy Deploy is required
Processes do not work when used in Custom Rules
Default Deny and Storage Control products are Enabled by default and cannot be Disabled
Users don't receive a popup for active Maintenance Modes and can't end them from the Mac

New Features

Mac Agent will install into the specified group and Check In to the Portal every minute
The application and file actions are uploaded to the Portal every minute
Upon Installation, a Baseline will run on the Mac, logging all files into the Unified Audit
Learning Automatic <Group> and Learning Automatic <Computer> will create Policies based on the Baseline and Simulated Denies (Green Denies) for the Default Deny Policy (e.g., Default - MAC)
Application Definitions can be created using hashes and custom rules
Tamper Protection Disabled, Learning, Installation, and Monitor Maintenance Modes are supported
Full auditing of the read, write, move, and delete of files on external devices and specified local drive folders
Ability to deny access to storage locations based on interface type or specified paths
Supports authentication using Authorization Hosts on a Windows device using NAC
Updates the IP address for NAC objects used by a Windows device
Tamper Protection is on by default and prevents users from disabling or removing ThreatLocker

1/4/2023 - Depreciated

Known Bugs

Approving via Approval Request requires policy deployment
Unable to disable products
Application Control - Unable to set policy for a specific interface
Application Control - Default Deny policy is not created by default
Storage Control - Unable to use Apple's storage interface in policy
ThreatLocker Tray - No popup for Maintenance Modes

New Features

Baselining applications during ThreatLocker installation
Automatic Learning to Computer and Groups
Permitting applications by Hash as well as Custom Rules when attached to a policy
Application Control Default Deny Policy at the bottom of the policy hierarchy to secure machines and only permit what is explicitly allowed
Supports Learning Mode, Installation Mode, and Monitor Only
Storage Control supports auditing of external storage, custom paths, and specified local folders
Monitor and deny storage for all external storage as well as specified local folders
Network Access Controls (NAC) supports Authorization Hosts as well as updating IPs for objects
Tamper Protection to stop unauthorized users from disabling ThreatLocker