MAC Agent Release Notes

Last update: 11.29.2023
Note: After installation, run Learning Mode for the recommended minimum of 5-7 days before securing endpoints.

Version 2.5

11/28/2023 - Beta

Improvements

  • Improved Unified Audit logging to include network and server information, including interface, when available 

Bugs and Fixes

  • Resolved an issue where the Mac Agent would show a permit or deny on an install action type
  • Resolved an issue with the Mac Agent where logs were collected when Tamper Protection was enabled
  • Resolved an issue with Mac Agent Application Requests related to how Full Path and Process were added to the incorrect field

Version 2.4

11/28/2023 - Live

Improvements

  • Added the option to Allow Silent Uninstall, which allows ThreatLocker to be uninstalled on Mac Groups and Mac Computers without end-user interaction 
  • A popup Maintenance Mode timer is now available, allowing users to end a timed Maintenance Mode prior to the timer expiring 
  • Improved Unified Audit logging to include file move events on Mac OS
  • Improved the Mac Elevation Password requirements to a minimum of (15) characters, a maximum of (64) characters, and a requirement to include at least two (2) uppercase letters, base 10 digits (0 through 9), and non-alphanumeric characters

Bugs and Fixes

  • Resolved an issue where Elevation was not providing elevated credentials as expected 
  • Resolved an issue where deleting or disabling a policy would require a reboot
  • Resolved an issue with Mac custom rules where certificates were set to Equals and not Contains

Version 2.3

11/03/2023 - Live

Bugs and Fixes

  • Resolved an issue with Mac where the full path of the process was not logged 
  • Resolved an issue where Mac SHAs were not checked when using certificates 
  • Resolved an issue with the Mac timestamps for blocked files 

Version 2.2

10/23/2023 - Live

Bugs and Fixes

  • Resolved an issue with Path/Process Rules not processing as intended

Version 2.1

10/17/2023 - Live

Due to database changes to facilitate incremental (Built-In) Application updates, machines updated to 2.1 cannot downgrade to previous versions. Please view our KB on Uninstalling ThreatLocker from Mac computers for guidance if downgrading your 2.1 version is necessary.

New Features

Improvements

  • Mac baselines will now recover progress when the Agent crashes 
  • Mac policies will now be downloaded incrementally when policies are deployed 
  • Mac policies will no longer record or show serial numbers 
  • Mac now has the option to use the "Don't Update" ThreatLocker version (used for troubleshooting and not recommended as a setting for traditional use) 

Bugs and Fixes

  • Resolved an issue with multiple rescans on Mac Baseline
  • Resolved Mac issue where baseline scans would not complete
  • Resolved an issue with Mac Rescan Baseline failing to complete
  • Resolved an issue with Mac Baseline and Storage Control logs
  • Resolved an issue with Mac Baseline not starting on 2.1.0.349
  • Resolved an issue causing the Mac Baseline to not process completely 
  • Resolved an issue with Mac "System" users which caused Elevation blocked prompts when logged in as an administrator 
  • Resolved an issue with Mac Agent where the agent could be stopped and/or uninstalled while Tamper Protection was enabled 
  • Resolved an issue with Mac where policies based on SHA256 and execute would not process correctly 
  • Resolved an issue with Mac Storage Control where Do Not Monitor or Log policies were still logging 
  • Resolved Mac issue where user creation or deletion would fail when using administrator credentials 
  • Resolved Mac issue where some executables were not gathered during baselining 
  • Resolved an issue with Mac where an offline computer did not update to the correct maintenance period when intended 
  • Resolved an issue with usernames and Elevation Requests with the MAC Agent 
  • Resolved an issue that allowed Mac end-users to move ThreatLocker into the Trash, which does not uninstall the files
  • Resolved an issue in Mac when a user is prompted for Elevation but ThreatLocker does not elevate the file. This is now logged without a Policy Action 
  • Resolved an issue with Mac login causing an unexpected Elevation popup 
  • Resolved an issue where the Mac ThreatLocker Tray would not restart when a user logged out and a new user logged in 
  • Resolved MAC issues with high CPU demands when baselining 
  • Resolved an issue where the wrong Mac storage policy was matched 
  • Resolved an issue with Uninstall on Mac related to turning Tamper Protection on, off, then back on again 
  • Resolved an issue causing Mac computers to get stuck on the loading screen during reboot 
  • Resolved an issue with Mac baselining related to .dylib file types 
  • Resolved a Mac issue related to Group Level USB and UNC deny policies blocking as expected but showing that they matched a different policy
  • Resolved an issue that prevented users from viewing the Blocked Items page
  • Resolved an issue where Mac users were prevented from using SUDO commands in the Terminal

Version 2.0

7/11/2023 - Live

Bugs and Fixes

  • Resolved an issue with MAC where PKG files did not prompt for Elevation 
  • Resolved an issue from 2.0.0.313 where hashes were logged but not visible 
  • Resolved an issue with MAC high CPU usage during baseline process 
  • Resolved an issue with MAC machines failing to upgrade or downgrade versions successfully 
  • Resolved an issue with the visibility of Elevation credentials and Tamper Protection mode. 
  • Resolved an issue where Tamper Protection was causing MAC machines to freeze 
  • Resolved an issue with custom rules not matching 
  • Resolved an issue with Learning Mode causing real denies rather than simulated ones 
  • Resolved an issue where the Application Name was not visible in the Unified Audit 
  • Resolved an issue with machines failing to upgrade or downgrade versions successfully 
  • Resolved an issue where Tamper Protection was causing machines to freeze 
  • Resolved an issue with install events that do not include all needed information (hashes, certificates, etc.) 
  • Resolved an issue where Learning Mode would be affected by loss of internet connection 
  • Resolved an issue which caused users to wait up to 3 seconds to change a system setting after that setting is initially changed 
  • Resolved an issue in the tray where the 'Don’t Show Again' option was malfunctioning due to how information was stored in the database 
  • Resolved an issue that allowed users to run Sudo commands with Elevation 
  • Resolved an issue related to how installed pkg files associate to policies when the policies contain a * (wildcard)
  • Resolved an issue where some files were reported as executing when Installer.app was only reading the file  
  • Resolved an issue where CPU usage would remain high after a heavy task is performed (for example, XCode build)
  • Resolved an issue where the tray would crash when the 'Reload' button was clicked quickly and repeatedly
  • Resolved an issue where the uninstall command did not remove /Applications/ThreatLocker.app file when running it as a non-admin user. This process will require a password when trying to remove the file
  • Performance improvements
  • Resolved an issue where approved notifications would show before the Agent had received new policies

Improvements

  • Improved high CPU usage by requiring a short 5 minute delay prior to starting a new rescan after having already started the rescan baseline sequence 
  • Improved the logging and visibility of SHA256 hashes for MAC 
  • Improved Network Control: inbound connections are now monitored. This can be changed in the products section
  • Improved and simplified the uninstall process
  • Improved the Unified Audit to include an Install Action Type for new or modified executable files
  • The full path is now displayed in the Blocked Items Window 
  • Improved caching for filesystem and application events for faster response and less CPU usage
  • Elevation Control – limited functionality (see notes below) 
  • Elevated Policies – limited functionality (see notes below)
  • Added ability to turn modules on and off
  • TL Tray - View Button is hidden for Explicit Deny Policies

New Features

  • Added Learning Mode (Hash Only) to the MAC 
  • Added three hard-coded process exclusions to the MAC agent to reduce unneeded Unified Audit Logs. BackupD, MDSync, and Bird will continue to run in the background but not be monitored by ThreatLocker 
  • Added the Install action for MACs 
  • Added the ability for the MAC computer groups to turn products on and off 
  • Added the ability to detect installing pkg files from the command line 
  • Added ability to Elevate additional system settings for MacOS 13.0-13.4, including:
    • Network Settings
    • Login Items
    • Sharing Settings
    • Time Machine Settings
    • Privacy & Security Settings
  • The Elevation improvements that were added for MacOS 13.3 are coming soon to MacOS 13.1 and MacOS 12  
  • Elevation Control may not support all elevation request types. If you find that elevation shows a password prompt without the ability to request elevation, please document and report to a Cyber Hero
  • Silent elevation is not currently supported

Version 1.1

3/22/2023

Known Limitation: Endpoints must be placed into Learning Mode during any updates to software. We are currently in the process of addressing the limitation and should have a solution shortly. 

Bugs and Fixes

  • Resolved an issue with process caching resulting in duplicate logging 

Improvements

  • Improved baseline scanner detection of executables 

Version 1.0

2/9/2023

Bugs and Fixes

  • Removed the Excluded Processes options section from the Computer Groups page  
  • Removed the "Attach a copy of the file with the request" feature from the Request Popup  
  • Solved an issue where some requests would fail to open 
  • Solved an issue where policy versions would not update during automatic downloads  
  • Solved an issue where the MAC agent would not upgrade or downgrade  
  • Solved an issue where maintenance modes were not being stored during reboot 
  • Solved an issue in which the MAC Agent would crash when saving to the database   
  • Solved an issue in which a machine with a maintenance mode set in the future would incorrectly appear as unsecured

New Features

Improvements

  • Improved the reporting and downloading mechanisms around MAC check-ins with policy numbers and approvals   

1/31/2023

Known Bugs

  • ThreatLocker Tray - No popup for Maintenance Modes
  • Default Deny and Storage Control products are enabled by default and cannot be disabled

Bugs and Fixes

  • Application Control - Resolved an issue preventing the ability to set a policy for a specific interface
  • Application Control - Resolved an issue where the Default Deny policy was not created by default
  • Storage Control - Resolved an issue preventing the ability to use Apple’s storage interface in policy
  • Resolved an issue requiring policy deployment to approve via Approval Request
  • Resolved an issue where .pkg files were not treated as executables and were not able to be blocked using Default Deny
  • Resolved an issue where request Notifications relied on Apple's Notification Center and were not instant on a block
  • Resolved an issue where the blocked items in the ThreatLocker Tray didn't show in the correct order
  • Resolved an issue where processes did not work when used in Custom rules

1/9/2023

Known Bugs

  • .pkg files are not treated as executables and are not able to be blocked using Default Deny
  • Request Notifications rely on Apple's Notification Center and are not instant on a block
  • Blocked items in the Tray don't show in the correct order
  • Unable to set an Application Policy for a specified Interface
  • Apple's storage interface cannot be used in Storage Policies
  • Default Deny Policy isn't created automatically
  • Approval Requests don't automatically trigger a Policy Download, and Policy Deploy is required
  • Processes do not work when used in Custom rules
  • Default Deny and Storage Control products are Enabled by default and cannot be Disabled
  • Users don't receive a popup for active Maintenance Modes and can't end them from the Mac

New Features

  • Mac Agent will install into the specified group and Check In to the Portal every minute
  • The application and file actions are uploaded to the Portal every minute
  • Upon Installation, a Baseline will run on the Mac, logging all files into the Unified Audit
  • Learning Automatic <Group> and Learning Automatic <Computer> will create Policies based on the Baseline, and Simulated Denies (Green Denies) for the Default Deny Policy (e.g. Default - MAC)
  • Application Definitions can be created using hashes and custom rules
  • Tamper Protection Disabled, Learning, Installation, and Monitor Maintenance Modes are supported
  • Full auditing of the read, write, move, and delete of files on external devices and specified local drive folders
  • Ability to deny access to storage locations based on interface type or specified paths
  • Supports authentication using Authorization Hosts on a Windows device using NAC
  • Updates the IP address for NAC objects used by a Windows device
  • Tamper Protection is on by default and prevents users from disabling or removing ThreatLocker

1/4/2023

Known Bugs

  • Approving via Approval Request requires policy deployment
  • Unable to disable products 
  • Application Control - Unable to set policy for specific interface
  • Application Control - Default Deny policy is not created by default
  • Storage Control - Unable to use Apple's storage interface in policy
  • ThreatLocker Tray - No popup for Maintenance Modes

New Features

  • Baselining applications during ThreatLocker installation
  • Automatic Learning to Computer and Groups
  • Permitting applications by Hash as well as Custom Rules when attached to a policy
  • Application Control Default Deny Policy at the bottom of the policy hierarchy to secure machines and only permit what is explicitly allowed
  • Supports Learning Mode, Installation Mode, and Monitor Only
  • Storage Control supports auditing of external storage, custom paths, and specified local folders
  • Monitoring and denying on storage for all external storage as well as specified local folders
  • Network Access Controls (NAC) supports Authorization Hosts as well as updating IPs for objects
  • Tamper Protection to stop unauthorized users from disabling ThreatLocker
