ThreatLocker Mobile App

19 min. read | Last update: 04.10.2024

The following article references ThreatLocker Mobile App Versions 4.0+ and 3.5.1. For information on Version 3.5.1, please scroll down to the section titled: "ThreatLocker Mobile App Version 3.5.1."

Available on both Apple and Android devices, the ThreatLocker Mobile Application is free to use and works in conjunction with the ThreatLocker web portal. It was created to provide a more convenient way for you to manage your endpoints, as well as provide fast access to your accounts. 

The application does not offer all the features provided in the web portal, but this was done intentionally to keep the application simplified and streamlined as a way to provide easier management. 

ThreatLocker highly recommends using the mobile app because it will lessen any potential friction between you and your end users.

ThreatLocker Mobile App Version 4.2

 

Homepage

Depending upon your user permissions, after login, you will be directed to one of two places: the Response Center or the Computers page.

Menu

Depending upon your user permissions, you may not have visibility of all options listed below.

 

The full menu can be accessed via the hamburger icon in the top left side of the screen.

Settings

When selected, the Settings modal slides up.  

  1. The user profile can be edited, and MFA settings can be adjusted.
  2. Help links to the ThreatLocker Knowledge Base.
  3. Log Out 

Approvals (Legacy)

This is the temporary location of the legacy Approvals screen. As many users are very comfortable with the user flow of the legacy system, for a period of time, the legacy Approvals will provide users the ability to continue using the system they are accustomed to while they acclimate to the new and improved process.

Please Note: The legacy system will be deprecated after a period of time, so users are encouraged to use the new system. 

For more information on the Legacy Approvals screen, please scroll down to the Mobile App 4.0 section below.

 

Response Center

The new home for Approval Requests and ThreatLocker Ops Alerts and Remediation

Beginning in 4.1, the Response Center has been built into the mobile app. Navigate here to view all pending Application, Elevation, and Storage Approval Requests. For users of ThreatLocker Ops, the Response Center will hold the Threats and Remediation tabs as well. Navigation icons are located at the bottom of the screen, along with a count of the number of items contained in each tab.

Approvals Tab

This is where all Approval Requests are located.

When a request is selected, the user will be presented with Request Details.

The exact options will vary depending on the type of request (Application, Elevation, or Storage). The example below is from an Application Request.

  1. Select 'Show Complete File Details' to view additional details about the file.
  2. Click the 'Virus Total' button to be taken to the Virus Total entry on that file.
  3. Select 'New Install' and provide a name for the application or 'Update Existing' and select an existing application from the dropdown.
  4. Select how to permit the software:
    1. Custom - Create Custom Rules using parameters including SHA, Hash, File Path, Certificate, Process Path, Created By (depending on what is available for that file).
    2. Installation - Places the requesting machine into Installation Mode so the application can be installed.  
    3. Learning - Places the requesting machine into Learning Mode so the application can be installed.
    4. Monitor - Places the requesting machine into Monitor Mode. The application will be able to run during Monitor Mode, but it will not be learned and no policy will be created to permit the same application in the future.

  1. Select whether or not this application should be permitted to run with Admin rights.
  2. Add an expiration for the Elevation if desired
  3. Set Ringfence restrictions
  4. Approve the request
  5. Ignore the request

 

Threats Tab

The Threats tab contains all ThreatLocker Detect alerts. There will be one entry for each computer that has active alerts. Swipe right on an entry to quickly Lockdown, Isolate, or Clear all Alerts on the target computer.

 

Clicking on the entry will open the ThreatLocker Detect Alerts slideout, which contains the following:

  • Alerts - This tab shows all ThreatLocker Detect alerts on the computer.
    • You can quickly make exceptions to ThreatLocker Detect policies using the "+" button located within an alert.

    • Hamburger menu in the bottom right-hand corner contains:
      • Lockdown - Place the target computer into lockdown mode
      • Isolate - Place the target computer into isolate mode
      • Clear Alerts - Clear all active alerts on the computer
      • Snooze Alerts - This will hide active alerts on the target computer for the time period selected. Any new alerts will come in as expected so users can easily see if a computer is experiencing new alerts.
  • Executes - By default, this tab shows execute logs on the computer from the last 24 hours that have at least 1 result in Virus Total that indicates the file is possibly malicious. The time frame can be extended, a specific policy action can be selected, and you can choose to show all execute logs, not only ones that have been flagged by Virus Total.
  • Installs - By default, this tab shows install logs from the last 24 hours that have at least 1 result in Virus Total that indicates the file is possibly malicious. The time period can be extended, and you can choose to show all install logs, not only the ones flagged by Virus Total.
  • Baseline - By default, this tab shows baseline logs from the last 24 hours that have at least 1 result in Virus Total that indicates the file is possibly malicious. The time period can be extended, and you can choose to show all baseline logs, not only the ones flagged by Virus Total.
  • Network - By default, this tab shows network logs on the computer from the last 24 hours that have at least 1 result in Virus Total that indicates the IP address is possibly malicious. The time frame can be extended, a specific policy action can be selected, and you can choose to show all network logs, not only ones that have been flagged by Virus Total.
  • Elevation - By default, this tab shows Elevation logs from the last 24 hours. This time frame can be extended, and you can choose to show only items that have been flagged by Virus Total.
  • Storage - By default, this tab shows storage logs on the computer from the last 24 hours.  The time frame can be extended, a specific policy action can be selected, and you can choose to show only logs that have been flagged by Virus Total.
  • Exclusions - This tab will show all ThreatLocker Detect policy exclusions that apply to this computer.
  • Snooze History - This tab will contain a record of who, when, and for how long the alerts on this computer have been snoozed.

Remediation Tab

When a computer is placed into Isolate or Lockdown mode, the computer will be moved from the Threats tab into the Remediation tab. This provides the administrator with a central location in which all computers that require investigation are located.  While a computer is safely isolated from the network, or isolated and all executions are blocked, the investigator has a bit more time to delve into the activity that was attempted or occurred on each computer before deciding to lift the imposed restrictions, or take further remediation steps.

Swipe right on the main Remediation listing to quickly Remove Isolation, Remove Lockdown, or switch from one to the other.

Double tapping on the entry will open the ThreatLocker Detect Alerts sidebar as outlined in the Alerts tab section above.

Unified Audit 

No changes in the Unified Audit.

Health Center

The Health Center is currently read-only.  The ability to interact with these tiles is coming soon.

Reports

No changes in the Reports page.

Modules

The mobile app now contains 4 ThreatLocker Modules: Application Control, Network Control, Storage Control and ThreatLocker Detect.

  • Application Control - no changes
  • Network Control - no changes
  • Storage Control - no changes
  • ThreatLocker Detect - Now you can create, edit, and delete ThreatLocker Detect policies from within the mobile app. 
    • The main grid will display the policy name, who created it, where it applies, and an icon list of actions that will be taken whenever that policy is matched.

 

Computers / Computer Groups 

There were no changes made to the Computers and Computer Groups screens.

Administrators / User Roles / System Audit

There were no changes made to the Administrators, User Roles or System Audit screens.

Organizations

There were no changes made to the Organizations screen.

QR Scanner

There were no changes made to the QR Scanner.

Help Desk

There were no changes made to the Help Desk.

Help

The help page has been updated to reflect changes in the most recent ThreatLocker Mobile build.

Known Issues with Version 4.1:

  • ThreatLocker Mobile requires password complexity that may prevent users with legacy passwords from logging in. Please update your password to meet current Portal password complexity requirements.

 

ThreatLocker Mobile App Version 4.0 

 

The Login Screen

Input your ThreatLocker Portal username.

Click 'Continue'. 

Input your ThreatLocker Portal password into the 'Password' text box.

Select your Inactivity Timeout by selecting the displayed time to open a selection menu.

Click the 'Login' button.

For SMS or OTC 2-Factor Authentication, you will need to retrieve your code and input it into the 'One Time Code' textbox. Next, click 'Submit'.

For DUO, you will need to approve your DUO push and then you will be logged into ThreatLocker Mobile. 

ThreatLocker Mobile does not currently support authentication using Yubikey.

Homepage

Depending upon your user permissions, when accessing the application you will be directed to one of two places: the Approval Center or the Computers page.

Menu

Depending upon your user permissions, you may not have visibility of all options listed below.

The hamburger menu icon in the upper left-hand corner of the screen will allow you to navigate between the other pages.

Approval Center

Using the Approvals page in the mobile app will not allow for use of the ThreatLocker Testing Environment.

From the menu, select 'Approval Center'. Listed will be all pending Application, Elevation, and Storage Approval Requests for organizations you manage.

At the top of the page, you will see a search bar. You can input all or part of a file name to bring up requests that match that file name.

Below the Search bar, you will see the request list.

Parts of a Request

  1. The name of the Organization.
  2. The Hostname where the request originated.
  3. The username of the logged-in user when the request was sent.
  4. The name of the file that is being requested.
  5. The type of request.

Ignoring or Permitting a Request

Tap on a request to review the request details.

If after looking at this request, you decide you don't want to permit it, tap the red 'Ignore' button towards the bottom right-hand corner.

If you have decided to permit this file, tap the green 'Permit' button to open the page where you can process this request.

At the top of the next screen, you will be informed if this file matches an existing application, and can select to add this file to the matching application, an existing application, or to create a new application for it. 

Next, you can choose to add Ringfencing if desired. 

You can select a Policy Expiration, apply Elevation if needed, and select where to apply this new policy to. 

Expanding the Administrator Notes section will provide a location to enter optional information: Ticket #, Requestor name or email address, and comments. 

Push Notifications

To receive push notifications when you receive an approval request, you will need to agree to permit the app to give you push notifications. You will also need to ensure you have toggled on the  'Notify on Request' option in the Edit Administrator window in the ThreatLocker web portal for the account using the mobile app.

Unified Audit

View and filter Unified Audit log entries. 

Tapping an entry will display the Action Log with scrollable additional details.

Health Center

The Health Center page is currently view-only.

Reports

All reports, including Override Codes, are available.

Modules

Currently, three modules are available within the mobile app: Application Control, Network Control, and Storage Control.

Application Control

Within the Application Control Module, applications, policies, and/or tags can be created, edited, or deleted.

Each page includes a filtering capability and the ability to delete by swiping left.

On the Application Control > Policies page, you can quickly change the status of policies with a swipe to the right.

Network Control

Policies and Authorization Hosts can be created, edited, or deleted.

Storage Control

Policies and Devices can be created, edited, or deleted.

Computers and Computer Groups

From the menu, select 'Computers'. You will be taken to a list of all the computers you currently manage.

The top line in each entry is the name of the computer.  

The second line is the name of the organization.

Use the filter to include computers from child organizations.

Buttons that have a colorful icon signify an active Maintenance period.

Any buttons with icons in gray signify an inactive Maintenance period.

Swipe to the right to quickly switch the computer into a different maintenance mode.

Tap on a computer to expand it to show Computer Details, Maintenance, Maintenance History, and Options tabs.

On computer groups, long press on any entry to enter a multi-select mode where you can change the ThreatLocker Versions or Update Channels.

Swipe to the left to delete a group, and swipe right to change the version or update channel for a single group.

Administrators

The Administrators page is currently read-only. From this page, you can navigate to the User Roles or System Audit tabs.

User Roles can be created, edited, and deleted.

The System Audit can be searched and filtered. Click on an individual entry to view the details.

Organizations

The Organizations page allows you to easily view items for specific organizations.

Swiping right on a specific organization will allow you to manage an organization. Once you select to manage an organization, your menu navigation will then only direct you to pages as relevant to that organization.

QR Scanner

Once you are running the ThreatLocker tray service on a computer, you can right click the ThreatLocker icon to display a QR code. The QR code can then be scanned with the Mobile Application's QR Scanner or the device's native camera.  

Scanning the QR code will allow you to manage the specific computer quickly within the mobile application's Computers page. 

QR Scanner requires Edit Computers user permission.

Help Desk

Help Desk on the Mobile Application allows you to create and manage tickets on the go.

Help

Selecting this page will direct you to this KnowledgeBase article, ThreatLocker Mobile App.

Known Issues with Version 4.0:

  • ThreatLocker Mobile requires password complexity that may prevent users with legacy passwords from logging in. Please update your password to meet current Portal password complexity requirements.
  • Currently, scanning the QR code with the native phone camera does not open the target computer screen. The QR scanner that is built into the app is working as expected.

ThreatLocker Mobile App Version 3.5.1

The Login Screen

 

Input your ThreatLocker Portal username.

Click 'Continue'. 

Input your ThreatLocker Portal password into the 'Password' text box.

Select your Inactivity Timeout from the dropdown menu.

Click the 'Login' button.

For SMS or OTC 2-Factor Authentication, you will need to retrieve your code and input it into the 'One Time Code' textbox. Next, click 'Submit'.

For DUO, you will need to approve your DUO push and then you will be logged into ThreatLocker Mobile. 

ThreatLocker Mobile does not currently support authentication using Yubikey.

 

Homepage

Depending upon your user permissions, when accessing the application you will be directed to one of two places: the Approval Requests page or the Computers page. The hamburger menu icon in the upper left-hand corner of the screen will allow you to navigate between the other pages: Approvals, Computers, QR Scanner, Help Desk, Help, and Log Out.

Menu

Click the hamburger icon (3 lines) beside the ThreatLocker Logo to open the menu. 

The Approvals Page 

Using the Approvals page in the mobile app will not allow for use of the ThreatLocker Testing Environment.

From the menu, select 'Approvals'. Listed will be all pending Application, Elevation, and Storage Approval Requests for organizations you manage.

At the top of the page, you will see a filter bar where you can select to view 'All Requests', 'Application Requests', or 'Elevation Requests'.

Below the filter is a Search bar. You can input all or part of a file name to bring up requests that match that file name.

Below the Search bar, you will see the request list.

The top line on each request is the name of the Organization.

Next is the Hostname where the request originated.

Listed third is the username of the logged-in user when the request was sent.

Below the username is the name of the file that is being requested.

The bottom line shows what type of request this is.

Click the 'Ignore' button to ignore the request and remove it from the list.

Click the blue 'View' button to open the corresponding request. 

If after looking at this request, you decide you don't want to permit it, click the 'X' in the top left-hand corner.

If you have decided to permit this file, press the green 'Permit' button to open the page where you can process this request.

At the top of the next screen, you will be informed if this file matches an existing application, and can select to add this file to the matching application, an existing application, or to create a new application for it. 

Next, you can choose to add Ringfencing if desired. 

You can select a Policy Expiration, apply Elevation if needed, and select where to apply this new policy to. 

Expanding the Administrator Notes section will provide a location to enter optional information: Ticket #, Requestor name or email address, and comments. 

Click the blue checkmark button to finish permitting this request.  

 

Push Notifications

To receive push notifications when you receive an approval request, you will need to agree to permit the app to give you push notifications. You will also need to ensure you have selected the checkbox next to 'Notify on request' in the Edit Administrator window in the ThreatLocker web portal for the account using the mobile app.

The Computers Page

From the menu, select 'Computers'. You will be taken to a list of all the computers you currently manage, including computers in child organizations.  

The top line in each entry is the name of the Organization.  

The second line is the name of the computer.

Any active Maintenance Periods will be listed below the name of the computer.

Buttons that have a colorful icon signify an active Maintenance period.

Any buttons with icons in gray signify an inactive Maintenance period.

Computers Page Search

You can search by computer name, group name, or Organization name by inputting all or part of the name into the search bar at the top of the screen and then clicking 'Search'. 

Clicking on a specific computer listing will expand it.

Enabling Learning Mode

Please note: Learning and Monitor Only Mode will only work if you have enabled Application Control on your account.

Click the button that has the book and video camera icons next to the computer you wish to enable Learning Mode on. 

Next, select either 'Learning Automatic Group', 'Learning Automatic Computer', or 'Learning Automatic System' from the menu. 

  • Automatic Group will enable a one-hour Learning Mode on that computer. ThreatLocker will catalog all files that are being installed and executed on that computer and automatically create policies for the computer group the selected computer is in. All activity will be recorded in the Unified Audit. At the conclusion of the 1-hour period, the computer will switch to 'Secure'.
  • Automatic Computer will begin a one-hour Learning Mode on that computer. ThreatLocker will catalog all files that are being installed and executed on that computer and automatically create policies for just that single computer. All activity will be recorded in the Unified Audit. At the conclusion of the 1-hour period, the computer will switch to 'Secure'. 
  • Automatic System will begin a one-hour Learning Mode on that computer. ThreatLocker will catalog all drivers that are being installed and create a policy for them for that single computer. All activity will be recorded in the Unified Audit. At the conclusion of the 1-hour period, the computer will switch to 'Secure'. 

After you make your selection, the button will change color and the selected mode will be listed below the computer name.  

To end any maintenance period before the hour is up, click the desired button a second time, and then click 'Yes' on the alert that populates. The computer will then switch to 'Secure'.

Enabling Monitor Only Mode

Select the button that has the book and video camera icons.

Select 'Monitor Only' from the menu.

This will place the selected computer into a Monitor-Only status. No files will be blocked, nothing will be learned, and no policies will be created. All activity will be tracked in the Unified Audit. The computer will switch to 'Secure' at the end of the hour.

To end the Maintenance period early, click the button a second time and then click 'Yes' on the alert. The computer will then switch to 'Secure'.  

 

Enabling Elevation

Please Note: The Elevation button will only function if you have purchased and enabled the Elevation product on your ThreatLocker account.

Click the button with the up arrow.

The button will change color, and a one-hour Elevation period will be enabled on the computer. All activity will be recorded in the Unified Audit.   

To end the Elevation period early, click the button a second time and then click 'Yes' on the alert.

Refresh

To refresh any page, pull down.

QR Scanner

Once you are running the ThreatLocker tray service on a computer, you can right click the ThreatLocker icon to display a QR code. The QR code can then be scanned with the Mobile Application's QR Scanner or the device's native camera.  

Scanning the QR code will allow you to manage the specific computer quickly within the mobile application's Computers page. 

QR Scanner requires Edit Computers permission.

Help Desk

Help Desk on the Mobile Application allows you to create and manage tickets on the go.

 

For more information about how to use the mobile app, please see our ThreatLocker Mobile App course in ThreatLocker University.