ThreatLocker Mobile App

The following article applies to versions 4.0+ and is organized by sections of the ThreatLocker Mobile Application. To only see content related to our most current version, please see our ThreatLocker University course titled ThreatLocker Mobile App. 

Overview

Available on both Apple and Android devices, the ThreatLocker Mobile Application is free to use and works in conjunction with the ThreatLocker web portal. It was created to provide a more convenient way for you to manage your endpoints and fast access to your accounts. 

The application does not offer all the features provided in the web portal, but this was done intentionally to simplify and streamline the application to provide easier management. 

ThreatLocker highly recommends using the mobile app because it will lessen any potential friction between you and your end users.

Logging In

Input your ThreatLocker Portal username.

Click 'Continue'. 

Input your ThreatLocker Portal password into the 'Password' text box.

Select your Inactivity Timeout by selecting the displayed time to open a selection menu.

Click the 'Login' button.

For SMS or OTC 2-Factor Authentication, you will need to retrieve your code and input it into the 'One Time Code' textbox. Next, click 'Submit'.

For DUO, you will need to approve your DUO push and then you will be logged into ThreatLocker Mobile. 

ThreatLocker Mobile does not currently support authentication using Yubikey.

Homepage

Depending upon your user permissions, after login, you will be directed to one of two places: the Response Center or the Computers page.

Menu Navigation

The Global Navigation Menu (hamburger menu icon) is located at the top left of the screen. This menu will allow you to navigate between the other pages.

Depending on the version of your ThreatLocker Mobile app and your user permissions, you may not have visibility of all the options listed below.

ThreatLocker Mobile App Version 4.1+ Menu	ThreatLocker Mobile App Version 4.0 Menu

Approvals (Legacy)/Approval Center

Please Note: The legacy system will be deprecated after a period of time, so users are encouraged to use the Response Center. 

Using the Approvals page in the mobile app will not allow for use of the ThreatLocker Testing Environment.

From the menu, select 'Approval Center'. Listed will be all pending Application, Elevation, and Storage Approval Requests for organizations you manage.

At the top of the page, you will see a search bar. You can input all or part of a file name to bring up requests that match that file name.

Below the Search bar, you will see the request list.

Parts of a Request

1. The name of the Organization.
2. The Hostname where the request originated.
3. The username of the logged-in user when the request was sent.
4. The name of the file that is being requested.
5. The type of request.

Ignoring or Permitting a Request

Tap on a request to review the request details.

If after looking at this request, you decide you don't want to permit it, tap the red 'Ignore' button towards the bottom right-hand corner.

If you have decided to permit this file, tap the green 'Permit' button to open the page where you can process this request.

At the top of the next screen, you will be informed if this file matches an existing application, and can select to add this file to the matching application, an existing application, or to create a new application for it. 

Next, you can choose to add Ringfencing if desired. 

You can select a Policy Expiration, apply Elevation if needed, and select where to apply this new policy to. 

Expanding the Administrator Notes section will provide a location to enter optional information: Ticket #, Requestor name or email address, and comments. 

Push Notifications

To receive push notifications when you receive an approval request, you will need to agree to permit the app to give you push notifications. You will also need to ensure you have toggled on the 'Notify on Request' option in the Edit Administrator window in the ThreatLocker web portal for the account using the mobile app.

Response Center

Beginning in ThreatLocker Mobile App Version 4.1, the Response Center has been built into the mobile app. Navigate here to view all pending Application, Elevation, and Storage Approval Requests. For users of ThreatLocker Detect, the Response center will hold the Threats and Remediation tabs as well. Navigation icons are located at the bottom of the screen, along with a count of the number of items contained in each tab.

Approvals Tab

This is where all Approval Requests are located.

When a request is selected, the user will be presented with Request Details.

Depending on what type of request (Application, Elevation, or Storage) the exact options will vary. The example below is from an Application Request.

1. Select 'Show Complete File Details' to view additional details about the file.
2. Click the 'Virus Total' button to be taken to the Virus Total entry on that file.
3. Select 'New Install' and provide a name for the application or 'Update Existing' and select an existing application from the dropdown.
4. Select how to permit the software:
   1. Custom - Create Custom Rules using parameters including SHA, Hash, File Path, Certificate, Process Path, and Created By (depending on what is available for that file).
   2. Installation - Place the requesting machine into Installation Mode to install the application.
   3. Learning - Place the requesting machine into Learning Mode to install the application.
   4. Monitor- Place the requesting machine into Monitor Mode. The application will be able to run during Monitor Mode, but it will not be learned, and no policy will be created to permit the same application in the future.

1. Select whether or not this application should be permitted to run with Admin rights.
2. Add an expiration for the Elevation (if desired).
3. Set Ringfence restrictions.
4. Approve the request.
5. Ignore the request.

Threats Tab

The Threats tab contains all ThreatLocker Detect alerts. There will be one entry for each computer that has active alerts. Swipe right on an entry to quickly Lockdown, Isolate, or Clear all Alerts on the target computer.

Selecting an entry will open the ThreatLocker Detect Alerts slideout, which contains the following:

• Alerts - This tab shows all ThreatLocker Detect alerts on the computer.
  • You can quickly make exceptions to a ThreatLocker Detect policies using the "+" button located within an alert.

• Hamburger menu in the bottom right-hand corner contains:
  • Lockdown - Place the target computer into lockdown mode.
  • Isolate - Place the target computer into isolate mode.
  • Clear Alerts - Clear all active alerts on the computer.
  • Snooze Alerts - This will hide active alerts on the target computer for the time period selected. Any new alerts will come in as expected so users can easily see if a computer is experiencing new alerts.
• Executes - By default, this tab shows execute logs on the computer from the last 24 hours that have at least 1 result in Virus Total that indicates the file is possibly malicious. The time frame can be extended, a specific policy action can be selected, and you can choose to show all execute logs, not only ones that have been flagged by Virus Total.
• Installs - By default, this tab shows install logs from the last 24 hours that have at least 1 result in Virus Total that indicates the file is possibly malicious. The time period can be extended, and you can choose to show all install logs, not only the ones flagged by Virus Total.
• Baseline - By default, this tab shows baseline logs from the last 24 hours that have at least 1 result in Virus Total that indicates the file is possibly malicious. The time period can be extended, and you can choose to show all baseline logs, not only the ones flagged by Virus Total.
• Network - By default, this tab shows network logs on the computer from the last 24 hours that have at least 1 result in Virus Total that indicates the IP address is possibly malicious. The time frame can be extended, a specific policy action can be selected, and you can choose to show all network logs, not only ones that have been flagged by Virus Total.
• Elevation - By default, this tab show Elevation logs from the last 24 hours. This timeframe can be extended, and you can choose to show only items that have been flagged by Virus Total.
• Storage - By default, this tab shows storage logs on the computer from the last 24 hours. The time frame can be extended, a specific policy action can be selected, and you can choose to show only logs that have been flagged by Virus Total.
• Exclusions - This tab will show all ThreatLocker Detect policy exclusions that apply to this computer.
• Snooze History - This tab will contain a record of who, when, and for how long the alerts on this computer have been snoozed.

Remediation Tab

When a computer is placed into Isolate or Lockdown mode, the computer will be moved from the Threats tab into the Remediation tab. This provides the administrator with a central location where all computers requiring investigation are located. While a computer is safely isolated from the network, or isolated and all executions are blocked, the investigator has more time to delve into the activity that was attempted or occurred on each computer before deciding to lift the imposed restrictions or take further remediation steps.

Swipe right on the main Remediation listing to quickly Remove Isolation, Remove Lockdown, or switch from one to the other.

Double tapping on the entry will open the ThreatLocker Detect Alerts sidebar as outlined in the Alerts tab section above.

Unified Audit 

View and filter Unified Audit log entries. 

Tapping an entry will display the Action Log with scrollable additional details.

Health Center

The Health Center is currently read-only. The ability to interact with these tiles is coming soon.

ThreatLocker Mobile App Version 4.1+ Menu	ThreatLocker Mobile App Version 4.0 Menu

Reports

All reports, including Override Codes, are available.

Modules

Application Control

Within the Application Control Module, applications, policies, and/or tags can be created, edited, or deleted.

Each page includes a filtering capability and the availability to delete by swiping left.

On the Application Control > Policies page, you can quickly change the status of policies with a swipe to the right.

Network Control

Policies and Authorization Hosts can be created, edited, or deleted.

Storage Control

Policies and Devices can be created, edited, or deleted.

ThreatLocker Detect

Policies can be created, edited, or deleted.

• The main grid will display the policy name, who created it, where it applies, and an icon list of actions to be taken whenever that policy is matched.

Computers and Computer Groups 

From the menu, select 'Computers'. You will be taken to a list of all the computers you currently manage.

The top line in each entry is the name of the computer.

The second line is the name of the organization.

Utilize the filter to be able to include computers from child organizations.

Buttons that have a colorful icon signify an active Maintenance period.

Any buttons with icons in gray signify an inactive Maintenance period.

Swipe to the right to quickly switch the computer into a different maintenance mode.

Tap on a computer to expand it to show Computer Details, Maintenance, Maintenance History, and Options tabs.

On computer groups, press and hold on any entry to enter a multi-select mode where you can change the ThreatLocker Versions or Update Channels.

Swipe to the left to delete a group, and swipe right to change the version or update channel for a single group.

Administrators / User Roles / System Audit

The Administrators page is currently read-only. From this page, you can navigate to the User Roles or System Audit tabs.

User Roles can be created, edited, and deleted.

The System Audit can be searched and filtered. Click on an individual entry to view the details.

Organizations

The Organizations page allows you to easily view items for specific organizations.

Swiping right on a specific organization will allow you to manage an organization. Once you select to manage an organization, your menu navigation will then only direct you to pages as relevant to that organization.

QR Scanner

Once you are running the ThreatLocker tray service on a computer, you can right-click the ThreatLocker icon to display a QR code. The QR code can then be scanned with the Mobile Application's QR Scanner or the device's native camera.

Scanning the QR code will allow you to manage the specific computer quickly within the mobile application's Computers page. 

QR Scanner requires Edit Computers user permission.

Help Desk

Help Desk on the Mobile Application allows you to create and manage tickets on the go.

When managing tickets, you have the ability to search tickets, reply to tickets, or mark tickets as resolved. Once a ticket is marked as "Resolved" by a ThreatLocker employee, you will receive a pop-up to confirm the resolution of their ticket. After marking tickets as resolved, you will be prompted to submit optional feedback. 

Please note that the chat function is not available on the mobile application and can only be accessed through the ThreatLocker Portal. You can access offline tickets in the Mobile Application. 

Settings & Help