Help CenterApplies To:
- ThreatLocker Mac Agent v4.3 (Confirmed)
- All other versions of the ThreatLocker Mac Agent (Expected behavior)
- macOS Sequoia 15 (macOS 15)
- Devices managed by MDM (e.g., Jamf)
Issue Summary
On Macs running macOS Sequoia 15, ThreatLocker Network Control does not function correctly when the device is managed via MDM (e.g., Jamf). This issue is confirmed on ThreatLocker Mac Agent v4.3 and is expected to affect all versions of the ThreatLocker Mac agent due to changes in macOS behavior regarding system extensions under MDM management.
Symptoms
- No network traffic is shown in:
- Real-Time Unified Audit
- Unified Audit
- No network blocks are recorded
- System Settings > Network > Filters shows:
- Red icon next to “Filters” (indicating Inactive)
- Yellow icon next to “ThreatLocker” (indicating the filter driver is present but not started)
Root Cause
The MDM system (e.g., Jamf) may be failing to activate the ThreatLocker Network Extension due to missing or incomplete Content Filter profiles required under macOS Sequoia 15’s tightened extension management rules.
Resolution / Workaround
- Confirm the Driver Is Not Started
- Navigate to System Settings > Network > Filters
- Confirm that the ThreatLocker filter shows a yellow icon
- Temporarily Remove from MDM
- Unenroll the device from MDM
- Reboot the system
- Upon reboot, macOS should prompt to enable the ThreatLocker Network Extension
- Accept the prompt. The yellow icon should turn green, indicating the driver is active
- Re-enroll and Correct MDM Configuration (if rejoining MDM)
- Re-enroll the device into MDM
- Ensure your MDM (e.g., Jamf) deploys a valid Content Filter payload that enables ThreatLocker’s Network Extension
Additional Notes
- This behavior is confirmed on Agent v4.3 and is expected on all current versions of the ThreatLocker Mac agent
- macOS Sequoia 15 introduces stricter controls over system and network extensions when MDM-managed
- An update to resolve this issue more seamlessly is expected in a future agent release