Appearance
ThreatLocker Setup
ThreatLocker is a zero-trust endpoint protection platform built around application allowlisting. Once connected, Junto can review pending application approval requests, permit or reject blocked applications, and look up computers and computer groups across your organizations.
Prerequisites
- A ThreatLocker administrator account with permission to create API Users (e.g., a Super Admin role)
- An API key generated from the ThreatLocker Portal
- Your ThreatLocker instance letter (used to build the API URL)
Step 1: Generate an API Key
- Log in to the ThreatLocker Portal.
- Navigate to the Administrators page and select the API Users tab.
- Click New API User.
- Enter a name for the token (e.g., "junto").
- Select an API Token Expiration. The expiration is a sliding window -- each time the token is used, the timer resets, so a 365-day token only expires after 365 days of inactivity.
- Under Roles/Permissions, assign the role(s) and select the organization(s) Junto should manage. Include your child organizations if Junto should handle approval requests across all your clients.
- Click Generate API Token and copy the key. It is shown only once -- store it securely before closing the panel.
Step 2: Find Your API URL
ThreatLocker hosts customers on lettered instances, and the API URL depends on which instance your organization is on.
- In the ThreatLocker Portal, click the Help button in the upper-right corner.
- Your instance letter appears in parentheses next to the ThreatLocker Access header (e.g., "G").
- Your API URL is
https://portalapi.<instance>.threatlocker.com-- for example, instance G useshttps://portalapi.g.threatlocker.com.
Step 3: Configure in Junto
- In Junto, go to Settings > Integrations > ThreatLocker.
- Click Add Configuration and fill in:
- API URL -- Your instance-specific URL from Step 2.
- API Key -- The key from Step 1. This is encrypted before storage.
- Click Create, then use Test connection to verify the credentials.
TIP
If the connection test fails with an authentication error, double-check the instance letter in your API URL. A valid key from one instance will not authenticate against another instance's URL.
Step 4: Map Companies to Organizations
ThreatLocker organizes endpoints into organizations, with each MSP client typically a separate child organization.
- After connecting, click Company mapping on the configuration card. Junto lists the organizations available to your API key.
- Link each Junto company to its ThreatLocker organization.
- Auto-map is available to match organizations by name, with both exact and close-match suggestions.
- Save mappings.
What the AI Agent Can Do
Approval Requests
| Tool | Description | Risk Level |
|---|---|---|
| List Approval Requests | List pending application approval requests, with filtering by search text and child organizations | Low |
| Get Approval Request Details | View full details of a request, including file path, hash, certificates, and the requestor's reason | Low |
| Permit Application | Approve a blocked application, with an optional expiration date on the resulting policy | High |
| Reject Approval Request | Deny a request and notify the requester with a reason | Medium |
Permits are deliberately scoped to the single computer that generated the request -- the agent cannot create organization-wide allow policies. Requests that have been escalated to the MSP level must be handled directly in the ThreatLocker Portal.
Computers
| Tool | Description | Risk Level |
|---|---|---|
| List Computers | Search endpoints by name, with organization, OS, agent version, and last check-in details | Low |
| Get Computer Details | View detailed information about a specific computer | Low |
| List Computer Groups | List the computer groups used to scope policies | Low |
High-impact actions like permitting or rejecting applications require explicit technician approval before the agent proceeds.
Troubleshooting
- Connection fails with an authentication error -- Verify the API key and confirm the instance letter in your API URL matches your portal's instance (Step 2). Keys are instance-specific.
- Connection fails with an unreachable or timeout error -- Check the API URL for typos and confirm it uses
https://. - No organizations listed for mapping -- Confirm the API User was granted access to the expected organizations when it was created.
- Agent can't permit a request -- The request may have been escalated to the MSP level, already actioned by another administrator, or since removed. Escalated requests must be resolved in the ThreatLocker Portal.
- Key stopped working after a period of inactivity -- API token expiration is a sliding window based on last use. Generate a new key if yours has lapsed.