Configuring Asset

If you did not install Asset with the Apply All Tanium recommended configurations, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Asset action group to target the No Computers filter group by enabling restricted targeting before adding Asset to your Tanium licenseimporting Asset. This option enables you to control tools deployment and the endpoints that are inventoried in Asset through scheduled actions that are created during the import and that target the Tanium Asset action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

(Tanium 7.4.5 and later) When you import Asset, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

For information about how the action group relates to what actions Asset can take on particular endpoints, and how to change the action group, see (Optional) Configure the Asset action group.
Import schedule

The import schedule is set to start collecting data and generating reports.

Enable collection of Active Directory (AD) information

(Optional) To gather user data from Windows and domain-joined macOS endpoints, including Full Name, Email, Phone, Department, and Location, install the Core ADQuery Content solution and verify that the Core Content - AD Query action group targets the appropriate computer groups.

For macOS endpoints that are not domain-joined and Linux endpoints, you do not need to deploy any actions to get this information.

Install the Active Directory Query content-only solution

  1. From the Main menu, go to Administration > Solutions.
  2. In the Content section, select the Core ADQuery Content row and click Import.
  3. Review the list of packages and sensors and click Begin Import.

Set the targeting for the Tanium Core AD Query action group and create a scheduled action

Complete the steps in the "Required Configuration Steps" and "Additional Core Content - AD Query Configuration" sections in this article: Tanium Community: Configure Delivery of Endpoint Tools and Content to set the targeting for the Tanium Core AD Query action group and create a scheduled action to collect Active Directory Query information.

The action gets recent sign ins and the primary user of each system. A primary user has the most interactive sign ins the past 30 days. You can access this information with the Primary User Details sensor or by adding the User Name column to a report.

For more information about viewing the status of content-only solutions in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: View the status of content-only solutions.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Asset, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Asset

(Optional) Configure the Asset action group

The action group determines on which endpoints the following Asset activities can be performed:

  • Asset collection of software inventory and usage data
  • Asset tool distribution
  • Asset file evidence collection for Flexera
  • Asset collection of Microsoft Exchange information

Importing the Asset module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Asset, the action group targets No Computers.

If restricted targeting was disabled when you imported Asset, the computer group target for the Tanium Asset action group targets All Computers, and configuring the Asset action group is optional.

Select the computer groups to include in the Asset action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Asset are included in the Asset action group.

Asset inventory information is collected only for endpoints that are included in the Asset action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Asset.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

For more information about Flexera integration, see Flexera FlexNet Manager Suite: 2019 R1 or earlier.

Set up Asset users

You can use the following set of predefined user roles to set up Asset users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Asset Administrator

Assign the Asset Administrator role to users who manage all configuration and deployment of Asset functionality to endpoints.
This role can perform the following tasks:

  • Configure all Asset service settings
  • Manage the Tanium source

  • View, create, edit, and delete all reports and views

Asset Operator

Assign the Asset Operator role to users who manage most configuration and deployment of Asset functionality to endpoints.
This role can perform the following tasks:

  • Configure some Asset settings, including data retention, report timeout, and permissions

  • View, create, edit, and delete all reports and views

Asset User

Assign the Asset User role to users who manage reports and views.
This role can view, create, edit, and delete owned reports and views.

Asset Report Reader

Assign the Asset Report Reader role to users who view reports and views.

Asset API User

Assign the Asset API User role to a user who accesses the Asset API using API Gateway.

Asset Limited Report Reader

Assign the Asset Limited Report Reader role to a user who views only public reports.

Asset Endpoint Configuration Approver

Assign the Asset Endpoint Configuration Approver role to a user who approves or rejects Asset configuration items in Tanium Endpoint Configuration.
This role can approve, reject, or dismiss changes that target endpoints where Asset is installed.

Do not assign the Asset Service Account and Asset Service Account - All Content Sets roles to users. These roles are used for internal purposes only.

Set user permissions on computers

In addition to the Asset user roles that control access to Asset reports and settings as a whole, you can define more detailed permissions on computers that are based on individual attribute values. For example, you can create permissions that assign a user group permission to access information about only Windows or only macOS operating system assets. If a user belongs to multiple user groups, the permissions for all the user groups are combined with an AND operator.

Before you begin, you must have a user group to which you want to assign the Asset permissions. See Tanium Core Platform User Guide: Managing user groups. For the users in this user group to access Asset, they also must have an Asset user role assigned. See User role requirements.

  1. From the Asset Overview page, click Settings . Click the Permissions tab.
  2. Click Create Permissions.
  3. In the User Groups list, select the user group to which you want to assign Asset permissions.
  4. Add a condition. This list of attributes is from the ci_item table of the Asset database.
    For example, to assign the selected user group permission to view only Windows assets, set the values to OS Platform contains Windows.
  5. Click Apply to create each condition.
  6. Click Create.