Configuring Asset

If you did not install Asset with the Apply All Tanium recommended configurations, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Asset action group to target the No Computers filter group by enabling restricted targeting before adding Asset to your Tanium licenseimporting Asset. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Asset action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Asset with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Import schedule

The import schedule is set to start collecting data and generating reports.

Enable collection of Active Directory (AD) information

(Optional) To gather user data from Windows endpoints, including Full Name, Email, Phone, Department, and Location, install the Active Directory Query solution and create a scheduled action for the Collect Active Directory Info package.

For Mac and Linux endpoints, you do not need to deploy any actions to get this information.

  1. Install the Active Directory Query solution.
    1. From the Main menu, go to Administration > Solutions.
    2. In the Tanium Content section, select the Core AD Query Content row and click Import Solution.
    3. Review the list of packages and sensors and click Proceed with Import.
  2. Run the Collect Active Directory Info package on your endpoints with a scheduled action. For more information, see Tanium Core Platform User Guide: Managing Scheduled Actions.

    1. Use the Is Windows sensor to target Windows endpoints.

    2. Deploy the Collect Active Directory Info package to your endpoints. Configure a saved action as a scheduled action. Set Distribute Over to 1 hour, and set Reissue Every to 3 hours.

The action gets recent sign ins and the primary user of each system. A primary user has the most interactive sign-ins the past 30 days. You can access this information with the Primary User Details sensor or by adding the User Name column to a report.

Prepare endpoints

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Asset, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Asset

Configure service account

The service account is a user that runs several background processes for Asset. This user requires the following roles and access:

  • Tanium Administrator or Asset Service Account role

    If you use the Asset Service Account role, be sure that the Asset service account user has sufficient computer group rights for visibility of Asset inventory. For example, for complete visibility, assign the service account user Unrestricted Management Rights for computer group assignments. For more information, see Tanium Console User Guide: Manage computer group assignments for a user.

  • If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

For more information about Asset permissions, see User role requirements.

If you imported Asset with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. From the Main menu, go to Modules > Asset to open the Asset Overview page.
  2. Click Settings and open the Service Account tab.
  3. Update the service account settings and click Save.

Configure Asset action group for software inventory and usage and Flexera file evidence content

(Optional) Asset includes sensors for software inventory and usage and Flexera. To use these features, deploy this content to the endpoints. The Tanium Asset action group and associated actions to deploy tools and distribute configurations are created by Tanium Endpoint Configuration. By default, the computer group target for the Tanium Asset action group includes all computers. You can change the target computer group, if necessary.

For more information about Flexera integration, see Flexera FlexNet Manager Suite: 2019 R1 or earlier.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. In the list of action groups, click Tanium Asset.

  3. Click Edit, update the action group to include a computer group that has the computers you want to include in your Asset data, and click Save.

Set up Asset users

You can use the following set of predefined user roles to set up Asset users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Asset Administrator

Assign the Asset Administrator role to users who manage all configuration and deployment of Asset functionality to endpoints.
This role can perform the following tasks:

  • Configure all Asset service settings
  • Manage the Tanium source
  • View, create, edit, and delete all reports and views

Asset Operator

Assign the Asset Operator role to users who manage most configuration and deployment of Asset functionality to endpoints.
This role can perform the following tasks:

  • Configure some Asset settings, including data retention, report timeout, and permissions

  • View, create, edit, and delete all reports and views

Asset User

Assign the Asset User role to users who manage reports and views.
This role can view, create, edit, and delete owned reports and views.

Asset Report Reader

Assign the Asset Report Reader role to users who view reports and views.

Asset Service Account

Assign the Asset Service Account role to to an account that configures system settings for Asset.
This role can perform several background processes for Asset. For more information, see Installing Asset.

Asset Endpoint Configuration Approver

Assign the Asset Endpoint Configuration Approver role to a user who approves or rejects Asset configuration items in Tanium Endpoint Configuration.
This role can approve, reject, or dismiss changes that target endpoints where Asset is installed.

Set user permissions on computers

In addition to the Asset user roles that control access to Asset reports and settings as a whole, you can define more detailed permissions on computers that are based on individual attribute values. For example, you can create permissions that assign a user group permission to access information about Windows or macOS platform assets only. If a user belongs to multiple user groups, the permissions for all the user groups are combined with an OR operator.

Before you begin, you must have a user group to which you want to assign the Asset permissions. See Tanium Core Platform User Guide: Managing user groups. For the users in this user group to access Asset, they also must have an Asset user role assigned. See User role requirements.

  1. From the Asset Overview page, click Settings . Click the Permissions tab.
  2. Click Create Permissions.
  3. Select the user group from the list that you want to assign.
  4. Add a condition. This list of attributes is from the ci_item table of the Asset database.
    For example, to assign the user group permission to view Windows assets only, set to OS Platform contains Windows.
  5. Click Apply to create each condition.
  6. Click Create.

What to do next

See Succeeding with Asset for more information about using Asset.