Configuring Certificate Manager

You must enable and configure certain features.

The following default setting is configured:

When you import Certificate Manager, the following default setting is configured:

Setting Default value
Action group

No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Certificate Manager, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Certificate Manager

Configure the Certificate Manager action group

Select the computer groups to include in the Certificate Manager action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Certificate Manager are included in the Certificate Manager action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Certificate Manager.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Select the All Windows, All Linux, and All Mac computer groups and choose the OR operator.

Set up Certificate Manager users

You can use the following set of predefined user roles to set up Certificate Manager users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Certificate Manager User

Assign the Certificate Manager User role to users who manage the deployment of Certificate Manager functionality to endpoints.
This role can perform the following tasks:

  • View Certificate Manager reports and dashboard in Tanium Reporting.
  • Deploy Certificate Manager packages.

Certificate Manager Read Only User

Assign the Certificate Manager Read Only User role to users who need visibility into Certificate Manager data.
This role can view Certificate Manager reports and dashboard in Tanium Reporting.

In addition to the Certificate Manager roles, users must also include the following requirements:
  • be assigned a basic Interact role, such as Interact Read-Only User
  • have sufficient management rights, such as All Computers

Create scheduled actions for Certificate Manager

  1. From the Main menu, go to Administration > Content > Packages and search for Certificate.
  2. For each of the following packages, select the package and then click Deploy Action.
    • Certificate Audit [Non-Windows]
    • Certificate Audit [Windows]
  3. In the Deployment Schedule section, configure the following schedule.
    • Schedule Type: Recurring Deployment
    • Re-issue every: 1 Days
    • Distribute Over: 10 Minutes

    Schedule the action to run daily.

  4. In the Targeting Criteria section, select the All non-Windows or All Windows action group depending on which package you previously selected and then click Show Preview To Continue.
  5. When the preview completes, click Deploy Action and confirm.

Configure authorized certificate authorities

To configure authorized certificate authorities, see Configure authorized certificate authorities.