Using the Tanium Client Deployment Tool
The Tanium™ Client Deployment Tool (CDT) is a free and simple utility that enables you to deploy the Tanium Client. The endpoints must be reachable from the computer on which the tool is installed. We recommend you target endpoints in batches. You can target 250-500 endpoints per batch.
You can use the following methods to discover endpoints to which to deploy the Tanium Client:
- Active Directory
Use in conjunction with domain-connected computers running a Microsoft Windows operating system only.
- Computer List
Discover assets based on a list of computer host names and IP addresses. Does not depend on Active Directory and can be used for all supported client operating systems.
- You can install and execute the Tanium CDT on any computer running a Microsoft Windows operating system with Microsoft .NET Framework 4.5 installed.
- Download the Tanium CDT from the Tanium Support site (login required).
- Copy the Tanium Server public key file (tanium.pub) from the Tanium Server installation directory to the host computer from which you will run the tool. You select this file when you configure the installation package to deploy to clients.
- Work with your network security administrator to ensure the ports used by the Tanium Client are not blocked. Tanium Clients send and receive data from the Tanium Server and other Tanium Clients over TCP port 17472.
- When deploying to Linux, Mac, or UNIX endpoints:
- You can configure password-based or SSH key-based authentication. You should configure whatever type of authentication is expected by the endpoint. Amazon Linux, for example, requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account that you use to make the connection from the CDT. This ensures that the key and not a password is used to elevate the admin privileges of the user so that the user can install the Tanium Client and start the service.
- Allow traffic from the deployment tool to endpoints on TCP port 22 (SSH port; configurable).
- Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH.
- If you are using the root account to install, make sure the sshd_config allows root login.
- Verify that you can log in to the remote system with SSH, using the same credentials you are planning to use for the Tanium Client deployment.
- When deploying to Windows endpoints:
- Enable Windows File and Print Sharing and RPC on the target endpoints. This is required only for installation and can be disabled after installation is complete.
- Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation initiated through RPC.
- Allow TCP traffic on ports 135 and 445 from the Tanium CDT host computer to the endpoints on which you want to deploy the Tanium Client.
- Verify that you can log in to the remote system with PSEXEC or WMIC command line utilities with the same credentials you are planning to use for the Tanium Client deployment. For example:
psexec \\192.168.1.130 -u Administrator -p [email protected] cmd /c dir C:\Users\Administrator\Documents
- Use a temporary account that is removed after deployment.
- Disable or change the password for the account after client deployment is complete.
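An added example (not from the Tanium documentation) that applies the Linux prerequisite and the temporary-account advice above: a POSIX shell script, run as root on a Linux endpoint, that creates a key-only deployment account with a syntax-checked NOPASSWD sudoers drop-in and removes both after deployment. The account name `taniumdeploy`, the `SUDOERS_DIR` override and the `provision`/`teardown` subcommands are assumptions.

```sh
#!/bin/sh
# Added example; DEPLOY_USER, its default and the subcommands are assumptions.
export LC_ALL=C                                  # byte-wise ranges in the patterns below
DEPLOY_USER="${DEPLOY_USER:-taniumdeploy}"
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# sudo ignores sudoers.d files whose names contain '.' or end in '~',
# so accept only names made of [a-z0-9_-] that start with a letter or '_'.
valid_user() {
    case "$1" in
        ""|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The NOPASSWD rule the prerequisite asks for, limited to this one account.
sudoers_rule() { printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"; }

# Stage the rule in a dot-file (ignored by sudo), syntax-check it, then rename it.
install_dropin() {
    valid_user "$1" || { echo "invalid account name: $1" >&2; return 1; }
    tmp=$(mktemp "$SUDOERS_DIR/.cdt.XXXXXX") || return 1
    sudoers_rule "$1" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$SUDOERS_DIR/$1"
}

# $1 = public key paired with the private key selected in the CDT settings.
# useradd sets no password, so the account has no password login, only the key.
provision() {
    valid_user "$DEPLOY_USER" || return 1
    useradd -m -s /bin/sh "$DEPLOY_USER" || return 1
    home=$(getent passwd "$DEPLOY_USER" | cut -d: -f6)
    install -d -m 0700 -o "$DEPLOY_USER" "$home/.ssh" &&
    install -m 0600 -o "$DEPLOY_USER" "$1" "$home/.ssh/authorized_keys" &&
    install_dropin "$DEPLOY_USER"
}

# After deployment: drop the sudo rule first, then the account, home and key.
teardown() {
    valid_user "$DEPLOY_USER" || return 1
    rm -f "$SUDOERS_DIR/$DEPLOY_USER"
    userdel -r "$DEPLOY_USER"
}

case "${1:-}" in provision) provision "$2" ;; teardown) teardown ;; esac
```

Run it as root with `provision <public-key-file>` before the CDT batch and with `teardown` once the endpoints report in.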
- Right-click the TaniumClientDeploymentToolSetup.exe file and select Run as administrator.
The installation wizard prompts you for one value—the installation directory. The default is C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool.
- In Windows, select Start > Tanium Client Deployment Tool to open the tool.
- Click OK to download the latest endpoint software.
The software is downloaded to C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool\clients\.
- If you plan to use Microsoft PSExec to push Tanium Client to endpoints:
- Under Settings, specify:
Tanium pub file: Type or browse to the Tanium Server public key file. The default installation location is C:\Program Files\Tanium\Tanium Server\tanium.pub. The Tanium Server public key you specify here is included in the client installation.
Server Name: The FQDN of the Tanium Server. For example, ts1.example.com. The Tanium Client registers with the Tanium Server you specify here.
In HA deployments and deployments with Zone Servers, you can send a server list. Enter the FQDN for all servers, separated by commas. For example: ts1.example.com,ts2.example.com,zs1.example.com
Port: Port used by Tanium Clients to communicate with the Tanium Server and with their designated peers. The default is 17472.
Log Verbosity Level: Sets the Tanium Client log level:
- 0: Disable logging. Recommended for clients installed to sensitive endpoints or VDI endpoints.
- 1: Recommended logging level during normal operation.
- 41: Recommended logging during troubleshooting.
- >= 91: Enable the most detailed log levels for short periods of time only.
- For deployments to Windows endpoints, specify:
Username: Local or domain user with administrative privileges on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer.
Password: The corresponding password.
Target Folder Override: Specify an installation folder if you do not want to use the default. On Windows, the default is C:\Program Files (x86)\Tanium\Tanium Client.
Execution Method: For Windows endpoints, specify which Windows operating system command line utility the tool uses to analyze target computers and perform the remote installation of the client:
- PSEXEC: Recommended because it is faster.
- WMIC: Recommended if analysis using PSEXEC returns endpoints with OS Unknown and status Processing.
Impersonate User: Select this option to use the PSEXEC user impersonation option. The credentials specified in the Settings section are used to connect to the endpoint using a PSEXEC process that runs under those credentials on the Client Deployment Tool host computer. Those credentials are also used to install the client.
For deployments to Linux or Mac endpoints, you can use password authentication or SSH key-based authentication.
Username: Local or domain user with administrative privileges on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer.
Password or Key-Based Authentication: Select Password Authentication.
Password: The corresponding password.
The deployment tool attempts to connect to the target endpoints using the values provided in the Username and Password fields and then elevates to root privileges by using the sudo or su - commands. Select Use sudo when preferred or root is not a valid user. Select Use su - when preferred and root is a valid user. If you use su -, you must specify the root password.
SSH Port: The default is the standard port number (22). If endpoints in your network listen for SSH on a different port, you can specify it here.
Username: Local or domain user with administrative privileges to log in and install software on targeted endpoints.
For Amazon Linux, the user name is ec2-user. Specify the username in the form expected for an SSH connection to the Amazon hosted Linux instance: user_name@public_dns_name.
For example: [email protected]
Password or Key-Based Authentication: Select Key Based Authentication.
Key Type: Browse and select the private key file that pairs with the public key file that has been added to the authorized_keys file on the endpoint:
The private key file is a .pem file.
The private key file is a .ppk file.
SSH Port: The default is the standard port number (22). If endpoints in your network listen for SSH on a different port, you can specify it here.
- Use the Computer List tab (Linux or Windows) or the Active Directory tab (Windows only) to search for the target endpoints.
- Specify a list of computer names, IP addresses, IP address ranges, and subnet addresses in the text box. One item per line.
- Click Analyze to query the list and populate the results table.
- Domain: Specify the Active Directory domain to which the targeted endpoints belong. For example, example.com.
- Connect using credentials: Select this option to use the administrator credentials specified in Settings instead of the logged in user credentials.
- Include computers in child containers: When this option is unchecked, only computer names from endpoints within the first level are included in the target list, not computers contained in child containers. When checked, all computers within an Organizational Unit or container and all child Organizational Units or containers are included in the list.
- Click Analyze to query the AD tree and populate the results table. If the AD query fails, click Retry Bind.
- Select one or more rows in the results table and click Install.
- In Interact, verify the endpoints respond to the following query:
Get Computer Name and Tanium Server Name from all machines
- Review the results grid to verify that all clients on which Tanium Client software was deployed are now reporting.
- You can also go to the System Status page to review recent client registration details. Click the menu icon and select Administration > System Status to display the page.
- Select Clients > Check for Updates.
The CDT reads available versions from content.tanium.com and populates the Client selection box. The most recent version for a platform is selected by default.
- Select the versions you want to download and click OK.
Any new client software is downloaded to C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool\clients\. If there is no new client software, the CDT displays a message indicating there are no updates.
If deployment fails, examine logs to identify the issues. You might be able to work around the issues using advanced settings.
The Tanium CDT writes debug logs, including logs for connection attempts and client installation success and failure. Logs are written in the following location:
<install>\Tanium Client Deployment Tool\
The most recent logs are written to TaniumClientDeploy.log. When that file is filled, the older messages are rolled into TaniumClientDeploy.log[.integer].
You must be able to connect to content.tanium.com to download the client manifest JSON file and the client software files. If necessary, you can use the advanced settings file to change the SSH timeout and to configure proxy server settings.
Open a text editor as administrator and edit the TaniumClientDeploy.exe.config file in the \Program Files (x86)\Tanium\Tanium Client Deployment Tool\ directory.
Specify the IP address and port as the value for the proxyAddress key. Specify username and password with the proxyUsername and proxyPassword keys only if the proxy server requires authentication.
The following example TaniumClientDeploy.exe.config file highlights these settings:
<add key="removeWinInstallDir" value="true"/>
<add key="removeWinInstallDirDelayInSeconds" value="20"/>
<add key="sshTimeoutSeconds" value="120"/>
<add key="agents" value="https://content.tanium.com/files/deploy/tanium/ClientDeployManifestEx.json.signed"/>
<add key="currrentProcessLimit" value="100"/>
<add key="soapProxyUseDefault" value="false"/>
<add key="soapProxyAddress" value="10.10.10.10:8080"/>
<add key="soapProxyDomain" value=""/>
<add key="soapProxyUsername" value=""/>
<add key="soapProxyPassword" value=""/>
<add key="proxyAddress" value="10.10.10.10:8080"/>
<add key="proxyDomain" value=""/>
<add key="proxyUsername" value=""/>
<add key="proxyPassword" value=""/>
<add key="logReadTimeout" value="30"/>
<add key="psexecTimeout" value="30"/>
<add key="bypassPsExecWarning" value="false"/>
<add key="sudoCommand" value="sudo"/>
Consult with your TAM before changing values other than sshTimeoutSeconds and "proxy" settings.
Last updated: 4/17/2018 10:30 AM