Using the Tanium Client Deployment Tool
The Tanium™ Client Deployment Tool (CDT) is a free and simple utility that enables you to deploy the Tanium Client. The endpoints must be reachable from the computer on which the tool is installed. As a best practice, target endpoints in batches. You can target 250-500 endpoints per batch. Before you install and use the CDT, ensure that your environment meets the host, network, and administrative requirements for the Tanium Client: see Requirements.
You can use the following methods to discover endpoints on which to deploy the Tanium Client:
- Active Directory (AD): Use in conjunction with domain-connected computers running a Microsoft Windows operating system (OS) only.
- Computer List: Discover assets based on a list of computer host names and IP addresses. This method does not depend on AD and you can use it for all supported OSs.
- Configure password-based or SSH key-based authentication based on what the endpoints expect.
For example, Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account that you use to make the connection from the CDT. This ensures that the key and not a password is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.
- Allow traffic from the CDT to endpoints on TCP port 22 (SSH port, configurable).
Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH.
If you use the root account to install, make sure the sshd_config allows root login.
Verify that you can log in to the remote system with SSH, using the same credentials that you will use for the Tanium Client deployment.
- Enable Windows file-and-print sharing and remote procedure calls (RPCs) on the target endpoints. This is required only for installation; you can disable the sharing and RPCs after the installation.
- Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation initiated through RPC.
- Allow TCP traffic on ports 135 and 445 from the Tanium CDT host computer to the endpoints on which you want to deploy the Tanium Client.
Verify that you can log in to the remote system with PSEXEC or WMIC command line utilities with the same credentials that you will use for the Tanium Client deployment. For example:
psexec \\192.168.1.130 -u Administrator cmd /c dir C:\Users\Administrator\Documents
wmic /node:"192.168.1.130" /user:"Administrator" useraccount list brief
- Use a temporary account that is removed after deployment.
- Disable or change the password for the account after client deployment is complete.
You must install the CDT on a Windows system that has Microsoft .NET Framework versions 3.5 and 4.5 installed.
- Download the Tanium CDT installer file TaniumClientDeploymentToolSetup.exe. Contact your Tanium Technical Account Manager (TAM) for the instructions.
- Copy the Tanium Server public key file (tanium.pub) from the Tanium Server installation directory to the host computer from which you will run the tool. You select this file when you configure the installation package to deploy to clients.
- Right-click the CDT installer file and select Run as administrator.
The installation wizard prompts you for one value—the installation directory. The default is C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool.
- In Windows, select Start > Tanium Client Deployment Tool to open the tool.
- Click OK to download the latest endpoint software.
The software is downloaded to C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool\clients\.
- If you plan to use Microsoft PSExec to push Tanium Client to endpoints:
- When prompted, follow the link to download PSTools from the Microsoft download site.
- Unzip the package and copy the PsExec.exe file to the CDT installation directory.
- Restart the Tanium CDT.
- Start the Tanium CDT.
- In the Settings section, specify:
Tanium pub file Type or browse to the Tanium Server public key file. The default installation location is C:\Program Files\Tanium\Tanium Server\tanium.pub. The Tanium Server public key you specify here is included in the client installation. Server Name
The FQDN of the Tanium Server. For example, ts1.example.com. The Tanium Client registers with the Tanium Server you specify here.
In HA deployments and deployments with Zone Servers, you can send a server list. Enter the comma-separated FQDNs of all the servers, such as: ts1.example.com,ts2.example.com,zs1.example.com
Port Port that Tanium Clients use to communicate with the Tanium Server and with their designated peers. The default is 17472. Log Verbosity Level
Sets the Tanium Client log levels.
The following decimal values are best practices for specific use cases:
- 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
- 1: This is the best practice value during normal operation.
- 41: This is the best practice value during troubleshooting.
- 91 or higher: Enable the most detailed log levels for short periods of time only.
- (Windows endpoints) Click the Windows tab and specify:
Username Local or domain user with administrative permissions on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer. Password The corresponding password. Target Folder Override Specify an installation folder if you do not want to use the default. On Windows, the default is C:\Program Files (x86)\Tanium\Tanium Client. Execution Method For Windows endpoints, specify which Windows operating system command line utility the tool uses to analyze target computers and perform the remote installation of the client:
- PSEXEC: Recommended because it is faster.
- WMIC: Recommended if analysis using PSEXEC returns endpoints with OS Unknown and status Processing.
Impersonate User Select this option to use the PSEXEC user impersonation option. The credentials specified in the Settings section are used to connect to endpoint using a PSEXEC process that is run under those credentials on the Client Deployment tool host computer. Those credentials are also used to install the client.
(Linux or macOS endpoints) Click the Linux/Mac tab. You can use password authentication or SSH key-based authentication.
For password authentication, specify:
Username Local or domain user with administrative permissions on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer. Password or Key-Based Authentication Select Password Authentication. Password The corresponding password.
The deployment tool attempts to connect to the target endpoints using the values provided in the Username and Password fields and then elevates to root permissions by using the sudo or su - commands. Select Use sudo when preferred or root is not a valid user. Select Use su - when preferred and root is a valid user. If you use su -, you must specify the root password. SSH Port The default is the standard port number (22). If endpoints in your network listen for SSH on a different port, you can specify it here.
For SSH key-based authentication, specify:
Local or domain user with administrative permissions to log in and install software on targeted endpoints.
For Amazon Linux, the user name is ec2-user. Specify the username in the form expected for an SSH connection to the Amazon hosted Linux instance: user_name@public_dns_name.
For example: [email protected]
Password or Key-Based Authentication Select Key Based Authentication. Key Type Browse and select the private key file that pairs with the public key file that has been added to the authorized_keys file on the endpoint:
The private key file is a .pem file.
The private key file is a .ppk file.
SSH Port The default is the standard port number (22). If endpoints in your network listen for SSH on a different port, you can specify it here.
- Click the Computer List tab (Linux or Windows) or the Active Directory
tab (Windows only) to search for the target endpoints.
For Computer List:
- Specify a list of computer names, IP addresses, IP address ranges, and subnet addresses in the text box. One item per line.
- Click Analyze to query the list and populate the results table.
For Active Directory:
- Domain: Specify the Active Directory domain to which the targeted endpoints belong. For example, example.com.
- Connect using credentials: Select this option to use the administrator credentials specified in Settings instead of the logged in user credentials.
- Include computers in child containers: When this option is unchecked, computer names from endpoints within only the first level are included in the target list, not computers contained in child containers. When checked, all computers within an Organizational Unit or container and all child Organization Units or containers are included in the list.
- Click Analyze to query the AD tree and populate the results table. Click Retry Bind if necessary in the event the AD query fails.
- Select one or more rows in the results table and click Install.
The status table has information about the installation attempt. Review the information to confirm deployment. Click Clear Completed or Clear All to clear status table entries.
- Access the Tanium Console.
- Use the Interact Ask a Question field to verify that the endpoints respond to the following query:
Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines
- Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.
- (Optional) Go to the Administration > System Status page to review recent client registration details.
- Start the Tanium Client CDT.
- Select Clients > Check for Updates.
The CDT reads available versions from content.tanium.com and populates the Clients selection box. The most recent version for a platform is selected by default.
- Select the versions you want to download and click OK.
Any new client software is downloaded to C:\Program Files (x86)\Tanium\Tanium Client Deployment Tool\clients\. If no new client software exists, the CDT displays a message indicating this.
You can use the CDT to generate packages in the following formats:
- Windows EXE or MSI: In the CDT, select Clients > Generate Windows MSI or EXE, select Create .EXE or Create .MSI, and click OK.
- ISO, TAR.GZ, and ZIP: In the CDT, select Clients > Generate Archive, select the package format (Create .ISO, Create .TAR.GZ, or Create .MSI), select a Platform, optionally click Add to include other files (such as a TaniumClient.ini file), and click OK.
Packages include the installer package, tanium.pub file, and any files that you manually add, such as a TaniumClient.ini file. The non-Windows installers for Tanium Client 7.2 or later migrate settings found in a TaniumClient.ini file to the equivalent settings in the Tanium Client 7.2 or later database.
You must be able to connect to content.tanium.com to download the Tanium Client manifest JSON file and the client software files. If necessary, you can use the advanced settings file to change the SSH timeout and to configure proxy server settings.
Open a text editor as administrator and edit the TaniumClientDeploy.exe.config file in the \Program Files (x86)\Tanium\Tanium Client Deployment Tool\ directory.
Specify the IP address and port as the value for the proxyAddress key. Specify username and password with the proxyUsername and proxyPassword keys only if the proxy server requires authentication.
The following example TaniumClientDeploy.exe.config file highlights these settings:
<add key="removeWinInstallDir" value="true"/>
<add key="removeWinInstallDirDelayInSeconds" value="20"/>
<add key="sshTimeoutSeconds" value="120"/>
<add key="agents value="https://content.tanium.com/files/deploy/tanium/ClientDeployManifestEx.json.signed"/>
<add key="currrentProcessLimit" value="100"/>
<add key="soapProxyUseDefault" value="false"/>
<add key="soapProxyAddress" value="10.10.10.10:8080"/>
<add key="soapProxyDomain" value=""/>
<add key="soapProxyUsername" value=""/>
<add key="soapProxyPassword" value=""/>
<add key="proxyAddress" value="10.10.10.10:8080"/>
<add key="proxyDomain" value=""/>
<add key="proxyUsername" value=""/>
<add key="proxyPassword" value=""/>
<add key="logReadTimeout" value="30"/>
<add key="psexecTimeout" value="30"/>
<add key="bypassPsExecWarning" value="false"/>
<add key="sudoCommand" value="sudo"/>
Consult with your TAM before changing values other than sshTimeoutSeconds and proxy server settings.
Last updated: 11/13/2019 8:40 AM | Feedback