Configuring Client Management

If you did not install Client Management with the Apply All Tanium recommended configurations option, you must enable and configure certain features. Additionally, you must upload the Tanium public key if you are using Tanium Server 7.2.x or 7.3.x, and you must add client installation files if you are using an air-gapped environment.

Tanium as a Service automatically handles initial configuration for Client Management, but you can set up additional Client Management users.

When you import Client Management with automatic configuration, the following default settings are configured:

Setting Default Value
Action group

The action group is set to the All Linux, All Mac, and All Windows computer groups.

  • Restricted targeting disabled (default): All Linux, All Mac, and All Windows computer groups
  • Restricted targeting enabled: No Computers computer group

If you import Client Management with restricted targeting disabled, leave the Client Management action group set to the default of All Linux, All Mac, and All Windows. If you use restricted targeting to set the Client Management action group to target the No Computers filter group, set the action group to target the computer group All Computers or the computer groups All Linux, All Mac, and All Windows.

Service account

The service account is set to the account that you used to import the solution.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the service account.

Configure Client Management

Configure the service account

The service account is a user that runs several background processes for Client Management. This user requires the following roles and access:

  • Content Administrator and Tanium Client Administrator, or Tanium Administrator
  • (Optional) Discover Read Only User role, to deploy to endpoints based on labels created in Tanium Discover

For more information about Client Management permissions, see User role requirements for Client Management.

If you imported Client Management with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. From the Main menu, click Administration > Shared Services > Client Management to open the Client Management Home page.
  2. Click Settings and open the Service Account tab.
  3. Update the service account settings and click Save.

Configure the Client Management action group

If you did not install Client Management with the Apply All Tanium recommended configurations option, the Client Management action group was not created by default. Create the Tanium Client Management action group.

If you import Client Management with restricted targeting disabled, leave the Client Management action group set to the default of All Linux, All Mac, and All Windows. If you use restricted targeting to set the Client Management action group to target the No Computers filter group, set the action group to target the computer group All Computers or the computer groups All Linux, All Mac, and All Windows.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click New Group.
  3. For the Name, enter Tanium Client Management.
  4. Select computer groups to include in the action group, and click Save.

Set up Client Management users

You can use the following set of predefined user roles to set up Client Management users.

To review specific permissions for each role, see User role requirements for Client Management.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Client Management Administrator

Assign the Client Management Administrator role to users who manage all configuration in Client Management, configure client deployments, and investigate issues with specific clients.

This role can perform the following tasks:

  • Configure the Client Management service account

  • View, create, edit, and delete client configurations and client credentials

    No user can view passwords in existing credentials.

  • View, create, and delete client deployments

  • View summarized client health information

  • Directly connect to endpoints to view detailed client health information

Client Management User

Assign the Client Management User role to users who execute client deployments.

This role can perform the following tasks:

  • View client configurations and client credentials

    No user can view passwords in existing credentials.

  • View and execute client deployments

  • View summarized client health information

Client Management Read-Only User

Assign the Client Management Read-Only User role to users who can review details of client deployments.

This role can view client configurations, client credentials, and client deployments.

Client Management API User

This role is used internally and is not typically assigned to users.

Client Management Auditor

This role is used internally and is not typically assigned to users.

Client Management Operator

Assign the Client Management Operator role to users who download installation packages for the Tanium Client or investigate issues with specific clients.

This role can perform the following tasks:

  • Download installation packages for the Tanium Client.

  • Directly connect to endpoints to view detailed client health information.

Client Management Endpoint Configuration Approver

Assign the Client Management Endpoint Configuration Approver role to a user who approves or rejects Client Management configuration items in Endpoint Configuration.

Client Management Service Account

Assign the Client Management Service Account role to the account that performs background processes for Client Management. For more information, see Configure the service account.

(Tanium 7.2.x, 7.3.x only) Upload Tanium public key

If you are using Tanium Server 7.2.x or 7.3.x, upload the Tanium public key. This public key enables the connection between the clients you are installing and the Tanium Server. This configuration occurs automatically with Tanium Server 7.4 and later.

  1. From the Client Management Home page, click Settings.
  2. Click Choose File and select the tanium.pub file for your Tanium Server. The tanium.pub file is in the top-level installation directory for the Tanium Server.
  3. Click Upload.

Add client installation files for air-gapped environments

If you cannot enable communication between your Tanium Module Server and content.tanium.com, contact Tanium Support for help with configuring client installers on the Tanium Module Server.