Configuring Client Management

If you did not install Client Management with the Apply All Tanium recommended configurations option, you must enable and configure certain features. Additionally, you must add client installation files if you are using an air-gapped environment.

Tanium™ Cloud automatically handles initial configuration for Client Management, but you can set up additional Client Management users.

The following default setting is configured:

Setting: Action group

Default value: The action group is set to the All Computers computer group.

If you import Client Management with restricted targeting disabled, leave the Client Management action group set to the default of All Computers. If you use restricted targeting to set the Client Management action group to target the No Computers filter group, set the action group to target the computer group All Computers.

Install and configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

For information about installing Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Installing Endpoint Configuration.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Client Management, see User role requirements for Client Management. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure the Client Management action group

If you imported Client Management without the Apply All Tanium recommended configurations option or with Restricted Targeting enabled, the Client Management action group targets No Computers by default. To enable Client Management functionality after importing without the Apply All Tanium recommended configurations option or with Restricted Targeting enabled, set the Client Management action group to target the computer group All Computers.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Client Management.
  3. Clear the selection for No Computers.
  4. Select All Computers and click Save.

Set up Client Management users

You can use the following set of predefined user roles to set up Client Management users.

To review specific permissions for each role, see User role requirements for Client Management.

On installation, Client Management creates a Client Management user to automatically manage the Client Management service account. Do not edit or delete the Client Management user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Client Management Administrator

Assign the Client Management Administrator role to users who manage all configuration in Client Management, configure client deployments, and investigate issues with specific clients.

This role can perform the following tasks:

  • View, create, edit, and delete client configurations and client credentials

    No user can view passwords in existing credentials.

  • View, create, and delete client deployments

  • View summarized client health information

  • Directly connect to endpoints to view detailed client health information

Client Management User

Assign the Client Management User role to users who execute client deployments.

This role can perform the following tasks:

  • View client configurations and client credentials

    No user can view passwords in existing credentials.

  • View and execute client deployments

  • View summarized client health information

Client Management Read-Only User

Assign the Client Management Read-Only User role to users who can review details of client deployments.

This role can view client configurations, client credentials, and client deployments.

Client Management API User

This role is used internally and is not typically assigned to users.

Client Management Auditor

This role is used internally and is not typically assigned to users.

Client Management Downloader

Assign the Client Management Downloader role to users who download installation packages for the Tanium Client.

Client Management Operator

Assign the Client Management Operator role to users who download installation packages for the Tanium Client or investigate issues with specific clients.

This role can perform the following tasks:

  • Download installation packages for the Tanium Client.

  • Directly connect to endpoints to view detailed client health information.


Client Management Upgrade Operator

Assign the Client Management Upgrade Operator role to users who manage upgrades of the Tanium Client on endpoints.

This role can perform the following tasks:

  • Upgrade the Tanium Client on endpoints.

  • Manage versions of the Tanium Client that are available for upgrades.

Client Management Endpoint Configuration Approver

Assign the Client Management Endpoint Configuration Approver role to a user who approves or rejects Client Management configuration items in Endpoint Configuration.

Do not assign the Client Management Service Account and Client Management Service Account - All Content Sets roles to users. These roles are for internal purposes only.

To configure a user who can only view client health information and connect to endpoints to access detailed client health and troubleshooting information, assign the following roles:

  • Direct Connect User
  • A custom role with the following permissions:
    • Clientmanagement Show
    • Client-Management Direct Connect
    • Client-Management View Health

For information about creating a custom role, see Tanium Console User Guide: Configure a custom role, and for information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Manage versions of the Tanium Client available for deployments and upgrades

The Tanium Server or your Tanium Cloud instance must download and cache the installers for each version of the Tanium Client that you want to use in client deployments or upgrades. It caches the latest version by default. When you synchronize the manifest and a new version is available, it automatically caches the new version, but it does not remove the previously cached version. You can manually cache other specific versions that you want to use in client deployments or upgrades.

You cannot use Client Management to install a Tanium Client version earlier than 7.4.7.1094.

  1. From the Main menu, go to Shared Services > Client Management.

  2. From the Client Management menu, click Client Versions.
  3. (Optional) To download the latest manifest for Tanium Client installers from content.tanium.com, click Synchronize Manifest.

  4. Beside each version that you want to cache for client upgrades, click Cache Packages.

    To remove the cached packages for a version that is no longer needed and free up storage space, click Clear Package Cache beside that version. That version is not available for client upgrades until you cache it again. You cannot remove the cached packages for a version that is selected in an existing client upgrade.

Manage versions of the Tanium Client available in an air-gapped environment

If you cannot enable communication between your Tanium Module Server and content.tanium.com, you must manually import Tanium Clients instead of caching versions from the online manifest.

  1. Contact Tanium Support to obtain a ZIP file with the installation packages.

  2. From the Main menu, go to Shared Services > Client Management.

  3. Click Upload Tanium Client, click Select Client ZIP file, select the file, and click Upload.

    To delete an imported version, click Delete Version beside that version. That version is not available for client upgrades until you reimport it. You cannot delete a version that is selected in an existing client upgrade.