Configuring Client Management

If you did not install Client Management with the Apply All Tanium recommended configurations option, you must enable and configure certain features. Additionally, you must upload the Tanium public key if you are using Tanium Server 7.3.x, and you must add client installation files if you are using an air-gapped environment.

Tanium™ Cloud automatically handles initial configuration for Client Management, but you can set up additional Client Management users.

When you import Client Management with automatic configuration, the following default settings are configured:

The following default setting is configured:

Setting	Default Value
Action group	The action group is set to the All Computers computer group. Restricted targeting disabled (default): All Computers computer group Restricted targeting enabled: No Computers computer group If you import Client Management with restricted targeting disabled. leave Leave the Client Management action group set to the default of All Computers. If you use restricted targeting to set the Client Management action group to target the No Computers filter group, set the action group to target the computer group All Computers.
Service account	The service account is set to the account that you used to import the solution. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the service account.

Setting

Default Value

Action group

The action group is set to the All Computers computer group.

Restricted targeting disabled (default): All Computers computer group
Restricted targeting enabled: No Computers computer group

If you import Client Management with restricted targeting disabled. leave Leave the Client Management action group set to the default of All Computers. If you use restricted targeting to set the Client Management action group to target the No Computers filter group, set the action group to target the computer group All Computers.

Service account

The service account is set to the account that you used to import the solution.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the service account.

Configure Client Management

Configure the service account

The service account is a user that runs several background processes for Client Management. This user requires the following roles and access:

Client Management Service Account or Tanium Administrator role
Trends Integration Service Account role, to send data to Trends
(Optional) Discover Read Only User role, to deploy to endpoints based on labels created in Tanium Discover

For more information about Client Management permissions, see User role requirements for Client Management.

If you imported Client Management with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

From the Main menu, click Administration > Shared Services > Client Management to open the Client Management Overview page.
Click Settings .
In the Service Account section, update the service account settings and click Save.

Configure the Client Management action group

If you imported Client Management without the Apply All Tanium recommended configurations option or with Restricted Targeting enabled, the Client Management action group targets No Computers by default. To enable Client Management functionality after importing without the Apply All Tanium recommended configurations option or with Restricted Targeting enabled, set the Client Management action group to target the computer group All Computers.

From the Main menu, go to Administration > Actions > Action Groups.
Click Tanium Client Management.
Clear the selection for No Computers.
Select All Computers and click Save.

Set up Client Management users

You can use the following set of predefined user roles to set up Client Management users.

To review specific permissions for each role, see User role requirements for Client Management.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Client Management Administrator

Assign the Client Management Administrator role to users who manage all configuration in Client Management, configure client deployments, and investigate issues with specific clients.

This role can perform the following tasks:

Configure the Client Management service account
View, create, edit, and delete client configurations and client credentials

No user can view passwords in existing credentials.
View, create, and delete client deployments
View summarized client health information
Directly connect to endpoints to view detailed client health information

Client Management User

Assign the Client Management User role to users who execute client deployments.

This role can perform the following tasks:

View client configurations and client credentials

No user can view passwords in existing credentials.
View and execute client deployments
View summarized client health information

Client Management Read-Only User

Assign the Client Management Read-Only User role to users who can review details of client deployments.

This role can view client configurations, client credentials, and client deployments.

Client Management API User

This role is used internally and is not typically assigned to users.

Client Management Auditor

This role is used internally and is not typically assigned to users.

Client Management Operator

Assign the Client Management Operator role to users who download installation packages for the Tanium Client or investigate issues with specific clients.

This role can perform the following tasks:

Download installation packages for the Tanium Client.
Directly connect to endpoints to view detailed client health information.

This role can directly connect to endpoints to view detailed client health information.

Client Management Upgrade Operator

Assign the Client Management Upgrade Operator role to users who manage upgrades of the Tanium Client on endpoints.

This role can perform the following tasks:

Upgrade the Tanium Client on endpoints.
manage versions of the Tanium Client that are available for upgrades.

Client Management Endpoint Configuration Approver

Assign the Client Management Endpoint Configuration Approver role to a user who approves or rejects Client Management configuration items in Endpoint Configuration.

Client Management Service Account

Assign the Client Management Service Account role to the account that performs background processes for Client Management. For more information, see Configure the service account.

(Tanium 7.3.x only) Upload Tanium public key

If you are using Tanium Server 7.3.x, upload the Tanium public key. This public key enables the connection between the clients you are installing and the Tanium Server. This configuration occurs automatically with Tanium Server 7.4 and later.

From the Client Management Overview page, click Settings .
Click Choose File and select the tanium.pub file for your Tanium Server. The tanium.pub file is in the top-level installation directory for the Tanium Server.
Click Upload.

Add client installation files for air-gapped environments

If you cannot enable communication between your Tanium Module Server and content.tanium.com, contact Tanium Support for help with configuring client installers on the Tanium Module Server.