Configuring Client Management

If you did not install Client Management with the Apply All Tanium recommended configurations option, you must enable and configure certain features. Additionally, you must add client installation files if you are using an air-gapped environment.

Tanium™ Cloud automatically handles initial configuration for Client Management, but you can set up additional Client Management users.

The following default setting is configured:

Setting: Action group

Default value: The action group is set to the All Computers computer group.

If you import Client Management with restricted targeting disabled, leave the Client Management action group set to the default of All Computers. If you use restricted targeting to set the Client Management action group to target the No Computers filter group, set the action group to target the computer group All Computers.

Review Endpoint Configuration settings

The following default setting is configured:

Setting: Action group

Default value: The action group is set to the All Computers computer group.

If you use restricted targeting to set the Client Management and Endpoint Configuration action groups to target the No Computers filter group, then make sure that before using any modules, you first set the Client Management action group to target the appropriate endpoints (typically All Computers), and then set the Endpoint Configuration action group to target the same endpoint. For more information, see Configure the Client Management action group in this guide and Tanium Endpoint Configuration User Guide: Configure the Endpoint Configuration action group. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group. Use the appropriate targeting groups within modules to control targeted deployment of configurations or tools.

For information about initially configuring Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Configuring Endpoint Configuration.

For solutions to perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

Configure the Client Management action group

If you imported Client Management without the Apply All Tanium recommended configurations option or with Restricted Targeting enabled, the Client Management action group targets No Computers by default. To enable Client Management functionality after importing without the Apply All Tanium recommended configurations option or with Restricted Targeting enabled, set the Client Management action group to target the computer group All Computers.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Client Management.
  3. Clear the selection for No Computers.
  4. Select All Computers and click Save.

Set up Client Management users

You can use the following set of predefined user roles to set up Client Management users.

To review specific permissions for each role, see User role requirements for Client Management.

On installation, Client Management creates a Client Management user to automatically manage the Client Management service account. Do not edit or delete the Client Management user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Client Management Administrator

Assign the Client Management Administrator role to users who manage all configuration in Client Management, configure client deployments, and investigate issues with specific clients.

This role can perform the following tasks:

  • View, create, edit, and delete client configurations and client credentials

    No user can view passwords in existing credentials.

  • View, create, and delete client deployments

  • View summarized client health information

  • Directly connect to endpoints to view detailed client health information

Client Management User

Assign the Client Management User role to users who execute client deployments.

This role can perform the following tasks:

  • View client configurations and client credentials

    No user can view passwords in existing credentials.

  • View and execute client deployments

  • View summarized client health information

Client Management Read-Only User

Assign the Client Management Read-Only User role to users who can review details of client deployments.

This role can view client configurations, client credentials, and client deployments.

Client Management API User

This role is used internally and is not typically assigned to users.

Client Management Auditor

This role is used internally and is not typically assigned to users.

Client Management Operator

Assign the Client Management Operator role to users who download installation packages for the Tanium Client or investigate issues with specific clients.

This role can perform the following tasks:

  • Download installation packages for the Tanium Client.

  • Directly connect to endpoints to view detailed client health information.

Client Management Upgrade Operator

Assign the Client Management Upgrade Operator role to users who manage upgrades of the Tanium Client on endpoints.

This role can perform the following tasks:

  • Upgrade the Tanium Client on endpoints.

  • Manage versions of the Tanium Client that are available for upgrades.

Client Management Endpoint Configuration Approver

Assign the Client Management Endpoint Configuration Approver role to a user who approves or rejects Client Management configuration items in Endpoint Configuration.

Do not assign the Client Management Service Account and Client Management Service Account - All Content Sets roles to users. These roles are for internal purposes only.

To configure a user who can only view client health information and connect to endpoints to access detailed client health and troubleshooting information, assign the following roles:

  • Direct Connect User
  • A custom role with the following permissions:
    • Clientmanagement Show
    • Client-Management Direct Connect
    • Client-Management View Health

For information about creating a custom role, see Tanium Console User Guide: Configure a custom role, and for information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.
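The role descriptions above can be turned into a least-privilege check. The following is an added example, not part of the Tanium documentation or product: it picks the smallest set of predefined roles that covers the tasks a user needs and flags roles that this page says are internal. The short task labels and the function names are assumptions made for this sketch.

```python
from itertools import combinations

# Tasks per role, transcribed from the role descriptions on this page.
# The short task labels are invented for this example.
ROLE_TASKS = {
    "Client Management Administrator": {"view_config", "manage_config",
        "view_deployments", "manage_deployments", "health_summary", "direct_connect"},
    "Client Management User": {"view_config", "view_deployments",
        "execute_deployments", "health_summary"},
    "Client Management Read-Only User": {"view_config", "view_deployments"},
    "Client Management Operator": {"download_installers", "direct_connect"},
    "Client Management Upgrade Operator": {"upgrade_clients", "manage_versions"},
    "Client Management Endpoint Configuration Approver": {"approve_config_items"},
}
DO_NOT_ASSIGN = {"Client Management Service Account",
                 "Client Management Service Account - All Content Sets"}
INTERNAL = {"Client Management API User", "Client Management Auditor"}

def granted(roles):
    """Union of the tasks that a collection of roles allows."""
    return set().union(*(ROLE_TASKS.get(r, set()) for r in roles))

def minimal_roles(needed):
    """Smallest role set covering `needed`; ties go to the fewest extra tasks."""
    needed = set(needed)
    if not needed:
        return ()
    for size in range(1, len(ROLE_TASKS) + 1):
        fits = [c for c in combinations(sorted(ROLE_TASKS), size)
                if needed <= granted(c)]
        if fits:
            return min(fits, key=lambda c: len(granted(c) - needed))
    return None  # some needed task is not offered by any assignable role

def audit(assigned, needed):
    """Return (finding, detail) tuples for one user's role assignment."""
    findings = [("do-not-assign role", r) for r in sorted(assigned) if r in DO_NOT_ASSIGN]
    findings += [("internal role, not typically assigned", r)
                 for r in sorted(assigned) if r in INTERNAL]
    missing = set(needed) - granted(assigned)
    if missing:
        findings.append(("missing tasks", tuple(sorted(missing))))
    best = minimal_roles(needed)
    if best is not None and granted(assigned) - granted(best):
        findings.append(("over-privileged, sufficient roles", best))
    return findings
```
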

Manage versions of the Tanium Client available for deployments and upgrades

The Tanium Server or your Tanium Cloud instance must download and cache the installers for each version of the Tanium Client that you want to use in client deployments or upgrades. The server or Tanium Cloud instance caches the latest version by default. When you synchronize the manifest and a new version is available, the server or Tanium Cloud instance automatically caches the new version, but it does not remove the previously cached version. You can manually cache other specific versions that you want to use in client deployments or upgrades.

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Versions.
  3. (Optional) To download the latest manifest for Tanium Client installers from content.tanium.com, click Synchronize Manifest.

  4. Beside each version that you want to cache for client upgrades, click Cache Packages.

    To remove the cached packages for a version that is no longer needed and free up storage space, click Clear Package Cache beside that version. That version is not available for client upgrades until you cache it again. You cannot remove the cached packages for a version that is selected in an existing client upgrade.

Manage versions of the Tanium Client available in an air-gapped environment

If you cannot enable communication between your Tanium Module Server and content.tanium.com, you must manually import Tanium Clients instead of caching versions from the online manifest.

  1. Contact Tanium Support to obtain a ZIP file with the installation packages.

  2. From the Main menu, go to Administration > Shared Services > Client Management.

  3. Click Upload Tanium Client, click Select Client ZIP file, select the file, and click Upload.

    To delete an imported version, click Delete Version beside that version. That version is not available for client upgrades until you reimport it. You cannot delete a version that is selected in an existing client upgrade.