Configuring Client Management
If you did not install Client Management with the Apply All Tanium recommended configurations option, you must enable and configure certain features. Additionally, you must upload the Tanium public key if you are using Tanium Server 7.3.x, and you must add client installation files if you are using an air-gapped environment.
Tanium™ Cloud automatically handles initial configuration for Client Management, but you can set up additional Client Management users.
When you import Client Management with automatic configuration, the following default settings are configured:
Setting | Default Value |
---|---|
Action group | The action group is set to the All Computers computer group. |
Service account | The service account is set to the account that you used to import the solution. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the service account. |
Configure Client Management
Configure the service account
The service account is a user that runs several background processes for Client Management. This user requires the following roles and access:
- Client Management Service Account or Tanium Administrator role
- Trends Integration Service Account role, to send data to Trends
- (Optional) Discover Read Only User role, to deploy to endpoints based on labels created in Tanium Discover
For more information about Client Management permissions, see User role requirements for Client Management.
If you imported Client Management with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.
- From the Main menu, click Administration > Shared Services > Client Management to open the Client Management Overview page.
- Click Settings.
- In the Service Account section, update the service account settings and click Save.
Configure the Client Management action group
If you imported Client Management without the Apply All Tanium recommended configurations option or with Restricted Targeting enabled, the Client Management action group targets No Computers by default. To enable Client Management functionality in either case, set the Client Management action group to target the All Computers computer group.
- From the Main menu, go to Administration > Actions > Action Groups.
- Click Tanium Client Management.
- Clear the selection for No Computers.
- Select All Computers and click Save.
Set up Client Management users
You can use the following set of predefined user roles to set up Client Management users.
To review specific permissions for each role, see User role requirements for Client Management.
For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.
Client Management Administrator
Assign the Client Management Administrator role to users who manage all configuration in Client Management, configure client deployments, and investigate issues with specific clients.
This role can perform the following tasks:
- Configure the Client Management service account
- View, create, edit, and delete client configurations and client credentials
  No user can view passwords in existing credentials.
- View, create, and delete client deployments
- View summarized client health information
- Directly connect to endpoints to view detailed client health information
Client Management User
Assign the Client Management User role to users who execute client deployments.
This role can perform the following tasks:
- View client configurations and client credentials
  No user can view passwords in existing credentials.
- View and execute client deployments
- View summarized client health information
Client Management Read-Only User
Assign the Client Management Read-Only User role to users who can review details of client deployments.
This role can view client configurations, client credentials, and client deployments.
Client Management API User
This role is used internally and is not typically assigned to users.
Client Management Auditor
This role is used internally and is not typically assigned to users.
Client Management Operator
Assign the Client Management Operator role to users who
This role can perform the following tasks:
- Download installation packages for the Tanium Client.
- Directly connect to endpoints to view detailed client health information.
Client Management Upgrade Operator
Assign the Client Management Upgrade Operator role to users who manage upgrades of the Tanium Client on endpoints.
This role can perform the following tasks:
- Upgrade the Tanium Client on endpoints.
- Manage versions of the Tanium Client that are available for upgrades.
Client Management Endpoint Configuration Approver
Assign the Client Management Endpoint Configuration Approver role to a user who approves or rejects Client Management configuration items in Endpoint Configuration.
Client Management Service Account
Assign the Client Management Service Account role to the account that performs background processes for Client Management. For more information, see Configure the service account.
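The role guidance above (the roles the service account requires, a unique service account per solution, and internal roles that are not typically assigned to users) can be checked against an inventory of role assignments. The following is an added example, not Tanium code: the inventory layout, the account names, and the finding labels are hypothetical and the sample data is constructed; only the role names come from this page.

```python
# Added example. The inventory layout is hypothetical, not a Tanium export
# format; role names are the ones listed on this page.
REQUIRED_ANY = {"Client Management Service Account", "Tanium Administrator"}
REQUIRED_ALL = {"Trends Integration Service Account"}
INTERNAL_ROLES = {"Client Management API User", "Client Management Auditor"}

# Constructed sample data: solution -> service account, account -> roles.
SERVICE_ACCOUNTS = {
    "Client Management": "svc-tanium",
    "Trends": "svc-tanium",
    "Discover": "svc-discover",
}
ROLE_ASSIGNMENTS = {
    "svc-tanium": {"Client Management Service Account"},
    "alice": {"Client Management Administrator"},
    "bob": {"Client Management User", "Client Management Auditor"},
}


def audit(service_accounts, role_assignments, solution="Client Management"):
    """Return (finding, account, detail) tuples for one solution."""
    findings = []
    svc = service_accounts[solution]
    roles = role_assignments.get(svc, set())
    # The service account needs one of the two base roles ...
    if not roles & REQUIRED_ANY:
        findings.append(("MISSING_ROLE", svc, " or ".join(sorted(REQUIRED_ANY))))
    # ... plus the Trends integration role to send data to Trends.
    for role in sorted(REQUIRED_ALL - roles):
        findings.append(("MISSING_ROLE", svc, role))
    # A unique service account per solution is the suggested extra measure.
    shared = sorted(s for s, a in service_accounts.items()
                    if a == svc and s != solution)
    if shared:
        findings.append(("SHARED_SERVICE_ACCOUNT", svc, ", ".join(shared)))
    # Internal roles are not typically assigned to users; flag for review.
    for account, assigned in sorted(role_assignments.items()):
        for role in sorted(assigned & INTERNAL_ROLES):
            findings.append(("INTERNAL_ROLE_ASSIGNED", account, role))
    return findings


if __name__ == "__main__":
    for finding in audit(SERVICE_ACCOUNTS, ROLE_ASSIGNMENTS):
        print(finding)
```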
(Tanium 7.3.x only) Upload Tanium public key
If you are using Tanium Server 7.3.x, upload the Tanium public key. This public key enables the connection between the clients you are installing and the Tanium Server. This configuration occurs automatically with Tanium Server 7.4 and later.
- From the Client Management Overview page, click Settings.
- Click Choose File and select the tanium.pub file for your Tanium Server. The tanium.pub file is in the top-level installation directory for the Tanium Server.
- Click Upload.
Add client installation files for air-gapped environments
If you cannot enable communication between your Tanium Module Server and content.tanium.com, contact Tanium Support for help with configuring client installers on the Tanium Module Server.
Last updated: 6/22/2022 12:03 PM