Mac links

Deploying the Tanium Client to macOS endpoints

On macOS, the Tanium Client is installed as a system service. The client files are installed in the /Library/Tanium/TaniumClient directory.

Endpoints that are running macOS 10.14 (Mojave) or later require a mobile device management (MDM) profile that provides the necessary permissions for Tanium applications. For more information, see the Tanium Knowledge Base article Tanium and Apple macOS TCC (Transparency, Consent and Control) and Privacy Preferences Policy Control (PPPC) (account required).

macOS firewall rules

The Tanium Client service is signed to automatically allow communication through the default macOS firewall. The client installation process does not modify any host-based firewall that might be in use. Your network security team must ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on the port that the client uses for Tanium traffic (default 17472).

For details about port and firewall requirements for the Tanium Client, see Network connectivity, ports, and firewalls.

Table 1 lists the commands for managing firewall rules for:

  • macOS 10.12 (Sierra), 10.13 (High Sierra), 10.14 (Mojave)
  • OS X 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite), 10.11 (El Capitan)
 Table 1: Firewall commands for OS X and macOS
Tasks Commands
View port 17472 status sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps | awk '/TaniumClient/
{getline; print $0}'
Add Tanium Client to firewall sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/Tanium/TaniumClient/TaniumClient
Unblock Tanium Client in firewall sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Library/Tanium/TaniumClient/TaniumClient
Remove Tanium Client from firewall sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove /Library/Tanium/TaniumClient/TaniumClient
Block Tanium Client in firewall sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /Library/Tanium/TaniumClient/TaniumClient

Install the Tanium Client on macOS

Use the Tanium Client Management service (see Tanium Client Management User Guide), installation wizard, or CLI to install the Tanium Client. You must perform the installation as a user with an administrator account.

Prepare for installation

  1. Ensure that the macOS endpoint meets the basic requirements for the Tanium Client.
  2. Ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on the port that the client uses for Tanium traffic (default 17472). See macOS firewall rules.
  3. Sign into the macOS endpoint.

  4. Use the Tanium Client Management service to download the client installer bundle (mac-client-bundle.zip) to the macOS endpoint. The download link is available on the Client Management Overview page.For the procedure, see Tanium Client Management Guide: Download and deploy the installer bundle.

    The bundle contains the following files:

    • TaniumClient‑<version>.pkg
    • tanium‑init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)
    • install.sh

    You can also download tanium‑init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)) and request TaniumClient‑<version>.pkg from Tanium Support (see Contact Tanium Support). However, the installation process for Tanium Client 7.4 or later requires fewer manual configuration steps if you download tanium‑init.dat through Client Management.

  5. Copy the installer bundle to a temporary directory on the macOS endpoint and unzip the bundle.
  6. (Optional) Create a TaniumClient.ini file to specify the Tanium Client settings.

    Typically, an administrator creates the INI file to remove the need to configure the settings after the client is installed.

     Table 2: Basic Tanium Client settings
    ServerName or ServerNameListIn a deployment with a standalone Tanium Server, sSet the ServerName to the TaaSserver FQDN or IP address. In a deployment with Tanium Zone Servers or multiple TaaS instancesTanium Servers, configure ServerNameList with the FQDN or IP address of each instanceserver, separated with a comma.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Tanium Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. For Tanium Client 7.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following is an example of the INI file contents for an active-active deployment with Zone Servers:

    ServerNameList=taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.comts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    LogVerbosityLevel=1

  7. Copy the client installer bundle and TaniumClient.ini (if you created it) to a temporary directory on the macOS endpoint and uncompress the bundle.

Wizard installation

  1. Sign in locally to the macOS endpoint as a user with an administrator account.
  2. Double-click TaniumClient‑<version>.pkg to start the installation wizard.
  3. Respond to the wizard prompts. Specify the User Name and Password of a local administrator when the wizard prompts you for credentials.
  4. (Tanium Client 7.4 or later) Copy tanium‑init.dat from the temporary directory to the Tanium Client installation directory.
  5. Use the CLI (see CLI on Non-Windows endpoints) to configure the basic Tanium Client settings that Table 2 lists if you did not create a /Library/Tanium/TaniumClient/TaniumClient.ini file with those settings.

    The following example commands are for a deployment with multiple TaaS instancesTanium Servers and Zone Servers:

    cd <Tanium Client installation directory>
    sudo ./TaniumClient config set ServerNameList taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.comts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

    For additional settings that you can configure, see Tanium Client settings.

    Before proceeding, wait a few minutes for the Tanium Client to register with TaaS the Tanium Server or Zone Server.

  6. Verify that the client installed correctly and can communicate with TaaS the server. From the Main menu, go to Administration > Management > Client Status. If the installation and registration succeeded, the client appears in the grid.

    To find a specific Tanium Client, enter a text string in the Filter items field above the grid to filter it by Host Name or Network Location (IP address).


Command-line installation

To install the Tanium Client, you require root or sudo permissions to run the installer command. For details on using the CLI, see CLI on Non-Windows endpoints.

  1. Sign in locally to the macOS endpoint as a user with an administrator account.
  2. Open the command-line application Terminal.
  3. Install the client by running the following command in the directory into which you copied TaniumClient‑<version>.pkg:

    sudo installer -pkg TaniumClient-<version>.pkg -target /
    installer: Package name is TaniumClient
    installer: Installing at base path /
    installer: The install was successful.

  4. Use the CLI to configure the basic Tanium Client settings that Table 2 lists if you did not create a /Library/Tanium/TaniumClient/TaniumClient.ini file with those settings. The following example commands are for a deployment with multiple TaaS instancesTanium Servers and Zone Servers:

    cd <Tanium Client installation directory>
    sudo ./TaniumClient config set ServerNameList taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.comts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

    For additional settings that you can configure, see Tanium Client settings.

  5. (Tanium Client 7.4 or later) Copy tanium‑init.dat to the Tanium Client installation directory.

    Before proceeding, wait a few minutes for the Tanium Client to register with TaaS the Tanium Server or Zone Server.

  6. Verify that the client installed correctly and can communicate with TaaS the server. From the Main menu, go to Administration > Management > Client Status. If the installation and registration succeeded, the client appears in the grid.

    To find a specific Tanium Client, enter a text string in the Filter items field above the grid to filter it by Host Name or Network Location (IP address).


Manage popups for Tanium Client upgrades

When you upgrade the Tanium Client on endpoints that have a firewall turned on and that run macOS 10.14 (Mojave) or later, end users might see a pop-up prompting them to allow connections for the Tanium Client. The pop-up results from a rule that Apple added to improve user privacy by restricting third-party applications. To prevent the pop-up, instead of training users to respond to it, either configure a firewall rule (best practice) or configure the System Preferences on the endpoints. To perform the task as a batch for multiple endpoints, configure a policy or profile through a User Approved Mobile Device Management (UAMDM) tool. Contact Tanium Support if you need help ensuring that your environment is ready before the Tanium Client upgrade.

Configure an MDM policy or profile for multiple endpoints

When you configure a firewall rule or System Preferences through a policy or profile, the specific steps depend on your UAMDM. Contact Tanium Support for the procedure. The general steps are as follows:

  1. Create the policy or profile.
  2. Add a firewall or security setting to the policy or profile.
  3. Add com.tanium.taniumclient.plist to the allowed connections.

Users cannot see that the Tanium Client is allowed in the firewall unless you provide those users access to the Tanium Client installation directory. To view and manage permissions for that directory, see Client Service Hardening.

Configure a firewall rule on a single endpoint

For security, configuring a firewall rule to prevent the connections pop-up is preferable to configuring the System Preferences. However, only endpoints running macOS 10.14.4 or later support this method. You require read-only access to the /Library/Tanium/TaniumClient directory to perform this task.

  1. Go to System Preferences > Security & Privacy.
  2. Unlock the settings: Click Unlock Unlock, enter administrator credentials, and click Unlock.
  3. Add a firewall rule: Click Firewall Options, click Add +, navigate to the /Library/Tanium/TaniumClient/ directory, select taniumclient, and click Add.
  4. Click OK to apply the rule.

Configure the System Preferences on a single endpoint

All endpoints that run macOS 10.14.x or later support this method for preventing the connections pop-up.

  1. Go to System Preferences > Security & Privacy.
  2. Unlock the settings: Click Unlock Unlock, enter administrator credentials, and click Unlock.
  3. Click Firewall Options, select Automatically allow downloaded signed software to receive incoming connections, and click OK.

Manage the Tanium Client service on macOS

On the macOS endpoint, open Terminal and use the listed launchctl commands to complete the following actions:

  • Start the Tanium Client service:

    sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist

  • Stop the Tanium Client service:

    sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  • Remove the Tanium Client from the launch list:

    sudo launchctl remove com.tanium.taniumclient

Uninstall the Tanium Client on macOS

Uninstall without using a script

  1. On the macOS endpoint, open Terminal.
  2. Run the following command to stop the Tanium Client and remove it from the launch list:

    sudo launchctl remove com.tanium.taniumclient

  3. Remove the following files and directories:

    • /Library/LaunchDaemons/com.tanium.taniumclient.plist
    • /Library/LaunchDaemons/com.tanium.trace.recorder.plist
    • /Library/Tanium/TaniumClient/ (directory)
    • /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.bom
    • /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.plist
    • /var/db/receipts/com.tanium.tanium.client.bom*
    • /var/db/receipts/com.tanium.tanium.client.plist*

    * These files appear only if a version of the Tanium Client earlier than 7.2.314.3608 was installed on the endpoint.

Uninstall using a script

To uninstall the Tanium Client silently from a command line, you can use a simple shell script such as the following:

#!/bin/bash

if [[ $(/usr/bin/id -u) -ne 0 ]]; then
     echo "Not running as root or using sudo"
     exit
fi

launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
launchctl remove com.tanium.taniumclient > /dev/null 2>&1
rm /Library/LaunchDaemons/com.tanium.taniumclient.plist
rm /Library/LaunchDaemons/com.tanium.trace.recorder.plist
rm -rf /Library/Tanium/
rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.bom
rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.plist
rm /var/db/receipts/com.tanium.tanium.client.bom
rm /var/db/receipts/com.tanium.tanium.client.plist