Deploying the Tanium Client to macOS endpoints

On macOS, the Tanium Client is installed as a system service. The service is signed to automatically allow communication through the default macOS firewall. The client files are installed in the /Library/Tanium/TaniumClient directory.

macOS firewall rules

The installation process does not modify any host-based firewall that might be in use. Your network security team must ensure host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472. The following table lists the commands for managing firewall rules for:

  • macOS 10.12 (Sierra), 10.13 (High Sierra), 10.14 (Mojave)
  • OS X 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite), 10.11 (El Capitan)

Table 1: Firewall commands for OS X and macOS

  View port 17472 status:
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps | awk '/TaniumClient/ {getline; print $0}'
  Add Tanium Client to firewall:
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Library/Tanium/TaniumClient/TaniumClient
  Unblock Tanium Client in firewall:
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Library/Tanium/TaniumClient/TaniumClient
  Remove Tanium Client from firewall:
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove /Library/Tanium/TaniumClient/TaniumClient
  Block Tanium Client in firewall:
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /Library/Tanium/TaniumClient/TaniumClient

Install the Tanium Client on macOS

Use the installation wizard or CLI to install the Tanium Client. You must perform the installation as a user with an administrator account.

Prepare for installation

  1. Ensure that the macOS endpoint meets the basic requirements for the Tanium Client.
  2. Ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472: see macOS firewall rules.
  3. Sign into the macOS endpoint.
  4. Use the Tanium Client Management service to download the client installer bundle (mac-client-bundle.zip) to the macOS endpoint. For the procedure, see Tanium Client Management Guide: Download and deploy the installer bundle.

    The bundle contains the following files:

    • TaniumClient-<version>.pkg
    • tanium-init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)

    You can also download tanium-init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)) and request TaniumClient-<version>.pkg from Tanium Support (see Contact Tanium Support). However, the installation process for Tanium Client 7.4.4 or later requires fewer manual configuration steps if you download tanium-init.dat through Client Management.

  5. Copy the installer bundle to a temporary folder on the macOS endpoint and uncompress the bundle.
  6. (Optional) Create a TaniumClient.ini file to specify the Tanium Client settings.

    Typically, an administrator creates the INI file to remove the need for end users to configure the settings after they install the client.

    Table 2: Basic Tanium Client settings

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated by commas.

    If the tanium-init.dat file for Tanium Client 7.4.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList. By default, the tanium-init.dat that you download through Client Management specifies ServerNameList, while the tanium-init.dat that you download through the Tanium Console does not. For Tanium Client 7.2, 7.4.1, or 7.4.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The following decimal values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following is an example of the INI file contents for a high availability (HA) deployment with Zone Servers:

    ServerNameList=ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    LogVerbosityLevel=1

  7. Copy the client installer bundle and TaniumClient.ini (if you created it) to a temporary folder on the macOS endpoint and uncompress the bundle.

Wizard installation

  1. Sign in locally to the macOS endpoint as a user with an administrator account.
  2. Double-click TaniumClient-<version>.pkg to start the installation wizard.
  3. Respond to the prompts that the wizard presents. Specify the User Name and Password of a local administrator when the wizard prompts you for credentials.
  4. (Tanium Client 7.4 or later) Copy tanium-init.dat from the temporary folder to the Tanium Client installation folder.
  5. Use the CLI to configure the basic Tanium Client settings that Table 2 lists if you did not create a /Library/Tanium/TaniumClient/TaniumClient.ini file with those settings. See CLI on Non-Windows endpoints.

    The following example commands are for a deployment with HA Tanium Servers and Zone Servers:

    cd <Tanium Client installation folder>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

    For additional settings that you can configure, see Tanium Client settings.

    Before proceeding, wait a few minutes for the Tanium Client to register.

  6. Verify that the client installed correctly and can communicate with the Tanium Server. From the Main menu, go to Administration > Management > Client Status. If the installation and registration succeeded, the client appears in the grid.

    To find a specific Tanium Client, enter a text string in the Show Rows Containing field above the grid to filter it by Host Name or Network Location (IP address).


Command-line installation

To install the Tanium Client, you require root or sudo permissions to run the installer command. For details on using the CLI, see CLI on Non-Windows endpoints.

  1. Sign in locally to the macOS endpoint as a user with an administrator account.
  2. Install the client by running the following command in the directory into which you copied TaniumClient-<version>.pkg:

    sudo installer -pkg TaniumClient-<version>.pkg -target /
    installer: Package name is TaniumClient
    installer: Installing at base path /
    installer: The install was successful.

  3. Use the CLI to configure the basic Tanium Client settings that Table 2 lists if you did not create a /Library/Tanium/TaniumClient/TaniumClient.ini file with those settings. The following example commands are for a deployment with HA Tanium Servers and Zone Servers:

    cd <Tanium Client installation folder>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

    For additional settings that you can configure, see Tanium Client settings.

  4. (Tanium Client 7.4 or later) Copy tanium-init.dat to the Tanium Client installation folder.

    Before proceeding, wait a few minutes for the Tanium Client to register.

  5. Verify that the client installed correctly and can communicate with the Tanium Server. From the Main menu, go to Administration > Management > Client Status. If the installation and registration succeeded, the client appears in the grid.

    To find a specific Tanium Client, enter a text string in the Show Rows Containing field above the grid to filter it by Host Name or Network Location (IP address).
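As an added example, not part of this guide or of Tanium's own tooling, the following bash script checks the items the firewall table and the installation steps above call for: whether TaniumClient is allowed in the application firewall, whether TaniumClient.ini names a server, and whether tanium-init.dat and the launchd plist are in place. It parses the socketfilterfw listing the same way the guide's own awk command does (the state line follows the path line); the listing embedded at the bottom is constructed sample output, and the paths are the ones this guide documents.

```bash
#!/bin/bash
# Added example, not Tanium's own tooling: post-install checks for the Tanium
# Client on macOS. The parsers read captured output on stdin so they can be run
# offline; "--live" queries the real endpoint. Paths are those this guide uses.
TANIUM_DIR="/Library/Tanium/TaniumClient"
SFW="/usr/libexec/ApplicationFirewall/socketfilterfw"

# Firewall state of TaniumClient from `socketfilterfw --listapps` output. The
# state line follows the path line (hence the getline in the guide's command),
# so report the first Allow/Block after the entry: allow, block, unknown, absent.
fw_state_from_listapps() {
    awk '
        /\/TaniumClient\/TaniumClient/ { found = 1; next }
        found && !done {
            done = 1
            if ($0 ~ /Allow incoming connections/) print "allow"; else if ($0 ~ /Block incoming connections/) print "block"; else print "unknown"
        }
        END { if (!found) print "absent"; else if (!done) print "unknown" }
    '
}

# Server list from TaniumClient.ini on stdin: ServerNameList wins over ServerName
# (the guide treats them as alternatives); "none" means tanium-init.dat must supply it.
servers_from_ini() {
    awk -F= '
        $1 == "ServerNameList" { list = $2 }
        $1 == "ServerName"     { name = $2 }
        END { if (list != "") print list; else if (name != "") print name; else print "none" }
    '
}

# Live checks on a macOS endpoint; socketfilterfw needs sudo.
live_check() {
    local ini="$TANIUM_DIR/TaniumClient.ini"
    echo "firewall state : $(sudo "$SFW" --listapps | fw_state_from_listapps)"
    [ -r "$ini" ] && echo "servers (INI)  : $(servers_from_ini < "$ini")" || echo "servers (INI)  : none (no INI)"
    [ -f "$TANIUM_DIR/tanium-init.dat" ] && echo "tanium-init.dat: present" || echo "tanium-init.dat: missing"
    [ -f /Library/LaunchDaemons/com.tanium.taniumclient.plist ] && echo "launchd plist  : present" || echo "launchd plist  : missing"
}
# Constructed sample of `socketfilterfw --listapps` output for offline use.
SAMPLE_LISTAPPS='1 :  /Library/Tanium/TaniumClient/TaniumClient
     ( Allow incoming connections )
2 :  /Applications/Example.app/Contents/MacOS/Example
     ( Block incoming connections )'
if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "sample firewall state: $(printf '%s\n' "$SAMPLE_LISTAPPS" | fw_state_from_listapps)"
fi
```

Run it with `--live` on the endpoint after step 5; a state of "block" or "absent" points back to the Table 1 commands, and "none" for the server list means tanium-init.dat must carry ServerNameList.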


Manage popups for Tanium Client upgrades

When you upgrade the Tanium Client on endpoints that have a firewall turned on and that run macOS 10.14 (Mojave) or later, end users might see a pop-up prompting them to allow connections for the Tanium Client. The pop-up results from a rule that Apple added to improve user privacy by restricting third-party applications. To prevent the pop-up, instead of training users to respond to it, either configure a firewall rule (best practice) or configure the System Preferences on the endpoints. To perform the task as a batch for multiple endpoints, configure a policy or profile through a User Approved Mobile Device Management (UAMDM) tool. Contact Tanium Support if you need help ensuring that your environment is ready before the Tanium Client upgrade.

Configure an MDM policy or profile for multiple endpoints

When you configure a firewall rule or System Preferences through a policy or profile, the specific steps depend on your UAMDM. Contact Tanium Support for the procedure. The general steps are as follows:

  1. Create the policy or profile.
  2. Add a firewall or security setting to the policy or profile.
  3. Add com.tanium.taniumclient.plist to the allowed connections.

Users cannot see that the Tanium Client is allowed in the firewall unless you provide those users access to the Tanium Client installation folder.

Configure a firewall rule on a single endpoint

For security, configuring a firewall rule to prevent the connections pop-up is preferable to configuring the System Preferences. However, only endpoints running macOS 10.14.4 or later support this method. You require read-only access to the /Library/Tanium/TaniumClient folder to perform this task.

  1. Go to System Preferences > Security & Privacy.
  2. Unlock the settings: Click Unlock, enter administrator credentials, and click Unlock.
  3. Add a firewall rule: Click Firewall Options, click Add +, navigate to the /Library/Tanium/TaniumClient/ folder, select taniumclient, and click Add.
  4. Click OK to apply the rule.

Configure the System Preferences on a single endpoint

All endpoints that run macOS 10.14.x support this method for preventing the connections pop-up.

  1. Go to System Preferences > Security & Privacy.
  2. Unlock the settings: Click Unlock, enter administrator credentials, and click Unlock.
  3. Click Firewall Options, select Automatically allow downloaded signed software to receive incoming connections, and click OK.

Manage the Tanium Client service on macOS

On the macOS endpoint, open the command-line application Terminal and use the launchctl command to manage the Tanium Client service.

To start the Tanium Client service:

sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist

To stop the Tanium Client service:

sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

To remove the Tanium Client from the launch list:

sudo launchctl remove com.tanium.taniumclient

Uninstall the Tanium Client on macOS

On the macOS endpoint, open the command-line application Terminal and use the launchctl remove command to stop the Tanium Client and remove it from the launch list:

sudo launchctl remove com.tanium.taniumclient

To finish uninstalling the Tanium Client, remove the following file resources.

  .plist file: /Library/LaunchDaemons/com.tanium.taniumclient.plist
  Tanium Client folder: /Library/Tanium/TaniumClient/

To uninstall the Tanium Client silently from a command line, you can use a simple shell script such as the following:

#!/bin/bash
# Silent uninstall of the Tanium Client on macOS. Must run as root (or via sudo).

if [[ $(/usr/bin/id -u) -ne 0 ]]; then
    echo "Not running as root or using sudo" >&2
    exit 1
fi

# Stop the service and remove it from the launch list.
launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
launchctl remove com.tanium.taniumclient > /dev/null 2>&1

# Remove the launchd plists, the client folder, and the package receipts.
rm -f /Library/LaunchDaemons/com.tanium.taniumclient.plist
rm -f /Library/LaunchDaemons/com.tanium.trace.recorder.plist
rm -rf /Library/Tanium/
rm -f /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.bom
rm -f /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.plist