Mac links
Deploying the Tanium Client to macOS endpoints
The Taniumâ„¢ Client is installed as a system service. The Tanium Client files are installed by default in the /Library/Tanium/TaniumClient directory. On macOS, the service is signed to allow communication through the default macOS firewall automatically.
You can use the Tanium Client Deployment Tool (CDT) as described in the following steps to generate an ISO file that contains the Tanium public key file and Tanium Client configuration settings to support manual installation.
Create a TaniumClient.ini file
The installer can use a TaniumClient.ini file to generate the equivalent configuration in the Tanium Client 7.2 or later configuration database.
Create a TaniumClient.ini file that has at least the Tanium Server name or ServerNameList values. You can also include LogVerbosityLevel or ReportingTLSMode. For example:
LogVerbosityLevel=1
ReportingTLSMode=2
ServerNameList=ts1.example.com,ts2.example.com
If you use the CDT to generate an ISO for a Tanium Client 6.0, include the Version setting. For example, Version=6.0.314.1579. Tanium Client 7.2 does not require explicitly setting the version.
Create the Tanium Client ISO package
- Open the CDT and select Clients > Generate Archive.
- Set the Platform to osx.
- Click Add and select the TaniumClient.ini file. The tanium.pub file is included automatically.
- Click OK and then save the ISO file.
Execute the Tanium Client installer
To install the Tanium Client, you must install the package file as an Administrator. The .pkg, .pub, and .ini files must be in the same directory (as they are in the .iso file).
If you encounter issues when deploying the Tanium Client, examine the Tanium Client installation log (see Tanium Client installation log).
Wizard installation
- Copy the .iso file to a location on the target computer.
- Double-click the .iso file to display its contents.
- Double-click the .pkg file to open it with the default application for its type (Installer). The installation wizard then opens.
- Complete the wizard. When prompted, you must provide a local administrator username and password.
Command-line installation
- Copy the .iso file to a location on the target computer.
- Mount the .iso file so you can execute the contents therein.
- Use the installer command to install the package (root or sudo permissions required).
The following example shows the command-line sequence:
test-docs$ hdiutil mount Tanium_OSX.iso
/dev/disk1 /Volumes/Tanium_OSX
test-docs$ cd /Volumes/Tanium_OSX/
test-docs$ ls
TaniumClient-7.2.314.3518.pkg
tanium.pub
TaniumClient.ini
test-docs$ sudo installer -pkg TaniumClient-7.2.314.3518.pkg -target /
installer: Package name is TaniumClient-7.2.314.3518
installer: Installing at base path /
installer: The install was successful. - Configure basic Tanium Client settings (for details, see Tanium Client settings).
ServerName or ServerNameList Tanium Server FQDN or IP address. LogVerbosityLevel The following decimal values are best practices for specific use cases:
- 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
- 1: This is the best practice value during normal operation.
- 41: This is the best practice value during troubleshooting.
- 91 or higher: Enable the most detailed log levels for short periods of time only.
Version (Tanium Client 6.0 only) The Tanium Client version number. The steps to configure the settings depend on the Tanium Client version:
- Tanium Client 6.0: Edit the /Library/Tanium/TaniumClient/TaniumClient.ini file. The following is an example of the file contents:
Version=6.0.314.1579
ServerNameList=ts1.example.com,ts2.example.com LogVerbosityLevel=1- Tanium Client 7.2: Issue the following CLI commands (for details, see Non-Windows). For version 7.2, you do not have to configure the version.
cmd-prompt> cd <Tanium Client>
cmd-prompt> sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com cmd-prompt> sudo ./TaniumClient config set LogVerbosityLevel 1
Manage popups for Tanium Client upgrades
When you upgrade the Tanium Client on endpoints that have a firewall turned on and that run macOS 10.14 (Mojave) or later, end users might see a pop-up prompting them to allow connections for the Tanium Client. The pop-up results from a rule that Apple added to improve user privacy by restricting third-party applications. If you want to prevent the pop-up, instead of training users to respond to it, either configure a firewall rule (best practice) or configure the System Preferences on the endpoints. If you want to perform the task as a batch for multiple endpoints instead of individually on each endpoint, you can use User Approved MDM (UAMDM) enrollment to create a policy or profile. If you need help ensuring that your environment is ready before the Tanium Client upgrade, consult your Tanium Technical Account Manager (TAM).
Configure a firewall rule
For security, configuring a firewall rule to prevent the connections pop-up is preferable to configuring the System Preferences. However, only endpoints running macOS 10.14.4 or later support this method. Unless you use a mobile device management (MDM) product to push the rule as a policy, you require read-only access to the /Library/Tanium/TaniumClient folder to perform this task.
If you use an MDM product to push the rule as a policy, users cannot see that the Tanium Client is whitelisted in the firewall unless you provide those users access to the Tanium Client installation folder.
If you use an MDM product to push the rule as a profile, it automatically enables the Automatically allow downloaded signed software to receive incoming connections option in the System Preferences.
- Go to System Preferences > Security & Privacy.
- Unlock the settings: Click Unlock
, enter administrator credentials, and click Unlock. - Add a firewall rule: Click Firewall Options, click Add +, navigate to the /Library/Tanium/TaniumClient/ folder, select taniumclient, and click Add.
- Click OK to apply the rule.
Configure the System Preferences
All endpoints that run macOS 10.14.x support this method for preventing the connections pop-up.
- Go to System Preferences > Security & Privacy.
- Unlock the settings: Click Unlock , enter administrator credentials, and click Unlock.
- Click Firewall Options, select Automatically allow downloaded signed software to receive incoming connections, and click OK.
Manage the Tanium Client service on macOS
Use the launchctl command to manage the Tanium Client service.
To start the Tanium Client service:
sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist
To stop the Tanium Client service:
sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
To remove the Tanium Client from the launch list:
sudo launchctl remove com.tanium.taniumclient
Uninstall the Tanium Client on macOS
The following launchctl remove command stops the Tanium Client and removes it from the launch list:
sudo launchctl remove com.tanium.taniumclient
To finish uninstalling the Tanium Client, remove the following file resources.
| .plist file | /Library/LaunchDaemons/com.tanium.taniumclient.plist |
| Tanium Client folder | /Library/Tanium/TaniumClient/ |
To uninstall the Tanium Client silently from a command line, you can use a simple shell script such as the following:
#!/bin/bash
if [[ $(/usr/bin/id -u) -ne 0 ]]; then
echo "Not running as root or using sudo"
exit
fi
launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
launchctl remove com.tanium.taniumclient > /dev/null 2>&1
rm /Library/LaunchDaemons/com.tanium.taniumclient.plist
rm /Library/LaunchDaemons/com.tanium.trace.recorder.plist
rm -rf /Library/Tanium/
rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.bom
rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.plist
Last updated: 10/15/2019 2:24 PM | Feedback