Mac links
Deploying the Tanium Client to macOS endpoints
On macOS, the Tanium Client is installed as a system service. The service is signed to automatically allow communication through the default macOS firewall. The client files are installed in the /Library/Tanium/TaniumClient directory.
Install the Tanium Client on macOS
Use the installation wizard or CLI to install the Tanium Client. You must perform the installation as a user with an administrator account.
Prepare for installation
- Get the installation package file (TaniumClient-<version>.pkg) from your Technical Account Manager (TAM).
- Download the tanium-init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2 or earlier) from the Tanium Server: see Tanium Console User Guide: Download infrastructure configuration files (keys).
- Create a TaniumClient.ini file to specify the Tanium Client settings. This file is required for Tanium Client 6.0 and optional for version 7.2 or later.
Typically, an administrator creates the .ini file to remove the need for end users to configure the settings after they install the client. The .ini file must specify at least the ServerName or ServerNameList and (for Tanium Client 6.0) the client Version, as described in the following table. For details on all the settings that you can configure, see Tanium Client settings.
The following is an example of the .ini file contents for an HA deployment with Zone Servers:
Version=6.0.314.1579
ServerNameList=ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
LogVerbosityLevel=1 - Copy the following files to a temporary folder on the macOS endpoint:
- TaniumClient-<version>.pkg
- tanium-init.dat (Tanium Client 7.4 or later)
- tanium.pub (Tanium Client 7.2 or earlier)
- TaniumClient.ini (if you created the file)
Wizard installation
- Log in locally to the macOS endpoint.
- Double-click TaniumClient-<version>.pkg to start the installation wizard.
- Respond to the prompts that the wizard presents. Specify the User Name and Password of a local administrator when the wizard prompts you for credentials.
- (Tanium Client 7.4 or later) Copy tanium-init.dat from the temporary folder to the Tanium Client installation folder.
- Wait a few minutes for the Tanium Client to register, and then go to Administration > System Status to verify that the client installed correctly and can communicate with the Tanium Server. If the installation and registration succeeded, the client appears in the grid.
To find a specific Tanium Client, enter a text string in the Show Rows Containing field above the grid to filter it by Host Name or IP address.
Command-line installation
To install the Tanium Client, you require root or sudo permissions to run the installer command. For details on using the CLI, see CLI on Non-Windows endpoints.
- Log in locally to the macOS endpoint.
- Install the client by running the following command in the directory into which you copied TaniumClient-<version>.pkg:
sudo installer -pkg TaniumClient-<version>.pkg -target /
installer: Package name is TaniumClient
installer: Installing at base path /
installer: The install was successful. - (Tanium Client 7.2 or later) Use the CLI to configure the basic Tanium Client settings described in Table 1 if they are not already defined in the /Library/Tanium/TaniumClient/TaniumClient.ini file.
The following example commands are for a deployment with HA Tanium Servers and Zone Servers:
cd <Tanium Client>
sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
sudo ./TaniumClient config set LogVerbosityLevel 1 - (Tanium Client 7.4 or later) Copy tanium-init.dat to the Tanium Client installation folder.
- Wait a few minutes for the Tanium Client to register, and then go to Administration > System Status to verify that the client installed correctly and can communicate with the Tanium Server. If the installation and registration succeeded, the client appears in the grid.
To find a specific Tanium Client, enter a text string in the Show Rows Containing field above the grid to filter it by Host Name or IP address.
Manage popups for Tanium Client upgrades
When you upgrade the Tanium Client on endpoints that have a firewall turned on and that run macOS 10.14 (Mojave) or later, end users might see a pop-up prompting them to allow connections for the Tanium Client. The pop-up results from a rule that Apple added to improve user privacy by restricting third-party applications. To prevent the pop-up, instead of training users to respond to it, either configure a firewall rule (best practice) or configure the System Preferences on the endpoints. To perform the task as a batch for multiple endpoints, configure a policy or profile through a User Approved Mobile Device Management (UAMDM) tool. If you need help ensuring that your environment is ready before the Tanium Client upgrade, consult your Tanium Technical Account Manager (TAM).
Configure an MDM policy or profile for multiple endpoints
When you configure a firewall rule or System Preferences through a policy or profile, the specific steps depend on your UAMDM. Consult your TAM for the procedure. The general steps are as follows:
- Create the policy or profile.
- Add a firewall or security setting to the policy or profile.
- Add com.tanium.taniumclient.plist to the allowed connections.
Users cannot see that the Tanium Client is whitelisted in the firewall unless you provide those users access to the Tanium Client installation folder.
Configure a firewall rule on a single endpoint
For security, configuring a firewall rule to prevent the connections pop-up is preferable to configuring the System Preferences. However, only endpoints running macOS 10.14.4 or later support this method. You require read-only access to the /Library/Tanium/TaniumClient folder to perform this task.
- Go to System Preferences > Security & Privacy.
- Unlock the settings: Click Unlock
, enter administrator credentials, and click Unlock. - Add a firewall rule: Click Firewall Options, click Add +, navigate to the /Library/Tanium/TaniumClient/ folder, select taniumclient, and click Add.
- Click OK to apply the rule.
Configure the System Preferences on a single endpoint
All endpoints that run macOS 10.14.x support this method for preventing the connections pop-up.
- Go to System Preferences > Security & Privacy.
- Unlock the settings: Click Unlock , enter administrator credentials, and click Unlock.
- Click Firewall Options, select Automatically allow downloaded signed software to receive incoming connections, and click OK.
Manage the Tanium Client service on macOS
Use the launchctl command to manage the Tanium Client service.
To start the Tanium Client service:
sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist
To stop the Tanium Client service:
sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
To remove the Tanium Client from the launch list:
sudo launchctl remove com.tanium.taniumclient
Uninstall the Tanium Client on macOS
The following launchctl remove command stops the Tanium Client and removes it from the launch list:
sudo launchctl remove com.tanium.taniumclient
To finish uninstalling the Tanium Client, remove the following file resources.
| .plist file | /Library/LaunchDaemons/com.tanium.taniumclient.plist |
| Tanium Client folder | /Library/Tanium/TaniumClient/ |
To uninstall the Tanium Client silently from a command line, you can use a simple shell script such as the following:
#!/bin/bash
if [[ $(/usr/bin/id -u) -ne 0 ]]; then
echo "Not running as root or using sudo"
exit
fi
launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
launchctl remove com.tanium.taniumclient > /dev/null 2>&1
rm /Library/LaunchDaemons/com.tanium.taniumclient.plist
rm /Library/LaunchDaemons/com.tanium.trace.recorder.plist
rm -rf /Library/Tanium/
rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.bom
rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.plist
Last updated: 5/12/2020 2:05 PM | Feedback