Deploying the Tanium Client using an installer or package file

Download installation packages for the Tanium Client from Client Management and install the client on endpoints.

If you are deploying the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, or if your organization has a preferred standard software package deployment tool, you can use an installer or package file to deploy the Tanium Client.

Use Client Management to create a client configuration and then download an installation bundle for use in alternative deployment. If you are using Tanium Server 7.5 or later, the tanium-init.dat file that is contained in this bundle includes the ServerNameList, ServerPort, Log Level, and any other client settings and tags from the client configuration. For the procedure, see Create a client configuration.

You can also deploy the Tanium Client using the Client Management service. For more information, see Deploying the Tanium Client using Client Management.

If you are deploying the Tanium Client to virtual desktop infrastructure (VDI) instances or other endpoints with limited resources, you might need to adjust certain client settings to help to reduce resource usage. For more information, see Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources.

If you use an operating system (OS) image to deploy an OS to new endpoints, you can install the Tanium Client on the template image (as described in this section) and perform additional steps to prepare the Tanium Client for deployment through the image. For the procedures to prepare OS images that include the Tanium Client, see Preparing the Tanium Client on OS images.

Download installation packages for the Tanium Client

Download Tanium Client installation packages for each operating system from the Tanium Client Management Overview page:

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. Click Download Windows Package, Download macOS Package, or Download Linux Package.

To obtain the installers for Solaris or AIX, contact Tanium Support.

Deploy the Tanium Client to Windows endpoints using the installer

For additional Windows information, see the following sections:

You can use the installation wizard, client command-line interface (CLI), or third-party software distribution tools, such as System Center Configuration Manager (SCCM), to deploy the Tanium Client to Windows endpoints. For details on using a third-party tool with Tanium installers, refer to the documentation for that tool.

If you encounter issues when deploying the Tanium Client, examine the Tanium Client installation log.

All these deployment methods use the Tanium Client installer SetupClient.exe, which makes the following changes to the target endpoints:

  • Creates the Tanium Client installation directories for the client application files and related content files.
  • Creates the Tanium Client Windows registry key along with an initial set of registry values.
  • Adds the Tanium Client program to the Windows Add/Remove Programs list.
  • Creates the Tanium Client service with a Startup Type set to Automatic.

For information about managing the Tanium Client service or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on Windows.

Prepare for installation

  1. Ensure that the Windows endpoint meets the basic requirements for the Tanium Client.
  2. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.

  3. Use the Tanium Client Management service to download the client installer bundle (windows-client-bundle.zip) to the Windows endpoint. The download link is available on the Client Management Overview page.For the procedure, see Download the installation bundle or tanium-init.dat file for alternative deployment.

    The bundle contains includes the following files for Windows installations:

    • install.bat
    • SetupClient.exe
    • tanium‑init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)

    You can also download tanium‑init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)) and request SetupClient.exe from Tanium Support (see Contact Tanium Support). However, the installation process for Tanium Client 7.4 or later requires fewer manual configuration steps if you download tanium‑init.dat through Client Management.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  4. Copy the installer bundle to a temporary directory on the Windows endpoint and unzip the bundle. Make sure to keep the tanium‑init.dat in the same directory as SetupClient.exe.

Installation wizard

  1. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.
  2. Right-click SetupClient.exe and select Run as administrator to start the wizard.

  3. Respond to the wizard prompts. The values that you enter depend on the client version and the source of the installation files:

    • Tanium Client 7.4 or later: If you used Client Management to download tanium‑init.dat and the file is in the same directory as SetupClient.exe, the wizard prompts you to accept the license agreement and select an installation directory, and then automatically configures the remaining settings. The installer uses default values, or if you are using Tanium Server 7.5 or later and installing Tanium Client 7.4.7 or later, the settings configured in the installation bundle. Otherwise, you must manually specify the Initialization File (tanium‑init.dat) and other settings.

      To configure custom values instead of default values, move tanium‑init.dat to a different directory than SetupClient.exe before starting the wizard. The wizard then prompts you to specify the settings.

    • Tanium Client 7.2: Specify the Public Key File (tanium.pub), TLS Mode, and other settings.


    Respond to the wizard prompts to accept the license agreement, select an installation directory, and complete the installation.

  4. (Optional) Use the CLI on Windows endpoints to configure additional Tanium Client settings that you did not set through the installation wizard. For information about configuring additional settings at a later time, see Modify client settings.
  5. Wait a few minutes for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Command-line interface (CLI)

You can use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on Windows endpoints.

The install.bat file provides an example of a script that installs the Tanium Client silently. By default, the script checks for administrative access and runs a silent express installation. You can modify this script with other arguments that are necessary for your environment. You can then use the modified script for automated deployment of the Tanium Client.

If User Account Control (UAC) is enabled and you are using an account other than the default Administrator account, you must run the install.bat script as an Administrator to prevent a UAC prompt when the script runs the Tanium Client installer.

  1. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.

  2. Access the endpoint command prompt.

    If User Account Control (UAC) is enabled and you are using an account other than the default Administrator account, open the command prompt as an Administrator to prevent a UAC prompt when you run the Tanium Client installer.

  3. Navigate to the directory where the Tanium Client installer resides.

  4. Use the following command to run the Tanium Client installer.

    SetupClient.exe /ServerAddress={<FQDN|IPaddress>}[,{<FQDN|IPaddress>},...] [/ServerPort=<PortNumber>] [/LogVerbosityLevel=<LogLevel>] [/KeyPath=<FullPath>\[tanium‑init.dat|tanium.pub] [/ReportingTLSMode=[0|1|2]] [/ProxyAutoConfigAddress=<URL/filename.pac>] [/ProxyServers=<FQDN|IPaddress:PortNumber>] [/S] [/D=<DirectoryPath>]

    SetupClient.exe [/LogVerbosityLevel=<LogLevel>] [/ProxyAutoConfigAddress=<URL/filename.pac>] [/ProxyServers=<FQDN|IPaddress:PortNumber>] [/S] [/D=<DirectoryPath>]

    Table 1 describes the arguments for the SetupClient.exe command.

    Before running the installer, determine which installation type to use based on whether the Tanium Client requires default or custom settings:

    • Express: The installer uses settings configured in the tanium-init.dat file (Tanium Server 7.5 or later with Tanium Client 7.4.7 or later) or otherwise the default values, except for ServerNameList default values and requires only the following arguments:/S argument to specify silent installation.
      • /ServerAddress sets the ServerNameList and is required for Tanium Client 7.2. It is required for Tanum Client 7.4 only if tanium‑init.dat does not specify ServerNameList. By default, the tanium‑init.dat that you download through Client Management specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not.
      • /KeyPath specifies the full path of the tanium‑init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2) and is required only if the file is not in the same directory as SetupClient.exe.
      • /S specifies silent installation and is required for express installation of any Tanium Client version.
    • Custom: Specify the arguments from Table 1 for settings that require custom values instead of settings configured in the tanium-init.dat file or default valuesdefault values. If you omit the /S argument, the Tanium Client installation wizard opens and prompts you to configure the settings.

    Table 2 shows examples of how to use the CLI for express and custom installations.

    To configure settings other than those that Table 1 describes, see Modify client settings.

  5. Wait a few minutes for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)
 Table 1: Tanium Client installation command syntax
Argument Guidance
/ServerAddress

Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect.

Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.Fully qualified domain names (FQDNs) or IP addresses of the Tanium Servers. In a deployment with Zone Servers, add their FQDNs or IP addresses. Using internally defined FQDNs or aliases is strongly recommended. Use a comma to separate the entry for each FQDNserver.

If you specify one value for this option, it populates the ServerName registry entry. If When you specify multiple values, they populate the ServerNameList registry entry.

For Tanium Client 7.4 or later, omit /ServerAddress during the initial installation if the tanium‑init.dat file specifies the ServerNameList (see the client installation types). If tanium‑init.dat does not specify the ServerNameList, or you are installing Tanium Client 7.2, you must include /ServerAddress during installation. You can omit this argument when reinstalling or upgrading any version of the client.

You can optionally set the port that the Tanium Client uses to communicate with the Tanium Server by appending :<port_number> to the server address (for example, ts1.local.com:12345). The /ServerAddress port overrides the /ServerPort value.
/ServerPort The port that the Tanium Client uses for communication with the Tanium Server and with peers. When using Tanium Server 7.5 or later and installing Tanium Client 7.4.7 or later, you can omit this argument if the tanium-init.dat file came from a Client Management client configuration. If you omit this argument and the tanium-init.dat file does not supply this setting, the Tanium Client uses the default port, 17472. For details, see ServerPort.
/LogVerbosityLevel

The level of logging on the endpoint. When using Tanium Server 7.5 or later and installing Tanium Client 7.4.7 or later, you can omit this argument if the tanium-init.dat file came from a Client Management client configuration. If you omit this argument and the tanium-init.dat file does not supply this setting, the Tanium Client uses the default value of 1.

The following values are best practices for specific use cases:

  • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1 (default): Use this value during normal operation.
  • 41: Use this value during troubleshooting.
  • 91 or higher: Use this value for full logging, for short periods of time only.
/KeyPath

The full path and file name that the Tanium Client installer program uses to locate the tanium‑init.dat file (Tanium Client 7.4 or later) or tanium.pub file (Tanium Client 7.2) and copy it to the Tanium Client installation directory.

Typically, the tanium-init.dat file included with the installation package is located in the same directory as the installer and you omit this argument. Only include this argument in a specific case where you cannot provide the tanium-init.dat file in the same directory as the installer.

No quotation marks are necessary, except to enclose path or file names with spaces. The KeyPath argument requires a fully qualified path name when the installer runs directly from a command prompt. However, in a batch file, you can use the batch file command variable %~dp0 to expand a relative path before passing the KeyPath value to SetupClient.exe. For example: /KeyPath=%~dp0<My\Relative\Path>\tanium‑init.dat

If you omit the KeyPath argument for silent installations (/S argument), the tanium‑init.dat or tanium.pub file must be in the same directory as SetupClient.exe.
/S Run the installation command silently, which means the Tanium Client installation wizard does not open and prompt you to configure settings.

If you include this argument without specifying the /KeyPath argument, tanium‑init.dat (Tanium Client 7.4 or later) or tanium.pub (Tanium Client 7.2) must be in the same directory as SetupClient.exe.

For examples of how to run silent installations, see Table 2.
/D

Sets the destination path for the Tanium Client installation directory. No quotation marks are necessary to enclose path names with spaces. Because environment variables are expanded, the argument value can include path variables, such as %programfiles%.

  • Because the value of this argument can include spaces, it must be the last argument on the command line if you include it. This includes appearing after the /S argument if you also include that argument.

  • You must install the Tanium Client on a local fixed drive.

If you omit this argument, the installer uses a default directory based on whether the endpoint is running a 64-bit or 32-bit version of Windows:

  • 64-bit versions of Windows\Program Files (x86)\Tanium\Tanium Client
  • 32-bit versions of Windows\Program Files\Tanium\Tanium Client

For an example commmand that includes the /D argument, see Tanium Client installation command examples.

If you are using the command line to reinstall or upgrade an existing Tanium Client, you cannot change the installation directory. The installer ignores this argument and automatically reinstalls or upgrades the Tanium Client in the existing directory, whether it is the default directory or a custom directory.
/ReportingTLSMode This setting applies only to Tanium Client 7.2. The possible values are:
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

If you plan to use TLS, initially set this option to 2 (optional). When TLS is optional, the Tanium Client tries to connect over TLS. If the TLS connection fails, the client tries a non-TLS connection.
/ProxyAutoConfigAddress Include this setting if the Tanium Client connects to Tanium Cloud the Tanium Server or Zone Server through a Hypertext Transfer Protocol Secure (HTTPS) proxy server. The setting specifies the URL and file name of a proxy auto configuration (PAC) file that the client can access. Specify the value in the format http[s]://<URL>/<file name>.pac. The client downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular Tanium Cloud Client Edge URLserver. If no proxy is available, the client ignores the setting and connects directly to Tanium Cloud the Tanium Server or Zone Server. For details, see Configure proxy connections with a PAC file.
/ProxyServers Include this setting if the Tanium Client connects to Tanium Cloud the Tanium Server or Zone Server through an HTTPS proxy server but cannot access a PAC file. The setting specifies the IP address or FQDN, and port number, of the HTTPS proxy server. You can specify multiple proxies as a comma-separated list in the format "<proxy1>:<port>,...,<proxyN>:<port>". The client tries to connect to the proxies in the order that you list them. After any single connection succeeds, the client stops trying to connect with more proxies. If no proxy is available, the client ignores the setting and connects directly to Tanium Cloud the Tanium Server or Zone Server. For details, see Configure proxy connections without a PAC file.

The following are examples of using the CLI command to install the Tanium Client.

For Tanium Client 7.4 or later, omit the /ServerAddress argument if the tanium‑init.dat file came from a Client Management installation bundle. For details, see the client installation types.

For Tanium Client 7.5 or later, also omit the /ServerPort and /LogVerbosityLevel arguments if the tanium‑init.dat file came from a Client Management installation bundle.

 Table 2: Tanium Client installation command examples
Example Description
Silent express installation In an express installation, SetupClient.exe installs and configures the Tanium Client with default values for all the arguments.arguments, except /ServerAddress when it is not specified by tanium-init.dat. Before starting, make sure that the Tanium initialization file tanium‑init.dat or public key file tanium.pub is in the same directory as SetupClient.exe.

SetupClient.exe /ServerAddress=ts1.example.com /S

SetupClient.exe /ServerAddress=192.168.1.10 /S

SetupClient.exe /S

In a deployment with Zone Servers or multiple Tanium Servers, specify each server in /ServerAddress:

In specific cases where you need to specify server addressees, specify the FQDN for each Tanium Cloud Client Edge URL in /ServerAddress:

SetupClient.exe /ServerAddress=^
taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.comts1.example.com,ts2.example.com,zs1.example.com /S
Silent custom installation

The following example specifies a non-default valuevalues in a silent installation:

SetupClient.exe /ServerAddress=ts1.example.com ^
/ServerPort=63422 /LogVerbosityLevel=1 /S

To use a custom installation directory, add the /D parameter. Note that it must be the last argument in the command, even when you include /S.

SetupClient.exe /ServerAddress=ts1.example.com ^
/ServerPort=63422 /LogVerbosityLevel=1 /S ^
/D=C:\Custom Installation Directory\Tanium\Tanium Client

Silent installation TLS option The following example specifies non-default values for a silent installation of Tanium Client 7.2:

SetupClient.exe /ServerAddress=ts1.example.com /ServerPort=63422 ^
/LogVerbosityLevel=0 /ReportingTLSMode=1 /S
Batch file format When you run a batch file, the Windows command interpreter expands the variable %~dp0 to the full drive and path name of the batch file working directory. The following example of a batch file instruction performs a silent installation:

"%~dp0SetupClient.exe" /ServerAddress=ts1.example.com ^
/ServerPort=28583 /S

Deploy the Tanium Client to macOS endpoints using the installer

For additional macOS information, see the following sections:

On macOS endpoints, the Tanium Client is installed as a system service. The client files are installed in the /Library/Tanium/TaniumClient directory.

You can use the installation wizard or CLI to deploy the Tanium Client to macOS endpoints. You must perform the installation as a user with an administrator account.

You cannot install the universal version of the macOS Tanium Client on an endpoint where the x86-64 version is already installed. You must first uninstall the existing Tanium Client.

For information about managing the Tanium Client service, managing firewall rules or pop-ups, or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on macOS.

Prepare for installation

  1. Ensure that the macOS endpoint meets the basic requirements for the Tanium Client.
  2. Ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the portsport that the client uses for peer Tanium Client traffic (default 17472). See Manage macOS firewall rules.

  3. (macOS 10.14 or later only) Create a mobile device management (MDM) profile that provides the necessary permissions for the following Tanium applications:

    Application Location Required Permissions Apple Events
    Tanium Client /Library/Tanium/TaniumClient/TaniumClient All System Files, Admin System Files, Post Events System Events, SystemUIServer, Finder
    Tanium Client Extensions /Library/Tanium/TaniumClient/TaniumCX All System Files, Admin System Files, Post Events System Events, SystemUIServer, Finder
    Tanium End User Notifications /Library/Tanium/EndUserNotifications/bin/end-user-notifications.app Post Events System Events, SystemUIServer, Finder

    An MDM administrator must create a Privacy Preferences Policy Control (PPPC) custom payload that specifies the necessary permissions for each application. The PPPC custom payload must be delivered using a User-Approved MDM (UAMDM) payload in a device profile.

    If you use Mac Device Configuration Profile policies in Tanium Enforce 2.3 or later, the PPPC payload is available in each policy. See Tanium Enforce User Guide: Create a Mac Device Configuration Profile policy.

    The team identifier for Tanium applications is TZTPM3VTUU.

    If you previously created a PPPC custom payload for a version of the Tanium Client earlier than 7.2.314.3608, you must update the code signing requirement for version 7.2.314.3608 or later.

    For more information about MDM on macOS, see Apple Platform Deployment.

  4. Sign in to the macOS endpoint.

  5. Use the Tanium Client Management service to download the client installer bundle (mac-client-bundle.zip) to the macOS endpoint. The download link is available on the Client Management Overview page.For the procedure, see Download the installation bundle or tanium-init.dat file for alternative deployment.

    The bundle contains includes the following files for macOS installations:

    • TaniumClient‑<version>-universal.pkg
    • TaniumClient‑<version>-x64.pkg
    • tanium‑init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)
    • install.sh

    You can also download tanium‑init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)) and request TaniumClient‑<version>.pkg from Tanium Support (see Contact Tanium Support). However, the installation process for Tanium Client 7.4 or later requires fewer manual configuration steps if you download tanium‑init.dat through Client Management.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  6. Copy the installer bundle to a temporary directory on the macOS endpoint and unzip the bundle. Make sure to keep the tanium‑init.dat in the same directory as the installer pacakges.

Installation wizard

  1. Sign in locally to the macOS endpoint as a user with an administrator account.

  2. Double-click TaniumClient‑<version>-universal.pkg or TaniumClient‑<version>-x64.pkg to start the installation wizard.

    Tanium recommends the universal binary for all Mac computers running macOS 11 or later. The universal binary is supported and runs natively on both Intel-based Mac computers running macOS 11 or later and Apple "M" series-based Mac computers.

  3. Respond to the wizard prompts. Specify the User Name and Password of a local administrator when the wizard prompts you for credentials.

  4. (For tanium-init.dat files that do not include client settings or for Tanium Client 7.2 installations) Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated with a comma. Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. You can use the TaniumClient pki show <path_to_tanium-init.dat> command on an endpoint where Tanium Client 7.4.5 or later is already installed to view the ServerNameList that the tanium-init.dat file specifies. For Tanium Client 7.2, you must specify ServerName or ServerNameList.
    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment with multiple Tanium Servers and Zone Servers:


    sudo /Library/Tanium/TaniumClient/TaniumClient config set ServerNameList \
    ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo /Library/Tanium/TaniumClient/TaniumClient config set LogVerbosityLevel 1

  5. (Tanium Client 7.4 or later) Use the following command to copy tanium‑init.dat from the temporary directory to the Tanium Client installation directory:

    sudo cp <extracted installer bundle directory>/tanium-init.dat /Library/Tanium/TaniumClient

  6. Wait a few minutes for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Command-line interface (CLI)

To install the Tanium Client, you must have root or sudo permissions to run the installer command. For details on using the CLI, see CLI on non-Windows endpoints.

The install.sh file provides an example of a script that performs a CLI installation of the Tanium Client. By default, the script checks for a supported version of macOS, installs the Tanium Client, and copies the tanium‑init.dat file. You can modify this script with CLI commands that configure the Tanium Client settings that are necessary for your environment. You can then use the modified script for automated deployment of the Tanium Client. To run the install.sh script, you must have root or sudo permissions.

  1. Sign in locally to the macOS endpoint as a user with an administrator account.
  2. Open Terminal.

  3. Run the following command in the directory into which you copied TaniumClient‑<version>-universal.pkg or TaniumClient‑<version>-x64.pkg to install the client :

    sudo installer -pkg TaniumClient-<version>-binary.pkg -target /
    installer: Package name is TaniumClient
    installer: Installing at base path /
    installer: The install was successful.

    Tanium recommends the universal binary for all Mac computers running macOS 11 or later. The universal binary is supported and runs natively on both Intel-based Mac computers running macOS 11 or later and Apple "M" series-based Mac computers.

  4. (For tanium-init.dat files that do not include client settings or for Tanium Client 7.2 installations) Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated with a comma. Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. You can use the TaniumClient pki show <path_to_tanium-init.dat> command on an endpoint where Tanium Client 7.4.5 or later is already installed to view the ServerNameList that the tanium-init.dat file specifies. For Tanium Client 7.2, you must specify ServerName or ServerNameList.
    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment with multiple Tanium Servers and Zone Servers:


    sudo /Library/Tanium/TaniumClient/TaniumClient config set ServerNameList \
    ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo /Library/Tanium/TaniumClient/TaniumClient config set LogVerbosityLevel 1

  5. (Tanium Client 7.4 or later) Use the following command to copy tanium‑init.dat to the Tanium Client installation directory:

    sudo cp tanium-init.dat /Library/Tanium/TaniumClient

  6. Wait a few minutes for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Deploy the Tanium Client to Linux endpoints using package files

For additional Linux information, see the following sections:

On Linux endpoints, the Tanium Client is installed as a system service. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

If your environment requires a different installation location for applications, you can create a symbolic link during installation.

For information about managing the Tanium Client service, managing firewall rules, or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on Linux.

Tanium Client package files for Linux

The Linux installer bundle (linux‑client-bundle.zip) that you download through Tanium Client Management contains package installer files for every Linux distribution. Contact Tanium Support for other means to obtain the package file for your Linux distribution.

 Table 3: Tanium Client package files for Linux
Linux Distribution Latest Installation Package Files
Amazon Linux 2 LTS TaniumClient-<client_version>-1.amzn2.x86_64.rpm
TaniumClient-<client_version>-1.amzn2.aarch64.rpm
Amazon Linux AMI 2018.3 TaniumClient-<client_version>-1.amzn2018.03.x86_64.rpm
Amazon Linux AMI 2016.09 TaniumClient-<client_version>-1.amzn2016.09.x86_64.rpm
Debian 11.x taniumclient-<client_version>-debian11_i386.deb
taniumclient-<client_version>-debian11_amd64.deb
Debian 10.x taniumclient-<client_version>-debian10_amd64.deb
Debian 9.x taniumclient-<client_version>-debian9_i386.deb
taniumclient-<client_version>-debian9_amd64.deb
Debian 8.x taniumclient-<client_version>-debian8_i386.deb
taniumclient-<client_version>-debian8_amd64.deb
Debian 7.x, 6.x taniumclient-<client_version>-debian6_i386.deb
taniumclient-<client_version>-debian6_amd64.deb
Oracle Linux 9.x TaniumClient-<client_version>-1.oel9.x86_64.rpm
TaniumClient-<client_version>-1.oel9.aarch64.rpm
Oracle Linux 8.x TaniumClient-<client_version>-1.oel8.x86_64.rpm
Oracle Linux 7.x TaniumClient-<client_version>-1.oel7.x86_64.rpm
Oracle Linux 6.x TaniumClient-<client_version>-1.oel6.i686.rpm
TaniumClient-<client_version>-1.oel6.x86_64.rpm
Oracle Linux 5.x TaniumClient-<client_version>-1.oel5.i386.rpm
TaniumClient-<client_version>-1.oel5.x86_64.rpm
Red Hat / AlmaLinux / Rocky Linux 9.x TaniumClient-<client_version>-1.rhe9.x86_64.rpm
TaniumClient-<client_version>-1.rhe9.aarch64.rpm
Red Hat / CentOS / AlmaLinux / Rocky Linux 8.x TaniumClient-<client_version>-1.rhe8.x86_64.rpm
TaniumClient-<client_version>-1.rhe8.aarch64.rpm
Red Hat / CentOS 7.x TaniumClient-<client_version>-1.rhe7.x86_64.rpm
Red Hat / CentOS 6.x TaniumClient-<client_version>-1.rhe6.i686.rpm
TaniumClient-<client_version>-1.rhe6.x86_64.rpm
Red Hat / CentOS 5.x TaniumClient-<client_version>-1.rhe5.i386.rpm

TaniumClient-<client_version>-1.rhe5.x86_64.rpm
SUSE Linux Enterprise Server (SLES) / OpenSUSE 15.x TaniumClient-<client_version>-1.sle15.i586.rpm

TaniumClient-<client_version>-1.sle15.x86_64.rpm
SUSE Linux Enterprise Server (SLES) / OpenSUSE 12.x TaniumClient-<client_version>-1.sle12.i586.rpm
TaniumClient-<client_version>-1.sle12.x86_64.rpm
SUSE Linux Enterprise Server (SLES) / OpenSUSE 11.x TaniumClient-<client_version>-1.sle11.i586.rpm
TaniumClient-<client_version>-1.sle11.x86_64.rpm
Ubuntu 22.04 LTS taniumclient_<client_version>-ubuntu22_amd64.deb
Ubuntu 20.04 LTS taniumclient_<client_version>-ubuntu20_amd64.deb
Ubuntu 18.04 LTS taniumclient_<client_version>-ubuntu18_amd64.deb
Ubuntu 16.04 LTS taniumclient_<client_version>-ubuntu16_amd64.deb
Ubuntu 14.04 LTS taniumclient_<client_version>-ubuntu14_amd64.deb

Install the Tanium Client on Linux using the package file

Use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on non-Windows endpoints.

The install.sh file provides an example of a script that performs an installation of the Tanium Client. By default, the script determines the distribution and version of Linux, installs the appropriate Tanium Client package, and copies the tanium‑init.dat file. You can modify this script with CLI commands that configure the Tanium Client settings that are necessary for your environment. You can then use the modified script for automated deployment of the Tanium Client. To run the install.sh script, you must have root or sudo permissions.

  1. Ensure that the Linux endpoint meets the basic requirements for the Tanium Client.
  2. Ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on the ports that the Tanium Client uses. See Manage Linux firewall rules.
  3. Sign in to the endpoint using an account that has administrative privileges, or that is listed in the sudoers file to allow the account you are using to use sudo.

  4. Use the Tanium Client Management service to download the client installer bundle (linux-client-bundle.zip) to the Linux endpoint. The download link is available on the Client Management Overview page.For the procedure, see Download the installation bundle or tanium-init.dat file for alternative deployment.

    The bundle contains the following files:

    • Installer package files for each Linux distribution (such as TaniumClient-7.4.4.1250-1.oel8.x86_64.rpm)
    • install.sh
    • tanium-init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)

    You can also download tanium‑init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)) and request the installer package from Tanium Support (see Contact Tanium Support). However, the installation process for Tanium Client 7.4 or later requires fewer manual configuration steps if you download tanium‑init.dat through Client Management.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  5. Copy the installer bundle to a temporary directory on the Linux endpoint and unzip the bundle:

    unzip linux-client-bundle.zip

    Make sure to keep the tanium‑init.dat in the same directory as the installer packages.

  6. (Optional) To use a directory other than the default for the client installation, create a symbolic link. For example, to use the directory /appbin/Tanium, run the following command:

    ln -s /appbin/Tanium /opt/Tanium

    You must install the Tanium Client on a local fixed drive.

  7. Run the appropriate installation command to install the package and generate a default configuration file.

    The RPM installers for Redhat and SUSE have command syntax similar to the following example:

    sudo rpm -Uvh TaniumClient-7.4.4.1362-1.oel6.x86_64.rpm

    The Debian installers for Debian and Ubuntu have command syntax similar to the following example:

    sudo dpkg -i taniumclient_7.4.4.1362-debian6_amd64.deb

  8. Copy tanium-init.dat(Tanium Client 7.4 or later) or tanium.pub (Tanium Client 7.2) to the installation directory. For example:

    cp tanium-init.dat /opt/Tanium/TaniumClient

  9. (For tanium-init.dat files that do not include client settings or for Tanium Client 7.2 installations) Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated with a comma. Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. You can use the TaniumClient pki show <path_to_tanium-init.dat> command on an endpoint where Tanium Client 7.4.5 or later is already installed to view the ServerNameList that the tanium-init.dat file specifies. For Tanium Client 7.2, you must specify ServerName or ServerNameList.
    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment with multiple Tanium Servers and Zone Servers:

    cd <Tanium Client installation directory>
    sudo ./TaniumClient config set ServerNameList \
    ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

  10. Start the Tanium Client service. (See Manage the Tanium Client service on Linux.)
  11. Wait a few minutes for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Deploy the Tanium Client to Solaris endpoints using a package file

For additional Solaris information, see the following sections:

On Solaris endpoints, the Tanium Client is installed as a system service. The Tanium Client files are installed by default in the /opt/Tanium/TaniumClient directory.

If your environment requires a different installation location for applications, you can create a symbolic link during installation.

The following procedures describe how to use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on non-Windows endpoints.

For information about managing the Tanium Client service or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on Solaris.

Prepare for installation

  1. Ensure that the Solaris endpoint meets the basic requirements for the Tanium Client.
  2. Contact Tanium Support for the Tanium Client installer file: TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg.

  3. Work with your network security team to ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the portsport that the client uses for peer Tanium Client traffic (default 17472). See Network connectivity, ports, and firewalls.

    The installation process does not modify any host-based firewall that might be in use.

  4. (Solaris 11.4 only) Install the legacy pkgadd utilities:

    1. Access the endpoint CLI.

    2. Find the pkgadd IPS package name:

      pkg search pkgadd

      INDEX     ACTION VALUE     PACKAGE
      basename  file            usr/sbin/pkgadd pkg:/package/[email protected]

    3. Install the pkgadd utilities:

      pkg install pkg:/package/[email protected]

  5. (Solaris 10 or 11.0–11.3 only) Install the SUNWgccruntime package if it is not yet installed.

    Although this package is part of a default Solaris installation, some organizations omit it in their standard image.

    1. Determine whether the package is installed:

      pkginfo -l SUNWgccruntime

      The following example output indicates the package is installed:

      PKGINST: SUNWgccruntime
      NAME: GCC Runtime libraries
      CATEGORY: system
      ARCH: sparc
      VERSION: 11.11.0,REV=2010.05.25.01.00
      BASEDIR: /
      VENDOR: Oracle Corporation
      DESC: GCC Runtime - Shared libraries used by gcc and other gnu components
      INSTDATE: Dec 01 2015 11:43
      HOTLINE: Please contact your local service provider
      STATUS: completely installed

    2. If the SUNWgccruntime package is not yet installed, run one of the following commands:

      • Solaris 10 or 11.0–11.3 (without using Image Packing System [IPS]):

        # pkgadd -d /path/to/SUNWGccruntime.pkg SUNWgccruntime

      • Solaris 11.0–11.3 using IPS:

        # pkg install SUNWgccruntime

Install the Tanium Client on Solaris using a package file

  1. Sign in to the Solaris endpoint.
  2. Copy the installer file TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg to a temporary location on the Solaris endpoint.

  3. Use the Tanium Client Management service to download a client installer bundle that contains the tanium‑init.dat (Tanium Client 7.4 or later) or tanium.pub (Tanium Client 7.2) file.

    Client Management does not provide an installer bundle for Solaris endpoints, but you can use the DAT or PUB file from the bundle that is provided for any other OS (Windows, macOS, or Linux). Download links are available on the Client Management Overview page.For the procedure, see Download the installation bundle or tanium-init.dat file for alternative deployment.

    You can also download tanium‑init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)).

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  4. Copy the installer bundle to the same temporary directory as the installer file and unzip the bundle.

    The DAT or PUB file is the only file that you need from the bundle, so you can delete the other files in the bundle.

  5. (Optional) To use a directory other than the default for the client installation, create a symbolic link, and set the PKG_NONABI_SYMLINKS environment variable to true. For example, to use the directory /appbin/Tanium, run the following commands:

    ln -s /appbin/Tanium /opt/Tanium
    PKG_NONABI_SYMLINKS=true
    export PKG_NONABI_SYMLINKS

    You must install the Tanium Client on a local fixed drive.

  6. Run the following command from the temporary directory to install the package and generate a default configuration file:

    sudo pkgadd -d ./TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg TaniumClient

    Note: If you are signed into the Global Zone and want to install only in the current zone, specify the ‑G flag. If you have questions, consult your system administrator for proper zone behavior.

  7. (For tanium-init.dat files that do not include client settings or for Tanium Client 7.2 installations) Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    The Resolver client setting is not included in the tanium-init.dat file by default. You must either create a separate client configuration for Solaris that includes the custom client setting Resolver=nslookup (for Tanium Server 7.5 or later and Tanium Client 7.4.7 or later) or manually set Resolver=nslookup using the CLI.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated with a comma. Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. You can use the TaniumClient pki show <path_to_tanium-init.dat> command on an endpoint where Tanium Client 7.4.5 or later is already installed to view the ServerNameList that the tanium-init.dat file specifies. For Tanium Client 7.2, you must specify ServerName or ServerNameList.
    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.
    Resolver Add the Resolver=nslookup setting to enable host name resolution.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment with multiple Tanium Servers and Zone Servers:

    cd <Tanium Client installation directory>
    sudo ./TaniumClient config set ServerNameList \
    ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1
    sudo ./TaniumClient config set Resolver nslookup

  8. Copy the tanium‑init.dat file or tanium.pub file from the Tanium Server to the Tanium Client installation directory on the Solaris endpoint.

  9. Run the following command to start the Tanium Client service:

    svcadm enable taniumclient

  10. Wait a few minutes for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Perform unattended Tanium Client installation

By default, the pkgadd utility performs a manual installation. The utility prompts for user intervention when it encounters operations that might be a security issue or conflict, such as running scripts with SUID, creating directories, or changing permissions. The utility provides a method to bypass these interventions and perform or abandon the installation. You accomplish this with a tanium.admin file, which contains operator identifiers and specifies what to do when the utility encounters security issues or conflicts.

  1. Create the tanium.admin file with the following contents:

    mail=
    instance=overwrite
    partial=nocheck
    runlevel=nocheck
    idepend=nocheck
    rdepend=nocheck
    space=nocheck
    setuid=nocheck
    conflict=nocheck
    action=nocheck
    networktimeout=60
    networkretries=3
    authentication=quit
    keystore=/var/sadm/security
    proxy=
    basedir=default

  2. Run pkgadd with the ‑a option:

    pkgadd ‑a tanium.admin ‑d ./TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg TaniumClient

Configure the Tanium Client on Solaris

The Tanium Client binary has statically linked libraries. All the libraries are in the standard default location (/lib) except libstdc++ and gcc. These two libraries are assumed to be in /usr/sfw/lib. If they are not, the client does not start. If libstdc++ and gcc are not in /usr/sfw/lib, you must add the library search path to the Service Management Facility (SMF) taniumclient service:

  1. Find the directory location of libgcc.* and libstdc++.*.

  2. Run the following command to add the search path to the SMF service:

    svccfg -s application/taniumclient setenv LD_LIBRARY_PATH /lib:/usr/lib:/usr/local/lib:/usr/sfw/lib

Deploy the Tanium Client to AIX endpoints using a package file

For additional AIX information, see the following sections:

On AIX endpoints, the Tanium Client is installed as a system service. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

If your environment requires a different installation location for applications, you can create a symbolic link during installation.

The following procedures describe how to use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on non-Windows endpoints.

For information about managing the Tanium Client service or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on AIX.

Prepare for installation

  1. Ensure that the AIX endpoint meets the basic requirements for the Tanium Client.
  2. Contact Tanium Support for the Tanium Client installer file: TaniumClient‑<client_version>‑powerpc.pkg.

  3. Work with your network security team to ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the portsport that the client uses for peer Tanium Client traffic (default 17472). See Network connectivity, ports, and firewalls.

    The installation process does not modify any host-based firewall that might be in use.

  4. If they are not yet installed, install the IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and, if indicated in the following table, the IBM LLVM runtime libraries file set (libc++.rte). The required xlC.rte version and the requirement for libc++.rte depend on the AIX version:

    AIX version Tanium Client version xlC.rte version libc++.rte required?
    7.1.1–7.1.3 7.2 13.1.3.1 or later When xlC.rte version 16.1.0.0 or later is installed, or when required by an installed module or shared service. See Solution-specific requirements for the Tanium Client and endpoints for links to specific requirements.
    7.1.4 or later All supported versions 16.1.0.0 or later Yes

    Install the file sets as follows:

    1. Access the operating system CLI on the endpoint.

    2. Run the following commands to determine the versions of the currently installed xlC.rte bundle and, if required, the libc++.rte bundle:

      lslpp -l xlC\.*
      lslpp -l libc++\.*

      If the appropriate version of each bundle is already installed where required, skip to Install the Tanium Client on AIX using a package file. Otherwise, complete the remaining steps for each bundle that needs to be installed or updated.

    3. Obtain the appropriate xlC.rte and libc++.rte bundles for your system from IBM Fix Central.
    4. Download each bundle to your endpoint.
    5. Extract, unzip, or untar each bundle to the /usr/sys/inst.images directory.

    6. Install the bundles:

      sudo installp -aXYgd /usr/sys/inst.images -e /tmp/install.log all

    7. Review the installation log /tmp/install.log for any errors.

Install the Tanium Client on AIX using a package file

  1. Sign in to the target endpoint.
  2. Copy the Tanium Client installer file  TaniumClient‑<client_version>‑powerpc.pkg to a temporary location on the target endpoint.

  3. Use the Tanium Client Management service to download a client installer bundle that contains the tanium‑init.dat (Tanium Client 7.4 or later) or tanium.pub (Tanium Client 7.2) file.

    Client Management does not provide an installer bundle for AIX endpoints, but you can use the DAT or PUB file from the bundle that is provided for any other OS (Windows, macOS, or Linux). Download links are available on the Client Management Overview page.For the procedure, see Download the installation bundle or tanium-init.dat file for alternative deployment.

    You can also download tanium‑init.dat or tanium.pub through the Tanium Console (see Tanium Console User Guide: Download infrastructure configuration files (keys)).

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  4. Copy the installer bundle to the same temporary directory as the installer file and unzip the bundle.

    You must first install the unzip utility if it is not already installed on the AIX endpoint.

    The DAT or PUB file is the only file that you need from the bundle, so you can delete the other files in the bundle.

    The following example command uncompresses the Linux bundle for the Tanium Client:

    unzip linux-client-bundle.zip

  5. (Optional) To use a directory other than the default for the client installation, create a symbolic link. For example, to use the directory /appbin/Tanium, run the following command:

    ln -s /appbin/Tanium /opt/Tanium

    You must install the Tanium Client on a local fixed drive.

  6. Run the following command from the temporary directory to install the package and generate a default configuration file:

    sudo installp -agqXYd ./TaniumClient‑<client_version>‑powerpc.pkg TaniumClient

  7. (For tanium-init.dat files that do not include client settings or for Tanium Client 7.2 installations) Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    The Resolver client setting is not included in the tanium-init.dat file by default. You must either create a separate client configuration for AIX that includes the custom client setting Resolver=nslookup (for Tanium Server 7.5 or later and Tanium Client 7.4.7 or later) or manually set Resolver=nslookup using the CLI.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated with a comma. Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. You can use the TaniumClient pki show <path_to_tanium-init.dat> command on an endpoint where Tanium Client 7.4.5 or later is already installed to view the ServerNameList that the tanium-init.dat file specifies. For Tanium Client 7.2, you must specify ServerName or ServerNameList.
    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.
    Resolver The default hostname resolver for Tanium is getent. Because AIX generally does not have the getent command, add the Resolver=nslookup setting.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment with multiple Tanium Servers and Zone Servers:

    cd <Tanium Client installation directory>
    sudo ./TaniumClient config set ServerNameList \
    ts1.example.com,ts2.example.com,zs1.example.com,zs2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1
    sudo ./TaniumClient config set Resolver nslookup

  8. Copy the tanium‑init.dat file or tanium.pub file to the Tanium Client installation directory on the AIX endpoint.

  9. Use the following command to start the Tanium Client service:

    startsrc -s taniumclient

  10. Wait a few minutes for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Verify the Tanium Client installation

Wait a few minutes after installation for the Tanium Client to register with Tanium Cloud the Tanium Server or Zone Server.

After you deploy the Tanium Client, perform the following steps to verify that the client installed correctly and can communicate with Tanium Cloud the Tanium Server or Zone Server.

  1. From Interact, ask a question to verify that the endpoints respond to the following query: Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines
  2. Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.

  3. (Optional) From the main menu, go to Administration > Configuration > Client Status , and review recent client registration details.

    To find a specific Tanium Client, enter a text string in the Filter items field above the grid to filter it by Host Name or Network Location (IP address).