Deploying the Tanium Client using Client Management

Deployment using the Client Management service is not available in Tanium Cloud. You must use an installer or package file to deploy the Tanium Client. For more information, see Deploying the Tanium Client using an installer or package file.

Use Client Management to deploy the Tanium Client to any number of endpoints in a single operation. To begin, plan and prepare the set of targeted endpoints, create client configurations to define the configuration of the deployed client, and create credentials to define the information that is needed to log into the endpoints to perform the installations. Then, use these configurations to create a deployment that targets a specific set of endpoints.

When you use Client Management to deploy the Tanium Client to endpoints, Client Management also installs Client Management tools on the endpoints to provide client health information. For more information, see Monitor the client health overview in Client Management and Access detailed client health and troubleshooting information on an endpoint.

You can also obtain installation packages and install the client on endpoints using an alternative method. For more information, see Deploying the Tanium Client using an installer or package file.

If you use an operating system (OS) image to deploy an OS to new endpoints, you can install the Tanium Client on the template image (as described in this section) and perform additional steps to prepare the Tanium Client for deployment through the image. For the procedures to prepare OS images that include the Tanium Client, see Preparing the Tanium Client on OS images.

Plan deployment targeting

You can deploy the Tanium Client to a single IP address or computer name, an IP or CIDR range, or a Discover label. Both the Tanium Server and endpoints must have IPv4 addresses; IPv6 addresses are not supported in Client Management.

If you want to deploy to unmanaged interfaces that get defined in Discover, you can create a label and use the label as a deployment target. For example, you might create a New Computers label with the condition: First Seen in the last 30 minutes AND Computer Id = "0". For more information about creating labels in Discover, see Tanium Discover User Guide: Labels.

Discover labels must have the following settings to be used with Client Management:

  • Type: Automatic
  • Activity: Retain
  • Retain Activity: Label

The Tanium Module Server must have a connection to endpoints to automatically deploy the Tanium Client using Client Management. If you deploy the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, or if you plan to deploy the Tanium Client where only IPv6 addresses are available, you can create a client configuration, and then download and manually deploy an installation bundle.

By default, a deployment installs the Tanium Client only on unmanaged endpoints and ignores any endpoints where the client is already installed. However, you can also configure the deployment to reinstall the client. See Configure a deployment.

Prepare for deployment to Linux, macOS, or UNIX endpoints

  1. Configure password-based or SSH key-based authentication based on the authentication requirements on the endpoints.

    On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate with SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

    • The root user
    • A user that the sudoers file on each endpoint permits to run commands with sudo

      If you restrict user commands in the sudoers file, you must allow the commands used by Client Management during deployment.

    Some distributions, or your own environment, might impose additional authentication requirements.

    Amazon Linux: Amazon Linux requires key-based authentication. On the endpoint, enable SSH key-based authentication and add a NOPASSWD rule to the sudoers file for the administrative user account. Add this user name and its SSH private key to the credentials list; no password is needed, because sudo does not prompt for one. With this configuration the SSH key, and not a password, authenticates the user, so the deployment can elevate to install the Tanium Client and start the service.

  2. Allow traffic from the Module Server to endpoints on TCP port 22 (SSH port, configurable), and allow SFTP access. For more information, see Port requirements for Tanium Client and Client Management.

  3. Configure any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH. For more information, see Port requirements for Tanium Client and Client Management.

  4. (macOS 10.14 or later only) Create a mobile device management (MDM) profile that provides the necessary permissions for the following Tanium applications:

    Tanium Client
      Location: /Library/Tanium/TaniumClient/TaniumClient
      Required Permissions: All System Files, Admin System Files, Post Events
      Apple Events: System Events, SystemUIServer, Finder

    Tanium Client Extensions
      Location: /Library/Tanium/TaniumClient/TaniumCX
      Required Permissions: All System Files, Admin System Files, Post Events
      Apple Events: System Events, SystemUIServer, Finder

    Tanium End User Notifications
      Location: /Library/Tanium/EndUserNotifications/bin/end-user-notifications.app
      Required Permissions: Post Events
      Apple Events: System Events, SystemUIServer, Finder

    An MDM administrator must create a Privacy Preferences Policy Control (PPPC) custom payload that specifies the necessary permissions for each application. The PPPC custom payload must be delivered using a User-Approved MDM (UAMDM) payload in a device profile.

    If you use Mac Device Configuration Profile policies in Tanium Enforce 2.3 or later, the PPPC payload is available in each policy. See Tanium Enforce User Guide: Create a Mac Device Configuration Profile policy.

    The team identifier for Tanium applications is TZTPM3VTUU.

    If you previously created a PPPC custom payload for a version of the Tanium Client earlier than 7.2.314.3608, you must update the code signing requirement for version 7.2.314.3608 or later.

    For more information about MDM on macOS, see Apple Platform Deployment.

  5. (Solaris 11.4 only) Install the legacy pkgadd utilities:

    1. Access the endpoint CLI.
    2. Find the pkgadd IPS package name:

      pkg search pkgadd

      INDEX     ACTION VALUE     PACKAGE
      basename  file            usr/sbin/pkgadd pkg:/package/[email protected]

    3. Install the pkgadd utilities:

      pkg install pkg:/package/[email protected]

  6. (Solaris 10 or 11.0–11.3 only) Install the SUNWgccruntime package if it is not yet installed.

    Although this package is part of a default Solaris installation, some organizations omit it in their standard image.

    1. Determine whether the package is installed:

      pkginfo -l SUNWgccruntime

      The following example output indicates the package is installed:

      PKGINST: SUNWgccruntime
      NAME: GCC Runtime libraries
      CATEGORY: system
      ARCH: sparc
      VERSION: 11.11.0,REV=2010.05.25.01.00
      BASEDIR: /
      VENDOR: Oracle Corporation
      DESC: GCC Runtime - Shared libraries used by gcc and other gnu components
      INSTDATE: Dec 01 2015 11:43
      HOTLINE: Please contact your local service provider
      STATUS: completely installed

    2. If the SUNWgccruntime package is not yet installed, run one of the following commands:

      • Solaris 10 or 11.0–11.3 (without using the Image Packaging System [IPS]):

        # pkgadd -d /path/to/SUNWgccruntime.pkg SUNWgccruntime

      • Solaris 11.0–11.3 using IPS:

        # pkg install SUNWgccruntime

  7. (AIX only) If they are not yet installed, install the IBM XL C++ runtime libraries file set (xlC.rte) and, where the following table indicates, the IBM LLVM runtime libraries file set (libc++.rte). The required xlC.rte version and whether libc++.rte is required depend on the AIX version:

    AIX 7.1.1–7.1.3 (Tanium Client 7.2)
      xlC.rte version: 13.1.3.1 or later
      libc++.rte required: only when xlC.rte version 16.1.0.0 or later is installed, or when an installed module or shared service requires it. See Solution-specific requirements for the Tanium Client and endpoints for links to specific requirements.

    AIX 7.1.4 or later (all supported Tanium Client versions)
      xlC.rte version: 16.1.0.0 or later
      libc++.rte required: yes

    Install the file sets as follows:

    1. Access the operating system CLI on the endpoint.
    2. Run the following commands to determine the versions of the currently installed xlC.rte bundle and, if required, the libc++.rte bundle:

      lslpp -l xlC\.*
      lslpp -l libc++\.*

      If the appropriate version of each bundle is already installed where required, skip to Deploying the Tanium Client using Client Management. Otherwise, complete the remaining steps for each bundle that needs to be installed or updated.

    3. Obtain the appropriate xlC.rte and libc++.rte bundles for your system from IBM Fix Central.
    4. Download each bundle to your endpoint.
    5. Extract, unzip, or untar each bundle to the /usr/sys/inst.images directory.
    6. Install the bundles:

      sudo installp -aXYgd /usr/sys/inst.images -e /tmp/install.log all

    7. Review the installation log /tmp/install.log for any errors.

  8. If you use the root account to install, make sure that sshd_config on each endpoint allows root login (the PermitRootLogin directive). Password-based deployment requires PermitRootLogin yes; key-based deployment also works with prohibit-password, which permits root to authenticate with a key only.

  9. Verify that you can log in to the remote system with SSH, using the same credentials that you will use for the Tanium Client deployment.

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.
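The following script is an added example written for this guide; it is not part of the Tanium product or its documentation. It checks the endpoint-side prerequisites from the steps above for Linux, macOS, and UNIX targets: the effective sshd_config values for root login, password or key authentication, and the SFTP subsystem; a passwordless sudo rule for the deployment user (the Amazon Linux case); the Team ID in a macOS application's code signature, to compare with the TZTPM3VTUU value the PPPC payload must name; and the same SSH login, sudo, and SFTP operations that the Module Server performs. The sample sshd_config and sudoers contents are constructed for illustration. The script assumes flat configuration files with no Include, Match, #include, or alias constructs, and OpenSSH 7.0 or later defaults.

```sh
#!/bin/sh
# Added example (not from the Tanium documentation): audit the sshd and sudo prerequisites that
# Client Management needs on a Linux/UNIX endpoint, then exercise the login/sudo/SFTP path that
# the Module Server uses. Assumptions: flat sshd_config and sudoers (no Include, Match, #include,
# or alias constructs); OpenSSH >= 7.0 defaults where a directive is absent.

# sshd_get FILE KEYWORD -> the effective value. sshd uses the FIRST value set for a keyword, so a
# later duplicate line does not override an earlier one. Stops at the first Match block.
sshd_get() {
  awk -v k="$2" 'BEGIN { k = tolower(k) }
    { sub(/^[ \t]+/, "")
      if ($0 ~ /^#/ || $0 == "") next
      split($0, f, /[ \t=]+/)
      if (tolower(f[1]) == "match") exit
      if (tolower(f[1]) == k) { print f[2]; exit } }' "$1"
}

# check_sshd FILE AUTH ROOT   AUTH = password|key; ROOT = yes if the deployment logs in as root.
# Prints one FAIL line per problem and returns non-zero if anything fails.
check_sshd() {
  f=$1; auth=$2; asroot=$3; rc=0
  [ "$(sshd_get "$f" Subsystem)" = sftp ] ||
    { echo "FAIL: no 'Subsystem sftp' line (Client Management copies files over SFTP)"; rc=1; }
  if [ "$asroot" = yes ]; then
    v=$(sshd_get "$f" PermitRootLogin); v=${v:-prohibit-password}   # OpenSSH >= 7.0 default
    case "$auth:$v" in
      password:yes) ;;
      key:yes|key:prohibit-password|key:without-password) ;;
      *) echo "FAIL: PermitRootLogin=$v blocks root $auth login"; rc=1 ;;
    esac
  fi
  if [ "$auth" = password ]; then
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "${v:-yes}" = yes ] || { echo "FAIL: PasswordAuthentication=$v"; rc=1; }
  else
    v=$(sshd_get "$f" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || { echo "FAIL: PubkeyAuthentication=$v"; rc=1; }
  fi
  return $rc
}

# sudo_nopasswd FILE USER -> 0 if USER (or ALL) has a "NOPASSWD: ALL" rule. A restricted command
# list is reported as a failure here and needs manual review against the commands the deployment runs.
sudo_nopasswd() {
  awk -v u="$2" '
    /^[ \t]*#/ || NF == 0 { next }
    ($1 == u || $1 == "ALL") && /NOPASSWD:[ \t]*ALL/ { found = 1 }
    END { exit !found }' "$1"
}

# macos_team_id APP_PATH -> Team ID from the code signature (macOS only). Compare with TZTPM3VTUU;
# 'codesign -dr - APP_PATH' prints the designated requirement to put in the PPPC payload.
macos_team_id() {
  codesign -dv --verbose=4 "$1" 2>&1 | awk -F= '/^TeamIdentifier=/ { print $2 }'
}

# remote_check USER HOST [KEYFILE]: key-based login, passwordless sudo, and the SFTP subsystem,
# run from the Module Server host. BatchMode=yes makes a missing key fail instead of prompting.
remote_check() {
  u=$1; h=$2; k=${3:+-i $3}
  if ssh -o BatchMode=yes -o ConnectTimeout=5 $k "$u@$h" 'sudo -n true' 2>/dev/null
  then echo "PASS: ssh login and 'sudo -n true' as $u"; else echo "FAIL: ssh login or passwordless sudo as $u"; fi
  if printf 'pwd\n' | sftp -o BatchMode=yes -o ConnectTimeout=5 -b - $k "$u@$h" >/dev/null 2>&1
  then echo "PASS: sftp"; else echo "FAIL: sftp (check the Subsystem line and any forced commands)"; fi
}

# Constructed sample configs (not taken from any real endpoint) so the checks can run offline.
SAMPLE_SSHD=$(mktemp); SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD" "$SAMPLE_SUDOERS"' EXIT
cat >"$SAMPLE_SSHD" <<'EOF'
# constructed sshd_config
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User deploy
    PasswordAuthentication yes
EOF
cat >"$SAMPLE_SUDOERS" <<'EOF'
# constructed sudoers
root      ALL=(ALL) ALL
%wheel    ALL=(ALL) ALL
ec2-user  ALL=(ALL) NOPASSWD: ALL
deploy    ALL=(ALL) ALL
EOF

# On a real endpoint:   check_sshd /etc/ssh/sshd_config key yes; sudo_nopasswd /etc/sudoers ec2-user
# From the Module Server host (illustrative address and key path): remote_check ec2-user 192.168.1.130 ~/.ssh/deploy_key
```

Against the constructed sample, a key-based root deployment passes and a password-based one fails twice (PermitRootLogin and PasswordAuthentication), which is the combination that typically shows up in deployment logs as an authentication failure even though the credentials are correct. The user ec2-user qualifies for passwordless sudo; deploy and root do not, so a deployment as deploy would need a password in the credentials list.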

Prepare for deployment to Windows endpoints

  1. Configure local or domain accounts with the necessary permissions.

    On each Windows endpoint, you must have an account with Local Administrator rights, or a local or domain account configured that has the following abilities:

    • Remotely connect to the endpoint and authenticate with SMB
    • Create folders within the installation directory for 32-bit applications, and, if applicable, the custom location where the Tanium Client will be installed (by default, C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows)

      A custom installation directory must be located on drive C for deployment with Client Management. To install Tanium Client on a different drive, you must use an alternative deployment method. For more information, see Deploying the Tanium Client using an installer or package file.

    • Write and execute files in the Tanium installation directory (by default, C:\Program Files (x86)\Tanium\ for 64-bit versions of Windows, or C:\Program Files\Tanium\ for 32-bit versions of Windows)
  2. Enable Windows file-and-print sharing and administrative shares on the target endpoint, and make sure the Windows Management Instrumentation (WMI) service is enabled and started.

    Enabling these settings and services is required only for installation. You can disable sharing and WMI as needed after the installation.

  3. Configure any host-based firewalls or other security tools on the endpoint that might interfere with WMI or file sharing. WMI connects to the RPC endpoint mapper on TCP port 135 and is then redirected to a dynamically assigned RPC port, so allowing port 135 alone is not sufficient if the dynamic RPC range is blocked; file sharing uses TCP port 445. For more information, see Port requirements for Tanium Client and Client Management.
  4. Allow TCP traffic on ports 135 and 445 from the Tanium Module Server host computer to the endpoints on which you want to deploy the Tanium Client. For more information, see Port requirements for Tanium Client and Client Management.
  5. If both of the following conditions are met, User Account Control (UAC) remote restrictions prevent access to administrative shares and remote installations:

    • The endpoint is not joined to a domain.
    • You use a non-default Administrator account, or you use the default local Administrator account with the Admin Approval Mode for the Built-in Administrator account policy setting enabled.

    Because these administrative tasks are necessary for deployment of the Tanium Client using Client Management, you must disable UAC remote restrictions under these conditions to allow deployment. To disable UAC remote restrictions, add the following value to the Windows registry and restart the machine:

    Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Data type: REG_DWORD
    Value name: LocalAccountTokenFilterPolicy
    Value data: 1

    Administrative shares are not available in Home editions of Windows operating systems.

    After you deploy the Tanium Client, remove the LocalAccountTokenFilterPolicy registry value or set it to 0 to restore UAC remote restrictions. These restrictions help prevent malicious users from accessing the endpoint remotely with administrative rights.

  6. Verify that you can execute the wmic and net use commands remotely with the same credentials that you will use for the Tanium Client deployment. For example:

    • Port 135: wmic /node:"192.168.1.130" /user:"user_name" useraccount list brief

    • Port 445: net use p: \\192.168.1.130\C$ password /user:user_name

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.
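As an added example that is not part of the Tanium documentation, the following script runs from the Tanium Module Server host and checks the network prerequisites from both preparation sections against a target range before you start a deployment. It expands a single address or CIDR range the way a deployment target does, pings each address first (as the deployment process itself does), then tests TCP 22 for SSH/SFTP targets and TCP 135 and 445 for WMI and SMB targets. It assumes IPv4 targets, the default SSH port 22, and a Linux host with bash, iputils ping, and the timeout utility; the addresses in the usage line are illustrative. The classification labels it prints (unix-ssh, windows-wmi-smb, windows-partial, unreachable) are the script's own, not Client Management status values.

```sh
#!/bin/sh
# Added example (not from the Tanium documentation): reachability preflight run from the Tanium
# Module Server host against a Client Management target range before starting a deployment.
# Mirrors the first deployment steps (ping, then detect the OS) using only the ports the guide lists:
# TCP 22 for SSH/SFTP targets, TCP 135 (WMI) and 445 (SMB) for Windows targets.
# Assumptions: IPv4 only (as Client Management requires), default SSH port, Linux host with bash,
# iputils ping and coreutils timeout.

ip_to_int() {    # ip_to_int 192.168.1.130 -> 3232235906
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
int_to_ip() {    # int_to_ip 3232235906 -> 192.168.1.130
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# cidr_hosts 192.168.1.128/30 -> the host addresses in the range, one per line. Network and
# broadcast addresses are skipped for /30 and larger blocks; /31 and /32 list every address.
cidr_hosts() {
  ip=${1%/*}; bits=${1#*/}
  [ "$ip" = "$1" ] && { echo "$ip"; return; }          # a bare address is a /32
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  base=$(( $(ip_to_int "$ip") & mask )); size=$(( 1 << (32 - bits) ))
  if [ "$bits" -ge 31 ]; then i=0; last=$size; else i=1; last=$(( size - 1 )); fi
  while [ "$i" -lt "$last" ]; do int_to_ip $(( base + i )); i=$(( i + 1 )); done
}
# tcp_open HOST PORT [SECONDS] -> 0 if a TCP connect succeeds (bash /dev/tcp; no nc dependency)
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}
# classify [PORT ...] -> what a deployment could do with this set of open ports
classify() {
  ssh=0; wmi=0; smb=0
  for p in "$@"; do case $p in 22) ssh=1 ;; 135) wmi=1 ;; 445) smb=1 ;; esac; done
  if   [ $ssh -eq 1 ]; then echo unix-ssh
  elif [ $wmi -eq 1 ] && [ $smb -eq 1 ]; then echo windows-wmi-smb
  elif [ $wmi -eq 1 ] || [ $smb -eq 1 ]; then echo windows-partial   # one of 135/445 is blocked
  else echo unreachable; fi
}
# preflight HOST -> one status line. ICMP may be filtered while TCP is open, but the deployment
# pings first, so a ping=no host is skipped by the deployment even if its ports answer.
preflight() {
  h=$1; open=""
  if ping -c 1 -W 1 "$h" >/dev/null 2>&1; then pg=yes; else pg=no; fi
  for p in 22 135 445; do tcp_open "$h" "$p" && open="$open $p"; done
  echo "$h ping=$pg ports=${open:-none} class=$(classify $open)"
}

# Usage (illustrative range): sh preflight.sh 192.168.1.128/30   or   sh preflight.sh 192.168.1.130
if [ $# -gt 0 ]; then for h in $(cidr_hosts "$1"); do preflight "$h"; done; fi
```

A host that reports ping=no with open ports will fail the deployment's first step regardless of credentials, so fix ICMP (or target it by another method) before troubleshooting authentication. A windows-partial result almost always means a host firewall is allowing SMB but not the RPC endpoint mapper, or the reverse; both ports are required.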

Create a client configuration

A client configuration defines the Tanium Server, platforms, and installation directories for your client deployment. You can configure multiple client configurations to deploy to different types of environments.

Before you create a client configuration, make sure that the Tanium Server has cached the versions of the Tanium Client that you need: see Manage versions of the Tanium Client available for deployments and upgrades.

  1. From the Client Management menu, click Client Installations > Client Configurations, and then click Create.
  2. Specify a descriptive name for the client configuration.
  3. Specify the IP address or fully qualified domain name of the Tanium Server. In high-availability deployments and deployments with Zone Servers, you can enter a comma-separated list of all servers, such as: ts1.example.com,ts2.example.com,zs1.example.com.

    The Tanium Module Server must have a connection to endpoints to automatically deploy the Tanium Client using Client Management. Additionally, both the Tanium Server and endpoints must have IPv4 addresses; IPv6 addresses are not supported in Client Management. If you plan to deploy the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, or if you plan to deploy the Tanium Client where only IPv6 addresses are available, you can download and manually deploy an installation bundle. For more information, see Download the installation bundle or tanium-init.dat file for alternative deployment.

  4. Select the Client Version to install.
  5. Select the Client Platforms of the endpoints to which you are installing Tanium Client.
  6. Leave the installation directories blank to use the defaults, or enter a custom Installation Directory on Windows or Installation Directory on Non Windows.

    • The installation directory must be located on a local fixed drive on each endpoint.

    • (Windows endpoints) The installation directory must be located on drive C for deployment with Client Management. To install Tanium Client on a different drive, you must use an alternative deployment method. For more information, see Deploying the Tanium Client using an installer or package file.
    • (macOS endpoints) You cannot customize the installation directory on macOS. The fixed installation directory for macOS is /Library/Tanium/TaniumClient.
  7. Enter a Log Level.

    The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.
  8. Leave the default Server Port, or enter a custom port.
  9. In the Space Required for each operating system, enter the disk space that should be available on a targeted endpoint for the client to be installed.

    The default of 3000 MB is sufficient for the Tanium Client itself, but the total space required depends on the modules that you use with each endpoint. For more information, see Hardware requirements.

  10. To change a default client setting, click Add Client Setting, and then enter a Key and Value. For information about specific client settings, see Tanium Client settings reference.

    If you are deploying the Tanium Client to virtual desktop infrastructure (VDI) instances or other endpoints with limited resources, you might need to adjust certain client settings to help to reduce resource usage. For more information, see Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources.

  11. To add a custom tag to the client during deployment, click Add Client Tag and enter a tag name. The InstalledByTCM tag is included by default so that you can later easily target clients that were installed using Client Management.

    Do not include spaces in a tag name.

  12. Click Save.

Download the installation bundle or tanium-init.dat file for alternative deployment

For endpoints that are connected to a Zone Server or that cannot be reached directly from the Tanium Module Server for any other reason, you can download and manually deploy the installation bundle associated with a client configuration. The tanium-init.dat file that is contained in this bundle includes the ServerNameList setting from the client configuration. If you are using Tanium Server 7.5 or later, it also includes the ServerPort, Log Level, and any other client settings and tags that you added to the client configuration, which the installer for Tanium Client 7.4.7 or later automatically applies during installation. Using this bundle reduces the manual configuration steps when you deploy the Tanium Client outside of Client Management.

If you already downloaded installers that you need for a deployment, you can download only the customized tanium-init.dat for a client configuration.

After you create or update a client configuration, the Module Server must retrieve the necessary client installers before you can download the installation bundle. The Download Bundle button becomes available when the download is ready.

  1. From the Client Management menu, click Client Installations > Client Configurations.
  2. Download the installation bundle or the tanium-init.dat file for a client configuration:

    • To download the full installation bundle, click Download Bundle in the Actions column.

    • To download only the tanium-init.dat file, click Download tanium-init.dat in the Actions column.

  3. Deploy the installation bundle to the appropriate endpoints. For more information, see Deploying the Tanium Client using an installer or package file.

Configure client credentials

Client credentials are a list of user name and password combinations for the target endpoints on which you want to install Tanium Client. For specific requirements for authentication and permissions, see Account permissions for Client Management.

  1. From the Client Management menu, click Client Installations > Credentials. Click Create.
  2. Enter a name for the credentials list.
  3. Add a set of credentials to try for each operating system type.

    • (Windows endpoints) If you are using domain credentials, you must enter the user name in the format domain\username. If you are using local credentials, enter only username for the user name.
    • (Non-Windows endpoints) You can add an SSH key. If you are using an SSH key, the private key is required in PEM format. Click + key, copy the contents of the PEM-formatted private key, and paste the contents in the Key field. If the key requires a passphrase, click + keyphrase and enter the passphrase in the Keyphrase field. When you use an SSH key for authentication, a user name is required, and a password is optional. However, endpoints typically still require a password for non-root users, unless the specified user is configured to use sudo without a password.

  4. Click Save.

Configure a deployment

  1. From the Client Management menu, click Client Installations > Deployments, and then click Create.
  2. Specify a name for the deployment, and select the client configuration and credentials that you configured.
  3. Configure targeting. You can target endpoints by a single IP address, a list of IP addresses, a computer name, an IP or CIDR range, or a Discover label. For information about configuring Discover labels, see Tanium Discover User Guide: Labels.

    Discover labels must have the following settings to be used with Client Management:

    • Type: Automatic
    • Activity: Retain
    • Retain Activity: Label

    To define an additional target for the deployment, click Add Target. To remove a target, click Delete.

  4. (Deployments targeting a Discover label) To have the deployment re-run automatically when the selected label is updated in Discover, select Run deployment whenever a Discover import is detected.
  5. Configure the settings in the Method section as needed.

  6. Configure the settings in the Installation Options section.

    • To install the client on unmanaged endpoints, make sure New Installation is selected.
    • To determine how to manage endpoints where the client is already installed, select one of the following options:

      • Ignore: Ignore endpoints where the client is already installed. Leave this option selected for a typical deployment to unmanaged endpoints. Disable this option if you want only to reinstall existing clients.
      • Install Newer Version: Install the version that you specified in the selected client configuration only on endpoints where an earlier version is currently installed.

        For general management of upgrades to existing clients, create upgrade deployments that target computer groups: see Upgrade Tanium Clients using Client Management.

      • Reinstall: Reinstall existing clients. Use this option to repair disabled or corrupt clients.

        With the default selections for Advanced Options, this option reinstalls clients only on endpoints where the client is not communicating properly with the Tanium Server and where the currently installed version is earlier than or the same as the version that you configure in a client configuration. Any data that the client has collected remains on the client.

        Select Wipe data as if New Installation to wipe all client data. If you select this option, the version that you deploy replaces any existing version, since the deployment first removes any version of the client found on the endpoint.

        Select Perform action even if client is connected to a server to reinstall clients that are still communicating with the server.

        macOS: If you are installing the universal version of the macOS client on an endpoint where the x86-64 version of the client is installed, you must select Wipe data as if New Installation.

  7. Click Save to save the deployment without running, or Save and Deploy to immediately deploy.

Deploy clients

From the Client Management menu, click Client Installations > Deployments. In the Deployment column, click the name of a deployment.

To run the deployment, click Start.

You can then view the status of the deployment, including a list of the targeted endpoints.

Deployment process

When you start a deployment, the Module Server takes the following actions to install the Tanium Client:

  1. Pings the targeted endpoints to verify they are online.
  2. Detects the operating system of the endpoints that respond to the ping.
  3. Tries the credentials in the defined credentials list to log into the endpoint for installation.
  4. Checks for the space required on the endpoint as specified in the client configuration.
  5. Copies the Tanium public key file for the Tanium Server to the endpoint.
  6. Installs Tanium Client on the endpoint. The version and installation location are defined in the client configuration for the deployment.
  7. Displays the deployment status.

View deployment status

Each successful deployment reports a status of COMPLETE in the Installation Status column.

Filter the endpoints by clicking the status buttons in the grid, or enter filter text in the Filter logs and details box.

For more information about other status messages and troubleshooting deployments, see Troubleshoot deployment issues.

After the deployment is complete, wait a few minutes for the Tanium Client to register with the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

To see the results of a previous run of the deployment, you can select that run from the list.

Adjust deployment history retention

  1. From the Client Management Overview page, click Settings.

  2. In the Data Retention Settings section, configure the following settings.

    • Deployment Target Records (days): The number of days that the list of endpoints and the status information for each endpoint should be retained for completed deployments
    • Deployment Target Detailed History (days): The number of days that the full deployment log for each endpoint should be retained in completed deployments
  3. Click Save Settings.

Verify the Tanium Client installation

Wait a few minutes after installation for the Tanium Client to register with the Tanium Server or Zone Server.

After you deploy the Tanium Client, perform the following steps to verify that the client installed correctly and can communicate with the Tanium Server or Zone Server.

  1. From Interact, ask a question to verify that the endpoints respond to the following query: Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines
  2. Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.
  3. (Optional) From the main menu, go to Administration > Configuration > Client Status, and review recent client registration details.

    To find a specific Tanium Client, enter a text string in the Filter items field above the grid to filter it by Host Name or Network Location (IP address).