Deploying the Tanium Client using Client Management

Deployment using the Client Management service is not available in TaaS. You must use an installer or package file to deploy the Tanium Client. For more information, see Deploying the Tanium Client using an installer or package file.

Use Client Management to deploy the Tanium Client to any number of endpoints in a single operation. To begin, plan and prepare the set of targeted endpoints, create sets of client settings to define the configuration of the deployed client, and create credentials to define the information that is needed to log into the endpoints to perform the installations. Then, use these configurations to create a deployment that targets a specific set of endpoints.

When you use Client Management to deploy the Tanium Client to endpoints, Client Management also installs Client Management tools on the endpoints to provide client health information. For more information, see Monitoring client health in the Client Management service.

You can also obtain installation packages and install the client on endpoints using an alternative method. For more information, see Deploying the Tanium Client using an installer or package file.

If you use an operating system (OS) image to deploy an OS to new endpoints, you can install the Tanium Client on the template image (as described in this section) and perform additional steps to prepare the Tanium Client for deployment through the image. For the procedures to prepare OS images that include the Tanium Client, see Preparing the Tanium Client on OS images.

Plan deployment targeting

You can deploy the Tanium Client to a single IP address or computer name, an IP or CIDR range, or a Discover label. Both the Tanium Server and endpoints must have IPv4 addresses; IPv6 addresses are not supported in Client Management.

If you want to deploy to unmanaged interfaces that get defined in Discover, you can create a label and use the label as a deployment target. For example, you might create a New Computers label with the condition: First Seen in the last 30 minutes AND Computer Id = "0". For more information about creating labels in Discover, see Tanium Discover User Guide: Labels.

The Tanium Module Server must have a connection to endpoints to automatically deploy the Tanium Client using Client Management. If you deploy the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, or if you plan to deploy the Tanium Client where only IPv6 addresses are available, you can configure client settings, and then download and manually deploy an installation bundle.

Upgrade or reinstall the Tanium Client

By default, a deployment installs the Tanium Client only on unmanaged endpoints and ignores any endpoints where the client is already installed. However, you can also configure the deployment to reinstall or upgrade the client.

For planning and additional considerations for upgrading the Tanium Client, see Upgrading Tanium Clients.

Configure a deployment to upgrade existing clients if you want to install the version that you specify in client settings on any endpoint where an earlier version is currently installed. You can optionally disable new installations if you want only to upgrade existing client installations.

macOS 10.14 (Mojave) or later: When you upgrade the Tanium Client on endpoints that have a firewall turned on and that run macOS 10.14 (Mojave) or later, end users might see a pop-up prompting them to allow connections for the Tanium Client. For information about preventing this pop-up, see Manage pop-ups for Tanium Client upgrades.

Configure a deployment that reinstalls existing clients to repair disabled or corrupt clients. With the default selections for advanced options, the deployment reinstalls clients only on endpoints where the client is not communicating properly with the Tanium Server and where the currently installed version is earlier than or the same as the version that you configure in client settings. Any data that the client has collected remains on the client. However, you can configure the deployment to reinstall the client even if it is currently communicating with the server, or to wipe all data before reinstallation. If you configure the deployment to wipe data, the version that you deploy replaces any existing version, since the deployment first removes any version of the client found on the endpoint. You can also optionally disable new installations if you want only to reinstall existing clients.

Prepare for deployment to Linux, macOS, or UNIX endpoints

  1. Configure password-based or SSH key-based authentication based on the authentication requirements on the endpoints.

    On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate with SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

    • The root user
    • A user that is listed in the sudoers file on each endpoint, to allow the account you are using for installation to use sudo

      If you restrict user commands in the sudoers file, you must allow the commands used by Client Management during deployment.

    Specific distributions or your specific environment might have specific authentication requirements.

    Amazon Linux: Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.

  2. Allow traffic from the Module Server to endpoints on TCP port 22 (SSH port, configurable), and allow SFTP access. For more information, see Port requirements for Client Management.

  3. Configure any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH. For more information, see Port requirements for Client Management.

  4. (macOS 10.14 or later only) Create a mobile device management (MDM) profile that provides the necessary permissions for Tanium applications. For more information, see the Tanium Knowledge Base article Tanium and Apple macOS TCC (Transparency, Consent and Control) and Privacy Preferences Policy Control (PPPC) (account required).

  5. (Solaris 11.4 only) Install the legacy pkgadd utilities:

    1. Access the endpoint CLI.
    2. Find the pkgadd IPS package name:

      pkg search pkgadd

      INDEX     ACTION VALUE     PACKAGE
      basename  file            usr/sbin/pkgadd pkg:/package/[email protected]

    3. Install the pkgadd utilities:

      pkg install pkg:/package/[email protected]

  6. (Solaris 10 or 11 only) Install the SUNWgccruntime package if it is not yet installed.

    Although this package is part of a default Solaris installation, some organizations omit it in their standard image.

    1. Determine whether the package is installed:

      pkginfo -l SUNWgccruntime

      The following example output indicates the package is installed:

      PKGINST: SUNWgccruntime
      NAME: GCC Runtime libraries
      CATEGORY: system
      ARCH: sparc
      VERSION: 11.11.0,REV=2010.05.25.01.00
      BASEDIR: /
      VENDOR: Oracle Corporation
      DESC: GCC Runtime - Shared libraries used by gcc and other gnu components
      INSTDATE: Dec 01 2015 11:43
      HOTLINE: Please contact your local service provider
      STATUS: completely installed

    2. If the SUNWgccruntime package is not yet installed, run one of the following commands:

      • Solaris 10 or 11 (without using the Image Packaging System [IPS]):

        # pkgadd -d /path/to/SUNWGccruntime.pkg SUNWgccruntime

      • Solaris 11 using IPS:

        # pkg install SUNWgccruntime

  7. (AIX only) If they are not yet installed, install the IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and, if indicated in the following table, the IBM LLVM runtime libraries file set (libc++.rte). The required xlC.rte version and the requirement for libc++.rte depend on the AIX and Tanium Client version:

    AIX version      | Tanium Client version | xlC.rte version   | libc++.rte required?
    -----------------|-----------------------|-------------------|---------------------
    7.1.3 or earlier | 7.2                   | 13.1.3.1 or later | When xlC.rte version 16.1.0.0 or later is installed, or when required by an installed module or shared service. See Module- and service-specific requirements for the Tanium Client and endpoints for links to specific requirements.
    7.1.4 or later   | All versions          | 16.1.0.0 or later | Yes
    All versions     | 7.4                   | 16.1.0.0 or later | Yes

    Install the file sets as follows:

    1. Access the operating system CLI on the endpoint.
    2. Run the following commands to determine the versions of the currently installed xlC.rte bundle and, if required, the libc++.rte bundle:

      lslpp -l xlC\.*
      lslpp -l libc++\.*

      If the appropriate version of each bundle is already installed where required, skip to Deploying the Tanium Client using Client Management. Otherwise, complete the remaining steps for each bundle that needs to be installed or updated.

    3. Obtain the appropriate xlC.rte and libc++.rte bundles for your system from IBM Fix Central.
    4. Download each bundle to your endpoint.
    5. Extract, unzip, or untar each bundle to the /usr/sys/inst.images directory.
    6. Install the bundles:

      sudo installp -aXYgd /usr/sys/inst.images -e /tmp/install.log all

    7. Review the installation log /tmp/install.log for any errors.
  8. If you use the root account to install, make sure that the sshd_config file on the endpoint allows root login (the PermitRootLogin directive).

  9. Verify that you can log in to the remote system with SSH, using the same credentials that you will use for the Tanium Client deployment.

To protect credentials that are used for client deployment, use one of the following methods:
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Prepare for deployment to Windows endpoints

  1. Configure local or domain accounts with the necessary permissions.

    On each Windows endpoint, you must have an account with Local Administrator rights, or a local or domain account configured that has the following abilities:

    • Remotely connect to the endpoint and authenticate with SMB
    • Create folders within the installation directory for 32-bit applications, or the custom location where the Tanium Client will be installed (by default, C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows)
    • Write and execute files in the Tanium installation directory (by default, C:\Program Files (x86)\Tanium\ for 64-bit versions of Windows, or C:\Program Files\Tanium\ for 32-bit versions of Windows)
  2. Enable Windows file-and-print sharing and administrative shares on the target endpoint, and make sure the Windows Management Instrumentation (WMI) service is enabled and started.

    Enabling these settings and services is required only for installation. You can disable sharing and WMI as needed after the installation.

  3. Configure any host-based firewalls or other security tools on the endpoint that might interfere with WMI, which uses port 135, or file sharing, which uses port 445. For more information, see Port requirements for Client Management.
  4. Allow TCP traffic on ports 135 and 445 from the Tanium Module Server host computer to the endpoints on which you want to deploy the Tanium Client. For more information, see Port requirements for Client Management.
  5. If the endpoint is not joined to a domain, and either you use a non-default Administrator account or you use the default local Administrator account with the Admin Approval Mode for the Built-in Administrator account policy setting enabled, User Account Control (UAC) remote restrictions prevent access to administrative shares and remote installations. These administrative tasks are necessary for deployment of the Tanium Client using Client Management, and you must disable UAC remote restrictions to allow this deployment. To disable UAC remote restrictions, add the following value to the Windows registry and restart the machine:

    Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Data type: REG_DWORD
    Value name: LocalAccountTokenFilterPolicy
    Value data: 1

    Administrative shares are not available in Home editions of Windows operating systems.

    After you deploy the Tanium Client, remove the LocalAccountTokenFilterPolicy registry value or set it to 0 to restore UAC remote restrictions. These restrictions help prevent malicious users from accessing the endpoint remotely with administrative rights.

  6. Verify that you can log in to the remote system using the wmic and net use commands with the same credentials that you will use for the Tanium Client deployment. For example:

    • Port 135: wmic /node:"192.168.1.130" /user:"Administrator" useraccount list brief

    • Port 445: net use p: \\192.168.1.130\C$ password /user:Administrator

To protect credentials that are used for client deployment, use one of the following methods:
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.
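The following script is an added example, not part of the Tanium documentation: it checks the Windows prerequisites listed above on a target endpoint (run locally in an elevated PowerShell session on Windows 8 / Server 2012 or later, which provide Get-SmbShare and Get-NetTCPConnection), and provides a function that restores UAC remote restrictions once deployment is finished, as step 5 recommends. The function names are hypothetical.

```powershell
# Added example (not Tanium's own code). Run on the endpoint in an elevated session.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Test-TaniumDeployPrereqs {
    # Hypothetical helper: reports each prerequisite as $true/$false.
    $results = [ordered]@{}

    # WMI (port 135) and the Server service that publishes administrative shares (port 445)
    foreach ($svc in 'Winmgmt', 'LanmanServer') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $results["Service $svc running"] = ($null -ne $s -and $s.Status -eq 'Running')
    }

    # Administrative shares (not available on Home editions of Windows)
    foreach ($share in 'ADMIN$', 'C$') {
        $results["Share $share present"] = [bool](Get-SmbShare -Name $share -ErrorAction SilentlyContinue)
    }

    # Listeners for RPC/WMI (135) and SMB (445); host firewalls must also allow them
    foreach ($port in 135, 445) {
        $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        $results["TCP $port listening"] = [bool]$listening
    }

    # UAC remote restrictions only block remote installation on endpoints that are not domain-joined
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    $results['Domain joined'] = $domainJoined
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $policyValue = if ($policy) { $policy.$PolicyName } else { 0 }
    $results["$PolicyName = 1"] = ($policyValue -eq 1)
    if (-not $domainJoined -and $policyValue -ne 1) {
        Write-Warning "Endpoint is not domain-joined and $PolicyName is not 1; UAC remote restrictions will block remote installation with a local account."
    }

    [pscustomobject]$results
}

function Restore-UacRemoteRestrictions {
    # Hypothetical helper: removing the value restores the default, which re-enables UAC remote restrictions.
    if (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $PolicyKey -Name $PolicyName
        Write-Host "$PolicyName removed; UAC remote restrictions are back in effect."
    } else {
        Write-Host "$PolicyName is not set; nothing to restore."
    }
}

Test-TaniumDeployPrereqs | Format-List
```

Run Restore-UacRemoteRestrictions after the deployment reports COMPLETE; the value is only needed during installation.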

Configure client settings

Client settings define the Tanium Server, platforms, and installation directories for your client deployment. You can configure multiple client settings to deploy to different types of environments.

  1. From the Client Management menu, click Client Settings, and then click Create.
  2. Specify a descriptive name for the client settings.
  3. Specify the IP address or fully qualified domain name of the Tanium Server. In high-availability deployments and deployments with Zone Servers, you can enter a comma-separated list of all servers, such as: ts1.example.com,ts2.example.com,zs1.example.com.

    The Tanium Module Server must have a connection to endpoints to automatically deploy the Tanium Client using Client Management. Additionally, both the Tanium Server and endpoints must have IPv4 addresses; IPv6 addresses are not supported in Client Management. If you plan to deploy the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, or if you plan to deploy the Tanium Client where only IPv6 addresses are available, you can download and manually deploy an installation bundle. For more information, see Download the installation bundle for alternative deployment.

  4. Select the Client Version to install.
  5. Select the Client Platforms of the endpoints to which you are installing Tanium Client.
  6. Leave the installation directories blank to use the defaults, or enter a custom Installation Directory on Windows or Installation Directory on Non Windows.

    You cannot customize the installation directory on macOS. The fixed installation directory for macOS is /Library/Tanium/TaniumClient.

  7. Enter a Log Level.

    The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.
  8. Leave the default Server Port, or enter a custom port.
  9. In the Space Required for each operating system, enter the space that should be available on a targeted endpoint for the client to be installed.
  10. To change a default client setting, click Add Client Setting, and then enter a Key and Value. For information about specific client settings, see Tanium Client settings.
  11. To add a custom tag to the client during deployment, click Add Client Tag and enter a tag name. The InstalledByTCM tag is included by default so that you can later easily target clients that were installed using Client Management.

    Do not include spaces in a tag name.

  12. Click Save.

Download the installation bundle for alternative deployment

For endpoints that are connected to a Zone Server or that cannot be reached directly from the Tanium Module Server for any other reason, you can download and manually deploy the installation bundle associated with client settings.

After you create or update client settings, the Module Server must retrieve the necessary client installers before you can download the installation bundle. The Download Bundle button becomes available when the download is ready.

  1. From the Client Management menu, click Client Settings.
  2. To download the installation bundle associated with a set of client settings, click Download Bundle in the Actions column.
  3. Deploy the installation bundle to the appropriate endpoints. For more information, see Deploying the Tanium Client using an installer or package file.

Configure client credentials

Client credentials are a list of user name and password combinations for the target endpoints on which you want to install Tanium Client. For specific requirements for authentication and permissions, see Account permissions for Client Management.

  1. From the Client Management menu, click Credentials. Click Create.
  2. Enter a name for the credentials list.
  3. Add a set of credentials to try for each operating system type.

    • (Windows endpoints) If you are using domain credentials, you must enter the user name in the format domain\username. If you are using local credentials, enter only username for the user name.
    • (Non-Windows endpoints) You can add an SSH key. If you are using an SSH key, the private key is required. Click + key, copy the contents of the private key, and paste the contents in the Key field. If the key requires a passphrase, click + keyphrase and enter the passphrase in the Keyphrase field. When you use an SSH key for authentication, a user name is required, and a password is optional. However, endpoints typically still require a password for non-root users, unless the specified user is configured to use sudo without a password.

  4. Click Save.

Configure a deployment

  1. From the Client Management menu, click Deployments, and then click Create.
  2. Specify a name for the deployment, and select the client configuration and credentials that you configured.
  3. Configure targeting. You can target endpoints by a single IP address, a list of IP addresses, a computer name, an IP or CIDR range, or a Discover label. For information about configuring Discover labels, see Tanium Discover User Guide: Labels.

    To define an additional target for the deployment, click Add Target. To remove a target, click Delete.

  4. Configure the settings in the Method section as needed.

  5. Configure the settings in the Installation Options section.

    • To install the client on unmanaged endpoints, make sure New Installation is selected.
    • To determine how to manage endpoints where the client is already installed, select Ignore, Upgrade, or Reinstall. For more information, see Upgrade or reinstall the Tanium Client.
  6. Click Save to save the deployment without running, or Save and Deploy to immediately deploy.

Deploy clients

From the Client Management menu, click Deployments. In the Deployment column, click the name of a deployment.

To run the deployment, click Start.

You can then view the status of the deployment, including a list of the targeted endpoints.

Deployment steps

When you start a deployment, the Module Server takes the following actions to install the Tanium Client:

  1. Pings the targeted endpoints to verify they are online.
  2. Detects the operating system of the endpoints that respond to the ping.
  3. Tries the credentials in the defined credentials list to log into the endpoint for installation.
  4. Checks for the space required on the endpoint as specified in the client settings.
  5. Copies the Tanium public key file for the Tanium Server to the endpoint.
  6. Installs Tanium Client on the endpoint. The version and installation location are defined in the client configuration for the deployment.
  7. Displays the deployment status.

Deployment status

Each successful deployment reports a status of COMPLETE in the Installation Status column.

Filter the endpoints by clicking the status buttons in the grid, or enter filter text in the Filter logs and details box.

For more information about other status messages and troubleshooting deployments, see Troubleshoot deployment problems.

After the deployment is complete, wait a few minutes for the Tanium Client to register with the Tanium Server or Zone Server, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Verify the Tanium Client installation

Wait a few minutes after installation for the Tanium Client to register with the Tanium Server or Zone Server.

After you deploy the Tanium Client, perform the following steps to verify that the client installed correctly and can communicate with the Tanium Server or Zone Server.

  1. From Interact, ask a question to verify that the endpoints respond to the following query: Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines
  2. Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.
  3. (Optional) From the main menu, go to Administration > Management > Client Status or Administration > Configuration > Client Status (the path depends on your Tanium Console version), and review recent client registration details.

    To find a specific Tanium Client, enter a text string in the Filter items field above the grid to filter it by Host Name or Network Location (IP address).