Planning the Tanium Client deployment

Deploying the Tanium Client to enterprise computers and integrating the deployment into standard IT processes involves multiple phases, as illustrated in the following figure. Each phase involves various tools and options. Contact Tanium Support for details about these options.

Figure 1: Tanium Client deployment options

Review the following best practices for each phase.

Assess network topology and Tanium infrastructure

When planning the deployment of the Tanium Client, assess the following factors to help determine the client settings to use during deployment.

  • IPv4 or IPv6 protocol: The network protocol that you use determines the addresses that you use for Tanium Servers or Zone Servers, as well as the client peering settings you use. For more information about TCP/IP requirements, see Network connectivity, ports, and firewalls.

  • Tanium infrastructure: Whether your Tanium environment uses a single Tanium Server or an active-active cluster, and whether it uses Zone Servers, determines the server addresses you specify during deployment. For more information about Tanium Core Platform servers, see Tanium Core Platform Deployment Guide for Windows and Tanium Appliance Deployment Guide.

  • Proxy servers: If endpoints must connect to a Tanium Server, Zone Server, or TaaS through a proxy server, you must configure the appropriate client settings. For more information, see Connect through an HTTPS proxy server.

    Configure proxy server settings during client deployment.

  • Subnets and WAN connections: If the network includes wide area network (WAN) connections between peers on the same subnet defined by the default /24 address mask, or if there are other factors that would slow connections between such peers, you might need to use Tanium Client peering settings to adjust the boundaries of the linear chains in which Tanium Clients form peer relationships. For more information about how Tanium Client peering works, see Client peering.

    Use the default client peering settings when all endpoints on a subnet defined by the default /24 address mask share a high-speed local connection. Contact Tanium Support for guidance in adjusting client peering settings.
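As a planning aid for the subnet and WAN assessment above, the following added example (not from the Tanium documentation and not a Tanium tool) groups an endpoint inventory by the default /24 boundary and flags any boundary whose endpoints sit at more than one site. The inventory format, site labels, and function name are assumptions; the sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: (endpoint address, site label). Not real data.
SAMPLE_INVENTORY = [
    ("10.20.30.11", "hq"),
    ("10.20.30.57", "hq"),
    ("10.20.31.5", "hq"),
    ("10.20.31.200", "branch-east"),  # same /24 as the line above, different site
    ("10.40.8.14", "branch-west"),
    ("2001:db8:10:1::25", "hq"),
    ("not-an-address", "hq"),
]


def peering_boundary_review(inventory, prefix_len=24):
    """Group IPv4 endpoints by the /prefix_len boundary and flag mixed-site subnets.

    Assumption of this example: the /24 mask is applied to IPv4 addresses only;
    IPv6 endpoints are listed separately so they can be planned on their own.
    """
    sites_by_subnet = defaultdict(set)
    ipv6, invalid = [], []
    for raw, site in inventory:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            invalid.append(raw)  # keep bad rows visible instead of dropping them
            continue
        if addr.version == 6:
            ipv6.append(str(addr))
            continue
        subnet = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        sites_by_subnet[str(subnet)].add(site)
    # More than one site inside a boundary implies a WAN hop between would-be peers.
    review = {s: sorted(v) for s, v in sites_by_subnet.items() if len(v) > 1}
    default_ok = sorted(s for s, v in sites_by_subnet.items() if len(v) == 1)
    return {"review": review, "default_ok": default_ok, "ipv6": ipv6, "invalid": invalid}


if __name__ == "__main__":
    report = peering_boundary_review(SAMPLE_INVENTORY)
    for subnet, sites in report["review"].items():
        print(f"REVIEW   {subnet}: endpoints at {', '.join(sites)}")
    for subnet in report["default_ok"]:
        print(f"DEFAULT  {subnet}: single site")
    print(f"IPv6 endpoints to plan separately: {report['ipv6']}")
    print(f"Unparseable inventory rows: {report['invalid']}")
```

Subnets listed under REVIEW are the ones to raise with Tanium Support when asking about adjusted peering settings; the rest match the case where the default settings apply.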

For more information about configuring the Tanium Client for connections to Tanium servers and to peer clients, see Configuring connections to the Tanium Core Platform and Configuring Tanium Client peering.

Determine deployment methods and pilot the deployment

Pilots usually target fewer than 5,000 endpoints. During your pilot, test deploying the Tanium Client with the standard software package deployment tool of your organization, or use Client Management if you have direct network access to the pilot endpoints and an account with the necessary permissions on each endpoint. For more information about the requirements to deploy clients with Client Management, see Tanium Client and Client Management requirements.

Some standard third-party tools include System Center Configuration Manager (SCCM), Altiris, LANDESK, Puppet, and Casper. You can also use custom scripts. For details about the installer files and client settings that are required to deploy the client, see Deploying the Tanium Client using an installer or package file.

The available deployment tools are:

  • Tanium Client Management service: You can deploy any version of the Tanium Client to any number of endpoints in a single operation. For details, see Deploying the Tanium Client using Client Management.
  • Existing application package deployment tools: You can use standard third-party tools, such as System Center Configuration Manager (SCCM), Altiris, LANDESK, Puppet, and Casper. You can also use custom scripts that run the appropriate installation commands. For details about the installer files and client settings that are required to deploy the client, see Deploying the Tanium Client using an installer or package file.

This guide does not describe third-party tool-specific procedures for deploying the Tanium Client. Contact Tanium Support for details on using these tools.

Deploy to an initial set of endpoints

After the pilot, an initial deployment into an enterprise might target 500,000 endpoints or more, and the deployment might reach across data center, headquarters, and branch locations.

For the initial rollout, use either Client Management or the standard application package deployment tools with which your IT organization and end users are already familiar.

Onboard new computers

Plan to integrate the Tanium Client installation into standard build processes for new computers, such as Microsoft Deployment Toolkit task sequences. You can optionally install the client within operating system-specific images to adhere to organizational policies for provisioning new computers or virtual desktop infrastructure (VDI) instances; see Preparing the Tanium Client on OS images. When a new computer boots for the first time, the Tanium Client starts and registers with TaaS or the Tanium Server.

Maintain continuous hygiene

After the initial rollout, establish policies and procedures to enforce the use of the Tanium Client on endpoints in an enterprise network. Many organizations use Active Directory (AD) computer startup scripts to ensure that the Tanium Client is installed and that the Tanium Client service is started. Contact Tanium Support for details.

Use Tanium™ Discover to scan for previously unmanaged or even unknown endpoints. For more information, see the Tanium Discover User Guide.

You can use Client Management to continuously monitor the health of installed clients. Quickly identify outliers and issues by viewing aggregated information for clients on supported operating systems. Diagnose specific issues with Windows, Linux, and macOS clients by directly connecting and exploring individualized client health information. For more information, see Monitoring client health in the Client Management service.