Planning the Tanium Client deployment

Deploying the Tanium Client to enterprise computers and integrating the deployment into standard IT processes involves multiple phases, as illustrated in the following figure. Each phase involves various considerations, tools, and options.

Figure  1:  Tanium Client deployment phases

Review the following best practices for each phase.

Assess the environment where you are deploying the Tanium Client

When planning the deployment of the Tanium Client, assess the following factors to help determine the client settings to use during deployment.

  • IPv4 or IPv6 protocol: The network protocol that you use determines the addresses that you use for Tanium Servers or Zone Servers, the client peering settings you use, and the deployment methods available. For more information about TCP/IP requirements, see Network connectivity, ports, and firewalls.

  • Tanium infrastructure: Whether your Tanium environment uses a single Tanium Server or an active-active cluster, and whether it uses Zone Servers determines the server addresses you specify during deployment. For more information about Tanium Core Platform servers, see Tanium Core Platform Deployment Guide for Windows and Tanium Appliance Deployment Guide.

  • Proxy servers: If endpoints must connect to a Tanium Server or Zone Server Tanium Cloud through a proxy server, you must configure the appropriate client settings For more information, see Connect through an HTTPS forward proxy server.

    Configure proxy server settings during client deployment.

  • Subnets and WAN connections: If the network includes wide area network (WAN) connections between peers on the same subnet defined by the default /24 address mask, or it there are other factors that would slow connections between such peers, you might need to use Tanium Client peering settings to adjust the boundaries of the linear chains in which Tanium Clients form peer relationships. For more information about how Tanium Client peering works, see Client peering.

    Use the default client peering settings when all endpoints on a subnet defined by the default /24 address mask share a high-speed local connection. Contact Tanium Support for guidance in adjusting client peering settings.

  • Endpoint resources: If you are deploying the Tanium Client to endpoints with limited resources, virtualized servers, or virtual desktop infrastructure (VDI) instances, you might need to adjust certain client settings, such as disabling logging and increasing the "distribute over time" value for actions. For more information, see Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources and Preparing the Tanium Client on a virtual desktop infrastructure (VDI) instance.

  • Licensing in VDI environments: The Tanium Server Tanium Cloud allocates a license for each unique Tanium Client for 30 days after that client last registers with the Tanium Server or Tanium Zone Server.Tanium Cloud. Each VDI instance that is created or reimaged counts as a licensed endpoint for at least 30 days, and each VDI instance that is deleted continues to consume a license for 30 days after it last registers.

    Use the following formula to calculate the number of licenses required to support your Tanium deployment.

    Devices and VDI Instances Estimated Count
    Physical endpoints and persistent VDI instances +
    VDI instances that are created or reimaged over a 30-day period +
    Physical endpoints that are added or reimaged over a 30-day period +
    Total required licenses =

    For assistance with licensing, contact Tanium Support.

For more information about configuring the Tanium Client for connections to the Tanium Core Platform and to peer clients, see Configuring connections to the Tanium Core Platform and Configuring Tanium Client peering.

Determine deployment methods and pilot the deployment

The available deployment tools are:

  • Tanium Client Management service: You can deploy any version of the Tanium Client to any number of endpoints in a single operation.operation using a satellite. For details, see the Deploying the Tanium Client using Client Management.
  • Existing application package deployment tools: You can use standard third-party tools, such as System Center Configuration Manager (SCCM), Altiris, LANDESK, Puppet, and Casper. You can also use custom scripts that run the appropriate installation commands. For details about the installer files and client settings that are required to deploy the client, see Deploying the Tanium Client using an installer or package file.

Pilots usually target fewer than 5,000 endpoints. During your pilot, test deploying the Tanium Client with the standard software package deployment tool of your organization, or use Client Management if at least one endpoint that is connected to the network must also have a connection to Tanium Cloud. you have direct network access to the pilot endpoints and an account with the necessary permissions on each endpoint. For more information about the requirements to deploy clients with Client Management, see Tanium Client and Client Management requirements.

This guide does not describe third-party tool-specific procedures for deploying the Tanium Client. For details on using a third-party tool with Tanium installers, refer to the documentation for that tool.

Deploy to an initial set of endpoints

After the pilot, an initial deployment into an enterprise might target 500,000 endpoints or more, and the deployment might reach across data center, headquarter, and branch locations.

For the initial rollout, use either Client Management or the standard application package deployment tools with which your IT organization and end users are already familiar.

To monitor containers on endpoints, install and configure the Tanium™ Client Container on those endpoints after you deploy the Tanium Client. For more information see Tanium Containers Deployment Guide.

Onboard new computers

Plan to integrate the Tanium Client installation into standard build processes for new computers, such as Microsoft Deployment Toolkit task sequences. You can optionally install the client within operating system-specific images to adhere to organizational policies for provisioning new computers or virtual desktop infrastructure (VDI) instances. See Preparing the Tanium Client on OS images. When a new computer boots for the first time, the Tanium Client starts and registers with Tanium Cloud the Tanium Server.

  • For bare-metal provisioning of Windows or Linux endpoints, you can use Tanium™ Provision. For more information, see Tanium Provision User Guide.

  • For onboarding macOS endpoints, you can use Tanium™ Mac Device Enrollment. Mac Device Enrollment supports macOS 11 or later. For more information, see Tanium Mac Device Enrollment User Guide.

Maintain continuous hygiene

After the initial rollout, establish policies and procedures to enforce the use of the Tanium Client on endpoints in an enterprise network. Many organizations use Active Directory (AD) computer startup scripts to ensure that the Tanium Client is installed and that the Tanium Client service is started. Contact Tanium Support for details.

Use Tanium™ Discover to scan for previously unmanaged or even unknown endpoints. For more information, see the Tanium Discover User Guide.

You can use Client Management to continuously monitor the health of installed clients. Quickly identify outliers and issues by viewing aggregated information for clients on supported operating systems. Diagnose specific issues with Windows, Linux, and macOS clients by directly connecting and exploring individualized client health information. For more information, see Monitor the client health overview in Client Management.

For an overview of Tanium Client maintenance tasks, see Maintaining Tanium Clients.