Installing Client Management

Tanium as a Service automatically handles module installations and upgrades.

Install Client Management to help deploy and manage the Tanium Client in your environment.

Use the Solutions page to install Client Management and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Client Management is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For more information about the automatic configuration for Client Management, see Import and configure Client Management with default settings.
  • Manual configuration with custom settings: After installing Client Management, you must manually configure required settings. Select this option only if Client Management requires settings that differ from the recommended default settings. For more information, see Import and configure Client Management with custom settings.

To install Client Management, you must have the Import Signed Content Administration permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

Endpoint Configuration is automatically installed when you install Client Management. For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

When you import Client Management, sign in to the Tanium Console with the account that will be used as the Client Management and Endpoint Configuration service account. The Endpoint Configuration service account is set to the account that you used to import the Client Management service, regardless of whether you use automatic configuration when you import Client Management.

Before you begin

Import and configure Client Management with default settings

The Tanium Client Management action group is set to the computer groups All Linux, All Mac, and All Windows.

When you import Client Management with automatic configuration, the following default settings are configured:

  • The Client Management service account is set to the account that you used to import the solution.
  • The Tanium Client Management action group is set to the computer groups All Linux, All Mac, and All Windows.

(Tanium Core Platform 7.4.5 or later only) You can set the module action group to target the No Computers filter group by enabling restricted targeting before adding the module to your Tanium licenseimporting the module. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the module action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

If you use restricted targeting to set the Client action group to target the No Computers filter group, set the Client Management action group to the computer group All Computers or the computer groups All Linux, All Mac, and All Windows.

To import Client Management and configure default settings, see Tanium Console User Guide: Import all modules and services. After the import, verify that the correct version is installed: see Verify Client Management version.

Import and configure Client Management with custom settings

To import Client Management without automatically configuring default settings, follow the steps in Tanium Console User Guide: Manage shared services and content. After the import, verify that the correct version is installed: see Verify Client Management version.

Configure the service account

The service account is a user that runs several background processes for Client Management. This user requires the following roles and access:

  • Content Administrator and Tanium Client Administrator, or Tanium Administrator
  • (Optional) Discover Read Only User role, to deploy to endpoints based on labels created in Tanium Discover

For more information about Client Management permissions, see User role requirements for Client Management.

To configure the service account:

  1. From the Main menu, click Administration > Shared Services > Client Management to open the Client Management Home page.
  2. Click Settings and open the Service Account tab.
  3. Update the service account settings and click Save.

Configure the Client action group

The Client Management is not created by default. Create the Tanium Client Management action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click New Group.
  3. For the Name, enter Tanium Client Management.
  4. Select computer groups to include in the action group, and click Save.

    Set the Tanium Client Management action group to the computer group All Computers or the computer groups All Linux, All Mac, and All Windows.

Configure Endpoint Configuration

The Tanium Endpoint Configuration action group is set to the computer group All Computers.

When you import Client Management (regardless of whether you use automatic configuration), the following default settings are configured for Endpoint Configuration:

  • The Endpoint Configuration service account is set to the account that you used to import the Client Management service.
  • The Tanium Endpoint Configuration action group is set to the computer group All Computers.

If you use restricted targeting to set the Endpoint Configuration action group to target the No Computers filter group, make sure you set the action group to target the appropriate endpoints before using any modules. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group.

Leave the Endpoint Configuration action group set to the default of All Computers. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.

For information about initially configuring Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Verifying and configuring Endpoint Configuration.

Verify Client Management version

After you import or upgrade Client Management, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Administration > Shared Services > Client Management to open the Client Management Overview page.
  3. To display version information, click Info Info.

(Tanium 7.2.x, 7.3.x only) Upload Tanium public key

If you are using Tanium Server 7.2.x or 7.3.x, upload the Tanium public key. This public key enables the connection between the clients you are installing and the Tanium Server. This configuration occurs automatically with Tanium Server 7.4 and later.

  1. From the Client Management Home page, click Settings .
  2. Click Choose File and select the tanium.pub file for your Tanium Server. The tanium.pub file is in the top-level installation directory for the Tanium Server.
  3. Click Upload.

Add client installation files for air-gapped environments

If you cannot enable communication between your Tanium Module Server and content.tanium.com, contact Tanium Support for help with configuring client installers on the Tanium Module Server.

Upgrade Client Management

For the steps to upgrade Client Management, see Tanium Console User Guide: Import, re-import, or update specific solutions. After the upgrade, verify that the correct version is installed: see Verify Client Management version.