Maintaining Tanium Clients

Perform regular maintenance tasks to ensure that Tanium Clients are connected and in good health, so that Tanium successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Tanium Clients are not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting Tanium Clients and Client Management for related procedures.

For information about general management of Tanium Clients, see Managing Tanium Clients.

Perform as-needed maintenance

Configure automated maintenance

Audit and remediate disconnected Tanium Clients

In some cases, users with local administrative rights might be able to uninstall the Tanium Client, stop the Tanium Client service, or tamper with Tanium Client files. Use Tanium Discover to regularly audit endpoints to which you have deployed the Tanium Client, and automatically redeploy the Tanium Client to previously managed endpoints that have become unmanaged.

  1. Configure a profile in Discover that scans endpoints to which you have deployed the Tanium Client. For more information, see Tanium Discover User Guide: Scan types.

  2. Configure an automatic label in Discover (such as Disconnected) with conditions that identify endpoints on which you expect the Tanium Client to be installed. For more information, see Tanium Discover User Guide: Automatically label interfaces.

    Discover labels must have the following settings to be used with Client Management:

    • Type: Automatic
    • Activity: Retain
    • Retain Activity: Label
  3. Regularly review the label you created in Discover. Optionally, configure a Connect destination to alert you of newly unmanaged endpoints that the label identifies. For more information, see Tanium Discover User Guide: Export interface data to a Connect destination.
  4. Configure a deployment in Client Management that targets the Discover label you created. Enable the Run deployment whenever a Discover import is detected setting, or reissue the deployment after the label identifies newly unmanaged endpoints. For more information, see Deploying the Tanium Client using Client Management.

If redeploying the Tanium Client is unsuccessful or does not successfully reconnect the endpoint, other issues might be preventing the Tanium Client from connecting or registering. For troubleshooting information, see Troubleshoot issues with connection and registration.

To reduce the likelihood of casual tampering by users with local administrator rights on Windows, you can take measures to harden the Tanium Client on Windows. For more information, see (Optional) Harden the Tanium Client on Windows. Performing regular audits of unmanaged assets is a best practice regardless of whether you have hardened the Tanium Client on Windows.

Perform weekly maintenance

Check the endpoint leader percentage

In linear chains of Tanium Clients, minimizing the percentage of endpoints that function as leaders helps to reduce bandwidth usage in communications with Tanium Servers and Tanium™ Zone Servers. The leader percentage varies among networks and no specific percentage is ideal for all networks. However, unexpected changes in the percentage might indicate network issues that your networking team must address. For example, a sharp increase in the percentage might cause excessive wide area network (WAN) traffic. Therefore, monitor changes in the leader percentage over time by recording the percentage at weekly intervals.

For details about leaders, linear chains, and how the servers evaluate subnet boundaries, see Client peering.
  1. Configure the TPAN report if it is not already configured. See Tanium Health Check User Guide: Configuring Health Check.
  2. Open the latest TPAN report and select the Tuning page.
  3. Check the value of What's the actual or anticipated leader count percentage?

    Typically, this value does not change significantly unless your network changes in ways that affect the number and size of client subnets.

  4. If the leader percentage changes more than expected, investigate the possible causes. The percentage might change if:
    • Subnets join or leave your network. Check the endpoint count to see if the number of managed endpoints has changed. If the change is due to new subnets, verify that they are authorized to join your network. If the change is due to subnets no longer registering with Tanium Servers or Tanium Zone Servers, verify whether network disruptions or misconfigurations are responsible.
    • A shift occurs between the number of users who are connecting within your internal network and the number who are connecting through virtual private network (VPN) connections. Typically, VPN endpoints do not peer with each other and therefore each one is effectively a leader. See Configure isolated subnets.
  5. Contact Tanium Support for help optimizing the leader count, if necessary.

Check the endpoint count

The number of managed endpoints might fluctuate as endpoints join or leave your network. View the number of managed endpoints to check for potential anomalies and to ensure compliance with your Tanium license:

  • Go to the Tanium Home page to check the Total Endpoints. This field displays the most accurate tally of online and offline managed endpoints that have registered with Tanium Cloud, or with the Tanium Server or Zone Server, within the retention period (default is 30 days). For details, see Tanium Console User Guide: View environment status.

    If the endpoint count is lower than expected, investigate whether network disruptions or misconfigurations prevent endpoints from registering. If the count is higher than expected, verify that the new endpoints are authorized to join your network.

    You can configure an automatic Discover label and a Connect destination to alert you when endpoints become unmanaged. See Audit and remediate disconnected Tanium Clients.

  • Go to Administration > Configuration > Client Status to check the endpoint count as it relates to your Tanium license, regardless of whether it matches the Total Endpoints value on the Tanium Home page. For details, see Tanium Console User Guide: View managed endpoints count for license compliance.

    Track changes in the weekly endpoint count to project future growth. Contact Tanium Support to update your license for a higher number of maximum managed endpoints if necessary.

Review and update tags

If you use computer groups for which membership is based on custom tags or enhanced tags, review which endpoints have which tags. Deploy changes to the tags and configure new computer groups if necessary.

Review and update enhanced tags

For the steps to review and update enhanced tags, sign in to the Tanium™ Knowledge Base and see the Enhanced Tags Documentation.

Review and update custom tags

  1. Determine which endpoints have which tags. See Tanium Console User Guide: Review custom tags.
  2. Add or remove custom tags if necessary. See Tanium Console User Guide: Manage custom tags for computer groups.
  3. Create or delete computer groups with tag-based membership if necessary. See Tanium Console User Guide: Managing computer groups.

    You cannot change the membership definition of existing computer groups. You must delete existing groups and recreate them with the correct definition.

  4. Add or edit action groups to target tag-based computer groups if necessary. See Tanium Console User Guide: Managing action groups.

Perform monthly maintenance

Perform the following tasks to review the state of the Tanium Clients running on endpoints, as well as client communication and registration with Tanium Cloud, or with Tanium Servers and Zone Servers. If you observe client issues that require resolution, see Troubleshooting Tanium Clients and Client Management.

Review and remediate Tanium Client health and client extension issues

  1. From the Main menu, go to Shared Services > Client Management.

  2. From the Client Management menu, select Client Health and click the Deployment tab to review the Health Failures panel. This panel shows failures associated with Tanium™ Client Extensions. Perform the remaining steps if you need to troubleshoot client extension issues.
  3. Click the Interact action in the Health Failures panel to display the question results that provide the panel data.

  4. Retrieve any additional details from endpoints that you need to diagnose client extension issues. See Tanium Console User Guide: Managing question results.
  5. To resolve client extension failures, see the following sections:

Review and adjust the distribution of Tanium Client registration traffic

Tanium Clients must register with a Tanium™ Cloud Client Edge, Tanium Server, or Zone Server for the client hosts to function as managed endpoints. As clients and client subnets are added to or removed from your network, you might have to update connections to Client Edge URLs, or client-server connections, to optimize registration traffic.

Each Tanium Client connects to only one Tanium Cloud Client Edge, Tanium Server, or Zone Server at a time. However, to avoid a single point of failure, you can configure the ServerNameList setting with a list of Client Edge URLs or servers to which the client can attempt a connection. The Client Edge URLs are available in the Tanium™ Cloud Management Portal (CMP). For more information, see Tanium Cloud Deployment Guide: Getting started with Tanium Cloud.

For details about Client Edge URLs and client-server connections, see Configuring connections to the Tanium Core Platform.

To determine which Client Edges or servers are processing client registrations and, if necessary, to rebalance registration traffic among them:

  1. From the Main menu, go to Shared Services > Client Management.
  2. From the Client Management menu, select Client Health and click the Settings tab.
  3. Scroll to the ServerNameList setting to determine whether clients are connecting to the correct Client Edges or servers and that the list is the same for all clients.
  4. Review the ServerName setting to verify that client connections are balanced among Client Edges or Zone Servers.
  5. Deploy actions with packages that reset the ServerNameList settings if necessary, either to ensure that all clients target the same, correct list of Client Edge URLs or to connect clients to different servers. See Content for configuring connections to Tanium Cloud or Tanium Core Platform servers. To verify that clients can connect to Client Edges, see Tanium Cloud Deployment Guide: Step 5: Deploy Tanium Client.
  6. Add Zone Servers if necessary to rebalance client registration traffic and then repeat step 5 to connect clients to those servers. See the procedure for your Tanium infrastructure:
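If you export the ServerNameList and ServerName question results to CSV, the checks in steps 3 and 4 can be scripted rather than done by eye. The following Python example is added here and is not Tanium's own tooling; the CSV column names, the comma-separated ServerNameList format, the host names and port, and the 20% imbalance tolerance are all assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of exported question results; the column names and the
# comma-separated ServerNameList format are assumptions, not a real export.
SAMPLE_CSV = '''Computer Name,ServerNameList,ServerName
host01,"ts1.example.com:17472,zs1.example.com:17472",ts1.example.com:17472
host02,"ts1.example.com:17472,zs1.example.com:17472",zs1.example.com:17472
host03,"zs1.example.com:17472,ts1.example.com:17472",ts1.example.com:17472
host04,"ts1.example.com:17472,zs1.example.com:17472",ts1.example.com:17472
host05,old-ts.example.com:17472,old-ts.example.com:17472
'''
EXPECTED_LIST = "ts1.example.com:17472,zs1.example.com:17472"

def parse_results(text):
    """Read exported question results into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def normalize(value):
    """Trim whitespace around entries but keep order: a reordered list is
    still a different ServerNameList from the one you expect."""
    return ",".join(p.strip() for p in value.split(",") if p.strip())

def list_drift(rows, expected=EXPECTED_LIST):
    """Step 3: clients whose ServerNameList differs from the expected list."""
    want = normalize(expected)
    return {r["Computer Name"]: r["ServerNameList"]
            for r in rows if normalize(r["ServerNameList"]) != want}

def server_shares(rows):
    """Step 4: fraction of clients currently registered with each server."""
    counts = Counter(r["ServerName"].strip() for r in rows)
    total = sum(counts.values())
    return {srv: n / total for srv, n in counts.items()}

def unbalanced(rows, expected=EXPECTED_LIST, tolerance=0.2):
    """Expected servers whose share is more than `tolerance` from an even
    split, plus any server that is not in the expected list at all.
    The 0.2 tolerance is an arbitrary threshold chosen for this example."""
    servers = normalize(expected).split(",")
    fair = 1 / len(servers)
    shares = server_shares(rows)
    flagged = {s: shares.get(s, 0.0) for s in servers
               if abs(shares.get(s, 0.0) - fair) > tolerance}
    flagged.update({s: f for s, f in shares.items() if s not in servers})
    return flagged
```

Clients reported by list_drift are candidates for the ServerNameList reset action in step 5; servers reported by unbalanced are where to start when deciding whether to move clients or add Zone Servers.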

Review and update Tanium Client logging levels

Tanium Clients generate logs that can help you troubleshoot issues. Higher logging levels record more details about events on clients but also consume more client resources. The default logging level is 1. Review client logging levels and adjust them if necessary to ensure new endpoints that join your network have optimal logging levels.

Set the logging level to 0 (logging disabled) for clients that run on sensitive endpoints, endpoints with limited resources, or virtual desktop infrastructure (VDI) endpoints.

For details about logging levels, see Tanium Core Platform Deployment Reference Guide: Logging levels.

For Tanium™ Client Containers, the default logging level is 10 and you cannot change it through actions. Contact Tanium Support to change the logging level on Client Containers.

For details about logs on Tanium Clients, see Troubleshooting Tanium Clients and Client Management.

  1. From the Client Management menu, go to Client Health and click the Settings tab.

    If the logging level is set to a value other than the default 1 on any clients, the LogVerbosityLevel setting displays the Count of clients for each value. If all clients have the default value, the page does not display the setting.

    To verify that the logging level is set to the best practice value 0 for clients on VDI endpoints, select All Virtual Machines in the Computer Group drop-down.

  2. To update the logging level on clients, see Managing client settings and Index configurations in Client Management.

Review and update Tanium Client settings

  1. From the Client Management menu, go to Client Health and click the Settings tab.
  2. Verify that the setting values are correct and that the Count column indicates they apply to the expected number of clients.
  3. To update settings, see Managing client settings and Index configurations in Client Management.

Review and upgrade Tanium Client versions

The best practice is to run the latest Tanium Client version on all endpoints. However, in certain cases, temporarily running earlier client versions might be acceptable for some endpoints. For example, if you are rolling out client upgrades in phases, one group of endpoints at a time, you might want to finish testing the upgrade for the first phase before upgrading more endpoints in the next phase. Endpoints might also run an earlier client version if the upgrade process failed.

For details about client versions, see Client version and operating system requirements.

Determine which endpoints are running a client that is not at the latest version and decide whether to accept the earlier versions or upgrade the clients:

  1. From the Main menu, go to Administration > Client Management.

  2. Scroll to the Health dashboard to see the Client Version panel.
  3. If any endpoints are running an earlier client version, click the Client Version title and then click the Interact action in the Client Version panel to display the question results that provide the panel data.

  4. Retrieve any details from endpoints that you need to determine whether the versions are appropriate, upgrades are required, or upgrades failed.

    For example, select a Filter by Computer Group option (such as All Windows) or issue a drill-down question. For the steps to retrieve additional details, see Tanium Console User Guide: Managing question results.

  5. Upgrade the client on any endpoints that require the latest version. See Upgrading Tanium Clients.
  6. Troubleshoot client upgrade issues if necessary. See Troubleshooting Tanium Clients and Client Management.

Review and update Tanium Client subnets

Separated subnets, intentional subnets, and isolated subnets provide methods for modifying the default peering behavior of Tanium Clients. Default peering settings define the boundaries of client subnets in the Tanium linear chain architecture. As subnets are added to or removed from your network, you might have to update the client subnet configurations. For example, add isolated subnets for any new virtual private networks (VPNs).

For details about client peering and subnets, see Configuring Tanium Client peering.

Review and update isolated subnets

Configure isolated subnets for Tanium Clients that are in VPNs. VPN clients have local IP addresses in a special VPN address block, but their host endpoints are actually not close to each other. If VPN clients are not isolated, they use WAN links for peering and latency is significantly greater than for client-to-server connections.

  1. Go to Administration > Configuration > Subnets and review the Isolated Subnets. If necessary, consult your networking team to determine if the configurations require updates.
  2. Update isolated subnet configurations if necessary. See Configure isolated subnets.

Review and update separated subnets

Configure separated subnet configurations to apply more granular subnet boundaries for Tanium linear chains than the default boundaries.

  1. Go to Administration > Configuration > Subnets and review the Separated Subnets. If necessary, consult your networking team to determine if the configurations require updates.
  2. Update separated subnet configurations if necessary. See Configure separated subnets.

Review and update intentional subnets

In a network configuration that uses network address translation (NAT), you might have to configure intentional subnets to ensure that clients in the same subnet can peer with each other.

  1. From the Main menu, go to Administration > Configuration > Client Status.

    The Network Location (from client) values indicate which clients are in the same subnet based on the AddressMask setting. See AddressMask.

    The Network Location (from server) column indicates the NAT IP addresses of clients.

  2. Select the endpoints that are in the same subnet but are not peering because their NAT IP addresses differ.

  3. Click Export, set the Format to List of Clients - CSV, and click Export.
  4. Go to Administration > Configuration > Subnets and compare the Intentional Subnets configurations to the exported list of clients.
  5. Update the intentional subnet configurations if necessary to enable peering among clients in the same subnets. See Configure intentional subnets.