Requirements

This page summarizes requirements you must understand before deploying the Tanium Client to endpoints.

Host system requirements

The following table summarizes basic requirements for endpoint host systems where you install the Tanium Client. Hardware resource requirements vary based on the actions that you deploy to the endpoints; contact Tanium Support for guidance.

We strongly recommend that all Windows endpoints have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
  • DigiCert High Assurance EV Root CA (thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25)
  • DigiCert SHA2 Assured ID CA (thumbprint E12D2E8D47B64F469F518802DFBD99C0D86D3C6A)
  • DigiCert SHA2 Assured ID Code Signing CA (thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6)
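
One way to check an endpoint for the four certificates above before deployment, as an added PowerShell example that is not part of the Tanium documentation. The choice of stores (LocalMachine Root, CA and Disallowed) is an assumption; the page does not say which store must hold each certificate.

```powershell
# Added example, not Tanium's code: report whether each certificate listed
# above is installed in the local machine certificate stores.
$required = [ordered]@{
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' = 'DigiCert Assured ID Root CA'
    '5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25' = 'DigiCert High Assurance EV Root CA'
    'E12D2E8D47B64F469F518802DFBD99C0D86D3C6A' = 'DigiCert SHA2 Assured ID CA'
    '92C1588E85AF2201CE7915E8538B492F605B80C6' = 'DigiCert SHA2 Assured ID Code Signing CA'
}

# Assumption: the page names no store, so look in both the trusted root store
# and the intermediate CA store. Disallowed is checked as well because a
# certificate placed there is explicitly distrusted.
$trustStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$blockStore  = 'Cert:\LocalMachine\Disallowed'

$report = foreach ($thumb in $required.Keys) {
    # Collect every trust store that holds this thumbprint.
    $found = @(foreach ($store in $trustStores) {
        if (Test-Path -Path "$store\$thumb") { $store }
    })
    $cert = if ($found.Count -gt 0) { Get-Item -Path "$($found[0])\$thumb" }

    [pscustomobject]@{
        Name       = $required[$thumb]
        Thumbprint = $thumb
        Installed  = $found.Count -gt 0
        Stores     = $found -join ', '
        Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        Disallowed = Test-Path -Path "$blockStore\$thumb"
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a deployment job stop before installing the client.
$bad = @($report | Where-Object { -not $_.Installed -or $_.Expired -or $_.Disallowed })
if ($bad.Count -gt 0) { exit 1 }
```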

Table 1:   Supported OS versions for Tanium Client hosts
| Operating system | OS Version | Tanium Client Version |
|---|---|---|
| Microsoft Windows Server * | Windows Server 2019; Windows Server 2016; Windows Server 2012, 2012 R2; Windows Server 2008 R2 * | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Windows Server 2008 | 7.2.314.3584, 7.2.314.3476 |
| Microsoft Windows Workstation | Windows 10; Windows 8; Windows 7 | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Windows Vista | 7.2.314.3584, 7.2.314.3476 |
| macOS * | macOS 10.15 Catalina *; macOS 10.14 Mojave **; macOS 10.13 High Sierra; macOS 10.12 Sierra; OS X 10.11.1+ El Capitan | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3608, 7.2.314.3476, 7.2.314.3236 |
| | OS X 10.10 Yosemite | 7.2.314.3476, 7.2.314.3236 |
| Linux | Amazon Linux 2 LTS (2017.12) | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03) | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Debian 10.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063 |
| | Debian 9.x, 8.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Debian 7.x, 6.x | 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Oracle Linux 8.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.2.314.3632 |
| | Oracle Enterprise Linux 7.x, 6.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Oracle Enterprise Linux 5.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236 |
| | Red Hat Enterprise Linux (RHEL) 8.x; CentOS 8.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584 |
| | Red Hat Enterprise Linux (RHEL) 7.x, 6.x; CentOS 7.x, 6.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Red Hat Enterprise Linux (RHEL) 5.x; CentOS 5.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236 |
| | SUSE Linux Enterprise Server (SLES) 15; openSUSE 15.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632 |
| | SUSE Linux Enterprise Server (SLES) 12; openSUSE 12.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584 |
| | SUSE Linux Enterprise Server (SLES) 11.3, 11.4; openSUSE 11.3, 11.4 | 7.2.314.3632, 7.2.314.3584 |
| | Ubuntu 20.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063 |
| | Ubuntu 18.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Ubuntu 16.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| | Ubuntu 14.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| AIX * | IBM AIX 7.2; IBM AIX 7.1 TL1SP10 and higher | 7.4.4.1250, 7.4.4.1226, 7.2.314.3632, 7.2.314.3584 |
| Solaris * | Oracle Solaris 11 SPARC; Oracle Solaris 11 x86; Oracle Solaris 10 U8 SPARC or higher; Oracle Solaris 10 U8 x86 or higher | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584 |

Notes for Table 1:

  • * Microsoft Windows Server: Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.
  • * Windows Server 2008 R2: Tanium modules that use Python Runtime Services require Windows Server 2008 R2 endpoints to have Service Pack 1 (SP1) or higher.
  • * macOS: Intel processor only.
  • * macOS 10.15 Catalina: If you enable the app notarization requirement (a security process that Apple introduced in macOS 10.15), you must install Tanium Client 7.2.314.3608 or later.
  • ** macOS 10.14 Mojave: See the Tanium™ Support Knowledge Base for the minimum Tanium product versions required to support endpoints that run macOS 10.14 Mojave or later.
  • * AIX: Requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte). For the required xlC.rte version and the steps to install it, see Deploying the Tanium Client to AIX endpoints.
  • * Solaris: Requires SUNWgccruntime.

Admin account

On Windows, the Tanium Client is installed as a service that runs in the context of the Local System account.

On AIX, Linux, macOS, and Solaris, the Tanium Client is installed as a system service. On Linux, the service must run with a User ID (UID) of 0.

Network connectivity and firewall

Tanium components use TCP/IP to communicate over IPv4 networks and IPv6 networks. Tanium Core Platform 7.2 or earlier supports only IPv4. Contact Tanium Support if you need IPv6 support in version 7.3 or later. You must work with your network administrator to ensure that the Tanium components are provisioned with IP addresses and that DNS can be used to resolve host names.

Work with your network security administrator to ensure that the ports that the Tanium Client uses are not blocked. Tanium Clients send and receive data from the Tanium Server and other Tanium Clients over TCP port 17472. Clients dynamically communicate with peers based on proximity and latency. Peer chains form to match an enterprise topology automatically. For example, endpoints in California form one chain, while endpoints in Germany form a separate chain. With this dynamic configuration in mind, you must allow bi-directional TCP communication on port 17472 between clients on the same local area network, but not necessarily between all clients on the internal network.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Some Tanium modules and shared services have additional port requirements for the Tanium Client: see Tanium Core Platform Deployment Reference Guide: Module- and service-specific port requirements.

If you configure the Tanium Client to randomly select a new listening port at intervals, you must configure endpoint firewalls to allow incoming connections on any port that the Tanium Client process requests. See Randomize listening ports.

On endpoints that run macOS 10.14 (Mojave) or later, you might have to configure a firewall rule to prevent end users from seeing a pop-up for allowing connections during a Tanium Client upgrade. See Manage popups for Tanium Client upgrades.

Host system security exclusions

Some environments use security software to monitor and block unknown host system processes. Work with your network and security team to allow Tanium processes. Define exclusions to allow the Tanium™ platform components to operate smoothly and at optimal performance. Typically, this means configuring the security software to exempt the Tanium™ Client installation directories from real-time inspection as well as setting a policy to ignore I/O from the Tanium binaries.

If you use Microsoft Group Policy Objects (GPO) or other central management tools to manage host firewalls, you might need to create rules to allow inbound and outbound TCP traffic across port 17472 on any managed endpoints.
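
Host firewall rules that match the port requirements above, including the randomized listening port case, as an added PowerShell example for Windows Defender Firewall (not Tanium's own tooling). The rule names, the LocalSubnet peer scope and the use of the default 64-bit install path are assumptions; adjust them to your environment.

```powershell
# Added example, not Tanium's tooling. Needs an elevated session and the
# NetSecurity module (Windows 8 / Windows Server 2012 or later).
param(
    # Set when the client is configured to pick a new listening port at intervals.
    [switch]$RandomizedListeningPort,
    # Assumption: "same local area network" is approximated by LocalSubnet.
    [string[]]$PeerScope = 'LocalSubnet',
    # Assumption: default 64-bit installation folder from Table 2.
    [string]$ClientExe = "${env:ProgramFiles(x86)}\Tanium\Tanium Client\TaniumClient.exe"
)

$rules = @(
    # Client to the Tanium Server (and to peers that listen on the fixed port).
    @{ DisplayName = 'Example: Tanium Client outbound TCP 17472'
       Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 17472 }
)

if ($RandomizedListeningPort) {
    # The port is not known in advance, so scope the inbound rule to the
    # client binary and allow any TCP port that process listens on.
    $rules += @{ DisplayName = 'Example: Tanium Client inbound (randomized port)'
                 Direction = 'Inbound'; Protocol = 'TCP'; Program = $ClientExe
                 RemoteAddress = $PeerScope }
} else {
    # Fixed port: a plain TCP rule, independent of application identity.
    $rules += @{ DisplayName = 'Example: Tanium Client inbound TCP 17472'
                 Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 17472
                 RemoteAddress = $PeerScope }
}

foreach ($rule in $rules) {
    # Idempotent: skip a rule that an earlier run already created.
    if (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue) {
        continue
    }
    New-NetFirewallRule @rule -Action Allow | Out-Null
}

# Show what is now in place so the result can be reviewed or logged.
Get-NetFirewallRule -DisplayName 'Example: Tanium Client*' |
    Select-Object DisplayName, Direction, Action, Enabled
```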

If running McAfee Host Intrusion Prevention System (HIPS), mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, per McAfee KB71704.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Table 2 lists Tanium Client folders that antivirus or other host-based security applications must exclude from on-access or real-time scans. Include subfolders of these locations when you create the exception rules. The listed folder paths are the defaults. If you changed the folder locations to non-default paths, create rules based on the actual locations.

Some Tanium solution modules have their own requirements for the Tanium Client. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 2:   Security exclusions for Tanium Client folders
| Endpoint OS | Installation Folder |
|---|---|
| Windows 32-bit | \Program Files\Tanium\Tanium Client\ |
| Windows 64-bit | \Program Files (x86)\Tanium\Tanium Client\ |
| macOS | /Library/Tanium/TaniumClient |
| Linux, Solaris, AIX | /opt/Tanium/TaniumClient |

For additional folder exclusions that are required when you use the Tanium Client Management service to install Tanium Clients, see Tanium Core Platform Deployment Reference Guide: Client Management.

The following system processes must be allowed (not blocked, quarantined, or otherwise processed). The <Tanium Client> variable indicates the installation folder of the Tanium Client.

Table 3:   Security exclusions for system processes on Tanium Client endpoints
| Endpoint OS | Notes | Process |
|---|---|---|
| Windows, macOS, Linux | | <Tanium Client>/Tools/StdUtils folder or all the files that it contains, including: 7za.exe (Windows) or 7za (macOS, Linux); runasuser.exe (Windows only); runasuser64.exe (Windows only); TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux); TaniumFileInfo.exe (Windows only); TPowerShell.exe (Windows only) |
| | 7.2.x clients | <Tanium Client>/Python27/*.dll |
| | 7.4.x clients | <Tanium Client>/Python38/*.dll |
| macOS, Linux, Solaris, AIX | | TaniumClient |
| | | taniumclient |
| macOS, Linux | | distribute-tools.sh |
| | | TaniumCX |
| | | python |
| Windows | | TaniumClient.exe |
| | | TaniumCX.exe |
| | | TPython.exe |