Tanium Client and Client Management requirements

Review the requirements before deploying the Tanium Client to endpoints. Additionally, review the specific requirements for the Tanium Client Management shared service before installing it and using it to deploy and monitor the health of clients.

Endpoint Configuration is also installed as part of Client Management. Also review the Endpoint Configuration requirements before installing Client Management.

Client version and host system requirements

Table 1 lists the supported operating systems on endpoint host systems where you install the Tanium Client.

Hardware resource requirements vary based on the actions that you deploy to the endpoints. See Hardware requirements for baseline RAM and disk space requirements.

Some Tanium modules and shared services have additional requirements for the Tanium Client and endpoint hosts. Table 3 provides links to the user guide sections that list these requirements.

Windows endpoints must have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
  • DigiCert High Assurance EV Root CA (thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25)
  • DigiCert SHA2 Assured ID CA (thumbprint E12D2E8D47B64F469F518802DFBD99C0D86D3C6A)
  • DigiCert SHA2 Assured ID Code Signing CA (thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6)

Supported operating systems

The following table lists operating systems that are supported by the Tanium Client and the Client Management service.

 Table 1: Supported OS versions for Tanium Client hosts
Operating system OS Version Available Executables Tanium Client Version Supported by Client Management Notes
Microsoft Windows Server
  • Currently supported Semi-Annual Channel releases of Windows Server
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
x86 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript, and PowerShell. If you disable any of these features on endpoints, some Tanium functionality might be limited.

  • For Tanium Client versions 7.2.314.3584 and later, PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 or Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.
  • Tanium™ Endpoint Configuration and Tanium modules do not support Windows Server 2008. On Windows Server 2008, the Tanium Client provides only basic visibility and endpoint information.
Windows Server 2008 x86 7.2.314.3632
7.2.314.3584
7.2.314.3476
Microsoft Windows Server
  • Currently supported Semi-Annual Channel releases of Windows Server
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
x86 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript, and PowerShell. If you disable any of these features on endpoints, some Tanium functionality might be limited.

  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.
Microsoft Windows Workstation
  • Windows 10
  • Windows 8
  • Windows 7
x86 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript, and PowerShell. If you disable any of these features on endpoints, some Tanium functionality might be limited.

  • For Tanium Client versions 7.2.314.3584 and later, PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows 7 for PowerShell-based sensors to work on those endpoints.
Microsoft Windows Workstation
  • Windows 10
  • Windows 8
  • Windows 7
x86 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript, and PowerShell. If you disable any of these features on endpoints, some Tanium functionality might be limited.

  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows 7 for PowerShell-based sensors to work on those endpoints.
macOS
  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
  • macOS 10.12 Sierra
  • OS X 10.11.1+ El Capitan
x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3608
7.2.314.3476
7.2.314.3236
  • (macOS 11) The Tanium Client compiled for x86-64 processors has been found to work correctly on macOS endpoints that use the M1 ARM processors with Rosetta 2. Tanium intends to release a universal binary for native code execution on both Intel and Apple ARM processors.

  • (macOS 10.15 or later) Apple introduced the app notarization requirement as a security process in macOS 10.15. If you enable the requirement, you must install Tanium Client 7.2.314.3608 or later on endpoints that run macOS 10.15 or later.

  • (macOS 10.14 or later) The Tanium Core Platform requires a certain content pack to manage endpoints that run macOS 10.14 Mojave or later:

    • Tanium Core Platform 7.0 or later: Tanium™ Default Content 7.1.7 or later
    • Tanium Core Platform 6.5: Tanium™ Initial Content 6.5.17 or later
OS X 10.10 Yosemite x86-64 7.2.314.3476
7.2.314.3236
 
macOS
  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
  • macOS 10.12 Sierra
  • OS X 10.11.1+ El Capitan
x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • (macOS 11) The Tanium Client compiled for x86-64 processors has been found to work correctly on macOS endpoints that use the M1 ARM processors with Rosetta 2. Tanium intends to release a universal binary for native code execution on both Intel and Apple ARM processors.

Linux Amazon Linux 2 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Amazon Linux 1 AMI (2016.09, 2018.03) x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Debian 10.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Debian 9.x, 8.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Debian 7.x, 6.x x86-64 7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Oracle Linux 8.x x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3632
 
Oracle Linux 7.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3632
 
Oracle Linux 6.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3632
 
Oracle Linux 5.x x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
7.2.314.3236
 
  • Red Hat Enterprise Linux (RHEL) 8.x
  • CentOS 8.x
x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
 
  • Red Hat Enterprise Linux (RHEL) 7.x
  • CentOS 7.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
  • Red Hat Enterprise Linux (RHEL) 6.x
  • CentOS 6.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
  • Red Hat Enterprise Linux (RHEL) 5.x
  • CentOS 5.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
7.2.314.3236
  • (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Client Management, but you cannot use Direct Connect to access detailed client health information.

  • SUSE Linux Enterprise Server (SLES) 15
  • openSUSE 15.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
 
  • SUSE Linux Enterprise Server (SLES) 12
  • openSUSE 12.x
x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
 
  • SUSE Linux Enterprise Server (SLES) 11.3, 11.4
  • openSUSE 11.3, 11.4
x86-64 7.2.314.3632
7.2.314.3584
 
Ubuntu 20.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Ubuntu 18.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Ubuntu 16.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Ubuntu 14.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Linux Amazon Linux 2 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Amazon Linux 1 AMI (2016.09, 2018.03) x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Debian 10.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Debian 9.x, 8.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 8.x x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063

 
Oracle Linux 7.x x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 6.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 5.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 8.x
  • CentOS 8.x
x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 7.x
  • CentOS 7.x
x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 6.x
  • CentOS 6.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 5.x
  • CentOS 5.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Client Management, but you cannot use Tanium™ Direct Connect to access detailed client health information.

  • SUSE Linux Enterprise Server (SLES) 15
  • openSUSE 15.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955

 
  • SUSE Linux Enterprise Server (SLES) 12
  • openSUSE 12.x

x86
x86-64

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 20.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Ubuntu 18.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 16.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 14.04 LTS x86-64 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
AIX
  • IBM AIX 7.2
  • IBM AIX 7.1 TL1SP10 and higher
POWER 7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.2.314.3632
7.2.314.3584
  • The Tanium Client for AIX requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte), and, in most cases, the IBM LLVM runtime libraries file set (libc++.rte). For specific requirements for each file set and installation steps, see Prepare for deployment to Linux, macOS, or UNIX endpoints (for deployment using Client Management) or Deploy the Tanium Client to AIX endpoints using a package file.

  • Summary client health information in Client Management includes AIX endpoints, but you cannot use Direct Connect to access detailed client health information.

  • You cannot download the AIX installer from Client Management. To obtain the installer for AIX, contact Tanium support.

Solaris
  • Oracle Solaris 11 SPARC
  • Oracle Solaris 11 x86
  • Oracle Solaris 10 U8 SPARC or higher
  • Oracle Solaris 10 U8 x86 or higher

SPARC
x86

7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3632
7.2.314.3584
  • The Tanium Client for Solaris requires SUNWgccruntime on Solaris 10 and 11.0–11.3.

  • Summary client health information in Client Management includes Solaris endpoints, but you cannot use Direct Connect to access detailed client health information.

  • You cannot download the Solaris installer from Client Management. To obtain the installer for Solaris, contact Tanium support.

Hardware requirements

The following minimums are recommended to install and run the Tanium Client on endpoints:

  • RAM: 2 GB
  • Available disk space: 1 GB

Installed modules or services might require additional RAM and disk space, depending on your usage. Contact Tanium support for guidance on specific configurations.

The modules that are listed in the following table have specific additional hardware requirements. Requirements for RAM refer to the total installed RAM that the client and all installed modules and services require. Requirements for disk space refer to the additional available disk space that each listed module requires. (For additional module- and service-specific requirements, follow the links in Table 3.)

 Table 2: Additional hardware requirements for specific modules
Product | Additional available disk space | Total installed RAM
Comply | 200 MB | (1)
Deploy | 2 GB (2) | (1)
Integrity Monitor | 1 GB | 4 GB
Map | 200 MB | 4 GB
Patch | 2 GB (2) | (1)
Performance | The amount specified in the Database maximum size parameter plus 100 MB | (1)
Reveal | 2 GB | (1)
Threat Response | 3 GB | 4 GB

(1) This module does not have a specific RAM requirement above the baseline 2 GB of RAM that is required by the Tanium Client.

(2) If both Deploy and Patch are installed, only 2 GB of additional available disk space is required for both solutions, for client cache space.

Module and service requirements

Click the links in the following table to see the minimum Tanium Client version (Tanium dependencies) and client endpoint requirements for each Tanium module and shared service.

 Table 3: Module- and service-specific requirements for the Tanium Client and endpoints
Product | Tanium Dependencies | Endpoint Requirements
Asset (2) | Tanium dependencies | Endpoints
Client Management | Tanium dependencies (following this section) | The following sections:
Comply (2) | Tanium dependencies | Endpoints
Connect | Tanium dependencies | Endpoints
Deploy (2) | Tanium dependencies | Endpoints
Direct Connect (2) | Tanium dependencies | Endpoints
Discover (2) | Tanium dependencies | Endpoints
Endpoint Configuration (1) | Tanium dependencies | Endpoints
End-User Notifications | Tanium dependencies | Endpoints
Enforce | Tanium dependencies | Endpoints
Health Check | Tanium dependencies | Endpoints
Impact (2) | Tanium dependencies | Endpoints
Integrity Monitor (2) | Tanium dependencies | Endpoints
Interact | Tanium dependencies | Endpoints
Map (2) | Tanium dependencies | Endpoints
Network Quarantine | Tanium dependencies | Endpoints
Patch (2) | Tanium dependencies | Endpoints
Performance (2) | Tanium dependencies | Endpoints
Protect | Tanium dependencies | Endpoints
Reputation | Tanium dependencies | Endpoints
Reveal (2) | Tanium dependencies | Endpoints
Threat Response (2) | Tanium dependencies | Endpoints
Trends | Tanium dependencies | Endpoints

(1) Tanium™ Endpoint Configuration is automatically installed when you install Client Management 1.5 or later.

(2) This solution requires Endpoint Configuration, to deploy tools and configuration changes to endpoints. You must upgrade Client Management to version 1.5 or later to support the latest version of this solution. For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Tanium Client Management dependencies

Downloading client installers from Client Management does not require a pre-existing installation of Tanium Client.

Using client health features, including using Tanium™ Direct Connect to access detailed client health information, requires a supported Tanium Client (see Supported OS versions for Tanium Client hosts).

To use the Client Management service, make sure that your environment meets the following requirements.

 Table 4: Client Management requirements
Component Requirement
Tanium™ Core Platform 7.3 or later
Tanium™ Module Server

Client Management is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Tanium™ Client

Client Management does not require a pre-existing installation of Tanium Client.

Using client health features, including using Direct Connect to access detailed client health information, requires a supported Tanium Client (see Supported OS versions for Tanium Client hosts).

Tanium solutions

If you clicked Tanium Recommended Installation when you installed Client Management, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install any other solutions you are using, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Client Management requires the given minimum versions to work with the following solutions:

  • Tanium™ Interact 2.4.50 or later
  • Tanium™ Discover 3.1 or later (target endpoints based on Discover tags)
  • Tanium™ Trends 3.6 or later (view charts on the Client Management Home page)
  • Tanium Direct Connect 1.4.3 or later (connect to endpoints to access detailed client health information)

Endpoint Configuration is installed as part of Client Management 1.5 or later. When you install a version of Client Management that includes Endpoint Configuration:

  • Make sure you upgrade each module that uses Endpoint Configuration to a version from after support for Endpoint Configuration was introduced (follow links for Tanium Dependencies from Table 3 and see the release notes for each module).

  • After Endpoint Configuration is installed, do not use the Initial Content - Python solution to deploy Python to endpoints that support Endpoint Configuration (see Tanium Endpoint Configuration User Guide: Endpoints).

Compatibility between Tanium Core Platform servers and Tanium Clients

Tanium Clients can connect only to Tanium Core Platform servers (Tanium Server, Tanium Module Server, and Tanium Zone Server) that run the same Tanium™ Protocol version as the clients or a later version than the clients. Servers and clients at version 7.3 or earlier run Tanium Protocol 314. Servers and clients at version 7.4 or later run Tanium Protocol 315. Effectively, this means that servers are backward-compatible with earlier clients; for example, servers at version 7.4 support Tanium Client 7.2, but Tanium Client 7.4 cannot connect to servers at version 7.2.

For details about the Tanium Protocol, see Tanium Core Platform Deployment Reference Guide: Overview of TLS in the Tanium Core Platform.

The release numbers for Tanium Core Platform servers and Tanium Clients have the format <major release>.<minor release>.<point release>, such as 7.4.5. Clients can connect to the servers when their major and minor release numbers match regardless of whether the point release numbers match. For example, Tanium Client 7.4.5 can connect to Tanium Server 7.4.2.

  • To ensure that all the features and fixes in a release are available to Tanium Core Platform servers and Tanium Clients, upgrade both to the same major, minor, and point release.

  • Do not install the Tanium Client on the same host as a Tanium Core Platform server. If you choose to install the client on Tanium Core Platform server machines, you must take precautions to prevent these servers from being targeted in endpoint actions that might be disruptive to the Tanium environment, and to prevent unauthorized users from accessing the servers as endpoints. You cannot install the client on a Tanium Appliance, and you cannot use Tanium Client Management to install the client on the Tanium Module Server.
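The compatibility rules in this section can be applied to an inventory export before a server or client upgrade. The following is an added example, not Tanium code: the host names and server releases are constructed, the client versions come from Table 1, and the status labels (`blocked`, `aligned`, `drift`) are names chosen for this sketch.

```python
# Added example (not Tanium code): triage client versions against a server release
# using the Tanium Protocol rule and the release-matching advice from this section.
from collections import defaultdict

# Releases 7.3 and earlier run Tanium Protocol 314; 7.4 and later run 315.
PROTOCOL_315_FROM = (7, 4)


def parse_release(version):
    """Return the numeric components of a release string such as '7.4.5.1225'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a release number: {version!r}")
    return tuple(int(p) for p in parts)


def protocol_version(version):
    """Map a client or server release to the Tanium Protocol version it runs."""
    return 315 if parse_release(version)[:2] >= PROTOCOL_315_FROM else 314


def classify(client_version, server_version):
    """Classify one client against the server it is expected to reach.

    blocked - the client runs a later protocol than the server and cannot connect
    aligned - same major, minor, and point release as the server
    drift   - can connect, but the release differs from the server's
    """
    client = parse_release(client_version)
    server = parse_release(server_version)
    if protocol_version(client_version) > protocol_version(server_version):
        return "blocked"
    if client[:3] == server[:3]:
        return "aligned"
    return "drift"


def audit_fleet(inventory, server_version):
    """Group hosts by status; values that are not release numbers are kept visible."""
    parse_release(server_version)  # fail early on a bad server release
    report = defaultdict(list)
    for host, client_version in sorted(inventory.items()):
        try:
            status = classify(client_version, server_version)
        except ValueError:
            status = "unparseable"
        report[status].append(host)
    return dict(report)


# Constructed inventory: host names are invented, versions appear in Table 1.
FLEET = {
    "win-app-01": "7.4.5.1225",
    "rhel-db-02": "7.4.2.2073",
    "sol-legacy-03": "7.2.314.3632",
    "mac-lt-04": "unknown",
}

if __name__ == "__main__":
    for server in ("7.4.5", "7.2.4"):  # constructed server releases
        print(server, audit_fleet(FLEET, server))
```

Hosts reported as `blocked` need the server upgraded first or the client left on its earlier release; `drift` hosts still connect but do not match the server's point release.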

Endpoint accounts

Tanium Client service account

On Windows, the Tanium Client is installed as a service that runs in the context of the Local System account.

On AIX, Linux, macOS, and Solaris, the Tanium Client is installed as a system service, which must run with a User ID (UID) of 0.

Account permissions for Client Management

During client installation using Client Management, you must have an account configured with the appropriate permissions on each endpoint. You add credentials for these accounts during the deployment process (see Configure client credentials). These accounts and permissions are necessary only during deployment, and they can be removed or changed after you successfully deploy clients.

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Windows endpoints

On each Windows endpoint, you must have an account with Local Administrator rights, or a local or domain account configured that has the following abilities:

  • Remotely connect to the endpoint and authenticate with SMB
  • Create folders within the installation directory for 32-bit applications, or the custom location where the Tanium Client will be installed (by default, C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows)
  • Write and execute files in the Tanium installation directory (by default, C:\Program Files (x86)\Tanium\ for 64-bit versions of Windows, or C:\Program Files\Tanium\ for 32-bit versions of Windows)

Non-Windows endpoints

On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate with SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

  • The root user
  • A user that is listed in the sudoers file on each endpoint, to allow the account you are using for installation to use sudo

    If you restrict user commands in the sudoers file, you must allow the commands used by Client Management during deployment.

Specific distributions or your specific environment might have specific authentication requirements.

Amazon Linux: Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.

Network connectivity, ports, and firewalls

TCP/IP requirements for Tanium Client

TaaS and Tanium Core Platform components use TCP/IP to communicate over IPv4 networks and IPv6 networks. Tanium Core Platform 7.2 or earlier supports only IPv4. Contact Tanium Support if you need IPv6 support in version 7.3 or later. Work with your network administrator to ensure that the TaaS instances and Tanium components have IP addresses and can use Domain Name System (DNS) to resolve host names.

Connectivity and TCP/IP requirements for Client Management

The Tanium Module Server must have a connection to endpoints to automatically deploy the Tanium Client using Client Management. Additionally, both the Tanium Server and endpoints must have IPv4 addresses; IPv6 addresses are not supported in Client Management. If you plan to deploy the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, or if you plan to deploy the Tanium Client where only IPv6 addresses are available, you can download and manually deploy an installation bundle. For more information, see Download the installation bundle for alternative deployment.

Port requirements for Tanium Client and Client Management

The following ports are the defaults that are required for Tanium Client communication and for Client Management communication.

 Table 5: Default port requirements for Tanium Client
Source | Destination | Port | Protocol | Purpose
Tanium Client | Tanium Server or TaaS | 17472 | TCP | Used for communication between the Tanium Client and the Tanium Server or TaaS
Tanium Client | Zone Server (1) | 17472 | TCP | Used for communication between the Tanium Client and the Zone Server
Tanium Client | Peer clients | 17472 | TCP | Used for communication between the Tanium Client and peer clients
Peer clients | Tanium Client | 17472 | TCP | Used for communication between the Tanium Client and peer clients
Tanium Client | Tanium Client (loopback) | 17473 | TCP | Used for the Tanium Client API. This port is used with the loopback interface and usually does not require a firewall rule.

(1) This destination is required only when you use a Zone Server.

 Table 6: Port requirements for Client Management
Source | Destination | Port | Protocol | Purpose
Module Server | Endpoints (non-Windows) | 22 | TCP | Used for SSH communication from the module server to the target endpoint during client installation
Module Server | Endpoints (Windows) | 135 | TCP | Used for initiating WMI communication from the module server to the target endpoint during client installation
Module Server | Endpoints (Windows) | 445 | TCP | Used for SMB communication from the module server to the target endpoint during client installation
Module Server | Endpoints (Windows) | 49152–65535 | TCP | Randomly allocated dynamic ports used for WMI communication after it is initiated on port 135. If a different dynamic port range is configured for RPC communication, that port range must be allowed by the firewall.
Tanium Client (internal) | Module Server | 17475 | TCP | Used for direct connection to endpoints for detailed client health information
Tanium Client (external) | Zone Server (1) | 17486 | TCP | Used for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server | Zone Server (1) | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server | Zone Server (1) | 17488 | TCP | Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows.

(1) These ports are required only when you use a Zone Server.

 Table 6: Port requirements for Client Management
Source | Destination | Port | Protocol | Purpose
Tanium Client | TaaS | 17486 | TCP | Used for direct connection to endpoints for detailed client health information

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Some Tanium modules and shared services have additional port requirements for the Tanium Client: see Tanium Core Platform Deployment Reference Guide: Solution-specific port requirements or Tanium as a Service Deployment Guide: Solution-specific port requirements.

Work with your network security administrator to ensure that firewalls and security applications do not block the port that the Tanium Client uses for communication with TaaS, the Tanium Server or Zone Server, and with peer clients (default is port 17472). You can change the port that clients use to communicate with the server by configuring the ServerPort setting. You can also change the port that clients use for peer communication by configuring the ListenPort setting. If you do not configure ListenPort, clients default to using ServerPort for peer communication. The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, firewalls must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For more information about network port requirements in Tanium, see Tanium Core Platform Deployment Reference Guide: Tanium network ports or Tanium as a Service Deployment Guide: Host and network security requirements. For details on client peering settings, see Configuring Tanium Client peering.

  • macOS: The Tanium Client service is signed to automatically allow communication through the default macOS firewall. However, the client installation process does not modify any host-based firewall that might be in use. For more information about managing macOS firewalls, see Manage macOS firewall rules.

    On endpoints that run macOS 10.14 (Mojave) or later, you might have to configure a firewall rule to prevent end users from seeing a pop-up for allowing connections during a Tanium Client upgrade. See Manage pop-ups for Tanium Client upgrades.

  • Linux: For more information about managing Linux firewalls, see Manage Linux firewall rules.

  • The Tanium Server and Zone Server also use port 17472. Therefore, if you install the client on the same host as the server in a Windows deployment, the listening port for client-to-client communication automatically increments to 17473 on that host to prevent port conflicts. This installation is not a best practice (see Compatibility between Tanium Core Platform servers and Tanium Clients).

    If you configure the Tanium Client to randomly select a new listening port at intervals, you must configure endpoint firewalls to allow incoming connections on any port that the Tanium Client process requests. See Randomize listening ports.

  • The port number for the client API is one higher than the client-client listening port, which means that, by default, the API port is 17473. However, if the listening port changes, the API port also changes. For example, if you set ListenPort to 17473, the client API port becomes 17474. Because the API is on the loopback interface (localhost), the API port usually does not require a firewall rule for allowing traffic.
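The port rules in this list can be checked against what an endpoint actually listens on. The following added example (not Tanium code; the function names are hypothetical and the sample lines, laid out like ss -ltn output, are constructed) derives the peer and API ports from ServerPort and ListenPort, then flags a peer port with no non-loopback listener or an API port bound beyond loopback.

```python
import ipaddress

DEFAULT_PORT = 17472  # default stated in the text above

def tanium_ports(server_port=DEFAULT_PORT, listen_port=None):
    """ListenPort falls back to ServerPort; the client API port is ListenPort + 1."""
    listen = server_port if listen_port is None else listen_port
    return {"server": server_port, "listen": listen, "api": listen + 1}

def parse_listeners(ss_output):
    """Map each listening TCP port to its bind addresses (ss -ltn column layout)."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        listeners.setdefault(int(port), set()).add("0.0.0.0" if addr == "*" else addr)
    return listeners

def is_loopback(addr):
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output, server_port=DEFAULT_PORT, listen_port=None):
    """Return findings where the observed listeners contradict the derived ports."""
    ports, seen = tanium_ports(server_port, listen_port), parse_listeners(ss_output)
    findings = []
    if all(is_loopback(a) for a in seen.get(ports["listen"], set())):
        findings.append(f"peer port {ports['listen']}: no listener reachable by LAN peers")
    exposed = sorted(a for a in seen.get(ports["api"], set()) if not is_loopback(a))
    if exposed:
        findings.append(f"API port {ports['api']}: bound beyond loopback on {exposed}")
    return findings

# Constructed samples, not captured from a real endpoint.
DEFAULTS_OK = """\
LISTEN 0 128 0.0.0.0:17472 0.0.0.0:*
LISTEN 0 128 127.0.0.1:17473 0.0.0.0:*
"""
LISTENPORT_17473 = """\
LISTEN 0 128 0.0.0.0:17473 0.0.0.0:*
LISTEN 0 128 127.0.0.1:17474 0.0.0.0:*
"""

if __name__ == "__main__":
    print(audit(DEFAULTS_OK))                          # no findings
    print(audit(LISTENPORT_17473, listen_port=17473))  # no findings
    print(audit(LISTENPORT_17473))                     # audited with stale defaults
```

The last call audits an endpoint whose ListenPort is 17473 as if it used the defaults, so port 17473 is misread as an exposed API port. Firewall rules and audits must follow the configured ListenPort, not the default.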

For additional information about preparing endpoints for remote installation using Client Management, see Prepare for deployment to Linux, macOS, or UNIX endpoints and Prepare for deployment to Windows endpoints.

The following figure illustrates a deployment with external and internal Tanium Clients. In this example, the external clients are in virtual private networks (VPNs) and therefore do not peer with each other (see Configure isolated subnets). Each external client has a leader connection to the Tanium Zone Server. The internal clients peer with each other in linear chains, and each chain connects to the Tanium Server through a backward and forward leader.

Figure  1:  Tanium Client connectivity

The following figure illustrates a deployment where Tanium Clients have direct endpoint connections to TaaS over port 17486 for Tanium modules that use the Tanium™ Direct Connect shared service. Therefore, the firewalls must allow traffic on port 17486 as well as port 17472. The clients in virtual private networks (VPNs) do not peer with each other and each of these clients has a leader connection to TaaS (see Configure isolated subnets). The clients that peer with each other connect to TaaS through backward and forward leaders at opposite ends of their linear chains.

Figure  2:  Tanium Client connectivity

Host system security exclusions

Some environments use security software to monitor and block unknown host system processes. Work with your network and security team to define exclusions that allow TaaS or Tanium Core Platform components and processes to operate smoothly and at optimal performance.

Security exclusions for Tanium Client

For Tanium Client, you typically must configure security software to exempt Tanium Client installation directories from real-time inspection and configure a policy to ignore input and output from Tanium binaries.

The following tools and files have specific requirements for the Tanium Client:

  • Microsoft Group Policy Objects (GPO) or other central management tools for managing host firewalls: You might need to create rules to allow inbound and outbound TCP traffic across the port that the client uses for Tanium traffic (default 17472) on any managed endpoints. See Network connectivity, ports, and firewalls.

  • McAfee Host Intrusion Prevention System (HIPS): Mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, in accordance with McAfee KB71704.

  • Windows Update offline scan file (Wsusscn2.cab): The Tanium Client uses Wsusscn2.cab to assess endpoints for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, see the Microsoft KB for information on configuring those tools to interact appropriately with the Wsusscn2.cab file.

Some Tanium modules and shared services have their own security exclusions for the Tanium Client. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 7 lists Tanium Client directories that anti-virus software or other host-based security applications must exclude from on-access or real-time scans. Include subdirectories of these locations when you create the exception rules. The listed directory paths are the defaults. If you changed the directory locations to non-default paths, create rules that are based on the actual locations.

 Table 7: Security exclusions for Tanium Client directories

| Endpoint OS | Installation Directory |
|---|---|
| Windows (64-bit OS versions) | \Program Files (x86)\Tanium\Tanium Client |
| Windows (32-bit OS versions) | \Program Files\Tanium\Tanium Client |
| macOS | /Library/Tanium/TaniumClient |
| Linux, Solaris, AIX | /opt/Tanium/TaniumClient |
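An exclusion that is broader than the directory in Table 7 also removes unrelated software from real-time scanning, and one that is narrower leaves part of the client inspected. The following added example (not Tanium code; the function name, the C: drive letter, and the sample policies are assumptions) classifies configured exclusion paths against the client directory.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Default installation directories from Table 7. The C: drive letter is an assumption.
DEFAULT_DIRS = {
    "windows-x64": PureWindowsPath(r"C:\Program Files (x86)\Tanium\Tanium Client"),
    "windows-x86": PureWindowsPath(r"C:\Program Files\Tanium\Tanium Client"),
    "macos": PurePosixPath("/Library/Tanium/TaniumClient"),
    "linux": PurePosixPath("/opt/Tanium/TaniumClient"),  # also Solaris, AIX
}

def audit_exclusions(os_key, configured, install_dir=None):
    """Classify configured exclusion paths against the Tanium Client directory.

    install_dir overrides the default when the client was installed elsewhere.
    """
    flavour = type(DEFAULT_DIRS[os_key])
    target = flavour(install_dir) if install_dir else DEFAULT_DIRS[os_key]
    report = {"exact": [], "too_broad": [], "partial": [], "unrelated": []}
    for raw in configured:
        path = flavour(raw)
        while path.name in ("*", "**"):  # trailing wildcard: "and everything below"
            path = path.parent
        if path == target:
            kind = "exact"
        elif path in target.parents:
            kind = "too_broad"   # also exempts unrelated software from scanning
        elif target in path.parents:
            kind = "partial"     # only part of the client directory is covered
        else:
            kind = "unrelated"
        report[kind].append(raw)
    return report

# Constructed exclusion lists, as an administrator might export them from a policy.
LINUX_POLICY = ["/opt", "/opt/Tanium/TaniumClient/Tools", "/var/tmp"]
WINDOWS_POLICY = [r"c:\program files (x86)\tanium\tanium client\*"]

if __name__ == "__main__":
    print(audit_exclusions("linux", LINUX_POLICY))
    print(audit_exclusions("windows-x64", WINDOWS_POLICY))
```

Windows paths compare case-insensitively here, so the lower-case policy entry still matches the Table 7 directory.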

Security applications must allow (not block, quarantine, or otherwise process) the following system processes. The <Tanium Client> variable indicates the Tanium Client installation directory, which is configurable during client installation.

 Table 8: Security exclusions for system processes on Tanium Client endpoints

| Endpoint OS | Process |
|---|---|
| Windows, macOS, Linux | <Tanium Client>/Tools/StdUtils directory or all the files that it contains, including: 7za.exe (Windows) or 7za (macOS, Linux); runasuser.exe (Windows only); runasuser64.exe (Windows only); TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux); TaniumFileInfo.exe (Windows only); TPowerShell.exe (Windows only) |
| macOS, Linux, Solaris, AIX | <Tanium Client>/TaniumClient |
| macOS, Linux, Solaris, AIX | <Tanium Client>/taniumclient |
| macOS, Linux | <Tanium Client>/distribute-tools.sh |
| macOS, Linux | <Tanium Client>/TaniumCX |
| Windows | <Tanium Client>\TaniumClient.exe |
| Windows | <Tanium Client>\TaniumCX.exe |

Security exclusions for Client Management

If you are using the Tanium Client Management service, your security administrator must create the following additional exclusions to allow the Client Management processes to run without interference.

The <Tanium Client> variable refers to the Tanium Client installation directory, which is configurable during client deployment.

The <Module Server> variable refers to the Tanium Module server installation directory.

 Table 9: Client Management security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\client-management-service\node.exe |
| Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe |
| Windows x86 endpoints | During client installation | Process | \Program Files\Tanium\TaniumClientBootstrap.exe |
| Windows x86 endpoints | During client installation | Process | \Program Files\Tanium\SetupClient.exe |
| Windows x86 endpoints | During client installation | Process | <Tanium Client>\SetupClient.exe |
| Windows x86 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| Windows x86 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| Windows x86 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll |
| Windows x86 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Windows x86 endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| Windows x64 endpoints | During client installation | Process | \Program Files (x86)\Tanium\TaniumClientBootstrap.exe |
| Windows x64 endpoints | During client installation | Process | \Program Files (x86)\Tanium\SetupClient.exe |
| Windows x64 endpoints | During client installation | Process | <Tanium Client>\SetupClient.exe |
| Windows x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| Windows x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| Windows x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll |
| Windows x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Windows x64 endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| macOS endpoints | During client installation | Process | /Library/Tanium/TaniumClientBootstrap |
| macOS endpoints | During client installation | Process | /Library/Tanium/SetupClient |
| macOS endpoints | During client installation | Process | <Tanium Client>/SetupClient |
| macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib |
| macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib |
| macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| Linux endpoints | During client installation | Process | /opt/Tanium/TaniumClientBootstrap |
| Linux endpoints | During client installation | Process | /opt/Tanium/SetupClient |
| Linux endpoints | During client installation | Process | <Tanium Client>/SetupClient |
| Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so |
| Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig |
| Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so |
| Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |
| Solaris and AIX endpoints | During client installation | Process | /opt/Tanium/TaniumClientBootstrap |
| Solaris and AIX endpoints | During client installation | Process | /opt/Tanium/SetupClient |
| Solaris and AIX endpoints | During client installation | Process | <Tanium Client>/SetupClient |

 Table 9: Client Management security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Windows x86 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| Windows x86 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| Windows x86 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll |
| Windows x86 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Windows x86 endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| Windows x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| Windows x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| Windows x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll |
| Windows x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Windows x64 endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib |
| macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib |
| macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so |
| Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig |
| Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so |
| Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to add the following URL to the approved list.

  • https://content.tanium.com

User role requirements for Client Management

The following tables list the role permissions required to use Client Management. To review a summary of the predefined roles, see Set up Client Management users.

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

To install Client Management, you must have the Import Signed Content Administration permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

 Table 10: Client Management user role permissions
Permission | Client Management Administrator [1, 2, 3] | Client Management User [3] | Client Management Read-Only User [3] | Client Management API User [4] | Client Management Auditor [4] | Client Management Operator [1, 2] | Client Management Endpoint Configuration Approver [2] | Client Management Service Account [2, 3, 5]

Client-management API

Access the Client Management API


EXECUTE

EXECUTE

Client-management Configurations

Access client and deployment configurations


READ
WRITE

READ

READ

Client-management Credentials

Access the credentials list (cannot view associated passwords or key data)


READ
WRITE

READ

READ

Client-management Deployments

Access data about client deployments


READ
WRITE
EXECUTE

READ
EXECUTE

READ

Client-management Direct

Connect to an endpoint using Direct Connect and read data from that endpoint


CONNECT


CONNECT

Client-management Endpoint Configuration / Client Management Endpoint Configuration

Approve Endpoint Configuration items for Client Management


APPROVE

Client-management Manage

Manage Client Management components


COMPONENTS

Client-management Read Audit

Read audit log with API


LOG

LOG

Client-management Settings

Access platform settings in the Client Management module


WRITE

WRITE

Client-management Support Bundle

Access the Client Management support bundle


READ

READ

Client-management

Download installation packages for the Tanium Client when using Client Management in TaaS


OPERATE

Clientmanagement

View the Client Management workbench


SHOW

SHOW

SHOW

SHOW

SHOW

SHOW

1 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 This role is used internally and is not typically assigned to users.

5 By default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

 

 Table 11: Provided Client Management Administration and Platform content user role permissions
Permission Role Type Client Management Administrator Client Management User Client Management Read-Only User Client Management API User Client Management Auditor Client Management Operator Client Management Endpoint Configuration Approver Client Management Service Account
Action Group Administration
READ

READ

READ

READ

READ

READ

READ
WRITE
Action Platform Content
READ
WRITE
Filter Group Platform Content
READ

READ

READ

READ

READ

READ
Own Action Platform Content
READ
Package Platform Content
READ
WRITE
Plugin Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question Platform Content
READ

READ

READ

READ

READ

READ

READ
WRITE
Sensor Platform Content
READ

READ

READ

READ

READ

READ

READ
You can view which content sets are granted to any role in the Tanium Console.

 

 Table 12: Optional roles for Client Management

| Role | Enables |
|---|---|
| Discover Read Only User | For service account: Deploy to endpoints based on Discover labels |

For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Managing roles.