Tanium Client and Client Management requirements

Review the requirements before deploying the Tanium Client to endpoints. Additionally, review the specific requirements for the Tanium Client Management shared service before installing it and using it to deploy clients, monitor client health, manage client settings, or upgrade clients.

Endpoint Configuration is installed as part of Client Management, so also review the Endpoint Configuration requirements before installing Client Management.

Client version and operating system requirements

The Supported OS versions for Tanium Client hosts table lists the supported operating systems on endpoint host systems where you install the Tanium Client.

Hardware resource requirements vary based on the actions that you deploy to the endpoints. See Hardware requirements for baseline RAM and disk space requirements.

Some Tanium modules and shared services have additional requirements for the Tanium Client and endpoint hosts. The Solution-specific requirements for the Tanium Client and endpoints table provides links to the user guide sections that list these requirements.

Windows endpoints must have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA
    (thumbprint 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43)
  • DigiCert High Assurance EV Root CA
    (thumbprint 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25)
  • DigiCert SHA2 Assured ID CA
    (thumbprint E1:2D:2E:8D:47:B6:4F:46:9F:51:88:02:DF:BD:99:C0:D8:6D:3C:6A)
  • DigiCert SHA2 Assured ID Code Signing CA
    (thumbprint 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6)

For certificate downloads, see DigiCert: Download DigiCert root and intermediate certificates, and for more information about installing certificates, see DigiCert Support.
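The following PowerShell check is an added example, not Tanium or DigiCert code. It audits a Windows endpoint for the four certificates listed above by thumbprint. The function name `Test-RequiredCaCertificate` and the choice of machine stores to search (`Root`, `CA`, and `Disallowed`) are assumptions made for this example.

```powershell
# Added example, not Tanium code. Thumbprints are copied from the list above.
$RequiredCa = [ordered]@{
    'DigiCert Assured ID Root CA'              = '05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43'
    'DigiCert High Assurance EV Root CA'       = '5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25'
    'DigiCert SHA2 Assured ID CA'              = 'E1:2D:2E:8D:47:B6:4F:46:9F:51:88:02:DF:BD:99:C0:D8:6D:3C:6A'
    'DigiCert SHA2 Assured ID Code Signing CA' = '92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6'
}

# Hypothetical helper: reports, per required certificate, whether it is
# present in a trusted machine store, missing, outside its validity period,
# or explicitly distrusted on this endpoint.
function Test-RequiredCaCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Required,

        # Assumption: look in the machine-wide Trusted Root and
        # Intermediate Certification Authorities stores.
        [string[]]$TrustedStore = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'),

        # A certificate in this store is distrusted even if it is also
        # present in a trusted store.
        [string]$DisallowedStore = 'Cert:\LocalMachine\Disallowed'
    )

    $now = Get-Date
    foreach ($name in $Required.Keys) {
        # The certificate provider exposes thumbprints as 40 uppercase hex
        # digits without separators, so strip the colons before comparing.
        $thumb = ($Required[$name] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($thumb.Length -ne 40) {
            throw "Thumbprint for '$name' is not a 40-digit SHA-1 value."
        }

        $found = @(foreach ($store in $TrustedStore) {
            Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $thumb } |
                ForEach-Object { [pscustomobject]@{ Store = $store; Cert = $_ } }
        })

        $blocked = @(Get-ChildItem -Path $DisallowedStore -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb })

        $valid = @($found | Where-Object {
            $_.Cert.NotBefore -le $now -and $_.Cert.NotAfter -ge $now
        })

        $status = if ($blocked.Count -gt 0) {
            'Disallowed'
        } elseif ($found.Count -eq 0) {
            'Missing'
        } elseif ($valid.Count -eq 0) {
            'OutsideValidity'
        } else {
            'Present'
        }

        [pscustomobject]@{
            Name       = $name
            Thumbprint = $thumb
            Status     = $status
            Store      = ($found.Store | Select-Object -Unique) -join ', '
            NotAfter   = ($found.Cert.NotAfter | Sort-Object | Select-Object -Last 1)
        }
    }
}

# Run the audit and list anything that needs attention before deployment.
$report = Test-RequiredCaCertificate -Required $RequiredCa
$report | Format-Table -AutoSize
$report | Where-Object Status -ne 'Present' |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Status)" }
```

Any row whose status is not `Present` identifies a certificate to install or investigate before the Tanium Client binaries can be verified on that endpoint.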

Supported operating systems

The following table lists supported operating systems and versions for endpoints connected to Tanium™ Cloud or an on-premises Tanium installation, and the versions of the Tanium Client that are supported for each OS version in each type of deployment. The table also indicates Client Management service support for each OS version. The Client Management service supports all listed OS versions.

Because Tanium Cloud requires Tanium Client 7.4 or later, some legacy operating systems are not supported. Tanium Cloud supports only the operating system versions and associated Tanium Client versions listed in the following table.

You cannot use Client Management to install a Tanium Client version earlier than 7.4.7.1094.

Supported OS versions for Tanium Client hosts
Operating system | OS Version | Available Executables | Tanium Client Version | Supported by Client Management | Notes
Microsoft Windows Server
  • Windows Server 2022
  • Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel)
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
x86 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Some Tanium sensors and packages require unrestricted access to Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you restrict any of these features on endpoints, Tanium functionality is limited.

  • For Tanium Client versions 7.2.314.3584 and later, PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 or Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.
  • Tanium™ Endpoint Configuration and Tanium modules do not support Windows Server 2008. On Windows Server 2008, the Tanium Client provides only basic visibility and endpoint information.
Windows Server 2008 x86 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
Microsoft Windows Server
  • Windows Server 2022
  • Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel)
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
x86 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Some Tanium sensors and packages require unrestricted access to Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you restrict any of these features on endpoints, Tanium functionality is limited.
  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.
Microsoft Windows Workstation
  • Windows 11
  • Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel)
  • Windows 8
  • Windows 7 (SP1)
x86 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • Tanium Client 7.4.10.1054 or later supports running the x86 binary on Windows 11 endpoints with Arm processors. Windows RT is not supported. Arm processor support on Windows 11 also requires Tanium Client Management 1.12.150. Support for each solution might require a specific minimum version of that solution, and some solutions have specific limitations for Windows 11 endpoints with Arm processors. For more information, see the release notes and user guide for each solution.
  • Some Tanium sensors and packages require unrestricted access to Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you restrict any of these features on endpoints, Tanium functionality is limited.

  • For Tanium Client versions 7.2.314.3584 and later, PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows 7 for PowerShell-based sensors to work on those endpoints.
Microsoft Windows Workstation
  • Windows 11
  • Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel)
  • Windows 8
  • Windows 7 (SP1)
x86 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Tanium Client 7.4.10.1054 or later supports running the x86 binary on Windows 11 endpoints with Arm processors. Windows RT is not supported. Arm processor support on Windows 11 also requires Tanium Client Management 1.12.150. Support for each solution might require a specific minimum version of that solution, and some solutions have specific limitations for Windows 11 endpoints with Arm processors. For more information, see the release notes and user guide for each solution.
  • Some Tanium sensors and packages require unrestricted access to Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you restrict any of these features on endpoints, Tanium functionality is limited.

  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows 7 for PowerShell-based sensors to work on those endpoints.
macOS
  • macOS 13 Ventura
  • macOS 12 Monterey
  • macOS 11 Big Sur
Universal
x86-64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3608
7.2.314.3476
7.2.314.3236
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3608
7.2.314.3476
7.2.314.3236
macOS
  • macOS 13 Ventura
  • macOS 12 Monterey
  • macOS 11 Big Sur
Universal
x86-64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
Linux Amazon Linux 2 LTS x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • ARM64 support is available only in Tanium Client 7.4.7.1130 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Amazon Linux 1 AMI (2018.03) x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Debian 11.x x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Debian 10.x

x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Debian 9.x, 8.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Debian 7.x, 6.x x86-64 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
Oracle Linux 9.x x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Oracle Linux 8.x x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3660
7.2.314.3657
7.2.314.3632

  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Oracle Linux 7.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3660
7.2.314.3657
7.2.314.3632

 
Oracle Linux 6.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3660
7.2.314.3657
7.2.314.3632

  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
Oracle Linux 5.x x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
7.2.314.3236
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • Red Hat Enterprise Linux (RHEL) 9.x
  • AlmaLinux 9.x
  • Rocky Linux 9.x
x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

  • Red Hat Enterprise Linux (RHEL) 8.x
  • CentOS 8.x
  • AlmaLinux 8.x
  • Rocky Linux 8.x
x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

  • (CentOS 8.x) CentOS Stream is a separate distribution and is not supported.

  • In Client Management, you can deploy only Tanium Client 7.4.5.1204 or later to AlmaLinux or Rocky Linux.
  • Red Hat Enterprise Linux (RHEL) 7.x
  • CentOS 7.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
  • Red Hat Enterprise Linux (RHEL) 6.x
  • CentOS 6.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • Red Hat Enterprise Linux (RHEL) 5.x
  • CentOS 5.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
7.2.314.3236
  • (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Client Management, but you cannot use Direct Connect to access detailed client health information.

  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • SUSE Linux Enterprise Server (SLES) 15
  • openSUSE 15.x

x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632

 
  • SUSE Linux Enterprise Server (SLES) 12
  • openSUSE 12.x
x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
 
  • SUSE Linux Enterprise Server (SLES) 11.3, 11.4
  • openSUSE 11.3, 11.4
x86-64 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
Ubuntu 22.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Ubuntu 20.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Ubuntu 18.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Ubuntu 16.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Ubuntu 14.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Linux Amazon Linux 2 LTS x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • ARM64 support is available only in Tanium Client 7.4.7.1130 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Amazon Linux 1 AMI (2018.03) x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Debian 11.x x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Debian 10.x

x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Debian 9.x, 8.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 9.x x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Oracle Linux 8.x x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063

  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

Oracle Linux 7.x x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 6.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
Oracle Linux 5.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • Red Hat Enterprise Linux (RHEL) 9.x
  • AlmaLinux 9.x
  • Rocky Linux 9.x
x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

  • Red Hat Enterprise Linux (RHEL) 8.x
  • CentOS 8.x
  • AlmaLinux 8.x
  • Rocky Linux 8.x
x86-64
ARM64
7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • ARM64 support is available only in Tanium Client 7.4.10.1034 or later.
  • Support for ARM64 architecture for each solution requires a specific minimum version of that solution. For more information, see solution release notes.

  • (CentOS 8.x) CentOS Stream is a separate distribution and is not supported.

  • Red Hat Enterprise Linux (RHEL) 7.x
  • CentOS 7.x
x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 6.x
  • CentOS 6.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • Red Hat Enterprise Linux (RHEL) 5.x
  • CentOS 5.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Client Management, but you cannot use Tanium™ Direct Connect to access detailed client health information.

  • TSDB-CX, which is a client extension installed by Tanium™ Client Management, requires a newer version of glibc and cannot be installed on this OS. Client Management is supported and functions as normal, but some monitoring and data collection features that are used for troubleshooting are not available.
  • SUSE Linux Enterprise Server (SLES) 15
  • openSUSE 15.x

x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955

 
  • SUSE Linux Enterprise Server (SLES) 12
  • openSUSE 12.x

x86
x86-64

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 22.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Ubuntu 20.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Ubuntu 18.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 16.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 14.04 LTS x86-64 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
AIX

IBM AIX 7.1 TL4 or later

POWER 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
  • The Tanium Client for AIX requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte), and, in most cases, the IBM LLVM runtime libraries file set (libc++.rte). For specific requirements for each file set and installation steps, see Prepare for deployment to Linux, macOS, or UNIX endpoints (for deployment using Client Management) or Deploy the Tanium Client to AIX endpoints using a package file.

  • Summary client health information in Client Management includes AIX endpoints, but you cannot use Direct Connect to access detailed client health information.

  • Tanium™ Endpoint Configuration and Tanium modules do not support AIX versions earlier than 7.1 TL4. On these versions of AIX, the Tanium Client provides only basic visibility and endpoint information.
  • IBM AIX 7.1 TL1 (Service Pack 10 or later)
  • IBM AIX 7.1 TL2
  • IBM AIX 7.1 TL3
POWER 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
AIX

IBM AIX 7.1 TL4 or later

POWER 7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
Solaris
  • Oracle Solaris 11 SPARC
  • Oracle Solaris 11 x86
  • Oracle Solaris 10 U8 SPARC or higher
  • Oracle Solaris 10 U8 x86 or higher

SPARC
x86

7.4.10.1067
7.4.10.1060
7.4.10.1054
7.4.10.1034
7.4.9.1077
7.4.9.1062
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
  • The Tanium Client for Solaris requires SUNWgccruntime on Solaris 10 and 11.0–11.3.

  • Summary client health information in Client Management includes Solaris endpoints, but you cannot use Direct Connect to access detailed client health information.

Hardware requirements

The following minimums are recommended to install and run the Tanium Client on endpoints:

  • CPU cores: 2
  • RAM: 2 GB
  • Available disk space: 1 GB

On an endpoint that does not use functionality from Tanium modules and uses the Tanium Client only for basic visibility and endpoint information, the Tanium Client can function with a single-core CPU. However, overall performance of the endpoint might be reduced.

Virtual desktop infrastructure (VDI) environments: For better performance, provide at least two CPU cores for each VDI instance, even if CPU cores are overprovisioned.

Installed modules or services might require additional RAM and disk space, depending on your usage. Other applications that run on an endpoint require additional CPU, RAM, and disk resources. Contact Tanium support for guidance on specific configurations.

The modules that are listed in the following table have specific additional hardware requirements. Requirements for RAM refer to the minimum installed RAM that the client and all installed modules and services require. Requirements for disk space refer to the additional available disk space that each listed module requires. (For complete endpoint requirements for each listed module, follow the links in the table. For links to endpoint requirements for all solutions, see the Solution-specific requirements for the Tanium Client and endpoints table.)

Additional hardware requirements for specific modules

| Product | Additional available disk space | Minimum RAM required |
|---|---|---|
| Tanium™ Comply | 200 MB | 2 GB¹ |
| Tanium™ Deploy | 2 GB² | 2 GB¹ |
| Tanium™ Integrity Monitor | 1 GB³,⁴ | 4 GB |
| Tanium™ Investigate | 3 GB⁴ | 4 GB |
| Tanium™ Map | 200 MB | 4 GB |
| Tanium™ Patch | 5 GB² | 2 GB¹,⁵ |
| Tanium™ Performance | 100 MB plus the amount specified in the Database maximum size parameter (1 GB by default)⁶ | 2 GB¹ |
| Tanium™ Software Bill of Materials (SBOM) add-in for Tanium™ Asset | 1 GB³ | 2 GB¹ |
| Tanium™ Reveal | 2 GB³,⁴ | 2 GB¹ |
| Tanium™ Threat Response | 3 GB³,⁴ | 4 GB |

1 This module does not have a specific RAM requirement above the baseline 2 GB of RAM that the Tanium Client requires.

2 If both Deploy and Patch are installed, only 5 GB of additional available disk space is required for both solutions, for client cache space.

3 This solution uses Tanium™ Index. Specific disk space requirements for Index depend on the file system on the endpoint. Depending on these factors, the disk space that is required on the endpoint might be greater than the amount listed here. A general guideline is that the database size is an additional 1 MB per 1 GB of files on disk.

4 This solution uses Tanium™ Recorder. Specific disk space requirements for Recorder depend on the number of events recorded on the endpoint. Depending on these factors, the disk space that is required on the endpoint might be greater than the amount listed here.

5 The utilities that Patch uses for scanning use increased RAM for up to several minutes during endpoint scans. If an endpoint must also run other processes that use significant RAM during Patch scans, it might require more RAM than the minimum 2 GB.

6 The Performance database collects approximately 45 MB per day for busy servers and 25-35 MB per day for workstations.

Module and service requirements

Click the links in the following table to see the minimum Tanium Client version (Tanium dependencies) and client endpoint requirements for each Tanium module and shared service.

Solution-specific requirements for the Tanium Client and endpoints

| Product | Tanium Dependencies | Endpoint Requirements |
|---|---|---|
| Tanium™ API Gateway | Core platform dependencies / No additional requirements | N/A |
| Tanium™ Asset | Core platform dependencies | Endpoints |
| Tanium™ Software Bill of Materials (SBOM) add-in for Asset | Core platform dependencies | Endpoints |
| Tanium™ Benchmark | Core platform dependencies | Endpoints |
| Tanium™ Certificate Manager | Core platform dependencies | Endpoints |
| Tanium™ Client Management | Core platform dependencies (following this section) | The following sections: |
| Tanium™ Comply | Core platform dependencies | Endpoints |
| Tanium™ Connect | Core platform dependencies / No additional requirements | N/A |
| Tanium™ Criticality | Core platform dependencies / No additional requirements | N/A |
| Tanium™ Deploy | Core platform dependencies | Endpoints |
| Tanium™ Direct Connect | Core platform dependencies / No additional requirements | Endpoints |
| Tanium™ Screen Sharing add-in for Direct Connect | No additional requirements | Endpoints |
| Tanium™ Directory Query | Core platform dependencies / No additional requirements | N/A |
| Tanium™ Discover | Core platform dependencies | Endpoints |
| Tanium™ Endpoint Configuration | Core platform dependencies / No additional requirements | Endpoints |
| Tanium™ End-User Notifications | Core platform dependencies | Endpoints |
| Tanium™ Enforce | Core platform dependencies | Endpoints |
| Tanium™ Engage | Core platform dependencies | Endpoints |
| Tanium™ Feed | Core platform dependencies / No additional requirements | N/A |
| Tanium™ Health Check | Core platform dependencies | N/A |
| Tanium™ Impact | Core platform dependencies | Endpoints |
| Tanium™ Integrity Monitor | Core platform dependencies | Endpoints |
| Tanium™ Interact | Core platform dependencies / No additional requirements | Endpoints |
| Tanium™ Investigate | Core platform dependencies | Endpoints |
| Tanium™ Mac Device Enrollment | Core platform dependencies | Endpoints |
| Tanium™ Map | Core platform dependencies | Endpoints |
| Tanium™ Network Quarantine | Core platform dependencies | Endpoints |
| Tanium™ Patch | Core platform dependencies | Endpoints |
| Tanium™ Performance | Core platform dependencies | Endpoints |
| Tanium™ Provision | Core platform dependencies | Endpoints |
| Tanium™ Reporting | Core platform dependencies / No additional requirements | N/A |
| Tanium™ Reputation | Core platform dependencies | N/A |
| Tanium™ Reveal | Core platform dependencies | Endpoints |
| Tanium™ Threat Response | Core platform dependencies | Endpoints |
| Tanium™ Trends | Core platform dependencies / No additional requirements | N/A |
| Tanium™ Zero Trust | Core platform dependencies | Endpoints |

Requirements for satellites used for Tanium Client deployment in Client Management

Operating systems supported for satellites used in client deployment

Only the following operating systems are supported for a satellite used for Tanium Client deployment. For other OS requirements for Tanium Client, see the table Supported OS versions for Tanium Client hosts.

  • Windows
    • Windows Server 2012 R2 or later
    • Windows 7 or later
  • Linux
    • AlmaLinux 8.x or later
    • CentOS 7.x, 8.x
    • Debian 10.x or later
    • Oracle Linux 7.x or later
    • Red Hat Enterprise Linux 7.x or later
    • Rocky Linux 8.x or later
    • Ubuntu 20.04 or later

Hardware requirements for satellites used in client deployment

The following hardware specifications are the recommended minimum for a satellite used for Tanium Client deployment:

  • CPU architecture: x64 or x86
  • CPU cores: 4
  • RAM: 8 GB
  • Disk space (in addition to space required for the Tanium Client and any modules in use): 500 MB
  • Network bandwidth: 10 Mbps between the Module Server or Tanium Cloud and the satellite, and between the satellite and targeted endpoints

Tanium Client Management dependencies

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers: 7.4.3.1204 or later

  • Tanium Client: Downloading client installers from Client Management does not require a pre-existing installation of Tanium Client. Using client profile and client health features, including using Direct Connect to access detailed client health information, requires a supported Tanium Client (see Supported OS versions for Tanium Client hosts).

Solution dependencies

Other Tanium solutions are required for specific Client Management features to work. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Client Management dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Client Management requires.

When you install Endpoint Configuration (or a version of Client Management between 1.5 and 1.12, which included Endpoint Configuration):

  • Make sure you upgrade each module that uses Endpoint Configuration to a version from after support for Endpoint Configuration was introduced (follow links for Tanium Dependencies from and see the release notes for each module).

  • After Endpoint Configuration is installed, do not use the Initial Content - Python solution to deploy Python to endpoints that support Endpoint Configuration (see Tanium Endpoint Configuration User Guide: Endpoints).

Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on. For solutions to perform these operations on such endpoints, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Client Management, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Client Management to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Client Management, the server automatically updates those dependencies to the latest available versions.

If you select only Client Management to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Client Management has the following required dependencies at the specified minimum versions:

  • Tanium™ Endpoint Configuration 1.7.194 or later
  • Tanium™ RDB 1.2.11 or later
  • Tanium™ Secrets 1.0.41 or later
  • Tanium™ System User service 1.0.77 or later
  • Tanium Trends 3.9.127 or later

Feature-specific dependencies

Client Management has the following feature-specific dependencies at the specified minimum versions:

  • Tanium Interact 2.4.50 or later is required to view charts on the Client Management Overview page

    Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later

  • Tanium Direct Connect 1.4.3 or later is required to connect to endpoints to access detailed client health information
  • Tanium Discover 3.1 or later is required to target endpoints based on Discover tags

Client extensions

Tanium Endpoint Configuration installs client extensions for Client Management on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Client Management functions:

  • Client Deployment CX - Provides the satellite functionality for Tanium Client deployments in Client Management. Tanium Client Management installs this client extension only on endpoints identified as satellites and used for client deployments.
  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between endpoint and Module Server or Tanium Cloud. Tanium Direct Connect installs this client extension. This is a feature-specific dependency for Client Management.
  • Discover CX - Performs satellite-based Nmap scans. Tanium Discover installs this client extension. This is a feature-specific dependency for Client Management.
  • Extras CX - Provides a helper library that contains re-usable functions for various client extensions to use. Tanium Asset, Tanium Discover, Tanium Integrity Monitor, and Tanium Investigate install this client extension. This is a feature-specific dependency for Client Management.
  • Support CX - Provides the ability to gather troubleshooting content from endpoints through Tanium Client Management. Tanium Client Management installs this client extension.
  • TSDB CX - Collects metrics about the Tanium Client and client extensions. Tanium Client Management installs this client extension.

Tanium™ Module Server

Client Management is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Compatibility between Tanium Core Platform servers and Tanium Clients

Tanium Clients can connect only to Tanium Core Platform servers (Tanium Server, Tanium Module Server, and Tanium Zone Server) that run the same Tanium™ Protocol version as the clients or a later version than the clients. Servers at version 7.3 and clients at version 7.2 run Tanium Protocol 314. Servers and clients at version 7.4 or later run Tanium Protocol 315. Effectively, this means that servers are backward-compatible with earlier clients; for example, servers at version 7.4 support Tanium Client 7.2, but Tanium Client 7.4.x cannot connect to servers at version 7.3.

For details about the Tanium Protocol, see Tanium Core Platform Deployment Reference Guide: Overview of TLS in the Tanium Core Platform.

The release numbers for Tanium Core Platform servers and Tanium Clients have the format <major release>.<minor release>.<point release>, such as 7.4.5. Clients can connect to the servers when their major and minor release numbers match regardless of whether the point release numbers match. For example, Tanium Client 7.4.5 can connect to Tanium Server 7.4.2.

  • To ensure that all the features and fixes in a release are available to Tanium Core Platform servers and Tanium Clients, upgrade both to the same major, minor, and point release.

  • Do not install the Tanium Client on the same host as a Tanium Core Platform server. Managing Tanium Core Platform servers as endpoints requires significantly more complex access restrictions in Tanium. Tanium users with management rights over Tanium Core Platform servers might be able to circumvent access restrictions within Tanium or inadvertently deploy actions that interfere with Tanium functionality. If you choose to install the client on Tanium Core Platform server machines, you must carefully restrict access to computer groups that include Tanium Core Platform servers, such as All Computers, All Servers, and All Windows. You cannot install the client on a Tanium Appliance, and you cannot use Tanium Client Management to install the client on the Tanium Module Server.
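The compatibility rules above can be applied to an inventory before a server or client upgrade. The following Python sketch is an added example, not Tanium code: the function names are hypothetical, the server version `7.3.0` and host names are constructed sample values, and the sketch reports "unknown" for releases whose protocol version this page does not state.

```python
from typing import Dict, Optional, Tuple


def parse_release(version: str) -> Tuple[int, int, Optional[int]]:
    """Split '7.4.5' or a build string such as '7.4.10.1067' into
    (major, minor, point); point is None when only major.minor is given."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version: {version!r}")
    nums = [int(p) for p in parts]
    return nums[0], nums[1], (nums[2] if len(nums) > 2 else None)


def protocol_version(role: str, version: str) -> Optional[int]:
    """Tanium Protocol number for a release, using only the mappings stated
    on this page. Returns None when the page gives no mapping."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    major, minor, _ = parse_release(version)
    if (major, minor) >= (7, 4):
        return 315  # servers and clients at 7.4 or later
    if (role, major, minor) in {("server", 7, 3), ("client", 7, 2)}:
        return 314  # servers at 7.3, clients at 7.2
    return None


def can_connect(client: str, server: str) -> Optional[bool]:
    """True/False when the page's rules decide the case, None when they do not."""
    # Matching major.minor connects regardless of point release.
    if parse_release(client)[:2] == parse_release(server)[:2]:
        return True
    c = protocol_version("client", client)
    s = protocol_version("server", server)
    if c is None or s is None:
        return None
    # The server must run the same protocol version as the client, or a later one.
    return s >= c


def audit_fleet(server: str, clients: Dict[str, str]) -> Dict[str, str]:
    """Classify each client against one server version."""
    report = {}
    for host, version in clients.items():
        verdict = can_connect(version, server)
        if verdict is None:
            report[host] = "unknown"
        elif not verdict:
            report[host] = "blocked"
        elif parse_release(version) == parse_release(server):
            report[host] = "aligned"
        else:
            # Connects, but features and fixes may differ between releases.
            report[host] = "connects-release-differs"
    return report


if __name__ == "__main__":
    # Constructed inventory; the client build strings appear in the tables above.
    fleet = {"ws-01": "7.4.5.1225", "ws-02": "7.4.10.1067", "aix-01": "7.2.314.3660"}
    print(audit_fleet("7.4.5", fleet))
    print(audit_fleet("7.3.0", fleet))
```

A "blocked" result for a planned server version means the servers must be upgraded before those clients, because servers accept earlier clients but not later ones.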

Endpoint accounts

Tanium Client service account

On Windows, the Tanium Client is installed as a service that must run in the security context of the Local System account.

On AIX, Linux, macOS, and Solaris, the Tanium Client is installed as a system service, which must run with a User ID (UID) of 0.

Account permissions for Client Management

During client installation using Client Management, you must have an account configured with the appropriate permissions on each endpoint. You add credentials for these accounts during the deployment process (see Configure client credentials or Manage endpoint credentials). These accounts and permissions are necessary only during deployment, and they can be removed or changed after you successfully deploy clients.

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Windows endpoints

On each Windows endpoint, you must have an account with Local Administrator rights or a local or domain account configured that has the following abilities:

  • Remotely connect to the endpoint and authenticate with SMB
  • Create folders within the installation directory for 32-bit applications, and, if applicable, the custom location where the Tanium Client will be installed (by default, C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows)

    A custom installation directory must be located on drive C for deployment with Client Management. To install Tanium Client on a different drive, you must use an alternative deployment method. For more information, see Deploying the Tanium Client using an installer or package file.

  • Write and execute files in the Tanium installation directory (by default, C:\Program Files (x86)\Tanium\ for 64-bit versions of Windows, or C:\Program Files\Tanium\ for 32-bit versions of Windows)

Non-Windows endpoints

On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate with SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

  • The root user
  • A user that is listed in the sudoers file on each endpoint to allow the account you are using for installation to use sudo

    If you restrict user commands in the sudoers file, you must allow the commands used by Client Management during deployment.

Specific distributions or your specific environment might have specific authentication requirements.

Amazon Linux: Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.

Network connectivity, ports, and firewalls

TCP/IP requirements for Tanium Client

Tanium Cloud uses TCP/IP to communicate over IPv4 networks. Tanium Core Platform components use TCP/IP to communicate over IPv4 networks and IPv6 networks. Contact Tanium Support if you need IPv6 support in Tanium Core Platform. Work with your network administrator to ensure that the endpoints in your environment can reach the Tanium Cloud Client Edge URLs, or that the Tanium components have IP addresses and can use the Domain Name System (DNS) to resolve the host names. For more information, see Tanium Cloud Deployment Guide: Getting started with Tanium Cloud.

Connectivity and TCP/IP requirements for Client Management

In an on-premises Tanium installation, the Tanium Module Server must have a connection to endpoints to automatically deploy the Tanium Client using Client Management. In Tanium Cloud, to automatically deploy the Tanium Client using Client Management, at least one endpoint that is connected to the network must also have a connection to Tanium Cloud. This endpoint is used as a satellite. Additionally, both the Tanium Server and endpoints must have IPv4 addresses; IPv6 addresses are not supported in Client Management or Tanium Cloud. If you plan to deploy the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, to endpoints where no endpoint can connect to Tanium Cloud, or where only IPv6 addresses are available, you can download installers and install the client manually or deploy it through other means, or download and manually deploy an installation bundle. For more information, see Deploying the Tanium Client using an installer or package file and Download the installation bundle or tanium-init.dat file for alternative deployment.

Port requirements for Tanium Client and Client Management

The following ports are the defaults that are required for Tanium Client communication, and those that are required for Client Management communication.

Table 1: Default port requirements for Tanium Client

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Client | Tanium Server or Tanium Cloud | 17472 | TCP | Used for communication between the Tanium Client and the Tanium Server or Tanium Cloud |
| Tanium Client | Zone Server¹ | 17472 | TCP | Used for communication between the Tanium Client and the Zone Server |
| Tanium Client | Peer clients | 17472 | TCP | Used for communication between the Tanium Client and peer clients |
| Peer clients | Tanium Client | 17472 | TCP | Used for communication between the Tanium Client and peer clients |
| Tanium Client | Tanium Client (loopback) | 17473 | TCP | Used for the Tanium Client API. This port is used with the loopback interface and usually does not require a firewall rule. |
| Tanium Client | distribute.cloud.tanium.com | 443 | TCP (HTTPS) | Outbound communication from the Tanium Client and inbound communication for file part distribution |

1 This destination is required only when you use a Zone Server.

Table 2: Port requirements for Client Management

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Module Server | Endpoints targeted for Tanium Client installation (non-Windows) | 22 | TCP | Used for SSH communication from the module server to the target endpoint during client installation |
| Module Server | Endpoints targeted for Tanium Client installation (Windows) | 135 | TCP | Used for initiating WMI communication from the module server to the target endpoint during client installation |
| Module Server | Endpoints targeted for Tanium Client installation (Windows) | 445 | TCP | Used for SMB communication from the module server to the target endpoint during client installation. If port 445 is inaccessible, the module server attempts a connection on port 139. |
| Module Server | Endpoints targeted for Tanium Client installation (Windows) | 49152–65535 | TCP | Randomly allocated dynamic ports used for WMI communication after it is initiated on port 135. If a different dynamic port range is configured for RPC communication, that port range must be allowed by the firewall. |
| Tanium Client (internal) | Module Server | 17475 | TCP | Used for direct connection to endpoints for detailed client health information |
| Tanium Client (external) | Zone Server¹ | 17486 | TCP | Used for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy. |
| Module Server | Zone Server¹ | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy. |
| Module Server | Zone Server¹ | 17488 | TCP | Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows. |

1 These ports are required only when you use a Zone Server.

Table 2: Port requirements for Client Management

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Satellite endpoint | Endpoints targeted for Tanium Client installation (non-Windows) | 22 | TCP | Used for SSH communication from the satellite endpoint to the target endpoint during client installation |
| Satellite endpoint | Endpoints targeted for Tanium Client installation (Windows) | 135 | TCP | Used for initiating WMI communication from the satellite endpoint to the target endpoint during client installation |
| Satellite endpoint | Endpoints targeted for Tanium Client installation (Windows) | 445 | TCP | Used for SMB communication from the satellite endpoint to the target endpoint during client installation |
| Satellite endpoint | Endpoints targeted for Tanium Client installation (Windows) | 49152–65535 | TCP | Randomly allocated dynamic ports used for WMI communication after it is initiated on port 135. If a different dynamic port range is configured for RPC communication, that port range must be allowed by the firewall. |
| Tanium Client | Tanium Cloud | 17486 | TCP | Used for direct connection to endpoints for detailed client health information |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Some Tanium modules and shared services have additional port requirements for the Tanium Client. See Tanium Core Platform Deployment Reference Guide: Solution-specific port requirements or Tanium Cloud Deployment Guide: Solution-specific port requirements.

Work with your network security administrator to ensure that firewalls and security applications do not block port 17472, which is the default port that the Tanium Client uses for communication with the Tanium Server, Zone Server, or Tanium Cloud, and the port that the client uses for communication with peer clients (default is also port 17472). You can change the port that clients use to communicate with the server by configuring the ServerPort setting. You can also change the port that clients use for peer communication by configuring the ListenPort or EnableRandomListeningPort setting. (See Customize listening ports.) If you do not configure either of these settings, clients default to using ServerPort (port 17472) for peer communication.

The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, firewalls must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For more information about network port requirements in Tanium, see Tanium Core Platform Deployment Reference Guide: Tanium network ports or Tanium Cloud Deployment Guide: Host and network security requirements. For more information about client peering settings, see Configuring Tanium Client peering.

  • macOS: The Tanium Client service is signed to automatically allow communication through the default macOS firewall. However, the client installation process does not modify any host-based firewall that is in use. For more information about managing macOS firewalls, see Manage macOS firewall rules.

    On endpoints that run macOS 10.14 (Mojave) or later, you might have to configure a firewall rule to prevent end users from seeing a pop-up for allowing connections during a Tanium Client upgrade. See Manage pop-ups for Tanium Client upgrades.

  • Linux: For more information about managing Linux firewalls, see Manage Linux firewall rules.

  • The Tanium Server and Zone Server also use port 17472 by default. Therefore, if you install the client on the same host as the server in a Windows deployment, the listening port for client-to-client communication automatically increments by one on that host to prevent port conflicts, so the default is 17473. This installation is not a best practice. See Compatibility between Tanium Core Platform servers and Tanium Clients.

  • If you configure the Tanium Client to randomly select a new listening port at intervals, you must configure endpoint firewalls to allow incoming connections on any port that the Tanium Client process requests. For more information, see Randomize listening ports.

  • The port number for the client API is one higher than the client-client listening port, which means that, by default, the API port is 17473. However, if the listening port changes, the API port also changes. For example, if you set ListenPort to 17473, the client API port becomes 17474. Because the API is on the loopback interface (localhost), the API port usually does not require a firewall rule for allowing traffic.

For additional information about preparing endpoints for remote installation using Client Management, see Prepare for deployment to Linux, macOS, or UNIX endpoints and Prepare for deployment to Windows endpoints.
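Before a deployment window, the port requirements above can be checked from the deployment source (Module Server or satellite) against each target. The following Python sketch is an added example, not part of Tanium Client Management: the function names are hypothetical, and the target address `192.0.2.10` is a constructed documentation address. It also derives the peer listening port and loopback API port from the ServerPort and ListenPort rules described in this section.

```python
import socket
from typing import Callable, Dict, List, Optional

DEFAULT_SERVER_PORT = 17472         # default ServerPort on this page
DYNAMIC_RPC_RANGE = (49152, 65535)  # default dynamic range for WMI/RPC on this page

# Fixed ports the deployment source must reach on a target (Table 2).
DEPLOYMENT_PORTS = {
    "windows": [(135, "WMI initiation"), (445, "SMB")],
    "non-windows": [(22, "SSH")],
}


def client_ports(server_port: int = DEFAULT_SERVER_PORT,
                 listen_port: Optional[int] = None) -> Dict[str, int]:
    """Ports one client uses. Without ListenPort, peers listen on ServerPort;
    the loopback client API is the listening port plus one."""
    listen = server_port if listen_port is None else listen_port
    for port in (server_port, listen, listen + 1):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return {"server": server_port, "peer_listen": listen, "api_loopback": listen + 1}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name resolution failed
        return False


def deployment_preflight(target: str, os_family: str,
                         source: str = "module-server",
                         probe: Callable[[str, int], bool] = tcp_reachable) -> List[dict]:
    """Probe the fixed deployment ports for one target. Run it on the
    deployment source so the result reflects the real network path."""
    if os_family not in DEPLOYMENT_PORTS:
        raise ValueError(f"os_family must be one of {sorted(DEPLOYMENT_PORTS)}")
    if source not in ("module-server", "satellite"):
        raise ValueError("source must be 'module-server' or 'satellite'")
    results = []
    for port, purpose in DEPLOYMENT_PORTS[os_family]:
        is_open = probe(target, port)
        results.append({"port": port, "purpose": purpose,
                        "status": "open" if is_open else "blocked"})
        # Per Table 2, only the Module Server retries SMB on 139 when 445 fails.
        if port == 445 and not is_open and source == "module-server":
            results.append({"port": 139, "purpose": "SMB fallback",
                            "status": "open" if probe(target, 139) else "blocked"})
    if os_family == "windows":
        # WMI moves to a dynamically allocated port after 135, so probing the
        # range proves nothing; flag the firewall rule for manual review.
        results.append({"port": "%d-%d" % DYNAMIC_RPC_RANGE,
                        "purpose": "WMI dynamic RPC",
                        "status": "review-firewall-rule"})
    return results


if __name__ == "__main__":
    # Constructed demonstration with a stub probe instead of real traffic.
    for row in deployment_preflight("192.0.2.10", "windows",
                                    probe=lambda host, port: port == 135):
        print(row)
    print(client_ports(listen_port=17473))
```

A "blocked" result on port 135 or 22 means Client Management cannot start the installation on that target, whatever the credentials.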

The following figure illustrates a deployment with external and internal Tanium Clients. In this example, the external clients are in virtual private networks (VPNs) and therefore do not peer with each other (see Configure isolated subnets). Each external client has a leader connection to the Tanium Zone Server. The internal clients peer with each other in linear chains, and each chain connects to the Tanium Server through a backward and forward leader.

Figure  1:  Tanium Client connectivity

The following figure illustrates a deployment where Tanium Clients have direct endpoint connections to Tanium Cloud over port 17486 for Tanium modules that use the Tanium™ Direct Connect shared service. Therefore, the firewalls must allow traffic on port 17486 as well as port 17472. The clients in virtual private networks (VPNs) do not peer with each other and each of these clients has a leader connection to Tanium Cloud (see Configure isolated subnets). The clients that peer with each other connect to Tanium Cloud through backward and forward leaders at opposite ends of their linear chains.

Figure  2:  Tanium Client connectivity

API access

To access the Tanium Cloud APIs, you must first create an API Token. For more information, see Tanium Console User Guide: Create API tokens.

The maximum payload size for API requests and responses is 10 MB.

Use one of the following URLs for Tanium Cloud API access:

Tanium Cloud API access

<customerURL>-api.cloud.tanium.com

Tanium Cloud for U.S. Government API access

<customerURL>-api.cloud.taniumfed.com

The <customerURL> variable is the subdomain that you specify for your service vanity URL when your Tanium Cloud instance is first provisioned. See Tanium Cloud Deployment Guide: Make initial elections.

Host system security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Security exclusions for Tanium Client

Some antivirus (AV) software might require excluding the installation directories of the Tanium Client from real-time inspection. Typically, configuring trusted exclusions also involves setting a policy to ignore the input and output of Tanium binaries. The configuration of these exclusions varies based on the AV software.

The following tools and files have specific requirements for the Tanium Client:

  • Microsoft Group Policy Objects (GPO) or other central management tools for managing host firewalls: Tanium recommends creating rules to allow inbound and outbound TCP traffic across the port that the client uses for Tanium traffic (default 17472) and port 17486 on any managed endpoints. See Network connectivity, ports, and firewalls.

  • Windows Update offline scan file (Wsusscn2.cab): The Tanium Client uses Wsusscn2.cab to assess endpoints for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, see the Microsoft KB for information on configuring those tools to interact appropriately with the Wsusscn2.cab file.

  • McAfee Host Intrusion Detection (in older versions of McAfee security software): Tanium recommends marking the Tanium Client as both Trusted for Firewall and Trusted for IPS.

Some Tanium modules and shared services have their own security exclusions for the Tanium Client. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

The following table lists Tanium Client directories that Tanium recommends AV software or other host-based security applications exclude from on-access or real-time scans. Include subdirectories of these locations when you create the exception rules. The listed directory paths are the defaults. If you changed the directory locations to non-default paths, create rules that are based on the actual locations.

Security exclusions for Tanium Client folders

| Target Device | Installation folder |
|---|---|
| Windows x86 endpoints | \Program Files\Tanium\Tanium Client |
| Windows x64 endpoints | \Program Files (x86)\Tanium\Tanium Client |
| macOS endpoints | /Library/Tanium/TaniumClient |
| Linux, Solaris, AIX endpoints | /opt/Tanium/TaniumClient |

Tanium recommends that security applications allow (not block, quarantine, or otherwise process) the following system processes. The <Tanium Client> variable indicates the Tanium Client installation directory, which is configurable during client installation.

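Security exclusions for Tanium Client processes

| Target Device | Process |
| --- | --- |
| Windows endpoints | <Tanium Client>\TaniumClient.exe |
| Windows endpoints | <Tanium Client>\TaniumCX.exe |
| Windows endpoints | <Tanium Client>\Tools\StdUtils\7za.exe |
| Windows endpoints | <Tanium Client>\Tools\StdUtils\runasuser.exe |
| Windows endpoints | <Tanium Client>\Tools\StdUtils\runasuser64.exe |
| Windows endpoints | <Tanium Client>\Tools\StdUtils\TaniumExecWrapper.exe |
| Windows endpoints | <Tanium Client>\Tools\StdUtils\TaniumFileInfo.exe |
| Windows endpoints | <Tanium Client>\Tools\StdUtils\TPowerShell.exe |
| macOS, Linux, Solaris, AIX endpoints | <Tanium Client>/TaniumClient |
| macOS, Linux, Solaris, AIX endpoints | <Tanium Client>/taniumclient |
| macOS, Linux, Solaris, AIX endpoints | <Tanium Client>/TaniumCX |
| macOS, Linux, Solaris, AIX endpoints | <Tanium Client>/Tools/StdUtils/TaniumExecWrapper |
| macOS, Linux, Solaris, AIX endpoints | <Tanium Client>/Tools/StdUtils/distribute-tools.sh |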
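
One way to apply the firewall recommendation and the Windows folder and process exclusions above, as an added example that is not Tanium's own tooling. It assumes Windows Defender Firewall and Microsoft Defender Antivirus (the page names no specific product), the default x64 installation folder, and hypothetical rule names; it adds a process exclusion only when the binary's Authenticode signature validates on the host.

```powershell
#Requires -RunAsAdministrator
# Added example, not Tanium tooling. Assumes Windows Defender Firewall and
# Microsoft Defender Antivirus; other products need their own equivalents.

# Default x64 folder from the folders table; adjust for x86 or a custom path.
$ClientDir = Join-Path ${env:ProgramFiles(x86)} 'Tanium\Tanium Client'

# Windows entries from "Security exclusions for Tanium Client processes".
$RelativeProcesses = @(
    'TaniumClient.exe'
    'TaniumCX.exe'
    'Tools\StdUtils\7za.exe'
    'Tools\StdUtils\runasuser.exe'
    'Tools\StdUtils\runasuser64.exe'
    'Tools\StdUtils\TaniumExecWrapper.exe'
    'Tools\StdUtils\TaniumFileInfo.exe'
    'Tools\StdUtils\TPowerShell.exe'
)

# --- Host firewall: TCP 17472 (default client port) and 17486, both directions ---
$Ports = 17472, 17486
foreach ($direction in 'Inbound', 'Outbound') {
    $name = "Example - Tanium Client TCP $direction"   # hypothetical rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    $rule = @{
        DisplayName = $name
        Direction   = $direction
        Action      = 'Allow'
        Protocol    = 'TCP'
        Profile     = 'Any'
    }
    # Assumption: inbound traffic is matched on the local listening port,
    # outbound traffic on the remote port it connects to.
    if ($direction -eq 'Inbound') { $rule.LocalPort = $Ports } else { $rule.RemotePort = $Ports }
    New-NetFirewallRule @rule | Out-Null
}

# --- Defender: exclude the client folder (folder exclusions cover subfolders) ---
if (Test-Path -LiteralPath $ClientDir) {
    Add-MpPreference -ExclusionPath $ClientDir
}

# --- Defender: process exclusions, only for binaries whose signature validates ---
$report = foreach ($rel in $RelativeProcesses) {
    $path = Join-Path $ClientDir $rel
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Process = $path; Result = 'not present' }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid') {
        # A process exclusion skips files that the process opens; it does not
        # exempt the executable itself from scanning.
        Add-MpPreference -ExclusionProcess $path
        [pscustomobject]@{ Process = $path; Result = "excluded ($($sig.SignerCertificate.Subject))" }
    } else {
        # Left for the operator to review rather than excluded blindly.
        [pscustomobject]@{ Process = $path; Result = "skipped, signature $($sig.Status)" }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Compare the result against `(Get-MpPreference).ExclusionProcess` and `(Get-MpPreference).ExclusionPath` after the run, and review any row reported as skipped before excluding it by hand.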

Security exclusions for Client Management

For the Client Management solution, Tanium recommends the following exclusions.

The <Tanium Client> variable refers to the Tanium Client installation directory, which is configurable during client installation.

The <Module Server> variable refers to the Tanium Module server installation directory.

Client Management security exclusions for Tanium Core Platform servers (Windows deployments only)

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\client-management-service\node.exe |
| Module Server | | Process | <Module Server>\services\client-profile-service\TaniumClientProfileService.exe |
| Module Server | When Direct Connect is installed | Process | <Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe |
| Module Server | When Discover is installed | Process | <Module Server>\services\discover-service\node.exe |
| Module Server | When Discover is installed | Process | <Module Server>\plugins\content\discover-proxy\proxyplugin.exe |
| Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe |
| Zone Server | When Direct Connect is installed | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe |
| Zone Server | When Direct Connect is installed | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe |

Client Management security exclusions for endpoints

| Endpoint OS | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Windows | During client installation; x64 endpoints | Process | \Program Files (x86)\Tanium\TaniumClientBootstrap.exe |
| Windows | During client installation; x64 endpoints | Process | \Program Files (x86)\Tanium\SetupClient.exe |
| Windows | During client installation; x86 endpoints | Process | \Program Files\Tanium\TaniumClientBootstrap.exe |
| Windows | During client installation; x86 endpoints | Process | \Program Files\Tanium\SetupClient.exe |
| Windows | During client installation | Process | <Tanium Client>\SetupClient.exe |
| Windows | Satellites used for client deployment | File | <Tanium Client>\TaniumClientDeploy.dll |
| Windows | Satellites used for client deployment | File | <Tanium Client>\TaniumClientDeploy.dll.sig |
| Windows | | File | <Tanium Client>\TaniumClientExtensions.dll |
| Windows | | File | <Tanium Client>\TaniumClientExtensions.dll.sig |
| Windows | | Process | <Tanium Client>\TaniumCX.exe |
| Windows | When Direct Connect is installed | File | <Tanium Client>\extensions\TaniumDEC.dll |
| Windows | When Direct Connect is installed | File | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Windows | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumDiscover.dll |
| Windows | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumDiscover.dll.sig |
| Windows | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumExtras.dll |
| Windows | When Discover is installed; satellite profiles only | File | <Tanium Client>\extensions\TaniumExtras.dll.sig |
| Windows | | File | <Tanium Client>\extensions\TaniumTSDB.dll |
| Windows | | File | <Tanium Client>\extensions\TaniumTSDB.dll.sig |
| Windows | When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only) | Folder | C:\Program Files\Npcap |
| Windows | When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only) | Process | <Tanium Client>\Tools\Discover\nmap\nmap.exe |
| macOS | During client installation | Process | /Library/Tanium/TaniumClientBootstrap |
| macOS | During client installation | Process | /Library/Tanium/SetupClient |
| macOS | During client installation | Process | <Tanium Client>/SetupClient |
| macOS | | File | <Tanium Client>/libTaniumClientExtensions.dylib |
| macOS | | File | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| macOS | | Process | <Tanium Client>/TaniumCX |
| macOS | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.dylib |
| macOS | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| macOS | When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only) | Process | <Tanium Client>/Tools/Discover/nmap/nmap |
| macOS | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDEC.dylib |
| macOS | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| macOS | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.dylib |
| macOS | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.dylib.sig |
| macOS | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.dylib |
| macOS | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.dylib.sig |
| macOS | | File | <Tanium Client>/extensions/libTaniumTSDB.dylib |
| macOS | | File | <Tanium Client>/extensions/libTaniumTSDB.dylib.sig |
| Linux | During client installation | Process | /opt/Tanium/TaniumClientBootstrap |
| Linux | During client installation | Process | /opt/Tanium/SetupClient |
| Linux | During client installation | Process | <Tanium Client>/SetupClient |
| Linux | Satellites used for client deployment | File | <Tanium Client>/libTaniumClientDeploy.so |
| Linux | Satellites used for client deployment | File | <Tanium Client>/libTaniumClientDeploy.so.sig |
| Linux | | File | <Tanium Client>/libTaniumClientExtensions.so |
| Linux | | File | <Tanium Client>/libTaniumClientExtensions.so.sig |
| Linux | | Process | <Tanium Client>/TaniumCX |
| Linux | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.so |
| Linux | When Direct Connect is installed | File | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| Linux | When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only) | Folder | <Tanium Client>/Tools/Discover/nmap/nmap |
| Linux | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.so |
| Linux | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumDiscover.so.sig |
| Linux | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.so |
| Linux | When Discover is installed (Satellite profiles only) | File | <Tanium Client>/extensions/libTaniumExtras.so.sig |
| Linux | | File | <Tanium Client>/extensions/libTaniumTSDB.so |
| Linux | | File | <Tanium Client>/extensions/libTaniumTSDB.so.sig |
| Solaris and AIX | During client installation | Process | /opt/Tanium/TaniumClientBootstrap |
| Solaris and AIX | During client installation | Process | /opt/Tanium/SetupClient |
| Solaris and AIX | During client installation | Process | <Tanium Client>/SetupClient |

Internet URL required for Client Management

The Module Server must be able to connect to https://content.tanium.com to allow Client Management to import the files needed to deploy the Tanium Client.

User role requirements for Client Management

The following tables list the role permissions required to use Client Management. To review a summary of the predefined roles, see Set up Client Management users.

Do not assign the Client Management Service Account and Client Management Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

To install Client Management, you must be assigned the Administrator reserved role.

Table 3: Client Management user role permissions
Permission | Client Management Administrator [1, 2, 3] | Client Management User [3] | Client Management Read-Only User [3] | Client Management API User [4] | Client Management Auditor [4] | Client Management Downloader | Client Management Operator [1, 2] | Client Management Upgrade Operator | Client Management Endpoint Configuration Approver [2]

Client-Management API

Access the Client Management API


EXECUTE

EXECUTE

EXECUTE

EXECUTE

Client-Management Configurations

Access client and deployment configurations


READ
WRITE

READ

READ

Client-Management Credentials

Access the credentials list (cannot view associated passwords or key data)


READ
WRITE
DELETE

READ

READ

Client-Management Deployments

Access data about client deployments


READ
WRITE
EXECUTE
DELETE

READ
EXECUTE

READ

Client-Management Direct

Connect to an endpoint using Direct Connect and read data from that endpoint


CONNECT

CONNECT

Client-Management Discover API

Access the Client Management Discover API


EXECUTE

Client-Management Endpoint Configuration / Client Management Endpoint Configuration

Approve Endpoint Configuration items for Client Management


APPROVE

Client-Management Index Configuration

Manage client Index configurations


READ
WRITE
DEPLOY

READ
DEPLOY

READ

READ
WRITE
DEPLOY

Client-Management Manage

Manage Client Management components

Client-Management Read Audit

Read audit log with API


LOG

LOG

Client-Management Secrets Read

Create credentials for client deployments


WRITE

Client-Management Settings

Access platform settings in the Client Management module


WRITE

WRITE

Client-Management Settings Configuration

Manage client settings configurations


READ
WRITE
DEPLOY

READ
DEPLOY

READ

READ
WRITE
DEPLOY

Client-Management Support Bundle

Access the Client Management support bundle


READ

READ

Client-Management Trends

Supply data to Trends and view charts from Trends in Client Management


READ
WRITE

READ

READ

Client-Management Upgrade

Manage and run client upgrades


READ
WRITE

READ

READ

READ
WRITE

READ
WRITE
RUN

Client-Management View

View client health charts


HEALTH

HEALTH

HEALTH

HEALTH

Client-Management

Download installation packages for the Tanium Client when using Client Management in Tanium Cloud


OPERATE

OPERATE

Clientmanagement

View the Client Management workbench


SHOW

SHOW

SHOW

SHOW

SHOW

SHOW

SHOW

SHOW

1 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium™ Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 This role is used internally and is not typically assigned to users.

Table 4: Client Management user role permissions
Permission | Client Management Administrator [1, 2, 3] | Client Management User [3] | Client Management Read-Only User [3] | Client Management Downloader | Client Management Operator [1, 2] | Client Management Upgrade Operator | Client Management Endpoint Configuration Approver [2]

Client-Management API

Access the Client Management API


EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

Client-Management Client Version

Access and manage the versions of the Tanium Client used in deployments and upgrades


READ
WRITE

READ

READ

READ
WRITE

Client-Management Credential

Access the credentials list (cannot view associated passwords or key data)


READ
WRITE

READ

READ

READ
WRITE

Client-Management Deployment

Access data in client deployments


READ
WRITE
EXECUTE

READ

READ

READ
WRITE
EXECUTE

Client-Management Direct

Connect to an endpoint using Direct Connect and read data from that endpoint


CONNECT

CONNECT

Client-Management Discover API

Access the Client Management Discover API


EXECUTE

EXECUTE

Client-Management Endpoint Configuration / Client Management Endpoint Configuration

Approve Endpoint Configuration items for Client Management


APPROVE

Client-Management Index Configuration

Manage client Index configurations


READ
WRITE
DEPLOY

READ

READ

READ
WRITE
DEPLOY

Client-Management Profile Support Bundle

Access the Client Management support bundle


READ

READ

Client-Management Settings Configuration

Manage client settings configurations


READ
WRITE
DEPLOY

READ

READ

READ
WRITE
DEPLOY

Client-Management Trends

Supply data to Trends and view charts from Trends in Client Management


READ
WRITE

READ

READ

READ
WRITE

Client-Management Upgrade

Manage and run client upgrades


READ
WRITE

READ

READ

READ
WRITE

READ
WRITE

Client-Management View

View client health charts


HEALTH

HEALTH

HEALTH

HEALTH

HEALTH

Client-Management

Download installation packages for the Tanium Client when using Client Management in Tanium Cloud


DOWNLOAD

DOWNLOAD

DOWNLOAD

Clientmanagement

View the Client Management workbench


SHOW

SHOW

SHOW

SHOW

SHOW

SHOW

1 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium™ Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

 

Table 5: Provided Client Management Administration and Platform content user role permissions
Permission | Role Type | Client Management Administrator | Client Management User | Client Management Read-Only User | Client Management API User | Client Management Auditor | Client Management Downloader | Client Management Operator | Client Management Upgrade Operator | Client Management Endpoint Configuration Approver
Action Group | Administration
READ

READ

READ

READ

READ

READ
Action | Platform Content
READ
WRITE

READ

READ
WRITE
Endpoint Configuration | Platform Content
SPECIAL
READ
Endpoint Configuration Module | Platform Content
SPECIAL

SPECIAL
Filter Group | Platform Content
READ

READ

READ

READ

READ

READ

READ

READ
Own Action | Platform Content
READ

READ

READ
Package | Platform Content
READ

READ

READ
Plugin | Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question | Platform Content
READ

READ

READ

READ

READ

READ

READ

READ
Secrets Value | Platform Content
READ
WRITE
Sensor | Platform Content
READ

READ

READ

READ

READ

READ

READ

READ
Trends Data | Platform Content
READ

READ

READ
Trends API Board | Platform Content
READ
WRITE

READ

READ
Trends API Source | Platform Content
READ
WRITE

READ

READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

Table 6: Provided Client Management Administration and Platform content user role permissions
Permission | Role Type | Client Management Administrator | Client Management User | Client Management Read-Only User | Client Management Downloader | Client Management Operator | Client Management Upgrade Operator | Client Management Endpoint Configuration Approver
Action Group | Administration
READ

READ

READ

READ

READ

READ
Computer Group | Administration
READ

READ

READ

READ

READ
User Group | Administration
READ

READ

READ

READ

READ
Endpoint Configuration | Platform Content
READ
WRITE

READ

READ

READ
WRITE

APPROVE
DISMISS
REJECT
SHOW
READ
Endpoint Configuration API | Platform Content
EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE
Endpoint Configuration Module | Platform Content
USE

USE
Endpoint Configuration Support Bundle | Platform Content
READ

READ
Action | Platform Content
READ
WRITE

READ

READ

READ
WRITE

READ
WRITE
Own Action | Platform Content
READ

READ

READ

READ

READ
Package | Platform Content
READ

READ

READ

READ

READ
Plugin | Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Sensor | Platform Content
READ

READ

READ
Trends API Board | Platform Content
READ
WRITE

READ

READ

READ
WRITE
Trends API Source | Platform Content
READ
WRITE

READ

READ

READ
WRITE
Trends Data | Platform Content
READ

READ

READ

READ
Trends View Recent | Platform Content
RESULTS

RESULTS

RESULTS

RESULTS

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

 

To configure a user who can only view client health information and connect to endpoints to access detailed client health and troubleshooting information, assign the following roles:

  • Direct Connect User
  • A custom role with the following permissions:
    • Clientmanagement Show
    • Client-Management Direct Connect
    • Client-Management View Health

For information about creating a custom role, see Tanium Console User Guide: Configure a custom role, and for information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Managing roles.