Requirements

This page summarizes requirements that you must understand before deploying the Tanium Client to endpoints.

Client version and host system requirements

Table 1 summarizes the basic Tanium Core Platform requirements for endpoint host systems where you install the Tanium Client. Hardware resource requirements vary based on the actions that you deploy to the endpoints; contact Tanium Support at [email protected] for guidance.

Tanium modules and shared services might have additional requirements for the Tanium Client and endpoint hosts. Table 2 provides links to the user guide sections that list these requirements.

We strongly recommend that all Windows endpoints have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
  • DigiCert High Assurance EV Root CA (thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25)
  • DigiCert SHA2 Assured ID CA (thumbprint E12D2E8D47B64F469F518802DFBD99C0D86D3C6A)
  • DigiCert SHA2 Assured ID Code Signing CA (thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6)
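
The following check for the certificates listed above is an added example, not Tanium code. It assumes that the Windows `ROOT` and `CA` system stores, as enumerated by Python's `ssl.enum_certificates`, are the stores to audit; the function names are hypothetical.

```python
import hashlib
import ssl
import sys

# Thumbprints (SHA-1 over the DER-encoded certificate) exactly as listed on this page.
REQUIRED = {
    "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43": "DigiCert Assured ID Root CA",
    "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25": "DigiCert High Assurance EV Root CA",
    "E12D2E8D47B64F469F518802DFBD99C0D86D3C6A": "DigiCert SHA2 Assured ID CA",
    "92C1588E85AF2201CE7915E8538B492F605B80C6": "DigiCert SHA2 Assured ID Code Signing CA",
}


def thumbprint(der: bytes) -> str:
    """Return the Windows-style thumbprint: upper-case hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


def missing_certificates(der_certs, required=REQUIRED):
    """Return {thumbprint: name} for every required certificate not in der_certs."""
    present = {thumbprint(der) for der in der_certs}
    return {tp: name for tp, name in required.items() if tp.upper() not in present}


def windows_store_certs(stores=("ROOT", "CA")):
    """Yield DER certificates from the named Windows system stores (Windows only)."""
    for store in stores:
        for cert, encoding, _trust in ssl.enum_certificates(store):
            if encoding == "x509_asn":  # skip PKCS#7 bundles
                yield cert


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("ssl.enum_certificates is available on Windows only")
    gaps = missing_certificates(windows_store_certs())
    for tp, name in gaps.items():
        print(f"MISSING {name} ({tp})")
    sys.exit(1 if gaps else 0)
```

A non-zero exit code marks an endpoint that lacks at least one of the listed certificates.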
 Table 1: Supported OS versions for Tanium Client hosts
Operating system OS Version Tanium Client Version

Microsoft Windows Server *

* Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Currently supported Semi-Annual Channel releases of Windows Server; Windows Server 2019; Windows Server 2016; Windows Server 2012, 2012 R2; Windows Server 2008 R2
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Windows Server 2008
      Tanium Client: 7.2.314.3584, 7.2.314.3476

Microsoft Windows Workstation

  • Windows 10; Windows 8; Windows 7
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Windows Vista
      Tanium Client: 7.2.314.3584, 7.2.314.3476

macOS *

* Compiled for Intel processors only

  • macOS 11.0 Big Sur *; macOS 10.15 Catalina **; macOS 10.14 Mojave ***; macOS 10.13 High Sierra; macOS 10.12 Sierra; OS X 10.11.1+ El Capitan
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3608, 7.2.314.3476, 7.2.314.3236
  • OS X 10.10 Yosemite
      Tanium Client: 7.2.314.3476, 7.2.314.3236

* The Tanium Client is compiled as x86, and has been found to work correctly on macOS endpoints that use the M1 ARM processors with Rosetta 2. Tanium intends to release a universal binary for native code execution on both Intel and Apple ARM processors.

** Apple introduced the app notarization requirement as a security process in macOS 10.15. If you enable the requirement, you must install Tanium Client 7.2.314.3608 or later on endpoints that run macOS 10.15 or later.

*** The Tanium Core Platform requires a certain content pack to manage endpoints that run macOS 10.14 Mojave or later:

  • Tanium Core Platform 7.0 or later: Tanium™ Default Content 7.1.7 or later
  • Tanium Core Platform 6.5: Tanium™ Initial Content 6.5.17 or later

Linux

  • Amazon Linux 2 LTS (2017.12)
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03)
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Debian 10.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063
  • Debian 9.x, 8.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Debian 7.x, 6.x
      Tanium Client: 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Oracle Linux 8.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.2.314.3632
  • Oracle Linux 7.x, 6.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Oracle Linux 5.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236
  • Red Hat Enterprise Linux (RHEL) 8.x; CentOS 8.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584
  • Red Hat Enterprise Linux (RHEL) 7.x, 6.x; CentOS 7.x, 6.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Red Hat Enterprise Linux (RHEL) 5.x; CentOS 5.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236
  • SUSE Linux Enterprise Server (SLES) 15; openSUSE 15.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632
  • SUSE Linux Enterprise Server (SLES) 12; openSUSE 12.x
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584
  • SUSE Linux Enterprise Server (SLES) 11.3, 11.4; openSUSE 11.3, 11.4
      Tanium Client: 7.2.314.3632, 7.2.314.3584
  • Ubuntu 20.04 LTS
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063
  • Ubuntu 18.04 LTS
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Ubuntu 16.04 LTS
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  • Ubuntu 14.04 LTS
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476

AIX *

* Requires a 64-bit operating system, the IBM XL C++ runtime libraries file set (xlC.rte), and, in most cases, the IBM LLVM runtime libraries file set (libc++.rte). For specific requirements for each file set and installation steps, see Deploying the Tanium Client to AIX endpoints.

  • IBM AIX 7.2; IBM AIX 7.1 TL1SP10 and higher
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.2.314.3632, 7.2.314.3584

Solaris *

* Requires SUNWgccruntime

  • Oracle Solaris 11 SPARC; Oracle Solaris 11 x86; Oracle Solaris 10 U8 SPARC or higher; Oracle Solaris 10 U8 x86 or higher
      Tanium Client: 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584

Click the links in the following table to see the minimum Tanium Client version (Tanium dependencies) and client endpoint requirements for each Tanium module and shared service.

 Table 2: Module- and service-specific requirements for the Tanium Client and endpoints
Product Tanium Dependencies Endpoint Requirements
Asset Tanium dependencies Endpoints
Client Management Tanium dependencies Endpoints
Comply Tanium dependencies Endpoints
Connect Tanium dependencies Endpoints
Deploy Tanium dependencies Endpoints
Direct Connect Tanium dependencies Endpoints
Discover Tanium dependencies Endpoints
Endpoint Configuration Tanium dependencies Endpoints
End-User Notifications Tanium dependencies Endpoints
Enforce Tanium dependencies Endpoints
Health Check Tanium dependencies Endpoints
Impact Tanium dependencies Endpoints
Incident Response Tanium dependencies Endpoints
Integrity Monitor Tanium dependencies Endpoints
Interact Tanium dependencies Endpoints
Map Tanium dependencies Endpoints
Network Quarantine Tanium dependencies Endpoints
Patch Tanium dependencies Endpoints
Performance Tanium dependencies Endpoints
Protect Tanium dependencies Endpoints
Reputation Tanium dependencies Endpoints
Reveal Tanium dependencies Endpoints
Threat Response Tanium dependencies Endpoints
Trends Tanium dependencies Endpoints

Tanium Core Platform servers

Tanium Clients can connect only to Tanium Core Platform servers (Tanium Server, Tanium Module Server, and Tanium Zone Server) that run the same Tanium™ Protocol version as the clients or a later version than the clients. Servers and clients at version 7.3 or earlier run Tanium Protocol 314. Servers and clients at version 7.4 or later run Tanium Protocol 315. Effectively, this means that servers are backward-compatible with earlier clients; for example, servers at version 7.4 support Tanium Client 7.2, but Tanium Client 7.4 cannot connect to servers at version 7.2.

For details about the Tanium Protocol, see Tanium Core Platform Deployment Reference Guide: Overview of TLS in the Tanium Core Platform.

The release numbers for Tanium Core Platform servers and Tanium Clients have the format <major release>.<minor release>.<point release>, such as 7.4.4. Clients can connect to the servers when their major and minor release numbers match regardless of whether the point release numbers match. For example, Tanium Client 7.4.4 can connect to Tanium Server 7.4.2.

To ensure that all the features and fixes in a release are available to Tanium Core Platform servers and Tanium Clients, upgrade both to the same major, minor, and point release.
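
The compatibility rules in this section can be applied to an endpoint inventory before a server change. The sketch below is an added example, not Tanium code; the function names, the host names, and the inventory are constructed for illustration.

```python
def parse_release(version: str) -> tuple:
    """Return (major, minor, point) from a release number such as 7.4.4 or 7.4.4.1362."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a release number: {version!r}")
    return tuple(int(p) for p in parts[:3])


def protocol_version(version: str) -> int:
    """Version 7.3 or earlier runs Tanium Protocol 314; 7.4 or later runs 315."""
    return 315 if parse_release(version)[:2] >= (7, 4) else 314


def can_connect(client: str, server: str) -> bool:
    """A client connects only to a server on the same or a later protocol version."""
    return protocol_version(client) <= protocol_version(server)


def audit(server: str, inventory: dict) -> dict:
    """Classify endpoints against a planned server release.

    blocked:    the client cannot connect to that server at all
    mismatched: the client connects, but major.minor.point differs from the server
    unparsable: the reported version is not a release number
    """
    report = {"blocked": [], "mismatched": [], "unparsable": []}
    server_release = parse_release(server)
    for host, client in sorted(inventory.items()):
        try:
            client_release = parse_release(client)
        except ValueError:
            report["unparsable"].append(host)
            continue
        if not can_connect(client, server):
            report["blocked"].append(host)
        elif client_release != server_release:
            report["mismatched"].append(host)
    return report


# Constructed inventory: host name -> reported Tanium Client version.
SAMPLE_INVENTORY = {
    "ws-001": "7.4.4.1362",
    "db-legacy": "7.2.314.3632",
    "mac-17": "7.4.2.2073",
    "kiosk": "unknown",
}

if __name__ == "__main__":
    for server in ("7.4.2", "7.2.314"):
        print(server, audit(server, SAMPLE_INVENTORY))
```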

Tanium Client service account

On Windows, the Tanium Client is installed as a service that runs in the context of the Local System account.

On AIX, Linux, macOS, and Solaris, the Tanium Client is installed as a system service, which must run with a User ID (UID) of 0.

Network connectivity, ports, and firewalls

TaaS and Tanium Core Platform components use TCP/IP to communicate over IPv4 networks and IPv6 networks. Tanium Core Platform 7.2 or earlier supports only IPv4. Contact Tanium Support if you need IPv6 support in version 7.3 or later. Work with your network administrator to ensure that the TaaS instances or Tanium components have IP addresses and can use Domain Name System (DNS) to resolve host names.

Work with your network security administrator to ensure that firewalls and security applications do not block the port that the Tanium Client uses for communication with TaaS or the Tanium Server or Zone Server and with peer clients (default is port 17472). You can change the port that clients use to communicate with the server by configuring the ServerPort setting. You can also change the port that clients use for peer communication by configuring the ListenPort setting. If you do not configure ListenPort, clients default to using ServerPort for peer communication. The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, firewalls must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For details on client peering settings, see Configuring Tanium Client peering.

The following figure illustrates a deployment with external and internal Tanium Clients. In this example, the external clients are in virtual private networks (VPNs) and therefore do not peer with each other (see Configure isolated subnets). Each external client has a leader connection to the Tanium Zone Server. The internal clients peer with each other in linear chains, and each chain connects to the Tanium Server through a backward and forward leader.

Figure  1:  Tanium Client connectivity

The following figure illustrates a deployment where Tanium Clients have direct endpoint connections to TaaS over port 17486 for Tanium modules that use the Tanium™ Direct Connect shared service. Therefore, the firewalls must allow traffic on port 17486 as well as port 17472. The clients in virtual private networks (VPNs) do not peer with each other and each of these clients has a leader connection to TaaS (see Configure isolated subnets). The clients that peer with each other connect to TaaS through backward and forward leaders at opposite ends of their linear chains.

Figure 2: Tanium Client connectivity

The Tanium Server and Zone Server also use port 17472. Therefore, if you install the client on the same host as the server in a Windows deployment, the listening port for client-client communication automatically increments to 17473 on that host to prevent port conflicts. You cannot install the client on a Tanium Appliance.

If you configure the Tanium Client to randomly select a new listening port at intervals, you must configure endpoint firewalls to allow incoming connections on any port that the Tanium Client process requests. See Randomize listening ports.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Some Tanium modules and shared services have additional port requirements for the Tanium Client: see Tanium Core Platform Deployment Reference Guide: Module- and service-specific port requirements.

On endpoints that run macOS 10.14 (Mojave) or later, you might have to configure a firewall rule to prevent end users from seeing a pop-up for allowing connections during a Tanium Client upgrade. See Manage popups for Tanium Client upgrades.

The port number for the client API is one higher than the client-client listening port, which means that, by default, the API port is 17473. However, if the listening port changes, the API port also changes. For example, if you set ListenPort to 17473, the client API port becomes 17474. Because the API is on the loopback interface (localhost), the API port does not require a firewall rule for allowing traffic.
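
The port rules in this section (ServerPort, ListenPort, the API port, and port 17486 for Direct Connect) can be turned into a firewall rule checklist. The sketch below is an added example, not Tanium code; the rule tuples, the scope labels, and the direction labels (written from the endpoint's point of view) are assumptions of the example.

```python
DEFAULT_SERVER_PORT = 17472   # default ServerPort from this page
DIRECT_CONNECT_PORT = 17486   # Direct Connect port from this page


def effective_ports(server_port=DEFAULT_SERVER_PORT, listen_port=None):
    """Resolve the ports a client uses from its ServerPort and ListenPort settings."""
    # Without ListenPort, peer communication falls back to ServerPort.
    listen = server_port if listen_port is None else listen_port
    # The client API sits one above the listening port, on loopback only.
    return {"server": server_port, "listen": listen, "api": listen + 1}


def required_rules(server_port=DEFAULT_SERVER_PORT, listen_port=None,
                   direct_connect=False):
    """Return the TCP rules an endpoint firewall needs as (direction, scope, port)."""
    ports = effective_ports(server_port, listen_port)
    rules = {
        ("outbound", "server", ports["server"]),
        # Peering is bi-directional, but only between clients in the same LAN.
        ("inbound", "lan-peers", ports["listen"]),
        ("outbound", "lan-peers", ports["listen"]),
    }
    if direct_connect:
        rules.add(("outbound", "server", DIRECT_CONNECT_PORT))
    # No rule for ports["api"]: loopback traffic does not need one.
    return rules


def missing_rules(allowed, **settings):
    """Compare an exported rule list with what the client settings require."""
    return sorted(required_rules(**settings) - set(allowed))


# Constructed export of the TCP allow rules currently on an endpoint.
SAMPLE_ALLOWED = [
    ("outbound", "server", 17472),
    ("inbound", "lan-peers", 17472),
]

if __name__ == "__main__":
    print(effective_ports(listen_port=17473))
    print(missing_rules(SAMPLE_ALLOWED, direct_connect=True))
```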

Host system security exclusions

Some environments use security software to monitor and block unknown host system processes. Work with your network and security team to define exclusions that allow TaaS or Tanium Core Platform components and processes to operate smoothly and at optimal performance. Typically, this means configuring security software to exempt Tanium Client installation directories from real-time inspection and configuring a policy to ignore input and output from Tanium binaries.

The following tools and files have specific requirements for the Tanium Client:

  • Microsoft Group Policy Objects (GPO) or other central management tools for managing host firewalls: You might need to create rules to allow inbound and outbound TCP traffic across the port that the client uses for Tanium traffic (default 17472) on any managed endpoints. See Network connectivity, ports, and firewalls.

  • McAfee Host Intrusion Prevention System (HIPS): Mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, in accordance with McAfee KB71704.

  • Windows Update offline scan file (Wsusscn2.cab): The Tanium Client uses Wsusscn2.cab to assess endpoints for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, see the Microsoft KB for information on configuring those tools to interact appropriately with the Wsusscn2.cab file.

Some Tanium modules and shared services have their own security exclusions for the Tanium Client. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 3 lists Tanium Client directories that anti-virus software or other host-based security applications must exclude from on-access or real-time scans. Include subdirectories of these locations when you create the exception rules. The listed directory paths are the defaults. If you changed the directory locations to non-default paths, create rules that are based on the actual locations.

 Table 3: Security exclusions for Tanium Client directories
Endpoint OS Installation Directory
Windows 32-bit \Program Files\Tanium\Tanium Client
Windows 64-bit \Program Files (x86)\Tanium\Tanium Client
macOS /Library/Tanium/TaniumClient
Linux, Solaris, AIX /opt/Tanium/TaniumClient

For additional directory exclusions that are required when you use the Tanium Client Management service to install Tanium Clients, see Tanium Core Platform Deployment Reference Guide: Client Management.

Security applications must allow (not block, quarantine, or otherwise process) the following system processes. The <Tanium Client> variable indicates the Tanium Client installation directory.

 Table 4: Security exclusions for system processes on Tanium Client endpoints
Endpoint OS Notes Process

Windows, macOS, Linux
  • <Tanium Client>/Tools/StdUtils directory or all the files that it contains, including:
      • 7za.exe (Windows) or 7za (macOS, Linux)
      • runasuser.exe (Windows only)
      • runasuser64.exe (Windows only)
      • TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux)
      • TaniumFileInfo.exe (Windows only)
      • TPowerShell.exe (Windows only)

macOS, Linux, Solaris, AIX
  • TaniumClient
  • taniumclient

macOS, Linux
  • distribute-tools.sh
  • TaniumCX
  • python

Windows
  • TaniumClient.exe
  • TaniumCX.exe
  • TPython.exe
  • <Tanium Client>\Python27\*.dll
  • <Tanium Client>\Python38\*.dll