Tanium Client and Client Management requirements

Review the requirements before deploying the Tanium Client to endpoints. Additionally, review the specific requirements for the Tanium Client Management shared service before installing it and using it to deploy clients, monitor client health, manage client settings, or upgrade clients.

Endpoint Configuration is also installed as part of Client Management. Also review the Endpoint Configuration requirements before installing Client Management.

Client version and host system requirements

Table 1 lists the supported operating systems on endpoint host systems where you install the Tanium Client.

Hardware resource requirements vary based on the actions that you deploy to the endpoints. See Hardware requirements for baseline RAM and disk space requirements.

Some Tanium modules and shared services have additional requirements for the Tanium Client and endpoint hosts. Table 3 provides links to the user guide sections that list these requirements.

Windows endpoints must have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
  • DigiCert High Assurance EV Root CA (thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25)
  • DigiCert SHA2 Assured ID CA (thumbprint E12D2E8D47B64F469F518802DFBD99C0D86D3C6A)
  • DigiCert SHA2 Assured ID Code Signing CA (thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6)

Supported operating systems

The following table lists operating systems that are supported by the Tanium Client and the Client Management service.

 Table 1: Supported OS versions for Tanium Client hosts
Operating system OS Version Available Executables Tanium Client Version Supported by Client Management Notes
Microsoft Windows Server
  • Windows Server 2022
  • Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel)
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
x86 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you disable any of these features on endpoints, Tanium functionality is limited.

  • For Tanium Client versions 7.2.314.3584 and later, PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 or Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.
  • Tanium™ Endpoint Configuration and Tanium modules do not support Windows Server 2008. On Windows Server 2008, the Tanium Client provides only basic visibility and endpoint information.
Windows Server 2008 x86 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
Microsoft Windows Server
  • Windows Server 2022
  • Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel)
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
x86 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you disable any of these features on endpoints, Tanium functionality is limited.

  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.
Microsoft Windows Workstation
  • Windows 11
  • Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel)
  • Windows 8
  • Windows 7 (SP1)
x86 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript, and PowerShell. If you disable any of these features on endpoints, some Tanium functionality might be limited.

  • For Tanium Client versions 7.2.314.3584 and later, PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows 7 for PowerShell-based sensors to work on those endpoints.
Microsoft Windows Workstation
  • Windows 11
  • Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel)
  • Windows 8
  • Windows 7 (SP1)
x86 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript, and PowerShell. If you disable any of these features on endpoints, some Tanium functionality might be limited.

  • PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows 7 for PowerShell-based sensors to work on those endpoints.
macOS
  • macOS 12 Monterey
  • macOS 11 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
Universal
x86-64
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3608
7.2.314.3476
7.2.314.3236
  • The universal binary is available only in Tanium Client 7.4.8.1042 or later.
  • The universal binary is supported and runs natively on both Intel-based Mac computers running macOS 10.15 or later and Apple "M" series-based Mac computers. Intel-based Mac computers running macOS 10.14 or earlier support only the x86-64 binary.
  • (macOS 10.15 or later) Apple introduced the app notarization requirement as a security process in macOS 10.15. If you enable the requirement, you must install Tanium Client 7.2.314.3608 or later on endpoints that run macOS 10.15 or later.

  • (macOS 10.14 or later) The Tanium Core Platform requires a certain content pack to manage endpoints that run macOS 10.14 Mojave or later:

    • Tanium Core Platform 7.0 or later: Tanium™ Default Content 7.1.7 or later
    • Tanium Core Platform 6.5: Tanium™ Initial Content 6.5.17 or later
  • Tanium Client 7.2.314.3608 and later has a different code signing requirement from earlier versions. If you are creating a Privacy Preferences Policy Control (PPPC) custom payload, see Prepare for deployment to Linux, macOS, or UNIX endpoints (for deployment with Client Management) or Deploy the Tanium Client to macOS endpoints using the installer.
macOS
  • macOS 12 Monterey
  • macOS 11 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
Universal
x86-64
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • The universal binary is available only in Tanium Client 7.4.8.1042 or later.
  • The universal binary is supported and runs natively on both Intel-based Mac computers running macOS 10.15 or later and Apple "M" series-based Mac computers. Intel-based Mac computers running macOS 10.14 or earlier support only the x86-64 binary.
  • Tanium Client 7.2.314.3608 and later has a different code signing requirement from earlier versions. If you are creating a Privacy Preferences Policy Control (PPPC) custom payload, see Prepare for deployment to Linux, macOS, or UNIX endpoints (for deployment with Client Management) or Deploy the Tanium Client to macOS endpoints using the installer.
Linux Amazon Linux 2 LTS x86-64
ARM64
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
  • ARM64 support currently applies only to the following solutions. For the earliest version of each solution that is required for ARM64 support, see the release notes for each solution. Tanium intends to add support for additional solutions over time.

    • Tanium™ Client Management
    • Tanium™ Endpoint Configuration
    • Tanium™ Asset
    • Tanium™ Comply
    • Tanium™ Deploy
    • Tanium™ Discover
    • Tanium™ Integrity Monitor
    • Tanium™ Patch
    • Tanium™ Performance
    • Tanium™ Reveal
    • Tanium™ Risk
  • ARM64 support is available only in Tanium Client 7.4.7.1130 or later.
Amazon Linux 1 AMI (2016.09, 2018.03) x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Debian 11.x x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Debian 10.x

x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Debian 9.x, 8.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Debian 7.x, 6.x x86-64 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Oracle Linux 8.x x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3660
7.2.314.3657
7.2.314.3632

 
Oracle Linux 7.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3660
7.2.314.3657
7.2.314.3632

 
Oracle Linux 6.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.2.314.3660
7.2.314.3657
7.2.314.3632

 
Oracle Linux 5.x x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
7.2.314.3236
 
  • Red Hat Enterprise Linux (RHEL) 9.x
  • AlmaLinux 9.x
  • Rocky Linux 9.x
x86-64 7.4.9.1046  
  • Red Hat Enterprise Linux (RHEL) 8.x
  • CentOS 8.x
  • AlmaLinux 8.x
  • Rocky Linux 8.x
x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
  • (CentOS 8.x) CentOS Stream is a separate distribution and is not supported.

  • In Client Management, you can deploy only Tanium Client 7.4.5.1204 or later to AlmaLinux or Rocky Linux.
  • Red Hat Enterprise Linux (RHEL) 7.x
  • CentOS 7.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
  • Red Hat Enterprise Linux (RHEL) 6.x
  • CentOS 6.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
  • Red Hat Enterprise Linux (RHEL) 5.x
  • CentOS 5.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
7.2.314.3236
  • (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Client Management, but you cannot use Direct Connect to access detailed client health information.

  • SUSE Linux Enterprise Server (SLES) 15
  • openSUSE 15.x

x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632

 
  • SUSE Linux Enterprise Server (SLES) 12
  • openSUSE 12.x
x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
 
  • SUSE Linux Enterprise Server (SLES) 11.3, 11.4
  • openSUSE 11.3, 11.4
x86-64 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
 
Ubuntu 22.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Ubuntu 20.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Ubuntu 18.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Ubuntu 16.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Ubuntu 14.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
7.2.314.3476
 
Linux Amazon Linux 2 LTS x86-64
ARM64
7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • ARM64 support applies only to the following solutions:

    • Tanium™ Client Management
    • Tanium™ Endpoint Configuration
    • Tanium™ Asset
    • Tanium™ Comply
    • Tanium™ Deploy
    • Tanium™ Discover
    • Tanium™ Integrity Monitor
    • Tanium™ Patch
    • Tanium™ Performance
    • Tanium™ Reveal
    • Tanium™ Risk
    • Tanium™ Threat Response
  • ARM64 support is available only in Tanium Client 7.4.7.1130 or later.
Amazon Linux 1 AMI (2016.09, 2018.03) x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Debian 11.x x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Debian 10.x

x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Debian 9.x, 8.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 8.x x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063

 
Oracle Linux 7.x x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 6.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Oracle Linux 5.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 9.x
  • AlmaLinux 9.x
  • Rocky Linux 9.x
x86-64 7.4.9.1046  
  • Red Hat Enterprise Linux (RHEL) 8.x
  • CentOS 8.x
  • AlmaLinux 8.x
  • Rocky Linux 8.x
x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • (CentOS 8.x) CentOS Stream is a separate distribution and is not supported.

  • Red Hat Enterprise Linux (RHEL) 7.x
  • CentOS 7.x
x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 6.x
  • CentOS 6.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
  • Red Hat Enterprise Linux (RHEL) 5.x
  • CentOS 5.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
  • (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Client Management, but you cannot use Tanium™ Direct Connect to access detailed client health information.

  • SUSE Linux Enterprise Server (SLES) 15
  • openSUSE 15.x

x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955

 
  • SUSE Linux Enterprise Server (SLES) 12
  • openSUSE 12.x

x86
x86-64

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 22.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
 
Ubuntu 20.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
 
Ubuntu 18.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 16.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
Ubuntu 14.04 LTS x86-64 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
 
AIX

IBM AIX 7.1 TL4 or later

POWER 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
  • The Tanium Client for AIX requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte), and, in most cases, the IBM LLVM runtime libraries file set (libc++.rte). For specific requirements for each file set and installation steps, see Prepare for deployment to Linux, macOS, or UNIX endpoints (for deployment using Client Management) or Deploy the Tanium Client to AIX endpoints using a package file.

  • Summary client health information in Client Management includes AIX endpoints, but you cannot use Direct Connect to access detailed client health information.

  • The default Client Management action group does not target AIX endpoints.To use Client Management functionality with AIX endpoints, set the Client Management action group to target the computer group All Computers. For more information, see Configure the Client Management action group.
  • Tanium™ Endpoint Configuration and Tanium modules do not support AIX versions earlier than 7.1 TL4. On these versions of AIX, the Tanium Client provides only basic visibility and endpoint information.
  • IBM AIX 7.1 TL1 (Service Pack 10 or later)
  • IBM AIX 7.1 TL2
  • IBM AIX 7.1 TL3
POWER 7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
AIX

IBM AIX 7.1 TL4 or later

POWER 7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
  • The Tanium Client for AIX requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte), and the IBM LLVM runtime libraries file set (libc++.rte). For specific requirements for each file set and installation steps, see Deploy the Tanium Client to AIX endpoints using a package file.

  • Summary client health information in Client Management includes AIX endpoints, but you cannot use Direct Connect to access detailed client health information.

  • The default Client Management action group does not target AIX endpoints.To use Client Management functionality with AIX endpoints, set the Client Management action group to target the computer group All Computers. For more information, see Configure the Client Management action group.
  • You cannot download the AIX installer from Client Management. To obtain the installer for AIX, contact Tanium support.

Solaris
  • Oracle Solaris 11 SPARC
  • Oracle Solaris 11 x86
  • Oracle Solaris 10 U8 SPARC or higher
  • Oracle Solaris 10 U8 x86 or higher

SPARC
x86

7.4.9.1046
7.4.8.1054
7.4.8.1042
7.4.7.1183
7.4.7.1179
7.4.7.1130
7.4.7.1094
7.4.5.1225
7.4.5.1220
7.4.5.1219
7.4.5.1204
7.4.4.1362
7.4.4.1250
7.4.2.2073
7.4.2.2063
7.4.2.2033
7.4.1.1955
7.2.314.3660
7.2.314.3657
7.2.314.3632
7.2.314.3584
  • The Tanium Client for Solaris requires SUNWgccruntime on Solaris 10 and 11.0–11.3.

  • Summary client health information in Client Management includes Solaris endpoints, but you cannot use Direct Connect to access detailed client health information.

  • The default Client Management action group does not target Solaris endpoints.To use Client Management functionality with Solaris endpoints, set the Client Management action group to target the computer group All Computers. For more information, see Configure the Client Management action group.
  • You cannot download the Solaris installer from Client Management. To obtain the installer for Solaris, contact Tanium support.

Hardware requirements

The following minimums are recommended to install and run the Tanium Client on endpoints:

  • CPU cores: 2
  • Random-access memory (RAM): 2 GB
  • Available disk space: 1 GB

On an endpoint that does not use functionality from Tanium modules and uses the Tanium Client only for basic visibility and endpoint information, the Tanium Client can function with a single-core CPU. However, overall performance of the endpoint might be reduced.

Virtual desktop infrastructure (VDI) environments: For better performance, provide at least two CPU cores for each VDI instance, even if CPU cores are overprovisioned.

Installed modules or services might require additional RAM and disk space, depending on your usage. Contact Tanium support for guidance on specific configurations.

The modules that are listed in the following table have specific additional hardware requirements. Requirements for RAM refer to the total installed RAM that the client and all installed modules and services require. Requirements for disk space refer to the additional available disk space that each listed module requires. (For complete endpoint requirements for each listed modules, follow the links in the table. For links to endpoint requirements for all solutions, see Table 3.)

 Table 2: Additional hardware requirements for specific modules
Product Additional available disk space Total installed RAM
Tanium™ Comply 200 MB 2 GB1
Tanium™ Deploy 2 GB2 2 GB1
Tanium™ Integrity Monitor 1 GB3 4 GB
Tanium™ Map 200 MB 4 GB
Tanium™ Patch 5 GB2 2 GB1,4
Tanium™ Performance The amount specified in the Database maximum size parameter plus 100 MB 2 GB1
Tanium™ Reveal 2 GB3 2 GB1
Tanium™ Threat Response 3 GB3 4 GB

1 This module does not have a specific RAM requirement above the baseline 2 GB of RAM that the Tanium Client requires.

2 If both Deploy and Patch are installed, only 5 GB of additional available disk space is required for both solutions, for client cache space.

3 This solution uses Tanium™ Index and Tanium™ Recorder. Specific disk space requirements for Index depend on the file system on the endpoint, and specific disk space requirements for Recorder depend on the number of events recorded on the endpoint. Depending on these factors, the disk space that is required on the endpoint might be greater than the amount listed here.

4 The utilities that Patch uses for scanning use increased RAM for up to several minutes during endpoint scans. If an endpoint must also run other processes that use significant RAM during Patch scans, it might require more RAM than the minimum 2 GB.

Module and service requirements

Click the links in the following table to see the minimum Tanium Client version (Tanium dependencies) and client endpoint requirements for each Tanium module and shared service.

 Table 3: Solution-specific requirements for the Tanium Client and endpoints
Product Tanium Dependencies Endpoint Requirements
Tanium™ API Gateway Core platform dependencies N/A
Tanium™ Asset2 Core platform dependencies Endpoints
Tanium™ Client Management

Core platform dependencies (following this section)

The following sections:

Tanium™ Comply2 Core platform dependencies Endpoints
Tanium™ Connect Core platform dependencies N/A
Tanium™ Criticality Core platform dependencies N/A
Tanium™ Deploy2 Core platform dependencies Endpoints
Tanium™ Direct Connect2 Core platform dependencies Endpoints
Tanium™ Discover2 Core platform dependencies Endpoints
Tanium™ Endpoint Configuration1 Core platform dependencies Endpoints
Tanium™ End-User Notifications Core platform dependencies Endpoints
Tanium™ Enforce Core platform dependencies Endpoints
Tanium™ Feed Core platform dependencies N/A
Tanium™ Health Check Core platform dependencies N/A
Tanium™ Impact2 Core platform dependencies Endpoints
Tanium™ Integrity Monitor2 Core platform dependencies Endpoints
Tanium™ Interact Core platform dependencies Endpoints
Tanium™ Map2 Core platform dependencies Endpoints
Tanium™ Network Quarantine Core platform dependencies Endpoints
Tanium™ Patch2 Core platform dependencies Endpoints
Tanium™ Performance2 Core platform dependencies Endpoints
Tanium™ Provision Core platform dependencies Endpoints
Tanium™ Reporting Core platform dependencies N/A
Tanium™ Reputation Core platform dependencies N/A
Tanium™ Reveal2 Core platform dependencies Endpoints
Tanium™ Risk2 Core platform dependencies Endpoints
Tanium™ Threat Response2 Core platform dependencies Endpoints
Tanium™ Trends Core platform dependencies N/A

1 Endpoint Configuration is automatically installed when you install Client Management 1.5 or later.

2 This solution requires Endpoint Configuration, to deploy tools and configuration changes to endpoints. You must upgrade Client Management to version 1.5 or later to support the latest version of this solution. For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Tanium Client Management dependencies

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers: 7.3.314.4250 or later

  • Tanium Client: Downloading client installers from Client Management does not require a pre-existing installation of Tanium Client. Using client profile and client health features, including using Direct Connect to access detailed client health information, requires a supported Tanium Client (see Supported OS versions for Tanium Client hosts).

Solution dependencies

Other Tanium solutions are required for specific Client Management features to work. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Client Management dependencies have their own dependencies, which you can see by clicking the links in the lists of Tanium Client and Client Management requirements and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Client Management requires.

Endpoint Configuration is installed as part of Client Management 1.5 or later. When you install a version of Client Management that includes Endpoint Configuration:

  • Make sure you upgrade each module that uses Endpoint Configuration to a version from after support for Endpoint Configuration was introduced (follow links for Tanium Dependencies from Table 3 and see the release notes for each module).

  • After Endpoint Configuration is installed, do not use the Initial Content - Python solution to deploy Python to endpoints that support Endpoint Configuration (see Tanium Endpoint Configuration User Guide: Endpoints).

Tanium recommended installation

If you select Tanium Recommended Installation when you import Client Management, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Client Management to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Feature-specific dependencies

Client Management has the following feature-specific dependencies at the specified minimum versions:

  • Tanium Interact 2.4.50 or later is required to view charts on the Client Management Overview page
  • Tanium Direct Connect 1.4.3 or later is required to connect to endpoints to access detailed client health information
  • Tanium Discover 3.1 or later is required to target endpoints based on Discover tags

Client extensions

Tanium Endpoint Configuration installs client extensions for Client Management on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Client Management functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between endpoint and Module ServerTanium Cloud. Tanium Direct Connect installs this client extension. This is a feature-specific dependency for Client Management.
  • Discover CX - Performs satellite-based Nmap scans. Tanium Discover installs this client extension. This is a feature-specific dependency for Client Management.
  • Extras CX - Provides a helper library that contains re-usable functions for various client extensions to use. Tanium Discover installs this client extension. This is a feature-specific dependency for Client Management.
  • Support CX - Provides the ability to gather troubleshooting content from endpoints through Tanium Client Management. Tanium Client Management installs this client extension.
  • TSDB CX - Collects metrics about the Tanium Client and client extensions. This client extension is installed by Client Management. Tanium Client Management installs this client extension.

Tanium™ Module Server

Client Management is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Compatibility between Tanium Core Platform servers and Tanium Clients

Tanium Clients can connect only to Tanium Core Platform servers (Tanium Server, Tanium Module Server, and Tanium Zone Server) that run the same Tanium™ Protocol version as the clients or a later version than the clients. Servers and clients at version 7.3 run Tanium Protocol 314. Servers and clients at version 7.4 or later run Tanium Protocol 315. Effectively, this means that servers are backward-compatible with earlier clients; for example, servers at version 7.4 support Tanium Client 7.2 and 7.3, but Tanium Client 7.4.x cannot connect to servers at version 7.3.

For details about the Tanium Protocol, see Tanium Core Platform Deployment Reference Guide: Overview of TLS in the Tanium Core Platform.

The release numbers for Tanium Core Platform servers and Tanium Clients have the format <major release>.<minor release>.<point release>, such as 7.4.5. Clients can connect to the servers when their major and minor release numbers match regardless of whether the point release numbers match. For example, Tanium Client 7.4.5 can connect to Tanium Server 7.4.2.

  • To ensure that all the features and fixes in a release are available to Tanium Core Platform servers and Tanium Clients, upgrade both to the same major, minor, and point release.

  • Do not install the Tanium Client on the same host as a Tanium Core Platform server. Managing Tanium Core Platform servers as endpoints requires significantly more complex access restrictions in Tanium. Tanium users with management rights over Tanium Core Platform servers might be able to circumvent access restrictions within Tanium or inadvertently deploy actions that interfere with Tanium functionality. If you choose to install the client on Tanium Core Platform server machines, you must carefully restrict access to computer groups that include Tanium Core Platform servers, such as All Computers, All Servers, and All Windows. You cannot install the client on a Tanium Appliance, and you cannot use Tanium Client Management to install the client on the Tanium Module Server.

Endpoint accounts

Tanium Client service account

On Windows, the Tanium Client is installed as a service that runs in the context of the Local System account.

On AIX, Linux, macOS, and Solaris, the Tanium Client is installed as a system service, which must run with a User ID (UID) of 0.

Account permissions for Client Management

During client installation using Client Management, you must have an account configured with the appropriate permissions on each endpoint. You add credentials for these accounts during the deployment process (see Configure client credentials). These accounts and permissions are necessary only during deployment, and they can be removed or changed after you successfully deploy clients.

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Windows endpoints

On each Windows endpoint, you must have an account with Local Administrator rights, or a local or domain account configured that has the following abilities:

  • Remotely connect to the endpoint and authenticate with SMB
  • Create folders within the installation directory for 32-bit applications, and, if applicable, the custom location where the Tanium Client will be installed (by default, C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows)

    A custom installation directory must be located on drive C for deployment with Client Management. To install Tanium Client on a different drive, you must use an alternative deployment method. For more information, see Deploying the Tanium Client using an installer or package file.

  • Write and execute files in the Tanium installation directory (by default, C:\Program Files (x86)\Tanium\ for 64-bit versions of Windows, or C:\Program Files\Tanium\ for 32-bit versions of Windows)

Non-Windows endpoints

On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate with SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

  • The root user
  • A user that is listed in the sudoers file on each endpoint, to allow the account you are using for installation to use sudo

    If you restrict user commands in the sudoers file, you must allow the commands used by Client Management during deployment.

Specific distributions or your specific environment might have specific authentication requirements.

Amazon Linux: Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.

Network connectivity, ports, and firewalls

TCP/IP requirements for Tanium Client

Tanium Cloud uses Tanium Core Platform components use TCP/IP to communicate over IPv4 networks and IPv6 networks. Contact Tanium Support if you need IPv6 support in Tanium Core Platform. Work with your network administrator to ensure that the endpoints in your environment can reach the Tanium Cloud Client Edge URLsTanium components have IP addresses and can use the Domain Name System (DNS) to resolve the host names. For more information, see Tanium Cloud Deployment Guide: Getting started with Tanium Cloud.

Connectivity and TCP/IP requirements for Client Management

The Tanium Module Server must have a connection to endpoints to automatically deploy the Tanium Client using Client Management. Additionally, both the Tanium Server and endpoints must have IPv4 addresses; IPv6 addresses are not supported in Client Management. If you plan to deploy the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, or if you plan to deploy the Tanium Client where only IPv6 addresses are available, you can download and manually deploy an installation bundle. For more information, see Download the installation bundle or tanium-init.dat file for alternative deployment.

Port requirements for Tanium Client and Client Management

The following ports are the defaults that are required for Tanium Client communication, and those that are required forand Client Management communication.

 Table 4: Default portPort requirements for Tanium Client
SourceDestinationPort ProtocolPurpose
Tanium ClientTanium ServerTanium Cloud17472TCPUsed for communication between the Tanium Client and the Tanium ServerTanium Cloud
Tanium ClientZone Server117472TCPUsed for communication between the Tanium Client and the Zone Server
Tanium ClientPeer clients17472TCPUsed for communication between the Tanium Client and peer clients
Peer clientsTanium Client17472TCPUsed for communication between the Tanium Client and peer clients
Tanium ClientTanium Client (loopback)17473TCP

Used for the Tanium Client API

This port is used with the loopback interface and usually does not require a firewall rule.

Tanium Clientdistribute.cloud.tanium.com443

TCP (HTTPS)

Outbound communication from the Tanium Client and inbound communication for file part distribution

1This destination is required only when you use a Zone Server.

 Table 5: Port requirements for Client Management
SourceDestinationPort ProtocolPurpose
Module ServerEndpoints (non-Windows)22TCPUsed for SSH communication from the module server to the target endpoint during client installation
Module ServerEndpoints (Windows)135TCPUsed for initiating WMI communication from the module server to the target endpoint during client installation
445TCPUsed for SMB communication from the module server to the target endpoint during client installation
49152–65535TCPRandomly allocated dynamic ports used for WMI communication after it is initiated on port 135. If a different dynamic port range is configured for RPC communication, that port range must be allowed by the firewall.
Tanium Client (internal)Module Server17475TCPUsed for direct connection to endpoints for detailed client health information
Tanium Client (external)Zone Server117486TCPUsed for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
Module ServerZone Server117487TCP Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
17488TCPAllows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows.

1These ports are required only when you use a Zone Server.

 Table 5: Port requirements for Client Management
SourceDestinationPort ProtocolPurpose
Tanium ClientTanium Cloud17486TCPUsed for direct connection to endpoints for detailed client health information

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Some Tanium modules and shared services have additional port requirements for the Tanium Client: see Tanium Core Platform Deployment Reference Guide: Solution-specific port requirementsTanium Cloud Deployment Guide: Solution-specific port requirements.

Work with your network security administrator to ensure that firewalls and security applications do not block port 17472, which the port that the Tanium Client uses for communication with Tanium Cloud the Tanium Server or Zone Server and with peer clients (default is port 17472). You can change the port that clients use to communicate with the server by configuring the ServerPort setting. You can also change the port that clients use for peer communication by configuring the ListenPort setting. If you do not configure ListenPort, clients default to using ServerPort for peer communication. The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, firewalls must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For more information about network port requirements in Tanium, see Tanium Core Platform Deployment Reference Guide: Tanium network portsTanium Cloud Deployment Guide: Host and network security requirements. For more information about client peering settings, see Configuring Tanium Client peering.

  • macOS: The Tanium Client service is signed to automatically allow communication through the default macOS firewall. However, the client installation process does not modify any host-based firewall that is in use. For more information about managing macOS firewalls, see Manage macOS firewall rules.

    On endpoints that run macOS 10.14 (Mojave) or later, you might have to configure a firewall rule to prevent end users from seeing a pop-up for allowing connections during a Tanium Client upgrade. See Manage pop-ups for Tanium Client upgrades.

  • Linux: For more information about managing Linux firewalls, see Manage Linux firewall rules.

  • The Tanium Server and Zone Server also use port 17472. Therefore, if you install the client on the same host as the server in a Windows deployment, the listening port for client-to-client communication automatically increments to 17473 on that host to prevent port conflicts. This installation is not a best practice: see Compatibility between Tanium Core Platform servers and Tanium Clients.

    If you configure the Tanium Client to randomly select a new listening port at intervals, you must configure endpoint firewalls to allow incoming connections on any port that the Tanium Client process requests. For more information, see Randomize listening ports.

  • The port number for the client API is one higher than the client-client listening port, which means that, by default, the API port is 17473. However, if the listening port changes, the API port also changes. For example, if you set ListenPort to 17473, the client API port becomes 17474. Because the API is on the loopback interface (localhost), the API port usually does not require a firewall rule for allowing traffic.

For additional information about preparing endpoints for remote installation using Client Management, see Prepare for deployment to Linux, macOS, or UNIX endpoints and Prepare for deployment to Windows endpoints.

The following figure illustrates a deployment with external and internal Tanium Clients. In this example, the external clients are in virtual private networks (VPNs) and therefore do not peer with each other (see Configure isolated subnets). Each external client has a leader connection to the Tanium Zone Server. The internal clients peer with each other in linear chains, and each chain connects to the Tanium Server through a backward and forward leader.

Figure  1:  Tanium Client connectivity

The following figure illustrates a deployment where Tanium Clients have direct endpoint connections to Tanium Cloud over port 17486 for Tanium modules that use the Tanium™ Direct Connect shared service. Therefore, the firewalls must allow traffic on port 17486 as well as port 17472. The clients in virtual private networks (VPNs) do not peer with each other and each of these clients has a leader connection to Tanium Cloud (see Configure isolated subnets). The clients that peer with each other connect to Tanium Cloud through backward and forward leaders at opposite ends of their linear chains.

Figure  2:  Tanium Client connectivity

Host system security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Security exclusions for Tanium Client

Some antivirus (AV) software might require excluding the installation directories of the Tanium Client from real-time inspection. Typically, configuring trusted exclusions also involves setting a policy to ignore the input and output of Tanium binaries. The configuration of these exclusions varies based on the AV software.

The following tools and files have specific requirements for the Tanium Client:

  • Microsoft Group Policy Objects (GPO) or other central management tools for managing host firewalls: Tanium recommends creating rules to allow inbound and outbound TCP traffic across the port that the client uses for Tanium traffic (default 17472) on any managed endpoints. See Network connectivity, ports, and firewalls.

  • McAfee Host Intrusion Prevention System (HIPS): Tanium recommends marking the Tanium Client as both Trusted for Firewall and Trusted for IPS, in accordance with McAfee KB71704.

  • Windows Update offline scan file (Wsusscn2.cab): The Tanium Client uses Wsusscn2.cab to assess endpoints for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, see the Microsoft KB for information on configuring those tools to interact appropriately with the Wsusscn2.cab file.

Some Tanium modules and shared services have their own security exclusions for the Tanium Client. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 6 lists Tanium Client directories that Tanium recommends AV software or other host-based security applications exclude from on-access or real-time scans. Include subdirectories of these locations when you create the exception rules. The listed directory paths are the defaults. If you changed the directory locations to non-default paths, create rules that are based on the actual locations.

 Table 6: Security exclusions for Tanium Client directories
Endpoint OSInstallation Directory
Windows (64-bit OS versions)\Program Files (x86)\Tanium\Tanium Client
Windows (32-bit OS versions)\Program Files\Tanium\Tanium Client
macOS/Library/Tanium/TaniumClient
Linux, Solaris, AIX/opt/Tanium/TaniumClient

Tanium recommends that security applications allow (not block, quarantine, or otherwise process) the following system processes. The <Tanium Client> variable indicates the Tanium Client installation directory, which is configurable during client installation.

 Table 7: Security exclusions for system processes on Tanium Client endpoints
Endpoint OSProcess
Windows, macOS, Linux<Tanium Client>/Tools/StdUtils directory or all the files that it contains, including:
  • 7za.exe (Windows) or 7za (macOS, Linux)
  • runasuser.exe (Windows only)
  • runasuser64.exe (Windows only)
  • TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux)
  • TaniumFileInfo.exe (Windows only)
  • TPowerShell.exe (Windows only)
macOS, Linux, Solaris, AIX<Tanium Client>/TaniumClient
<Tanium Client>/taniumclient
macOS, Linux<Tanium Client>/distribute-tools.sh
<Tanium Client>/TaniumCX
Windows<Tanium Client>\TaniumClient.exe
<Tanium Client>\TaniumCX.exe

Security exclusions for Client Management

For the Client Management solution, Tanium recommends the following exclusions.

The <Tanium Client> variable refers to the Tanium Client installation directory, which is configurable during client installation.

The <Module Server> variable refers to the Tanium Module server installation directory.

 Table 8: Client Management security exclusions
Target DeviceNotesExclusion TypeExclusion
Module Server Process<Module Server>\services\client-management-service\node.exe
 Process<Module Server>\services\client-profile-service\TaniumClientProfileService.exe
When Direct Connect is installedProcess<Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe
When Discover is installedProcess<Module Server>\services\discover-service\node.exe
When Discover is installedProcess<Module Server>\plugins\content\discover-proxy\proxyplugin.exe
 Process<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
 Process<Module Server>\services\twsm-v1\twsm.exe
Zone ServerWhen Direct Connect is installedProcess<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
When Direct Connect is installedProcess<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe
Windows x86 endpointsDuring client installationProcess\Program Files\Tanium\TaniumClientBootstrap.exe
During client installationProcess\Program Files\Tanium\SetupClient.exe
During client installationProcess<Tanium Client>\SetupClient.exe
 File<Tanium Client>\TaniumClientExtensions.dll
 File<Tanium Client>\TaniumClientExtensions.dll.sig
 Process<Tanium Client>\TaniumCX.exe
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll.sig
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumDiscover.dll
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumDiscover.dll.sig
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumExtras.dll
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumExtras.dll.sig
When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only)FolderC:\Program Files\Npcap
When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only)Process<Tanium Client>\Tools\Discover\nmap\nmap.exe
Windows x64 endpointsDuring client installationProcess\Program Files (x86)\Tanium\TaniumClientBootstrap.exe
During client installationProcess\Program Files (x86)\Tanium\SetupClient.exe
During client installationProcess<Tanium Client>\SetupClient.exe
 File<Tanium Client>\TaniumClientExtensions.dll
 File<Tanium Client>\TaniumClientExtensions.dll.sig
 Process<Tanium Client>\TaniumCX.exe
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumDiscover.dll
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumDiscover.dll.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumExtras.dll
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumExtras.dll.sig
When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only)FolderC:\Program Files\Npcap
When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only)Process<Tanium Client>\Tools\Discover\nmap\nmap.exe
macOS endpointsDuring client installationProcess/Library/Tanium/TaniumClientBootstrap
During client installationProcess/Library/Tanium/SetupClient
During client installationProcess<Tanium Client>/SetupClient
 File<Tanium Client>/libTaniumClientExtensions.dylib
 File<Tanium Client>/libTaniumClientExtensions.dylib.sig
 Process<Tanium Client>/TaniumCX
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.dylib
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.dylib.sig
When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only)Process<Tanium Client>/Tools/Discover/nmap/nmap
When Discover is installed (Satellite profiles only)File

<Tanium Client>/extensions/libTaniumDEC.dylib

When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDEC.dylib.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.dylib
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.dylib.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.dylib
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.dylib.sig
Linux endpointsDuring client installationProcess/opt/Tanium/TaniumClientBootstrap
During client installationProcess/opt/Tanium/SetupClient
During client installationProcess<Tanium Client>/SetupClient
 File<Tanium Client>/libTaniumClientExtensions.so
 File<Tanium Client>/libTaniumClientExtensions.so.sig
 Process<Tanium Client>/TaniumCX
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.so
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.so.sig
When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only)Folder<Tanium Client>/Tools/Discover/nmap/nmap
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.so
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.so.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.so
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.so.sig
Solaris and AIX endpointsDuring client installationProcess/opt/Tanium/TaniumClientBootstrap
During client installationProcess/opt/Tanium/SetupClient
During client installationProcess<Tanium Client>/SetupClient
 Table 8: Client Management security exclusions
Target DeviceNotesExclusion TypeExclusion
Windows x86 endpointsDuring client installationProcess\Program Files\Tanium\TaniumClientBootstrap.exe
During client installationProcess\Program Files\Tanium\SetupClient.exe
During client installationProcess<Tanium Client>\SetupClient.exe
 File<Tanium Client>\TaniumClientExtensions.dll
 File<Tanium Client>\TaniumClientExtensions.dll.sig
 Process<Tanium Client>\TaniumCX.exe
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll.sig
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumDiscover.dll
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumDiscover.dll.sig
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumExtras.dll
When Discover is installed; satellite profiles onlyFile<Tanium Client>\extensions\TaniumExtras.dll.sig
When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only)FolderC:\Program Files\Npcap
When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only)Process<Tanium Client>\Tools\Discover\nmap\nmap.exe
Windows x64 endpointsDuring client installationProcess\Program Files (x86)\Tanium\TaniumClientBootstrap.exe
During client installationProcess\Program Files (x86)\Tanium\SetupClient.exe
During client installationProcess<Tanium Client>\SetupClient.exe
 File<Tanium Client>\TaniumClientExtensions.dll
 File<Tanium Client>\TaniumClientExtensions.dll.sig
 Process<Tanium Client>\TaniumCX.exe
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll
When Direct Connect is installedFile<Tanium Client>\extensions\TaniumDEC.dll.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumDiscover.dll
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumDiscover.dll.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumExtras.dll
When Discover is installed (Satellite profiles only)File<Tanium Client>\extensions\TaniumExtras.dll.sig
When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only)FolderC:\Program Files\Npcap
When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only)Process<Tanium Client>\Tools\Discover\nmap\nmap.exe
macOS endpointsDuring client installationProcess/Library/Tanium/TaniumClientBootstrap
During client installationProcess/Library/Tanium/SetupClient
During client installationProcess<Tanium Client>/SetupClient
 File<Tanium Client>/libTaniumClientExtensions.dylib
 File<Tanium Client>/libTaniumClientExtensions.dylib.sig
 Process<Tanium Client>/TaniumCX
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.dylib
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.dylib.sig
When Discover is installed (Distributed level 3, distributed level 4, and satellite profiles only)Process<Tanium Client>/Tools/Discover/nmap/nmap
When Discover is installed (Satellite profiles only)File

<Tanium Client>/extensions/libTaniumDEC.dylib

When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDEC.dylib.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.dylib
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.dylib.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.dylib
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.dylib.sig
Linux endpointsDuring client installationProcess/opt/Tanium/TaniumClientBootstrap
During client installationProcess/opt/Tanium/SetupClient
During client installationProcess<Tanium Client>/SetupClient
 File<Tanium Client>/libTaniumClientExtensions.so
 File<Tanium Client>/libTaniumClientExtensions.so.sig
 Process<Tanium Client>/TaniumCX
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.so
When Direct Connect is installedFile<Tanium Client>/extensions/libTaniumDEC.so.sig
When Discover is installed; (Distributed level 3, distributed level 4, and satellite profiles only)Folder<Tanium Client>/Tools/Discover/nmap/nmap
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.so
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumDiscover.so.sig
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.so
When Discover is installed (Satellite profiles only)File<Tanium Client>/extensions/libTaniumExtras.so.sig
Solaris and AIX endpointsDuring client installationProcess/opt/Tanium/TaniumClientBootstrap
During client installationProcess/opt/Tanium/SetupClient
During client installationProcess<Tanium Client>/SetupClient

Internet URL required for Client Management

The Module Server must be able to connect to https://content.tanium.com to allow Client Management to import the files needed to deploy the Tanium Client.

User role requirements for Client Management

The following tables list the role permissions required to use Client Management. To review a summary of the predefined roles, see Set up Client Management users.

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

To install Client Management, you must be assigned the Administrator reserved role.

 Table 9: Client Management user role permissions
PermissionClient Management Administrator1,2,3Client Management User3Client Management Read-Only User3Client Management API User4Client Management Auditor4Client Management Operator1, 2Client Management Upgrade OperatorClient Management Endpoint Configuration Approver2 

Client-Management API

Access the Client Management API


EXECUTE

EXECUTE

EXECUTE

EXECUTE
 

Client-Management Configurations

Access client and deployment configurations


READ
WRITE

READ

READ
 

Client-Management Credentials

Access the credentials list (cannot view associated passwords or key data)


READ
WRITE

READ

READ
 

Client-Management Deployments

Access data about client deployments


READ
WRITE
EXECUTE

READ
EXECUTE

READ
 

Client-Management Direct

Connect to an endpoint using Direct Connect and read data from that endpoint


CONNECT

CONNECT
 

Client-Management Endpoint Configuration / Client Management Endpoint Configuration

Approve Endpoint Configuration items for Client Management


APPROVE
 

Client-Management Manage

Manage Client Management components

 

Client-Management Profile

Manage client profiles


READ
WRITE
DEPLOY

READ
DEPLOY

READ

READ
WRITE
DEPLOY
 

Client-Management Read Audit

Read audit log with API


LOG

LOG
 

Client-Management Settings

Access platform settings in the Client Management module


WRITE

WRITE
 

Client-Management Support Bundle

Access the Client Management support bundle


READ

READ
 

Client-Management Trends

Supply data to Trends and view charts from Trends in Client Management


READ
WRITE

READ

READ
 

Client-Management Upgrade

Manage and run client upgrades


READ
WRITE

READ

READ

READ
WRITE

READ
WRITE
RUN
 

Client-Management View

View client health charts


HEALTH
 

Client-Management

Download installation packages for the Tanium Client when using Client Management in Tanium Cloud


OPERATE
 

Clientmanagement

View the Client Management workbench


SHOW

SHOW

SHOW

SHOW

SHOW

SHOW

SHOW
 

1 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium™ Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 This role is used internally and is not typically assigned to users.

5 By default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

 

 

 Table 10: Provided Client Management Administration and Platform content user role permissions
PermissionRole TypeClient Management AdministratorClient Management UserClient Management Read-Only UserClient Management API UserClient Management AuditorClient Management OperatorClient Management Upgrade OperatorClient Management Endpoint Configuration ApproverClient Management Service Account
Action GroupAdministration
READ

READ

READ

READ

READ

READ

READ
WRITE
ActionPlatform Content
READ
WRITE

READ

READ
WRITE

READ
WRITE
Filter GroupPlatform Content
READ

READ

READ

READ

READ

READ

READ
Own ActionPlatform Content
READ

READ

READ

READ
PackagePlatform Content
READ

READ

READ

READ
WRITE
PluginPlatform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved QuestionPlatform Content
READ

READ

READ

READ

READ

READ

READ

READ
WRITE
SensorPlatform Content
READ

READ

READ

READ

READ

READ

READ

READ
You can view which content sets are granted to any role in the Tanium Console. 

 

 Table 11: Optional roles for Client Management
RoleEnables
Discover Read Only UserFor service account: Deploy to endpoints based on Discover labels

For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Managing roles.