Managing approvals

Approvals are not available in Tanium Cloud.

Enable configuration approvals

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable Configuration Approvals, and click Save.

If you do not enable configuration approvals, solution-specific configuration changes are made through individual Tanium solutions.

You can bypass configuration approvals for solution or user-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to a service or user role that is associated with one or more content sets to limit the scope of approvals.

Approve or reject configuration changes

When configuration approvals are enabled, and a configuration change is created or made in a supported Tanium solution, an approval appears in the Approvals page of Endpoint Configuration for a configuration approver to approve or reject. If approved, the configuration change is deployed to the targeted endpoints.

To approve a configuration change, you must have both Endpoint Configuration permissions and appropriate solution permissions. The approver cannot be the same user who made a configuration change. The Requires other approver status displays If a user who made a configuration change attempts to approve them.

  1. From the Endpoint Configuration menu, click Overview.
  2. Review configurations that are awaiting approval or rejection, which display a status of Proposed. Select one or more configurations. View the description of the configurations to understand the domain (Tanium solution) with which the approvals are associated, the functional area of the domain, and a description of the configuration change.

    By default, you can only see configurations for modules for which you have credentials to view.

    Additionally, a comparison of the configuration change is provided for an at-a-glance understanding of the impacts that the change has on the targeted endpoints.

  3. (Optional) Click Download data describing the domain endpoint configurations to view the content of the configuration.
  4. Click Approve or Reject. Confirm that you want to Approve or Reject the pending approvals.
  5. If an approval is in the Approved or Rejected state, click Dismiss to remove the approval from the Approvals page.

After a configuration is approved, it is immediately deployed to endpoints. Rejected approvals are automatically dismissed after 30 days by default. You can configure the Config Rejected Item Retention Days setting to adjust the time for automatic dismissal. See Global Endpoint Configuration settings.