Deploying Tanium Client

To deploy Tanium Client to unmanaged endpoints, configure your endpoints to accept connections from the Module Server. Create sets of client settings and credentials to define the types of clients to deploy and the information that is needed to log into the endpoints to perform the installations. Finally, use these configurations to create a deployment that targets a specific set of endpoints.

You can only install on endpoints that do not have a Tanium Client already installed. To upgrade the Tanium Client, see Tanium Client User Guide: Upgrading Tanium Clients.

Plan deployment targeting

You can deploy the Tanium Client to a single IP, computer name, IP or CIDR range, or a Discover label.

If you want to deploy to unmanaged interfaces that get defined in Discover, you can create a label and use the label as a deployment target. For example, create a New Computers label with the condition: First Seen in the last 30 minutes AND Computer Id = "0". For more information about creating labels in Discover, see Tanium Discover User Guide: Labels.

Prepare for deployment to Linux, macOS, or UNIX endpoints

  1. Configure password-based or SSH key-based authentication based on what the endpoints expect.

    For all Linux distributions, macOS, and UNIX, use one of the following options to configure a user with elevated privileges to perform installation:

    • The root user on each endpoint.
    • A user that is listed in the sudoers file on each endpoint, so that the account you use for installation can use sudo.

    Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.

    Other distributions or your specific environment might have different authentication requirements.

  2. Allow traffic from the Module Server to endpoints on TCP port 22 (SSH port, configurable). For more information, see Host and network security requirements.

  3. Configure any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH. For more information, see Host and network security requirements.

  4. If you use the root account to install, make sure that the sshd_config file allows root login.

  5. Verify that you can log in to the remote system with SSH, using the same credentials that you will use for the Tanium Client deployment.
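
The endpoint-side part of steps 1 and 4 can be checked before a deployment is attempted. The following shell script is an added example, not Tanium code: it reports how sshd_config lets root log in and whether an installation account has a sudo rule with NOPASSWD. The function names, the sample files, and the account names ec2-user and deploy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tanium code): endpoint-side checks for steps 1 and 4.

# First global value of KEY in an sshd_config-format file. sshd keeps the first
# value it reads and keywords are case-insensitive. Assumes "Keyword value"
# lines; stops at the first Match block and does not follow Include.
sshd_value() {   # usage: sshd_value FILE KEY
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }' "$1"
}

# How root may log in over SSH: password | key-only | restricted | denied.
root_login_mode() {   # usage: root_login_mode FILE
    v=$(sshd_value "$1" PermitRootLogin)
    case "${v:-prohibit-password}" in   # upstream OpenSSH default when unset
        yes) echo password ;;
        prohibit-password|without-password) echo key-only ;;
        forced-commands-only) echo restricted ;;
        no) echo denied ;;
        *) echo unknown ;;
    esac
}

# Sudo rule for USER: nopasswd | password | none. Matches user-named rules
# only; group (%group) rules and aliases are not resolved.
sudo_rule() {   # usage: sudo_rule FILE USER
    awk -v u="$2" '/^[ \t]*#/ { next }
        $1 == u && /NOPASSWD:/ { r = "nopasswd" }
        $1 == u && r == ""     { r = "password" }
        END { print (r == "" ? "none" : r) }' "$1"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin prohibit-password' \
    'PermitRootLogin yes' 'Match User backup' '  PermitRootLogin no' > "$tmp/sshd_config"
printf '%s\n' 'root ALL=(ALL) ALL' 'ec2-user ALL=(ALL) NOPASSWD: ALL' \
    'deploy ALL=(ALL) ALL' > "$tmp/sudoers"

echo "root over SSH: $(root_login_mode "$tmp/sshd_config")"
for u in ec2-user deploy nobody; do
    echo "sudo for $u: $(sudo_rule "$tmp/sudoers" "$u")"
done
```

On a live endpoint, `sshd -T` prints the effective server configuration and `sudo -l -U <user>` lists that user's rules, including the group and alias rules that this example does not resolve.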

Prepare for deployment to Windows endpoints

  1. Enable Windows file-and-print sharing and remote procedure calls (RPCs) on the target endpoints. Enabling these settings is required only for installation. You can disable the sharing and RPCs after the installation.
  2. Configure any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation initiated through RPC. For more information, see Host and network security requirements.
  3. Allow TCP traffic on ports 135 and 445 from the Tanium Module Server host computer to the endpoints on which you want to deploy the Tanium Client. For more information, see Host and network security requirements.
  4. Verify that you can log in to the remote system with PSEXEC or WMIC command line utilities with the same credentials that you will use for the Tanium Client deployment. For example:

    psexec \\192.168.1.130 -u Administrator cmd /c dir C:\Users\Administrator\Documents

    wmic /node:"192.168.1.130" /user:"Administrator" useraccount list brief

Windows credential handling during login events might expose the user name and password in command line arguments on the source system that is initiating the deployment, and in memory on the remotely accessed endpoints. To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Configure client settings

Client settings define the Tanium Server, platforms, and installation directories for your client deployment. You can configure multiple client settings to deploy to different types of environments.

  1. From the Client Management menu, click Client Settings. Click Create.
  2. Specify the IP address or host name of the Tanium Server from which you want to perform the deployment.
  3. Select the platforms of the endpoints to which you are installing Tanium Client. You can leave the installation directories as their default values, or specify custom installation directories.
  4. Click Save.

To download an installer bundle associated with a set of client settings, click Download Bundle in the Actions column.

Configure client credentials

Client credentials are a list of user name and password combinations for the target endpoints on which you want to install Tanium Client.

  1. From the Client Management menu, click Credentials. Click Create.
  2. Specify a name for the credentials list, and a set of user names and passwords to try for each operating system type. On macOS and Linux endpoints, you can also specify a key or keyphrase.
  3. Click Save.

Configure a deployment

  1. From the Client Management menu, click Deployments. Click Create.
  2. Specify a descriptive name for the deployment, and select the client configuration and credentials that you configured.
  3. Configure targeting. You can target endpoints by a single IP, computer name, IP or CIDR range, or Discover label. For information about configuring Discover labels, see Tanium Discover User Guide: Labels.
  4. Tune the settings in the Method section as needed.

  5. Click Save to save the deployment without running it, or Save and Deploy to deploy immediately. To start the deployment after you save, click Start Deployment.

Monitor deployments

From the Client Management menu, click Deployments. Click the name in the Name column. You can then view the status of the deployment, including viewing a list of the targeted endpoints.

Deployment steps

When you start a deployment, the Module Server takes the following actions to install the Tanium Client: 

  1. Ping the targeted endpoints to verify they are online.
  2. Detect the operating system of the endpoints that respond to the ping.
  3. Try the credentials in the defined credentials list to log into the endpoint for installation.
  4. Copy the Tanium public key file for the Tanium Server to the endpoint.
  5. Install Tanium Client on the endpoint. The version and installation location are defined in the client configuration for the deployment.
  6. Display deployment status.

Deployment status

Deployments can have the following status: 

  • Install completed
  • Install failed
  • Not applicable

For more information about troubleshooting deployments, see Troubleshoot deployments.

Verify client installation

To verify that the installation on an endpoint has completed:

  1. From Interact, enter a question in the Ask a Question field to verify that the endpoints respond to the following query: Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines
  2. Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.
  3. (Optional) From the main menu, go to the Administration > System Status page to review recent client registration details.