Deploying Tanium Client

Tanium as a Service: In Tanium as a Service, you can download installers for Tanium Client. For more information, see Downloading Tanium Client.

To deploy Tanium Client to unmanaged endpoints, configure your endpoints to accept connections from the Module Server. Create sets of client settings and credentials to define the types of clients to deploy and the information that is needed to log into the endpoints to perform the installations. Finally, use these configurations to create a deployment that targets a specific set of endpoints.

You can only install on endpoints that do not have a Tanium Client already installed. To upgrade the Tanium Client, see Tanium Client User Guide: Upgrading Tanium Clients.

When you use Client Management to deploy the Tanium Client to endpoints, Client Management also installs Client Management tools on the endpoints to provide client health information. For more information, see Monitoring client health.

Plan deployment targeting

You can deploy the Tanium Client to a single IP, computer name, IP or CIDR range, or a Discover label.

If you want to deploy to unmanaged interfaces that are defined in Discover, you can create a label and use the label as a deployment target. For example, you might create a New Computers label with the condition: First Seen in the last 30 minutes AND Computer Id = "0". For more information about creating labels in Discover, see Tanium Discover User Guide: Labels.

If you are deploying the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, you can configure client settings, and then download and manually deploy an installer bundle.

Prepare for deployment to Linux, macOS, or UNIX endpoints

  1. Configure password-based or SSH key-based authentication based on what the endpoints expect.

    On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate using SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

    • The root user
    • A user that is listed in the sudoers file on each endpoint, to allow the account you are using for installation to use sudo

      If you restrict user commands in the sudoers file, contact Tanium support to help determine the necessary commands to allow.

    Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.

    Other distributions or your specific environment might have different authentication requirements.

  2. Allow traffic from the Module Server to endpoints on TCP port 22 (SSH port, configurable). For more information, see Host and network security requirements.

  3. Configure any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH. For more information, see Host and network security requirements.

  4. If you use the root account to install, make sure the sshd_config allows root login.

  5. Verify that you can log in to the remote system with SSH, using the same credentials that you will use for the Tanium Client deployment.

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.
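The conditions that steps 1 and 4 above ask you to confirm can be checked against copies of the endpoint's sshd_config and sudoers files before you add the account to a credentials list. The following script is an added example, not Tanium's own tooling; the file paths, the ec2-user account name and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Preflight for a Linux endpoint before a Client Management deployment over
# SSH (added example, not Tanium tooling). Inspects copies of sshd_config and
# sudoers passed as arguments; Match blocks, aliases and #include are ignored.
set -e

# Effective PermitRootLogin: sshd uses the first uncommented directive;
# an absent directive means the OpenSSH default, prohibit-password.
permit_root_login() {
  v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
  printf '%s\n' "${v:-prohibit-password}"
}

# 0 if sudoers ($1) grants user $2 passwordless sudo for ALL commands.
sudoers_nopasswd() {
  awk -v u="$2" '
    /^[ \t]*#/ { next }
    $1 == u && /NOPASSWD:[ \t]*ALL/ { found = 1 }
    END { exit !found }' "$1"
}

# 0 if sudoers ($1) sets "Defaults requiretty", which makes sudo fail in the
# non-interactive SSH session that the Module Server opens.
sudoers_requiretty() {
  awk -F'[ \t,]+' '
    $1 == "Defaults" { for (i = 2; i <= NF; i++) if ($i == "requiretty") found = 1 }
    END { exit !found }' "$1"
}

# Combine the checks for the account in the credentials list.
# $1 sshd_config, $2 sudoers, $3 user name, $4 "password" or "key".
preflight() {
  if [ "$3" = root ]; then
    prl=$(permit_root_login "$1")
    case "$4:$prl" in
      password:yes|key:yes|key:prohibit-password|key:without-password) return 0 ;;
      *) echo "PermitRootLogin $prl blocks $4 login for root" >&2; return 1 ;;
    esac
  fi
  sudoers_nopasswd "$2" "$3" || { echo "no 'NOPASSWD: ALL' entry for $3" >&2; return 1; }
  ! sudoers_requiretty "$2" || { echo "Defaults requiretty breaks non-interactive sudo" >&2; return 1; }
}

# Constructed sample files standing in for an Amazon Linux endpoint.
tmp=$(mktemp -d)
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/sshd_config"
printf 'Defaults env_reset\nec2-user ALL=(ALL) NOPASSWD: ALL\n' > "$tmp/sudoers"
preflight "$tmp/sshd_config" "$tmp/sudoers" ec2-user key && echo "ec2-user: ready"
preflight "$tmp/sshd_config" "$tmp/sudoers" root password || echo "root: not ready"
```

Run it against the files copied from a representative endpoint; a pass means the account can reach the privilege level the installer needs, and step 5 (an actual SSH login with the same credentials) remains the final confirmation.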

Prepare for deployment to Windows endpoints

  1. Configure local or domain accounts with the necessary permissions.

    On each Windows endpoint, you must have an account with Local Administrator rights, or a local or domain account configured that has the following abilities:

    • Remotely connect to the endpoint and authenticate using SMB.
    • Create folders in the C:\Program Files (x86)\ directory for 64-bit Windows, or the C:\Program Files\ directory for 32-bit Windows.
    • Write and execute files in the C:\Program Files (x86)\Tanium\ directory for 64-bit Windows, or the C:\Program Files\Tanium\ directory for 32-bit Windows.

  2. Enable Windows file-and-print sharing and remote procedure calls (RPCs) on the target endpoints. Enabling these settings is required only for installation. You can disable the sharing and RPCs after the installation.
  3. Configure any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation initiated through RPC. For more information, see Host and network security requirements.
  4. Allow TCP traffic on ports 135 and 445 from the Tanium Module Server host computer to the endpoints on which you want to deploy the Tanium Client. For more information, see Host and network security requirements.
  5. Verify that you can log in to the remote system with the PsExec or WMIC command-line utilities, using the same credentials that you will use for the Tanium Client deployment. For example:

    psexec \\192.168.1.130 -u Administrator cmd /c dir C:\Users\Administrator\Documents

    wmic /node:"192.168.1.130" /user:"Administrator" useraccount list brief

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Configure client settings

Client settings define the Tanium Server, platforms, and installation directories for your client deployment. You can configure multiple client settings to deploy to different types of environments.

  1. From the Client Management menu, click Client Settings, and then click Create.
  2. Specify a descriptive name for the client settings.
  3. Specify the IP address or fully qualified domain name of the Tanium Server. In high-availability deployments and deployments with Zone Servers, you can enter a comma-separated list of all servers, such as: ts1.example.com,ts2.example.com,zs1.example.com.

    The Tanium Module Server must have a connection to endpoints in order to automatically deploy the Tanium Client using Client Management. If you are deploying the Tanium Client to endpoints that cannot be reached directly from the Tanium Module Server, such as those connected to a Zone Server, you can download and manually deploy an installer bundle. For more information, see Download and deploy the installer bundle.

  4. Select the Client Version to install.
  5. Select the Client Platforms of the endpoints to which you are installing Tanium Client. You can leave the installation directories as their default values, or specify custom installation directories.
  6. Leave the installation directories blank to use the defaults, or enter a custom Installation Directory on Windows or Installation Directory on Non Windows.

    You cannot customize the installation directory on macOS. The fixed installation directory for macOS is /Library/Tanium/TaniumClient.

  7. Enter a Log Level.

    The following decimal values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.
  8. Leave the default Client Port, or enter a custom port.
  9. In the Space Required for each operating system, enter the space that should be available on a targeted endpoint for the client to be installed.
  10. To change a default client setting, click Add Client Setting, and then enter a Key and Value. For information about specific client settings, see Tanium Client User Guide: Tanium Client settings.
  11. To add a custom tag to the client during deployment, click Add Client Tag and enter a tag name. The InstalledByTCM tag is included by default so that you can later easily target clients that were installed using Client Management.

    Do not include spaces in a tag name.

  12. Click Save.

Configure client credentials

Client credentials are a list of user name and password combinations for the target endpoints on which you want to install Tanium Client. For specific requirements for authentication and permissions, see Account permissions.

  1. From the Client Management menu, click Credentials, and then click Create.
  2. Enter a name for the credentials list.
  3. Add a set of credentials to try for each operating system type.
    • For Windows endpoints, if you are using domain credentials, you must enter the user name in the format domain\username. If you are using local credentials, enter only username for the user name.
    • On non-Windows endpoints, you can also add an SSH key. If you are using an SSH key, the private key is required. Click + key, copy the contents of the private key, and paste the contents in the Key field. If the key requires a passphrase, click + keyphrase and enter the passphrase in the Keyphrase field. When you use an SSH key for authentication, a user name is required, and a password is optional.

  4. Click Save.

Configure a deployment

  1. From the Client Management menu, click Deployments, and then click Create.
  2. Specify a descriptive name for the deployment, and select the client configuration and credentials that you configured.
  3. Configure targeting. You can target endpoints by a single IP address, a list of IP addresses, a computer name, an IP or CIDR range, or a Discover label. For information about configuring Discover labels, see Tanium Discover User Guide: Labels.

    To define an additional target for the deployment, click Add Target. To remove a target, click Delete.

  4. Tune the settings in the Method section as needed.

  5. Click Save to save the deployment without running, or Save and Deploy to immediately deploy.

Deploy clients

From the Client Management menu, click Deployments. In the Name column, click the name of a deployment.

To run the deployment, click Start.

If you re-run a deployment that has previously installed the client on some endpoints, those endpoints then report the Install Status: ERROR_EXISTING_INSTALL. The previously installed client remains in place. To upgrade the Tanium Client, see Tanium Client User Guide: Upgrading Tanium Clients.

You can then view the status of the deployment, including viewing a list of the targeted endpoints.

Deployment steps

When you start a deployment, the Module Server takes the following actions to install the Tanium Client:

  1. Pings the targeted endpoints to verify they are online.
  2. Detects the operating system of the endpoints that respond to the ping.
  3. Tries the credentials in the defined credentials list to log into the endpoint for installation.
  4. Checks for the space required on the endpoint as specified in the client settings.
  5. Copies the Tanium public key file for the Tanium Server to the endpoint.
  6. Installs Tanium Client on the endpoint. The version and installation location are defined in the client configuration for the deployment.
  7. Displays the deployment status.

Deployment status

Each successful deployment reports a status of COMPLETE in the Install Status column.

Filter the endpoints by clicking the status buttons in the grid, or enter filter text in the Filter logs and details box.

For more information about other status messages and troubleshooting deployments, see Troubleshoot deployments.

Download and deploy the installer bundle

For endpoints that are connected to a Zone Server or that cannot be reached directly from the Tanium Module Server for any other reason, you can download and manually deploy the installer bundle associated with client settings.

After you create or update client settings, the Module Server must retrieve the necessary client installers before you can download the installer bundle. The Download Bundle button becomes available when the download is ready.

  1. From the Client Management menu, click Client Settings.
  2. To download the installer bundle associated with a set of client settings, click Download Bundle in the Actions column.
  3. Deploy the installer bundle to the appropriate endpoints.

For more information about deploying the client using an installer, see:

Verify client installation

To verify the installation on an endpoint has completed:

  1. From Interact, enter a question in the Ask a Question field to verify that the endpoints respond to the following query: Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines
  2. Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.
  3. (Optional) From the main menu, go to Administration > Management > System Status to review recent client registration details.