Client Management requirements

Review the requirements before you install and use Client Management.

Tanium dependencies

In addition to a license for Client Management, make sure that your environment meets the following requirements.

Component | Requirement
Tanium™ Core Platform | 7.2 or later
Tanium™ Client | Downloading client installers from Client Management does not require a pre-existing installation of Tanium Client.

Using Tanium™ Direct Connect to access detailed client health information requires Tanium Client 7.2.314.32117.4.1.1955 or later.

Tanium products

If you clicked Install with Recommended Configurations when you installed Client Management, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install any other modules you are using, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are optional, but Client Management requires the given minimum versions to work with them:

  • (Optional) Tanium™ Discover 3.1 or later. With Discover, you can target endpoints based on Discover tags.
  • (Optional) Tanium™ Trends 2.4 or later. With Trends, you can view boards that provide data visualizations of client deployment information.
  • (Optional) Tanium Direct Connect 1.4.3 or later. With Direct Connect, you can connect to endpoints to access detailed client health information.

Tanium™ Module Server

Client Management is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

For a list of supported operating systems for the Tanium Client, see Tanium Client Guide: Host system requirements.

Supported operating systems

The following endpoint operating systems are supported with Client Management.

Tanium Client 7.2.314.3211 is the earliest version that is deployed by Client Management. Client Management supports only operating systems that are supported by Tanium Client 7.2.314.3211 or later.

Operating System | Version
Microsoft Windows Server | 2008 R2 with Service Pack 1 or later
Microsoft Windows Workstation | 7 or later
macOS | Same as Tanium Client support, for versions that are supported by Tanium Client 7.4.1.1955 and later. See Tanium Client User Guide: Host system requirements.

Linux

Same as Tanium Client support, for distributions and versions that are supported by Tanium Client 7.2.314.32117.4.1.1955 and later. See Tanium Client User Guide: Host system requirements.

The following Linux distributions have specific version requirements to be supported by Tanium Client 7.2.314.3211 and later:

  • Ubuntu: 14.04 LTS or later
  • SUSE Linux Enterprise Server (SLES) or openSUSE: 11.3 or later

Using Direct Connect to access detailed client health information on a CentOS client requires CentOS version 6.0 or later.

Solaris

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

You cannot use Direct Connect to access detailed client health information with Solaris.

AIX

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

You cannot use Direct Connect to access detailed client health information with AIX.

Account permissions

During client installation using Client Management, you must have an account configured with the appropriate permissions on each endpoint. You add credentials for these accounts during the deployment process. For more information, see Configure client credentials. These accounts and permissions are necessary only during deployment, and they can be removed or changed after you successfully deploy clients.

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Windows endpoints

On each Windows endpoint, you must have a local or Active Directory account configured that has the following abilities:

  • Remotely connect to the endpoint and authenticate using SMB.
  • Create folders in the C:\Program Files (x86)\ directory for 64-bit Windows, or the C:\Program Files\ directory for 32-bit Windows.
  • Write and execute files in the C:\Program Files (x86)\Tanium\ directory for 64-bit Windows, or the C:\Program Files\Tanium\ directory for 32-bit Windows.

Non-Windows endpoints

On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate using SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

  • The root user
  • A user that is listed in the sudoers file on each endpoint, so that the account you use for installation can use sudo

Host and network security requirements

Specific ports and processes are needed to run Client Management.

For information about preparing endpoints for remote installation, see Prepare for deployment to Linux, macOS, or UNIX endpoints and Prepare for deployment to Windows endpoints.

Ports

The following ports are required for Client Management communication.

Source | Destination | Port | Protocol | Purpose
Module Server | Endpoints (non-Windows) | 22 | TCP | Used for communication with the module server during client installation.
Module Server¹ | Endpoints (Windows) | 135 | TCP | Used for communication with the module server during client installation.
Module Server¹ | Endpoints (Windows) | 139 | TCP | Used as a backup port for communication with the module server during client installation if port 445 is unavailable.
Module Server¹ | Endpoints (Windows) | 445 | TCP | Used for communication with the module server during client installation.
Tanium Client (internal) | Module Server | 17475 | TCP | Used for direct connection to endpoints for detailed client health information.
Tanium Client (external) | Zone Server² | 17486 | TCP | Used for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server | Zone Server² | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server | Zone Server² | 17488 | TCP | Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows.

¹ RPC must be enabled from the module server.

² These ports are required only when you use a Zone Server.

Source | Destination | Port | Protocol | Purpose
Tanium Client | TaaS | 17475 | TCP | Used for direct connection to endpoints for detailed client health information.
Tanium Client (external) | Zone Server¹ | 17486 | TCP | Used for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
TaaS | Zone Server¹ | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
TaaS | Zone Server¹ | 17488 | TCP | Allows communication between the Zone Server and the Module Server.

¹ These ports are required only when you use a Zone Server.
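
The flows in the first ports table above, turned into a firewall audit. This is an added example, not Tanium code; the addresses, role names and rule format are constructed assumptions, and the over-broad check is a least-privilege reading of the table, which names only the Module Server as the source for ports 22, 135, 139 and 445.

```python
from ipaddress import ip_network

ROLES = {  # constructed lab addressing (assumption, not from the Tanium documentation)
    "module_server": ip_network("10.0.0.10/32"),
    "windows_endpoints": ip_network("10.1.0.0/24"),
    "nonwindows_endpoints": ip_network("10.2.0.0/24"),
    "external_clients": ip_network("198.51.100.0/24"),
    "zone_server": ip_network("192.0.2.20/32"),
}
REQUIRED = [  # (source, destination, TCP port, Zone Server only), from the ports table
    ("module_server", "nonwindows_endpoints", 22, False),
    ("module_server", "windows_endpoints", 135, False),
    ("module_server", "windows_endpoints", 139, False),  # backup for 445
    ("module_server", "windows_endpoints", 445, False),
    ("windows_endpoints", "module_server", 17475, False),
    ("nonwindows_endpoints", "module_server", 17475, False),
    ("external_clients", "zone_server", 17486, True),
    ("module_server", "zone_server", 17487, True),
    ("module_server", "zone_server", 17488, True),
]
DEPLOY_PORTS = {22, 135, 139, 445}  # SSH, RPC and SMB, used only for installation

def allows(rule, src, dst, port):
    """True if allow rule (src_cidr, dst_cidr, port) covers the whole flow."""
    r_src, r_dst, r_port = rule
    return (r_port == port and src.subnet_of(ip_network(r_src))
            and dst.subnet_of(ip_network(r_dst)))

def audit(rules, use_zone_server=False):
    """Return (required flows with no allow rule, over-broad deployment rules)."""
    missing = [(s, d, p) for s, d, p, zone_only in REQUIRED
               if (use_zone_server or not zone_only)
               and not any(allows(r, ROLES[s], ROLES[d], p) for r in rules)]
    endpoints = (ROLES["windows_endpoints"], ROLES["nonwindows_endpoints"])
    too_broad = [r for r in rules if r[2] in DEPLOY_PORTS
                 and any(ip_network(r[1]).overlaps(e) for e in endpoints)
                 and ip_network(r[0]) != ROLES["module_server"]]
    return missing, too_broad

SAMPLE_RULES = [  # constructed allow rules: (source CIDR, destination CIDR, TCP port)
    ("10.0.0.10/32", "10.2.0.0/24", 22),
    ("10.0.0.10/32", "10.1.0.0/24", 135),
    ("10.0.0.0/8", "10.1.0.0/24", 445),  # satisfies the table but exposes SMB widely
    ("10.1.0.0/24", "10.0.0.10/32", 17475),
    ("10.2.0.0/24", "10.0.0.10/32", 17475),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Rules flagged as over-broad are candidates for tightening to the Module Server address, or for removal once deployment is complete.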

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

The <Tanium Client> variable refers to the Tanium Client installation path, which is configurable during client deployment. For default client installation paths, see Tanium Client User Guide: Tanium Client installation paths.

The <Tanium Module Server> variable refers to the Tanium Module Server installation path.

Security exclusions for the Tanium Core Platform are also required to install Tanium clients using Client Management. For a list of these exclusions, see Tanium Core Platform Deployment Reference Guide: Tanium Core Platform folders and Tanium Core Platform Deployment Reference Guide: Tanium Core Platform system processes.

Table 1:   Client Management security exclusions
Target Device | Notes | Process
Module Server | | "<Tanium Module Server>\services\client-management-service\node.exe" service.js
Module Server | | <Tanium Module Server>\services\twsm-v1\twsm.exe
Windows x86 endpoints | During client installation | \Program Files\Tanium\TaniumClientBootstrap.exe
Windows x86 endpoints | During client installation | \Program Files\Tanium\SetupClient.exe
Windows x86 endpoints | During client installation | <Tanium Client>\SetupClient.exe
Windows x86 endpoints | | <Tanium Client>\TaniumClientExtensions.dll
Windows x86 endpoints | | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x86 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll
Windows x86 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x86 endpoints | | <Tanium Client>\TaniumCX.exe
Windows x64 endpoints | During client installation | \Program Files (x86)\Tanium\TaniumClientBootstrap.exe
Windows x64 endpoints | During client installation | \Program Files (x86)\Tanium\SetupClient.exe
Windows x64 endpoints | During client installation | <Tanium Client>\SetupClient.exe
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x64 endpoints | | <Tanium Client>\TaniumCX.exe
macOS endpoints | During client installation | /Library/Tanium/TaniumClientBootstrap
macOS endpoints | During client installation | /Library/Tanium/SetupClient
macOS endpoints | During client installation | <Tanium Client>/SetupClient
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | | <Tanium Client>/TaniumCX
Linux endpoints | During client installation | /opt/Tanium/TaniumClientBootstrap
Linux endpoints | During client installation | /opt/Tanium/SetupClient
Linux endpoints | During client installation | <Tanium Client>/SetupClient
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | | <Tanium Client>/TaniumCX
Solaris and AIX endpoints | During client installation | /opt/Tanium/TaniumClientBootstrap
Solaris and AIX endpoints | During client installation | /opt/Tanium/SetupClient
Solaris and AIX endpoints | During client installation | <Tanium Client>/SetupClient

Table 2:   Client Management security exclusions
Target Device | Notes | Process
Windows x86 endpoint | | <Tanium Client>\TaniumClientExtensions.dll
Windows x86 endpoint | | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x86 endpoint | | <Tanium Client>\extensions\TaniumDEC.dll
Windows x86 endpoint | | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x86 endpoint | | <Tanium Client>\TaniumCX.exe
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x64 endpoints | | <Tanium Client>\TaniumCX.exe
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | | <Tanium Client>/TaniumCX
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | | <Tanium Client>/TaniumCX

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to add the following URL to the approved list.

  • https://content.tanium.com

User role requirements

The following tables list the role permissions required to use Client Management. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

To install Client Management, you must have the reserved role of Administrator.

Table 3:   Client Management user role permissions
Role columns: Client Management Administrator, Client Management User, Client Management API User, Client Management Auditor, Client Management Operator, Client Management Read-Only User

Permission | Description
Show Clientmanagement | View the Client Management workbench
Client-management Configurations Read | Read client and deployment configurations
Client-management Configurations Write | Create and modify client and deployment configurations
Client-management Credentials Read | Read credentials list, but not view associated passwords or key data
Client-management Credentials Write | Create and modify credentials lists
Client-management Deployments Read | View data about client deployments
Client-management Deployments Write | Create deployments of Tanium Client to unmanaged endpoints
Client-management Direct Connect | Connect to an endpoint using Direct Connect and read data from that endpoint
Client-management Operate | Download installer packages for the Tanium Client
Client-management Settings Write | Write access to global settings in the Client Management module
Client-management Read Audit Log | Read audit log with API
Client-management Use API | Write access to global settings in the Client Management module
Direct Connect Session Read | Allows users to view endpoint connections
Direct Connect Session Write | Allows users to create and manage endpoint connections
Trends Data Read² | Run data queries against sources
Trends API Board Read² | View boards, sections, and panels for specified content sets
Trends API Board Write² | Create, edit, delete, and configure boards, sections, and panels for specified content sets
Trends API Source Read² | View and list sources for specified content sets
Trends API Source Write² | Create, edit, and delete sources for specified content sets

¹ Denotes a provided permission.

² Denotes a permission that applies to the Reserved content set.

Table 4:   Provided Client Management Micro Admin and Advanced user role permissions
Role columns: Client Management Administrator, Client Management User, Client Management API User, Client Management Auditor, Client Management Operator, Client Management Read-Only User

Permission | Role Type | Content Set for Permission
Read System Status | Micro Admin |
Read Sensor | Advanced | Tanium Client Management
Read Sensor | Advanced | Reserved
Read Sensor | Advanced | Base
Read Sensor | Advanced | Client Extensions
Read Sensor | Advanced | Direct Connect
Read Action | Advanced | Reserved
Read Action | Advanced | Direct Connect
Write Action | Advanced | Reserved
Write Action | Advanced | Direct Connect
Execute Plugin | Advanced | Tanium Client Management
Execute Plugin | Advanced | Reserved
Read Package | Advanced | Reserved
Read Package | Advanced | Direct Connect
Write Package | Advanced | Reserved
Write Package | Advanced | Direct Connect
Read Saved Question | Advanced | Tanium Client Management
Read Saved Question | Advanced | Reserved
Read Saved Question | Advanced | Direct Connect
Read Filter Group | Advanced | Tanium Client Management
Read Filter Group | Advanced | Reserved
Read Filter Group | Advanced | Default Filter Groups

Table 5:   Optional roles for Client Management
Role | Enables
Discover Read Only User | For service account: Deploy to endpoints based on Discover labels

For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Managing roles.