Client Management requirements
Review the requirements before you install and use Client Management.
Tanium dependencies
In addition to a license for Client Management, make sure that your environment meets the following requirements.
Component | Requirement |
---|---|
Tanium™ Core Platform | 7.3 or later |
Tanium™ Client | Using client health features, including using Tanium™ Direct Connect to access detailed client health information, requires a supported Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client User Guide: Client version and host system requirements. |
Tanium products | If you clicked Install with Recommended Configurations when you installed Client Management, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install any other modules you are using, as described under Tanium Console User Guide: Manage Tanium modules. Client Management requires the given minimum versions to work with the following modules: |
Tanium™ Endpoint Configuration is automatically installed when you install Client Management 1.5 or later. You must upgrade Client Management to version 1.5 or later to support the latest versions of Tanium solutions that use Endpoint Configuration to deploy tools and configuration changes to endpoints. For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.
Tanium™ Module Server
Client Management is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.
For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.
Endpoints
For a list of supported operating systems for the Tanium Client, see Tanium Client Guide: Host system requirements.
Supported operating systems
The following endpoint operating systems are supported with Client Management.
Operating System | Version |
---|---|
Microsoft Windows Server | 2008 R2 with Service Pack 1 or later |
Microsoft Windows Workstation | 7 or later |
macOS | Same as Tanium Client support. See Tanium Client User Guide: Host system requirements. |
Linux | Same as Tanium Client support. See Tanium Client User Guide: Host system requirements. Using Direct Connect to access detailed client health information on a CentOS client requires CentOS version 6.0 or later. |
Solaris | Same as Tanium Client support. See Tanium Client User Guide: Host system requirements. Tanium Client installers for Solaris are not available in Client Management. To obtain the installer for Solaris, contact Tanium support. You cannot use Direct Connect to access detailed client health information with Solaris. |
AIX | Same as Tanium Client support. See Tanium Client User Guide: Host system requirements. Tanium Client installers for AIX are not available in Client Management. To obtain the installer for AIX, contact Tanium support. You cannot use Direct Connect to access detailed client health information with AIX. |
Account permissions
During client installation using Client Management, you must have an account configured with the appropriate permissions on each endpoint. You add credentials for these accounts during the deployment process. For more information, see Configure client credentials. These accounts and permissions are necessary only during deployment, and they can be removed or changed after you successfully deploy clients.
- Use a temporary account that is removed after deployment.
- Disable or change the password for the account after client deployment is complete.
Windows endpoints
On each Windows endpoint, you must have an account with Local Administrator rights, or a local or domain account configured that has the following abilities:
- Remotely connect to the endpoint and authenticate using SMB.
- Create folders in the C:\Program Files (x86)\ directory for 64-bit Windows, or the C:\Program Files\ directory for 32-bit Windows.
- Write and execute files in the C:\Program Files (x86)\Tanium\ directory for 64-bit Windows, or the C:\Program Files\Tanium\ directory for 32-bit Windows.
Non-Windows endpoints
On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate using SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:
- The root user
- A user that is listed in the sudoers file on each endpoint, to allow the account you are using for installation to use sudo
If you restrict user commands in the sudoers file, contact Tanium support to help determine the necessary commands to allow.
Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.
Other distributions or your specific environment might have different authentication requirements.
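A post-deployment check for the temporary account described above, as an added example that is not part of the Tanium documentation. It reports what access the account still has; note that locking a password does not revoke SSH keys left in authorized_keys, which matters for the key-based setup described for Amazon Linux. The account name `tanium-deploy` and all sample file contents are constructed.

```python
def leftover_access(account, passwd, shadow, sudoers, authorized_keys=""):
    """List access a deployment account still has after deployment.

    Every argument after account is file content as text, so the check runs
    on collected copies as well as on the live files.
    """
    def entry(text):
        # First colon-separated record whose name field is the account.
        for line in text.splitlines():
            fields = line.split(":")
            if fields[0] == account:
                return fields
        return None

    findings = []
    for line in sudoers.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == account:  # user rules only, no aliases
            tag = " (NOPASSWD)" if "NOPASSWD" in line else ""
            findings.append("sudoers rule still present" + tag)
    if entry(passwd) is None:
        return findings  # account removed; only stale sudoers rules remain
    record = entry(shadow)
    pw_hash = record[1] if record and len(record) > 1 else ""
    locked = pw_hash.startswith(("!", "*"))
    if not locked:
        findings.append("password login still enabled")
    keys = [k for k in authorized_keys.splitlines()
            if k.strip() and not k.lstrip().startswith("#")]
    if keys:
        note = " although the password is locked" if locked else ""
        findings.append(f"{len(keys)} SSH key(s) still authorized" + note)
    return findings


# Constructed sample data; "tanium-deploy" is a hypothetical account name.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "tanium-deploy:x:1001:1001::/home/tanium-deploy:/bin/bash\n")
SHADOW = ("root:*:18600:0:99999:7:::\n"
          "tanium-deploy:!$6$constructed$hash:18600:0:99999:7:::\n")
SUDOERS = ("# temporary rule for client deployment\n"
           "tanium-deploy ALL=(ALL) NOPASSWD: ALL\n")
KEYS = "ssh-ed25519 AAAAC3Nza...constructed deploy@module-server\n"

if __name__ == "__main__":
    for finding in leftover_access("tanium-deploy", PASSWD, SHADOW, SUDOERS, KEYS):
        print(finding)
```

The sudoers check matches only rules that name the account directly; rules granted through a group or a User_Alias need a separate review.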
Host and network security requirements
Specific ports and processes are needed to run Client Management.
For information about preparing endpoints for remote installation, see Prepare for deployment to Linux, macOS, or UNIX endpoints and Prepare for deployment to Windows endpoints.
Ports
The following ports are required for Client Management communication.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Module Server | Endpoints (non-Windows) | 22 | TCP | Used for SSH communication from the module server to the target endpoint during client installation. |
Module Server | Endpoints (Windows) | 135 | TCP | Used for WMI communication from the module server to the target endpoint during client installation. |
Module Server | Endpoints (Windows) | 445 | TCP | Used for SMB communication from the module server to the target endpoint during client installation. |
Tanium Client (internal) | Module Server | 17475 | TCP | Used for direct connection to endpoints for detailed client health information. |
Tanium Client (external) | Zone Server¹ | 17486 | TCP | Used for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy. |
Module Server | Zone Server¹ | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy. |
Module Server | Zone Server¹ | 17488 | TCP | Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows. |
¹ These ports are required only when you use a Zone Server.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Tanium Client | TaaS | 17475 | TCP | Used for direct connection to endpoints for detailed client health information. |
Tanium Client (external) | Zone Server¹ | 17486 | TCP | Used for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy. |
TaaS | Zone Server¹ | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy. |
TaaS | Zone Server¹ | 17488 | TCP | Allows communication between the Zone Server and the Module Server. |
¹ These ports are required only when you use a Zone Server.
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
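A pre-deployment reachability check for the installation ports in the first table (22 for non-Windows, 135 and 445 for Windows), meant to be run on the Module Server host against endpoints you are about to deploy to. This is an added example, not Tanium code; the function names and the state labels are assumptions of the example. It separates a refused connection (endpoint reachable, service not listening) from a dropped one (firewall rule missing).

```python
import socket

# Deployment-time flows from the first ports table (Module Server -> endpoint).
DEPLOY_PORTS = {
    "windows": {135: "WMI", 445: "SMB"},
    "non-windows": {22: "SSH"},
}
HINTS = {
    "open": "ready for deployment",
    "refused": "endpoint reachable, but no service is listening on the port",
    "filtered": "no answer: a firewall drops the traffic or the host is down",
    "unresolved": "host name does not resolve from the Module Server",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as open, refused, filtered or unresolved."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and unreachable-network errors
        return "filtered"


def preflight(endpoints, timeout=3.0):
    """endpoints maps host -> 'windows' or 'non-windows'; returns result rows."""
    rows = []
    for host, platform in endpoints.items():
        for port, service in DEPLOY_PORTS[platform].items():
            state = probe(host, port, timeout)
            rows.append((host, port, service, state, HINTS[state]))
    return rows


def not_ready(rows):
    """Hosts with at least one required port that is not open."""
    return sorted({host for host, _, _, state, _ in rows if state != "open"})
```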
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
The <Tanium Client> variable refers to the Tanium Client installation path, which is configurable during client deployment. For default client installation paths, see Tanium Client User Guide: Tanium Client installation paths.
The <Module Server> variable refers to the Tanium Module server installation path.
Security exclusions for the Tanium Core Platform are also required to install Tanium clients using Client Management. For a list of these exclusions, see Tanium Core Platform Deployment Reference Guide: Tanium Core Platform folders and Tanium Core Platform Deployment Reference Guide: Tanium Core Platform system processes.
Target Device | Notes | Process |
---|---|---|
Module Server | | <Module Server>\services\client-management-service\node.exe |
Module Server | | <Module Server>\services\twsm-v1\twsm.exe |
Windows x86 endpoints | During client installation | \Program Files\Tanium\TaniumClientBootstrap.exe |
Windows x86 endpoints | During client installation | \Program Files\Tanium\SetupClient.exe |
Windows x86 endpoints | During client installation | <Tanium Client>\SetupClient.exe |
Windows x86 endpoints | | <Tanium Client>\TaniumClientExtensions.dll |
Windows x86 endpoints | | <Tanium Client>\TaniumClientExtensions.dll.sig |
Windows x86 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll |
Windows x86 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll.sig |
Windows x86 endpoints | | <Tanium Client>\TaniumCX.exe |
Windows x64 endpoints | During client installation | \Program Files (x86)\Tanium\TaniumClientBootstrap.exe |
Windows x64 endpoints | During client installation | \Program Files (x86)\Tanium\SetupClient.exe |
Windows x64 endpoints | During client installation | <Tanium Client>\SetupClient.exe |
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll |
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll.sig |
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll |
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll.sig |
Windows x64 endpoints | | <Tanium Client>\TaniumCX.exe |
macOS endpoints | During client installation | /Library/Tanium/TaniumClientBootstrap |
macOS endpoints | During client installation | /Library/Tanium/SetupClient |
macOS endpoints | During client installation | <Tanium Client>/SetupClient |
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib |
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib |
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
macOS endpoints | | <Tanium Client>/TaniumCX |
Linux endpoints | During client installation | /opt/Tanium/TaniumClientBootstrap |
Linux endpoints | During client installation | /opt/Tanium/SetupClient |
Linux endpoints | During client installation | <Tanium Client>/SetupClient |
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so |
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so.sig |
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so |
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so.sig |
Linux endpoints | | <Tanium Client>/TaniumCX |
Solaris and AIX endpoints | During client installation | /opt/Tanium/TaniumClientBootstrap |
Solaris and AIX endpoints | During client installation | /opt/Tanium/SetupClient |
Solaris and AIX endpoints | During client installation | <Tanium Client>/SetupClient |
Target Device | Notes | Process |
---|---|---|
Windows x86 endpoint | | <Tanium Client>\TaniumClientExtensions.dll |
Windows x86 endpoint | | <Tanium Client>\TaniumClientExtensions.dll.sig |
Windows x86 endpoint | | <Tanium Client>\extensions\TaniumDEC.dll |
Windows x86 endpoint | | <Tanium Client>\extensions\TaniumDEC.dll.sig |
Windows x86 endpoint | | <Tanium Client>\TaniumCX.exe |
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll |
Windows x64 endpoints | | <Tanium Client>\TaniumClientExtensions.dll.sig |
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll |
Windows x64 endpoints | | <Tanium Client>\extensions\TaniumDEC.dll.sig |
Windows x64 endpoints | | <Tanium Client>\TaniumCX.exe |
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib |
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib |
macOS endpoints | | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
macOS endpoints | | <Tanium Client>/TaniumCX |
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so |
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so.sig |
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so |
Linux endpoints | | <Tanium Client>/extensions/libTaniumDEC.so.sig |
Linux endpoints | | <Tanium Client>/TaniumCX |
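An excluded path is one the security software no longer inspects, so it should not be writable or replaceable by an unprivileged user. The following added example (not Tanium code) expands the Linux and macOS entries from the tables above for a given `<Tanium Client>` path and reports loose ownership or permissions; the `trusted_uids` and `root` parameters are assumptions of the example.

```python
import os
import stat

# Entries copied from the exclusion tables above. "{client}" stands for the
# page's <Tanium Client> variable (the configurable installation path).
EXCLUSIONS = {
    "linux": [
        "/opt/Tanium/TaniumClientBootstrap", "/opt/Tanium/SetupClient",
        "{client}/SetupClient", "{client}/libTaniumClientExtensions.so",
        "{client}/libTaniumClientExtensions.so.sig",
        "{client}/extensions/libTaniumDEC.so",
        "{client}/extensions/libTaniumDEC.so.sig", "{client}/TaniumCX",
    ],
    "macos": [
        "/Library/Tanium/TaniumClientBootstrap", "/Library/Tanium/SetupClient",
        "{client}/SetupClient", "{client}/libTaniumClientExtensions.dylib",
        "{client}/libTaniumClientExtensions.dylib.sig",
        "{client}/extensions/libTaniumDEC.dylib",
        "{client}/extensions/libTaniumDEC.dylib.sig", "{client}/TaniumCX",
    ],
}
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write permission for group or other


def audit_exclusions(platform, client, trusted_uids=(0,), root=""):
    """Return {excluded path: [findings]}; an empty list means no finding.
    root (an assumption of this example) prefixes every path so a mounted
    image or a test tree can be audited instead of the live system."""
    report = {}
    for entry in EXCLUSIONS[platform]:
        path = entry.format(client=client.rstrip("/"))
        target, findings = root + path, []
        try:
            st = os.lstat(target)  # lstat: report a symlink, do not follow it
            parent = os.stat(os.path.dirname(target))
        except FileNotFoundError:
            report[path] = ["not present"]
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append("is a symlink")
        elif st.st_mode & LOOSE:
            findings.append("writable by group or other")
        if st.st_uid not in trusted_uids:
            findings.append("owner not trusted")
        if parent.st_uid not in trusted_uids or parent.st_mode & LOOSE:
            findings.append("parent directory not locked down")
        report[path] = findings
    return report
```

The installer files marked "During client installation" are reported as "not present" when they are absent from the endpoint, which is the point at which those exclusions can be reviewed for removal.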
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to add the following URL to the approved list.
- https://content.tanium.com
User role requirements
The following tables list the role permissions required to use Client Management. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.
To install Client Management, you must have the reserved role of Administrator.
Permission | Client Management Administrator¹ | Client Management User¹ | Client Management API User | Client Management Auditor | Client Management Operator | Client Management Read-Only User¹ |
---|---|---|---|---|---|---|
Show Clientmanagement: View the Client Management workbench | | | | | | |
Client-management Configurations Read: Read client and deployment configurations | | | | | | |
Client-management Configurations Write: Create and modify client and deployment configurations | | | | | | |
Client-management Credentials Read: Read credentials list, but not view associated passwords or key data | | | | | | |
Client-management Credentials Write: Create and modify credentials lists | | | | | | |
Client-management Deployments Read: View data about client deployments | | | | | | |
Client-management Deployments Write: Create deployments of Tanium Client to unmanaged endpoints | | | | | | |
Connect to an endpoint using Direct Connect and read data from that endpoint | | | | | | |
Download installer packages for the Tanium Client | | | | | | |
Client-management Settings Write: Write access to global settings in the Client Management module | | | | | | |
Client-management Read Audit Log: Read audit log with API | | | | | | |
Client-management Use API: Write access to global settings in the Client Management module | | | | | | |
Allows users to view endpoint connections | | | | | | |
Allows users to create and manage endpoint connections | | | | | | |
¹ This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.
Permission | Role Type | Content Set for Permission | Client Management Administrator | Client Management User | Client Management API User | Client Management Auditor | Client Management Operator | Client Management Read-Only User |
---|---|---|---|---|---|---|---|---|
Read System Status | Micro Admin | | | | | | | |
Read Sensor | Advanced | Tanium Client Management | | | | | | |
Read Sensor | Advanced | Reserved | | | | | | |
Read Sensor | Advanced | Base | | | | | | |
Read Sensor | Advanced | Client Extensions | | | | | | |
Read Sensor | Advanced | Direct Connect | | | | | | |
Read Action | Advanced | Reserved | | | | | | |
Read Action | Advanced | Direct Connect | | | | | | |
Write Action | Advanced | Reserved | | | | | | |
Write Action | Advanced | Direct Connect | | | | | | |
Execute Plugin | Advanced | Tanium Client Management | | | | | | |
Execute Plugin | Advanced | Reserved | | | | | | |
Read Package | Advanced | Reserved | | | | | | |
Read Package | Advanced | Direct Connect | | | | | | |
Write Package | Advanced | Reserved | | | | | | |
Write Package | Advanced | Direct Connect | | | | | | |
Read Saved Question | Advanced | Tanium Client Management | | | | | | |
Read Saved Question | Advanced | Reserved | | | | | | |
Read Saved Question | Advanced | Direct Connect | | | | | | |
Read Filter Group | Advanced | Tanium Client Management | | | | | | |
Read Filter Group | Advanced | Reserved | | | | | | |
Read Filter Group | Advanced | Default Filter Groups | | | | | | |
Role | Enables |
---|---|
Discover Read Only User | For service account: Deploy to endpoints based on Discover labels |
For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Managing roles.
Last updated: 1/8/2021 5:53 PM