Deploying the Tanium Client using an installer or package file

Download installation packages for the Tanium Client from Tanium Cloud and install the client on endpoints.

If you are deploying the Tanium Client to virtual desktop infrastructure (VDI) instances or other endpoints with limited resources, you might need to adjust certain client settings to help to reduce resource usage. For more information, see Tuning Tanium Client settings for VDI endpoints and other endpoints with limited resources.

If you use an operating system (OS) image to deploy an OS to new endpoints, you can install the Tanium Client on the template image (as described in this section) and perform additional steps to prepare the Tanium Client for deployment through the image. For the procedures to prepare OS images that include the Tanium Client, see Preparing the Tanium Client on OS images.

Download installation packages for the Tanium Client

Download Tanium Client installation packages for each operating system from the Tanium Tanium Cloud Overview page:

  1. From the Main menu, go to Administration > Shared Services > Tanium Cloud.

  2. Click Download Windows Package, Download macOS Package, or Download Linux Package.

To obtain the installers for Solaris or AIX, contact Tanium Support.

Deploy the Tanium Client to Windows endpoints using the installer

For additional Windows information, see the following sections:

You can use the installation wizard, client command-line interface (CLI), or third-party software distribution tools, such as System Center Configuration Manager (SCCM), to deploy the Tanium Client to Windows endpoints. For details on using a third-party tool with Tanium installers, refer to the documentation for that tool.

If you encounter issues when deploying the Tanium Client, examine the Tanium Client installation log.

All these deployment methods use the Tanium Client installer SetupClient.exe, which makes the following changes to the target endpoints:

  • Creates the Tanium Client installation directories for the client application files and related content files.
  • Creates the Tanium Client Windows registry key along with an initial set of registry values.
  • Adds the Tanium Client program to the Windows Add/Remove Programs list.
  • Creates the Tanium Client service with a Startup Type set to Automatic.

For information about managing the Tanium Client service or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on Windows.

Prepare for installation

  1. Ensure that the Windows endpoint meets the basic requirements for the Tanium Client.
  2. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.

  3. Use the Tanium Tanium Cloud service to download the client installer bundle (windows-client-bundle.zip) to the Windows endpoint. The download link is available on the Tanium Cloud Overview page.

    The bundle contains the following files:

    • install.bat
    • SetupClient.exe
    • tanium‑init.dat
    Be careful not to allow the tanium-init.dat file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  4. Copy the installer bundle to a temporary directory on the Windows endpoint and unzip the bundle. Make sure to keep the tanium‑init.dat in the same directory as SetupClient.exe.

Installation wizard

  1. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.
  2. Right-click SetupClient.exe and select Run as administrator to start the wizard.

  3. Respond to the wizard prompts to accept the license agreement, select an installation directory, and complete the installation.

  4. (Optional) Use the CLI on Windows endpoints to configure additional Tanium Client settings that you did not set through the installation wizard. For information about configuring additional settings at a later time, see Modify client settings.
  5. Wait a few minutes for the Tanium Client to register with Tanium Cloud, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Command-line interface (CLI)

You can use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on Windows endpoints.

The install.bat file provides an example of a script that installs the Tanium Client silently. By default, the script checks for administrative access and runs a silent express installation. You can modify this script with other arguments that are necessary for your environment. You can then use the modified script for automated deployment of the Tanium Client.

If User Account Control (UAC) is enabled and you are using an account other than the default Administrator account, you must run the install.bat script as an Administrator to prevent a UAC prompt when the script runs the Tanium Client installer.

  1. Sign in to the Windows endpoint with a local user or domain account that has administrative permissions.

  2. Access the endpoint command prompt.

    If User Account Control (UAC) is enabled and you are using an account other than the default Administrator account, open the command prompt as an Administrator to prevent a UAC prompt when you run the Tanium Client installer.

  3. Navigate to the directory where the Tanium Client installer resides.

  4. Use the following command to run the Tanium Client installer.

    SetupClient.exe [/LogVerbosityLevel=<LogLevel>] [/ProxyAutoConfigAddress=<URL/filename.pac>] [/ProxyServers=<FQDN|IPaddress:PortNumber>] [/S] [/D=<DirectoryPath>]

    Table 1 describes the arguments for the SetupClient.exe command.

    Before running the installer, determine which installation type to use based on whether the Tanium Client requires default or custom settings:

    • Express: The installer uses default values and requires only the /S argument to specify silent installation.
    • Custom: Specify the arguments from Table 1 for settings that require custom values instead of default values. If you omit the /S argument, the Tanium Client installation wizard opens and prompts you to configure the settings.

    Table 2 shows examples of how to use the CLI for express and custom installations.

    To configure settings other than those that Table 1 describes, see Modify client settings.

  5. Wait a few minutes for the Tanium Client to register with Tanium Cloud, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)
 Table 1: Tanium Client installation command syntax
Argument Guidance
/ServerAddress

Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect.

Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs. Use a comma to separate the entry for each FQDN.

When you specify multiple values, they populate the ServerNameList registry entry.

You can omit this argument when reinstalling or upgrading any version of the client.
/LogVerbosityLevel

The level of logging on the endpoint.

The following values are best practices for specific use cases:

  • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
  • 1 (default): Use this value during normal operation.
  • 41: Use this value during troubleshooting.
  • 91 or higher: Use this value for full logging, for short periods of time only.
/KeyPath

The full path and file name that the Tanium Client installer program uses to locate the tanium‑init.dat file and copy it to the Tanium Client installation directory.

Typically, the tanium-init.dat file included with the installation package is located in the same directory as the installer and you omit this argument. Only include this argument in a specific case where you cannot provide the tanium-init.dat file in the same directory as the installer.

No quotation marks are necessary, except to enclose path or file names with spaces. The KeyPath argument requires a fully qualified path name when the installer runs directly from a command prompt. However, in a batch file, you can use the batch file command variable %~dp0 to expand a relative path before passing the KeyPath value to SetupClient.exe. For example: /KeyPath=%~dp0<My\Relative\Path>\tanium‑init.dat

If you omit the KeyPath argument for silent installations (/S argument), the tanium‑init.dat or tanium.pub file must be in the same directory as SetupClient.exe.
/S Run the installation command silently, which means the Tanium Client installation wizard does not open and prompt you to configure settings.

If you include this argument without specifying the /KeyPath argument, tanium‑init.dat must be in the same directory as SetupClient.exe.

For examples of how to run silent installations, see Table 2.
/D

Sets the destination path for the Tanium Client installation directory. No quotation marks are necessary to enclose path names with spaces. Because environment variables are expanded, the argument value can include path variables, such as %programfiles%.

  • Because the value of this argument can include spaces, it must be the last argument on the command line if you include it. This includes appearing after the /S argument if you also include that argument.

  • You must install the Tanium Client on a local fixed drive.

If you omit this argument, the installer uses a default directory based on whether the endpoint is running a 64-bit or 32-bit version of Windows:

  • 64-bit versions of Windows\Program Files (x86)\Tanium\Tanium Client
  • 32-bit versions of Windows\Program Files\Tanium\Tanium Client

For an example commmand that includes the /D argument, see Tanium Client installation command examples.

If you are using the command line to reinstall or upgrade an existing Tanium Client, you cannot change the installation directory. The installer ignores this argument and automatically reinstalls or upgrades the Tanium Client in the existing directory, whether it is the default directory or a custom directory.
/ProxyAutoConfigAddress Include this setting if the Tanium Client connects to Tanium Cloud through a Hypertext Transfer Protocol Secure (HTTPS) proxy server. The setting specifies the URL and file name of a proxy auto configuration (PAC) file that the client can access. Specify the value in the format http[s]://<URL>/<file name>.pac. The client downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular Tanium Cloud Client Edge URL. If no proxy is available, the client ignores the setting and connects directly to Tanium Cloud. For details, see Configure proxy connections with a PAC file.
/ProxyServers Include this setting if the Tanium Client connects to Tanium Cloud through an HTTPS proxy server but cannot access a PAC file. The setting specifies the IP address or FQDN, and port number, of the HTTPS proxy server. You can specify multiple proxies as a comma-separated list in the format "<proxy1>:<port>,...,<proxyN>:<port>". The client tries to connect to the proxies in the order that you list them. After any single connection succeeds, the client stops trying to connect with more proxies. If no proxy is available, the client ignores the setting and connects directly to Tanium Cloud. For details, see Configure proxy connections without a PAC file.

The following are examples of using the CLI command to install the Tanium Client.

 Table 2: Tanium Client installation command examples
Example Description
Silent express installation In an express installation, SetupClient.exe installs and configures the Tanium Client with default values for all the arguments. Before starting, make sure that the Tanium initialization file tanium‑init.dat is in the same directory as SetupClient.exe.

SetupClient.exe /S

In specific cases where you need to specify server addressees, specify the FQDN for each Tanium Cloud Client Edge URL in /ServerAddress:

SetupClient.exe /ServerAddress=^
taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com /S
Silent custom installation

The following example specifies a non-default value in a silent installation:

SetupClient.exe /LogVerbosityLevel=1 /S

To use a custom installation directory, add the /D parameter. Note that it must be the last argument in the command, even when you include /S.

SetupClient.exe /LogVerbosityLevel=1 /S ^
/D=C:\Custom Installation Directory\Tanium\Tanium Client

Batch file format When you run a batch file, the Windows command interpreter expands the variable %~dp0 to the full drive and path name of the batch file working directory. The following example of a batch file instruction performs a silent installation:

"%~dp0SetupClient.exe" /S

Deploy the Tanium Client to macOS endpoints using the installer

For additional macOS information, see the following sections:

On macOS endpoints, the Tanium Client is installed as a system service. The client files are installed in the /Library/Tanium/TaniumClient directory.

You can use the installation wizard or CLI to deploy the Tanium Client to macOS endpoints. You must perform the installation as a user with an administrator account.

You cannot install the universal version of the macOS Tanium Client on an endpoint where the x86-64 version is already installed. You must first uninstall the existing Tanium Client.

For information about managing the Tanium Client service, managing firewall rules or pop-ups, or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on macOS.

Prepare for installation

  1. Ensure that the macOS endpoint meets the basic requirements for the Tanium Client.
  2. Ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the port that the client uses for peer Tanium Client traffic (default 17472). See Manage macOS firewall rules.

  3. (macOS 10.14 or later only) Create a mobile device management (MDM) profile that provides the necessary permissions for the following Tanium applications:

    Application Location Required Permissions Apple Events
    Tanium Client /Library/Tanium/TaniumClient/TaniumClient All System Files, Admin System Files, Post Events System Events, SystemUIServer, Finder
    Tanium Client Extensions /Library/Tanium/TaniumClient/TaniumCX All System Files, Admin System Files, Post Events System Events, SystemUIServer, Finder
    Tanium End User Notifications /Library/Tanium/EndUserNotifications/bin/end-user-notifications.app Post Events System Events, SystemUIServer, Finder

    An MDM administrator must create a Privacy Preferences Policy Control (PPPC) custom payload that specifies the necessary permissions for each application. The PPPC custom payload must be delivered using a User-Approved MDM (UAMDM) payload in a device profile.

    If you use Mac Device Configuration Profile policies in Tanium Enforce 2.3 or later, the PPPC payload is available in each policy. See Tanium Enforce User Guide: Create a Mac Device Configuration Profile policy.

    The team identifier for Tanium applications is TZTPM3VTUU.

    If you previously created a PPPC custom payload for a version of the Tanium Client earlier than 7.2.314.3608, you must update the code signing requirement for version 7.2.314.3608 or later.

    For more information about MDM on macOS, see Apple Platform Deployment.

  4. Sign in to the macOS endpoint.

  5. Use the Tanium Tanium Cloud service to download the client installer bundle (mac-client-bundle.zip) to the macOS endpoint. The download link is available on the Tanium Cloud Overview page.

    The bundle contains the following files:

    • TaniumClient‑<version>-universal.pkg
    • TaniumClient‑<version>-x64.pkg
    • tanium‑init.dat
    • install.sh
    Be careful not to allow the tanium-init.dat file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  6. Copy the installer bundle to a temporary directory on the macOS endpoint and unzip the bundle. Make sure to keep the tanium‑init.dat in the same directory as the installer pacakges.

Installation wizard

  1. Sign in locally to the macOS endpoint as a user with an administrator account.

  2. Double-click TaniumClient‑<version>-universal.pkg or TaniumClient‑<version>-x64.pkg to start the installation wizard.

    Tanium recommends the universal binary for all Mac computers running macOS 11 or later. The universal binary is supported and runs natively on both Intel-based Mac computers running macOS 11 or later and Apple "M" series-based Mac computers.

  3. Respond to the wizard prompts. Specify the User Name and Password of a local administrator when the wizard prompts you for credentials.

  4. Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerNameList

    Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment:

    sudo /Library/Tanium/TaniumClient/TaniumClient config set LogVerbosityLevel 1

  5. Use the following command to copy tanium‑init.dat from the temporary directory to the Tanium Client installation directory:

    sudo cp <extracted installer bundle directory>/tanium-init.dat /Library/Tanium/TaniumClient

  6. Wait a few minutes for the Tanium Client to register with Tanium Cloud, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Command-line interface (CLI)

To install the Tanium Client, you must have root or sudo permissions to run the installer command. For details on using the CLI, see CLI on non-Windows endpoints.

The install.sh file provides an example of a script that performs a CLI installation of the Tanium Client. By default, the script checks for a supported version of macOS, installs the Tanium Client, and copies the tanium‑init.dat file. You can modify this script with CLI commands that configure the Tanium Client settings that are necessary for your environment. You can then use the modified script for automated deployment of the Tanium Client. To run the install.sh script, you must have root or sudo permissions.

  1. Sign in locally to the macOS endpoint as a user with an administrator account.
  2. Open Terminal.

  3. Run the following command in the directory into which you copied TaniumClient‑<version>-universal.pkg or TaniumClient‑<version>-x64.pkg to install the client :

    sudo installer -pkg TaniumClient-<version>-binary.pkg -target /
    installer: Package name is TaniumClient
    installer: Installing at base path /
    installer: The install was successful.

    Tanium recommends the universal binary for all Mac computers running macOS 11 or later. The universal binary is supported and runs natively on both Intel-based Mac computers running macOS 11 or later and Apple "M" series-based Mac computers.

  4. Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerNameList

    Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment:

    sudo /Library/Tanium/TaniumClient/TaniumClient config set LogVerbosityLevel 1

  5. Use the following command to copy tanium‑init.dat to the Tanium Client installation directory:

    sudo cp tanium-init.dat /Library/Tanium/TaniumClient

  6. Wait a few minutes for the Tanium Client to register with Tanium Cloud, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Deploy the Tanium Client to Linux endpoints using package files

For additional Linux information, see the following sections:

On Linux endpoints, the Tanium Client is installed as a system service. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

If your environment requires a different installation location for applications, you can create a symbolic link during installation.

For information about managing the Tanium Client service, managing firewall rules, or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on Linux.

Tanium Client package files for Linux

The Linux installer bundle (linux‑client-bundle.zip) that you download through Tanium Tanium Cloud contains package installer files for every Linux distribution. Contact Tanium Support for other means to obtain the package file for your Linux distribution.

To verify the digital signature on RPM package files, use the public key at Tanium public key for Linux RPM files.

 Table 3: Tanium Client package files for Linux
Linux Distribution Latest Installation Package Files
Amazon Linux 2 LTS TaniumClient-7.4.10.1034-1.amzn2.x86_64.rpm

TaniumClient-7.4.10.1034-1.amzn2.aarch64.rpm
Amazon Linux AMI 2018.3 TaniumClient-7.4.10.1034-1.amzn2018.03.x86_64.rpm
Debian 11.x taniumclient-7.4.10.1034-debian11_i386.deb

taniumclient-7.4.10.1034-debian11_amd64.deb
Debian 10.x taniumclient-7.4.10.1034-debian10_amd64.deb
Debian 9.x taniumclient-7.4.10.1034-debian9_i386.deb

taniumclient-7.4.10.1034-debian9_amd64.deb
Debian 8.x taniumclient-7.4.10.1034-debian8_i386.deb

taniumclient-7.4.10.1034-debian8_amd64.deb
Oracle Linux 9.x TaniumClient-7.4.10.1034-1.oel9.x86_64.rpm

TaniumClient-7.4.10.1034-1.oel9.aarch64.rpm
Oracle Linux 8.x TaniumClient-7.4.10.1034-1.oel8.x86_64.rpm
Oracle Linux 7.x TaniumClient-7.4.10.1034-1.oel7.x86_64.rpm
Oracle Linux 6.x TaniumClient-7.4.10.1034-1.oel6.i686.rpm

TaniumClient-7.4.10.1034-1.oel6.x86_64.rpm
Oracle Linux 5.x TaniumClient-7.4.10.1034-1.oel5.i386.rpm

TaniumClient-7.4.10.1034-1.oel5.x86_64.rpm
Red Hat / AlmaLinux / Rocky Linux 9.x TaniumClient-7.4.10.1034-1.rhe9.x86_64.rpm

TaniumClient-7.4.10.1034-1.rhe9.aarch64.rpm
Red Hat / CentOS / AlmaLinux / Rocky Linux 8.x TaniumClient-7.4.10.1034-1.rhe8.x86_64.rpm
Red Hat / CentOS 7.x TaniumClient-7.4.10.1034-1.rhe7.x86_64.rpm
Red Hat / CentOS 6.x TaniumClient-7.4.10.1034-1.rhe6.i686.rpm

TaniumClient-7.4.10.1034-1.rhe6.x86_64.rpm
Red Hat / CentOS 5.x TaniumClient-7.4.10.1034-1.rhe5.i386.rpm

TaniumClient-7.4.10.1034-1.rhe5.x86_64.rpm
SUSE Linux Enterprise Server (SLES) / OpenSUSE 15.x TaniumClient-7.4.10.1034-1.sle15.i586.rpm

TaniumClient-7.4.10.1034-1.sle15.x86_64.rpm
SUSE Linux Enterprise Server (SLES) / OpenSUSE 12.x TaniumClient-7.4.10.1034-1.sle12.i586.rpm

TaniumClient-7.4.10.1034-1.sle12.x86_64.rpm
Ubuntu 22.04 LTS taniumclient_7.4.10.1034-ubuntu22_amd64.deb
Ubuntu 20.04 LTS taniumclient_7.4.10.1034-ubuntu20_amd64.deb
Ubuntu 18.04 LTS taniumclient_7.4.10.1034-ubuntu18_amd64.deb
Ubuntu 16.04 LTS taniumclient_7.4.10.1034-ubuntu16_amd64.deb
Ubuntu 14.04 LTS taniumclient_7.4.10.1034-ubuntu14_amd64.deb

Install the Tanium Client on Linux using the package file

Use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on non-Windows endpoints.

The install.sh file provides an example of a script that performs an installation of the Tanium Client. By default, the script determines the distribution and version of Linux, installs the appropriate Tanium Client package, and copies the tanium‑init.dat file. You can modify this script with CLI commands that configure the Tanium Client settings that are necessary for your environment. You can then use the modified script for automated deployment of the Tanium Client. To run the install.sh script, you must have root or sudo permissions.

  1. Ensure that the Linux endpoint meets the basic requirements for the Tanium Client.
  2. Ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on the ports that the Tanium Client uses. See Manage Linux firewall rules.
  3. Sign in to the endpoint using an account that has administrative privileges, or that is listed in the sudoers file to allow the account you are using to use sudo.

  4. Use the Tanium Tanium Cloud service to download the client installer bundle (linux-client-bundle.zip) to the Linux endpoint. The download link is available on the Tanium Cloud Overview page.

    The bundle contains the following files:

    • Installer package files for each Linux distribution (such as TaniumClient-7.4.4.1250-1.oel8.x86_64.rpm)
    • install.sh
    • tanium-init.dat
    Be careful not to allow the tanium-init.dat file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  5. Copy the installer bundle to a temporary directory on the Linux endpoint and unzip the bundle:

    unzip linux-client-bundle.zip

    Make sure to keep the tanium‑init.dat in the same directory as the installer packages.

  6. (Optional) To use a directory other than the default for the client installation, create a symbolic link. For example, to use the directory /appbin/Tanium, run the following command:

    ln -s /appbin/Tanium /opt/Tanium

    You must install the Tanium Client on a local fixed drive.

  7. Run the appropriate installation command to install the package and generate a default configuration file.

    The RPM installers for Redhat and SUSE have command syntax similar to the following example:

    sudo rpm -Uvh TaniumClient-7.4.4.1362-1.oel6.x86_64.rpm

    The Debian installers for Debian and Ubuntu have command syntax similar to the following example:

    sudo dpkg -i taniumclient_7.4.4.1362-debian6_amd64.deb

  8. Copy tanium-init.datto the installation directory. For example:

    cp tanium-init.dat /opt/Tanium/TaniumClient

  9. Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerNameList

    Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment:

    cd <Tanium Client installation directory>sudo ./TaniumClient config set LogVerbosityLevel 1

  10. Start the Tanium Client service. (See Manage the Tanium Client service on Linux.)
  11. Wait a few minutes for the Tanium Client to register with Tanium Cloud, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Deploy the Tanium Client to Solaris endpoints using a package file

For additional Solaris information, see the following sections:

On Solaris endpoints, the Tanium Client is installed as a system service. The Tanium Client files are installed by default in the /opt/Tanium/TaniumClient directory.

If your environment requires a different installation location for applications, you can create a symbolic link during installation.

The following procedures describe how to use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on non-Windows endpoints.

For information about managing the Tanium Client service or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on Solaris.

Prepare for installation

  1. Ensure that the Solaris endpoint meets the basic requirements for the Tanium Client.
  2. Contact Tanium Support for the Tanium Client installer file: TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg.

  3. Work with your network security team to ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the port that the client uses for peer Tanium Client traffic (default 17472). See Network connectivity, ports, and firewalls.

    The installation process does not modify any host-based firewall that might be in use.

  4. (Solaris 11.4 only) Install the legacy pkgadd utilities:

    1. Access the endpoint CLI.

    2. Find the pkgadd IPS package name:

      pkg search pkgadd

      INDEX     ACTION VALUE     PACKAGE
      basename  file            usr/sbin/pkgadd pkg:/package/[email protected]

    3. Install the pkgadd utilities:

      pkg install pkg:/package/[email protected]

  5. (Solaris 10 or 11.0–11.3 only) Install the SUNWgccruntime package if it is not yet installed.

    Although this package is part of a default Solaris installation, some organizations omit it in their standard image.

    1. Determine whether the package is installed:

      pkginfo -l SUNWgccruntime

      The following example output indicates the package is installed:

      PKGINST: SUNWgccruntime
      NAME: GCC Runtime libraries
      CATEGORY: system
      ARCH: sparc
      VERSION: 11.11.0,REV=2010.05.25.01.00
      BASEDIR: /
      VENDOR: Oracle Corporation
      DESC: GCC Runtime - Shared libraries used by gcc and other gnu components
      INSTDATE: Dec 01 2015 11:43
      HOTLINE: Please contact your local service provider
      STATUS: completely installed

    2. If the SUNWgccruntime package is not yet installed, run one of the following commands:

      • Solaris 10 or 11.0–11.3 (without using Image Packing System [IPS]):

        # pkgadd -d /path/to/SUNWGccruntime.pkg SUNWgccruntime

      • Solaris 11.0–11.3 using IPS:

        # pkg install SUNWgccruntime

Install the Tanium Client on Solaris using a package file

  1. Sign in to the Solaris endpoint.
  2. Copy the installer file TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg to a temporary location on the Solaris endpoint.

  3. Use the Tanium Tanium Cloud service to download a client installer bundle that contains the tanium‑init.dat file.

    Tanium Cloud does not provide an installer bundle for Solaris endpoints, but you can use the DAT file from the bundle that is provided for any other OS (Windows, macOS, or Linux). Download links are available on the Tanium Cloud Overview page.

    Be careful not to allow the tanium-init.dat file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  4. Copy the installer bundle to the same temporary directory as the installer file and unzip the bundle.

    The DAT file is the only file that you need from the bundle, so you can delete the other files in the bundle.

  5. (Optional) To use a directory other than the default for the client installation, create a symbolic link, and set the PKG_NONABI_SYMLINKS environment variable to true. For example, to use the directory /appbin/Tanium, run the following commands:

    ln -s /appbin/Tanium /opt/Tanium
    PKG_NONABI_SYMLINKS=true
    export PKG_NONABI_SYMLINKS

    You must install the Tanium Client on a local fixed drive.

  6. Run the following command from the temporary directory to install the package and generate a default configuration file:

    sudo pkgadd -d ./TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg TaniumClient

    Note: If you are signed into the Global Zone and want to install only in the current zone, specify the ‑G flag. If you have questions, consult your system administrator for proper zone behavior.

  7. Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerNameList

    Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.
    Resolver Add the Resolver=nslookup setting to enable host name resolution.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment:

    cd <Tanium Client installation directory>sudo ./TaniumClient config set LogVerbosityLevel 1
    sudo ./TaniumClient config set Resolver nslookup

  8. Copy the tanium‑init.dat file to the Tanium Client installation directory on the Solaris endpoint.

  9. Run the following command to start the Tanium Client service:

    svcadm enable taniumclient

  10. Wait a few minutes for the Tanium Client to register with Tanium Cloud, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Perform unattended Tanium Client installation

By default, the pkgadd utility performs a manual installation. The utility prompts for user intervention when it encounters operations that might be a security issue or conflict, such as running scripts with SUID, creating directories, or changing permissions. The utility provides a method to bypass these interventions and perform or abandon the installation. You accomplish this with a tanium.admin file, which contains operator identifiers and specifies what to do when the utility encounters security issues or conflicts.

  1. Create the tanium.admin file with the following contents:

    mail=
    instance=overwrite
    partial=nocheck
    runlevel=nocheck
    idepend=nocheck
    rdepend=nocheck
    space=nocheck
    setuid=nocheck
    conflict=nocheck
    action=nocheck
    networktimeout=60
    networkretries=3
    authentication=quit
    keystore=/var/sadm/security
    proxy=
    basedir=default

  2. Run pkgadd with the ‑a option:

    pkgadd ‑a tanium.admin ‑d ./TaniumClient‑<client_version>‑SunOS‑5.10‑<platform>.pkg TaniumClient

Configure the Tanium Client on Solaris

The Tanium Client binary has statically linked libraries. All the libraries are in the standard default location (/lib) except libstdc++ and gcc. These two libraries are assumed to be in /usr/sfw/lib. If they are not, the client does not start. If libstdc++ and gcc are not in /usr/sfw/lib, you must add the library search path to the Service Management Facility (SMF) taniumclient service:

  1. Find the directory location of libgcc.* and libstdc++.*.

  2. Run the following command to add the search path to the SMF service:

    svccfg -s application/taniumclient setenv LD_LIBRARY_PATH /lib:/usr/lib:/usr/local/lib:/usr/sfw/lib

Deploy the Tanium Client to AIX endpoints using a package file

For additional AIX information, see the following sections:

On AIX endpoints, the Tanium Client is installed as a system service. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

If your environment requires a different installation location for applications, you can create a symbolic link during installation.

The following procedures describe how to use the endpoint CLI to install the Tanium Client. For details on using the CLI, see CLI on non-Windows endpoints.

For information about managing the Tanium Client service or uninstalling the Tanium Client after deployment, see Manage the Tanium Client on AIX.

Prepare for installation

  1. Ensure that the AIX endpoint meets the basic requirements for the Tanium Client.
  2. Contact Tanium Support for the Tanium Client installer file: TaniumClient‑<client_version>‑powerpc.pkg.

  3. Work with your network security team to ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the port that the client uses for peer Tanium Client traffic (default 17472). See Network connectivity, ports, and firewalls.

    The installation process does not modify any host-based firewall that might be in use.

  4. If they are not yet installed, install the IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte).

    Install the file sets as follows:

    1. Access the operating system CLI on the endpoint.

    2. Run the following commands to determine the versions of the currently installed xlC.rte bundle and the libc++.rte bundle:

      lslpp -l xlC\.*
      lslpp -l libc++\.*

      If the appropriate version of each bundle is already installed, skip to Install the Tanium Client on AIX using a package file. Otherwise, complete the remaining steps for each bundle that needs to be installed or updated.

    3. Obtain the appropriate xlC.rte and libc++.rte bundles for your system from IBM Fix Central.
    4. Download each bundle to your endpoint.
    5. Extract, unzip, or untar each bundle to the /usr/sys/inst.images directory.

    6. Install the bundles:

      sudo installp -aXYgd /usr/sys/inst.images -e /tmp/install.log all

    7. Review the installation log /tmp/install.log for any errors.

Install the Tanium Client on AIX using a package file

  1. Sign in to the target endpoint.
  2. Copy the Tanium Client installer file  TaniumClient‑<client_version>‑powerpc.pkg to a temporary location on the target endpoint.

  3. Use the Tanium Tanium Cloud service to download a client installer bundle that contains the tanium‑init.dat file.

    Tanium Cloud does not provide an installer bundle for AIX endpoints, but you can use the DAT file from the bundle that is provided for any other OS (Windows, macOS, or Linux). Download links are available on the Tanium Cloud Overview page.

    Be careful not to allow the tanium-init.dat file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though this file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use it to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  4. Copy the installer bundle to the same temporary directory as the installer file and unzip the bundle.

    You must first install the unzip utility if it is not already installed on the AIX endpoint.

    The DAT file is the only file that you need from the bundle, so you can delete the other files in the bundle.

    The following example command uncompresses the Linux bundle for the Tanium Client:

    unzip linux-client-bundle.zip

  5. (Optional) To use a directory other than the default for the client installation, create a symbolic link. For example, to use the directory /appbin/Tanium, run the following command:

    ln -s /appbin/Tanium /opt/Tanium

    You must install the Tanium Client on a local fixed drive.

  6. Run the following command from the temporary directory to install the package and generate a default configuration file:

    sudo installp -agqXYd ./TaniumClient‑<client_version>‑powerpc.pkg TaniumClient

  7. Use the CLI (see CLI on non-Windows endpoints) to configure the following basic Tanium Client settings.

    ServerNameList

    Fully qualified domain names (FQDNs) from the Tanium Cloud Client Edge URLs with which the client can connect, separated with commas.

    Typically, the tanium-init.dat file included with the installation package includes the appropriate FQDNs and you omit this argument. If you need to specify server addresses manually, contact Tanium Support for the appropriate FQDNs.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1 (default): Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.
    Resolver The default hostname resolver for Tanium is getent. Because AIX generally does not have the getent command, add the Resolver=nslookup setting.

    For information about configuring additional settings, see Modify client settings and Tanium Client settings reference.

    The following example commands are for a Tanium Cloud deployment:

    cd <Tanium Client installation directory>sudo ./TaniumClient config set LogVerbosityLevel 1
    sudo ./TaniumClient config set Resolver nslookup

  8. Copy the tanium‑init.dat file to the Tanium Client installation directory on the AIX endpoint.

  9. Use the following command to start the Tanium Client service:

    startsrc -s taniumclient

  10. Wait a few minutes for the Tanium Client to register with Tanium Cloud, and then verify that the client installed correctly and is communicating properly. (See Verify the Tanium Client installation.)

Verify the Tanium Client installation

Wait a few minutes after installation for the Tanium Client to register with Tanium Cloud.

After you deploy the Tanium Client, perform the following steps to verify that the client installed correctly and can communicate with Tanium Cloud.

  1. From Interact, ask a question to verify that the endpoints respond to the following query: Get Computer Name and Operating System and Tanium Client Version and Tanium Server Name from all machines
  2. Review the Question Results grid to verify that all endpoints where you deployed Tanium Client software are reporting.

  3. (Optional) From the main menu, go to Administration > Configuration > Client Status , and review recent client registration details.

    To find a specific Tanium Client, enter a text string in the Filter items field above the grid to filter it by Host Name or Network Location (IP address).