Getting started with Tanium Cloud

Step 1: Prepare for Tanium Cloud provisioning

Prior to using Tanium Cloud, you must provide Tanium with the information necessary to configure your Tanium Cloud instance, and you must prepare your environment for use with Tanium Cloud.

Make initial elections

Make the following elections and provide the information to Tanium:

  • Service vanity URL for the Tanium Console and clients: Select a subdomain for the Tanium Cloud URLs that you use to access Tanium Console and to connect clients to the service. Choose a string for <customerURL> that meets the following requirements:
    • Allowed characters: a-z, 0-9, and hyphen
    • Maximum length: 40 characters

    For more information, including specific URLs, see Internet URLs or IP addresses.

  • Primary Tanium administrator email address: Provide the email address for whoever is the primary Tanium administrator. The primary administrator can manage identity provider configurations, create other users, and configure RBAC as needed.

    The email address must be able to authenticate with the identity provider the customer wants to use with Tanium Cloud.

    To change your designated primary administrator email address, contact Tanium Support.

  • Data hosting region selection: Select the region where your Tanium data will be hosted. The region choice is not related to performance dependencies; it is only for compliance with regional data hosting requirements. For more information, see Data regions.

Unless otherwise stated in your agreement with Tanium, Tanium Cloud entitles customers to a single service instance by default. It is a best practice to use a single service instance in most cases. This simplifies usage and reporting for your endpoint environment; however, additional instances can be purchased. Contact your sales representative if you require more than a single service instance.

Review requirements

Review the Tanium Cloud requirements and Tanium Client requirements. Make sure that endpoints in your environment meet the minimum requirements, that you have configured the necessary exclusions in your security software, and that the necessary ports and URLs are accessible on your network.

Step 2: Configure users

After Tanium configures your Tanium Cloud instance, sign in to Cloud Management Portal (CMP) and configure an identity provider to provide Tanium Console and CMP users.

Configure an identity provider for Tanium Console users

Production Tanium Cloud instances require that you have a SAML 2.0 compliant identity provider with 2FA enabled. The identity provider must be authoritative for its user email domain. A Get Started link to sign in to CMP is sent to you with your temporary credentials.

See Configuring identity providers and user provisioning in CMP.

The email address must be able to authenticate with the identity provider the customer wants to use with Tanium Cloud.

The following are example instructions to manually configure different identity providers:

Configure administrative users for CMP

Users with the Cloud Management Admin role have full write permission in CMP. To assign the Cloud Management Admin role, configure a group claim value in your identity provider to associate with the role. Then, during identity provider configuration, specify this group claim value so that CMP can assign the role to the appropriate users.

See (Optional) Step 3: Configure administrative users for CMP in Configuring identity providers and user provisioning in CMP.

For evaluation or demonstration purposes, you can configure local users who can access CMP and optionally Tanium Console. See Manage local users for evaluation or demonstration.

Step 3: Configure a custom maintenance window

By default, maintenance updates for Tanium Cloud services happen Monday to Friday during the following times, based on the deployment region:

  • EMEA/Northwest Europe - 1:00 AM to 7:00 AM UTC
  • Americas/Canada/South America - 7:00 AM to 1:00 PM UTC
  • Asia Pacific/Oceania - 1:00 PM to 7:00 PM UTC

You can override the default maintenance window and configure one of the following starting times (and corresponding time ranges) that is more convenient for your organization:

  • 1:00 AM (1:00 AM to 7:00 AM UTC)
  • 7:00 AM (7:00 AM to 1:00 PM UTC)
  • 1:00 PM (1:00 PM to 7:00 PM UTC)
  • 7:00 PM (7:00 PM to 1:00 AM UTC)

Tanium imposes a global freeze on Tanium Cloud routine maintenance during US holidays. This includes Thanksgiving Day through the following Monday (Cyber Monday), Christmas Day through New Year’s Day, and other US holiday weekends throughout the year.

Select a starting time to view the maintenance update window in the local time zone.

  1. From the CMP Administration page, click Edit next to Maintenance Window.
  2. Select a Maintenance Window start time.

    The end time of the maintenance window automatically updates after you select a start time.

    Click Info to read the disclaimer about Tanium Cloud maintenance windows.

  3. Save your changes.

Step 4: Configure client security exceptions

  • Configure open communication on ports 17472 and 17486 on all your endpoints to enable communication between endpoints and Tanium Cloud, and between endpoints.
  • Configure security software exceptions on your endpoints to prevent interference with Tanium Client activities.

See Host and network security requirements.

Tanium Cloud uses the Tanium™ Protocol for communication among managed endpoints and for communication between the endpoints and Tanium Cloud. It is an application protocol that is proprietary to Tanium and that uses TLS 1.2 to encrypt communication. You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.

Step 5: Create additional roles, groups, users

To control access to the Tanium Cloud platform and solutions, assign users to groups and roles. See Tanium Console User Guide: RBAC overview.

Though this step is optional to operate Tanium in your environment, it is a best practice to provide individual Tanium users with only the privileges required to access the Tanium features they need. For more information, see Tanium Maintenance User Guide: Review and update RBAC permissions and authentication settings.

Step 6: Deploy Tanium Client

The Tanium™ Client is the service installed on endpoint computers that connects those endpoints to the Tanium platform.

Use Tanium™ Client Management to deploy the Tanium Client. Client Management uses a satellite endpoint to deploy the Tanium Client to other endpoints in the same network. Download a client installer bundle from Client Management, and use a third-party deployment tool or manual installation to deploy the Tanium Client to an endpoint that will be configured as the satellite used in deployment. After you configure that endpoint as a satellite, you can use Client Management to automatically deploy the Tanium Client to remaining endpoints on the network.

For more information about deploying the Tanium Client and using Tanium Client Management, see Tanium Client Management User Guide.

On the CMP Administration page, note the values for the Client Edge URLs. Make sure the endpoints in your environment can reach these URLs. For more information, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.
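A reachability preflight for the Client Edge URLs and for ports 17472 and 17486, to run on an endpoint before deploying the client. This is an added example, not Tanium code: the hostname is a placeholder for the values shown in CMP, and `probe` and `preflight` are hypothetical helper names. It only tests whether a TCP connection can be opened and does not speak the Tanium Protocol.

```python
import socket

# Ports this page says must be open on endpoints. The page lists both for
# endpoint-to-cloud and endpoint-to-endpoint traffic without saying which
# port serves which path, so every host is probed on both.
TANIUM_PORTS = (17472, 17486)


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt made from this endpoint."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"          # name did not resolve (resolver or DNS filtering)
    result = "unreachable"
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"         # handshake completed on this address
            except socket.timeout:
                result = "timeout"    # no answer: typical of a firewall dropping packets
            except ConnectionRefusedError:
                result = "refused"    # host answered, nothing listening or actively rejected
            except OSError:
                result = "unreachable"  # no route, network down, and similar
    return result


def preflight(hosts, ports=TANIUM_PORTS, timeout=3.0):
    """Probe every host on every port; returns {(host, port): status}."""
    return {(h, p): probe(h, p, timeout) for h in hosts for p in ports}


if __name__ == "__main__":
    # Placeholder: replace with the Client Edge URLs from the CMP Administration page.
    client_edge_hosts = ["client-edge.example.invalid"]
    results = preflight(client_edge_hosts)
    for (host, port), status in sorted(results.items()):
        print(f"{host}:{port} -> {status}")
    # Non-zero exit lets a deployment tool gate the client install on this check.
    raise SystemExit(0 if all(s == "open" for s in results.values()) else 1)
```

A `timeout` result usually points at a firewall rule, while `dns-failure` points at name resolution or URL filtering; compare either against Host and network security requirements.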

If you are migrating from an on-premises Tanium™ Server to Tanium Cloud, contact Tanium Support for migration guidance.

Step 7: Use the Tanium Platform and solutions

After the initial setup is complete, you can use the Tanium platform and solutions that you have provisioned. To get started with the Tanium platform, see Tanium Console User Guide.

You can access a historical view of all the modules that were installed or upgraded in your Tanium Cloud instance. See View module installation activity.

Tanium installs and configures all entitled solutions so that you can start getting value from Tanium the first time you sign in to the Tanium Console. For default settings that are configured for each solution, see Reference: Default solution configurations.

If you plan to use the Tanium Cloud APIs, you must first create an API Token for access. For more information, see API access and Tanium Console User Guide: Create API tokens.