Setting up Endpoints

Scan endpoints by configuring engines for targeted computer groups.

Configure engines

To deploy engines and JREs to endpoints on a schedule, target deployments to computer groups based on the architecture and platform of the endpoints. For example, you might want to create the following deployments:

  • Windows 64-bit
  • Windows 32-bit
  • macOS 64-bit
  • Linux 64-bit

  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.
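The two checks above can be run against an inventory export before relying on scan results. The following is an added example, not Tanium code and not a Tanium API: the record layout, computer group names and hostnames are constructed assumptions.

```python
# Added example: find endpoints that no engine deployment would reach.
# All records below are constructed sample data, not a Tanium export format.
DEPLOYMENTS = [
    {"name": "Windows 64-bit", "platform": "windows", "bits": 64, "groups": {"All Windows"}},
    {"name": "Windows 32-bit", "platform": "windows", "bits": 32, "groups": {"All Windows"}},
    {"name": "macOS 64-bit", "platform": "macos", "bits": 64, "groups": {"All Mac"}},
    {"name": "Linux 64-bit", "platform": "linux", "bits": 64, "groups": {"Linux Servers"}},
]

ENDPOINTS = [
    {"host": "ws-001", "platform": "windows", "bits": 64, "groups": {"All Windows"}},
    {"host": "kiosk-07", "platform": "windows", "bits": 32, "groups": {"All Windows"}},
    {"host": "mac-014", "platform": "macos", "bits": 64, "groups": {"All Mac"}},
    {"host": "db-02", "platform": "linux", "bits": 64, "groups": {"Linux Servers"}},
    # Right platform and bitness, but its group is in no deployment.
    {"host": "dev-vm-3", "platform": "linux", "bits": 64, "groups": {"Linux Workstations"}},
    # 32-bit Linux: no deployment exists for this architecture at all.
    {"host": "gw-legacy-1", "platform": "linux", "bits": 32, "groups": {"Linux Servers"}},
]


def audit_coverage(deployments, endpoints):
    """Return {host: reason} for every endpoint that would receive no engine."""
    gaps = {}
    for ep in endpoints:
        arch = (ep["platform"], ep["bits"])
        matching = [d for d in deployments if (d["platform"], d["bits"]) == arch]
        if not matching:
            gaps[ep["host"]] = f"no deployment for {ep['platform']} {ep['bits']}-bit"
        elif not any(d["groups"] & ep["groups"] for d in matching):
            names = ", ".join(d["name"] for d in matching)
            gaps[ep["host"]] = f"computer group not targeted by: {names}"
    return gaps


def coverage_ratio(deployments, endpoints):
    """Fraction of endpoints reached by at least one matching deployment."""
    if not endpoints:
        return 1.0
    return 1 - len(audit_coverage(deployments, endpoints)) / len(endpoints)


if __name__ == "__main__":
    for host, reason in sorted(audit_coverage(DEPLOYMENTS, ENDPOINTS).items()):
        print(f"{host}: {reason}")
    print(f"coverage: {coverage_ratio(DEPLOYMENTS, ENDPOINTS):.0%}")
```

An endpoint listed here never receives an engine, so it is absent from scan results rather than reported as failing.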

By default, Tanium provides the Tanium Scan Engine (powered by JovalCM), but if you uploaded another supported engine, you can select that engine. For more information on scan engines, see Working with scan engines and JREs.

  1. Go to Setup > Configuration.
  2. In the Engines tab, do the following:
  3. Click for an engine in the list to open the targeting window.
  4. Select the Computer Groups you want to target.
    • Default: Default targeting uses the Comply action group.

    • Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection and then click Save.

    • Do not distribute to endpoints: Choose this option to prevent the engine from being distributed to endpoint systems.

  5. Click Save.

The Encrypt JRE option is selected by default. This option encrypts the ZIP file on the endpoint that contains the JRE and prevents access to the JRE. When you use JRE encryption, reports that require the JRE distribute a key file to decrypt the JRE. After the report runs, the key file and decrypted JRE are removed. The encrypted JRE remains and is used the next time it is required. On the Reports page, any report with an encrypted JRE will show a lock next to that engine.

If a JRE encryption key is lost or overwritten, you can recreate the JRE encryption key. See Recreate JRE encryption key.

Custom settings

Set limits for engines on endpoints using targeting.

On the Setup > Configuration page, select the Custom Settings tab.

    The default configuration with suggested "best practice" parameters is displayed:

      • For CPU Count, 1 CPU is selected.
      • For Java Heap Size, a default value of 768 MB is set.
      • For Distribute Downloads, 0 is the value.
      • For Targeting, Default is selected for the action group.

  1. To create a custom configuration, click the Customize button to set the following:
    • CPU Count - Select the maximum number of CPUs for scanning.
    • Java Heap Size - Set limits for the amount of Java heap memory consumed for scanning.
    • Distribute Downloads - Set a randomized time, in minutes, for endpoint downloads to take place in order to reduce network load. If you set this value to 0 minutes, there is no randomization.
    • Custom Targeting - Use the Row and Grouping buttons to select computer groups for targeting. Also use the And and Or buttons to widen or narrow the group of targeted systems.
  2. Click Save.