Setting up endpoints
Scan endpoints by configuring engines for targeted computer groups.
Target deployments to computer groups based on the architecture and platform of the targeted endpoints, so that engines and JREs are deployed to those endpoints on a schedule. For example, you might want to create the following deployments:
- Windows 64-bit
- Windows 32-bit
- macOS 64-bit
- Linux 64-bit
- Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
- Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.
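The two review checks above can be run against an inventory before scans are scheduled. The following is an added example, not Tanium code: the dictionary layout, endpoint names and group names are constructed assumptions and do not represent a Tanium export format or API.

```python
# Added example: the data below is constructed, not exported from Tanium.
from collections import defaultdict

# Each deployment: platform, bitness and the computer groups it targets.
DEPLOYMENTS = [
    {"platform": "Windows", "bits": 64, "groups": {"All Windows"}},
    {"platform": "macOS", "bits": 64, "groups": {"All Mac"}},
    {"platform": "Linux", "bits": 64, "groups": {"Linux Servers"}},
]

# Each endpoint: platform, bitness and its computer group memberships.
ENDPOINTS = [
    {"name": "ws-001", "platform": "Windows", "bits": 64, "groups": {"All Windows"}},
    {"name": "ws-legacy", "platform": "Windows", "bits": 32, "groups": {"All Windows"}},
    {"name": "mac-007", "platform": "macOS", "bits": 64, "groups": {"All Mac"}},
    {"name": "db-01", "platform": "Linux", "bits": 64, "groups": {"Linux Servers"}},
    {"name": "dev-vm", "platform": "Linux", "bits": 64, "groups": {"Linux Workstations"}},
]

def coverage_gaps(endpoints, deployments):
    """Return (no_deployment, group_missing) as sorted lists of endpoint names.

    no_deployment: no deployment exists for the endpoint's platform/bitness.
    group_missing: a matching deployment exists, but none of the endpoint's
                   computer groups is targeted by it.
    """
    targeted = defaultdict(set)  # (platform, bits) -> union of targeted groups
    for d in deployments:
        targeted[(d["platform"].lower(), d["bits"])] |= d["groups"]

    no_deployment, group_missing = [], []
    for e in endpoints:
        key = (e["platform"].lower(), e["bits"])
        if key not in targeted:
            no_deployment.append(e["name"])
        elif not (targeted[key] & e["groups"]):
            group_missing.append(e["name"])
    return sorted(no_deployment), sorted(group_missing)

if __name__ == "__main__":
    missing_arch, missing_group = coverage_gaps(ENDPOINTS, DEPLOYMENTS)
    print("No deployment for platform/bitness:", missing_arch)
    print("Deployment exists but group not targeted:", missing_group)
```

Endpoints in either list receive no engine or JRE and therefore produce no assessment results, which is easy to misread as a clean scan.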
By default, Tanium provides the Tanium Scan Engine (powered by JovalCM), but if you uploaded another supported engine, you can select that engine. For more information on scan engines, see Working with scan engines and JREs.
- Go to Setup > Configuration.
- In the Engines tab, do the following:
  - Click for an engine in the list to open the targeting window.
  - Select Computer Groups you want to target.
    - Default: Default targeting uses the Comply action group.
    - Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection and then click Save.
    - Do not distribute to endpoints: Choose this option to prevent the engine from being distributed to endpoint systems.
- Click Save.
The Encrypt JRE option is selected by default (located under Settings > JRE Encryption). This option encrypts the ZIP file on the endpoint that contains the JRE and prevents access to the JRE. When you use JRE encryption, reports that require the JRE distribute a key file to decrypt the JRE. After the report runs, the key file and decrypted JRE are removed. The encrypted JRE remains and is used the next time it is required. On the Assessments page, any assessment with an encrypted JRE shows a lock next to that engine.
If a JRE encryption key is lost or overwritten, you can recreate the JRE encryption key. See Recreate JRE encryption key.
Set limits for engines on endpoints using targeting.
On the Setup > Configuration page, select the Custom Settings tab.
The default configuration with suggested "best practice" parameters is displayed:
- For CPU Count, 1 CPU is selected.
- For Java Heap Size, a default value of 768 MB is set.
- For Distribute Downloads, 0 is the value.
- For Targeting, Default is selected for the action group.
- Resource mode: The default setting is Normal. Change this setting to Low, and the Tanium scan engine will utilize fewer resources on the endpoint.
  Note the following about Low Resource Mode:
  - It only applies to the Tanium scan engine.
  - Scans take more time to complete.
  - The CPU Count automatically defaults to 1 and the Max Java Heap size is set to 256 MB.
  - CPU Utilization (Windows OS types only) can be set as low as 10%. If other resources are using CPU, the scan will pause until the set amount of CPU is available.
- CPU Count: Set a maximum number of CPUs for scanning. The default recommendation is 1 CPU.
- Java Heap Size: Set the maximum amount of Java heap memory used for scanning. The default recommendation is 512 MB.
- Distribute Downloads Over (Minutes): To distribute network load, set a delay time-frame. By default, this is set to zero, which disables the setting.
- Targeting: Select endpoints to receive these customized settings. Select Default or Custom Targeting.
  - Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection.
Last updated: 5/4/2021 4:56 PM