Setting up Endpoints

Scan endpoints by configuring engines for targeted computer groups.


Configure engines

Target deployments to computer groups based on the architecture and platform of the targeted endpoints to deploy engines and JREs to endpoints on a schedule. For example, you might want to create the following deployments:

  • Windows 64-bit
  • Windows 32-bit
  • macOS 64-bit
  • Linux 64-bit

  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

By default, Tanium provides the Tanium Scan Engine (powered by JovalCM), but if you uploaded another supported engine, you can select that engine. For more information on scan engines, see Working with scan engines and JREs.

  1. Got to Setup > Configuration.
  2.  In the Engines tab, do the following:
    • Click Use Default Targeting to automatically target all endpoints in the Tanium Comply action group.
    • Click Do Not Use Default Targeting to manually target computer groups.
  3. Click for an engine in the list to open the targeting window.
  4. Select Computer Groups you want to target. You can select multiple computer groups in this field.
  5. Click Save.

The Encrypt JRE option is selected by default. This option encrypts the ZIP file on the endpoint that contains the JRE and prevents access to the JRE. When you use JRE encryption, reports that require the JRE distribute a key file to decrypt the JRE. After the report runs, the key file and decrypted JRE are removed. The encrypted JRE remains and is used the next time it is required. On the Reports page, any report with an encrypted JRE will show a lock next to that engine.

If a JRE encryption key is lost or overwritten, you can recreate the JRE encryption key. See Recreate JRE encryption key.

General settings

Set limits for engines on endpoints using targeting.

  1. On the Setup > Configuration page, select the General Settings tab.

    There is a default configuration (labeled as Default in the Targeting column) with suggested "best practice" parameters:

      • For CPU Count, 1 CPU is selected.
      • For Java Heap Size, a default value 768 MB is set.
      • For Distribute Downloads, 0 is the value.
      • For Targeting, Default is selected for the action group.

  1. To create a custom configuration, click the Add General Settings button to set the following:
    • CPU Count - Select the maximum number of CPUs for scanning.
    • Java Heap Size - Set limits for the amount of Java heap memory consumed for scanning.
    • Distribute Downloads - Set a randomized time, in minutes, for endpoint downloads to take place in order to reduce network load. If you set this value to 0 minutes, there is no randomization.
    • Custom Targeting - Use the Row and Grouping buttons to select computer groups for targeting. Also use the And and Or buttons to widen or narrow the group of targeted systems.
  2. Click Save.