Configuring Deploy

If you did not install Deploy with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Deploy action group to target the No Computers filter group by enabling restricted targeting before adding Deploy to your Tanium licenseimporting Deploy. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Deploy action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Deploy with automatic configuration, the following default settings are configured:

The following default settings are configured for Deploy:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.
Deploy deployment templates

The following deployment templates are created:

  • [Standard Deployment] - default
  • [Deployment with Reboot]
  • [Deployment with Pre-Notification]

Deploy maintenance windows

An Always On maintenance window is created, and enforced against the All Computers computer group.
Deploy configurations For action locked machines, only applicability scanning is enabled, so that deployments cannot run on action locked machines.

Configure platform settings

You can configure the Tanium platform for optimal delivery of larger payloads, which are typically associated with downloading and installing software.

  1. From the Main menu, go to Administration > Configuration > Platform Settings.
  2. To increase the client cache size, click Create Setting, provide the following information, and click Save.
    Setting Type: Client
    Name: ClientCacheLimitInMB
    Value Type: Numeric
    Value 2048
  3. To increase the hot cache percentage, click Create Setting, provide the following information, and click Save.
    Setting TypeClient
    Name: HotCachePercentage
    Value Type: Numeric
    Value 80

Changes to platform settings can take up to five hours to propagate to clients.

Install and configure Configure Tanium End-User Notifications

With the Tanium End-User Notifications solution, you can create a notification message with your deployment to Windows and macOS endpoints to notify the user that the system is about to begin a deployment, has completed a deployment, and if postponements are enabled, to give the user the option to postpone the deployment or restart now.

For more information, see Tanium End-User Notifications User Guide: End-User Notifications overview.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Deploy, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Creating, stopping, or reissuing deployments
  • Adding or removing maintenance window enforcements
  • Creating, editing, or removing self service profiles
  • User-initiated actions, such as initializing endpoints, distributing the software package catalog, updating Deploy Settings

Configure Deploy

Configure service account

The service account is a user that runs several background processes for Deploy. This user requires the Content Administrator, Deploy Service Account, and End-User Notifications Read Only User roles, or the Tanium Administrator role. If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. For more information about Deploy permissions, see User role requirements.

If you imported Deploy with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. On the Deploy Overview page, click Settings and then click Service Account if needed.
  2. Provide a user name and password, and then click Save.

Organize computer groups

One way to deploy packages or bundles is by computer group. Create relevant computer groups to organize your endpoints. Some options include:

  • Endpoint type, such as servers or employee workstations
  • Endpoint location, such as by country or time zone
  • Endpoint priority, such as business-critical machines

Manual computer groups are not supported in Deploy. For more information, see Tanium Core Platform User Guide: Managing computer groups.

Add computer groups to Deploy action group

Importing the Deploy module automatically creates an action group to target specific endpoints. Select the computer groups to include in the Deploy action group. By default, Deploy targets No Computers.

Ensure that all operating systems that are supported by Deploy are included in the Deploy action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Deploy.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Deploy users

You can use the following set of predefined user roles to set up Deploy users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Deploy Administrator

Assign the Deploy Administrator role to users who manage the configuration and deployment of Deploy functionality to endpoints.
This role can perform the following tasks:

  • Manage all Deploy settings
  • Manage deployments, maintenance windows, and Self Service profiles

Deploy Endpoint Configuration Approver

Assign the Deploy Endpoint Configuration Approver role to a user who approves or rejects Deploy configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Deploy is installed.

Deploy Operator

Assign the Deploy Operator role to users who manage the configuration and deployment of Deploy functionality to endpoints.
This role can perform the following tasks:

  • Create, edit, import, or delete software packages and software bundles

  • Manage deployments, maintenance windows, and Self Service profiles

Deploy Package Administrator

Assign the Deploy Package Administrator role to users who manage the configuration of Deploy functionality.
This role can perform the following tasks:

  • Reject or dismiss Deploy configuration changes

  • Create, edit, import, or delete software packages and software bundles

  • View all configurations, graphs, and reporting data in Deploy

Deploy Read Only User

Assign the Deploy Read Only User role to users who need visibility into Deploy data.
This role can view all configurations, graphs, and reporting data in Deploy.

Deploy Service Account

Assign the Deploy Service Account role to the account that configures system settings for Deploy.
This role can perform several background processes for Deploy.

Deploy User

Assign the Deploy User role to users who manage the deployment of Deploy functionality to endpoints.
This role can manage deployments, maintenance windows, and Self Service profiles.

Initialize Deploy endpoints

Deploy installs a set of tools on each endpoint that you have targeted. Initializing the endpoints starts the Deploy service and starts the Deploy process on every endpoint where it is not running.

  1. On the Deploy Overview page, click Help , and then click Support if needed.
  2. Click Initialize Endpoints and confirm your action.

After deploying the tools for the first time, endpoints can take up to four hours to display status.