Requirements

Review the requirements before you install and use Deploy.

Tanium dependencies

In addition to a license for the Deploy product module, make sure that your environment also meets the following requirements.

Component | Requirement
Tanium Core Platform | 7.3.314.4250 or later
Tanium Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium products

If you clicked Install with Recommended Configurations when you installed Deploy, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Deploy requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are required, at the minimum versions shown:

  • Tanium Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
  • Tanium End-User Notifications 1.6.5 or later
  • Tanium Interact 2.4.74 or later (use the latest version of Interact for best results)
  • Tanium Trends 3.6 or later

Computer groups

When you first log in to the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Deploy requires: All Computers.

Tanium Server and Module Server

Deploy is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For more information about Tanium Server and Module Server sizing guidelines, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Contact Tanium Support for customized tuning to your environment. For more information, see Tanium Platform User Guide: Managing Global Settings.

Table 1:   Supported operating systems
Operating System | Version | Notes
Windows Server | Windows Server 2008 R2 Service Pack 1 or later | Windows Server Core not supported for End-User Notifications functionality.
Windows Workstation | Windows 7 Service Pack 1 or later | Windows 7 Service Pack 1 requires Microsoft KB2758857.
macOS | macOS 11.0 Big Sur; macOS 10.15 Catalina; macOS 10.14.6 Mojave; macOS 10.13.6 High Sierra; macOS 10.12 Sierra; OS X 10.11 El Capitan; OS X 10.10 Yosemite |
Linux | Amazon Linux 1 or later; Oracle Linux 6 or later; Red Hat Enterprise Linux (RHEL) 6 or later; CentOS 6 or later |

Windows System environment variables

The use of environment variables when you refer to file paths in Deploy is recommended over the use of explicit file paths. This method provides independence from differing paths based on operating system language or architecture, and allows the construction of a dynamic path at the time of execution.

Process Architecture | System Environment Variable | Path
32-bit process on 32-bit Windows | %PROGRAMFILES% | C:\Program Files
32-bit process on 32-bit Windows | %COMMONPROGRAMFILES% | C:\Program Files\Common Files
32-bit process on 64-bit Windows | %PROGRAMFILES% | C:\Program Files (x86)
32-bit process on 64-bit Windows | %PROGRAMFILESX86% | C:\Program Files (x86)
32-bit process on 64-bit Windows | %COMMONPROGRAMFILES% | C:\Program Files (x86)\Common Files
32-bit process on 64-bit Windows | %COMMONPROGRAMFILES(X86)% | C:\Program Files (x86)\Common Files
32-bit process on 64-bit Windows | %COMMONPROGRAMW6432% | C:\Program Files\Common Files
32-bit process on 64-bit Windows | %PROGRAMW6432% | C:\Program Files

Additional environment variables that are available to the System account, such as %SystemDrive%, %SystemRoot%, and %WinDir%, are also supported.

Host and network security requirements

Specific ports, processes, and URLs are needed to run Deploy.

Ports

The following ports are required for Deploy communication.

Source | Destination | Port | Protocol | Purpose
Module Server | Module Server (loopback) | 17463 | TCP | Internal purposes; not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.
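
The ports table lists 17463 as loopback-only on the Module Server. The following added example (not part of the Tanium documentation) checks `netstat -an` output for a listener on that port bound to anything other than a loopback address. The function name and the sample output are constructed for illustration.

```python
import ipaddress
import re

DEPLOY_PORT = 17463  # loopback-only port from the ports table above

# Constructed `netstat -an` excerpts in the Windows layout (not real captures).
SAMPLE_LOOPBACK_ONLY = """\
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:17463        0.0.0.0:0              LISTENING
  TCP    [::1]:17463            [::]:0                 LISTENING
  TCP    127.0.0.1:17463        127.0.0.1:50122        ESTABLISHED
"""
SAMPLE_EXPOSED = """\
  TCP    0.0.0.0:17463          0.0.0.0:0              LISTENING
  TCP    [::]:17463             [::]:0                 LISTENING
  TCP    0.0.0.0:1746           0.0.0.0:0              LISTENING
"""

# Local address and port of a listening TCP socket; IPv6 is shown as [addr]:port.
_LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.I)


def exposed_listeners(netstat_text, port=DEPLOY_PORT):
    """Return non-loopback addresses on which `port` is listening.

    An empty list means no exposure was found; it does not prove that the
    service is running.
    """
    exposed = []
    for line in netstat_text.splitlines():
        match = _LISTEN_ROW.match(line)
        if not match or int(match.group(2)) != port:
            continue
        # Drop IPv6 brackets and any %scope suffix before parsing.
        host = match.group(1).strip("[]").split("%", 1)[0]
        addr = ipaddress.ip_address(host)
        if not addr.is_loopback:  # 0.0.0.0 and :: count as exposed
            exposed.append(str(addr))
    return exposed


if __name__ == "__main__":
    print("loopback-only sample:", exposed_listeners(SAMPLE_LOOPBACK_ONLY))
    print("exposed sample:", exposed_listeners(SAMPLE_EXPOSED))
```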

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 2:   Deploy security exclusions
Target device | Notes | Process
Module Server | | <Module Server>\services\deploy-service\node.exe
Module Server | Required when Endpoint Configuration is installed | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | Required only for the Microsoft Windows 10 Upgrade packages | C:\Deploy\Tanium\*
Windows endpoints | | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.4.x clients | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | <Tanium Client>\Python38\*.dll
Windows endpoints | | <Tanium Client>\Tools\Deploy\7za.exe
Windows endpoints | | <Tanium Client>\Tools\SoftwareManagement\7za.exe
Windows endpoints | | <Tanium Client>\TaniumCX.exe
Linux endpoints | | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.2.x clients | <Tanium Client>/python27/pybin
Linux endpoints | 7.4.x clients | <Tanium Client>/python38/python
Linux endpoints | | <Tanium Client>/TaniumCX
macOS endpoints | | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.2.x clients | <Tanium Client>/python27/pybin
macOS endpoints | 7.4.x clients | <Tanium Client>/python38/python
macOS endpoints | | <Tanium Client>/TaniumCX

Table 3:   Deploy security exclusions
Target device | Notes | Process
Windows endpoints | Required only for the Microsoft Windows 10 Upgrade packages | C:\Deploy\Tanium\*
Windows endpoints | | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.4.x clients | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | <Tanium Client>\Python38\*.dll
Windows endpoints | | <Tanium Client>\Tools\Deploy\7za.exe
Windows endpoints | | <Tanium Client>\Tools\SoftwareManagement\7za.exe
Windows endpoints | | <Tanium Client>\TaniumCX.exe
Linux endpoints | | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.4.x clients | <Tanium Client>/python38/python
Linux endpoints | | <Tanium Client>/TaniumCX
macOS endpoints | | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.4.x clients | <Tanium Client>/python38/python
macOS endpoints | | <Tanium Client>/TaniumCX

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs on the Tanium Module Server for the Deploy service.

The Tanium Server requires access to the following websites to download binaries for the Predefined Package Gallery templates.

Software Package | Domain | Port
7-zip | 7-zip.org | 443
Adobe Acrobat DC ¹ | download.adobe.com | 443
Adobe Acrobat Reader DC | ardownload2.adobe.com, download.adobe.com | 443
Adobe AIR | download.macromedia.com | 443
Adobe Digital Editions | adedownload.adobe.com | 443
Adobe Flash Player | fpdownload.macromedia.com | 443
Adobe Shockwave EOL ² | fpdownload.macromedia.com | 443
Box Drive | e3.boxcdn.net | 443
Citrix Workspace (formerly Citrix Receiver) | downloadplugins.citrix.com | 443
DB Browser for SQLite | sqlitebrowser.org | 443
Dropbox | clientupdates.dropboxstatic.com | 443
FileZilla | download.filezilla-project.org | 443
Google Android Studio | dl.google.com | 443
Google Chrome | dl.google.com | 443
Google Drive File Stream | dl.google.com | 443
Microsoft Office 2019 | officecdn-microsoft-com.akamaized.net | 443
Microsoft Office 2019 with Teams | officecdn-microsoft-com.akamaized.net | 443
Microsoft Power BI Desktop | downloads.microsoft.com | 443
Microsoft Silverlight | go.microsoft.com | 443
Microsoft Skype Desktop Client | *.azureedge.net | 443
Microsoft Visual Studio Code | code.visualstudio.com | 443
Microsoft Windows 10 Upgrade ³ | content.tanium.com | 443
Mozilla Firefox | releases.mozilla.org | 443
NodeJS | nodejs.org | 443
Notepad++ | github.com | 443
Oracle Java Runtime | javadl.oracle.com, sdlc-esd.oracle.com | 443
Oracle MySQL Community | dev.mysql.com | 443
PuTTY | the.earth.li | 443
Royal Apps GmbH Royal TS | download.royalapplications.com | 443
Slack | downloads.slack-edge.com | 443
VideoLAN VLC Media Player | download.videolan.org | 443
VMware Workstation Player ⁴ | download3.vmware.com | 443
Wireshark | 2.na.dl.wireshark.org | 443
Zoom | d11yldzmag5yn.cloudfront.net, zoom.us | 443
Zoom Outlook Plugin | zoom.us | 443

¹ Update operation only.

² Remove operation only.

³ Windows 10 Operating System media is not included in this package template. For more information, see Tanium Community: How to execute a Windows 10 upgrade with Tanium Deploy: Setup.

⁴ Update and Remove operations only.
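
To confirm that the egress allowlist matches the table above, the following added example (not part of the Tanium documentation) audits outbound proxy entries from the server against the listed domains and port 443, including correct handling of the `*.azureedge.net` wildcard. The log format, host name `modsrv01`, and function names are hypothetical; the sample lines are constructed.

```python
# Domains from the "Internet URLs" table above; every row lists port 443.
ALLOWED = """
7-zip.org download.adobe.com ardownload2.adobe.com download.macromedia.com
adedownload.adobe.com fpdownload.macromedia.com e3.boxcdn.net
downloadplugins.citrix.com sqlitebrowser.org clientupdates.dropboxstatic.com
download.filezilla-project.org dl.google.com
officecdn-microsoft-com.akamaized.net downloads.microsoft.com go.microsoft.com
*.azureedge.net code.visualstudio.com content.tanium.com releases.mozilla.org
nodejs.org github.com javadl.oracle.com sdlc-esd.oracle.com dev.mysql.com
the.earth.li download.royalapplications.com downloads.slack-edge.com
download.videolan.org download3.vmware.com 2.na.dl.wireshark.org
d11yldzmag5yn.cloudfront.net zoom.us
""".split()
ALLOWED_PORT = "443"

# Constructed log lines; assumed format "<time> <source> CONNECT host:port".
SAMPLE_LOG = [
    "2021-03-01T10:00:01Z modsrv01 CONNECT dl.google.com:443",
    "2021-03-01T10:00:02Z modsrv01 CONNECT cdn1.azureedge.net:443",
    "2021-03-01T10:00:03Z modsrv01 CONNECT Content.Tanium.com.:443",
    "2021-03-01T10:00:04Z modsrv01 CONNECT notazureedge.net:443",
    "2021-03-01T10:00:05Z modsrv01 CONNECT zoom.us.example.net:443",
    "2021-03-01T10:00:06Z modsrv01 CONNECT github.com:22",
]


def host_allowed(host):
    """Exact match, or a subdomain match for '*.' entries (never a bare suffix)."""
    host = host.lower().rstrip(".")
    for pattern in ALLOWED:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".azureedge.net", dot included
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def audit(log_lines):
    """Return the host:port targets that fall outside the table."""
    violations = []
    for line in log_lines:
        if not line.strip():
            continue
        target = line.split()[-1]
        host, _, port = target.rpartition(":")
        if port != ALLOWED_PORT or not host_allowed(host):
            violations.append(target)
    return violations
```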

User role requirements

The following tables list the role permissions required to use Deploy. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Table 4:   Deploy user role permissions
Permission Deploy Administrator1 Deploy Endpoint Configuration Approver21 Deploy Operator1,2 Deploy Package Administrator1,2 Deploy Read Only User12 Deploy Service Account1,3 Deploy User1,2

  • Show Deploy: View the Deploy workbench
  • Deploy Deployments Write: Create and modify deployments
  • Deploy Endpoint Configuration Approve: Approve endpoint configuration approvals
  • Deploy Endpoint Configuration Register: Register with Endpoint Configuration
  • Deploy Maintenance Windows Write: Create, modify, and delete maintenance windows
  • Deploy Module Read: Read access to the Deploy module
  • Deploy Module Write: Write access to the Deploy module
  • Deploy Settings Write: Write access to global settings in the Deploy module
  • Deploy Operator Settings Write: Write access to a subset of global settings in the Deploy module
  • Deploy Profiles Write: Create, modify, and delete self service profiles
  • Deploy Use Api: Perform Deploy operations using the API

1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

21 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

3 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

 

Table 5:   Provided Deploy Micro Admin and Advanced user role permissions
Permission | Role Type | Content Set for Permission | Deploy Administrator | Deploy Endpoint Configuration Approver | Deploy Operator | Deploy Package Administrator | Deploy Read Only User | Deploy Service Account | Deploy User
Read User | Micro Admin |
Read User Group | Micro Admin |
Read Computer Group | Micro Admin |
Ask Dynamic Questions | Advanced |
Read Sensor | Advanced | Reserved
Read Sensor | Advanced | Default
Read Sensor | Advanced | Base
Read Sensor | Advanced | Deploy Content Set
Read Action | Advanced | Deploy Content Set
Read Action ¹ | Advanced | End-User Notifications
Write Action | Advanced | Deploy Content Set
Write Action ¹ | Advanced | End-User Notifications
Approve Action | Advanced | Deploy Content Set
Execute Plugin | Advanced | Deploy Content Set
Execute Plugin ² | Advanced | Endpoint Configuration
Execute Plugin ³ | Advanced | Tanium Data Service
Execute Plugin ⁴ | Advanced | Trends
Read Package | Advanced | Deploy Content Set
Read Package ¹ | Advanced | End-User Notifications
Write Package | Advanced | Deploy Content Set
Read Saved Question | Advanced | Deploy Content Set
Read Saved Question ¹ | Advanced | End-User Notifications
Write Saved Question | Advanced | Deploy Content Set
Write Saved Question ¹ | Advanced | End-User Notifications

¹ Denotes a provided permission when the Tanium End-User Notifications shared service is installed.

² Denotes a provided permission when Tanium Endpoint Configuration is installed.

³ Denotes a provided permission when Tanium Interact is installed.

⁴ Denotes a provided permission when Tanium Trends is installed.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.