Deploy requirements

Review the requirements before you install and use Deploy.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Deploy

  • Tanium™ Core Platform servers: 7.4.3.1204 or later

  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server, the server (or Tanium™ Cloud) automatically imports the All Computers computer group, which Deploy requires.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Deploy to function (required dependencies) or for specific Deploy features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Deploy dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Deploy requirements. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Deploy requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Deploy, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Deploy to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Deploy, the server automatically updates those dependencies to the latest available versions.

If you select only Deploy to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Deploy has the following required dependencies at the specified minimum versions:

Optional dependencies

Deploy has the following optional dependencies at the specified minimum versions:

  • Tanium Reporting 1.12 or later. Creates charts on the Overview page. If this version is not installed, Trends creates the charts.

Tanium Server and Module Server

Deploy is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For more information about Tanium Server and Module Server sizing guidelines, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Contact Tanium Support for customized tuning to your environment. For more information, see Tanium Platform User Guide: Managing Tanium Core Platform Settings.

Supported operating systems
Windows Server: Windows Server 2008 R2 Service Pack 1 or later
  • Windows Server Core not supported for End-User Notifications functionality.

  • Windows Server 2008 R2 Service Pack 1 requires Microsoft KB2758857.

  • Windows Server 2012 R2 requires Microsoft KB2919394 or KB2919355 for End-User Self Service functionality.

Windows Workstation: Windows 7 Service Pack 1 or later
  • Windows 7 Service Pack 1 requires Microsoft KB2758857.

  • Windows 8.1 requires Microsoft KB2919394 or KB2919355 for End-User Self Service functionality.

macOS
  • macOS 13 Ventura
  • macOS 12 Monterey
  • macOS 11 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14.6 Mojave
  • macOS 10.13.6 High Sierra

Apple does not provide security updates for macOS 10.15 and earlier versions, and Tanium does not test these versions. macOS 10.13 has known issues with file extraction, and other features may not work as expected. For full Deploy functionality and support, upgrade to macOS 11 or later.

Linux
  • AlmaLinux 8 or later
  • Amazon Linux 1 or later
  • CentOS 6 or 7
  • Debian 8 or later
  • openSUSE Linux 11.x Service Pack 3 or later, 12.x, 15.x
  • Oracle Linux 6 or later
  • Red Hat Enterprise Linux (RHEL) 6 or later
  • Rocky Linux 8 or later
  • SUSE Linux Enterprise Desktop 11.3, 11.4, 12.x, 15.x
  • SUSE Linux Enterprise Server 11.3, 11.4, 12.x, 15.x
  • Ubuntu 14.04 or later
 

Windows System environment variables

The use of environment variables when you refer to file paths in Deploy is recommended over the use of explicit file paths. This method provides independence from differing paths based on operating system language or architecture, and allows the construction of a dynamic path at the time of execution.

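| Process Architecture | System Environment Variable | Path |
| --- | --- | --- |
| 32-bit process on 32-bit Windows | %PROGRAMFILES% | C:\Program Files |
| 32-bit process on 32-bit Windows | %COMMONPROGRAMFILES% | C:\Program Files\Common Files |
| 32-bit process on 64-bit Windows | %PROGRAMFILES% | C:\Program Files (x86) |
| 32-bit process on 64-bit Windows | %PROGRAMFILESX86% | C:\Program Files (x86) |
| 32-bit process on 64-bit Windows | %COMMONPROGRAMFILES% | C:\Program Files (x86)\Common Files |
| 32-bit process on 64-bit Windows | %COMMONPROGRAMFILES(X86)% | C:\Program Files (x86)\Common Files |
| 32-bit process on 64-bit Windows | %COMMONPROGRAMW6432% | C:\Program Files\Common Files |
| 32-bit process on 64-bit Windows | %PROGRAMW6432% | C:\Program Files |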

Additional environment variables that are available to the System account, such as %SystemDrive%, %SystemRoot%, %WinDir%, are also supported.
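
The table above as an added example (not part of the Tanium documentation): the sketch resolves a variable-based path for each process architecture, using only the values listed in the table, and rewrites an explicit path to variable form. The `ExampleVendor` path and both function names are constructed for illustration; on an endpoint, Windows performs the real expansion.

```python
import re

# Variable values per process architecture, copied from the table above.
X86_ON_X86 = "32-bit process on 32-bit Windows"
X86_ON_X64 = "32-bit process on 64-bit Windows"
CONTEXTS = {
    X86_ON_X86: {
        "PROGRAMFILES": r"C:\Program Files",
        "COMMONPROGRAMFILES": r"C:\Program Files\Common Files",
    },
    X86_ON_X64: {
        "PROGRAMFILES": r"C:\Program Files (x86)",
        "PROGRAMFILESX86": r"C:\Program Files (x86)",
        "COMMONPROGRAMFILES": r"C:\Program Files (x86)\Common Files",
        "COMMONPROGRAMFILES(X86)": r"C:\Program Files (x86)\Common Files",
        "COMMONPROGRAMW6432": r"C:\Program Files\Common Files",
        "PROGRAMW6432": r"C:\Program Files",
    },
}
_VAR = re.compile(r"%([^%\\]+)%")


def expand(path, context):
    """Resolve %VAR% references as a process running in `context` sees them."""
    table = CONTEXTS[context]

    def lookup(match):
        name = match.group(1).upper()  # variable names are case-insensitive
        if name not in table:
            raise KeyError(f"%{match.group(1)}% is not listed for a {context}")
        return table[name]

    return _VAR.sub(lookup, path)


def parameterize(explicit_path, context):
    """Rewrite an explicit path to variable form; the longest prefix wins."""
    best_name, best_value = None, ""
    lowered = explicit_path.lower()
    for name, value in CONTEXTS[context].items():
        v = value.lower()
        matches = lowered == v or lowered.startswith(v + "\\")
        if matches and len(value) > len(best_value):
            best_name, best_value = name, value
    if best_name is None:
        return explicit_path  # not under any listed directory
    return f"%{best_name}%" + explicit_path[len(best_value):]


# Constructed sample: one package path, resolved once per architecture.
SAMPLE = r"%PROGRAMFILES%\ExampleVendor\agent.exe"
RESOLVED = {ctx: expand(SAMPLE, ctx) for ctx in CONTEXTS}
```

The same string lands in `C:\Program Files` on 32-bit Windows and in `C:\Program Files (x86)` for a 32-bit process on 64-bit Windows; reaching the 64-bit directory from that process takes `%PROGRAMW6432%`.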

Host and network security requirements

Specific ports, processes, and URLs are needed to run Deploy.

Ports

The following ports are required for Deploy communication.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Module Server | Module Server (loopback) | 17463 | TCP | Internal purposes; not externally accessible |

No additional ports required.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
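
One way to check the "not externally accessible" property of port 17463 on the Module Server, as an added example that is not Tanium code: it parses `netstat -ano` style output and reports any listener on the port that is bound to a non-loopback address. The sample output, PIDs and function names are constructed.

```python
import ipaddress

DEPLOY_PORT = 17463  # Module Server loopback port from the table above

# Constructed `netstat -ano` style output (Windows column layout).
SAMPLE_OK = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2104
  TCP    127.0.0.1:17463        0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:17463        127.0.0.1:50211        ESTABLISHED     5120
"""
SAMPLE_EXPOSED = SAMPLE_OK + """\
  TCP    0.0.0.0:17463          0.0.0.0:0              LISTENING       5120
  TCP    [::]:17463             [::]:0                 LISTENING       5120
"""


def listeners(netstat_text, port=DEPLOY_PORT):
    """Return (address, pid) for each TCP socket in LISTENING state on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # header, UDP, or a connection that is not a listener
        host, _, local_port = fields[1].rpartition(":")
        if local_port != str(port):
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        found.append((ipaddress.ip_address(host), fields[4]))
    return found


def exposed_listeners(netstat_text, port=DEPLOY_PORT):
    """Listeners on `port` bound to anything other than a loopback address."""
    return [(str(ip), pid) for ip, pid in listeners(netstat_text, port)
            if not ip.is_loopback]
```

An empty result from `exposed_listeners` means every listener on the port is bound to 127.0.0.0/8 or ::1; a wildcard bind such as `0.0.0.0` or `[::]` is reported.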

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows (KB822158).

Deploy security exclusions
| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\deploy-service\node.exe |
| Module Server | Required when Endpoint Configuration is installed | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows endpoints | Required only for the Microsoft InPlace Upgrade packages | Folder | C:\Deploy\Tanium |
| Windows endpoints | | Process | <Tanium Client>\Python38\TPython.exe |
| Windows endpoints | | Folder | <Tanium Client>\Python38 |
| Windows endpoints | | Process | <Tanium Client>\Tools\SoftwareManagement\7za.exe |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll |
| Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig |
| Linux endpoints | | Process | <Tanium Client>/python38/python |
| Linux endpoints | | Folder | <Tanium Client>/python38 |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |
| Linux endpoints | | File | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db |
| Linux endpoints | | File | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db-wal |
| Linux endpoints | | File | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db-shm |
| Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so |
| Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig |
| macOS endpoints | | Process | <Tanium Client>/python38/python |
| macOS endpoints | | Folder | <Tanium Client>/python38 |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib |
| macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig |

Deploy security exclusions
| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Windows endpoints | Required only for the Microsoft Windows 10 Upgrade packages | Folder | C:\Deploy\Tanium |
| Windows endpoints | | Process | <Tanium Client>\Python38\TPython.exe |
| Windows endpoints | | Folder | <Tanium Client>\Python38 |
| Windows endpoints | | Process | <Tanium Client>\Tools\SoftwareManagement\7za.exe |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll |
| Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig |
| Linux endpoints | | Process | <Tanium Client>/python38/python |
| Linux endpoints | | Folder | <Tanium Client>/python38 |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |
| Linux endpoints | | File | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db |
| Linux endpoints | | File | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db-wal |
| Linux endpoints | | File | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db-shm |
| Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so |
| Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig |
| macOS endpoints | | Process | <Tanium Client>/python38/python |
| macOS endpoints | | Folder | <Tanium Client>/python38 |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib |
| macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig |
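
An added example (not Tanium code) of auditing a security product's exclusion list against the Windows endpoint rows above: it reports documented entries that are missing, entries broader than the documentation asks for, and entries the table does not list. The client install path, the configured list and the function name are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Windows endpoint rows from the table above: (exclusion type, path template).
DOCUMENTED = [
    ("Folder", r"C:\Deploy\Tanium"),  # per the Notes column: upgrade packages only
    ("Process", r"<Tanium Client>\Python38\TPython.exe"),
    ("Folder", r"<Tanium Client>\Python38"),
    ("Process", r"<Tanium Client>\Tools\SoftwareManagement\7za.exe"),
    ("Process", r"<Tanium Client>\TaniumCX.exe"),
    ("File", r"<Tanium Client>\extensions\TaniumSoftwareManager.dll"),
    ("File", r"<Tanium Client>\extensions\TaniumSoftwareManager.dll.sig"),
]


def audit(configured, client_dir):
    """Compare configured (type, path) exclusions with the documented rows.

    PureWindowsPath compares case-insensitively, as Windows does.
    """
    want = {(kind, PureWindowsPath(path.replace("<Tanium Client>", client_dir)))
            for kind, path in DOCUMENTED}
    have = {(kind, PureWindowsPath(path)) for kind, path in configured}
    extra = have - want
    # Over-broad: a wildcard, or a folder that contains a documented path
    # and therefore also covers everything else stored under it.
    overbroad = {(kind, path) for kind, path in extra
                 if "*" in str(path)
                 or (kind == "Folder"
                     and any(path in doc.parents for _, doc in want))}

    def rows(items):
        return sorted((kind, str(path)) for kind, path in items)

    return {"missing": rows(want - have),
            "overbroad": rows(overbroad),
            "undocumented": rows(extra - overbroad)}


# Constructed sample: the install path and this exclusion list are assumptions.
CLIENT_DIR = r"C:\Program Files (x86)\Tanium\Tanium Client"
CONFIGURED = [
    ("Folder", r"C:\Deploy\Tanium"),
    ("Process", CLIENT_DIR + r"\python38\tpython.exe"),  # differs only in case
    ("Folder", CLIENT_DIR + r"\Python38"),
    ("Process", CLIENT_DIR + r"\Tools\SoftwareManagement\7za.exe"),
    ("Process", CLIENT_DIR + r"\TaniumCX.exe"),
    ("File", CLIENT_DIR + r"\extensions\TaniumSoftwareManager.dll"),
    ("Folder", CLIENT_DIR),              # whole client directory
    ("Process", r"C:\Tools\other.exe"),  # not in the table
]
REPORT = audit(CONFIGURED, CLIENT_DIR)
```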

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs on the Tanium Server and the Tanium Module Server for the Deploy service.

The Tanium Server and the Tanium Module Server require access to the following websites to download binaries for the Predefined Package Gallery templates.

| Software Package | Domain | Port |
| --- | --- | --- |
| Adobe Acrobat DC¹ | download.adobe.com | 443 |
| Adobe Acrobat Reader DC | ardownload2.adobe.com, download.adobe.com | 443 |
| Adobe AIR | download.macromedia.com | 443 |
| Adobe Digital Editions | adedownload.adobe.com | 443 |
| Adobe Flash Player | fpdownload.macromedia.com | 443 |
| Adobe Shockwave EOL² | fpdownload.macromedia.com | 443 |
| AgileBits 1Password 7 | c.1password.com | 443 |
| Apache Tomcat | dlcdn.apache.org | 443 |
| Apple iTunes | secure-appldnld.apple.com | 443 |
| Apple macOS Upgrade (Big Sur, Monterey, and Ventura) | swscan.apple.com, swcdn.apple.com, swdist.apple.com | 443 |
| Arco Software CutePDF Writer | www.cutepdf.com | 443 |
| Arduino IDE | downloads.arduino.cc | 443 |
| Atlassian Sourcetree | product-downloads.atlassian.com | 443 |
| Bare Bones BBEdit | s3.amazonaws.com/BBSW-download | 443 |
| BlueJeans Network, Inc BlueJeans | swdl.bluejeans.com | 443 |
| Box Inc. Box Drive | e3.boxcdn.net | 443 |
| Cisco Jabber | binaries.webex.com | 443 |
| Cisco Network Recording Player | akamai.webex.com | 443 |
| Cisco Webex Recorder and Player | welcome.webex.com | 443 |
| Citrix Workspace (formerly Citrix Receiver) | downloadplugins.citrix.com | 443 |
| Corel Corporation WinZip | download.winzip.com | 443 |
| DB Browser for SQLite Team DB Browser for SQLite | sqlitebrowser.org | 443 |
| Devolutions Inc. Remote Desktop Manager | http://cdn.devolutions.net | 443 |
| Discord, Inc Discord | dl.discordapp.net | 443 |
| Docker Desktop | desktop.docker.com, www.docker.com/products/docker-desktop/ | 443 |
| Dropbox Desktop Client | clientupdates.dropboxstatic.com | 443 |
| Eclipse Adoptium Temurin JDK/JRE | github.com | 443 |
| Evernote Corporation Evernote | cdn1.evernote.com | 443 |
| Foxit Software Inc PDF Reader | cdn01.foxitsoftware.com | 443 |
| George Nachman iTerm2 | iterm2.com | 443 |
| GN Audio Jabra Direct | jabraxpressonlineprdstor.blob.core.windows.net | 443 |
| Google Android Studio | *.gvt1.com | 443 |
| Google Chrome | dl.google.com | 443 |
| Google Drive File Stream | dl.google.com | 443 |
| Helios TextPad | www.textpad.com | 443 |
| Igor Pavlov 7-Zip | crl.identrust.com | 80 |
| Igor Pavlov 7-Zip | 7-zip.org | 443 |
| iterate GmbH Cyberduck | update.cyberduck.io | 443 |
| JAM Software TreeSize Free | downloads.jam-software.de | 443 |
| JetBrains DataGrip | download.jetbrains.com | 443 |
| JetBrains GoLand | download-cdn.jetbrains.com | 443 |
| JetBrains PyCharm | download-cdn.jetbrains.com | 443 |
| Licecap Licecap | https://www.cockos.com/licecap/ | 443 |
| KeePass KeePass 1 and 2 | sourceforge.net | 443 |
| MacPaw The Unarchiver | dl.devmate.com | 443 |
| Martin Prikryl WinSCP | sourceforge.net | 443 |
| Microsoft .NET Framework | download.visualstudio.microsoft.com | 443 |
| Microsoft Edge | msedge.sf.dl.delivery.mp.microsoft.com, officecdn-microsoft-com.akamaized.net | 443 |
| Microsoft Feature Update to Windows 10, version 21H2 (KB5003791) | catalog.s.download.windowsupdate.com | 443 |
| Microsoft Office 2019 | officecdn-microsoft-com.akamaized.net | 443 |
| Microsoft Office 2019 with Teams | officecdn-microsoft-com.akamaized.net | 443 |
| Microsoft Office Click-to-Run | download.microsoft.com | 443 |
| Microsoft Power BI Desktop | download.microsoft.com | 443 |
| Microsoft Skype Desktop Client | download.skype.com | 443 |
| Microsoft SQL Server Management Studio | aka.ms | 443 |
| Microsoft Teams | statics.teams.cdn.office.net | 443 |
| Microsoft Visual Studio Code | code.visualstudio.com | 443 |
| Microsoft Windows 10 Upgrade³ | content.tanium.com | 443 |
| Mozilla Firefox | releases.mozilla.org | 443 |
| Node.js Foundation NodeJS | nodejs.org | 443 |
| Notepad++ Team Notepad++ | download.notepad-plus-plus.org | 443 |
| Oracle Java Runtime | javadl.oracle.com, sdlc-esd.oracle.com | 443 |
| Oracle MySQL Community | dev.mysql.com | 443 |
| Oracle VirtualBox | download.virtualbox.org | 443 |
| pgAdmin pgAdmin 4 | ftp.postgresql.org | 443 |
| Piriform Software CCleaner Standard | bits.avcdn.net | 443 |
| Postman Postman | postman.com | 443 |
| Royal Apps GmbH Royal TS | download.royalapplications.com | 443 |
| Running with Crayons Ltd Alfred 5 | cachefly.alfredapp.com | 443 |
| Scooter Software Beyond Compare | www.scootersoftware.com | 443 |
| Simon Tatham PuTTY | the.earth.li | 443 |
| Slack Slack | downloads.slack-edge.com | 443 |
| Splunk Universal Forwarder | download.splunk.com, docs.splunk.com | 443 |
| Stamps.com, Inc Stamps.com | resources.stamps.com | 443 |
| Tableau Reader | downloads.tableau.com | 443 |
| TechSmith Camtasia | download.techsmith.com, support.techsmith.com | 443 |
| TechSmith Snagit | download.techsmith.com, support.techsmith.com | 443 |
| The Wireshark developer community Wireshark | 2.na.dl.wireshark.org | 443 |
| 3T Software Labs Ltd Studio 3T (Arm) and (Intel) | download.studio3t.com | 443 |
| TortoiseSVN TortoiseSVN | osdn.net | 443 |
| VideoLAN VLC Media Player | download.videolan.org | 443 |
| VMware Tools | packages.vmware.com | 443 |
| VMware Workstation Player⁴ | download3.vmware.com | 443 |
| win.rar GmbH WinRAR 32-bit and WinRAR 64-bit | www.win-rar.com | 443 |
| Yubico Authenticator | developers.yubico.com | 443 |
| Zoom Outlook Plugin | zoom.us | 443 |
| Zoom Rooms (On macOS, the MDM profile needs to allow access to camera, microphone, and screen sharing to avoid permission prompts on the endpoint.) | d11yldzmag5yn.cloudfront.net, zoom.us | 443 |
| Zoom Zoom | d11yldzmag5yn.cloudfront.net, zoom.us | 443 |

1 Update operation only.

2 Remove operation only.

3 Windows 10 Operating System media is not included in this package template. For more information, see Use case: Upgrading Windows.

4 Update and Remove operations only.
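
An added example, not part of the Tanium documentation, of enforcing the table above on egress from the Tanium Server and Module Server: it matches full URLs against a few rows copied from the table, honoring the wildcard entry, the path-scoped entry and the port 80 entry, and lists the log lines that no entry covers. The log format, host name and sample URLs are constructed, and the example assumes the proxy logs full URLs.

```python
from urllib.parse import urlsplit

# A few rows copied from the table above: (domain entry, port).
ALLOWLIST = [
    ("download.adobe.com", 443),
    ("*.gvt1.com", 443),                      # wildcard entry
    ("s3.amazonaws.com/BBSW-download", 443),  # entry scoped to a path
    ("crl.identrust.com", 80),                # the only port 80 entry
    ("7-zip.org", 443),
]


def split_entry(entry):
    """Split a table entry into (host pattern, path prefix)."""
    entry = entry.split("://", 1)[-1]  # some rows carry a scheme
    host, _, path = entry.partition("/")
    return host.lower(), ("/" + path.rstrip("/")) if path else ""


def is_allowed(url):
    """True if host, port and path of `url` fall under an allowlist entry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    for entry, allowed_port in ALLOWLIST:
        pattern, prefix = split_entry(entry)
        if port != allowed_port:
            continue
        if pattern.startswith("*."):
            host_ok = host.endswith(pattern[1:])  # ".gvt1.com", dot included
        else:
            host_ok = host == pattern
        path_ok = (not prefix or parts.path == prefix
                   or parts.path.startswith(prefix + "/"))
        if host_ok and path_ok:
            return True
    return False


# Constructed proxy log lines: "<timestamp> <source host> <url>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z module-server https://download.adobe.com/pub/sample.msi
2024-01-01T10:00:05Z module-server https://redirector.gvt1.com/edgedl/sample.exe
2024-01-01T10:00:09Z module-server https://s3.amazonaws.com/BBSW-download/sample.dmg
2024-01-01T10:00:12Z module-server https://s3.amazonaws.com/unrelated-bucket/sample.bin
2024-01-01T10:00:15Z module-server https://gvt1.com.example.net/sample.exe
2024-01-01T10:00:20Z module-server http://7-zip.org/a/sample.exe
"""


def unexpected(log_text):
    """URLs in the log that no allowlist entry covers."""
    return [line.split()[2] for line in log_text.splitlines()
            if line.strip() and not is_allowed(line.split()[2])]
```

A host-only rule for `s3.amazonaws.com` would also admit the `unrelated-bucket` request that the path-scoped match rejects.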

User role requirements

The following tables list the role permissions required to use Deploy. To review a summary of the predefined roles, see Set up Deploy users.

On installation, Deploy creates a Deploy user to automatically manage the Deploy service account. Do not edit or delete the Deploy user.

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Deploy user role permissions
Permission Deploy Administrator1,2,3,4 Deploy Endpoint Configuration Approver1,2 Deploy Operator1,2,3,4 Deploy Package Administrator1,2,3,4 Deploy Read Only User2,3,4 Deploy User1,2,3

Deploy

View the Deploy workbench


SHOW

SHOW

SHOW

SHOW

SHOW

SHOW

Deploy API

Perform Deploy operations using the API


EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

Deploy Deployments

Create and modify deployments


WRITE

WRITE

WRITE

Deploy Endpoint Configuration

APPROVE: Approve Deploy items for Endpoint Configuration

REGISTER: Register with Endpoint Configuration


APPROVE

Deploy Maintenance Windows

Create, modify, and remove maintenance windows


WRITE

WRITE

WRITE

Deploy Module

Read and write access to the Deploy module, including creating, editing, deleting, and importing software packages


READ
WRITE

READ

READ
WRITE

READ
WRITE

READ

READ
WRITE

Deploy Operator Settings

Write access to a subset of platform settings in the Deploy module


WRITE

WRITE

Deploy Profiles

Create, modify, and delete self service profiles


WRITE

WRITE

WRITE

Deploy Settings

Write access to platform settings in the Deploy module


WRITE

1 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

3 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 This role provides module permissions for Tanium Reporting. You can view which Reporting permissions are granted to this role in the Tanium Console. For more information, see Tanium Reporting User Guide: User role requirements.

 

Provided Deploy administration and platform content permissions
Permission Permission Type Deploy Administrator1,2,3,4 Deploy Endpoint Configuration Approver2,3,4 Deploy Operator1,2,3,4 Deploy Package Administrator1,2,3,4 Deploy Read Only User2,3,4 Deploy User2,3,4
User Administration
READ

READ
Action Platform Content
READ
WRITE

READ

READ
WRITE

READ
WRITE

READ

READ
WRITE
Approve Action Platform Content
SPECIAL

SPECIAL

SPECIAL

SPECIAL
Filter Group Platform Content
READ

READ

READ

READ

READ

READ
Own Action Platform Content
READ

READ

READ

READ

READ

READ
Package Platform Content
READ
WRITE

READ

READ
WRITE

READ
WRITE

READ

READ
WRITE
Plugin Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question Platform Content
READ
WRITE

READ

READ
WRITE

READ
WRITE

READ

READ
WRITE
Sensor Platform Content
READ

READ

READ

READ

READ

READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

1 This role provides content set permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration content sets are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides content set permissions for Tanium Interact. You can view which Interact content sets are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

3 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 This role provides module permissions for Tanium Reporting. You can view which Reporting permissions are granted to this role in the Tanium Console. For more information, see Tanium Reporting User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.