Opening screen sharing sessions

You can open a screen sharing session to perform troubleshooting on remote endpoints. Help desk agents can use the screen sharing tools to escalate between L1 and L2 support in the same screen sharing session.

You must purchase the ScreenMeet offering for this functionality to be enabled. With the ScreenMeet offering provided through Tanium, you must initiate all interactions with ScreenMeet through the Tanium console. Contact Tanium for details.

Requirements

  • Obtain Screen Sharing per-operator licenses based on the number of Tanium Console operators you expect to establish screen sharing sessions.

    • A per-operator license is allocated to each Tanium Console operator establishing a screen sharing session or accessing the ScreenMeet console from the Tanium Console. Each Tanium Console operator can create unlimited concurrent screen sharing sessions.
    • The license allocation lasts for 30 days and counts as an active operator license. The 30-day license allocation restarts each time that a Tanium Console operator establishes a screen sharing session or opens the ScreenMeet console.
    • If the active operator license count exceeds your total per-seat license count, additional Tanium console operators cannot establish a screen sharing session.
  • Set up screen sharing users in Tanium. For more information about permissions provided by these roles, see Screen Sharing user role permissions.
    • Screen Sharing Administrator: Change settings, features, and policies; access data; and join active sessions created by active users. A user assigned this role in Tanium is automatically assigned the ScreenMeet Admin role in ScreenMeet.
    • Screen Sharing Agent: Start sharing sessions and use standard ScreenMeet features. A user assigned this role in Tanium is automatically assigned the ScreenMeet Agent role in ScreenMeet.
    • Screen Sharing Support Session Unattended permission: Establish unattended sessions with Windows endpoints that do not require endpoint user permission. This permission is not assigned to any default role.
  • Verify endpoint operating systems. See Screen sharing operating systems.
  • Verify network requirements.
    • Allow ScreenMeet application traffic through port 443/TCP and 443/UDP. ScreenMeet application traffic goes through TLS-encrypted connections.
    • If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs for screen sharing.

      Allowing these URLs is not required for Direct Connect.


      URL | Description
      *.screenmeet.com | Establish screen sharing connections
      *.scrn.mt | Establish screen sharing connections
      https://onpremapi.ssc.cloud.tanium.com/redeemOTP | From the Tanium Module Server, obtain a one-time passcode (OTP) over port 443/TCP for provisioning an on-premises installation

      For a list of hosts and IP addresses to allow for ScreenMeet, see: ScreenMeet Docs: Firewall configuration.

      If you deployed proxy servers to your network, for the best results, allow traffic from these URLs to bypass the proxy servers. Screen sharing traffic passed through proxy servers negatively impacts performance. For more information, see ScreenMeet Docs: ScreenMeet Enterprise Deployment Guide.

    • Check ScreenMeet network security requirements: ScreenMeet Docs: Security.
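
The allow rules listed above can be checked against proxy or firewall flow records before rollout. The following added example (not Tanium or ScreenMeet code) applies the table's host patterns with label-boundary matching; the record format, the sample hostnames, and the assumption that a wildcard does not cover the bare domain are illustrative.

```python
# Allow rules from the URL table above: (host pattern, protocols permitted on port 443).
# Assumption: "*.domain" covers any subdomain of domain but not the bare domain itself.
RULES = [
    ("*.screenmeet.com", {"tcp", "udp"}),
    ("*.scrn.mt", {"tcp", "udp"}),
    ("onpremapi.ssc.cloud.tanium.com", {"tcp"}),  # OTP redemption is 443/TCP only
]

def host_matches(host, pattern):
    """Match on DNS label boundaries, case-insensitively, ignoring a trailing root dot."""
    host = host.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".screenmeet.com"
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern

def classify(proto, host, port):
    """Return 'allow' or a short deny reason for one outbound flow."""
    if port != 443:
        return "deny: port is not 443"
    for pattern, protos in RULES:
        if host_matches(host, pattern):
            if proto.lower() in protos:
                return "allow"
            return "deny: protocol not listed for this host"
    return "deny: host not covered by the allow rules"

def audit(lines):
    """Parse 'proto host port' records and return (host, verdict) pairs."""
    results = []
    for line in lines:
        proto, host, port = line.split()
        results.append((host, classify(proto, host, int(port))))
    return results

# Constructed sample flows; hostnames under the wildcards are made up for illustration.
SAMPLE_FLOWS = [
    "tcp edge1.screenmeet.com 443",
    "udp media.scrn.mt 443",
    "tcp onpremapi.ssc.cloud.tanium.com 443",
    "udp onpremapi.ssc.cloud.tanium.com 443",
    "tcp notscreenmeet.com 443",               # lookalike without a label boundary
    "tcp screenmeet.com.example.net 443",      # allowed name used as a prefix
    "tcp EDGE1.SCREENMEET.COM. 443",           # upper case with trailing root dot
    "tcp edge1.screenmeet.com 8443",
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_FLOWS):
        print(f"{host:40} {verdict}")
```

The lookalike rows show why a plain substring or unanchored suffix match is too loose for these rules.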

Link ScreenMeet with an on-premises installation

Before you can establish screen sharing sessions, a Tanium administrator must link your Tanium on-premises installation with a ScreenMeet account, using a one-time passcode (OTP) to securely establish the link and enable screen sharing functionality. Tanium sends an email from the tanium.com domain containing the Screen Sharing OTP to your customer contact email address. The 15 alphanumeric character OTP is valid for 48 hours.

If the OTP expires, contact Tanium Support. Do not reply to the email address that sent the email containing the OTP.

Your Tanium user account must have the Screen Sharing Administrator role to use the OTP and establish the link.

  1. From the Direct Connect Overview page, click Settings.
  2. Open the Screen Sharing tab.
  3. Enter your customer contact Email Address. This email address must match the email address that received the OTP.
  4. Enter the One-Time Passcode from the email.
  5. Click Link ScreenMeet Account.

Open an endpoint screen sharing session

To open a screen sharing session, you must have access to the endpoint in Tanium. After you initiate a connection, the connection screen for the endpoint shows the status. Establishing connections can take between one and three minutes.

You can establish an attended connection, which requires the endpoint user to accept the screen sharing connection, or an unattended connection, which allows you to establish the connection without endpoint user permission.

Screen Sharing sessions are only established on endpoints that are included in the Screen Share action group. Therefore, the Open Screen Sharing button is only available for endpoints that are included in the Screen Share action group. By default, the action group is set to All Computers.

The first time a Tanium console operator establishes a screen sharing session with a macOS endpoint, the endpoint user must select ScreenMeetSupport in the Screen Recording and Accessibility permissions in System Preferences, then click Later when prompted. For more information, see ScreenMeet Docs: Connecting to Mac devices.

During the connection process, a ScreenMeet executable file is deployed to the endpoint with a Tanium Action. This executable file connects to the ScreenMeet services and establishes a connection with Tanium. The connection behavior depends on the endpoint operating system and whether you establish an attended or unattended connection:

  • For attended connections to Windows endpoints, the endpoint user must accept the screen sharing session to continue. This establishes an active session and the Tanium Console operator takes control.

  • For attended connections to macOS endpoints, if the endpoint user has allowed the proper screen sharing permissions on the endpoint, a view-only session is initially established. The Tanium Console operator must request control, and the endpoint user must accept, which then allows the operator to take control.

  • For unattended connections to Windows endpoints, a new session is created without endpoint user permission and the Tanium Console operator takes control.

  • Unattended connections to macOS endpoints are not supported.

If no endpoint users are logged in to an endpoint and you establish an unattended connection, after you enter operating system login information, the session displays a disconnection message. Wait several seconds for the login process to complete and reestablish the connection.

When you configure session recording in the ScreenMeet console (Organization > Settings and Policies > Remote Support Features > Session Recording), if you select:

  • Always, the Tanium screen sharing session is always recorded.
  • Let the Agent Decide, the Tanium console operator is prompted to record a screen sharing session. If the session is recorded, users have the option to disable recording before joining the session.
  • Never, the Tanium screen sharing session is never recorded.

For more information on configuring session recording, see ScreenMeet Docs: Remote Support Settings.

When you configure session recording in the ScreenMeet console (Organization > Settings and Policies > Remote Support Features > Session Recording), Let the Agent Decide does not prompt the Tanium Console operator to record a screen sharing session, and never records the session. If you select Always, the Tanium screen sharing session is always recorded. If you select Never, the Tanium screen sharing session is never recorded. For more information on configuring session recording, see ScreenMeet Docs: Remote Support Settings.

Open a screen sharing session from an endpoint

  1. From the Tanium Home page, go to Search Endpoints and type the IP address or computer name of the computer, then click the computer name.

  2. Click Open Screen Sharing.
  3. For only Windows endpoints, if you have the Screen Sharing Support Session Unattended permission, you have the following options:
    • Select Ask the endpoint user for permission to start an attended session.
    • Clear Ask the endpoint user for permission to start an unattended session.
  4. Click Open.
  5. A Tanium action is deployed to the endpoint that includes an executable file that connects to ScreenMeet services. Establishing connections can take between one and three minutes. If the attended session is on an end user's computer, the user must accept the session on the endpoint to continue.

  6. When the screen sharing session is connected, your screen switches to ScreenMeet in Tanium. You can use Support Tools in ScreenMeet to run Windows commands, tasks, tools, and so on.

Open a screen sharing session from Direct Connect

  1. From the Direct Connect Overview page, search for the computer by IP address or computer name.

  2. In the result list, click Open Screen Sharing for the endpoint.
  3. For only Windows endpoints, if you have the Screen Sharing Support Session Unattended permission, you have the following options:
    • Select Ask the endpoint user for permission to start an attended session.
    • Clear Ask the endpoint user for permission to start an unattended session.
  4. Click Open.
  5. A Tanium action is deployed to the endpoint that includes an executable file that connects to ScreenMeet services. Establishing connections can take between one and three minutes. If the attended session is on an end user's computer, the user must accept the session on the endpoint to continue.

  6. When the screen sharing session is connected, your screen switches to ScreenMeet in Tanium. You can use Support Tools in ScreenMeet to run Windows commands, tasks, tools, and so on.

Open a screen sharing session from Reporting

Tanium Reporting 1.12.144 or later is required to open screen sharing sessions in Reporting. Use Reporting 1.20.25 or later for best results with screen sharing functionality.

When you view, create, or edit a report that contains the Computer Name column, you can click an endpoint in the column to view details for the endpoint and to deploy an action to it. For information about Reporting, see Tanium Reporting User Guide: View and manage a single endpoint.

  1. Open a report that contains the Computer Name column.
  2. Click Endpoint Details next to the name of an endpoint in the Computer Name column.
    An Endpoint Details dialog opens with basic details for the endpoint. If multiple endpoints have the same Computer Name, click Previous or Next in the Multiple Results Found banner to find the details for a specific endpoint.
  3. Click View Details to open a page that shows a single endpoint view with detailed information.
  4. Click Open Screen Sharing to connect to the endpoint.


  5. For only Windows endpoints, if you have the Screen Sharing Support Session Unattended permission, you have the following options:
    • Select Ask the endpoint user for permission to start an attended session.
    • Clear Ask the endpoint user for permission to start an unattended session.
  6. Click Open.
  7. A Tanium action is deployed to the endpoint that includes an executable file that connects to ScreenMeet services. Establishing connections can take between one and three minutes. If the attended session is on an end user's computer, the user must accept the session on the endpoint to continue.

  8. When the screen sharing session is connected, your screen switches to ScreenMeet in Tanium. You can use Support Tools in ScreenMeet to run Windows commands, tasks, tools, and so on.

View and join screen sharing sessions

If you have the Screen Sharing Administrator role, you can see all sessions, and you can join sessions that were started by other Tanium Console operators.

If you have the Screen Sharing Agent role, you can see and rejoin sessions that you started.

Multiple Tanium Console operators can join an endpoint screen sharing session, but only one operator at a time can take control of the session.

Join active sessions in the list of sessions

  1. From the Direct Connect Overview page, go to the Screen Sharing Sessions tab. A list of sessions is displayed that includes active sessions.

  2. Select one or more active sessions to an endpoint, then click Join Screen Sharing to join the sessions.

Search for an endpoint to join the active session

  1. From the Direct Connect Overview page, search for the computer by IP address or computer name.

  2. In the result list, click Join Screen Sharing for the endpoint.

View screen sharing session history

If you have the Screen Sharing Administrator role, you can go to the Audit Log page to view a history of screen sharing sessions.

From the Direct Connect menu, go to Audit Log and then open the Screen Sharing Sessions tab.

End an endpoint screen sharing session

When you stop a session, screen sharing processes are removed from the endpoint.

For attended connections to macOS endpoints, after the Tanium Console operator ends the session, a message is displayed to the endpoint user that the session is closed. The endpoint user must close the ScreenMeet application before a Tanium Console operator can establish another connection to that endpoint.

End active sessions in the list of sessions

  1. From the Direct Connect Overview page, go to the Screen Sharing Sessions tab. The tab contains a list of sessions that includes active sessions.
  2. Select one or more endpoints and click End Screen Sharing.

Search for an endpoint to end the active session

  1. From the Direct Connect Overview page, search for the computer by IP address or computer name.

  2. In the result list, click End Screen Sharing for the endpoint.

Configure ScreenMeet settings

To configure settings in ScreenMeet, you must have the Screen Sharing Administrator role.

  1. From the Direct Connect Overview page, click Settings, then open the Screen Sharing tab. The following options are available on the tab:
    • Click the ScreenMeet Console link. In the ScreenMeet console, you can view session history, detailed logging of actions taken during a session, and so on. For more information, see ScreenMeet Docs: Remote Support Settings.

      Opening the ScreenMeet console from the Tanium Console allocates a per-operator license to your user account, regardless of whether you establish a screen sharing session with this account.

    • In the License Usage section, click Users to expand the table and view a list of users allocated a per-user license, and the time that each user most recently logged in to the Tanium Console.
    • Click Export and select Export to CSV to export a comma-separated value (CSV) file containing the list of users.
    • Enter an Alert Threshold percentage to receive alerts in the Tanium Console when the ratio of allocated per-user licenses to total licenses exceeds this percentage.

Unlink a provisioned ScreenMeet account

If you want to stop using screen sharing functionality, a Tanium administrator can unlink the ScreenMeet account associated with your Tanium on-premises installation.

If you unlink the ScreenMeet account, you must obtain a new OTP to relink the existing ScreenMeet account or provision a new ScreenMeet account. For more information, contact Tanium Support.

  1. From the Direct Connect Overview page, click Settings, then open the Screen Sharing tab.
  2. Click Unlink ScreenMeet Account, then confirm your selection.

Contact support

If you require assistance with ScreenMeet tools, contact ScreenMeet support.