Deploying Tanium Client to unmanaged endpoints

Discover Client Deploy 1.4.0

After you discover unmanaged endpoints through your configured discovery methods, you can deploy the Tanium Client to the supported unmanaged endpoints to bring the computers under management by Tanium Server.

In Discover 2.0 and later, you must install a separate solution to get the Discover Client Deploy components. For more information, see Install Discover Client Deploy solution.

Tanium Client deployment overview

The Tanium Client Deployment service runs as a Windows service on your Tanium Module Server. You first configure this service and stage to the Module Server the versions of Tanium Client installer that you want to deploy. After this initial configuration, you can perform the deployment of Tanium Client to your targeted endpoints.

The client deployment process involves three basic steps: target, prepare, and deploy.

Figure 1: Target, prepare, deploy

An example of how the deployment process might work follows: 

  1. Target: You target 30 computers that you believe are running the Windows operating system. You also expect these 30 targeted endpoints to share the same credentials and infrastructure keys.
  2. Prepare: You configure the credentials, infrastructure keys, and other installation options for the 30 targeted endpoints. For the specifics of preparing each type of endpoint, see Prepare endpoints for deployment.
  3. Deploy: After you review your settings and attempt to deploy, you might see that the Tanium Client was installed successfully on 20 of the targeted endpoints and that 10 had errors during the deployment process. For those 10 endpoints, you can review the logs and create another deployment with new settings.

Connection methods

On Windows, you can use either the PsExec or the Windows Management Instrumentation Command-line (WMIC) utilities to deploy the Tanium Client to the unmanaged endpoints.

The PsExec utility generally performs faster, but you can use the WMIC option on computers that initially return an Unknown OS during deployment.

On Linux and Mac, use the SSH utility to deploy the Tanium Client.

Set up the Client Deployment service

To deploy the Tanium Client to unmanaged endpoints, configure the Client Deployment service. The service runs on the Tanium Module Server.

  1. (Discover 2.0 and later) Install the Discover Client Deploy solution.
    In Discover 2.0 and later, you must install a separate solution to get the Discover Client Deploy components. For more information, see Install Discover Client Deploy solution.

  2. Set up Discover Client Deployment.

    Click Settings and then the Client Deploy tab.

    When the service configuration is successful, the page displays a message: The Tanium Discover Client Deploy service is installed.

    By default, the Client Deployment service runs as Local System, which is compatible only with SSH and WMIC. PsExec requires administrative credentials. To set up PsExec, see (Optional) Set up PsExec on Tanium Module Server.

  3. Configure targeted infrastructures.

    If you have your Tanium Server and Tanium Module Server running on the same computer in a testing environment, you can use the Default infrastructure that is already configured.

    If your Tanium Module Server and Tanium Server are on separate computers, as recommended for production deployments, you must download the .pub file from your Tanium Server and add it as a targeted infrastructure.

    1. Download the .pub file from the \Program Files\Tanium\Tanium Server\ directory.
    2. Click Add another target infrastructure and add the Tanium.pub file that you downloaded from your Tanium Server.

    If you have multiple Tanium Servers, such as for a production and lab environment, you might set up multiple targeted infrastructures. You could run the deployment from your lab infrastructure but have the resulting Tanium Client installations connected with the production infrastructure.

  4. Stage client installers.

    For the Client Deployment Service to install Tanium Client on the unmanaged endpoints, you must have a copy of the installer for each targeted client platform on the Tanium Module Server.

    • If your Tanium Module Server has Internet access, you can stage the installers automatically.
      Click the Stage button to put the installer on the Tanium Module Server. The installers are copied into the \Program Files\Tanium\Tanium Module Server\services\clientdeploy\stage directory. When the staging is complete, the row for the installer says Staged and includes the file size for the installer.
    • If your Tanium Module Server is in an air-gapped environment, you can upload the installer. Click the Upload Client Installer link next to the platform installer that you want to upload.
  5. (Optional) In Discover 2.0 and later, if you want to use the PsExec command line utility to deploy the Tanium Client to unmanaged interfaces, you must complete some additional steps to set up PsExec on the Module Server. For more information, see (Optional) Set up PsExec on Tanium Module Server.

(Optional) Set up PsExec on Tanium Module Server

PsExec performs faster than WMIC to install the Tanium Client on Windows endpoints. However, with Discover 2.0 and later you must perform a few extra configuration steps to set up PsExec on your Tanium Module Server. PsExec requires administrative credentials and cannot be run as the default local system.

  1. Download the pstools.zip file from Microsoft TechNet: PsExec.
  2. Expand the archive file. Copy the psexec.exe file to the \Program Files\Tanium\Tanium Module Server\services\clientdeploy directory.
  3. Update the Tanium Client Deploy service ownership to an Administrator.
    1. Open Windows services. From the Windows Start Menu, click Run. Type services.msc and click OK.
    2. Find the Tanium Client Deploy service in the list. Right-click the service and select Properties.
    3. In the Log On tab, set the account that is running the service to be an administrator user on the Tanium Module Server. Click Apply.
    4. Restart the Tanium Client Deploy service.
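A check for the outcome of the steps above, added here as an example and not Tanium's own code: it confirms that psexec.exe is in the clientdeploy directory and that the Tanium Client Deploy service no longer logs on as Local System. The logon account is read from the text that `sc qc <service>` prints on Windows (its SERVICE_START_NAME line); the service's internal name is not given on this page, so SERVICE_NAME is a placeholder to fill in from services.msc, and the set of names that `sc qc` reports for Local System is an assumption.

```python
"""Verify the PsExec setup on the Tanium Module Server (added example)."""
import os
import subprocess
from typing import List, Optional

CLIENTDEPLOY_DIR = r"C:\Program Files\Tanium\Tanium Module Server\services\clientdeploy"
SERVICE_NAME = "<TaniumClientDeployServiceName>"  # placeholder; display name is "Tanium Client Deploy"

# Account names that `sc qc` reports for the default Local System logon (assumption).
LOCAL_SYSTEM_NAMES = {"localsystem", r"nt authority\system"}


def parse_start_name(sc_qc_output: str) -> Optional[str]:
    """Return the SERVICE_START_NAME value from `sc qc` output, or None if absent."""
    for line in sc_qc_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() == "SERVICE_START_NAME":
            return value.strip()
    return None


def is_local_system(start_name: Optional[str]) -> bool:
    """True when the service logon account is the default Local System."""
    return start_name is not None and start_name.strip().lower() in LOCAL_SYSTEM_NAMES


def psexec_setup_problems(clientdeploy_dir: str, sc_qc_output: str) -> List[str]:
    """List what still blocks PsExec deployments; an empty list means ready."""
    problems: List[str] = []
    if not os.path.isfile(os.path.join(clientdeploy_dir, "psexec.exe")):
        problems.append(f"psexec.exe is not in {clientdeploy_dir}")
    start_name = parse_start_name(sc_qc_output)
    if start_name is None:
        problems.append("SERVICE_START_NAME not found in sc qc output")
    elif is_local_system(start_name):
        problems.append(
            "service logs on as Local System; set an administrator account on the Log On tab and restart it"
        )
    return problems


def query_service_config(service_name: str = SERVICE_NAME) -> str:
    """Run `sc qc` on the Module Server (Windows only) and return its output."""
    return subprocess.run(["sc", "qc", service_name], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed `sc qc` output showing the default logon, so this runs offline.
    sample = (
        "[SC] QueryServiceConfig SUCCESS\n"
        "\n"
        "SERVICE_NAME: <TaniumClientDeployServiceName>\n"
        "        TYPE               : 10  WIN32_OWN_PROCESS\n"
        "        SERVICE_START_NAME : LocalSystem\n"
    )
    for problem in psexec_setup_problems(CLIENTDEPLOY_DIR, sample):
        print("-", problem)
```

On the Module Server, replace the constructed sample with `query_service_config()` once SERVICE_NAME is filled in; each reported problem maps to one of the steps above.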

Prepare endpoints for deployment

To deploy the Tanium Client installer, you must enable the target endpoints for remote software installation.

Configure Windows computers

The use of PsExec and WMIC by Tanium Client Deployment can result in credential exposure. Windows credential handling during logon events might expose the user name and password in command line arguments on the source system that initiates the deployment, and in memory on the remotely accessed endpoints. To protect the credentials that are used for client deployment, use one of the following options: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

On each targeted Windows endpoint: 
  • Enable Remote Procedure Call (RPC).
  • Enable File and Print Sharing.
  • Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation initiated through RPC.
  • Verify that you can log in to the remote system with the PsExec or WMIC command line utilities with the same credentials you are planning to use for the Tanium Client Deployment. For example: 

    psexec \\192.168.1.130 -u Administrator -p <password> cmd /c dir C:\Users\Administrator\Documents

Configure Linux or Macintosh computers

  • Enable SSH and verify that it is running. Configuring SSH also enables file sharing.
  • Disable any host-based firewalls or other security tools on the endpoint that might interfere with a remote installation that is initiated through SSH.
  • If you are using the root account to install, make sure the sshd_config allows root login.
  • Verify that you can log in to the remote system with SSH, using the same credentials you are planning to use for the Tanium Client Deployment.
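A pre-flight check that covers both the Windows and the Linux/Mac prerequisites above, added here as an example and not Tanium's own code. It probes the TCP ports that the prerequisites imply (the mapping of RPC to port 135, File and Print Sharing to port 445, and SSH to port 22 is an assumption stated in the code) and reports, per endpoint, which prerequisite is not met; it also reads the effective PermitRootLogin value from an sshd_config, since a root deployment credential that is a user name and password only works when that directive is `yes`. The probe is injectable so the checks run offline against constructed results.

```python
"""Pre-flight checks for Tanium Client deployment targets (added example)."""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Assumption: these ports are what the prerequisites on the page require.
REQUIRED_PORTS: Dict[str, Dict[int, str]] = {
    "windows": {
        135: "Enable Remote Procedure Call (RPC)",
        445: "Enable File and Print Sharing",
    },
    "linux": {22: "Enable SSH and verify that it is running"},
    "mac": {22: "Enable SSH and verify that it is running"},
}

Prober = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Target:
    host: str
    platform: str  # "windows", "linux" or "mac"


@dataclass
class PreflightResult:
    host: str
    ok: bool
    # Each entry is "<port>: <prerequisite from the page that is not met>".
    missing: List[str] = field(default_factory=list)


def preflight(targets: Iterable[Target], probe: Prober = tcp_probe) -> List[PreflightResult]:
    """Check every target's required ports; the probe is injectable for offline use."""
    results: List[PreflightResult] = []
    for t in targets:
        ports = REQUIRED_PORTS.get(t.platform.lower())
        if ports is None:
            results.append(PreflightResult(t.host, False, [f"unsupported platform {t.platform!r}"]))
            continue
        missing = [f"{port}: {fix}" for port, fix in ports.items() if not probe(t.host, port)]
        results.append(PreflightResult(t.host, not missing, missing))
    return results


def permit_root_login(sshd_config: str) -> Optional[str]:
    """Effective global PermitRootLogin value from sshd_config text, or None if unset.

    OpenSSH rules applied here (assumption: a plain global configuration):
    the first occurrence of a keyword wins, keywords are case-insensitive,
    lines starting with '#' are comments, and the global section ends at
    the first Match block.
    """
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def root_password_login_allowed(sshd_config: str) -> bool:
    """Only 'yes' permits password logins as root; prohibit-password does not."""
    return permit_root_login(sshd_config) == "yes"


if __name__ == "__main__":
    # Constructed data so the script runs offline: 10.0.0.7 has port 445 blocked.
    open_ports = {("10.0.0.5", 135), ("10.0.0.5", 445), ("10.0.0.6", 22), ("10.0.0.7", 135)}
    demo_targets = [Target("10.0.0.5", "windows"), Target("10.0.0.6", "linux"), Target("10.0.0.7", "windows")]
    for r in preflight(demo_targets, probe=lambda h, p: (h, p) in open_ports):
        print(r.host, "ok" if r.ok else "missing -> " + "; ".join(r.missing))
    sample_sshd = "#PermitRootLogin prohibit-password\nPermitRootLogin yes\n"  # constructed
    print("root password login allowed:", root_password_login_allowed(sample_sshd))
```

Against real targets, call `preflight(targets)` with the default `tcp_probe` from the Module Server; an endpoint that fails the port check will fail the deployment too, so fixing the listed prerequisite first avoids a wasted deployment and a redeploy.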

Deploy Tanium Client

After you configure the Client Deploy service and prepare your endpoints, you can start deploying Tanium Client to your unmanaged interfaces.

  1. Target endpoints.

    In Discover, go to an interfaces view. For example, click Interfaces > All Unmanaged Interfaces. Select the interfaces to which you want to deploy the Tanium Client and click Deploy Tanium Client.

  2. Prepare deployment settings.
    1. In the Credentials for Targeted Endpoints section, set the user name and password that you want to use to log in to the targeted endpoints.
    2. In the Client Installer and Connection method section, create the following configuration:
      • Choose the Connection Method that you want to use to install.
      • Specify the Tanium Server information (Server Name, Server Port, and Infrastructure) with which you want the targeted interfaces to connect.
        The Infrastructure field displays only if you have multiple infrastructures defined.
        After the deployment completes, the Tanium Client that is installed on the targeted interface communicates with the Tanium Server that you specified, and uses the .pub file to validate messages that come from the Tanium Server.
      • (Optional) Define Advanced Client Options for your Tanium Client installation, including the version, logging, and installation path.
  3. Deploy Tanium Client to selected interfaces.
    1. In the Selected Interfaces for the Tanium Client Deployment section, review the number of endpoints that are selected and click the Deploy button. As the deployment runs, the status of how many endpoints have received the Tanium Client is updated on the page.

      You can navigate away from the page during the deployment process and review the results later.

    2. Review the results of the deployment.
      To view the status of a client deployment later, click Client Deployment > Deployment Status. The deployment status shows how many of the deployments succeeded, and the errors that occurred with the failed deployments. To view the error logs for an interface, select the interface and click View Logs.
    3. Try the deployment process again on the failed deployments.
      From the Deployment Status page, select the interfaces and click Redeploy. Clicking this button creates a new deployment for the selected interfaces. From there, you can update the deployment settings and run the deployment process again. This new deployment displays as a child deployment on the Deployment Status page.

    Results

    After the next background process import runs, interfaces that have the Tanium Client and are reporting to the Tanium Server are listed on the Managed Interfaces page.

Last updated: 7/11/2018 2:53 PM