End-User Notifications requirements

Review the requirements before you install and use End-User Notifications.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes End-User Notifications

  • Tanium™ Core Platform servers: 7.2 or later

  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server (or Tanium™ Cloud) automatically imports the All Computers computer group, which End-User Notifications requires.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for End-User Notifications to function (required dependencies) or for specific End-User Notifications features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some End-User Notifications dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that End-User Notifications requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import End-User Notifications, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only End-User Notifications to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

End-User Notifications has the following required dependencies at the specified minimum versions:

Feature-specific dependencies

End-User Notifications has the following feature-specific dependencies at the specified minimum versions:

  • Tanium Deploy 2.9 or later for end-user notifications or end-user self service
  • (Windows) Tanium Patch 2.1 or later for end-user notifications
  • (macOS) Tanium Patch 3.6 or later for end-user notifications
  • Tanium Enforce 1.5 or later for end-user notifications for BitLocker or FileVault policies
  • Tanium Trends 3.6 or later

Feature-specific dependencies

End-User Notifications has the following feature-specific dependencies:

  • Tanium Deploy for end-user notifications or end-user self service
  • (Windows/macOS) Tanium Patch for end-user notifications
  • Tanium Enforce for end-user notifications for BitLocker or FileVault policies
  • Tanium Trends

Tanium™ Module Server

End-User Notifications is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

End-User Notifications supports the following client operating systems:

Windows Server
  Version: Windows Server 2008 R2 Service Pack 1 or later
  Notes:
  • Windows Server Core not supported for End-User Notifications functionality.
  • Windows Server 2008 R2 Service Pack 1 requires Microsoft KB2758857.
  • Windows Server 2012 R2 requires Microsoft KB2919394 or KB2919355 for End-User Self Service functionality.

Windows Workstation
  Version: Windows 7 Service Pack 1 or later
  Notes:
  • Windows 7 Service Pack 1 requires Microsoft KB2758857.
  • Windows 8.1 requires Microsoft KB2919394 or KB2919355 for End-User Self Service functionality.

macOS
  Version:
  • macOS 12.0 Monterey
  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14.6 Mojave
  • macOS 10.13.6 High Sierra

Host and network security requirements

Specific ports and processes are needed to run End-User Notifications.

Ports

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

The following ports are required for End-User Notifications communication.

  • Source: Module Server
  • Destination: Module Server (loopback)
  • Port: 17476
  • Protocol: TCP
  • Purpose: Internal purposes; not externally accessible
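
To confirm on a Module Server that the listener on port 17476 is reachable only over loopback, as stated above, the following added example (not Tanium code) lists every listener on that port and flags any bound to a non-loopback address. The function name `Get-ListenerExposure` is hypothetical, and the check assumes the service binds to a loopback address rather than relying on a host firewall.

```powershell
# Added example, not part of the Tanium documentation.
# Lists listeners on the End-User Notifications port and flags non-loopback binds.
function Get-ListenerExposure {
    param([int]$Port = 17476)   # port taken from the requirements above

    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Strip an IPv6 zone index (for example "%12") before parsing the address.
            $ip = [System.Net.IPAddress]::Parse(($_.LocalAddress -replace '%.*$'))
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                LoopbackOnly = [System.Net.IPAddress]::IsLoopback($ip)
            }
        }
}

$listeners = @(Get-ListenerExposure)
if (-not $listeners) {
    Write-Warning 'No listener found on TCP 17476; check that the service is running.'
}
$listeners | Format-Table -AutoSize

# 0.0.0.0, :: or a routable address here means the port is exposed beyond loopback
# unless a host firewall rule blocks inbound connections to it.
$listeners | Where-Object { -not $_.LoopbackOnly } | ForEach-Object {
    Write-Warning "Port $($_.Port) is bound to $($_.LocalAddress) by $($_.Process)."
}
```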

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on the AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

End-User Notifications security exclusions

Each entry gives the exclusion type, any notes in parentheses, and the exclusion.

Module Server
  • Process (required when Endpoint Configuration is installed): <Module Server>\temp\endpoint-configuration-service\TaniumEndpointConfigService.exe
  • Process: <Module Server>\services\end-user-notifications-service\node.exe
  • Process: <Module Server>\services\twsm-v1\twsm.exe

Windows endpoints
  • Process (7.2.x clients): <Tanium Client>\Python27\TPython.exe
  • Process (7.4.x clients): <Tanium Client>\Python38\TPython.exe
  • Process (64-bit OS versions): %programfiles(x86)%\Tanium\Tanium End User Notification Tools\UserSessionProxy.exe
  • Process (32-bit OS versions): %programfiles%\Tanium\Tanium End User Notification Tools\UserSessionProxy.exe
  • Process (64-bit OS versions): %programfiles(x86)%\Tanium\Tanium End User Notification Tools\bin\end-user-notifications.exe
  • Process (32-bit OS versions): %programfiles%\Tanium\Tanium End User Notification Tools\bin\end-user-notifications.exe
  • Folder (exclude from on-access or real-time scans; 64-bit OS versions): %programfiles(x86)%\Tanium\Tanium End User Notification Tools
  • Folder (exclude from on-access or real-time scans; 32-bit OS versions): %programfiles%\Tanium\Tanium End User Notification Tools
  • Folder: %programdata%\Tanium

macOS endpoints
  • Process (7.2.x clients): <Tanium Client>/python27/bin/pybin
  • Process (7.4.x clients): <Tanium Client>/python38/bin/pybin
  • Process: /Library/Tanium/EndUserNotifications/bin/end-user-notifications.app
  • Folder: /Library/Tanium/EndUserNotifications
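
Because an excluded folder is not scanned, it is worth checking both that each exclusion is in place and that the excluded folders are writable only by administrative accounts. The following added example (not Tanium code) audits the Windows endpoint exclusions listed above for a 7.4.x client. It assumes Microsoft Defender is the AV product, which the page does not state, and `$TaniumClientDir` is a hypothetical parameter standing in for `<Tanium Client>`.

```powershell
# Added example, not part of the Tanium documentation. Assumes Microsoft Defender.
# Run elevated: Get-MpPreference hides exclusions from non-administrators.
param([Parameter(Mandatory)][string]$TaniumClientDir)   # hypothetical: <Tanium Client> folder

$pf    = if ([Environment]::Is64BitOperatingSystem) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$tools = Join-Path $pf 'Tanium\Tanium End User Notification Tools'

# Windows endpoint entries from the exclusion list (7.4.x client).
$required = @(
    @{ Type = 'Process'; Path = Join-Path $TaniumClientDir 'Python38\TPython.exe' }
    @{ Type = 'Process'; Path = Join-Path $tools 'UserSessionProxy.exe' }
    @{ Type = 'Process'; Path = Join-Path $tools 'bin\end-user-notifications.exe' }
    @{ Type = 'Folder';  Path = $tools }
    @{ Type = 'Folder';  Path = Join-Path $env:ProgramData 'Tanium' }
)

# Current Defender exclusions with environment variables expanded.
# Comparison is an exact, case-insensitive match; wildcard exclusions are not evaluated.
$pref   = Get-MpPreference
$expand = { param($list) @($list) | Where-Object { $_ } |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') } }
$have   = @{ Process = & $expand $pref.ExclusionProcess; Folder = & $expand $pref.ExclusionPath }

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller, CREATOR OWNER.
$trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# Write-type rights, plus the GENERIC_WRITE and GENERIC_ALL bits that raw ACEs can carry.
$write = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

$report = foreach ($r in $required) {
    $writers = @()
    if ($r.Type -eq 'Folder' -and (Test-Path -LiteralPath $r.Path)) {
        $rules   = (Get-Acl -LiteralPath $r.Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $writers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $trusted -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $write) -ne 0
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    }
    [pscustomobject]@{
        Type            = $r.Type
        Path            = $r.Path
        Exists          = Test-Path -LiteralPath $r.Path
        Excluded        = $have[$r.Type] -contains $r.Path
        NonAdminWriters = $writers -join ', '   # SIDs outside $trusted that can write here
    }
}
$report | Format-Table -AutoSize -Wrap
```

A non-empty `NonAdminWriters` value on an excluded folder means accounts outside the trusted list can place files where on-access scanning is disabled; tighten the ACL on that folder rather than dropping the exclusion.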

User role requirements

The following tables list the role permissions required to use End-User Notifications. To review a summary of the predefined roles, see Set up End-User Notifications users.

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

End-User Notifications user role permissions

Roles, in column order: End-User Notifications Administrator (1, 2); End-User Notifications Endpoint Configuration Approver (1, 2); End-User Notifications Operator (1, 2); End-User Notifications Read Only User (1, 2)

  • End-User Notifications Endpoint Configuration
    APPROVE: Approve End-User Notifications items for Endpoint Configuration
    REGISTER: Access to register with Endpoint Configuration
    Permissions: REGISTER; APPROVE

  • End-User Notifications Module
    Read and write access to the End-User Notifications shared service
    Permissions: READ, WRITE; READ; READ; READ

  • End-User Notifications Operator Module
    Write access to a subset of the End-User Notifications shared service
    Permissions: WRITE; WRITE

  • End-User Notifications Use API
    Access to the End-User Notifications API
    Permissions: EXECUTE; EXECUTE; EXECUTE; EXECUTE

  • Endusernotifications
    View the End-User Notifications shared service
    Permissions: SHOW; SHOW; SHOW; SHOW

1 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

 

Provided End-User Notifications administration and platform content permissions

Roles, in column order: End-User Notifications Administrator (1); End-User Notifications Endpoint Configuration Approver (1); End-User Notifications Operator (1); End-User Notifications Read Only User (1)

Each entry gives the permission and permission type, followed by the permissions.

  • Computer Group Administration: READ; READ; READ; READ
  • User Administration: READ; READ
  • User Group Administration: READ; READ; READ; READ
  • Action Platform Content: WRITE; WRITE
  • Approve Action Platform Content: SPECIAL; SPECIAL
  • Own Action Platform Content: READ; READ
  • Package Platform Content: READ, WRITE; READ, WRITE
  • Plugin Platform Content: READ, EXECUTE; READ, EXECUTE; READ, EXECUTE; READ, EXECUTE
  • Saved Question Platform Content: READ, WRITE; READ, WRITE
  • Sensor Platform Content: READ; READ; READ; READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration content sets are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Users and user groups.