Configuring Endpoint Configuration

Tanium as a Service automatically handles initial configuration for Endpoint Configuration, but you can set up additional Endpoint Configuration users.

When you import Client Management (regardless of whether you use automatic configuration), the following default settings are configured for Endpoint Configuration:

Setting: Action group

Default value: The action group is set to the All Computers computer group.

  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

If you use restricted targeting to set the Endpoint Configuration action group to target the No Computers filter group, make sure you set the action group to target the appropriate endpoints (typically All Computers) before using any modules. See Configure the Endpoint Configuration action group. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group. Use the appropriate targeting groups within modules to control targeted deployment of configurations or tools.

If you import Client Management with restricted targeting disabled, leave the Endpoint Configuration action group set to the default of All Computers. If you use restricted targeting to set the Endpoint Configuration action group to target the No Computers filter group, set the action group to target the All Computers computer group before using any modules. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.

Setting: Service account

Default value: The service account is set to the account that you used to import the Client Management service.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the service account.

After you import Client Management, you can reconfigure the default settings for Endpoint Configuration.

Configure the service account

The service account is a user that runs several background processes for Endpoint Configuration. This user requires one of the following combinations of roles:

  • Tanium Administrator
  • Endpoint Configuration Service Account and Endpoint Configuration Service Account Read All Sensors

If action approval is enabled for Tanium Core Platform, you must either use the Endpoint Configuration Service Account and Endpoint Configuration Service Account Read All Sensors roles for the service account, or, if you are using the Tanium Administrator role, grant the Bypass Action Approval permission to the Endpoint Configuration service account. For more information, see Tanium Console User Guide: Managing action approval.

For more information about Endpoint Configuration permissions, see User role requirements.

If you imported Client Management with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. From the Main menu, click Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and open the Service Account tab.
  3. Update the service account settings and click Save.
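The role rules in this section can be checked offline against an account inventory. The following is an added example, not Tanium code: the record layout (`name`, `roles`, `permissions`), the function name and the sample accounts are assumptions constructed for illustration, and it calls no Tanium API.

```python
ADMIN = "Tanium Administrator"
SVC = "Endpoint Configuration Service Account"
SVC_READ = "Endpoint Configuration Service Account Read All Sensors"
BYPASS = "Bypass Action Approval"


def audit_service_account(account, action_approval_enabled, import_user=None):
    """Return (severity, message) findings for one service-account record.

    `account` is a constructed dict: {"name", "roles", "permissions"}.
    It is not a Tanium export or API schema.
    """
    roles = set(account.get("roles", []))
    permissions = set(account.get("permissions", []))
    has_admin = ADMIN in roles
    missing_pair = sorted({SVC, SVC_READ} - roles)
    findings = []

    # Rule 1: Tanium Administrator, or both dedicated roles together.
    if not has_admin and missing_pair:
        findings.append(("error", "missing role(s): " + ", ".join(missing_pair)))

    # Rule 2: with action approval on, an account that relies on
    # Tanium Administrator needs the Bypass Action Approval permission.
    # Assumption: holding both dedicated roles already satisfies the rule.
    if (action_approval_enabled and has_admin and missing_pair
            and BYPASS not in permissions):
        findings.append(("error", "action approval is enabled: grant "
                         + BYPASS + " or switch to the dedicated roles"))

    # Advisory: the default is the account that imported Client Management.
    if import_user is not None and account.get("name") == import_user:
        findings.append(("info", "still the import account; consider a "
                         "unique service account for this solution"))
    return findings


# Constructed sample records.
SAMPLES = [
    {"name": "svc-endpoint-config", "roles": [SVC, SVC_READ], "permissions": []},
    {"name": "svc-half", "roles": [SVC], "permissions": []},
    {"name": "admin-import", "roles": [ADMIN], "permissions": []},
]

if __name__ == "__main__":
    for record in SAMPLES:
        for severity, message in audit_service_account(record, True, "admin-import"):
            print(f"{record['name']}: {severity}: {message}")
```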

Configure the Endpoint Configuration action group

Importing the Client Management module automatically creates an Endpoint Configuration action group to target specific endpoints. Select the computer groups to include in the Endpoint Configuration action group.

If you import Client Management with restricted targeting disabled, leave the Endpoint Configuration action group set to the default of All Computers. If you use restricted targeting to set the Endpoint Configuration action group to target the No Computers filter group, set the action group to target the All Computers computer group before using any modules. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Endpoint Configuration.
  3. Select the computer groups to include in the action group, and click Save.

    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Endpoint Configuration users

You can use the following set of predefined user roles to set up Endpoint Configuration users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Endpoint Configuration Administrator

Assign the Endpoint Configuration Administrator role to users who manage the configuration and deployment of Endpoint Configuration functionality to endpoints.

This role can configure Endpoint Configuration service settings.

Endpoint Configuration Approver

Assign the Endpoint Configuration Approver role to a user who approves or rejects configuration changes and tool deployments that are initiated by Endpoint Configuration itself.

Endpoint Configuration Service Account

Assign the Endpoint Configuration Service Account role to the account that performs background processes for Endpoint Configuration. You must also assign the Endpoint Configuration Service Account Read All Sensors role to this account. For more information, see Configure the service account.

Endpoint Configuration Service Account Read All Sensors

Assign the Endpoint Configuration Service Account Read All Sensors role to the account that performs background processes for Endpoint Configuration. You must also assign the Endpoint Configuration Service Account role to this account. For more information, see Configure the service account.