Configuring Endpoint Configuration

Tanium™ Cloud automatically handles initial configuration for Endpoint Configuration, but you can set up additional Endpoint Configuration users.

When you import Client Management (regardless of whether you use automatic configuration), the following default setting is configured for Endpoint Configuration:

Setting: Action group

Default value: The action group is set to the All Computers computer group.

  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

If you use restricted targeting to set the Client Management and Endpoint Configuration action groups to target the No Computers filter group, then make sure that before using any modules, you first set the Client Management action group to target the appropriate endpoints (typically All Computers), and then set the Endpoint Configuration action group to target the same endpoints. For more information, see Tanium Client Management User Guide: Configure the Endpoint Configuration action group and Configure the Endpoint Configuration action group in this guide. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group. Use the appropriate targeting groups within modules to control targeted deployment of configurations or tools.

If you import Client Management with restricted targeting disabled, leave the Endpoint Configuration action group set to the default of All Computers. If you use restricted targeting to set the Client Management and Endpoint Configuration action groups to target the No Computers filter group, then before using any modules, first set the Client Management action group to target the All Computers computer group, and then set the Endpoint Configuration action group to target the All Computers computer group. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.

After you import Client Management, you can reconfigure the default settings for Endpoint Configuration.

Configure the Endpoint Configuration action group

Importing the Endpoint Configuration module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Endpoint Configuration, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Endpoint Configuration, configuring the Endpoint Configuration action group is optional.

Select the computer groups to include in the Endpoint Configuration action group.

If you import Client Management with restricted targeting disabled, leave the Endpoint Configuration action group set to the default of All Computers. If you use restricted targeting to set the Client Management and Endpoint Configuration action groups to target the No Computers filter group, then before using any modules, first set the Client Management action group to target the All Computers computer group, and then set the Endpoint Configuration action group to target the All Computers computer group. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Endpoint Configuration.
  3. Select the computer groups to include in the action group, and click Save.

    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Endpoint Configuration users

You can use the following set of predefined user roles to set up Endpoint Configuration users.

To review specific permissions for each role, see User role requirements.

On installation, Endpoint Configuration creates an Endpoint Configuration user to automatically manage the Endpoint Configuration service account. Do not edit or delete the Endpoint Configuration user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Endpoint Configuration Administrator

Assign the Endpoint Configuration Administrator role to users who manage the configuration and deployment of Endpoint Configuration functionality to endpoints.

This role can configure Endpoint Configuration service settings.

Endpoint Configuration Approver

Assign the Endpoint Configuration Approver role to a user who approves or rejects configuration changes and tool deployments that are initiated by Endpoint Configuration itself.

Endpoint Configuration Read Only User

Assign the Endpoint Configuration Read Only User role to users who can review settings and configuration items in Endpoint Configuration.

Do not assign the Endpoint Configuration Service Account and Endpoint Configuration Service Account - All Content Sets roles to users. These roles are for internal purposes only.