Verifying and configuring Endpoint Configuration
Tanium as a Service automatically handles initial configuration for Endpoint Configuration.
Endpoint Configuration is installed as part of Tanium Client Management. When you install Client Management the Endpoint Configuration workbench becomes available from the Tanium Console. For more information, see Tanium Client Management User Guide: Installing Client Management.
The Tanium Endpoint Configuration action group is set to the computer group All Computers.
When you import Client Management (regardless of whether you use automatic configuration), the following default settings are configured for Endpoint Configuration:
- The Endpoint Configuration service account is set to the account that you used to import the Client Management service.
- The Tanium Endpoint Configuration action group is set to the computer group All Computers.
When you import Client Management, sign in to the Tanium Console with the account that will be used as the Client Management and Endpoint Configuration service account. The Endpoint Configuration service account is set to the account that you used to import the Client Management service, regardless of whether you use automatic configuration when you import Client Management.(Tanium Core Platform 7.4.5 or later only) Optionally, you can set the Endpoint Configuration action group to target the No Computers filter group by enabling restricted targeting before importing Client Management. This option prevents Endpoint Configuration from automatically deploying tools to endpoints. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.
If you use restricted targeting to set the Endpoint Configuration action group to target the No Computers filter group, make sure you set the action group to target the appropriate endpoints (typically All Computers) before using any modules. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group. Use the appropriate targeting groups within modules to control targeted deployment of configurations or tools.
After you import or upgrade Client Management, verify that the correct version of Endpoint Configuration is installed:
- Refresh your browser.
- From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint ConfigurationOverview page.
- To display version information, click Info .
After you import Client Management, you can reconfigure the default settings for Endpoint Configuration.
Leave the Endpoint Configuration action group set to the default of All Computers. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.
The service account is a user that runs several background processes for Endpoint Configuration. This user requires one of the following combinations of roles:
- Tanium Administrator
- Endpoint Configuration Service Account and Endpoint Configuration Service Account Read All Sensors
If action approval is enabled for Tanium Core Platform, you must either use the Endpoint Configuration Service Account and Endpoint Configuration Service Account Read All Sensors roles for the service account, or, if you are using the Tanium Administrator role, grant the Bypass Action Approval permission to the Endpoint Configuration service account. For more information, see Tanium Console User Guide: Managing action approval.
For more information about Endpoint Configuration permissions, see User role requirements.
- From the Main menu, click Endpoint Configuration to open the Endpoint Configuration Overview page.
- Click Settings and open the Service Account tab.
- Update the service account settings and click Save.
If you experience problems with configuring Endpoint Configuration, see Troubleshooting Endpoint Configuration.
Last updated: 8/3/2021 4:55 PM | Feedback