Endpoint Configuration requirements
For more information about Client Management, see Tanium Client Management User Guide.
Core platform dependencies
Make sure that your environment meets the following requirements:
-
Tanium™ Core Platform servers: 7.3.314.4250 or later
-
Tanium™ Client:
Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Some Tanium solutions that manage the deployment of configuration changes with Tanium Endpoint Configuration might require a higher client version.
Computer group dependencies
Endpoint Configuration requires only the All Computers computer group.
If you use restricted targeting to set the Endpoint Configuration action group to target the No Computers filter group, make sure you set the action group to target the appropriate endpoints (typically All Computers) before using any modules: see Configure the Endpoint Configuration action group. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group. Use the appropriate targeting groups within modules to control targeted deployment of configurations or tools.
Solution dependencies
Other Tanium solutions are required for specific Endpoint Configuration features to work. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.
Some Endpoint Configuration dependencies have their own dependencies, which you can see by clicking the links in the lists of Endpoint Configuration requirements and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Endpoint Configuration requires.
-
Make sure you upgrade each module that uses Endpoint Configuration to a version from after support for Endpoint Configuration was introduced (follow links for Tanium Dependencies from Tanium Client Management User Guide: Module- and service-specific requirements for the Tanium Client and endpoints and see the release notes for each module).
-
After Endpoint Configuration is installed, do not use the Initial Content - Python solution to deploy Python to endpoints that support Endpoint Configuration (see Endpoints).
Tanium recommended installation
If you select Tanium Recommended Installation when you import Endpoint Configuration, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.
Import specific solutions
If you select only Endpoint Configuration to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.
Feature-specific dependencies
Endpoint Configuration has the following feature-specific dependencies at the specified minimum versions:
-
Tanium Connect 5.9 or later is required to use Endpoint Configuration audit logs as a connection source.
Tanium™ Module Server
Endpoint Configuration is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.
For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.
Endpoints
Supported operating systems
The following endpoint operating systems are supported with Endpoint Configuration.
Operating System | Version | Notes |
---|---|---|
Windows | A minimum of Windows 7 SP1 or Windows Server 2008 R2 SP1 is required. | |
macOS | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | |
Linux | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | |
AIX | A minimum of AIX 7.1.4 is required. | The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file. |
Solaris | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. |
For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.
Some modules that work with Endpoint Configuration have more specific requirements for endpoints. For more information, see the user guide for each module.
Host and network security requirements
Ports
The following ports are required for Endpoint Configuration communication.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Module Server | Module Server (loopback) | 17499 | TCP |
Used for internal communication for Endpoint Configuration This port is used with the loopback interface and usually does not require a firewall rule. |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
Target Device | Notes | Exclusion Type | Exclusion |
---|---|---|---|
Module Server | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
User role requirements
The following
For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.
Each Tanium Solution features a role such as <Solution Name> Configuration Approver that grants a <solution name> endpoint configuration approve permission. This permission is required for a user to make approvals in Endpoint Configuration. For the exact names of solution-specific roles and permissions, see the user guide for the specific Tanium solution.
Permission | Endpoint Configuration Administrator | Endpoint Configuration Approver | Endpoint Configuration Read Only User | Endpoint Configuration Service Account | Endpoint Configuration Service Account Read All Sensors |
---|---|---|---|---|---|
Endpoint Configuration View the Endpoint Configuration workbench, and access and manage configuration changes |
SHOW WRITE |
APPROVE1 DISMISS1 |
SHOW READ |
READ WRITE1 |
|
Endpoint Configuration Administrator Provides write privileges for actions and read privileges for sensors and packages in Endpoint Configuration |
ADMINISTER |
|
|
|
|
Endpoint Configuration API Perform Endpoint Configuration operations using the API |
EXECUTE |
|
|
EXECUTE |
|
Endpoint Configuration Module Register or use the Endpoint Configuration module |
USE |
|
|
REGISTER USE |
|
Endpoint Configuration Read Only Provides read privileges for sensors, packages and actions in Endpoint Configuration |
|
|
USER |
|
|
Endpoint Configuration Service Account Access the service account settings for Endpoint Configuration, and provide the service account with the necessary permissions |
READ WRITE |
|
|
EXECUTE |
|
Endpoint Configuration Settings Access Endpoint Configuration settings |
READ WRITE |
|
SHOW READ |
|
|
Endpoint Configuration Support Bundle Access the support bundle for Endpoint Configuration |
READ |
|
|
|
|
Endpoint Configuration Bypass2 You can apply this permission to module service accounts, and based on the content set, it bypasses approval for solution-generated configuration items, for example tools or intel deployment. You can apply this permission to a user account, and based on the content set, it bypasses approval for user-generated configuration items. |
|
|
|
|
|
1 This permission is provided to a solution-specific role for managing configuration approvals. 2 This permission is not provided by default to any roles. |
Permission | Role Type | Endpoint Configuration Administrator | Endpoint Configuration Approver | Endpoint Configuration Read Only User | Endpoint Configuration Service Account | Endpoint Configuration Service Account Read All Sensors |
---|---|---|---|---|---|---|
Action Group | Administration |
|
|
|
READ |
|
Allowed URLs | Administration |
|
|
|
READ WRITE |
|
Computer Group | Administration |
|
|
|
READ |
|
Persona | Administration |
|
|
|
READ |
|
User | Administration |
|
|
|
READ |
|
Action | Platform Content |
|
|
READ |
READ WRITE |
|
Bypass Action Approval | Platform Content |
|
|
|
SPECIAL |
|
Own Action | Platform Content |
|
|
READ |
READ |
|
Package | Platform Content |
|
|
READ |
READ WRITE |
|
Plugin | Platform Content |
|
|
READ |
READ EXECUTE |
|
Sensor | Platform Content |
|
|
READ |
READ |
READ |
You can view which content sets are granted to any role in the Tanium Console. |
Last updated: 5/12/2022 11:54 AM | Feedback