Endpoint Configuration requirements

Endpoint Configuration is installed as part of Tanium Client Management. Review the requirements before you install Client Management and use Endpoint Configuration.

For more information about Client Management, see Tanium Client Management User Guide.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers: 7.4.3.1204 or later

  • Tanium™ Client:

    Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

    Some Tanium solutions that manage the deployment of configuration changes with Tanium Endpoint Configuration might require a higher client version.

Computer group dependencies

Endpoint Configuration requires only the All Computers computer group.

If you import Client Management with restricted targeting disabled, leave Leave the Endpoint Configuration action group set to the default of All Computers. If you use restricted targeting to set the Client Management and Endpoint Configuration action group to target the No Computers filter group, then before using any modules, first set the Client Management action group to target the All Computers computer group, and then set the Endpoint Configuration action group to target the All Computers computer group. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.

(Tanium Core Platform 7.4.5 or later only) Optionally, you can set the Endpoint Configuration action group to target the No Computers filter group by enabling restricted targeting before importing Client Management. This option prevents Endpoint Configuration from automatically deploying tools to endpoints. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

If you use restricted targeting to set the Client Management and Endpoint Configuration action groups to target the No Computers filter group, then make sure that before using any modules, you first set the Client Management action group to target the appropriate endpoints (typically All Computers), and then set the Endpoint Configuration action group to target the same endpoint. For more information, see Tanium Client Management User Guide: Configure the Endpoint Configuration action group and Configure the Endpoint Configuration action group in this guide. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group. Use the appropriate targeting groups within modules to control targeted deployment of configurations or tools.

Solution dependencies

Other Tanium solutions are required for specific Endpoint Configuration features to work. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Endpoint Configuration dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Endpoint Configuration requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Endpoint Configuration, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Endpoint Configuration to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Endpoint Configuration, the server automatically updates those dependencies to the latest available versions.

If you select only Endpoint Configuration to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Endpoint Configuration has the following required dependencies at the specified minimum versions:

  • Tanium™ RDB 1.2.11 or later
  • Tanium™ System User service 1.0.77 or later

Feature-specific dependencies

Endpoint Configuration has the following feature-specific dependencies at the specified minimum versions:

  • Tanium Connect 5.9 or later is required to use Endpoint Configuration audit logs as a connection source.

Tanium™ Module Server

Endpoint Configuration is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Endpoint Configuration.

Operating System Version Notes
Windows A minimum of Windows 7 SP1 or Windows Server 2008 R2 SP1 is required.  
macOS Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.  
Linux Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.  
AIX A minimum of AIX 7.1.4 is required. The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file.
Solaris Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.  

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Some modules that work with Endpoint Configuration have more specific requirements for endpoints. For more information, see the user guide for each module.

Host and network security requirements

Ports

The following ports are required for Endpoint Configuration communication.

Source Destination Port Protocol Purpose
Module Server Module Server (loopback) 17499 TCP

Used for internal communication for Endpoint Configuration

This port is used with the loopback interface and usually does not require a firewall rule.

No additional ports are required.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Endpoint Configuration security exclusions
Target Device Notes Exclusion Type Exclusion
Module Server   Process <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

User role requirements

The following tables list table lists the role permissions required to use Endpoint Configuration. To review a description of the predefined rolesummary of the predefined roles, see Set up Endpoint Configuration users.

Each Tanium Solution features a role such as <Solution Name> Configuration Approver that grants a <solution name> endpoint configuration approve permission. This permission is required for a user to make approvals in Endpoint Configuration. For the exact names of solution-specific roles and permissions, see the user guide for the specific Tanium solution.

Do not assign the Endpoint Configuration Service Account and Endpoint Configuration Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Endpoint Configuration user role permissions
Permission Endpoint Configuration Administrator Endpoint Configuration Approver Endpoint Configuration Auditor Endpoint Configuration Read Only User

Endpoint Configuration

View the Endpoint Configuration workbench, and access and manage configuration changes
SHOW
READ
WRITE
APPROVE1
DISMISS1
REJECT
SHOW
READ
SHOW
READ
SHOW
READ

Endpoint Configuration Administrator

Provides write privileges for actions and read privileges for sensors and packages in Endpoint Configuration
ADMINISTER

Endpoint Configuration API

Perform Endpoint Configuration operations using the API
EXECUTE
EXECUTE
EXECUTE
EXECUTE

Endpoint Configuration Audit

Review Endpoint Configuration audit logs
READ
WRITE
READ

Endpoint Configuration Content Only

Access and manage content-only solution information in Endpoint Configuration
READ
WRITE
READ
READ

Endpoint Configuration Module

Register or use the Endpoint Configuration module
USE

Endpoint Configuration Read Only

Provides read privileges for sensors, packages and actions in Endpoint Configuration
USER

Endpoint Configuration Service Account

Provides the service account with the necessary permissions
READ
WRITE
EXECUTE

Endpoint Configuration Settings

Access Endpoint Configuration settings
READ
WRITE
READ
READ

Endpoint Configuration Support Bundle

Access the support bundle for Endpoint Configuration
READ
READ

Endpoint Configuration Bypass2

You can apply this permission to module service account roles, and based on the content set, it bypasses approval for solution-generated configuration items, for example tools or intel deployment.

You can apply this permission to a user account, and based on the content set, it bypasses approval for user-generated configuration items.

1 This permission is provided to a solution-specific role for managing configuration approvals.

2 This permission is not provided by default to any roles.
Provided Endpoint Configuration administration and platform content permissions
Permission Role Type Endpoint Configuration Administrator Endpoint Configuration Approver Endpoint Configuration Auditor Endpoint Configuration Read Only User
Action Platform Content
READ
WRITE
READ
Endpoint Configuration Platform Content
READ
WRITE
SPECIAL
READ
READ
READ
Endpoint Configuration Module Platform Content
SPECIAL
Own Action Platform Content
READ
READ
Package Platform Content
READ
READ
Plugin Platform Content
READ
EXECUTE
READ
EXECUTE
READ
READ
EXECUTE
Sensor Platform Content
READ
READ
Show Endpoint Platform Content
SPECIAL

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.