Endpoint Configuration requirements

Endpoint Configuration is installed as part of Tanium Client Management. Review the requirements before you install Client Management and use Endpoint Configuration.

For more information about Client Management, see Tanium Client Management User Guide.

Tanium dependencies

In addition to a license for Endpoint Configuration, make sure that your environment meets the following requirements.

| Component | Requirement |
|---|---|
| Tanium™ Core Platform | 7.3.314.4250 or later |
| Tanium™ Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. |

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Some Tanium solutions that manage the deployment of configuration changes with Tanium Endpoint Configuration might require a higher client version.

Tanium products

If you selected Tanium Recommended Installation when you installed Client Management, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules with which you are using Endpoint Configuration, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Computer groups

When you first log in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server automatically imports the computer groups that Endpoint Configuration requires.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups: see Create a computer group.

Leave the Endpoint Configuration action group set to the default of All Computers. If you have endpoints with operating systems that are not supported by Endpoint Configuration, contact Tanium Support.

(Tanium Core Platform 7.4.5 or later only) Optionally, you can set the Endpoint Configuration action group to target the No Computers filter group by enabling restricted targeting before importing Client Management. This option prevents Endpoint Configuration from automatically deploying tools to endpoints. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

If you use restricted targeting to set the Endpoint Configuration action group to target the No Computers filter group, make sure you set the action group to target the appropriate endpoints (typically All Computers) before using any modules. Modules cannot deploy configurations or tools to endpoints that are not targeted by the Endpoint Configuration action group. Use the appropriate targeting groups within modules to control targeted deployment of configurations or tools.

Tanium™ Module Server

Endpoint Configuration is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Endpoint Configuration.

| Operating System | Version | Notes |
|---|---|---|
| Windows | A minimum of Windows 7 SP1 or Windows Server 2008 R2 SP1 is required. | |
| macOS | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | |
| Linux | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | |
| AIX | A minimum of AIX 7.1.4 is required. | The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file. |
| Solaris | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | |

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Some modules that work with Endpoint Configuration have more specific requirements for endpoints. For more information, see the user guide for each module.

Host and network security requirements

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Endpoint Configuration security exclusions
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |

User role requirements

The following tables list the role permissions required to use Endpoint Configuration. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Each Tanium Solution features a role such as <Solution Name> Configuration Approver that grants a <solution name> endpoint configuration approve permission. This permission is required for a user to make approvals in Endpoint Configuration. For the exact names of solution-specific roles and permissions, see the user guide for the specific Tanium solution.

Endpoint Configuration user role permissions
Permission | Endpoint Configuration Administrator | Endpoint Configuration Approver | Endpoint Configuration Service Account | Endpoint Configuration Service Account Read All Sensors

Endpoint Configuration
View the Endpoint Configuration workbench, and access and manage configuration changes
SHOW, WRITE
APPROVE¹, DISMISS¹
READ, WRITE¹

Endpoint Configuration API
Perform Endpoint Configuration operations using the API
EXECUTE
EXECUTE

Endpoint Configuration Module
Register or use the Endpoint Configuration module
USE
REGISTER, USE

Endpoint Configuration Service Account
Access the service account settings for Endpoint Configuration, and provide the service account with the necessary permissions
READ, WRITE
EXECUTE

Endpoint Configuration Settings
Access Endpoint Configuration settings
READ, WRITE

Endpoint Configuration Support Bundle
Access the support bundle for Endpoint Configuration
READ

Endpoint Configuration Bypass²
You can apply this permission to module service accounts, and based on the content set, it bypasses approval for solution-generated configuration items, for example tools or intel deployment.
You can apply this permission to a user account, and based on the content set, it bypasses approval for user-generated configuration items.

¹ This permission is provided to a solution-specific role for managing configuration approvals.

² This permission is not provided by default to any roles.

Provided Endpoint Configuration administration and platform content permissions
Permission | Role Type | Endpoint Configuration Administrator | Endpoint Configuration Approver | Endpoint Configuration Service Account | Endpoint Configuration Service Account Read All Sensors
Action Group Administration
READ
Allowed URLs Administration
READ
WRITE
Computer Group Administration
READ
Persona Administration
READ
User Administration
READ
Action Platform Content
READ
WRITE
Bypass Action Approval Platform Content
SPECIAL
Own Action Platform Content
READ
Package Platform Content
READ
WRITE
Plugin Platform Content
READ
EXECUTE
Sensor Platform Content
READ

READ

You can view which content sets are granted to any role in the Tanium Console.