Configuring Enforce

If you did not install Enforce with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the module action group to target the No Computers filter group by enabling restricted targeting before adding the module to your Tanium licenseimporting the module. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the module action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Enforce with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Computer groups The Enforce tools group is set to All Computers.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Enforce, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Updating policy priorities
  • All policy enforcement updates

Configure Enforce

Configure service account

The service account is a user that runs several background processes for Enforce. This user requires the following roles and access:

  • Tanium Administrator role
  • If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

For more information about Enforce permissions, see User role requirements.

If you imported Enforce with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. From the Main menu, go to Modules > Enforce to open the Enforce Overview page.
  2. Click Settings and then click General.
  3. Update the service account settings and click Save.

Configure Enforce action group

By default, the Enforce action group is set to the All Computers. You can update the action group if needed.

  1. From the Main menu, go to  Administration > Actions > Action Groups.
  2. Click Tanium Enforce to update the action group and then click Save.

(Tanium Core Platform 7.4.5 or later only) You can set the module action group to target the No Computers filter group by enabling restricted targeting before adding the module to your Tanium licenseimporting the module. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the module action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

Set up Enforce users

You can use the following set of predefined user roles to set up Enforce users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Enforce Administrator

Assign the Enforce Administrator role to users who manage the configuration and deployment of Enforce functionality to endpoints.
This role can perform the following tasks:

  • Configure all Enforce service settings
  • Manage policies, policy templates, policy types, policy priorities, and enforcements
  • Manage recovery portal configuration

Enforce Defender Scan User

Assign the Enforce Defender Scan User role to users who view and create Defender scans.

Enforce Defender Scan Viewer

Assign the Enforce Defender Scan Viewer role to users who view Defender scans.

Enforce Endpoint Configuration Approver

Assign the Enforce Endpoint Configuration Approver role to a user who approves or rejects Enforce configuration items in Tanium Endpoint Configuration.

Enforce Operator

Assign the Enforce Operator role to users who manage the configuration and deployment of Enforce functionality to endpoints.
This role can perform the following tasks:

  • Configure most Enforce service settings
  • Manage policies, policy templates, policy types, policy priorities, and enforcements

Enforce * Policy Administrator

Assign the Enforce * Policy Administrator role to users who manage and prioritize policies.
This role can perform the following tasks:

  • View, create, and delete policies, policy templates, policy types, and reports
  • Prioritize policy priorities
  • Enforce policies and edit any policy enforcements

* You can additionally limit access by assigning the Linux, Mac, or Windows roles.

Enforce * Policy User

Assign the Enforce * Policy User role to users who manage policies.
This role can perform the following tasks:

  • View and create policies and policy types
  • View, create, and delete reports
  • View policy templates
  • View and create policy priorities
  • Enforce policies

* You can additionally limit access by assigning the Linux, Mac, or Windows roles.

Enforce * Policy Viewer

Assign the Enforce * Policy Viewer role to users who view policies, policy templates, policy types, and reports.

* You can additionally limit access by assigning the Linux, Mac, or Windows roles.

Enforce Recovery Key Administrator

Assign the Enforce Recovery Key Administrator role to users who manage disk encryption recovery keys.

Enforce Recovery Key User

Assign the Enforce Recovery Key User role to users who manage disk encryption recovery keys.

Enforce Recovery Key Viewer

Assign the Enforce Recovery Key Viewer role to users who view disk encryption recovery keys.

Enforce Recovery Portal

Assign the Enforce Recovery Portal role to users who view disk encryption recovery keys and can be used as the Enforce Recovery Portal.

Enforce Recovery Portal Administrator

Assign the Enforce Recovery Portal Administrator role to users who manage recovery portal configuration.

Enforce Recovery Portal Viewer

Assign the Enforce Recovery Portal Viewer role to users who view recovery portal configuration and status.

Enforce Service Account

Assign the Enforce Service Account role to the account that configures system settings for Enforce. You must also assign Tanium Administrator to this account.
This role can perform several background processes for Enforce.

Enforce Write Content Wipe Action

Assign the Enforce Content Wipe Action role to users who issue Windows Remediation actions that wipe, freeze, or recover endpoints.