Configuring Enforce
If you did not install Enforce with the Apply All Tanium recommended configurations option, you must enable and configure certain features.
When you import Enforce with automatic configuration, the following default settings are configured:
The following default settings are configured:
Setting | Default value |
---|---|
Action group |
|
Computer groups | The Enforce tools group is set to All Computers. |
Install and configure
Configure Tanium Endpoint Configuration
Manage solution configurations with Tanium Endpoint Configuration
Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.
For information about installing Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Installing Endpoint Configuration.
Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Enforce, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.
and select Global.
For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.
If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:
- Updating policy priorities
- All policy enforcement updates
Configure Enforce
(Optional) Configure Enforce action group
Importing the Enforce module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Enforce, the action group targets No Computers.
If you used automatic configuration and restricted targeting was disabled when you imported Enforce, configuring the Enforce action group is optional.
Select the computer groups to include in the Enforce action group.
By default, the Enforce action group is set to the All Computers. You can update the action group if needed.
- From the Main menu, go to Administration > Actions > Action Groups.
- Click Tanium Enforce to update the action group and then click Save.
Set up Enforce users
You can use the following set of predefined user roles to set up Enforce users.
To review specific permissions for each role, see User role requirements.
During installation, Enforce creates an Enforce user to automatically manage the Enforce service account. Do not edit or delete the Enforce user.
For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.
Enforce Administrator
Assign the Enforce Administrator role to users who manage the configuration and deployment of Enforce functionality to endpoints.
This role can perform the following tasks:
- Configure all Enforce service settings
- Manage policies, policy templates, policy types, policy priorities, and enforcements
- Manage recovery portal configuration
Enforce Defender Scan User
Assign the Enforce Defender Scan User role to users who view and create Defender scans.
Enforce Defender Scan Viewer
Assign the Enforce Defender Scan Viewer role to users who view Defender scans.
Enforce Endpoint Configuration Approver
Assign the Enforce Endpoint Configuration Approver role to a user who approves or rejects Enforce configuration items in Tanium Endpoint Configuration.
Enforce Operator
Assign the Enforce Operator role to users who manage the configuration and deployment of Enforce functionality to endpoints.
This role can perform the following tasks:
- Configure most Enforce service settings
- Manage policies, policy templates, policy types, policy priorities, and enforcements
Enforce * Policy Administrator
Assign the Enforce * Policy Administrator role to users who manage and prioritize policies.
This role can perform the following tasks:
- View, create, and delete policies, policy templates, policy types, and reports
- Prioritize policy priorities
- Enforce policies and edit any policy enforcements
* You can additionally limit access by assigning the Linux, Mac, or Windows roles.
Enforce * Policy User
Assign the Enforce * Policy User role to users who manage policies.
This role can perform the following tasks:
- View and create policies and policy types
- View, create, and delete reports
- View policy templates
- View and create policy priorities
- Enforce policies
* You can additionally limit access by assigning the Linux, Mac, or Windows roles.
Enforce * Policy Viewer
Assign the Enforce * Policy Viewer role to users who view policies, policy templates, policy types, and reports.
* You can additionally limit access by assigning the Linux, Mac, or Windows roles.
Enforce Recovery Key Administrator
Assign the Enforce Recovery Key Administrator role to users who manage disk encryption recovery keys.
Enforce Recovery Key User
Assign the Enforce Recovery Key User role to users who manage disk encryption recovery keys.
Enforce Recovery Key Viewer
Assign the Enforce Recovery Key Viewer role to users who view disk encryption recovery keys.
Enforce Recovery Portal
Assign the Enforce Recovery Portal role to users who view disk encryption recovery keys and can be used as the Enforce Recovery Portal.
Enforce Recovery Portal Administrator
Assign the Enforce Recovery Portal Administrator role to users who manage recovery portal configuration.
Enforce Recovery Portal Viewer
Assign the Enforce Recovery Portal Viewer role to users who view recovery portal configuration and status.
Enforce Write Content Wipe Action
Assign the Enforce Content Wipe Action role to users who issue Windows Remediation actions that wipe, freeze, or recover endpoints.
Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.
Last updated: 9/26/2023 2:18 PM | Feedback