Configuring Enforce

If you did not install Enforce with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Enforce action group to target the No Computers filter group by enabling restricted targeting before adding Enforce to your Tanium licenseimporting Enforce. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Enforce action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Enforce with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Computer groups The Enforce tools group is set to All Computers.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Enforce, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Updating policy priorities
  • All policy enforcement updates

Configure Enforce

(Optional) Configure Enforce action group

Importing the Enforce module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Enforce, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Enforce, configuring the Enforce action group is optional.

Select the computer groups to include in the Enforce action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Enforce are included in the Enforce action group.

By default, the Enforce action group is set to the All Computers. You can update the action group if needed.

  1. From the Main menu, go to  Administration > Actions > Action Groups.
  2. Click Tanium Enforce to update the action group and then click Save.

Set up Enforce users

You can use the following set of predefined user roles to set up Enforce users.

To review specific permissions for each role, see User role requirements.

During installation, Enforce creates an Enforce user to automatically manage the Enforce service account. Do not edit or delete the Enforce user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Enforce Administrator

Assign the Enforce Administrator role to users who manage the configuration and deployment of Enforce functionality to endpoints.
This role can perform the following tasks:

  • Configure all Enforce service settings
  • Manage policies, policy templates, policy types, policy priorities, and enforcements
  • Manage recovery portal configuration

Enforce Defender Scan User

Assign the Enforce Defender Scan User role to users who view and create Defender scans.

Enforce Defender Scan Viewer

Assign the Enforce Defender Scan Viewer role to users who view Defender scans.

Enforce Endpoint Configuration Approver

Assign the Enforce Endpoint Configuration Approver role to a user who approves or rejects Enforce configuration items in Tanium Endpoint Configuration.

Enforce Operator

Assign the Enforce Operator role to users who manage the configuration and deployment of Enforce functionality to endpoints.
This role can perform the following tasks:

  • Configure most Enforce service settings
  • Manage policies, policy templates, policy types, policy priorities, and enforcements

Enforce * Policy Administrator

Assign the Enforce * Policy Administrator role to users who manage and prioritize policies.
This role can perform the following tasks:

  • View, create, and delete policies, policy templates, policy types, and reports
  • Prioritize policy priorities
  • Enforce policies and edit any policy enforcements

* You can additionally limit access by assigning the Linux, Mac, or Windows roles.

Enforce * Policy User

Assign the Enforce * Policy User role to users who manage policies.
This role can perform the following tasks:

  • View and create policies and policy types
  • View, create, and delete reports
  • View policy templates
  • View and create policy priorities
  • Enforce policies

* You can additionally limit access by assigning the Linux, Mac, or Windows roles.

Enforce * Policy Viewer

Assign the Enforce * Policy Viewer role to users who view policies, policy templates, policy types, and reports.

* You can additionally limit access by assigning the Linux, Mac, or Windows roles.

Enforce Recovery Key Administrator

Assign the Enforce Recovery Key Administrator role to users who manage disk encryption recovery keys.

Enforce Recovery Key User

Assign the Enforce Recovery Key User role to users who manage disk encryption recovery keys.

Enforce Recovery Key Viewer

Assign the Enforce Recovery Key Viewer role to users who view disk encryption recovery keys.

Enforce Recovery Portal

Assign the Enforce Recovery Portal role to users who view disk encryption recovery keys and can be used as the Enforce Recovery Portal.

Enforce Recovery Portal Administrator

Assign the Enforce Recovery Portal Administrator role to users who manage recovery portal configuration.

Enforce Recovery Portal Viewer

Assign the Enforce Recovery Portal Viewer role to users who view recovery portal configuration and status.

Enforce Write Content Wipe Action

Assign the Enforce Content Wipe Action role to users who issue Windows Remediation actions that wipe, freeze, or recover endpoints.

Manage Stream profiles

With Tanium Stream, you can send events generated from Tanium Removable Storage Access Control policies to external Splunk destinations using an HTTP Event Collector (HEC) or TCP connection. With Stream profiles, you can create different Stream configurations to target specific endpoints.

  • Tanium Removable Storage Access Control policies are available only for Windows endpoints.
  • You must have the Enforce Endpoint Configuration All permission to create a Stream profile.

Create a Stream profile

  1. From the Enforce Overview page, click Settings .
  2. Click the Stream Profiles tab.
  3. Enter a Name and optional Description for the profile.
  4. Select a Management Method. You can manually provide configuration parameters, or upload a JSON file of a Stream configuration that you previously exported. Select either Manual or File Upload. If you select File Upload, click Browse for File and select a JSON file to upload. The JSON file contains the configuration parameters for the Stream configuration. If you select Manual, complete the following tasks.
  5. In the Configuration section, select a Destination Type. The Destination Type you select determines the additional required configuration settings that you are prompted to provide.

    Splunk HEC

    • URL - The URL or IP address to access the Splunk REST API.
    • Authorization Token - The authorization token to access your Splunk environment. Do not include the Splunk prefix in this token.

    Splunk TCP

    • Host - The fully-qualified Splunk host domain name or IP address.
    • Port - The port for the stream communication to the host.

    Select Dry Run if you want to collect statistics about the data that would be streamed to the destination, but not actually send data.

    Select Dry Run when you first create a stream configuration. Analyze the amount of event data that would be streamed to a destination before you deselect Dry Run. While this setting is enabled, no data is streamed to a destination; it must be disabled for data streaming to occur.

    You can use the Enforce - Daily Stream Stats sensor to gain an understanding of the amount of data that would be sent.

  6. (Optional) If you want to use a proxy to provide a gateway, provide the host, port, and a username and password for the proxy.
  7. In the Event Types subsection, select the event types that you want to stream:
    • Device Inserted
    • Device Removed
    • Device Blocked Mount
    • Device Blocked File Access

    At least one event type is required. Audit log entries for blocking events are identified with the policy ID and name. Events corresponding to read/write or read only rules in a policy are logged with the policy ID, policy name, and the rule name for the rule that allowed access.

  8. Click Select Computer Groups and select the computer groups from which you want to send events generated by Tanium Removable Storage Access Control policies to an external Splunk destination.
  9. In the Additional Filtering Criteria section, specify additional filtering parameters as needed:
    • None: Select None to use the selected computer groups with no additional filtering applied.
    • Specify Individual Endpoints: Provide a case-insensitive, comma-separated list of computer names. Due to a possible performance impact, this list cannot exceed 50 entries. Duplicate entries are ignored.
    • Ask a question: Ask a question to filter the selected computer groups. For example, if the selected computer groups contain non-Windows endpoints, you can filter the endpoints by asking the question: Operating System contains Windows.
    • Define a Rule: Define a rule to use when filtering the selected computer groups.
  10. Click Create.

Prioritize Stream profiles

If an endpoint is targeted by multiple Stream profiles, the profile with the highest priority applies to that endpoint. The profile with the highest priority has the lowest priority number. For example, a profile with a priority of 1 takes precedence over a profile with a priority of 10.

  1. From the Enforce Overview page, click Settings .
  2. Click the Stream Profiles tab.
  3. Click Prioritize.
  4. Click and drag the profiles to set the priority. Click Save.

Take actions on Stream profiles

You can delete, edit, duplicate, or export Stream profiles.

  1. From the Enforce Overview page, click Settings .
  2. Click the Stream Profiles tab.
  3. Select a profile.
  4. Click Actions and select an action to take on the profile:
    • Delete: Delete the selected profile.
    • Edit: Edit the selected profile.
    • Duplicate: Create a new Stream profile using the settings in the selected profile as a starting point.
    • Export: Export the selected profile in JSON format, which you can apply in a different Enforce environment. For example, you can export profiles that you have tested from a lab environment and import them into a production environment.