Enforcing policies

Create enforcements

You can create an enforcement from the policy list page, the policy details page, or the enforcements page.

  1. From the Enforce menu, click Policies.
  2. Click the three dots icon for the policy. From this menu you can Duplicate the policy or select Enforce Computer Group or Enforce Individual Computers.
  3. If you selected:
      • Enforce Computer Group - Choose a computer group that has been defined in the Administration section of Tanium Console. See Tanium Platform User Guide: Managing Computer Groups. To search for a group, type the first few letters of the group into the search field.
      • Enforce Individual Computers - Enter an enforcement Name, and paste a comma-separated list of computer names into the Computer Names field. This list must be no longer than 50 computers.
  4. Click Save. Click Yes to confirm and create the enforcement.

To un-enforce or remove a policy from an endpoint, delete the enforcement.

To view the status of an enforcement, click the arrow on the Enforcements page to expand the details section. See Enforcement for information on each enforcement state.

Create enforcements from policy details

  1. From the Enforce menu, click Policies.
  2. Click the policy to be enforced. This takes you to the details page for that policy.
  3. Click the Enforce button and select Enforce Computer Group or Enforce Individual Computers. Refer to Create enforcements for the remaining instructions.

Enforce policies from enforcements

  1. From the Enforce menu, click Enforcements.
  2. Click Create Enforcement and select Enforce Computer Group or Enforce Individual Computers. Refer to Create enforcements for the remaining instructions.

Prioritize policies

A single policy can contain multiple settings. When several policies are enforced on an endpoint, unique settings across all policies are applied. If duplicate settings exist for an endpoint, the setting with the lowest priority number takes precedence. See Enforce overview for more information about how policy settings are applied to endpoints.

The policy with the highest priority has the lowest priority number. For example, a policy with a priority of 1 takes precedence over a policy with a priority of 10.

Set the prioritization of policies to determine which policy setting is applied if a conflict exists.

  1. Navigate to Policies and click the Prioritize button to make the priority fields editable.
  2. Click the priority field for the policy you want to change and enter a new priority number. Click the check mark to accept the change or the undo icon to undo the change. When you click the check mark, the priority numbers for all policies update based on your change.
  3. Click Save to keep the new priorities or Cancel to undo them and revert to the original priorities.
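The precedence rule described in this section can be modeled offline to check which policy will win a conflict before you change priorities. The following is an added example, not Tanium code or a Tanium API: the `Policy` class, the `resolve` function, and the policy and setting names are constructed for illustration, and it models only the rule stated on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int   # 1 is the highest priority (lowest number wins)
    settings: dict  # setting name -> value


def resolve(policies):
    """Model the effective settings for one endpoint.

    Returns (effective, shadowed):
      effective: setting -> (value, name of the policy that supplied it)
      shadowed:  list of (setting, losing policy, losing value, winning policy)
    Assumes priority numbers are unique, as on the Policies page.
    """
    effective, shadowed = {}, []
    # Visit policies from highest priority (lowest number) to lowest.
    for policy in sorted(policies, key=lambda p: p.priority):
        for setting, value in policy.settings.items():
            if setting not in effective:
                # Unique setting, or first (highest-priority) occurrence.
                effective[setting] = (value, policy.name)
            else:
                # Duplicate setting from a lower-priority policy: not applied.
                winner = effective[setting][1]
                shadowed.append((setting, policy.name, value, winner))
    return effective, shadowed


# Constructed sample: three policies enforced on the same endpoint.
SAMPLE = [
    Policy("Workstation baseline", 10,
           {"screen_lock_minutes": 15, "usb_storage": "allow"}),
    Policy("Finance hardening", 1, {"usb_storage": "block"}),
    Policy("Firewall defaults", 5, {"inbound_default": "deny"}),
]

if __name__ == "__main__":
    effective, shadowed = resolve(SAMPLE)
    for setting, (value, source) in sorted(effective.items()):
        print(f"{setting} = {value}  (from {source})")
    for setting, loser, value, winner in shadowed:
        print(f"shadowed: {setting}={value} in {loser}, overridden by {winner}")
```

The `shadowed` list is the part worth reviewing: each entry is a setting that someone configured but that is not in effect on the endpoint because a higher-priority policy defines the same setting.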

Role-based access control and configuration visibility

When policies are put in content sets by different users with different permissions, a user might have partial visibility into configuration items or lose visibility into items to which that user originally had access. For example, if you create a policy and apply it to a group of endpoints, then another user applies that same policy to a different group of endpoints on which you do not have permissions, you lose the permissions to edit that policy.

If you move a policy from one content set to another content set, it can take up to an hour for all configuration changes to take place. The policy is updated immediately, but packages and saved content can take up to an hour to align because they require a sync activity to take place.