Getting started with policies
Perform the following tasks to get started with Enforce policies.
Configure Distribute Over Time settings for policies
Policy enforcement occurs in the following scenarios:
- The enforcement is first created
- Changes are made to the policy corresponding to the enforcement
- The Tanium Client or Tanium Client process restarts on an endpoint
- At the beginning and end of the enforcement schedule
- Enforce detects a failed or incomplete verification of policies
- (User Administrative Template policies) When a user signs in to an endpoint
These scenarios should be infrequent, but because endpoints check in with the Active Directory server for policy conflicts, they can temporarily cause a surge in traffic to Active Directory servers if a policy is enforced on many endpoints or many policies are enforced at the same time.
You can configure the intervals when endpoints verify and apply policies and also distribute checks with the Active Directory server over time to diffuse the traffic to the Active Directory server. To configure these settings, you must be assigned the
These settings do not apply to remediation policies: Remediation - Windows, Remediation - Linux, and Remediation - Mac.
- From the Enforce Overview page, click Settings.
- On the General tab, update the following settings as needed:
Policy Update:
When an enforcement is created or an enforced policy is updated, endpoints immediately update their policies and policy status.
- Specify a value in the Distribute Over Time setting to randomize the check in with the Active Directory server for each endpoint by an amount of time up to the value configured.
Policy Verification:
By default, endpoints verify policies and update their policy status every 15 minutes.
- Update the Interval value to change the frequency of this check. The value must be between 10 minutes and 60 minutes.
- Specify a value in the Distribute Over Time setting to randomize the check in with the Active Directory server for each endpoint by an amount of time up to the value configured. The Distribute Over Time value must be less than the Interval value.
Policy Application:
By default, endpoints reapply policies and update policy status every hour.
- Update the Interval value to change the frequency of this check. The value must be between 60 minutes and 480 minutes.
- Specify a value in the Distribute Over Time setting to randomize the check in with the Active Directory server for each endpoint by an amount of time up to the value configured. The Distribute Over Time value must be less than the Interval value.
- Click Save.
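To show how the Interval limits above interact with Distribute Over Time, here is an added Python example (not Enforce code) that validates a setting against the ranges the page states and simulates the per-endpoint random delay; the endpoint count, seed and function names are assumptions.

```python
import random
from dataclasses import dataclass

# Limits in minutes as stated on the page.
VERIFICATION_LIMITS = (10, 60)
APPLICATION_LIMITS = (60, 480)

@dataclass(frozen=True)
class CheckSetting:
    interval: int          # minutes between checks
    distribute_over: int   # each endpoint delays by a random 0..distribute_over minutes

def validate(setting, limits):
    """Return the violations of the page's rules for one check setting."""
    low, high = limits
    problems = []
    if not low <= setting.interval <= high:
        problems.append(f"Interval {setting.interval} must be between {low} and {high} minutes")
    if setting.distribute_over < 0:
        problems.append("Distribute Over Time must not be negative")
    if setting.distribute_over >= setting.interval:
        problems.append("Distribute Over Time must be less than Interval")
    return problems

def simulate_checkins(setting, endpoint_count, seed=0):
    """Minute offset at which each endpoint contacts Active Directory after the
    trigger (policy created, client restart, ...). With distribute_over == 0 every
    endpoint checks in at minute 0; otherwise each endpoint picks its own offset."""
    rng = random.Random(seed)   # seeded so the simulation is reproducible
    return [rng.randint(0, setting.distribute_over) for _ in range(endpoint_count)]

def peak_per_minute(offsets):
    """Largest number of endpoints hitting the server in any single minute."""
    counts = {}
    for minute in offsets:
        counts[minute] = counts.get(minute, 0) + 1
    return max(counts.values())
```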
Upload Anti-malware
Anti-malware policies require that either SCEP or Windows Defender is installed on endpoints. When SCEP installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.
From the Enforce Overview page, click Settings and then click Anti-Malware. Review settings to determine if you should modify them.
Microsoft System Center Endpoint Protection (SCEP) Installation
You can choose one of the following installations:
- Disable SCEP Installation: This is the default state. Leave disabled if you are creating Anti-malware SCEP rules and already have SCEP installed on your endpoints.
- Enable SCEP Installation: Use this option to automatically install SCEP on endpoints that do not support Windows Defender. After it is enabled, click Choose File or Update File to upload an installer file.
The Microsoft System Center Configuration Manager includes the SCEP client installation file.
For more information about SCEP, see Microsoft Technet: Endpoint Protection.
If Enforce has an issue with an anti-malware definition, an Error displays next to the definition in the Anti-Malware Definitions Status section of the Health tab on the Enforce Anti-Malware page. View the error reason from the Anti-Malware tab of the Enforce Settings.
Windows Defender Platform Updates
Microsoft releases monthly updates to the Windows Defender anti-malware platform. To keep the platform up to date and to help ensure compliance with all applicable security standards, enable Defender platform updates in Enforce. When enabled, Enforce automatically downloads and installs new monthly Defender anti-malware platform update packages on managed Windows endpoints.
Windows Defender platform updates are supported on Defender 4.18.2001.10 or later. Use the Enforce - Defender Platform Version sensor in Interact to find endpoints that do not have the required Defender Platform version.
To enable Defender platform updates:
- From the Enforce Overview page, click Settings.
- Click the Anti-Malware tab.
- In the Windows Defender Platform Updates section, select Enable Platform Updates and click Save.
Action Lock Override
You can override action locks on endpoints for anti-malware enforcements. For more information about action locks, see Tanium Console User Guide: Managing action locks.
To override action locks for anti-malware enforcements:
- From the Enforce Overview page, click Settings.
- On the Anti-Malware tab, select the Anti-Malware Override option.
Distribute Over Time
Control whether endpoints apply anti-malware enforcements the moment they receive the action (immediate) or at unique moments within the saved action interval (diffused). Diffusing enforcements over time can help prevent a surge in network traffic in exchange for a slower time to compliance.
- From the Enforce Overview page, click Settings.
- On the Anti-Malware tab, select Immediate or Diffused for the Distribute Over Time setting.
Distribute Over Time settings are added when Enforce creates new managed definition packages. New packages are created whenever new definition updates are downloaded from Microsoft. To apply Distribute Over Time settings immediately, you can manually delete the managed definition packages and scheduled actions.
Reissue Action Interval
Control the amount of time the server waits between anti-malware enforcement action attempts.
- From the Enforce Overview page, click Settings.
- On the Anti-Malware tab, set the Reissue Action Interval.
Managed Anti-Malware definitions download URLs
Windows Anti-malware policies can use Tanium to download and distribute Windows Anti-malware definitions.
You can choose one of the following options:
- Automatically retrieve definitions from Microsoft: This is the default setting. Definitions are downloaded from Microsoft.
- Download definitions from custom URLs: Use this option if your network cannot reach Microsoft, and you want to host the files on a local server and specify that URL.
The URLs listed in the Managed Anti-Malware Definitions Download URLs section of the Anti-Malware tab in the Enforce Settings specify the Microsoft links that Enforce uses to download definitions. See Internet URLs.
For more information, see Create an Anti-malware policy.
Set defaults for AppLocker
From the Enforce Overview page, click Settings and then click AppLocker to access the AppLocker settings.
In AppLocker settings, you can select a Rule Template and define default Allow and Deny rules. A rule template contains the default AppLocker rules that are included automatically in any AppLocker policy you create. The rule template includes Allow and Deny rules to specify which files are allowed to run or are blocked. You can modify these rules in individual policies as needed. You must include at least one Allow rule.
AppLocker Deny rules take precedence over AppLocker Allow rules. For more information, see Microsoft: Understanding AppLocker allow and deny actions on rules.
Block List rule template
The Block List rule template allows Everyone to run all applications through the (Default Rule) All files allow rule. This rule is the only rule that is included in this rule template by default. Define the specific applications you want to block by adding Deny rules.
You cannot delete or modify the (Default Rule) All files allow rule in this rule template because this rule template is intended to allow all files to run except those that you specifically block through a Deny rule.
The Block List rule template is the default rule template used in Enforce until you change it.
Allow List rule template
The Allow List rule template, by default, allows only applications that Administrators run, or that are run out of these folders:
- All files located in the Program Files folder: applies to Everyone
- All files located in the Windows folder: applies to Everyone
- All files: applies to Administrators
The default rules in the allow list rule templates are based on the Windows AppLocker default rules. For more information, see Microsoft: Understanding AppLocker default rules.
If you choose to enforce the default Allow List rule template, you might block applications unintentionally. The Allow List rule template blocks applications without explicitly listing the applications. For example, a program being run by a user out of that user’s profile directory is blocked. For best results, deploy allow list policies initially in Audit Only mode until audit reports can be reviewed and the intended results are confirmed. See AppLocker policies workflow for an example workflow.
The Tanium Client uses BAT, EXE, and VBS files. Be sure that you do not block files in the Tanium Client directory, because doing so might break client functions.
Add to the existing default rules to allow or deny applications rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.
When you edit a block list or allow list template, it becomes a custom template.
Custom rule template
Use the Custom rule template to create your own template. This rule template does not contain any rules by default.
You can customize any of these rule templates by adding additional Allow rules or Deny rules. Click Save to save your changes. To go back to the original default settings, click Restore to Default.
Create Default AppLocker rules
Use rule exceptions to specify files or folders to exclude from a default AppLocker rule. You can create default executable rules, default Windows installer rules, and default script rules.
- Expand a category: Default Executable Rules, Default Windows Installer Rules, or Default Script Rules and select a template: Allow List, Block List, Custom.
- Click Create to add a new default rule. Each rule type contains the same configuration fields.
- Enter a Name for the rule.
- Select a type: Hash, Path, Publisher.
- For Hash, provide the Hash and optional File Size (bytes). Optionally, click the + sign to add another hash rule.
- For Path, provide the full path or file name in the Path field.
- For Publisher, provide the Publisher, Product Name, and File Name. In the File Version field, use the dropdown list to indicate whether you want earlier or later versions included or only the exact version you specify. You can use the * character as a wildcard character in any of these values.
- In the Windows User section, select whether this rule applies to Everyone or only Administrators.
- Click Save for the rule.
- Click Create for the policy.
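As an added example (not Tanium's or Microsoft's AppLocker implementation), the following Python models the Allow List and Block List templates described above with Path and Hash rules, Deny precedence over Allow, the Everyone/Administrators scope, and Audit Only mode; the rule names, the sample hash, the user-profile path and the Tanium Client path are constructed, and Publisher rules are not modelled.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "Allow" or "Deny"
    kind: str                          # "Path" or "Hash" (Publisher rules not modelled)
    value: str                         # path pattern with * wildcards, or hex SHA-256
    applies_to: str = "Everyone"       # "Everyone" or "Administrators"
    file_size: Optional[int] = None    # optional File Size (bytes) for Hash rules

# Default rules of the Allow List template as the page describes them
# (constructed here; paths assume a default C: install).
ALLOW_LIST_TEMPLATE = [
    Rule("(Default Rule) All files in Program Files", "Allow", "Path", r"C:\Program Files\*"),
    Rule("(Default Rule) All files in Windows", "Allow", "Path", r"C:\Windows\*"),
    Rule("(Default Rule) All files", "Allow", "Path", "*", applies_to="Administrators"),
]
# Block List template: one allow-all rule; Deny rules are added per policy.
BLOCK_LIST_TEMPLATE = [Rule("(Default Rule) All files allow", "Allow", "Path", "*")]

def _matches(rule, path, content, is_admin):
    """True when the rule's scope, type and value all apply to this file."""
    if rule.applies_to == "Administrators" and not is_admin:
        return False
    if rule.kind == "Path":
        return fnmatch.fnmatchcase(path.lower(), rule.value.lower())
    if rule.kind == "Hash":
        if rule.file_size is not None and rule.file_size != len(content):
            return False
        return hashlib.sha256(content).hexdigest() == rule.value.lower()
    raise ValueError(f"unsupported rule type: {rule.kind}")

def evaluate(rules, path, content=b"", is_admin=False, audit_only=False):
    """Return (verdict, reason). Deny rules win over Allow rules, and a file that
    no Allow rule covers is blocked. In Audit Only mode a block is only recorded
    ("would-block"), which is how the page recommends rolling out allow lists."""
    denies = [r for r in rules if r.action == "Deny" and _matches(r, path, content, is_admin)]
    allows = [r for r in rules if r.action == "Allow" and _matches(r, path, content, is_admin)]
    if denies:
        verdict, reason = "blocked", denies[0].name
    elif allows:
        verdict, reason = "allowed", allows[0].name
    else:
        verdict, reason = "blocked", "no Allow rule matched"
    if audit_only and verdict == "blocked":
        verdict = "would-block"
    return verdict, reason
```

Evaluating a program run from a user's profile directory against ALLOW_LIST_TEMPLATE returns the block the page warns about, while the same call with audit_only=True only reports it.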
Configure Endpoint Encryption settings
Install Shared Services
Tanium BitLocker and FileVault policies require the installation of shared services. A checklist displays in the Endpoint Encryption tab of the Enforce Settings to show you the status of each of the required services. See Core platform dependencies for shared service version requirements.
- The End-User Notifications service must be installed and the End-User Notifications package must be pushed out to endpoints where the BitLocker policy is enforced.
- The Direct Connect service must be installed and the Direct Connect package must be pushed out to endpoints where the BitLocker policy is enforced.
- Core Content must be installed and pushed out to endpoints.
You can create disk encryption policies even if one or more of these components are not in place, but the policy is not successfully enforced until the entire configuration is on the endpoint.
Specify the Encryption Key
Before you create a BitLocker or FileVault policy, you must specify the Key Encryption Key:
Create an endpoint encryption recovery database
Before you create endpoint encryption policies, you must configure a database to store the recovery keys. This database can be hosted on the Tanium Module Server or it can be a separate database you set up and configure.
Choose where to host the database:
- Tanium Module Server hosted - If you select to host the database on the Tanium Module Server, you must agree to back up the database by selecting the checkbox. No further configuration is required.
The database files are located in the Tanium\Tanium Module Server\services\enforce-services-files\postgresql directory. For more information about backup instructions, see Tanium Platform Deployment Guide: Back up Tanium Core Platform servers and databases.
- Self hosted - If you select to host the database on your own server, you must configure it as follows:
Self hosted recovery key Database Requirements
Requirements for Postgres and Microsoft SQL Server databases.
- CPU: 4 Cores
- RAM: 8 GB
- Hard Drive: 80 GB
Configure the self hosted encryption database
- You must first generate and save the key encryption key as detailed in Specify the Encryption Key.
- Select a database server type: Postgresql or Microsoft SQL Server.
Connect to postgresql
The following information is used to connect to your Postgresql database.
The provided database must be SSL enabled.
- Enter the database server Host Name.
- Enter the Port number.
- Enter the User name and Password to sign in to the database.
- Enter the Database name.
- Click Choose File to upload the Postgres server certificate file and then click Save.
This file is used to securely connect the recovery portal to the Postgres database to retrieve lost keys. The Postgres server certificate must be signed by a trusted certificate authority. You cannot use a self-signed certificate.
Connect to Microsoft SQL server
The following information is used to connect to your Microsoft SQL server database.
The provided database must be SSL enabled.
- Enter the database server Host Name.
- Enter the Port number.
- Enter the User name to sign in to the database.
- Enter the Password to sign in to the database.
- (Optional) Provide the Domain name of the database server.
- Enter the Database name and then click Save.
See Create a BitLocker policy or Create a FileVault policy for further instructions.
Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.
Manage Windows device classes and devices
From the Enforce Overview page, click Settings and go to Device Control to manage the global list of Windows device classes and devices for use with Windows device control policies.
Device Classes
The list includes the predefined device classes that are provided by Microsoft and any additional device classes that were added, either from this page or through a device control policy. Click Device Classes to manage the global list of device classes.
- Use the sort menu to sort the list by Name, Type, or Associated Policy.
- Use the Filter by name field to filter the list by a specific name.
- Click Create to add a custom device class to the global list.
- You can edit or delete custom device classes:
- Select a custom device class and click Edit to update the configuration for that device class.
- Select a custom device class and click Delete to delete that device class.
Only custom device classes can be modified or deleted. You cannot modify or delete the default device classes. Changes that are made to device classes through the global list are pushed out to all policies that reference the device class. If you delete a device class, it is removed from all policies where it is referenced.
Devices
This list includes devices that were added from this page or through a device control policy. Click Devices to manage the global list of devices.
- Use the sort menu to sort the list by Name or Associated Policy.
- Use the Filter by name field to filter the list by a specific name.
- Click Create to add a new device to the global list.
- Select a device and click Edit to update the configuration for that device.
- Select a device and click Delete to delete that device.
Changes that are made to devices through the global list are pushed out to all policies that reference the device. If you delete a device, it is removed from all policies where it is referenced.
See Create a Windows device control policy for further instructions.
Manage Stream profiles
With Tanium Stream, you can send events generated from Tanium Removable Storage Access Control policies to external Splunk destinations using an HTTP Event Collector (HEC) or TCP connection. With Stream profiles, you can create different Stream configurations to target specific endpoints.
- Tanium Removable Storage Access Control policies are available only for Windows endpoints.
- You must have the Enforce Endpoint Configuration All permission to create a Stream profile.
Create a Stream profile
- From the Enforce Overview page, click Settings.
- Click the Stream Profiles tab.
- Click Create.
- Enter a Name and optional Description for the profile.
- Select a Management Method. You can manually provide configuration parameters, or upload a JSON file of a Stream configuration that you previously exported. Select either Automated or File Upload. If you select File Upload, click Browse for File and select a JSON file to upload. The JSON file contains the configuration parameters for the Stream configuration. If you select Automated, complete the following tasks.
- In the Configuration section, select a Destination Type. The Destination Type you select determines the additional required configuration settings that you are prompted to provide.
Splunk HEC
- URL - The URL or IP address to access the Splunk REST API.
- Authorization Token - The authorization token to access your Splunk environment. Do not include the Splunk prefix in this token.
Splunk TCP
- Host - The fully-qualified Splunk host domain name or IP address.
- Port - The port for the stream communication to the host.
Select Dry Run if you want to collect statistics about the data that would be streamed to the destination, but not actually send data.
Select Dry Run when you first create a stream configuration. Analyze the amount of event data that would be streamed to a destination before you deselect Dry Run. While this setting is enabled, no data is streamed to a destination; it must be disabled for data streaming to occur.
You can use the Enforce - Daily Stream Stats sensor to gain an understanding of the amount of data that would be sent.
- (Optional) If you want to use a proxy to provide a gateway, provide the host, port, and a username and password for the proxy.
- In the Event Types subsection, select the event types that you want to stream:
- Device Inserted
- Device Removed
- Device Blocked Mount
- Device Blocked File Access
At least one event type is required. Audit log entries for blocking events are identified with the policy ID and name. Events corresponding to read/write or read only rules in a policy are logged with the policy ID, policy name, and the rule name for the rule that allowed access.
- Click Select Computer Groups and select the computer groups from which you want to send events generated by Tanium Removable Storage Access Control policies to an external Splunk destination.
- In the Additional Filtering Criteria section, specify additional filtering parameters as needed:
- None: Select None to use the selected computer groups with no additional filtering applied.
- Specify Individual Endpoints: Provide a case-insensitive, comma-separated list of computer names. Due to a possible performance impact, this list cannot exceed 50 entries. Duplicate entries are ignored.
- Ask a question: Ask a question to filter the selected computer groups. For example, if the selected computer groups contain non-Windows endpoints, you can filter the endpoints by asking the question: Operating System contains Windows.
- Define a Rule: Define a rule to use when filtering the selected computer groups.
- Click Create.
Prioritize Stream profiles
If an endpoint is targeted by multiple Stream profiles, the profile with the highest priority applies to that endpoint. The profile with the highest priority has the lowest priority number. For example, a profile with a priority of 1 takes precedence over a profile with a priority of 10.
- From the Enforce Overview page, click Settings.
- Click the Stream Profiles tab.
- Click Prioritize.
- Click and drag the profiles to set the priority. Click Save.
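The Stream profile rules from Create a Stream profile (destination fields, the Splunk token prefix, the 50-entry case-insensitive endpoint list, the required event type) and the priority resolution described in this section, modelled as an added Python example that is not Tanium code; the profile fields, computer group names and host names are constructed assumptions.

```python
from dataclasses import dataclass, field

EVENT_TYPES = {"Device Inserted", "Device Removed",
               "Device Blocked Mount", "Device Blocked File Access"}
MAX_INDIVIDUAL_ENDPOINTS = 50

@dataclass
class StreamProfile:
    name: str
    priority: int                  # lower number wins when profiles overlap
    destination_type: str          # "Splunk HEC" or "Splunk TCP"
    destination: dict              # {"url", "token"} or {"host", "port"}
    event_types: set
    computer_groups: set           # names of the selected computer groups
    individual_endpoints: list = field(default_factory=list)   # lower-cased names
    dry_run: bool = True           # the page recommends starting with Dry Run

def parse_endpoint_list(text):
    """Specify Individual Endpoints: case-insensitive, duplicates ignored, at most 50."""
    names = []
    for raw in text.split(","):
        name = raw.strip().lower()
        if name and name not in names:
            names.append(name)
    if len(names) > MAX_INDIVIDUAL_ENDPOINTS:
        raise ValueError(f"{len(names)} endpoints exceeds the limit of {MAX_INDIVIDUAL_ENDPOINTS}")
    return names

def validate_profile(p):
    """Return the problems that would stop a profile from being created."""
    problems = []
    if p.destination_type == "Splunk HEC":
        if not p.destination.get("url"):
            problems.append("HEC destination needs a URL")
        token = p.destination.get("token", "")
        if not token:
            problems.append("HEC destination needs an authorization token")
        elif token.lower().startswith("splunk "):
            problems.append("do not include the Splunk prefix in the token")
    elif p.destination_type == "Splunk TCP":
        if not p.destination.get("host"):
            problems.append("TCP destination needs a host")
        port = p.destination.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append("TCP destination needs a port between 1 and 65535")
    else:
        problems.append(f"unknown destination type: {p.destination_type}")
    if not p.event_types:
        problems.append("at least one event type is required")
    unknown = p.event_types - EVENT_TYPES
    if unknown:
        problems.append(f"unknown event types: {sorted(unknown)}")
    return problems

def effective_profile(profiles, endpoint_name, endpoint_groups):
    """The single profile that applies to an endpoint: it must be in a targeted
    group (and in the individual list when one is set); the lowest number wins."""
    candidates = []
    for p in profiles:
        if not (p.computer_groups & endpoint_groups):
            continue
        if p.individual_endpoints and endpoint_name.lower() not in p.individual_endpoints:
            continue
        candidates.append(p)
    return min(candidates, key=lambda p: p.priority) if candidates else None
```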
Take actions on Stream profiles
You can delete, edit, duplicate, or export Stream profiles.
- From the Enforce Overview page, click Settings.
- Click the Stream Profiles tab.
- Select a profile.
- Click Actions and select an action to take on the profile:
- Delete: Delete the selected profile.
- Edit: Edit the selected profile.
- Duplicate: Create a new Stream profile using the settings in the selected profile as a starting point.
- Export: Export the selected profile in JSON format, which you can apply in a different Enforce environment. For example, you can export profiles that you have tested from a lab environment and import them into a production environment.
Install and configure
Configure Mac Device Enrollment
Mac Device Enrollment is currently public beta software.
If you want to use Mac Device Configuration Profile policies, you must
Next steps
Create Policies
Configure Windows administrative policies for computer groups. See Creating policies.
Enforcements
After policies are configured, create enforcements to apply them to endpoints. See Enforcing policies.
Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.
Last updated: 5/30/2023 2:06 PM