Installing Enforce

Tanium as a Service automatically handles module installations and upgrades.

For information about configuring Enforce for Tanium as a Service (TaaS), see Configuring Enforce.

Use the Solutions page to install Enforce and choose either automatic or manual configuration:

  • Automatic configuration with default settings: (supported on Tanium Core Platform 7.4.2 or later only) Enforce is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For more information about the automatic configuration for Enforce, see Import Enforce with default settings.
  • Manual configuration with custom settings: After installing Enforce, you must manually configure required settings. Select this option only if Enforce requires settings that differ from the recommended default settings. For more information, see Import Enforce with custom settings.

Before you begin

  • Read the release notes.
  • Review the Enforce requirements.
  • If you are upgrading from a previous version, see Upgrade Enforce.
  • Assign the correct roles to users for Enforce. Review the User role requirements.
    • To import the Enforce solution, you must be assigned the Administrator reserved role.
    • To configure the Enforce action group, you must be assigned the Administrator reserved role, Content Administrator reserved role, or a role that has the Write Action Group permission.

Import Enforce with default settings

(Tanium Core Platform 7.4.5 or later only) You can set the Enforce action group to target the No Computers filter group by enabling restricted targeting before adding Enforce to your Tanium licenseimporting Enforce. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Enforce action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Enforce with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Computer groups The Enforce tools group is set to All Computers.

To import Enforce and configure default settings, see Tanium Console User Guide: Import all modules and services. After the import, verify that the correct version is installed: see Verify Enforce version.

Import Enforce with custom settings

To import Enforce without automatically configuring default settings, be sure to clear the Apply All Tanium recommended configurations checkbox while performing the steps in Tanium Console User Guide: Import, re-import, or update specific solutions. After the import, verify that the correct version is installed: see Verify Enforce version.

(Re-imports only) Do not use Enforce until the re-import process finishes. Otherwise, you might lose work still in progress.

To configure the service account, see Configure service account.

To configure the Enforce action group, see Configure Enforce action group.

Manage dependencies for Tanium solutions

When you start the Enforce workbench for the first time, the Tanium Console ensures that all of the required dependencies for Enforce are installed at the required version. You must install all required Tanium dependencies before the Enforce workbench can load. A banner appears if one or more Tanium dependencies are not installed in the environment. The Tanium Console lists the required Tanium dependencies and the required versions.

  1. Install the modules and shared services that the Tanium Console lists as dependencies, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.
  2. From the Main menu, go to Modules > Enforce to open the Enforce Overview page.

Upgrade Enforce

For the steps to upgrade Enforce, see Tanium Console User Guide: Import, re-import, or update specific solutions. After the upgrade, verify that the correct version is installed: see Verify Enforce version.

Verify Enforce version

After you import or upgrade Enforce, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Enforce to open the Enforce Overview page.
  3. To display version information, click Info Info.