Creating policies

You can create the following policies in Enforce.

Anti-Malware

Anti-malware policies use the Microsoft Anti-malware engine to protect your endpoints from viruses. They are configured through the Machine Administrative Templates policy type, using the Windows Defender Antivirus Active Directory administrative template group policy objects on Windows systems. See Create an Anti-malware policy.

AppLocker

Use AppLocker policies to prevent unwanted executables from running on your endpoints (Deny rules) or to allow only certain applications to run on endpoints (Allow rules). See Create an AppLocker policy.

BitLocker

Use BitLocker policies to encrypt drives on endpoints using Windows BitLocker Drive Encryption. For more information about BitLocker Drive Encryption, see Create a BitLocker policy.

Device Control - All Devices

Use this policy to restrict the installation of new devices. With this policy type, the installation of any new device is blocked unless the device is explicitly allowed by either the device class or the hardware ID of the device. See Create a Windows device control policy.

Device Control - Removable Storage

Use this policy to control access permissions to specific removable media categories. The types of removable media predefined by Microsoft are CD-ROM and DVD drives, floppy disk drives, removable disk drives, tape drives, and Windows Portable Devices (WPD). See Create a Windows device control policy.

FileVault Policy

Use FileVault policies to encrypt drives on endpoints using macOS FileVault Encryption. For more information about FileVault, see Create a FileVault policy.

Firewall Management - Windows and Linux

Firewall management policies consist of rules that block or allow network traffic using the built-in operating system firewall. See Create a Windows firewall management policy and Create a Linux firewall management policy.

Machine Administrative Templates

Machine administrative template policies target machine-based Active Directory administrative template (ADMX) group policy objects on Windows systems. Use machine administrative policies to apply consistent rules to Windows devices regardless of the logged-in user. See Create a Machine administrative template policy.

The following Microsoft packages are used in Windows administrative template policies: Windows 10 baseline, Google Chrome, MS Office, Microsoft Edge, and Windows Security Baseline ADMX files (MSS-legacy and SecGuide).

Remediation Policy

A remediation policy is a list of tasks that run sequentially on the endpoint(s). See Create a remediation policy.

Remediation Purge Policy

Use these policies to take action on lost or stolen endpoints by remotely wiping all nonessential data or freezing the endpoint to prevent attempts to sign in. See Create a purge remediation policy.

Software Restriction Policy (SRP)

SRPs consist of rules that block the execution of applications and are created using the Windows SRP component. See Create an SRP management policy.

Create an Anti-malware policy

Anti-malware policies consist of groups of settings. You can only have one Anti-malware rule per policy; however, a single Anti-malware rule within one policy can have multiple settings.

Make sure you have completed the steps detailed in the Upload Anti-malware section before configuring anti-malware policies.

Default Windows Defender policy

Enforce provides a default Windows Defender policy. View this policy in the Enforce menu > Policies page. The default policy contains settings for client interface, antivirus quarantining, scanning, and exclusions. Expand each policy to view the pre-configured settings. You can edit or delete this policy. Create an enforcement to deploy it to endpoints.

Configure a new anti-malware policy

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select Machine Administrative Templates and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  6. (Optional) To configure anti-malware settings, expand the Anti-Malware Specific Settings section and select Enable.
    1. To automatically add the required Tanium exclusions to the policy, click Create exclusions for Tanium processes.
    2. Decide whether to select Deploy definition update using Tanium for Managed Definitions and then complete the Definition Grace Period fields to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value is the maximum age an Anti-malware definition can reach before the policy is considered unenforced. The default grace period is 1 day.

      By default, anti-malware rules are configured to retrieve definitions directly from Microsoft. If an endpoint does not receive an update within the specified grace period, it is considered unenforced. When this option is selected, anti-malware rules are configured to use Tanium to deploy anti-malware definition updates.

  7. Expand Filters and search for Windows Defender in the Settings text field.

    Anti-malware policies require that endpoints have either SCEP or Windows Defender installed. When SCEP Installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

    1. Enable Windows Defender policies and enter settings as needed.
    2. Click Add to policy after you configure a policy setting.
  8. After all settings for the policy are complete, click Create.
    The policy now appears in the Policies list in the Machines tab. When you create an Anti-Malware policy, you can add settings to control the user experience.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create an AppLocker policy

For successful AppLocker rule enforcement, Enforce starts the Application Identity service on the endpoint.

The Enforce settings include default rule templates for each rule type used in AppLocker policies. The Block list rule template is used by default until you change it. For more information about changing the default rule templates, see Set defaults for AppLocker.

Only one AppLocker policy is in effect on an endpoint at a given time. Therefore, if you want to enforce rules for multiple app types (Executable, Windows Installer, or Script) on a particular endpoint, you must use one AppLocker policy with rules for each app type (and not a separate policy for each one). If there are multiple policies with the same policy type applied to an endpoint, the priority of the policy is used to resolve the conflict.

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select AppLocker and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  6. (Optional) Provide a Support URL if you want to display a custom URL when a user tries to run an app that is blocked.
  7. You can import AppLocker rules using the XML files you generate in the AppLocker section of the Windows Local Security Policy Tool or an exported Enforce AppLocker policy to quickly add multiple rules to a policy. For more information, see Import an AppLocker rule.
  8. Select one or more rule types to configure for the policy: Executable, Windows Installer, or Script and configure each rule type that you select. Deny and Allow rules are populated with the default rule template you chose in the Enforce Settings > AppLocker section.
  9. Add additional rules, if necessary, as follows.
    • Click Create in the Deny section to create a deny rule that prevents the specified files from running on endpoints where the policy is enforced.
    • Click Create in the Allow section to create an allow rule that allows the specified files to run on endpoints where the policy is enforced.

      AppLocker Deny rules take precedence over AppLocker Allow rules. You must include at least one Allow rule. For more information about best practices and rule precedence, see Set defaults for AppLocker.

      Be aware of AppLocker allow or deny rules that are set in your Domain Policy. These rules might take precedence over AppLocker rules created in Enforce.

      Add to the existing default rules to allow or deny files rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.

      The Tanium Client uses BAT, EXE, and VBS files. Be sure that you do not block scripts in the Tanium Client directory that might break the client functions.

    • Specify the following settings for each rule that you add:
      1. Select whether the rule is Audit Only or Blocking.
      2. Click Create and provide a Name for the rule.
      3. In the Type section, select Path, Hash, or Publisher.
      4. Specify the settings for the file:
        • If you selected Path, provide the file name or path in the Path field.
        • If you selected Hash, provide the Hash and optional file size in bytes. Optionally, click the + sign to add another hash rule.
        • If you selected Publisher, provide the Publisher, Product Name, File Name, and File Version, using the dropdown list to indicate whether you want earlier or later versions included or only the version you specify. Use the * character as a wildcard character for any of these values.
      5. Select Everyone or Administrators in the Windows User section.
  10. Click Create.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Import an AppLocker rule

  1. Click Browse for File in the Import Rules From XML section.
  2. Select the XML file that contains the exported AppLocker rules and click Open.
  3. The Import Pending Review window shows up to three tabs, depending on the content in the XML file: the new rules added to the policy from the imported XML file, the rules Enforce cannot import, and duplicate rules.
  4. Click Proceed to import the XML file and then click Save.
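
The following PowerShell is an added example and is not code from the Tanium Enforce documentation or product. It builds an AppLocker allow rule set as XML (the format the Import Rules From XML dialog accepts) and simulates it against the Tanium Client directory, so that a rule set is not switched from Audit Only to Blocking while it would still block the BAT, EXE, or VBS files the client depends on. The $TaniumClient and $Targets paths are assumed placeholders for your environment.

```powershell
# Added example, not part of Tanium Enforce. Requires the AppLocker module
# (Windows 8 / Server 2012 or later) and an elevated session.
$TaniumClient = 'C:\Program Files (x86)\Tanium\Tanium Client'   # assumed client path
$Targets      = @('C:\Program Files', 'C:\Program Files (x86)')  # assumed directories to allow
$OutXml       = Join-Path $env:TEMP 'enforce-applocker-allow.xml'

if (-not (Test-Path -Path $TaniumClient)) {
    throw "Tanium Client directory not found: $TaniumClient"
}

# Collect file information (publisher signature and hash) for executables,
# scripts and installers. The client directory is included so that the
# generated Allow rules cover it. Large directory trees take a while.
$files = foreach ($dir in $Targets + $TaniumClient) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# Prefer Publisher rules (they survive updates of signed binaries) and fall
# back to Hash rules for unsigned files. -Optimize merges rules that share a
# publisher; -Xml emits the policy as an XML string that Enforce can import.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml |
    Set-Content -Path $OutXml -Encoding UTF8

# Simulate the policy against everything the Tanium Client runs. Any decision
# other than Allowed means an extra Allow rule is needed (or a Deny rule added
# later in Enforce is too broad) before the rules are set to Blocking.
$clientFiles = Get-ChildItem -Path $TaniumClient -Recurse -Include *.exe, *.bat, *.vbs |
    Select-Object -ExpandProperty FullName

$blocked = Test-AppLockerPolicy -XmlPolicy $OutXml -Path $clientFiles -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }

if ($blocked) {
    Write-Warning "Policy would block $(@($blocked).Count) Tanium Client file(s):"
    $blocked | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} else {
    "All Tanium Client files are allowed; $OutXml is ready to import into Enforce."
}
```

Because Enforce evaluates Deny rules before Allow rules, repeat the Test-AppLockerPolicy step against an exported copy of the finished Enforce policy after you add Deny rules.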

Create a BitLocker policy

Make sure you have completed the steps detailed in the Configure Endpoint Encryption settings section before configuring BitLocker policies.

Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select BitLocker and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  6. If requirements for this policy are missing, that information is displayed in the Configuration Status section. For more information about BitLocker requirements, see Configure Endpoint Encryption settings.

  7. In the Global Encryption Settings section, select the Encryption Type: Hardware, Software, or Hardware and Software.
    • If you select Hardware and Software, BitLocker software-based encryption is used if the drive does not support hardware-based encryption.
    • If you select Software or Hardware and Software, set the Encryption Method for each operating system. This setting applies only to software-based encryption. It configures the encryption algorithm and key cipher strength for the drive. For more information about this setting, see Microsoft: BitLocker Group Policy settings.
  8. (Optional) In the Operating System Disk Encryption section, select Encrypt Operating System Drives.
    1. Choose: Full or Used Disk Space Only. For more information on this option, see Microsoft: Overview of BitLocker Device Encryption in Windows 10.
    2. For computers that have a TPM chip, specify the behavior of the computer at startup or reboot when the drive is encrypted:

      TPM only

      If you choose TPM only, the drive is unlocked at startup or reboot using the integrated TPM chip with no user interaction.

      With TPM only, the drive can be encrypted when no end user is signed in to the computer. Keys are backed up to the Tanium database. One or more reboots are required, and you can use a Tanium package to accomplish that. It is recommended that you monitor the system status and push the reboot when needed.

      TPM + PIN

      If you choose TPM + PIN, the user configures a PIN during the initial BitLocker setup on the computer. The user must enter that PIN when the computer starts or reboots.

      If you use a PIN, you must set the Minimum PIN Length. Set this value to a number between 6 and 20. By default, PINs can only include numbers. If you want to allow PINs to include uppercase and lowercase letters, symbols, numbers, and spaces, select Enhanced PIN. If you do not want to allow PINs or passwords that consist of all the same character (11111111) or a sequence of characters (12345678), select Enforce minimum complexity requirements.

    3. (Optional) For computers without a TPM chip, specify whether you want to Allow BitLocker to run without a compatible TPM and specify a minimum password length. If you select this option, you can enforce the policy on computers that do not have a compatible TPM chip. Users must enter a password to access the encrypted drive. You can also specify whether you want to Enforce minimum complexity requirements for PINs or passwords to prevent PINs from using duplicate or sequential characters.
  9. (Optional) In the Fixed Disk Encryption section, select Encrypt Fixed Data Drives.
    1. Choose Full or Used Disk Space Only. For more information on this option, see Microsoft: Overview of BitLocker Device Encryption in Windows 10.
    2. (Optional) Select Deny write access to removable drives not protected by BitLocker.

      If you select this option, all fixed data drives that are not protected by BitLocker are mounted as read-only. If the drive is protected by BitLocker, it is mounted.

  10. (Optional) In the Removable Disk Encryption section, select Deny write access to removable drives not protected by BitLocker.
  11. In the End User Notifications section:
    1. Select or drag and drop an image file (PNG, GIF, or JPG/JPEG) and title to use in the notifications window for all BitLocker notifications.
    2. For Reboot Computer, provide the notification Title and Message that you want to display to users before the computer is rebooted. This message is the first message that displays to the user after the policy is enforced. It should prompt them to reboot their computer when possible to prepare their drive for encryption.
    3. In the Encrypt Hard Drive section, provide the notification Title and Message that you want to display to users to notify them that they must reboot their computer to begin the encryption process. This message displays when the user's drive is prepared for encryption, which occurs after the first reboot. This message should prompt the user to reboot their computer when possible to start the encryption.
    4. Inform users that drive encryption is not a disruptive process and that they can continue to work while encryption occurs.

    5. If applicable, in the message, notify users that they must reset the password or PIN. This option is available only when you choose the TPM + PIN or Allow BitLocker to run without a compatible TPM options.

    Click Restore Default for any of these sections to remove your text and return to the default text.

  12. In the Key Recovery section:
    1. Specify the Pre-Boot Recovery Message. If you chose the TPM + PIN or Allow BitLocker to run without a compatible TPM option, this message displays to users at startup and reboot on the screen where the PIN or password is entered. As a best practice, include the URL for the recovery portal.
    2. Select how often you want keys to rotate from the Recovery Key Rotation drop-down menu.

      Due to Microsoft Windows OS constraints, if you change the protection settings in an existing BitLocker policy, you must decrypt and re-encrypt endpoints for the changes to be applied.

  13. Click Create.
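
The following PowerShell is an added example and is not code from the Tanium Enforce documentation or product. Run on an endpoint, it checks that the BitLocker state matches what the policy above asked for: the chosen Encryption Method, a TPM-based protector on the operating system drive (Tpm for TPM only, TpmPin for TPM + PIN), a recovery password that can be backed up, and completed encryption on every volume. $ExpectedMethod and $ExpectedOsProtector are assumed placeholders matching your policy.

```powershell
# Added example, not part of Tanium Enforce. Requires the BitLocker module
# and an elevated session.
$ExpectedMethod      = 'XtsAes256'   # assumed: value chosen under Encryption Method
$ExpectedOsProtector = 'TpmPin'      # assumed: 'Tpm' for TPM only, 'TpmPin' for TPM + PIN

function Test-BitLockerPolicyState {
    param(
        [string]$Method,       # expected BitLockerVolumeEncryptionMethod name
        [string]$OsProtector   # expected KeyProtectorType on the OS volume
    )
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $label = "$($vol.MountPoint) ($($vol.VolumeType))"
        $types = $vol.KeyProtector.KeyProtectorType   # $null when no protectors exist

        # Encryption runs after a reboot; anything other than FullyEncrypted
        # usually means a pending reboot or encryption still in progress.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$label is $($vol.VolumeStatus) at $($vol.EncryptionPercentage)%"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$label protection is $($vol.ProtectionStatus)"
        }
        # A method mismatch cannot be fixed by editing the policy; the drive
        # must be decrypted and re-encrypted.
        if ($vol.EncryptionMethod -ne 'None' -and $vol.EncryptionMethod -ne $Method) {
            $findings += "$label uses $($vol.EncryptionMethod); policy expects $Method (decrypt and re-encrypt)"
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains $OsProtector) {
            $findings += "$label protectors are [$($types -join ', ')]; expected $OsProtector"
        }
        # Without a RecoveryPassword protector there is no recovery key to
        # back up, so the recovery portal cannot help the user.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += "$label has no RecoveryPassword protector to back up"
        }
    }
    return $findings
}

$result = Test-BitLockerPolicyState -Method $ExpectedMethod -OsProtector $ExpectedOsProtector
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    'BitLocker state on this endpoint matches the policy.'
}
```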

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

View BitLocker recovery keys

View recovery key information, such as computer name, user name, recovery key ID, and last rotation.

From the Enforce menu, click Endpoint Encryption to view health data and recovery key information.

Create a Windows device control policy

Windows device control policies provide two modes for administering devices on Windows endpoints.

Removable Storage

Controls access permissions on removable media. The types of removable media predefined by Microsoft are CD-ROM and DVD drives, floppy disk drives, removable disk drives, tape drives, and Windows Portable Devices (WPD).

With this mode, you can deny specific permissions to categories of removable devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Removable Storage Access.

All Devices

Restricts the installation of new devices. This advanced mode provides more granular control by using a list-based approach.

With this mode, the installation of any new device is blocked unless the device is explicitly allowed by either the device class or the hardware ID of the device. Optional settings allow administrators to bypass all restrictions and to uninstall existing USB storage devices that are not on the allowed list of devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Device Installation > Device Installation Restrictions.

Make sure you complete the steps that are detailed in the Manage Windows device classes and devices section before configuring device control policies.

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.

Create a Windows device control policy to administer removable devices

  1. In the Policy Type section, select Device Control - Removable Storage - Windows and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  2. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  3. In the Device Control section, select the type of removable storage that you want to administer and the access that you want to deny for that storage type.
  4. Click Create.

Create a Windows device control policy to administer all devices

This mode blocks new installations of all devices by default. This mode includes an optional setting to uninstall existing USB storage devices that are not on the policy allow list. All other existing devices remain installed and will not be blocked, including devices that are not currently connected but were installed previously. You must add devices to the policy allow list to allow installation to endpoints. Carefully test configurations and their impacts before you deploy them widely.

  1. In the Policy Type section, select Device Control - All Devices - Windows and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  2. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  3. (Optional) In the Notification section, select Provide a notification message for users when a device is denied access and specify a message to display when a user attempts to install a restricted device.
  4. In the General Device Rules section, configure the following settings:
    1. In the Administrator Permissions section, select the Allow Administrators to bypass all restrictions option to enable users to bypass the restrictions if they are signed in as an administrator.

      Devices do not install automatically when this option is selected. Administrators must manually install the device through Device Manager.

    2. In the Existing USB Devices section, select the Uninstall existing USB storage devices not on the allowed list of devices option to uninstall USB storage devices that are not on the allow list.

      As a safeguard against uninstalling devices that are required for the system to run, other devices that are currently installed on an endpoint, including devices that are not currently connected but were installed previously, are not uninstalled when this option is selected. If the device is in use when the policy is enforced on the endpoint, the device is uninstalled at the next reboot of the endpoint. In this scenario, the policy status sensor returns a status indicating that prohibited devices are still installed.

  5. In the Device Classes section, define groups of devices that you want to allow in your environment. Many device classes are predefined by Microsoft, and you can define custom device classes. Each device class has a globally unique identifier (GUID). For more information about device classes, see Microsoft: Hardware Dev Center: Device Classes. When you add a device class, it is stored in the global device class list, which you can access from the Settings page.

    If you add a device by device class, you must allow all of the device nodes in the device tree for that class. For example, if you want to allow the installation of a USB storage device, you must allow the installation of Disk Drives and USB Bus Devices (hubs and host controllers). For more information, see Microsoft: Hardware Dev Center: Device nodes and device stacks.

    • Click Import to query all Windows endpoints for their installed device classes and import them to the allow list. With this option, you can quickly add any custom device classes that might be used in your environment. Device classes that are already known to Enforce, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all device classes that were found on endpoints or you can select individual device classes. Click Proceed to add the selected device classes to the allow list.
    • Click Manage Existing to add existing device classes to the allow list. This list contains the predefined device classes that are provided by Microsoft and any device classes that were manually added previously. From this page, you can add or remove all available device classes, or add or remove individual device classes.

      If you added a device class using the Create option, you will not see it in this list until you save the policy.

    • Click Create to add a new device class. Specify a device class name, valid GUID, and optional description. Click Create again to add the device class to the allow list.
  6. In the Devices section, define individual devices that you want to allow in your environment. This option is useful if, for example, you want to allow a USB storage device from a specific manufacturer that is supported by your company, but no other USB storage devices. You do not need to allow the associated device classes when you allow a specific device. When you add a device, it is stored in the global device list, which you can access from the Enforce settings page. For more information on the global list, see Manage Windows device classes and devices.
    • Click Create to add a new device. Specify a device name and an optional ID. Click Create again to add the device to the allow list.

      Most devices have several hardware IDs. These IDs range from the most specific, which identifies a particular device, to a more general ID, which might identify a device type. Use the hardware ID that is appropriate for your environment.

    • Click Import to query all Windows endpoints for their installed USB storage devices and import them to the allow list. With this option, you can quickly add any USB storage devices that might be used in your environment. USB storage devices that are already known to Enforce, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all USB storage devices that were found on endpoints or you can select individual USB storage devices. Click Proceed to add the selected USB storage devices to the allow list.
    • Click Manage Existing to add existing devices to the allow list. This list contains devices that were manually added previously. From this page, you can add or remove all available devices, or add or remove individual devices.
  7. Click Create.
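
The following PowerShell is an added example and is not code from the Tanium Enforce documentation or product. For each USB storage device present on an endpoint it lists the hardware IDs from most specific to most generic (the choice you make when adding a device to the allow list) and walks the device tree upward to show the device classes, with their GUIDs, that an All Devices policy must also allow if you allow the device by class rather than by hardware ID. It assumes the PnpDevice module that ships with Windows 10 and later.

```powershell
# Added example, not part of Tanium Enforce.
function Get-DeviceTreeClasses {
    # Walk from a device node up through its parents to the root, returning the
    # class name and class GUID of every node on the way (disk, USB mass storage,
    # hub, host controller, ...). All of these classes must be allowed for the
    # device to install when rules are expressed by device class.
    param([Parameter(Mandatory)][string]$InstanceId)
    $chain   = @()
    $current = $InstanceId
    while ($current) {
        $dev = Get-PnpDevice -InstanceId $current -ErrorAction SilentlyContinue
        if (-not $dev) { break }
        $chain += [pscustomobject]@{
            Class     = $dev.Class
            ClassGuid = $dev.ClassGuid
            Name      = $dev.FriendlyName
        }
        $parent  = Get-PnpDeviceProperty -InstanceId $current -KeyName 'DEVPKEY_Device_Parent' `
                       -ErrorAction SilentlyContinue
        $current = $parent.Data   # empty at the root, which ends the loop
    }
    return $chain
}

# Disks attached over USB have instance IDs that start with USBSTOR.
$usbDisks = Get-PnpDevice -Class DiskDrive -PresentOnly |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' }

foreach ($disk in $usbDisks) {
    "== $($disk.FriendlyName) [$($disk.InstanceId)]"

    # Hardware IDs are ordered from the most specific (vendor, product and
    # revision of this device) to the most generic (for example USBSTOR\GenDisk,
    # which would match every USB disk). Pick the level your allow list needs.
    $hwids = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
                  -KeyName 'DEVPKEY_Device_HardwareIds').Data
    '  Hardware IDs (most specific first):'
    $hwids | ForEach-Object { "    $_" }

    '  Device classes in the tree (allow all of these for class-based rules):'
    Get-DeviceTreeClasses -InstanceId $disk.InstanceId |
        Select-Object Class, ClassGuid, Name -Unique |
        ForEach-Object { '    {0,-14} {1}  {2}' -f $_.Class, $_.ClassGuid, $_.Name }
}
```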

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create a FileVault policy

Before you create a FileVault policy, you must have the following configuration in place:

  • A database to store encryption keys. For more information, see Configure Endpoint Encryption settings.
  • The End-User Notifications service must be installed and the End-User Notifications package must be pushed out to endpoints where the FileVault policy is enforced.
  • The Direct Connect service must be installed and the Direct Connect package must be pushed out to endpoints where the FileVault policy is enforced.

You can create FileVault policies even if one or more of these components are not in place, but the policy is not successfully enforced until the entire configuration is on the endpoint.

Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.

If endpoints already have FileVault enabled without using the Tanium Enforce FileVault policy, you must run the Enforce - Decrypt FileVault package on those endpoints first. Then you can deploy the Enforce FileVault policy. If you fail to do this, the Enforce FileVault policy appears to be successfully enforced, but the recovery key is not backed up. Therefore, recovery keys will not work.

Create the policy

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select FileVault and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  6. If requirements for this policy are missing, that information is displayed in the Configuration Status section. For more information about FileVault requirements, see Configure Endpoint Encryption settings.

  7. In the End User Notification section:
    1. Select an image file (PNG, GIF, or JPG/JPEG) to use in the notifications window for all FileVault notifications.
    2. In the Window Title section, provide a concise name for the window prompt, such as FileVault Encryption.
    3. In the Message Title section, provide a brief description of the policy for the user. In the Message section, provide the message that you want to display to users. This message is the first message that displays to the user after the policy is enforced.
  8. In the Key Recovery section:
    • Select Enable Private Key if you are using an Institutional Recovery Key. For more information about generating institutional recovery keys, see macOS: Set a FileVault recovery key for computers in your institution.
      After the keychain is generated, remove the private key from the master keychain. Then in the Enforce policy, click Upload Public Key to locate the public key and upload it to the Tanium console. This key is sent to endpoints along with the FileVault policy. The public key, in combination with the private key you securely store elsewhere, is used to recover encrypted data if a user forgets their password.
    • Select Enable Public Key if you are using a unique, machine-generated Personal Recovery Key that is accessible to end users. If you are using the recovery portal (Postgres DB), select this key type. For more information about recovery portal configuration details, see Reference: Encryption management recovery portal.

    For Institutional Recovery Key, you must remove the private key from the master keychain before sending the FileVault policy to endpoints. If you fail to do this, the private key will be placed on each endpoint along with the public key.

    After you upload a key, a Download Public Key link appears that allows you to retrieve the key to verify it, if necessary.

    After the disk is encrypted following a reboot, it can take up to an hour for recovery keys to be backed up.

  9. Configure Additional Options as needed:
    1. Select Prompt user to enable FileVault at log in only to prompt the user for the Enable FileVault password at the next attempt to sign in. If you do not select this option, the user is prompted for the Enable FileVault password at the next attempt to sign out.
    2. Select Allow user to cancel Enable FileVault log in prompt and choose a Condition.
      • Select Always allow user to cancel prompt to let the user cancel the Enable FileVault password prompt an unlimited number of times.
      • Select Only allow user to cancel prompt to put a limit on the number of times the user can cancel the prompt before being forced to enter a password to enable FileVault.
  10. Click Create.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create a Windows firewall management policy

When a Windows firewall management policy is enforced on an endpoint, Enforce starts the MpsSvc (Windows Firewall) service on that endpoint.

The maximum number of firewall rules for each policy is 1000.

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select Firewall Management - Windows and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  6. In the Rule Management section, choose Replace or Merge.
    The Replace option removes all existing firewall rules on the endpoint and replaces them with the rules in this policy. The Merge option leaves the existing firewall policies on the endpoint in place and adds the rules in this policy.
  7. Configure the following settings in the Firewall Profiles section:
    1. Expand Domain, Private, and/or Public to define the policy profiles. For more information about profiles, see Microsoft Technet: Understanding Firewall Profiles.
    2. For Network Selection, choose Default, Enabled, or Disabled.

Create a new Windows firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule and then click Create:

    Name: This is a required field. Enter a brief name for the rule.
    Direction: This is a required field. Select Outbound, Inbound, or Bi-directional for the direction of the connection.
    Action: This is a required field. Select either Block or Allow depending on the type of rule you are creating.
    Network Protocol: This is a required field. Select a protocol. If you specify UDP or TCP for the protocol, then you must specify at least one value in the following fields: Application Path, Local Address(es), Local Port(s), Remote Address(es), Remote Port(s), or Service Name. For more information about protocols, see Microsoft Technet: Firewall Rule Properties.
    Group: This is an optional field. You can specify a group name here or choose one that already exists to help organize your firewall rules.
    Profiles: Select the applicable profiles. If you do not select one or more profiles, the rule is created as if all profiles were selected.
    Application Path: An example of an application path is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
    Local Address(es): Use this field to target the rule to specific local IP addresses. Separate IP addresses with commas.
    Local Port(s): This field is most likely populated for Inbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
    Remote Address(es): Use this field to target the rule to specific remote IP addresses. Separate IP addresses with commas.
    Remote Port(s): This field is most likely populated for Outbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
    Service Name: Use this field for a Windows Service Display name.

Import firewall rules from a Windows TSV file

Before you can import a firewall policy into Enforce from a Windows TSV file, you must export it from Windows.

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. In the left pane, right-click on Inbound Rules and click Export List..., and then save the file as a Text (Tab Delimited) .txt file.
  3. In the Firewall Rules section, click Import.
  4. Click Select TSV File to locate the file that contains the exported firewall rules and click Open. The Import window shows the file name and how many rules are being imported.
  5. Select the Direction and then click Proceed.
  6. Repeat these steps for Outbound Rules to export them from Windows and import them into Enforce.

If the file you are importing does not include a Service column, a warning displays. If your firewall rules depend on the Service field, add the Service column and re-export the firewall rules from Windows.

To add a Service column

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. Select Add/Remove Columns from the View menu.
  3. Select Service from Available columns, click Add, and then click OK.
  4. Select Export List from the Action menu and save it to a file.
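A pre-import check for an exported rule list, added here as an example and not Enforce's own code. It applies the two constraints stated above (a missing Service column matters only for rules that depend on it, and a policy holds at most 1000 rules); the column names and the UTF-16 encoding of the Windows export are assumptions, and the sample exports are constructed.

```python
import codecs
import csv
import io

# Limit taken from the procedure above; the header names are an assumption
# about what the Windows "Export List" action writes, not an Enforce API.
MAX_RULES_PER_POLICY = 1000
REQUIRED_COLUMNS = ("Name", "Action", "Protocol")


def load_export(path: str) -> str:
    """Read an exported rule list from disk.

    The MMC export is assumed to be UTF-16 text with a byte-order mark;
    anything without that mark is read as UTF-8 (BOM optional).
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def check_firewall_export(tsv_text: str, max_rules: int = MAX_RULES_PER_POLICY) -> dict:
    """Validate one exported list (inbound or outbound) before importing it.

    Returns the rule count, whether a Service column is present, and a list
    of warnings that mirror the points raised in the import procedure.
    """
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    headers = reader.fieldnames or []
    # Drop rows that are entirely blank (a trailing empty line in the export).
    rows = [r for r in reader if any((v or "").strip() for v in r.values())]
    warnings = []

    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        warnings.append("missing column(s): " + ", ".join(missing))

    has_service = "Service" in headers
    if not has_service:
        warnings.append("no Service column: rules that depend on the Service field "
                        "will lose it; add the column from the View menu and re-export")

    if len(rows) > max_rules:
        warnings.append(f"{len(rows)} rules exceed the per-policy limit of {max_rules}; "
                        "split the export across policies")

    return {"rule_count": len(rows), "has_service_column": has_service,
            "warnings": warnings}


# Constructed sample exports (not real endpoint data).
SAMPLE_EXPORT_NO_SERVICE = (
    "Name\tGroup\tProfile\tEnabled\tAction\tProgram\tProtocol\tLocal Port\tRemote Port\n"
    "Allow RDP\tRemote Desktop\tDomain\tYes\tAllow\tAny\tTCP\t3389\tAny\n"
    "Block Telnet\t\tAll\tYes\tBlock\tAny\tTCP\t23\tAny\n"
)
SAMPLE_EXPORT_WITH_SERVICE = (
    "Name\tAction\tProtocol\tService\tLocal Port\n"
    "Allow Spooler\tAllow\tTCP\tSpooler\tAny\n"
)

if __name__ == "__main__":
    for label, text in (("no Service column", SAMPLE_EXPORT_NO_SERVICE),
                        ("with Service column", SAMPLE_EXPORT_WITH_SERVICE)):
        print(label, check_firewall_export(text))
```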

Import firewall rules from Tanium Endpoints

  1. In the Firewall Rules section, click Import Rules from Tanium Endpoints from the Import drop-down menu.
  2. In the Import Rules from Tanium Endpoints window, select the rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create a Linux firewall management policy

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select Firewall Management - Linux and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  6. In the Linux Firewall Default Chain Policies section, select ACCEPT or DROP for the Input, Output, and Forward fields.

  7. In the Linux Firewall Default Rules section, view the default input, output, and forward rules. You cannot edit these defaults.

Create a new Linux firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule:

    Name: This is a required field. Enter a brief name for the rule.
    Table: Filter is the only supported table at this time.
    Chain: This is a required field. Select INPUT, OUTPUT, or FORWARD to specify where in a packet's delivery path the rule is evaluated.
    Target: This is a required field. Select one of the following:
      • ACCEPT: Allows the packet.
      • DROP: Drops the packet.
      • QUEUE: Passes the packet to userspace.
      • REJECT: Sends a response back and drops the packet.
    Network Protocol: This is an optional field where you select the protocol of the rule, that is, the protocol of the packet to check. The specified protocol can be one of the predefined options or a numeric value representing one of those protocols or a different one. Protocol all is the default when this option is omitted. Select the Inverse check box to include everything but the selected protocol.
    State: Select one of the following:
      • New: The packet has started a new connection.
      • Established: The packet is associated with a connection that has seen packets in both directions.
      • Related: The packet is starting a new connection, but is associated with an existing connection.
      • Invalid: The packet could not be identified for some reason.
    Source Address: A comma-separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse check box to include everything but the addresses you entered.
    Destination Address: A comma-separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse check box to include everything but the addresses you entered.

    Optional fields that might appear depending on choices you make for some of the fields above:

    Source port(s): A comma-separated list of ports or port ranges.
    Destination port(s): A comma-separated list of ports or port ranges.
    In Interface: Name of the interface on which the packet was received.
    Out Interface: Name of the interface on which the packet is going to be sent.

    Depending on the choices you make for the Chain, Target, and Network Protocol fields, additional optional fields might appear that you can complete.

  3. Click Create.

Import Linux firewall rules from Tanium endpoints

  1. In the Linux Firewall Rules section, click Import > Import Rules from Tanium Endpoints.
  2. In the Import Firewall Rules from Tanium Endpoints window, select the check boxes for rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.

Some imported rules might be labeled rule not supported..., which means that Enforce does not support that rule. The entire rule configuration is still shown in the rule listing so that you can configure it manually if needed.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create a Machine administrative template policy

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select Machine Administrative Templates and click Next.
    Machine administrative template policies target machine-based ADMX (Active Directory administrative templates) group policy objects.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  6. (Optional) To configure anti-malware settings, expand the Anti-Malware Specific Settings section and select Enable.
    1. To automatically add the required Tanium exclusions to the policy, click Create exclusions for Tanium processes.
    2. Determine if you should select Deploy definition update using Tanium for Managed Definitions and then complete the fields for Definition Grace Period to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value represents how old an Anti-malware definition can be before the policy is considered unenforced. The default grace period is 1 day.

      By default, anti-malware rules are configured to retrieve definitions directly from Microsoft. If an endpoint does not receive an update within the specified grace period, it is considered unenforced. When this option is selected, anti-malware rules are configured to use Tanium to deploy anti-malware definition updates.

  7. From the list of setting categories, expand or select a category to view and edit the available settings for that category.
    When you configure a policy, the following states are available for each setting: Not Configured, Enabled, and Disabled. Both Not Configured and Disabled use default Microsoft settings. When you change the state to Enabled, you can enter your own settings. For detailed explanations of each state, see Microsoft: Use the Settings app Group Policy in Windows 10.

    Expand Filters to enter criteria to filter the list of categories and settings. Additional filters can also be applied to the policy names within the categories.

    Some high-level categories for Machine administrative template policies are listed in the following Machine Administrative Templates Policy Categories Example table.

    Machine Administrative Templates Policy Categories Example
    Category (top level): Overview
    Control Panel: Includes display, personalization, regional and language options, and printers.
    Google Chrome: Includes cookies, JavaScript, and image settings.
    MS Security Guide: Includes UAC restrictions and SMB server and client.
    MSS (Legacy): Includes legacy Windows registry values that predate group policy.
    Microsoft Edge: Includes download restrictions and autofill.
    Microsoft Office: Includes Windows security restrictions and storage of user passwords.
    Mozilla: Includes authentication, certificates, cookies, location, notifications, extensions, bookmarks, and other preferences.
    Network: Includes network connections.
    OneDrive: Includes OneDrive sync app, accounts, permissions, bandwidth management, and disk space options.
    Printers: Includes prevention of security issues with print driver installation.
    Start Menu and Taskbar: Includes notifications.
    System: Includes driver installation, display, locale services, group policy, mitigation options, logon, power management, removable storage access, and user profiles.
    Windows Components: Includes app runtime, attachment manager, autoplay policies, cloud content, credential user interface, edge UI, and Windows Defender antivirus.

    For the full list of policy settings included in Windows administrative template files, see Microsoft: Group Policy Settings Reference for Windows and Windows Server and Microsoft Security Compliance Toolkit 1.0.

  8. Click Add to policy after you configure a policy setting.
  9. After all settings for the policy are complete, click Create. The policy now appears in the Policies list.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create a remediation policy

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. You can also create a remediation policy from the Remediations tab of the Policies page.

  3. In the General Information section, enter a Name and optional Description for the policy.
  4. (Optional) Expand Content Set and select a content set.
  5. In the Policy Type section, select Remediation - Windows, Mac, or Linux and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  6. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  7. In the Remediation section, select the task that you want to run on your endpoint(s) from the Add Task drop-down menu.

    You can add the following types of tasks to a Windows remediation policy:

    • Delete File: deletes a single file or multiple files matching a glob pattern. See Remediation policy file pattern matching examples.
    • Delete Registry Key: deletes a registry key if it exists.
    • Edit Registry Data: modifies an existing registry value if it exists; optionally, the value can be created if it does not exist.
    • Kill Process: kills all processes that match the specified Process Type options: name, path, or hash. You can also optionally enter Command Line Args to use a regular expression to match against process command line arguments for any of the Process Type options.
    • Run Service Action: changes the running state of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

    • Run Service Configuration: changes the startup config of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

    • Update Registry Value: changes the name of a registry value if it exists or deletes the value if the delete option is selected.

      For tasks that modify the registry and target the HKEY_USERS hive, if you use the wildcard character (*) to target all users, users that are signed out when the policy is enforced are skipped.

    • Purge - Delete all nonessential files: provides a destructive, non-recoverable wipe of all non-Tanium and non-Windows files from the targeted system.
    • Purge - Freeze and lockout: provides a non-destructive lockout of the targeted system using BitLocker on computers that have a TPM chip and forces a BitLocker recovery.
    • Purge - Recover from freeze: reverses the Purge - Freeze and lockout policy by displaying the BitLocker recovery window. At that time a recovery key can be entered to recover the system.

      For more information about purge remediation policy types, see Create a purge remediation policy.

  8. You can add the following types of tasks to a Mac or Linux remediation policy:

    • Delete File: deletes a single file or multiple files matching a glob pattern.
    • Kill Process: kills all processes that match the specified Process Type options: name, path, or hash. You can also optionally enter Command Line Args to use a regular expression to match against process command line arguments for any of the Process Type options.
    • Run Service Action: changes the running state of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

  9. Complete the required fields for the task that you are defining.
  10. Add other tasks as needed for the policy. When you are finished adding all tasks, click Create.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Remediation policy file pattern matching examples

Enforce supports globs for pattern matching in remediation policies. See the Python documentation for details.

Recursive matching is not supported. Each directory level must be specified.

Each definition below is followed by an example of an actual path and the wildcard pattern that matches it.

  • Match a file by name in an unknown directory path.
    Actual Path: c:\a\b\c\file.exe
    Wildcard: c:\*\*\*\file.exe

  • Match any file in a known directory path.
    Actual Path: c:\a\b\c\file.exe
    Wildcard: c:\a\b\c\*

  • Match a specific file type in a partially known directory path.
    Actual Path: c:\a\b\c\file.exe
    Wildcard: c:\a\*\c\*.exe

  • Disable case sensitivity for the first character in a file name.
    Actual Path: c:\a\b\c\File.exe
    Wildcard: c:\a\b\c\[Ff]ile.exe

  • Match a single character in a file name.
    Actual Path: c:\a\b\c\cat.exe
    Actual Path: c:\a\b\c\bat.exe
    Wildcard: c:\a\b\c\?at.exe

  • Do not match a character in a file name.
    Actual Path: c:\a\b\c\cat.exe
    Wildcard: c:\a\b\c\[!c]at.exe
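The following example, added here and not part of Enforce or its documentation, reproduces the glob behaviour described above: Python-style wildcards, but with no recursive matching, so each directory level must be given explicitly. It matches the pattern one backslash-separated component at a time with fnmatch, which is what keeps `*` from spanning a directory separator; case-sensitive matching is assumed, which is why the table uses [Ff] to accept either capitalisation, and the candidate paths are constructed.

```python
from fnmatch import fnmatchcase


def glob_matches(pattern: str, path: str) -> bool:
    """Return True if `path` matches `pattern` component by component.

    Each backslash-separated component of the pattern is matched against the
    corresponding component of the path with fnmatchcase, so the wildcards
    behave as in Python's glob: '*' (any run of characters within a single
    component), '?' (exactly one character), '[Ff]' (character set) and
    '[!c]' (negated set). Because components are paired up, a pattern with a
    different number of levels than the path never matches: there is no
    recursive '**', as the documentation states.
    """
    pat_parts = pattern.split("\\")
    path_parts = path.split("\\")
    if len(pat_parts) != len(path_parts):
        return False
    return all(fnmatchcase(p, q) for p, q in zip(path_parts, pat_parts))


def matching_paths(pattern: str, candidates):
    """Return the subset of `candidates` that a Delete File task using this
    pattern would select. `candidates` is a constructed list, not data
    collected from an endpoint."""
    return [p for p in candidates if glob_matches(pattern, p)]


# Constructed sample inventory mirroring the paths in the table above, plus
# one path that is a level shallower and one that is a level deeper.
SAMPLE_PATHS = [
    r"c:\a\b\c\file.exe",
    r"c:\a\b\c\File.exe",
    r"c:\a\b\c\cat.exe",
    r"c:\a\b\c\bat.exe",
    r"c:\a\b\c\notes.txt",
    r"c:\a\b\file.exe",
    r"c:\a\b\c\d\file.exe",
]

if __name__ == "__main__":
    for pat in (r"c:\*\*\*\file.exe", r"c:\a\b\c\*", r"c:\a\*\c\*.exe",
                r"c:\a\b\c\[Ff]ile.exe", r"c:\a\b\c\?at.exe",
                r"c:\a\b\c\[!c]at.exe", r"c:\*\file.exe"):
        # The last pattern matches nothing: '*' cannot stand in for
        # several directory levels.
        print(f"{pat:26} -> {matching_paths(pat, SAMPLE_PATHS)}")
```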

Create a purge remediation policy

Use a purge remediation policy to take action on lost or stolen endpoints by remotely wiping all nonessential data or freezing the endpoint to prevent attempts to sign in.

Test these policies prior to implementing them in a production environment.

The following information applies to remediation purge policies:

  • A remediation policy that contains a purge cannot have any other tasks. Conversely, if there is already a task in a remediation policy, you cannot add a purge task.
  • A remediation policy that contains a purge can only be targeted to individual computers, not computer groups.
  • The Enforce Endpoint Wipe Action privilege is required for this policy.

To create a purge remediation policy, complete the following steps:

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. You can also create a remediation policy from the Remediations tab of the Policies page.

  3. In the General Information section, enter a Name and optional Description for the policy.
  4. (Optional) Expand Content Set and select a content set.
  5. In the Policy Type section, select Remediation - Windows and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  6. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.
  7. In the Remediation section, select the task that you want to run on your endpoint(s) from the Add Task drop-down menu.

    The following purge tasks are available:

    • Purge - Delete all nonessential files: provides a destructive, non-recoverable wipe of all non-Tanium and non-Windows files from the targeted system by completing the following tasks.

      BitLocker and TPM are not required. This process can take up to an hour to complete.

      • Locks the endpoint with UAL content and reboots the system to close open programs
      • Takes ownership and gains permission for all files possible
      • Deletes all files that are not open or in the c:\windows\ and %programfiles%\Tanium\Tanium Client\ folders
      • Deletes the BitLocker key from the hardware TPM (if BitLocker is enabled)
      • Performs a three pass wipe on the freed disk space
      • At start-up, displays the BitLocker recovery screen instead of booting into Windows (if BitLocker is enabled)
      1. In the Requested By field, enter the name of the person or business group that is requesting the purge.
      2. Enter a BitLocker Pre-Boot Recovery Message. This message displays to users at start-up (if BitLocker is enabled).
      3. Enter the MAC address for the selected target to ensure that the correct target receives the action, as a MAC address is a more distinct identifier than a host name.
    • Purge - Freeze and lockout: provides a non-destructive user lockout of the targeted system using BitLocker on computers that have a TPM chip by completing the following tasks.

      For both freeze and lockout features, the endpoint must have BitLocker enabled and disk encryption with TPM. If BitLocker is not enabled, the user is still prevented from signing in, but the endpoint is not prevented from booting.

      • Sets up a scheduled action after verifying endpoint requirements are met
      • Deletes the BitLocker key from the hardware TPM
      • Forces a shutdown of the endpoint
      • At start-up, displays the BitLocker recovery screen instead of booting into Windows
      1. In the Requested by field, enter the name of the person or business group requesting the freeze.
      2. Enter a BitLocker Pre-Boot Recovery Message. This message displays to users at start-up.
      3. Enter the MAC address for the selected target to ensure that the correct target receives the action, as a MAC address is a more distinct identifier than a host name.
    • Purge - Recover from freeze: reverses the freeze and lockout. This task runs after the user manually recovers BitLocker by using the recovery key, but still cannot sign in due to the account lockout. This task restores the user account, which allows the user to sign in again.
      • Adds TPM back to the BitLocker protectors list
      • Recovers locked out account
      • The user must enter the recovery key and boot to Windows before the machine can be unfrozen.
  8. Click Create.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create an SRP management policy

When you enable Windows SRP for the first time, targeted endpoints must be rebooted in order for SRP Management policies to be enforced.

You might want to enforce an SRP Management policy that does not block anything or allows a path that is always trusted, such as the Tanium Client. With this practice, the required reboot does not have to take place when you need to push out an urgent policy, such as a policy to block a malicious application.

  1. From the Enforce menu, go to Policies and then click Create Policy.
  2. In the General Information section, enter a Name and optional Description for the policy.
  3. (Optional) Expand Content Set and select a content set.
  4. In the Policy Type section, select SRP Management and then click Next.

    You can filter policy types by operating system (All, Windows, Mac, Linux).

  5. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. In the Starting Point section, select an existing policy.

Create an SRP process rule using a path

  1. In the Path Rules section, click Create.
  2. Enter a Name for the rule.
  3. Enter the path or filename in the Path field. Full paths, environment variables, and filenames are supported.
  4. Continue adding rules as necessary and click Create when you are finished.

Create an SRP process rule using a hash

  1. In the Hash Rules section, click Create.
  2. Enter a Name for the rule.
  3. Enter the MD5 Hash.
  4. Enter the File Size in bytes and click Save.
  5. Continue adding rules as necessary and click Create when you are finished.

You can enforce a policy from three different places in Enforce:

  • The Enforcements page
  • The Policies page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Be aware of AppLocker Allow or Deny rules set in your Domain Policy – these rules might prevent SRP process rules created in Enforce from being enforced.

Import policies

You can import one or more policies from a JSON file.

  1. From the Enforce menu, click Policies.
  2. Click Import Policy from any tab on the Policies page.
  3. Click Browse for file, select the JSON file, and click Import.
  4. Make any necessary changes and then click Save.

    You might have to change an imported policy name if the name conflicts with the name of an existing policy.

Imported policies appear on the Policies page.

Export policies

  1. From the Enforce menu, click Policies.
  2. Select the policies that you want to export and then click Export.

Each policy is downloaded as a separate JSON file. You can use a downloaded JSON file to import that policy.

Prioritize policies

A single policy can contain multiple settings. When several policies are enforced on an endpoint, unique settings across all policies are applied. If duplicate settings exist for an endpoint, the setting with the lowest priority number takes precedence. See Overview for more information about how policy settings are applied to endpoints.

The policy with the highest priority has the lowest priority number. For example, a policy with a priority of 1 takes precedence over a policy with a priority of 10.

Set the prioritization of policies to determine which policy setting is applied if a conflict exists.

  1. From the Enforce menu, go to Policies and click Prioritize to make the priority fields editable.
  2. Click the priority field for the policy you want to change and enter a new priority number. Click Preview updated priorities to accept the change or Cancel to undo the change. When you click Preview updated priorities, the priority numbers for all policies are updated based on your change.
  3. (Optional) To revert your changes back to the original priorities, click Cancel.
  4. To keep the new priorities, click Save.