Enforce requirements

Review the requirements before you install and use Enforce.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers: 7.3.314.4250 or later

  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Solution dependencies

Other Tanium solutions are required for Enforce to function (required dependencies) or for specific Enforce features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Enforce dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Enforce requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Enforce, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Enforce to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Enforce has the following required dependencies at the specified minimum versions:

  • Tanium™ Endpoint Configuration 1.5.252 or later (installed as part of Tanium Client Management 1.8.181 or later)
  • Tanium™ Interact 2.12.82 or later
  • Tanium™ Trends 3.8.117 or later
  • Tanium™ System User Service 1.0.72 or later
  • Tanium™ RDB Service 1.0.148 or later

If the Tanium Core Content version is missing or not up to date, the following alert is displayed: Tanium Core Content solution is missing or minimum version is not satisfied. Install the Core Content solution and then restart the Enforce module service.

After you install the latest version, restart the Enforce module service. For Windows, restart the service in the Service Manager on the Tanium Module Server. For TanOS, see Tanium Appliance Deployment Guide: Start, stop, or restart Tanium services.

Feature-specific dependencies

Enforce has the following feature-specific dependencies at the specified minimum versions:

  • Tanium™ Core Content 1.2.1 or later is required for BitLocker and FileVault policies
  • Tanium™ Direct Connect 1.1.0 or later is required for BitLocker and FileVault policies
  • Tanium™ End-User Notifications 1.6.5 or later is required for BitLocker and FileVault policies

Client extensions

Tanium Endpoint Configuration installs client extensions for Enforce on endpoints. Client extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension before it loads the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Enforce functions:

  • Enforce CX - Provides Enforce functions on the endpoint. Tanium Enforce installs this client extension.
  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • Recorder CX - Provides the ability to save event data on each endpoint and monitor the endpoint kernel and other low-level subsystems to capture a variety of events. Tanium Enforce, Tanium Integrity Monitor, Tanium Map, or Tanium Threat Response installs this client extension.
  • DEC CX - Provides a direct connection between the endpoint and the Module Server (or Tanium Cloud). Tanium Direct Connect installs this client extension.
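
The Tanium Client checks extension code signatures itself at load time; the following script is an added example (not from the Tanium documentation or the Tanium product) of the independent check an administrator can run on a Windows endpoint to confirm that the client binaries and extension libraries carry a valid Authenticode signature from the signer you expect. It assumes the default client install path (override with -TaniumClient) and that the client extension DLLs live under an `extensions` subfolder of the client directory, which is an assumption and not stated on this page.

```powershell
# Added example, not Tanium code: verify Authenticode signatures on the Tanium Client
# and its client extensions. Assumed paths: default install directory and an
# "extensions" subfolder holding the *.dll client extensions.
param(
    [string]$TaniumClient = "C:\Program Files (x86)\Tanium\Tanium Client",  # assumed default
    [string[]]$ExpectedThumbprints = @()   # optional: pin the vendor signing cert(s)
)

function Get-TaniumSignatureReport {
    param([string]$Root)
    $targets = @(
        (Join-Path $Root "TaniumClient.exe"),
        (Join-Path $Root "TaniumCX.exe")
    )
    $extDir = Join-Path $Root "extensions"   # assumed location of the client extensions
    if (Test-Path -LiteralPath $extDir) {
        $targets += Get-ChildItem -LiteralPath $extDir -Filter *.dll -Recurse |
                    Select-Object -ExpandProperty FullName
    }
    foreach ($file in $targets) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ File = $file; Status = "Missing"; Signer = $null; Thumbprint = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File       = $file
            Status     = [string]$sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    }
}

function Test-TaniumSignatures {
    param([string]$Root, [string[]]$Pins)
    $report = @(Get-TaniumSignatureReport -Root $Root)
    # "Signed" is not the same as "signed by the vendor you expect": a valid signature
    # from an unknown signer is a finding when thumbprints are pinned.
    $findings = @($report | Where-Object {
        $_.Status -ne "Valid" -or ($Pins.Count -gt 0 -and $_.Thumbprint -notin $Pins)
    })
    [pscustomobject]@{ Checked = $report.Count; Findings = $findings; Report = $report }
}

$result = Test-TaniumSignatures -Root $TaniumClient -Pins $ExpectedThumbprints
$result.Report | Format-Table File, Status, Signer -AutoSize
if ($result.Findings.Count -gt 0) {
    Write-Warning ("Signature findings: " + $result.Findings.Count)
    $result.Findings | Format-Table File, Status, Thumbprint -AutoSize
    exit 1
}
```

Run it once on a known-good endpoint to collect the signer thumbprint, then pass that value as -ExpectedThumbprints on other hosts so that a binary signed by anyone else is reported even though its signature is technically valid.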

Tanium™ Module Server

Enforce is installed and runs as a service on the Tanium Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported Internet protocols

Enforce supports IPv4 addresses.

Supported operating systems

Enforce policies support the following endpoint operating systems.

All Windows editions that support the Group Policy feature are supported for each of the following Windows versions. Available Group Policy settings vary depending on Windows version and edition. Windows 7 SP1 and Windows Server 2008 R2 SP1 require Microsoft KB2758857 for every policy type below that supports them.

Anti-malware: System Center Endpoint Protection (SCEP)
  • Windows 7 SP1 or later Enterprise, Professional, or Ultimate (KB2758857 required)
  • Windows Server 2008 R2 SP1 or later (KB2758857 required)

Anti-malware: Windows Defender
  • Windows 8.1 or later Enterprise or Professional
  • Windows Server 2016 or later

Applocker
  • Windows 7 SP1 Enterprise, Ultimate, Embedded, or Windows Embedded POSReady 7 (KB2758857 required)
  • Windows 8.1 Enterprise
  • Windows 10 Enterprise
  • Windows 11 Enterprise
  • Windows Server 2008 R2 SP1 or later (KB2758857 required)

BitLocker
  • Windows 7 SP1 Enterprise or Ultimate (KB2758857 required; Windows 7 endpoints must have a TPM chip to use BitLocker)
  • Windows 8.1 Enterprise or Pro
  • Windows 10 Education, Pro Education, Enterprise, or Pro
  • Windows 11 Enterprise or Pro

Device Control - Windows
  • Windows 7 SP1 or later (KB2758857 required)
  • Windows Server 2008 R2 SP1 or later (KB2758857 required)

FileVault
  • macOS 10.13.6 High Sierra or later

Firewall Management - Linux
  • CentOS 6, 7, or 8
  • Red Hat Enterprise Linux (RHEL) 6, 7, or 8
  • Oracle Linux (OEL) 6, 7, or 8
  • Ubuntu 16 or 18

Firewall Management - Windows
  • Windows 7 SP1 or later (KB2758857 required)
  • Windows Server 2008 R2 SP1 or later (KB2758857 required)

Machine Administrative Templates (requires Windows Pro or Enterprise edition)
  • Windows 7 SP1 or later (KB2758857 required)
  • Windows Server 2008 R2 SP1 or later (KB2758857 required)

Remediation - Linux
  • CentOS 6, 7, or 8
  • Red Hat Enterprise Linux (RHEL) 6, 7, or 8
  • Ubuntu 16 or 18

Remediation - Mac
  • macOS 10.13.6 High Sierra or later

Remediation - Windows (requires Windows Pro or Enterprise edition)
  • Windows 7 SP1 or later (KB2758857 required; purge tasks are not supported on Windows 7)
  • Windows Server 2008 R2 SP1 or later (KB2758857 required)

SRP Management (requires Windows Pro or Enterprise edition)
  • Windows 7 SP1 or later (KB2758857 required)
  • Windows Server 2008 R2 SP1 or later (KB2758857 required)

Host and network security requirements

Specific ports and processes are needed to run Enforce.

Required ports

The following ports are required for Enforce communication. Entries for the Module Server apply to Tanium Cloud in a cloud deployment.

  • Module Server (or Tanium Cloud), inbound, 17475/TCP: Required only when you use disk encryption policies. Allows communication between the Module Server and endpoints for Direct Connect.
  • Module Server (or Tanium Cloud), loopback, 17476/TCP: Required only when you use disk encryption policies. Allows notifications on endpoints from the End-User Notifications shared service.
  • Module Server (or Tanium Cloud), loopback, 17497/TCP: Internal purposes; not externally accessible.
  • Module Server (or Tanium Cloud), loopback, 17512/TCP: Required only when you use BitLocker and the BitLocker recovery database is hosted on the Module Server (or Tanium Cloud).
  • Recovery portal server, inbound, 443/TCP: Required only when you use the recovery portal with disk encryption policies. Allows users to access the recovery portal.
  • Recovery portal server, outbound, 443/TCP: Required only when you use the recovery portal with disk encryption policies. Allows the recovery portal to access the Tanium Server.
  • Zone Server (or Tanium Cloud), inbound, 17486/TCP: Required only when you use disk encryption policies for external endpoints that connect through a Zone Server.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
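
The script below is an added example, not part of the Tanium documentation, showing how the port table translates into a host-level check on an on-premises Windows Module Server: it opens the Direct Connect port with a port-based rule (the Windows Defender Firewall equivalent of the TCP-based, not application-identity-based, rule recommended above), confirms that the loopback-only ports are bound to a loopback address rather than a wildcard address, and, when run on an endpoint, tests the TCP path to the Module Server and Zone Server. It assumes Windows Defender Firewall is the host firewall; the -ModuleServer and -ZoneServer host names are placeholders.

```powershell
# Added example, not Tanium code: preflight for the Enforce port table on a Windows
# Module Server or endpoint. Host names are placeholders for your own servers.
param(
    [ValidateSet("ModuleServer", "Endpoint")]
    [string]$Role = "ModuleServer",
    [string]$ModuleServer = "moduleserver.example.internal",   # placeholder
    [string]$ZoneServer   = "zoneserver.example.internal"      # placeholder
)

# Loopback-only ports from the table. A listener on 0.0.0.0 or :: would contradict
# "not externally accessible", so that is what Test-LoopbackBinding flags.
$LoopbackPorts = 17476, 17497, 17512

# Port-based inbound rule (protocol + port) rather than a program rule. Idempotent:
# re-running the script does not create duplicate rules.
function New-EnforceInboundRule {
    param([int]$Port, [string]$Purpose)
    $name = "Tanium Enforce $Purpose TCP $Port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $Port | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Get-NetFirewallPortFilter |
        Select-Object @{ n = "Rule"; e = { $name } }, Protocol, LocalPort
}

# Report every listener on a loopback-only port and flag any bound to a wildcard address.
function Test-LoopbackBinding {
    param([int]$Port)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Port         = $Port
                LocalAddress = $_.LocalAddress
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                Exposed      = ($_.LocalAddress -in @("0.0.0.0", "::"))
            }
        }
}

# Run on an endpoint: confirm the TCP path to the ports that endpoints actually need.
function Test-EnforcePath {
    param([string]$Target, [int]$Port)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Port = $Port; TcpOpen = $r.TcpTestSucceeded }
}

switch ($Role) {
    "ModuleServer" {
        New-EnforceInboundRule -Port 17475 -Purpose "Direct Connect"
        $LoopbackPorts | ForEach-Object { Test-LoopbackBinding -Port $_ } | Format-Table -AutoSize
    }
    "Endpoint" {
        Test-EnforcePath -Target $ModuleServer -Port 17475   # Direct Connect (disk encryption)
        Test-EnforcePath -Target $ZoneServer   -Port 17486   # external endpoints via Zone Server
    }
}
```

Open only the ports your deployment actually uses: 17475 and 17486 are needed only with disk encryption policies, and a row in the Test-LoopbackBinding output with Exposed set to True is worth investigating before you add any firewall rule for that port.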

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Enforce security exclusions

Module Server
  • Process: <Module Server>\services\enforce-service\node.exe

Windows x86 endpoints
  • Process: <Tanium Client>\Tools\StdUtils\7za.exe
  • Process: <Tanium Client>\Tools\Enforce\devcon32.exe
  • Process: <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe
  • Process: <Tanium Client>\Python38\TPython.exe (Python exclusions depend on the Tanium Client version, 7.4.x or 7.2.x)
  • Folder: <Tanium Client>\Python38 (Python exclusions depend on the Tanium Client version, 7.4.x or 7.2.x)
  • Process: <Tanium Client>\TaniumClient.exe
  • Process: <Tanium Client>\TaniumCX.exe

Windows x64 endpoints
  • Process: <Tanium Client>\Tools\StdUtils\7za.exe
  • Process: <Tanium Client>\Tools\Enforce\devcon64.exe
  • Process: <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe
  • Process: <Tanium Client>\Python38\TPython.exe (Python exclusions depend on the Tanium Client version, 7.4.x or 7.2.x)
  • Folder: <Tanium Client>\Python38 (Python exclusions depend on the Tanium Client version, 7.4.x or 7.2.x)
  • Process: <Tanium Client>\TaniumClient.exe
  • Process: <Tanium Client>\TaniumCX.exe

macOS and Linux x86 and x64 endpoints
  • Process: <Tanium Client>/python38/python (Python exclusions depend on the Tanium Client version, 7.4.x or 7.2.x)
  • Folder: <Tanium Client>/python38 (Python exclusions depend on the Tanium Client version, 7.4.x or 7.2.x)
  • Process: <Tanium Client>/python38/bin/pybin
  • Process: <Tanium Client>/TaniumClient
  • Process: <Tanium Client>/TaniumCX

Zone Server
  • Process: <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
  • Process: <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe

To use Enforce features that require End-User Notifications or Direct Connect, you must also configure the required security exclusions for each of these services to allow them to run without interference.
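
The following script is an added example, not from the Tanium documentation, of registering the Windows exclusions in the table above with Microsoft Defender Antivirus and then verifying that they took effect. It assumes Defender is the AV in use, that the script runs elevated, and that the three install paths are the defaults (replace them with the actual <Tanium Client>, <Module Server> and <Tanium Installation Directory> on your hosts); the devcon32/devcon64 choice follows the OS architecture as the table does. macOS and Linux exclusions are configured in that platform's AV product and are not covered here.

```powershell
# Added example, not Tanium code: apply and verify the Enforce Defender exclusions.
# Install paths below are assumed defaults; pass the real ones for your deployment.
param(
    [ValidateSet("Endpoint", "ModuleServer", "ZoneServer")]
    [string]$Role = "Endpoint",
    [string]$TaniumClient  = "C:\Program Files (x86)\Tanium\Tanium Client",  # assumed default
    [string]$ModuleServer  = "C:\Program Files\Tanium\Tanium Module Server",  # assumed default
    [string]$TaniumInstall = "C:\Program Files\Tanium"                        # assumed default
)

# Build the exclusion set for a host role straight from the table above.
function Get-EnforceExclusions {
    param([string]$Role)
    switch ($Role) {
        "ModuleServer" {
            @{ Process = @("$ModuleServer\services\enforce-service\node.exe"); Folder = @() }
        }
        "ZoneServer" {
            @{ Process = @(
                   "$TaniumInstall\Tanium Direct Connect Zone Proxy\node.exe",
                   "$TaniumInstall\Tanium Direct Connect Zone Proxy\twsm.exe"); Folder = @() }
        }
        "Endpoint" {
            $devcon = if ([Environment]::Is64BitOperatingSystem) { "devcon64.exe" } else { "devcon32.exe" }
            @{
                Process = @(
                    "$TaniumClient\Tools\StdUtils\7za.exe",
                    "$TaniumClient\Tools\Enforce\$devcon",
                    "$TaniumClient\Tools\Enforce\LocalPolicyTool.exe",
                    "$TaniumClient\Python38\TPython.exe",
                    "$TaniumClient\TaniumClient.exe",
                    "$TaniumClient\TaniumCX.exe")
                Folder  = @("$TaniumClient\Python38")
            }
        }
    }
}

# Add only exclusions whose target exists. Excluding a path that is not there yet is a
# standing invitation for an attacker to create it later and run unscanned from it.
function Add-EnforceExclusions {
    param([string]$Role)
    $ex      = Get-EnforceExclusions -Role $Role
    $procs   = @($ex.Process | Where-Object { Test-Path -LiteralPath $_ })
    $folders = @($ex.Folder  | Where-Object { Test-Path -LiteralPath $_ })
    $missing = @($ex.Process + $ex.Folder | Where-Object { -not (Test-Path -LiteralPath $_) })
    if ($missing.Count -gt 0) { Write-Warning ("Not present, skipped: " + ($missing -join ", ")) }
    if ($procs.Count   -gt 0) { Add-MpPreference -ExclusionProcess $procs }
    if ($folders.Count -gt 0) { Add-MpPreference -ExclusionPath    $folders }
}

# Read back the effective Defender preferences so the change is verified, not assumed.
function Test-EnforceExclusions {
    param([string]$Role)
    $pref = Get-MpPreference
    $ex   = Get-EnforceExclusions -Role $Role
    foreach ($p in $ex.Process) {
        [pscustomobject]@{ Type = "Process"; Path = $p; Present = ($pref.ExclusionProcess -contains $p) }
    }
    foreach ($f in $ex.Folder) {
        [pscustomobject]@{ Type = "Folder";  Path = $f; Present = ($pref.ExclusionPath -contains $f) }
    }
}

Add-EnforceExclusions  -Role $Role
Test-EnforceExclusions -Role $Role | Format-Table -AutoSize
```

A Defender process exclusion means files opened by that process are not scanned, so keep the list to exactly the binaries in the table rather than excluding the whole client directory; if Defender is managed by Group Policy or Intune, set the same entries there instead, because local Add-MpPreference changes are overwritten by policy.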

Internet URLs

For anti-malware policies, allow outbound communication from the Tanium Module Server to the following Microsoft download URLs. See Managed Anti-Malware definitions download URLs for configuration details.

Enforce Internet URLs

Windows x86 endpoints
  • https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86
  • https://go.microsoft.com/fwlink/?LinkId=211053
  • https://definitionupdates.microsoft.com
  • http://catalog.update.microsoft.com [1]
  • http://catalog.s.download.windowsupdate.com [1]

Windows x64 endpoints
  • https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
  • https://go.microsoft.com/fwlink/?LinkId=211054
  • https://definitionupdates.microsoft.com
  • http://catalog.update.microsoft.com [1]
  • http://catalog.s.download.windowsupdate.com [1]

[1] Required for Microsoft Defender Platform updates. For more information, see Windows Defender Platform Updates.
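
The script below is an added example, not from the Tanium documentation, for confirming from the Module Server that each of the URLs above is reachable through the server's egress path (proxy, firewall, URL filtering) without downloading any definition content. It assumes a Windows Module Server with PowerShell 5.1 or later and that the system proxy settings are the ones the Tanium services use.

```powershell
# Added example, not Tanium code: HEAD-probe the Microsoft download URLs from the
# Module Server. A redirect or even a 4xx proves the host answered; only "no response"
# means the egress path is blocked.
$Urls = @(
    "https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86",
    "https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64",
    "https://go.microsoft.com/fwlink/?LinkId=211053",
    "https://go.microsoft.com/fwlink/?LinkId=211054",
    "https://definitionupdates.microsoft.com",
    "http://catalog.update.microsoft.com",
    "http://catalog.s.download.windowsupdate.com"
)

# Windows PowerShell 5.1 may default to older TLS versions; Microsoft endpoints need TLS 1.2.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function New-ProbeResult {
    param([string]$Url, $Status, $Location, [bool]$Reachable, $Error)
    [pscustomobject]@{ Url = $Url; Status = $Status; Location = $Location; Reachable = $Reachable; Error = $Error }
}

function Test-EgressUrl {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "HEAD"
    $req.AllowAutoRedirect = $false      # fwlink URLs answer with a redirect; that is success
    $req.Timeout = 15000
    $req.Proxy = [System.Net.WebRequest]::DefaultWebProxy
    try {
        $resp = $req.GetResponse()
        $out = New-ProbeResult -Url $Url -Status ([int]$resp.StatusCode) -Location $resp.Headers["Location"] -Reachable $true -Error $null
        $resp.Close()
        $out
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            # 4xx/5xx: the server answered through the egress path, so the path itself is open.
            $out = New-ProbeResult -Url $Url -Status ([int]$resp.StatusCode) -Location $resp.Headers["Location"] -Reachable $true -Error $null
            $resp.Close()
            $out
        } else {
            # No response: DNS failure, proxy denial, TLS interception failure, or a blocked port.
            New-ProbeResult -Url $Url -Status $null -Location $null -Reachable $false -Error ([string]$_.Exception.Status)
        }
    }
}

function Test-EnforceEgress {
    param([string[]]$UrlList)
    $results = @($UrlList | ForEach-Object { Test-EgressUrl -Url $_ })
    $results | Format-Table Url, Status, Reachable, Error -AutoSize | Out-Host
    # Non-zero exit so the probe can gate a change window or run as a scheduled check.
    if (@($results | Where-Object { -not $_.Reachable }).Count -gt 0) { return 1 }
    return 0
}

exit (Test-EnforceEgress -UrlList $Urls)
```

If a probe fails only for the two http:// catalog hosts, check whether the egress policy forces HTTPS-only; those hosts are required for Defender Platform updates and are served over plain HTTP as listed.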

User role requirements

The following tables list the role permissions required to use Enforce. To review a summary of the predefined roles, see Set up Enforce users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

The Enforce service account role is for internal use only. It is automatically managed by the Enforce user. Do not assign the Enforce service account role to users.

Enforce Global user role permissions

Roles, in column order: Enforce Administrator (1,2); Enforce Defender Scan User (1,2); Enforce Defender Scan Viewer (1,2); Enforce Endpoint Configuration Approver (1,2,3); Enforce Operator (1,2); Enforce Policy Administrator (Global) (1,2); Enforce Policy User (Global) (1,2); Enforce Policy Viewer (Global) (1,2); Enforce Quarantine Administrator (1,2); Enforce Write Content Wipe Action (1,2). The permission levels below follow that column order.

Enforce
  SHOW: View the Enforce workbench. OPERATOR: Read, edit, and delete most Enforce objects (except edit access to Enforce settings).
  Levels: SHOW (4) for every role; Enforce Administrator and Enforce Operator also hold OPERATOR.

Enforce Administrator
  Unrestricted access to Enforce.
  Levels: ADMINISTER

Enforce Create
  Enforce policies in given content sets.
  Levels: ENFORCEMENT | ENFORCEMENT | ENFORCEMENT | ENFORCEMENT

Enforce Defender Scan
  View, create, or delete Defender scans.
  Levels: READ, WRITE | READ, WRITE | READ | READ, WRITE

Enforce Edit Any
  Edit available policy enforcements. Users always have access to enforcements that they created.
  Levels: ENFORCEMENT | ENFORCEMENT | ENFORCEMENT

Enforce Endpoint Configuration
  Approve Enforce items in Endpoint Configuration.
  Levels: APPROVER

Enforce Endpoint Configuration All
  View or create Endpoint Configuration items for Enforce.
  Levels: WRITE | WRITE | WRITE | WRITE | READ

Enforce Endpoint Wipe
  Issue Windows Remediation actions that wipe, freeze, or recover endpoints.
  Levels: ACTION | ACTION

Enforce Operator Settings
  Globally read or edit most Enforce settings.
  Levels: READ, WRITE | READ, WRITE

Enforce Policy
  Prioritize, view, create, or edit Enforce policy priorities in given content sets.
  Levels: PRIORITIZE, READ, WRITE | PRIORITIZE, READ, WRITE | PRIORITIZE, READ, WRITE | READ, WRITE | READ

Enforce Recovery Portal
  View recovery portal configuration and status, or write recovery portal configuration and download the installer.
  Levels: READ, WRITE

Enforce Settings
  Globally read or edit all Enforce settings.
  Levels: READ, WRITE

Enforce Write Policy
  Create policy packages for enforcements.
  Levels: none listed

Policy Template
  Read, edit, or delete policy templates in given content sets.
  Levels: READ, WRITE, DELETE | READ, WRITE, DELETE | READ, WRITE, DELETE | READ | READ

Policy Type
  Read or edit policy types in given content sets.
  Levels: READ, WRITE | READ, WRITE | READ, WRITE, DELETE | READ, WRITE | READ

Reports
  Read, edit, or delete reports in given content sets.
  Levels: READ, WRITE, DELETE | READ, WRITE, DELETE | READ, WRITE, DELETE | READ, WRITE, DELETE | READ

Restore from Quarantine
  Restore files quarantined by Microsoft Defender.
  Levels: ADMINISTER | ADMINISTER | ADMINISTER

1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

3 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

4 To import the Enforce solution, you must be assigned the Administrator reserved role.

Global Template (Permissions restricted by operating system content sets: Windows, macOS, or Linux) user role permissions

Roles, in column order: Enforce Policy Administrator (Template) (1,2); Enforce Policy User (Template) (1,2); Enforce Policy Viewer (Template) (1,2); Enforce Quarantine Administrator (1,2); Enforce Recovery Key Administrator (Template) (1,2); Enforce Recovery Key User (Template) (1,2); Enforce Recovery Key Viewer (Template) (1,2); Enforce Recovery Portal (Template) (1,2); Enforce Recovery Portal Administrator (Template) (1,2); Enforce Recovery Portal Viewer (Template) (1,2). The permission levels below follow that column order.

Disk Encryption Recovery Keys
  Read, edit, or delete recovery keys for disk encryption in given content sets.
  Levels: READ, DELETE | READ | READ

Enforce
  SHOW: View the Enforce workbench. OPERATOR: Read, edit, and delete most Enforce objects (except edit access to Enforce settings).
  Levels: SHOW (3) | SHOW (3) | SHOW (3) | SHOW (3) | SHOW (3) | SHOW (3) | SHOW (3) | SHOW (3) | SHOW (3)

Enforce Create
  Enforce policies in given content sets.
  Levels: ENFORCEMENT | ENFORCEMENT

Enforce Edit Any
  Edit available policy enforcements. Users always have access to enforcements that they created.
  Levels: ENFORCEMENT

Enforce Endpoint Configuration (Template)
  View or create Endpoint Configuration items for the OS.
  Levels: WRITE | WRITE | READ

Enforce Policy
  Prioritize, view, create, or edit Enforce policy priorities in given content sets.
  Levels: READ, WRITE | READ, WRITE | READ

Enforce Recovery
  Allows the user to be used as the Enforce Recovery Portal.
  Levels: PORTAL

Enforce Recovery Portal
  View recovery portal configuration and status, or write recovery portal configuration and download the installer.
  Levels: READ, WRITE | READ

Policy Template
  Read, edit, or delete policy templates in given content sets.
  Levels: READ, WRITE, DELETE | READ | READ

Policy Type
  Read or edit policy types in given content sets.
  Levels: READ, WRITE | READ, WRITE | READ

Quarantine
  Restore files quarantined by Microsoft Defender.
  Levels: ADMINISTER | ADMINISTER

Reports
  Read, edit, or delete reports in given content sets.
  Levels: READ, WRITE, DELETE | READ, WRITE, DELETE | READ
1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

3 To import the Enforce solution, you must be assigned the Administrator reserved role.

Module Objects with Access Control by Content Sets

Module objects: Policy Definition, Policy Type, Policy Templates, Policy Item, Managed Definition Files, Reports, Disk Encryption Recovery Keys.
Access control type for each object: Global or Content Set.

Provided administration and platform content permissions

Roles, in column order: Enforce Administrator (1); Enforce Defender Scan User (1); Enforce Defender Scan Viewer (1); Enforce Endpoint Configuration Approver (1); Enforce Operator (1); Enforce Policy Administrator (1); Enforce Policy User (1); Enforce Policy Viewer (1); Enforce Quarantine Administrator (1); Enforce Recovery Key Administrator (1); Enforce Recovery Key User (1); Enforce Recovery Key Viewer (1); Enforce Recovery Portal Administrator (1); Enforce Recovery Portal Viewer (1); Enforce Recovery Portal (1); Enforce Write Content Wipe Action (1). The permission levels below follow that column order.

Administration permissions
  • Action Group: WRITE | READ
  • Computer Group: WRITE | READ | READ | READ
  • Token - Use: WRITE | SPECIAL
  • Token - View: WRITE | SPECIAL

Platform Content permissions
  • Action: WRITE | WRITE | WRITE | WRITE | WRITE
  • Action for Saved Question: WRITE | WRITE
  • Filter Group: READ | READ | READ | READ | READ | READ | READ | READ | READ
  • Own Action: READ | READ | READ | READ | READ
  • Package: READ | READ | READ | READ | READ
  • Plugin: READ, EXECUTE | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE | READ; EXECUTE | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE
  • Saved Question: READ, WRITE | READ, WRITE | READ, WRITE
  • Sensor: READ, WRITE | READ | READ | READ, WRITE | READ | READ | READ | READ | READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.