Enforce requirements

Review the requirements before you install and use Enforce.

Tanium dependencies

In addition to a license for the Enforce module, make sure that your environment meets the following requirements.

Component               Requirement
Tanium™ Core Platform   7.3.314.4250 or later
Tanium™ Client          Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium products

If you selected Tanium Recommended Installation when you installed Enforce, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Enforce requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Enforce requires the following modules, at the minimum versions given:

  • Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
  • Tanium™ Interact 2.6 or later
  • Tanium™ Trends 3.6 or later

The following modules are optional, but Enforce requires the specified minimum versions to work with them:

  • Tanium™ Core Content 1.2.1 or later is required for BitLocker and FileVault policies
  • Tanium™ Direct Connect 1.1.0 or later is required for BitLocker and FileVault policies
  • Tanium™ End-User Notifications 1.6.5 or later is required for BitLocker and FileVault policies
  • Tanium™ Threat Response 3.1 or later is required for alert remediation

If the Tanium Core Content solution is missing or out of date, Enforce displays the following alert: "Tanium Core Content solution is missing or minimum version is not satisfied. Install the Core Content solution and then restart the Enforce module service."
After you install the latest version, restart the Enforce module service. On TanOS, follow the instructions in the Tanium Appliance Deployment Guide. On Windows, restart the service through Service Manager on the Tanium Module Server.

Tanium™ Module Server

Enforce is installed and runs as a service on the Tanium Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported Internet protocols

Enforce supports only IPv4 addresses.

Supported operating systems

Enforce policies support the following endpoint operating systems:

Policy and supported operating systems (notes follow the list where they apply)

Anti-malware: System Center Endpoint Protection (SCEP)
  • Windows 7
  • Windows Server 2008 R2, 2012, or 2012 R2

Anti-malware: Windows Defender
  • Windows 8 or 10
  • Windows Server 2016 or 2019

AppLocker
  • Windows 7 Enterprise, Ultimate, Embedded, or Windows Embedded POSReady 7
  • Windows 8 Enterprise, 8.1 Enterprise, or 10 Enterprise
  • Windows Server 2008 R2 or later

BitLocker
  • Windows 7 Enterprise or Ultimate
  • Windows 8 Enterprise or Pro
  • Windows 10 Education, Pro Education, Enterprise, or Pro

Note: Windows 7 endpoints must have a TPM chip to use BitLocker.

Device Control - Windows
  • Windows 7 SP1 or later
  • Windows Server 2008 R2 or later

FileVault
  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14.6 Mojave
  • macOS 10.13.6 High Sierra

Firewall Management - Linux
  • CentOS 6, 7, or 8
  • Red Hat Enterprise Linux (RHEL) 6, 7, or 8
  • Ubuntu 16 or 18

Firewall Management - Windows
  • Windows 7 SP1 or later
  • Windows Server 2008 or later

Machine Administrative Templates
  • Windows 7 SP1 or later
  • Windows Server 2008 R2 or later

Remediation - Linux
  • CentOS 6, 7, or 8
  • Red Hat Enterprise Linux (RHEL) 6, 7, or 8
  • Ubuntu 16 or 18

Remediation - Mac
  • Mac OS X Yosemite 10.10.5 or later

Remediation - Windows
  • Windows 7 SP1 or later
  • Windows Server 2008 R2 or later

SRP Management
  • Windows 7 SP1 or later
  • Windows Server 2008 or later


Host and network security requirements

Specific ports and processes are needed to run Enforce.

Required ports

The following ports are required for Enforce communication.

Component: Module Server (or Tanium as a Service)
  Direction   Port    Protocol   Purpose
  Inbound     17475   TCP        Required only when you use disk encryption policies. Allows communication between the Module Server (or Tanium as a Service) and endpoints for Direct Connect.
  Loopback    17476   TCP        Required only when you use disk encryption policies. Allows notifications on endpoints from the End-User Notifications shared service.
  Outbound    5432    TCP        Required only when you use disk encryption policies. Allows communication between the Module Server (or Tanium as a Service) and the database where the recovery keys are stored. This port is 5432 by default. If you use a different port, ensure that port is open.
  Inbound     17481   TCP        Required only when you use the recovery portal with disk encryption policies. Allows communication between the Module Server and the recovery portal.

Component: Recovery portal server
  Direction   Port    Protocol   Purpose
  Inbound     443     TCP        Required only when you use the recovery portal with disk encryption policies. Allows users to access the recovery portal.
  Outbound    443     TCP        Required only when you use the recovery portal with disk encryption policies. Allows the recovery portal to access the Tanium Server.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
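The following script is an added example, not Tanium's own code or tooling. It shows what a TCP port-based rule (rather than an application-identity rule) looks like on the Windows host firewall of a Module Server for the disk-encryption ports in the table above, and then checks the paths those rules are meant to open. The rule display names and the recovery-key database host are assumptions; replace them with your own values.

```powershell
# Added example, not Tanium's own code: on a Tanium Module Server, create TCP port-based
# Windows Defender Firewall rules for the Enforce disk-encryption ports in the table above,
# then verify the paths they are meant to open. Run from an elevated PowerShell session.
# Assumptions: the rule display names and the recovery-key database host are placeholders.

$RecoveryDbHost = 'recovery-db.example.internal'   # assumption: host of the recovery-key database
$RecoveryDbPort = 5432                             # 5432 is the default per the table; change if yours differs

# One entry per port from the table. 17476/TCP is loopback-only, so no host-firewall rule is made for it.
$rules = @(
    @{ Name = 'Tanium Enforce - Direct Connect 17475/TCP in';  Dir = 'Inbound';  Port = 17475 },
    @{ Name = 'Tanium Enforce - Recovery Portal 17481/TCP in'; Dir = 'Inbound';  Port = 17481 },
    @{ Name = 'Tanium Enforce - Recovery key DB 5432/TCP out'; Dir = 'Outbound'; Port = $RecoveryDbPort }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist under the same display name
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }

    # Match on protocol and port only; no -Program, so the rule is not tied to an application identity
    $params = @{ DisplayName = $r.Name; Direction = $r.Dir; Action = 'Allow'; Protocol = 'TCP' }
    if ($r.Dir -eq 'Inbound') { $params.LocalPort = $r.Port } else { $params.RemotePort = $r.Port }
    New-NetFirewallRule @params | Out-Null
}

# Check 1: the Module Server can reach the recovery-key database over TCP (host firewall and network path)
$db = Test-NetConnection -ComputerName $RecoveryDbHost -Port $RecoveryDbPort -WarningAction SilentlyContinue
if (-not $db.TcpTestSucceeded) {
    Write-Warning "No TCP path to ${RecoveryDbHost}:${RecoveryDbPort}; check the network firewall rules as well."
}

# Check 2: the inbound ports are actually listening on this host. An allow rule for a port that
# nothing listens on is harmless, but it also means the Enforce components are not yet running.
Get-NetTCPConnection -State Listen -LocalPort 17475, 17481 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The rules are scoped to a single port and protocol each, which is the narrowest match the table supports; a network firewall between the Module Server and the database or the endpoints still needs its own service-object rules, which the Test-NetConnection check will reveal if they are missing.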

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Enforce security exclusions
Target device / exclusion type / exclusion (client-version notes in parentheses)

Module Server
  Process   <Module Server>\services\enforce-service\7za.exe
  Process   <Module Server>\services\enforce-service\node.exe

Windows x86 endpoints
  Process   <Tanium Client>\Tools\StdUtils\7za.exe
  Process   <Tanium Client>\Tools\Enforce\devcon32.exe
  Process   <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe
  Process   <Tanium Client>\Python27\TPython.exe   (7.2.x clients)
  Process   <Tanium Client>\Python38\TPython.exe   (7.4.x clients)
  Folder    <Tanium Client>\Python38               (7.4.x clients)
  Process   <Tanium Client>\TaniumCX.exe

Windows x64 endpoints
  Process   <Tanium Client>\Tools\StdUtils\7za.exe
  Process   <Tanium Client>\Tools\Enforce\devcon64.exe
  Process   <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe
  Process   <Tanium Client>\Python27\TPython.exe   (7.2.x clients)
  Process   <Tanium Client>\Python38\TPython.exe   (7.4.x clients)
  Folder    <Tanium Client>\Python38               (7.4.x clients)
  Process   <Tanium Client>\TaniumCX.exe

macOS and Linux x86 and x64 endpoints
  Process   <Tanium Client>/python27/python        (7.2.x clients)
  Process   <Tanium Client>/python27/bin/pybin     (7.2.x clients)
  Process   <Tanium Client>/python38/python        (7.4.x clients)
  Process   <Tanium Client>/python38/bin/pybin     (7.4.x clients)
  Process   <Tanium Client>/TaniumCX
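As an added example (not Tanium's own code), the script below registers the Windows rows of the exclusion table in Microsoft Defender Antivirus, picking the devcon binary by architecture and the Python runtime by which client version is installed. The install directories are assumptions standing in for the <Tanium Client> and <Module Server> placeholders; other anti-malware or EDR products need their own equivalent of these calls.

```powershell
# Added example, not Tanium's own code: register the Enforce exclusions from the table above
# in Microsoft Defender Antivirus on a Windows endpoint (and, optionally, on the Module Server).
# Run from an elevated PowerShell session.
$TaniumClient   = 'C:\Program Files (x86)\Tanium\Tanium Client'    # assumption: your <Tanium Client> path
$ModuleServer   = 'C:\Program Files\Tanium\Tanium Module Server'   # assumption: your <Module Server> path
$IsModuleServer = $false                                            # set to $true when run on the Module Server host

# The table has separate x86 and x64 rows that differ only in the devcon binary
$devcon = if ([Environment]::Is64BitOperatingSystem) { 'devcon64.exe' } else { 'devcon32.exe' }

$processes = @(
    "$TaniumClient\Tools\StdUtils\7za.exe",
    "$TaniumClient\Tools\Enforce\$devcon",
    "$TaniumClient\Tools\Enforce\LocalPolicyTool.exe",
    "$TaniumClient\TaniumCX.exe"
)
$folders = @()

# Version-specific rows: 7.2.x clients ship Python27, 7.4.x clients ship Python38 (which also needs a folder exclusion).
# The runtime directory that exists tells us which client generation is installed.
if (Test-Path "$TaniumClient\Python27\TPython.exe") { $processes += "$TaniumClient\Python27\TPython.exe" }
if (Test-Path "$TaniumClient\Python38") {
    $processes += "$TaniumClient\Python38\TPython.exe"
    $folders   += "$TaniumClient\Python38"
}

if ($IsModuleServer) {
    $processes += "$ModuleServer\services\enforce-service\7za.exe",
                  "$ModuleServer\services\enforce-service\node.exe"
}

# Add only what is missing so the script can be re-run safely
$current = Get-MpPreference
foreach ($p in $processes) {
    if ($current.ExclusionProcess -notcontains $p) { Add-MpPreference -ExclusionProcess $p }
}
foreach ($f in $folders) {
    if ($current.ExclusionPath -notcontains $f) { Add-MpPreference -ExclusionPath $f }
}

# Review what is now excluded under the Tanium directories. Every entry should be a full path
# from the table; a bare file name or a wildcard would exempt far more than Enforce needs.
(Get-MpPreference).ExclusionProcess + (Get-MpPreference).ExclusionPath |
    Where-Object { $_ -like "$TaniumClient*" -or $_ -like "$ModuleServer*" }
```

A Defender process exclusion exempts the files that the named process opens, not the process binary itself, so keeping the entries to the exact paths in the table limits the blind spot to the Tanium tooling; the final listing is the check to run after the change, and again after a client upgrade moves the Python runtime from Python27 to Python38.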

Internet URLs

For anti-malware policies, allow outbound communication from the Tanium Module Server to the following Microsoft download URLs. See Managed Anti-Malware definitions download URLs for configuration details.

Windows x86 endpoints
  https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86
  https://go.microsoft.com/fwlink/?LinkId=211053
  https://definitionupdates.microsoft.com

Windows x64 endpoints
  https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
  https://go.microsoft.com/fwlink/?LinkId=211054
  https://definitionupdates.microsoft.com

User role requirements

Enforce Global user role permissions

Roles (table columns, in this order): Enforce Administrator [1,2]; Enforce Defender Scan User [1,2]; Enforce Defender Scan Viewer [1,2]; Enforce Endpoint Configuration Approver [1,2,3]; Enforce Operator [1,2]; Enforce Policy Administrator (Global) [1,2]; Enforce Policy User (Global) [1,2]; Enforce Policy Viewer (Global) [1,2]; Enforce Service Account [1,2]; Enforce Write Content Wipe Action [1,2]. For each permission, the populated cells are listed in that column order.

Enforce
  SHOW: View the Enforce workbench
  OPERATOR: Read, edit, and delete most Enforce objects (except edit access to Enforce settings)
  Cells: SHOW [4] + OPERATOR | SHOW [4] | SHOW [4] | SHOW [4] | SHOW [4] + OPERATOR | SHOW [4] | SHOW [4] | SHOW [4] | SHOW [4] + OPERATOR | SHOW [4]

Enforce Administrator
  Unrestricted access to Enforce
  Cells: ADMINISTER | ADMINISTER

Enforce Create
  Enforce policies in given content sets
  Cells: ENFORCEMENT | ENFORCEMENT | ENFORCEMENT | ENFORCEMENT | ENFORCEMENT

Enforce Defender Scan
  View, create, or delete Defender scans
  Cells: READ + WRITE | READ + WRITE | READ | READ + WRITE | READ + WRITE

Enforce Edit Any
  Edit available policy enforcements. Users always have access to enforcements that they created.
  Cells: ENFORCEMENT | ENFORCEMENT | ENFORCEMENT | ENFORCEMENT

Enforce Endpoint Configuration
  Approve Enforce items in Endpoint Configuration
  Cells: APPROVER

Enforce Endpoint Configuration All
  View or create Endpoint Configuration items for Enforce
  Cells: WRITE | WRITE | WRITE | WRITE | READ

Enforce Endpoint Wipe
  Issue Windows Remediation actions that wipe, freeze, or recover endpoints
  Cells: ACTION | PACKAGE | ACTION

Enforce Operator Settings
  Globally read or edit most Enforce settings
  Cells: READ + WRITE | READ + WRITE | READ + WRITE

Enforce Policy
  Prioritize, view, create, or edit Enforce policy priorities in given content sets
  Cells: PRIORITIZE + READ + WRITE | PRIORITIZE + READ + WRITE | PRIORITIZE + READ + WRITE | READ + WRITE | READ | PRIORITIZE + READ + WRITE

Enforce Recovery Portal
  View recovery portal configuration and status, or write recovery portal configuration and download the installer
  Cells: READ + WRITE | READ + WRITE

Enforce Service Account
  Service Account permissions
  Cells: EXECUTE

Enforce Settings
  Globally read or edit all Enforce settings
  Cells: READ + WRITE | READ + WRITE

Enforce Write Policy
  Create policy packages for enforcements
  Cells: PACKAGE

Policy Template
  Read, edit, or delete policy templates in given content sets
  Cells: READ + WRITE + DELETE | READ + WRITE + DELETE | READ + WRITE + DELETE | READ | READ | READ + WRITE + DELETE

Policy Type
  Read or edit policy types in given content sets
  Cells: READ + WRITE | READ + WRITE | READ + WRITE + DELETE | READ + WRITE | READ | READ + WRITE

Reports
  Read, edit, or delete reports in given content sets
  Cells: READ + WRITE + DELETE | READ + WRITE + DELETE | READ + WRITE + DELETE | READ + WRITE + DELETE | READ | READ + WRITE + DELETE

[1] This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.

[2] This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

[3] This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

[4] To import the Enforce solution, you must be assigned the Administrator reserved role or a role that has the Import Signed Content permission.

Global Template (permissions restricted by operating system content sets: Windows, macOS, or Linux) user role permissions

Roles (table columns, in this order): Enforce Policy Administrator (Template) [1,2]; Enforce Policy User (Template) [1,2]; Enforce Policy Viewer (Template) [1,2]; Enforce Recovery Key Administrator (Template) [1,2]; Enforce Recovery Key User (Template) [1,2]; Enforce Recovery Key Viewer (Template) [1,2]; Enforce Recovery Portal (Template) [1,2]; Enforce Recovery Portal Administrator (Template) [1,2]; Enforce Recovery Portal Viewer (Template) [1,2]. For each permission, the populated cells are listed in that column order.

Disk Encryption Recovery Keys
  Read, edit, or delete recovery keys for disk encryption in given content sets
  Cells: READ + DELETE | READ | READ

Enforce
  SHOW: View the Enforce workbench
  OPERATOR: Read, edit, and delete most Enforce objects (except edit access to Enforce settings)
  Cells: SHOW [3] | SHOW [3] | SHOW [3] | SHOW [3] | SHOW [3] | SHOW [3] | SHOW [3] | SHOW [3]

Enforce Create
  Enforce policies in given content sets
  Cells: ENFORCEMENT | ENFORCEMENT

Enforce Edit Any
  Edit available policy enforcements. Users always have access to enforcements that they created.
  Cells: ENFORCEMENT

Enforce Endpoint Configuration (Template)
  View or create Endpoint Configuration items for OS
  Cells: WRITE | WRITE | READ

Enforce Policy
  Prioritize, view, create, or edit Enforce policy priorities in given content sets
  Cells: READ + WRITE | READ + WRITE | READ

Enforce Recovery
  Allows the user to be used as the Enforce Recovery Portal
  Cells: PORTAL

Enforce Recovery Portal
  View recovery portal configuration and status, or write recovery portal configuration and download the installer
  Cells: READ + WRITE | READ

Policy Template
  Read, edit, or delete policy templates in given content sets
  Cells: READ + WRITE + DELETE | READ | READ

Policy Type
  Read or edit policy types in given content sets
  Cells: READ + WRITE | READ + WRITE | READ

Reports
  Read, edit, or delete reports in given content sets
  Cells: READ + WRITE + DELETE | READ + WRITE + DELETE | READ

[1] This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.

[2] This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

[3] To import the Enforce solution, you must be assigned the Administrator reserved role or a role that has the Import Signed Content permission.

Module Objects with Access Control by Content Sets

Module objects: Policy Definition, Policy Type, Policy Templates, Policy Item, Managed Definition Files, Reports, Disk Encryption Recovery Keys
Access control types: Global, Content Set

Provided administration and platform content permissions

Roles (table columns, in this order): Enforce Administrator [1]; Enforce Defender Scan User [1]; Enforce Defender Scan Viewer [1]; Enforce Endpoint Configuration Approver [1]; Enforce Operator [1]; Enforce Policy Administrator [1]; Enforce Policy User [1]; Enforce Policy Viewer [1]; Enforce Recovery Key Administrator [1]; Enforce Recovery Key User [1]; Enforce Recovery Key Viewer [1]; Enforce Recovery Portal Administrator [1]; Enforce Recovery Portal Viewer [1]; Enforce Recovery Portal [1]; Enforce Service Account; Enforce Write Content Wipe Action [1]. For each permission, the populated cells are listed in that column order.

Action Group (Administration)
  Cells: WRITE | READ | READ

Computer Group (Administration)
  Cells: WRITE | READ | READ | READ | READ

Token - Use (Administration)
  Cells: WRITE | SPECIAL

Token - View (Administration)
  Cells: WRITE | SPECIAL

Action (Platform Content)
  Cells: WRITE | WRITE | WRITE | WRITE | WRITE

Action for Saved Question (Platform Content)
  Cells: WRITE | WRITE | WRITE

Filter Group (Platform Content)
  Cells: READ | READ | READ | READ | READ | READ | READ | READ | READ

Own Action (Platform Content)
  Cells: READ | READ | READ | READ | READ

Package (Platform Content)
  Cells: READ | READ | READ | READ + WRITE | READ

Plugin (Platform Content)
  Cells: READ + EXECUTE | READ + EXECUTE | READ + EXECUTE | READ + EXECUTE | READ + EXECUTE | READ + EXECUTE | READ + EXECUTE | READ + EXECUTE | READ + EXECUTE

Saved Question (Platform Content)
  Cells: READ + WRITE | READ + WRITE | READ + WRITE | READ + WRITE

Sensor (Platform Content)
  Cells: READ + WRITE | READ | READ | READ + WRITE | READ | READ | READ | READ + WRITE | READ

You can view which content sets are granted to any role in the Tanium Console.

[1] This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.