Enforce requirements

Review the requirements before you install and use Enforce.

Tanium dependencies

In addition to a license for the Enforce module, make sure that your environment meets the following requirements.

Component              Requirement
Tanium™ Core Platform  7.3.314.4250 or later
Tanium™ Client         Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium products

If you clicked the Install with Recommended Configurations button when you installed Enforce, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Enforce requires, as described under Tanium Console User Guide: Manage Tanium modules.

Enforce requires the following modules, at these minimum versions:

  • Tanium™ Endpoint Configuration 1.2 or later for tools deployment (installed as part of Tanium Client Management 1.5 or later)
  • Tanium™ Interact 2.6 or later
  • Tanium™ Trends 3.6 or later

The following modules are optional, but Enforce requires the specified minimum versions to work with them:

  • Tanium™ Core Content 1.2.1 or later is required for BitLocker and FileVault policies
  • Tanium™ Direct Connect 1.1.0 or later is required for BitLocker and FileVault policies
  • Tanium™ End-User Notifications 1.6.5 or later is required for BitLocker and FileVault policies
  • Tanium™ Threat Response 3.1 or later is required for alert remediation

If Tanium Core Content is missing or below the minimum version, Enforce shows the following alert: "Tanium Core Content solution is missing or minimum version is not satisfied. Install the Core Content solution and then restart the Enforce module service."
After you install the required version, restart the Enforce module service. On TanOS, follow the instructions in the Tanium Appliance Deployment Guide. On Windows, restart the service through Service Manager on the Tanium Module Server.

Tanium™ Module Server

Enforce is installed and runs as a service on the Tanium Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

Enforce policies support the following endpoint operating systems:

Anti-malware policy

System Center Endpoint Protection (SCEP)

  • Windows 7
  • Windows Server 2008 R2, 2012 or 2012 R2

Windows Defender

  • Windows 8 or 10
  • Windows Server 2016 or 2019

AppLocker

  • Windows 7 Enterprise, Ultimate, Embedded, or Windows Embedded POSReady 7

  • Windows 8 Enterprise, 8.1 Enterprise, or 10 Enterprise

  • Windows Server 2008 R2 or later

BitLocker policy

  • Windows 7 Enterprise or Ultimate (Windows 7 endpoints must have a TPM chip to use BitLocker)
  • Windows 8 Enterprise or Pro
  • Windows 10 Education, Pro Education, Enterprise, or Pro
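The Windows 7 TPM requirement is worth verifying before an endpoint is targeted by a BitLocker policy, because a policy that reaches a machine without a usable TPM simply fails there. The script below is an added example, not Tanium code and not part of Enforce. It uses only WMI classes that exist on Windows 7 (Get-Tpm and Get-BitLockerVolume do not exist there), so it runs in an elevated PowerShell 2.0 session; the OS drive letter is an assumption.

```powershell
# Added example, not Tanium code: BitLocker readiness check for a Windows 7
# Enterprise/Ultimate endpoint, using WMI classes that exist on Windows 7.
# Run in an elevated session. $osDrive is an assumption; adjust for your OS volume.
$osDrive = 'C:'

$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Output 'TPM: none detected. Windows 7 needs a TPM chip for an Enforce BitLocker policy; this endpoint is not eligible.'
} else {
    # Each Win32_Tpm method returns an object whose same-named property holds the answer.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Output ('TPM: spec {0}, enabled={1}, activated={2}, owned={3}' -f $tpm.SpecVersion, $enabled, $activated, $owned)
    if (-not ($enabled -and $activated)) {
        Write-Output 'TPM present but not enabled and activated in firmware; enable it before enforcing the policy.'
    }
}

# Current BitLocker state of the OS volume. Win32_EncryptableVolume only exists on
# editions that ship BitLocker (Enterprise and Ultimate on Windows 7).
$vol = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
         -Class Win32_EncryptableVolume -Filter "DriveLetter='$osDrive'" -ErrorAction SilentlyContinue
if ($vol) {
    $statusNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    Write-Output ('BitLocker on {0}: protection {1}' -f $osDrive, $statusNames[$status])
} else {
    Write-Output ('No Win32_EncryptableVolume for {0}: this Windows edition has no BitLocker support.' -f $osDrive)
}
```

Because it is plain WMI, the same check can be wrapped in a Tanium sensor or action to find the Windows 7 endpoints that lack a TPM before you widen a BitLocker enforcement to them.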

Device Control - Windows policy

  • Windows 7 SP1 or later
  • Windows Server 2008 R2 or later

FileVault policy

  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14.6 Mojave
  • macOS 10.13.6 High Sierra

Firewall Management - Windows

  • Windows 7 SP1 or later

  • Windows Server 2008 or later

Firewall Management - Linux

  • CentOS 6, 7, and 8

  • Red Hat Enterprise Linux (RHEL) 6, 7, and 8

  • Ubuntu 16 and 18

Machine Administrative Templates

  • Windows 7 SP1 and later

  • Windows Server 2008 R2 and later

Remediation - Windows

  • Windows 7 SP1 and later

  • Windows Server 2008 R2 and later

Remediation - Linux

  • CentOS 6, 7, and 8

  • Red Hat Enterprise Linux (RHEL) 6, 7, and 8

  • Ubuntu 16 and 18

Remediation - Mac

  • Mac OS X Yosemite 10.10.5 or later

SRP Management

  • Windows 7 SP1 or later

  • Windows Server 2008 or later

Host and network security requirements

Enforce depends on specific host processes and network paths; allow them as described in this section.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Target device                          Notes           Process
Module Server                                          <Module Server>\services\enforce-service\7za.exe
                                                       <Module Server>\services\enforce-service\node.exe
Windows x86 endpoints                                  <Tanium Client>\Tools\StdUtils\7za.exe
                                                       <Tanium Client>\Tools\Enforce\devcon32.exe
                                       7.2.x clients   <Tanium Client>\Python27\TPython.exe
                                       7.4.x clients   <Tanium Client>\Python38\TPython.exe
                                       7.4.x clients   <Tanium Client>\Python38\*.dll
                                                       <Tanium Client>\TaniumCX.exe
Windows x64 endpoints                                  <Tanium Client>\Tools\StdUtils\7za.exe
                                                       <Tanium Client>\Tools\Enforce\devcon64.exe
                                       7.2.x clients   <Tanium Client>\Python27\TPython.exe
                                       7.4.x clients   <Tanium Client>\Python38\TPython.exe
                                       7.4.x clients   <Tanium Client>\Python38\*.dll
                                                       <Tanium Client>\TaniumCX.exe
macOS and Linux x86 and x64 endpoints  7.2.x clients   <Tanium Client>/python27/python
                                       7.2.x clients   <Tanium Client>/python27/bin/pybin
                                       7.4.x clients   <Tanium Client>/python38/python
                                       7.4.x clients   <Tanium Client>/python38/bin/pybin
                                                       <Tanium Client>/TaniumCX
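How those exclusions are expressed depends on the security product in use. The script below is an added example, not Tanium code, using Microsoft Defender as the product and the x64 endpoint / 7.4.x client rows of the table above; the install roots and the $role switch are assumptions, and other EDR products need their own equivalent. Two points matter from a security standpoint: a Defender process exclusion stops scanning of every file that process opens (it does not merely whitelist the binary), and TPython.exe is a Python interpreter, so that exclusion effectively covers the scripts it runs. Keep each entry to the exact executable path rather than the client directory, and rely on the directory ACLs (only SYSTEM and administrators should write there) so that the exclusion cannot be borrowed by something dropped next to the binaries.

```powershell
# Added example, not Tanium code: Microsoft Defender exclusions for the Enforce
# processes listed in the table above. Run elevated. $client, $moduleServer and
# $role are assumptions; set $role to 'moduleserver' on the Tanium Module Server
# and to 'endpoint' on a Windows x64 endpoint with a 7.4.x client.
#Requires -RunAsAdministrator

$role         = 'endpoint'
$client       = 'C:\Program Files (x86)\Tanium\Tanium Client'       # assumed install path
$moduleServer = 'C:\Program Files\Tanium\Tanium Module Server'      # assumed install path

# Exact executables from the table (x64 endpoint, 7.4.x client).
$endpointProcs = @(
    "$client\Tools\StdUtils\7za.exe",
    "$client\Tools\Enforce\devcon64.exe",
    "$client\Python38\TPython.exe",
    "$client\TaniumCX.exe"
)
$serverProcs = @(
    "$moduleServer\services\enforce-service\7za.exe",
    "$moduleServer\services\enforce-service\node.exe"
)
$procs = if ($role -eq 'moduleserver') { $serverProcs } else { $endpointProcs }

foreach ($p in $procs) {
    if (-not (Test-Path -LiteralPath $p)) {
        # Never pre-create an exclusion for a path that does not exist: anything
        # later written there would inherit it.
        Write-Warning "Not found, skipping: $p"
        continue
    }
    # Path exclusion: the binary itself is not scanned.
    Add-MpPreference -ExclusionPath $p
    # Process exclusion: files opened by this process are not scanned. This is the
    # broad one; keep it to the exact path, never the whole client folder.
    Add-MpPreference -ExclusionProcess $p
}

# The table lists <Tanium Client>\Python38\*.dll for 7.4.x clients. A wildcard on
# the file name covers those DLLs without excluding the rest of the folder.
if ($role -eq 'endpoint') {
    Add-MpPreference -ExclusionPath "$client\Python38\*.dll"
}

# Show what is now configured so the change can be reviewed and recorded.
$pref = Get-MpPreference
'--- path exclusions ---';    $pref.ExclusionPath    | Where-Object { $_ -like '*Tanium*' }
'--- process exclusions ---'; $pref.ExclusionProcess | Where-Object { $_ -like '*Tanium*' }
```

Add-MpPreference merges into the existing lists, so re-running the script is safe. Review the resulting Get-MpPreference output against the table rather than trusting the script: an exclusion that is broader than the table is a standing blind spot on every endpoint that receives it.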

Internet URLs

For anti-malware policies, allow outbound communication from the Tanium Module Server to the following Microsoft download URLs. See Managed Anti-Malware definitions download URLs for configuration details.

Architecture           URL
Windows x86 endpoints  https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86
                       https://go.microsoft.com/fwlink/?LinkId=211053
                       https://definitionupdates.microsoft.com
Windows x64 endpoints  https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
                       https://go.microsoft.com/fwlink/?LinkId=211054
                       https://definitionupdates.microsoft.com

Required ports

The following ports are required for Enforce communication.

  • Module Server, port 17475, inbound: required only when you use disk encryption policies. Allows communication between the Module Server and endpoints for Direct Connect.
  • Module Server, port 17476, loopback: required only when you use disk encryption policies. Allows notifications on endpoints from the End-User Notifications service.
  • Module Server, port 5432, outbound: required only when you use disk encryption policies. Allows communication between the Module Server and the database where the recovery keys are stored. The port is 5432 by default; if you use a different port, ensure that port is open.
  • Module Server, port 17481, inbound: required only when you use the recovery portal with disk encryption policies. Allows communication between the Module Server and the recovery portal.
  • Recovery portal server, port 443, inbound: required only when you use the recovery portal with disk encryption policies. Allows users to access the recovery portal.
  • Recovery portal server, port 443, outbound: required only when you use the recovery portal with disk encryption policies. Allows the recovery portal to access the Tanium server.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
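The egress URLs and the port list above are the two things that most often turn out to be wrong on the day a disk encryption policy is rolled out, so it pays to check them from the Module Server itself. The script below is an added example, not Tanium tooling: it probes the definition URLs through whatever proxy or egress filtering is in place, creates the two inbound Module Server rules as TCP port rules (the "TCP-based rule" the paragraph above asks for, with no program binding), confirms whether something is listening on them, and tests the outbound database port. The database hostname and the firewall profile are assumptions; the ports and URLs are the ones from the tables.

```powershell
# Added example, not Tanium tooling: preflight for the Enforce network
# requirements, run elevated on the Tanium Module Server (Windows).
# $dbHost and the Domain profile are assumptions; change them to match your site.
#Requires -RunAsAdministrator

$dbHost     = 'recovery-db.example.internal'   # assumed host of the recovery key database
$dbPort     = 5432                             # default from the table; change if you moved it
$inboundTcp = @{ 17475 = 'Tanium Enforce - Direct Connect'
                 17481 = 'Tanium Enforce - Recovery portal' }
$defUrls    = @(
    'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86',
    'https://go.microsoft.com/fwlink/?LinkId=211053',
    'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64',
    'https://go.microsoft.com/fwlink/?LinkId=211054',
    'https://definitionupdates.microsoft.com'
)

# 1. Egress. HEAD each URL with redirects disabled: the fwlink URLs answer with a
#    3xx, so any HTTP status at all proves the proxy/firewall passed the request,
#    while no response object at all means the path is blocked.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
foreach ($u in $defUrls) {
    $code = $null; $reason = ''
    try {
        $r = Invoke-WebRequest -Uri $u -Method Head -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        $code = [int]$r.StatusCode
    } catch {
        # Windows PowerShell 5.1 raises on the redirect itself; the response still carries the 3xx.
        $resp = $_.Exception.Response
        if ($resp) { $code = [int]$resp.StatusCode } else { $reason = $_.Exception.Message }
    }
    if ($code) { "OK      $u  (HTTP $code)" } else { "BLOCKED $u  ($reason)" }
}

# 2. Inbound ports. A port/protocol rule with no -Program is a TCP-based rule:
#    it matches on destination port, not on which application opened the socket.
foreach ($port in $inboundTcp.Keys) {
    $name = $inboundTcp[$port]
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Allow -Profile Domain | Out-Null
    }
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    $state = if ($listening) { 'listener present' } else { 'no listener (service not running or disk encryption policies not enabled)' }
    "TCP/$port $name : $state"
}

# 3. Outbound database port for recovery key storage.
$t = Test-NetConnection -ComputerName $dbHost -Port $dbPort -WarningAction SilentlyContinue
"Recovery key DB {0}:{1} reachable: {2}" -f $dbHost, $dbPort, $t.TcpTestSucceeded
```

Port 17476 is loopback only and needs no firewall rule, which is why the script does not touch it. The URL probe deliberately reports the HTTP status rather than following the redirect: what you are testing is the egress path, not Microsoft's download service.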

User role requirements

Enforce Global user role permissions
Roles: Enforce Administrator [2], Enforce Operator [2], Enforce Service Account [2], Enforce Policy Administrator (Global) [2], Enforce Policy User (Global) [2], Enforce Policy Viewer (Global) [2]

Permissions:

  • Enforce Operator: Read, edit, and delete most Enforce objects (except edit access to Enforce settings)
  • Enforce Administrator: Unrestricted access to Enforce
  • Enforce Settings Read: Globally read all Enforce settings
  • Enforce Settings Write: Globally edit all Enforce settings
  • Enforce Operator Settings Read: Globally read most Enforce settings
  • Enforce Operator Settings Write: Globally edit most Enforce settings
  • Show Enforce [1]: View the Enforce workbench
  • Enforce Policy Read: Read Enforce policies
  • Enforce Policy Write: Edit Enforce policies
  • Enforce Policy Prioritize: Edit Enforce policy priorities
  • Enforce Create Enforcement: Enforce policies
  • Enforce Edit Any Enforcement: Edit available policy enforcements. Users always have access to enforcements that they created.
  • Enforce Endpoint Wipe Action: Issue Windows Remediation actions that wipe, freeze, or recover endpoints.
  • Enforce Managed Definitions Read: Read managed definitions
  • Enforce Managed Definitions Write: Edit managed definitions
  • Enforce Disk Encryption Recovery Keys - Read: Read recovery keys for disk encryption
  • Enforce Disk Encryption Recovery Keys - Delete: Delete recovery keys for disk encryption
  • Enforce Policy Template Read: Read policy templates in given content sets
  • Enforce Policy Template Write: Edit policy templates in given content sets
  • Enforce Policy Template Delete: Delete policy templates in given content sets
  • Enforce Policy Type Read: Read policy types in given content sets
  • Enforce Policy Type Write: Edit policy types in given content sets
  • Enforce Policy Type Delete: Delete policy types in given content sets
  • Enforce Reports Read: Read reports in given content sets
  • Enforce Reports Write: Edit reports in given content sets
  • Enforce Reports Delete: Delete reports in given content sets

[1] To install Enforce, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

[2] This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

Global Template (Permissions restricted by operating system content sets: Windows, macOS, or Linux) user role permissions
Roles: Enforce Policy Administrator (Template) [2], Enforce Policy User (Template) [2], Enforce Policy Viewer (Template) [2], Enforce Recovery Key Administrator (Template), Enforce Recovery Key User (Template), Enforce Recovery Key Viewer (Template)

Permissions:

  • Enforce Operator: Read, edit, and delete most Enforce objects (except edit access to Enforce settings)
  • Enforce Administrator: Unrestricted access to Enforce
  • Enforce Settings Read: Globally read all Enforce settings
  • Enforce Settings Write: Globally edit all Enforce settings
  • Enforce Operator Settings Read: Globally read most Enforce settings
  • Enforce Operator Settings Write: Globally edit most Enforce settings
  • Show Enforce [1]: View the Enforce workbench
  • Enforce Policy Read: Read the Enforce policy in given content sets
  • Enforce Policy Write: Edit the Enforce policy in given content sets
  • Enforce Policy Prioritize: Edit the Enforce policy priorities
  • Enforce Create Enforcement: Enforce policies in given content sets
  • Enforce Endpoint Wipe Action: Issue Windows Remediation actions that wipe, freeze, or recover endpoints.
  • Enforce Edit Any Enforcement: Edit available policy enforcements. Users always have access to enforcements that they created.
  • Enforce Managed Definitions Read: Read managed definitions in given content sets
  • Enforce Managed Definitions Write: Edit managed definitions in given content sets
  • Enforce Disk Encryption Recovery Keys - Read: Read recovery keys for disk encryption in given content sets
  • Enforce Disk Encryption Recovery Keys - Delete: Delete recovery keys for disk encryption in given content sets
  • Enforce Policy Template Read: Read policy templates in given content sets
  • Enforce Policy Template Write: Edit policy templates in given content sets
  • Enforce Policy Template Delete: Delete policy templates in given content sets
  • Enforce Policy Type Read: Read policy types in given content sets
  • Enforce Policy Type Write: Edit policy types in given content sets
  • Enforce Policy Type Delete: Delete policy types in given content sets
  • Enforce Reports Read: Read reports in given content sets
  • Enforce Reports Write: Edit reports in given content sets
  • Enforce Reports Delete: Delete reports in given content sets

[1] To install Enforce, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

[2] This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

Module Objects with Access Control by Content Sets

Object types: Policy Definition, Policy Type, Policy Templates, Policy Item, Managed Definition Files, Reports, Disk Encryption Recovery Keys
Access control types: Global, Content Set

Provided Enforce Advanced user role permissions

Roles: Enforce Administrator, Enforce Operator, Enforce Service Account, Enforce Policy Administrator, Enforce Policy User, Enforce Policy Viewer
Advanced permissions: Read Sensor, Read Plugin, Execute Plugin

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.