Upgrading Enforce

Before you begin

In Enforce 1.11 and later, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Additionally, the Enforce database is migrated to RDB in this release. Consequently, after upgrading to Enforce 1.11, it might take time for the database migration to complete and for RBAC privileges and other updates to sync properly. This could lead to issues and error messages when you first query Tanium Console. These issues usually resolve on their own after a few minutes, but could take up to an hour or longer depending on system resources and the amount of data to migrate.

Upgrade Enforce

For the steps to upgrade Enforce, see Tanium Console User Guide: Import, re-import, or update specific solutions. After the upgrade, verify that the correct version is installed: see Verify Enforce version.

Upgrading from 1.11.90 or earlier

If your existing installation is 1.11.90 or earlier and you want to upgrade to version 2.2.238, you must upgrade to version 2.0.x or 2.1.x before you upgrade to 2.2.238 to avoid a known upgrade issue. Alternatively, you can upgrade directly from 1.11.90 or earlier to 2.2.254 or later, where this upgrade issue is resolved.

Update Mac Device Configuration Profile policy priorities and enforcements

When you upgrade to Enforce 2.5.127 or later, or after the September 2023 release, Mac Device Configuration Profile policies include macOS password settings. You can configure all available settings for macOS endpoints managed by Mac Device Enrollment using one policy. With this change, Mac Password Profile policies and base policies are no longer needed.

If you created Mac Password Profile policies in an earlier version, those policies are migrated to a Mac Device Configuration Profile policy type during the upgrade to Enforce 2.5.127 and later, or the September 2023 release.

Post migration policy prioritization

Because policies are prioritized per policy type and base policies do not have an assigned priority, the migration process assigns priorities to the migrated policies, starting the prioritization after existing Mac Device Configuration Profile policies.

For example, if you have the following policies and prioritization in Enforce 2.4.230 or earlier, or an earlier release:

Mac Device Configuration Profile policies (created before upgrading to Enforce 2.5.127 or the September 2023 release)
Policy priority    Policy name
1                  ExistingConfigPolicyA
2                  ExistingConfigPolicyB
3                  ExistingConfigPolicyC

Mac Device Password policies
Policy priority    Policy name
1                  PWpolA
2                  PWpolB
3                  PWpolC

Base policies
BasePolicy

When you upgrade to Enforce 2.5.127 or later, or after the September 2023 release, the policies are migrated, and prioritization is set as follows:

Mac Device Configuration Profile policies
Policy priority    Policy name
1                  ExistingConfigPolicyA
2                  ExistingConfigPolicyB
3                  ExistingConfigPolicyC
4                  PWpolA
5                  PWpolB
6                  PWpolC
7                  BasePolicy

After the upgrade, review the prioritization for all Mac Device Configuration Profile policies to ensure that the priority is set appropriately for your environment. For more information about prioritizing policies, see Prioritize policies.

Post migration policy enforcement

Existing Mac Device Configuration Profile policies and migrated Mac Device Password policies that were enforced before the upgrade maintain the same enforcements post migration. Base policies that are migrated to Mac Device Configuration Profile policies during the upgrade are not automatically added to an enforcement during the migration.

If you want to enforce a migrated base policy after the upgrade, you must create an enforcement for the resulting Mac Device Configuration Profile policy (which was previously the base profile) after the upgrade. For more information about creating enforcements, see Create enforcements.