Configuring Engage

If you did not install Engage with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Engage action group to target the No Computers filter group by enabling restricted targeting before importing Engage. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Engage action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Engage with automatic configuration, the following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Windows Workstations computer group
  • Restricted targeting enabled: No Computers computer group

Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Engage, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Creating, updating, or deleting surveys

Configure Tanium End-User Notifications

Tanium End-User Notifications is a shared service that is used to send notifications to users, including sending the Engage surveys. You must configure end-user notifications and customize the End-User Self Service interface before you configure Engage. For more information, see Tanium End-User Notifications User Guide: Configuring and Tanium End-User Notifications User Guide: Customizing the End-User Self Service interface. Configure any exclusions that are listed in the Tanium End-User Notifications User Guide: Security Exclusions. You can customize the self service interface to match your corporate branding.

Configure Engage

(Optional) Configure the Engage action group

Importing the Engage module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Engage, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Engage, configuring the Engage action group is optional.

Select the computer groups to include in the Engage action group.

Clear the selection for No Computers and make sure that all operating systems that are supported by Engage are included in the Engage action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Engage.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Organize computer groups

  1. Determine which endpoints receive surveys with computer group targeting. Create relevant computer groups to organize your endpoints. Some options include:

    • Endpoint type, such as employee workstations
    • Endpoint location, such as by country or time zone
  2. Add the computer groups to the appropriate users or user groups so that the survey creator can schedule the survey to run on those endpoints.

For more information, see Tanium Core Platform User Guide: Managing computer groups.

Set up Engage users

You can use the following set of predefined user roles to set up Engage users.

To review specific permissions for each role, see User role requirements.

On installation, Engage creates an Engage user to automatically manage the Engage service account. Do not edit or delete the Engage user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Engage Administrator

Assign the Engage Administrator role to users who manage the configuration and deployment of Engage functionality to endpoints.
This role can perform the following tasks:

  • Configure Engage service settings.
  • View and modify Engage surveys, questions, and remediations.
  • Dismiss or reject approvals for Engage tasks in Tanium Endpoint Configuration.

Engage Operator

Assign the Engage Operator role to users who manage the configuration and deployment of Engage functionality to endpoints.
This role can perform the following tasks:

  • Configure Engage service settings.
  • View and modify Engage surveys, questions, and remediations.
  • Dismiss or reject approvals for Engage tasks in Tanium Endpoint Configuration.

Engage Question Author

Assign the Engage Question Author role to users who need to create surveys and survey question templates.
This role can perform the following tasks:

  • View Engage workbench, settings, remediations, and surveys.
  • Author and edit Engage questions.

Engage Remediation Author

Assign the Engage Remediation Author role to users who need to create surveys and survey question templates.
This role can perform the following tasks:

  • View Engage workbench, settings, questions, and surveys.
  • Author and edit Engage remediations.

Engage Read Only User

Assign the Engage Read Only User role to users who need visibility into Engage data.
This role can perform the following tasks:

  • View surveys, remediations, and questions.
  • View settings.

Engage Service Account

Assign the Engage Service Account role to the account that configures system settings for Engage.
This role can perform several background processes for Engage.

Do not assign the Engage Service Account and Engage Service Account - All Content Sets roles to users. These roles are for internal purposes only.