Configuring Impact

If you did not install Impact with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Impact action group to target the No Computers filter group by enabling restricted targeting before adding Impact to your Tanium licenseimporting Impact. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Impact action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Impact with automatic configuration, the following default settings are configured:

The following default setting is configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group

    Because Impact is currently supported only on Windows endpoints, the Targeting Criteria for the action to distribute the Impact tools filters the group to Windows endpoints.

  • Restricted targeting enabled: No Computers computer group
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Impact, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Impact

Configure service account

The service account is a user that runs several background processes for Impact. This user requires the Tanium Administrator or Impact Service Account role.

If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

For more information about Impact permissions, see User role requirements.

If you imported Impact with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. On the Impact Overview page, click Settings and then click Service Account if needed.
  2. Provide a user name and password, and then click Save.

Add computer groups to the Impact action group

By default, the Impact action group is set to the All Computers computer group. If needed, you can update the action group.

Importing the Impact module automatically creates an action group to target specific endpoints. Select the computer groups to include in the Impact action group. By default, Impact targets All Computers.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Impact.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Configure connections to domains

Configure connections to the Active Directory domains that you want to analyze with Impact. For Active Directory requirements, see Third-party software.

  • Active Directory referrals are not supported. You must create a connection for each domain that you want to synchronize.
  • You can create a connection to a Global Catalog server to synchronize an entire Active Directory forest. To ensure accurate results, you must create a connection to every domain within each Active Directory forest.
  • Domain resolution is also possible. However, if you are using TLS, all Domain Controllers that the domain resolves to must share a valid certificate. For LDAPS certificate requirements, see Microsoft: Requirements for an LDAPS certificate. If the domain resolves to a Domain Controller (DC) that has a certificate with a fingerprint that does not match the fingerprint returned by the DC that the domain resolved to when the domain configuration was saved, the connection fails.
  • You must submit a TaaS proxy request to allow communication between your Active Directory (either on-premises or Azure) and the TaaS server. For more information, see TaaS User Guide: Proxy access.

  1. From the Main menu, go to Modules > Impact to open the Impact Overview page.
  2. Click Settings and open the Domains tab.
  3. Click New Domain.
  4. Specify the settings for the connection to the domain:

    1. Name: Specify a unique value that easily identifies the connection. For example: myDomainA.com.
    2. LDAP Server: Specify the LDAP connection string for the domain controller. For example: dc.domain.com/ or 10.0.0.5.

      Port: Specify the port to use when the Module ServerTanium as a Service connects to the Active Directory server. The default port is 636.

      Use TLS is selected by default. Clear this option if you are not using TLS. TLS requires certificates on your domain controller.

      Disabling TLS sends data over the network in plain text. Always use TLS unless you are working in a lab or test environment with test data.

    3. Certificate: If you are using LDAPS, verifyVerify the details of the host certificate before you provide the credentials.

      For LDAPS certificate requirements, see Microsoft: Requirements for an LDAPS certificate. The same requirements apply to certificates issued by an internal certificate authority (CA). Because Impact uses a trust on first use authentication method, intermediate certificates are not required.

    4. User name: Specify the user name to use when connecting to the domain controller.

      The user name can be in DOMAIN\User format or UPN format ([email protected]). UPN format works only for user accounts that have the UPN attribute populated.

      Use an account with read-only permissions to the domain controller. For detailed requirements for this user, see Active Directory user account.

    5. Password: Provide the password for the user.

  5. Click Validate to verify that the information entered is valid.
  6. After you validate the credentials, click Save.

After you save the domain connection, data collection and analysis begins automatically at the next scheduled synchronization. For more information, see Collect and analyze data.

Collect and analyze data

Data is automatically synchronized between endpoints, all configured domains, and the Impact internal databases every 24 hours. To view the last time that data was collected and analyzed , and the next scheduled collection and analysis , go to the Data Collection & Sync tab in Impact Settings . To initiate data collection and analysis manually, click Collect & Analyze.



Data collection and analysis is a long-running process. Do not initiate this process frequently. If a request is already in progress, the requested operation does not run.

Set up Impact users

You can use the following set of predefined user roles to set up Impact users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Impact Administrator

Assign the Impact Administrator role to users who manage the configuration and deployment of Impact functionality to endpoints.
This role can perform the following tasks:

  • Configure Impact service settings, including creating and editing domain connections
  • Manually start a domain synchronization and check the status
  • View all ratings, details, and graphs for endpoints, users, and groups
  • Generate and view the Impact support bundle

Impact Operator

Assign the Impact Operator role to users who manage the configuration and deployment of Impact functionality to endpoints.
This role can perform the following tasks:

  • Configure Impact service settings, including creating and editing domain connections
  • Manually start a domain synchronization and check the status
  • View all ratings, details, and graphs for endpoints, users, and groups

Impact User

Assign the Impact User role to users who perform analysis of Impact ratings.
This role can perform the following tasks:

  • View the domain synchronization status
  • View all ratings, details, and graphs for endpoints, users, and groups

Impact Endpoint Configuration Approver

Assign the Impact Endpoint Configuration Approver role to a user who approves or rejects Impact configuration items in Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Impact is installed.

Impact Service Account

Assign the Impact Service Account role to the account that configures system settings for Impact.
This role can perform several background processes for Impact.