Managing Tanium solutions
Tanium solutions overview
Tanium Cloud automatically manages imports and updates for Tanium solutions, which include modules (such as Interact), shared services (such as Direct Connect), and content-only solutions (such as Default Content). Tanium Cloud also performs initial configuration for all the modules and services that your Tanium license specifies.
You can configure the Tanium™ Cloud Management Portal (CMP) to send you email notifications when a solution import is scheduled or completed. See Tanium Cloud Deployment Guide: Subscribe to email notifications.
Tanium solutions include modules (such as Interact), shared services (such as Direct Connect), and content-only solutions (such as Default Content). When you first sign in to the Tanium Console after Tanium Server installation, the Administration > Configuration > Solutions page opens. The Modules section displays a tile for each module and the Content section displays a row for each shared service or content-only solution. At the top-right, the page indicates whether the Tanium Server Version is up-to-date or if an update is available.
You cannot update Tanium Core Platform servers through the Tanium Console. Contact Tanium Support if you want to install a Tanium Server update.
Table 1 describes the page buttons that you use to manage solutions. Note that the Import, Re-import, Update, and Uninstall buttons appear in multiple places, and where you click a button determines the scope of its operation:
- Solutions page warning banner: If any installed solutions are incompatible with the current Tanium Console version, a warning banner lists those solutions. Clicking Uninstall in the banner uninstalls only the listed solutions, not any others that you select in the Modules or Content sections.
- Solutions page footer: Performs the operation for all the selected modules, services, and content-only solutions.
- Modules section header: Performs the operation only for the selected modules.
- Modules section tiles: Performs the operation only for a single module.
- Content section header: Performs the operation only for the selected services and content-only solutions.
Button | Operation |
---|---|
Tanium Recommended Installation | Initiates the workflow to import and automatically configure, in a single operation, all the modules and shared services that your Tanium license enables (see Import all modules and services). After you import any modules or services, the page stops displaying the Tanium Recommended Installation button. Automatic configuration is not available for update or re-import operations. When you initially set up your Tanium deployment, the best practice is to import all modules and shared services in a single operation because some cannot function unless you import dependent modules and shared services. For example, the Reveal module requires that you first import the Direct Connect service. For details about the dependencies see Dependencies, default settings, and tools deployment. The Tanium Server also automatically imports several content-only solutions that are useful for many modules. |
Update | Initiates the workflow to update a solution to the latest version. The page uses bold orange text to indicate that an update is available for a solution. See Import or update specific solutions. |
Import | Initiates the workflow to import a solution for which no version is currently installed. The workflow includes an option to configure modules and shared services with the recommended default settings. See Import or update specific solutions. |
Re-import | Initiates the workflow to re-import the currently installed version. See Import or update specific solutions. |
Uninstall | Initiates the workflow to uninstall a solution. See Uninstall solutions. |
View Documentation | Accesses the user guides for modules and shared services and the release notes for content-only solutions. See View solution documentation. |
Copy URL | Copies the URL of the source file for the currently installed version of a solution. See Export and import specific solution versions. |
To customize the Overview page of a solution, see Customize solution overview pages.
For details on the impact of solution updates, see Content updates.
If the Tanium license expires, you cannot import, export, or update any solutions, and the Solutions page does not display any solutions. See License expiration.
To perform all management tasks for Tanium solutions, users require the Administrator reserved role.
Review Tanium security advisories on a weekly basis to determine if any solution updates are recommended. See Tanium Maintenance User Guide: Review Tanium security advisories.
Tanium modules
Each Tanium module comprises content and a workbench. A workbench is the user interface that you use to perform module operations. You use the content and workbenches to manage, monitor, and protect the endpoints in your network as described in the user guides listed at Tanium user documentation: Tanium Modules. The Tanium Console User Interface (UI) is also a module.
In the Main menu of the Console, use the Modules menu to navigate the pages of module workbenches.
In the Solutions page, the Modules section displays a tile for each module. The tiles indicate the currently installed module version and whether updates are available.
Contact Tanium Support if the Solutions page does not display tiles for certain modules or if a tile indicates the module is Available for Purchase and you want to add it to your Tanium license.
Tanium shared services
Each Tanium shared service includes content and a workbench that you use to manage, monitor, and protect the endpoints in your network. For details about specific shared services, see Tanium user documentation: Shared Services.
In the Main menu of the Console, use the Administration > Shared Services menu to access the shared service workbenches.
Tanium content-only solutions
Tanium content is a set of configuration objects that Tanium develops for a particular purpose and provides through solutions. Some of these solutions provide only content and do not have a workbench or service. For example, the Default Content solution does not have a workbench but provides many key configuration objects found on the Interact Overview page (categories, dashboards, and saved questions) and Administration > Content pages (sensors, packages, saved questions).
To see documentation for content-only solutions, sign in to the Tanium KB and view the Tanium Core Content Documentation.
The Tanium Server downloads a manifest of available Tanium content-only solutions and shared services from content.tanium.com and displays them in the Content section of the Solutions page. If you specified a Tanium™ lab license when installing the Tanium Server, you can filter the Content grid by Source:
- Manifest: This is production content that includes the essential set of objects for querying endpoints and deploying actions. It also lists the shared services that you can manage.
- Labs: This is an experimental set of configuration objects. Labs content is available only if you specified a Tanium lab license.
- All: Both Manifest and Labs content.
If you specified a Tanium production license, only Manifest content is available.
If the grid indicates that the Imported Version lags the latest Available Version for a content-only solution or shared service, you can update it.
After the Tanium Server is installed, it automatically imports the content-only solutions Default Content and Default Computer Groups when the first user signs in to the Tanium Console (see Initial content). If you perform the Tanium Recommended Installation, the server automatically imports several more basic content-only solutions, but you must manually import any other content-only solutions (see Import all modules and services).
Tanium Cloud automatically imports content-only solutions that are dependencies for your licensed modules and shared services. For example, Tanium Cloud imports the Default Content, Core Content, and Default Computer Groups for Interact as part of Initial content.
View solution documentation
The Solutions page provides links to user guides for modules and shared services and to release notes for some content-only solutions:
- Module user guides: Scroll to the Modules section and click View Documentation in a module tile.
- Shared service user guides or content-only solution release notes: Scroll to the Content section and click View Documentation in the row of a service or content-only solution.
You can also access documentation for modules and shared services on the Tanium documentation portal.
Dependencies, default settings, and tools deployment
Tools deployment
For details about deploying tools for content-only solutions such as Default Content, see Tanium Endpoint Configuration User Guide: View and manage content-only solutions.
To enable or disable restricted targeting:
- Sign in to the Tanium Console as a user who is assigned a role with the Global Settings write permission.
- From the Main menu, go to Administration > Configuration > Settings > Platform Settings.
- Set Restricted Targeting to ON (enable) or OFF (disable) and click Save All.
After you enable or disable restricted targeting, the updated setting applies only to solutions that are subsequently imported, not to solutions that are already imported.
Dependencies and default settings
Content updates
Customizing Tanium content
Tanium Cloud automatically imports updates to Tanium-provided content and overwrites the current content configurations with the imported configurations. For example, if you edit the Custom Tagging - Add Tags package and change its Command Timeout to two minutes, that setting reverts to the default one minute if Tanium Cloud imports an update to the Core Content pack, which provides the package.
If editing Tanium content is necessary, limit the edits to ensure updates are minimally disruptive and keep records of your changes. For example, record changes to the Command Timeout setting in packages. Also keep records of Tanium objects that you clone for your custom objects. You can then use your records to re-edit any Tanium content that an update overwrote.
Content with parameterized objects
When a content import overwrites a parameterized sensor or parameterized package, the overwriting does not affect existing saved questions or scheduled actions that reference the sensor or package:
- Saved questions: When you save a question that has a parameterized sensor, the sensor definition and parameter values are saved in a new object called a temporary sensor. On the endpoint, the Tanium Client runs the temporary sensor when it computes answers to a saved question that calls it. If Tanium Cloud reissues the saved question at scheduled intervals, it continues using the temporary sensor even if the original sensor has changed. Therefore, you must re-create the saved question if you want it to use the updated version of the sensor.
- Scheduled actions: When a scheduled action deploys a parameterized package, the package definition and parameter values are saved in an object called a temporary package. If the package settings change, Tanium Cloud deploys the temporary package by default unless you edit the action configuration to use the updated Deployment Package. Alternatively, you can re-create the scheduled action to use the updated version of the package. Otherwise, the Tanium Client runs the temporary package whenever it has a directive to run the scheduled action that calls the package.
Import all modules and services
After you install the Tanium Server and sign in to the Tanium Console for the first time, the Solutions page opens and displays a Tanium Recommended Installation button. To initiate the workflow for importing and configuring all your licensed modules and shared services in a single operation, you must click that button instead of selecting tiles in the Modules section or rows in the Content grid.
During the Tanium Recommended Installation workflow, the Tanium Server performs the following operations:
- Imports the following content-only solutions:
- Client Maintenance
- Core Content
- Core Content - MSSQL
- Initial Content - Python
- Imports the modules and shared services, and configures them with default settings. See Dependencies, default settings, and tools deployment.
The default settings include setting the service account for every solution to the user account that you use to perform the import. See Manage service accounts.
Services and content-only solutions that you import on one Tanium Server are automatically available to the other server in an active-active deployment because the servers write content to the shared Tanium database. When you import a module on one Tanium Server, the peer automatically performs the same operation. For details, see Module synchronization.
- Sets the Default - All Computers action group as the target for all scheduled actions that previously targeted the Default action group. Default - All Computers specifies the All Computers computer group, whereas Default specifies the No Computers computer group. Five minutes after re-targeting the actions, the server deploys them to Default - All Computers as a one-time event. The server bases future deployments of the actions on their configured reissue interval (see Manage scheduled actions). If automatically deploying actions to the Default - All Computers action group is not appropriate for your deployment, enable restricted targeting before importing solutions (see Tools deployment).
After you finish the workflow, the Solutions page stops displaying the Tanium Recommended Installation button. To re-import or update modules thereafter, see Import or update specific solutions.
Before importing modules in an active-active deployment, replace the self-signed certificates on the Tanium Servers with certificates that a certificate authority (CA) has signed. For details, see Module synchronization.
After you read the release notes for your licensed modules and shared services, import and configure them as follows:
- Access the Tanium Console by entering the fully qualified domain name (FQDN) of the Tanium Server in the browser URL field (https://ts1.example.com, for example).
In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In a Tanium Appliance deployment, the default port is 8443 but you can also use 443.
- (Optional) To avoid automatically deploying solution-specific tools to the All Computers filter group during automatic configuration, see Tools deployment.
- From the Main menu, go to Administration > Configuration > Solutions.
- Click Tanium Recommended Installation and click Yes to proceed.
The Tanium Console displays the progress of the import and configuration. Based on the number of licensed solutions to import and configure, the process might take up to 30 minutes.
- Click Close when the Console indicates that the import and configuration succeeded.
After you finish the operation, the Main menu displays the imported modules and services under Modules and Administration > Shared Services.
Import or update specific solutions
Before you import, re-import, or update solutions, read the corresponding release notes. You can combine imports, re-imports, and updates in a single operation. After you initiate an operation, it must finish before you can start another operation.
Downgrading solutions is not recommended and might cause unexpected behavior on the Tanium Server or managed endpoints. Downgrade only if Tanium Support explicitly directs you. See Contact Tanium Support.
In an active-active deployment, shared services and content-only solutions that you import, re-import, or update on any single Tanium Server are available in the peer because the servers write content to the shared Tanium database. When you import, re-import, or update a module on one Tanium Server, the peer automatically performs the same operation. For details, see Module synchronization.
Certain Tanium solutions support the automatic import of dependencies. For example, when you import Tanium Benchmark, the Tanium Server automatically imports all the dependencies of Benchmark regardless of whether you select those dependencies for the import. See Dependencies, default settings, and tools deployment.
Finish importing or updating Tanium Interact, Tanium Trends, and Tanium Client Management, in that order, before importing or updating any other module.
- (Updates or re-imports only) Notify Tanium users not to use the modules or services that you are updating or re-importing until the update or re-import process finishes. Otherwise, users might lose work in progress.
- Access the Tanium Console by entering the fully qualified domain name (FQDN) of the Tanium Server in the browser URL field (https://ts1.example.com, for example).
In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In an Appliance deployment, the default port is 8443 but you can also use 443.
- (Optional) To avoid automatically deploying solution-specific tools to the All Computers filter group during automatic configuration, see Dependencies, default settings, and tools deployment.
- From the Main menu, go to Administration > Configuration > Solutions.
- In the Modules section, select the check box in the tile of each module that you want to include in the operation.
To display only modules for which updates are available, set the Show option to Available Updates.
- In the Content section, select the services and content-only solutions that you want to include in the operation.
To display only services and content-only solutions for which updates are available, set the Show option to Available Updates. If you have a Tanium lab license, you can also filter by Source to list only production (Manifest) or Labs content.
- Click an action button (Import, Re-import, or Update) based on which solution types to include in the operation:
- All solution types: To perform the operation for all the modules, services, and service packs that you selected, click the action button in the Solutions page footer.
- Modules: To perform the operation only for selected modules, click the action button in the header of the Modules section. To perform the operation only for a single module, you can also click the action button in the module tile.
- Services and content-only solutions: To perform the operation only for selected services and content-only solutions, click the action button in the header of the Content section.
- (Fresh imports only) Optionally, deselect the Apply All Tanium recommended configurations check box for any modules or services that you want to configure manually instead of using the default settings:
- Manually configure all the listed solutions: Deselect the check box above the list of solutions.
- Manually configure specific solutions: Expand the solution entry and deselect the check box below its list of content.
- Expand each solution, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
- (Optional) For each solution for which you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, expand the solution entry and select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
- Click Begin Import.
Based on the number of solutions that you selected for the operation, the Tanium Server might take up to 30 minutes to complete it. The Tanium Console displays the progress of the operation.
If you selected Apply All Tanium recommended configurations for any imports, click Close when the Console indicates that the operation succeeded. Otherwise, the page automatically refreshes when the operation finishes. The Main menu then displays imported modules in the Modules menu and imported services in the Administration > Shared Services menu.
- (Updates only) If the release notes for the updated solutions list changes to the Tanium™ Trends data, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to re-import them.
- (Updates only) From the Main menu, go to Administration > Actions > Scheduled Actions and set the Source Package filter to Has Updates. If the grid lists actions with that filter applied, it means the solutions that you updated include package updates. Update the affected actions as described under Update action packages.
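The ordering rules that apply to this procedure (Interact, Trends, and Client Management first and in that order, dependencies such as Direct Connect before Reveal, and older content-only solutions before newer ones) can be applied to a planned selection mechanically. The following is an added example, not Tanium code; the release dates and the `requires` lists are constructed sample data, and `plan_import` is a hypothetical helper name.

```python
"""Order a set of selected Tanium solutions for import.

Added example, not Tanium code. Release dates and the `requires` lists are
constructed sample data; only the ordering rules come from the page.
"""
import heapq
from datetime import date

# Page rule: finish these modules, in this order, before any other module.
CORE_MODULE_ORDER = ["Interact", "Trends", "Client Management"]

# Constructed sample selection. kind is "module", "service" or "content".
SELECTION = {
    "Reveal": {"kind": "module", "released": date(2024, 1, 10),
               "requires": ["Direct Connect"]},
    "Direct Connect": {"kind": "service", "released": date(2024, 2, 20)},
    "Trends": {"kind": "module", "released": date(2024, 1, 15)},
    "Interact": {"kind": "module", "released": date(2024, 2, 1)},
    "Core Content": {"kind": "content", "released": date(2024, 3, 1)},
    "Default Content": {"kind": "content", "released": date(2024, 1, 5)},
}


def build_prereqs(selection, installed):
    """Return {name: set of selected solutions that must finish first}."""
    core = [m for m in CORE_MODULE_ORDER if m in selection]
    prereqs = {}
    for name, info in selection.items():
        needs = set()
        for dep in info.get("requires", []):
            if dep in selection:
                needs.add(dep)
            elif dep not in installed:
                raise ValueError(
                    f"{name} requires {dep}, which is neither selected nor installed")
        if info["kind"] == "module":
            if name in core:
                # A core module waits only for the core modules listed before it.
                needs.update(core[:core.index(name)])
            else:
                # Every other module waits for all selected core modules.
                needs.update(core)
        prereqs[name] = needs
    return prereqs


def plan_import(selection, installed=frozenset()):
    """Topologically sort the selection; ties go to the older release."""
    prereqs = build_prereqs(selection, installed)
    dependents = {name: [] for name in selection}
    for name, needs in prereqs.items():
        for dep in needs:
            dependents[dep].append(name)
    remaining = {name: len(needs) for name, needs in prereqs.items()}
    ready = [(selection[n]["released"], n) for n, c in remaining.items() if c == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child] -= 1
            if remaining[child] == 0:
                heapq.heappush(ready, (selection[child]["released"], child))
    if len(order) != len(selection):
        stuck = sorted(set(selection) - set(order))
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


if __name__ == "__main__":
    for step, name in enumerate(plan_import(SELECTION), start=1):
        print(f"{step}. {name} ({SELECTION[name]['kind']})")
```

Pass the names of solutions that are already imported as `installed` so that a dependency satisfied on the server is not reported as missing.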
Import Console UI updates
In the Main menu, the Console: <version> field displays the current version of the Tanium Console UI module. Tanium periodically provides updates to the module and the Tanium Server checks content.tanium.com for the updates. To check for updates:
- From the Main menu, go to Administration > Configuration > Solutions.
- Examine the Modules section to see if a Console tile appears. If an update is available, the Console tile appears with an option to update.
- Click Update to <version> to import the update.
Restarting the Tanium Server or your browser session is not necessary to initialize updates.
Update the Tanium Console UI whenever a new version is available.
Export and import specific solution versions
For each solution, you can export a URL for the version that is currently installed on the Tanium Server. You can then sign in to the Tanium Console of another Tanium Server and import that version from the URL. This option is useful for migrating a version other than the latest between Tanium Servers. For example, after testing a specific module version in your lab environment, you can export the URL for that version and then import the module from that URL into your production deployment.
In an active-active deployment, shared services and content-only solutions that you import on any single Tanium Server are available in the peer because the servers write content to the shared Tanium database. When you import a module on one Tanium Server, the peer automatically performs the same operation. For details, see Module synchronization.
Before importing solutions in an active-active deployment, replace the self-signed certificates on the Tanium Servers with CA certificates. For details, see Module synchronization.
After you read the release notes for the solution versions, export and import them as follows:
- Sign in to the Tanium Console of the Tanium Server that already has the desired solution version.
- From the Main menu, go to Administration > Configuration > Solutions.
- In the Modules or Content section, click Copy URL in the tile or row of the solution that you want to export.
If you do not want to import the solution immediately, paste the URL into a text file to store it for later.
- If you will replace an existing version of a module or service with another version, notify Tanium users not to use that module or service until the import process finishes. Otherwise, users might lose work in progress.
- Sign in to the Tanium Console of the Tanium Server to which you want to migrate the solution version. When you access the Console, enter the FQDN of the Tanium Server in the browser URL field (https://ts1.example.com, for example).
In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In an Appliance deployment, the default port is 8443 but you can also use 443.
- Scroll to the Content section, select Import > Import URL, paste the URL in the Import URL field, and click Import.
- Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
- If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
- Click Begin Import to proceed with the import.
Export content files
The steps to export content, and the supported file formats (CSV or JSON), vary by content type:
- Export and import specific solution versions
- Export action groups
- Export actions
- Export allowed URLs
- Export categories, dashboards, or questions
- Export computer groups
- Export content sets
- Export filter groups
- Export packages
- Export persona details
- Export roles
- Export saved questions
- Export sensors
- Export quarantined sensor details
- Export user group details
- Export user details
Import content files
Develop and test custom content in your lab environment before importing that content into your production environment.
Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or sensor configurations) that are in JSON format. The Administrator reserved role has this permission.
- (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files. You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.
If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.
- From the Main menu, go to any of the following Administration pages:
- Configuration > Solutions
- Permissions > Filter Groups
- Under Content, select Sensors, Packages, or Saved Questions
- Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
- Select an Import option based on the source of the content:
- Import > Import Files: Perform one of the following steps to select one or more files:
- Drag and drop files from your file explorer.
- Click Browse for File, select the files, and click Open.
- Import > Import URL: Enter the URL in the Import URL field, and click Import.
- For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
- If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
- Click Begin Install.
Perform the next step only for imported packages that reference other files. You must manually download these files on the Tanium Server because the file that you imported contains only the package configurations, not associated files.
- For each package that you imported, select the package, click Status, and click Re-Download All to download the referenced files.
If the Tanium Server cannot access a file location, move the file to an accessible location, change the File Address in the package configuration (see Edit a package), and repeat this step.
Resolve import conflicts
When you import solution updates, or import a file that contains content (such as sensors), conflicts might occur with existing content. After you review the Best practices for resolving import conflicts, perform the following steps:
- Perform the import workflow up to the point where the Tanium Console lists the New Items and Existing Items to import:
- Modules, shared service, or content-only solutions:
- JSON/XML content file: Import content files
- Expand the items that you are importing and select a resolution for each conflict:
- Overwrite: Replaces existing content with the imported content.
- Skip: Skips the import for that item.
- (Categories only) Merge: Unites objects that are included in the categories.
Select Merge and, after finishing the import, review the resulting configuration in the Categories panel on the Interact Home page.
- (Actions only) Overwrite and Disable Action: This option is useful if you want the new action to be disabled by default. Later, when you are ready to test the action, re-enable it: from the Main menu, go to Administration > Actions > Scheduled Actions, select the action, and select More > Enable Action(s).
The solution or content file might include content set definitions. When you first establish your content sets, selecting Include content set overwrite ensures that content is assigned to the content sets that the content designer intended. After you implement your own role-based access control (RBAC) plan and move content to the content sets that you plan to use, do not select this option; otherwise, the assignments defined in the imported file will overwrite your content set assignment.
- Click Begin Import. When the operation finishes, click Close.
- (Updates only) If the release notes for the updated solutions list changes to the Tanium Trends data, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to reimport them.
Best practices for resolving import conflicts
The following tips can inform your decisions regarding conflicts when you import content.
Tip 1: Read the release notes
Always read the release notes for every solution version that was released since your last update. The release notes alert you to the scope of changes and might include notes that can help you avoid issues. Release notes also indicate the release date, which is important if you plan to import multiple content-only solutions. Different content-only solutions might include updates to the same basic sensors or packages. In this case, it is best to import the older content-only solutions before the newer ones.
Tip 2: Confirm you have good restore points
Before you update a Tanium solution, confirm that you have recent restore points and backups in case something goes wrong. The Tanium database stores content configuration objects. The installation folders for the Tanium Server and Tanium Module Server include important files, such as encryption keys, a license file, string files, and other data files.
As a best practice, schedule regular file system and database backups based on your Tanium infrastructure:
- Tanium Appliance: See Tanium Appliance Deployment Guide: Backup overview.
- Windows: See Tanium Core Platform Deployment Guide for Windows: Back up Tanium Core Platform servers and databases.
Tip 3: Update your lab deployment first
Before you update Tanium Core Platform servers in your production environment, always update them in your lab first and perform the following tasks to evaluate how changes might affect endpoints:
- Assess network utilization: Assess the impact on network utilization when the Tanium Server distributes content to endpoints. For certain content types, an update might result in additional network traffic. Usually, this additional traffic is negligible.
- Test functionality changes: Test the changes or additions to Tanium functionality if a content update includes:
- Sensors: Issue dynamic questions that use the sensors and review the results: see Issue a question through the Ask a Question field or Issue a question through the Question Builder and see Managing question results.
- Saved questions: Issue the saved questions and review the results: see Issue a saved question.
- Dashboards: Issue the dashboards and review the results: see Issue a dashboard of saved questions.
- Categories: Review the categories: see Manage categories and dashboards.
- Packages: Deploy the packages through actions: see Deploying actions.
- Scheduled actions: Assign the correct action groups to the actions: see Edit action group assignments for scheduled actions.
After you qualify the updates on lab servers, import the updates on production servers and spot test the behavior of new or changed content.
Tip 4: Limit customizations to Tanium content
When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, overwriting is preferable to maintaining the current configuration because the updates include important changes that optimize performance, avoid issues, and make the associated tools more useful.
Limit customizations to Tanium content so that updates are minimally disruptive. Maintain notes of any changes you make. For example, keep a log of any changes to the Max Sensor Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects that you clone as a source for your custom objects.
When a content-only solution update becomes available, import it and redo the customizations that the import overwrote.
Tip 5: Re-create content that uses parameterized objects
When a content import overwrites a parameterized sensor or parameterized package, the overwriting does not affect existing saved questions or scheduled actions that reference the sensor or package:
- Saved questions: When you save a question that has a parameterized sensor, the sensor definition and parameter values are saved in a new object called a temporary sensor. On the endpoint, the Tanium Client runs the temporary sensor when it computes answers to a saved question that calls it. If the Tanium Server reissues the saved question at scheduled intervals, it continues using the temporary sensor even if the original sensor has changed. Therefore, you must re-create the saved question if you want it to use the updated version of the sensor.
- Scheduled actions: When a scheduled action deploys a parameterized package, the package definition and parameter values are saved in an object called a temporary package. If the package settings change, the Tanium Server deploys the temporary package by default unless you edit the action configuration to use the updated Deployment Package. Alternatively, you can re-create the scheduled action to use the updated version of the package. Otherwise, the Tanium Client runs the temporary package whenever it has a directive to run the scheduled action that calls the package.
Tip 6: Avoid bulk overwrites to Tanium content
Do not simply export the current configuration and then reimport it after the content update finishes. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content-only solution includes a scheduled action to distribute patch tools when the patch tools version, which the Has Patch Tools sensor reports, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than the Has Patch Tools sensor expects, the Tanium Server continuously distributes the patch tools until the Has Patch Tools sensor uses the correct version.
Uninstall solutions
Before performing these steps in an active-active deployment, replace the self-signed certificates on the Tanium Servers with CA certificates. For details, see Module synchronization.
- Access the Tanium Console by entering the FQDN of the Tanium Server in the browser URL field (https://ts1.example.com, for example).
In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In an Appliance deployment, the default port is 8443 but you can also use 443.
- From the Main menu, go to Administration > Configuration > Solutions.
- (Deprecated solutions only) If a warning banner indicates that certain solutions are incompatible with the current Tanium Console version, click Uninstall in the banner to remove only those solutions. Uninstalling from the banner has no effect on other solutions that you select in the Modules or Content sections.
- In the Modules section, select the check box in the tile of each module that you want to uninstall, or click Select All above the tiles.
- In the Content section, select the services and content-only solutions that you want to uninstall.
- Click an Uninstall button based on which solution types to include in the operation:
- All solution types: To uninstall all the modules, services, and service packs that you selected, click Uninstall in the Solutions page footer.
- Modules: To uninstall only the selected modules, click Uninstall in the header of the Modules section.
- Services and content-only solutions: To uninstall only the selected services and content-only solutions, click Uninstall in the header of the Content section.
Completely uninstalling certain solutions requires additional steps. For example, to completely remove Comply from your Tanium deployment, you must remove Comply content and tools from endpoints. For details about uninstalling specific solutions or Tanium Clients, see the user guides for those products:
- Tanium Client:
- API Gateway
- Asset
- Benchmark
- Client Management
- Comply
- Connect
- Criticality
- Deploy
- Direct Connect
- Directory Query
- Discover
- Endpoint Configuration
- End-User Notifications
- Enforce
- Engage
- Feed
- Health Check
- Impact
- Integrity Monitor
- Interact
- Map
- Patch
- Performance
- Provision: for the steps to uninstall Provision.
- Reporting
- Reputation
- Reveal
- Threat Response
- Trends
Module synchronization
The import, re-import, or update operation for each module writes a workbench configuration to files on the Tanium Server host and adds an entry in the shared Tanium database logs. When you perform the operation on one Tanium Server in an active-active deployment, its peer automatically attempts the same operation. This duplication also applies to uninstalling modules.
Tanium Servers must have the same Tanium Core Platform version to support module synchronization.
Manage certificates for module synchronization
During module synchronization, the browser on each Tanium Server must trust and access the peer server. The servers use their SOAPServer.crt certificates to establish that trust. If the certificates are CA signed, the servers establish trust automatically. If the servers use the self-signed certificates that they generated by default during installation, you must manually enable trust to avoid synchronization errors.
To facilitate synchronization, replace the self-signed certificates with CA certificates before importing modules. For the steps to replace certificates, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
To prevent module synchronization errors on Tanium Servers that use self-signed certificates:
- Access the Tanium Console of each Tanium Server and, when the browser displays a certificate validation error, select the option to ignore the error and proceed to the server URL.
This action enables the servers to trust each other for the duration of the current browser session.
- Complete the module operations (imports, updates, or uninstallations) within the current browser session.
If the session times out during an operation, automatic synchronization fails and you must repeat the first step to re-enable trust.
Resolve module synchronization errors
Module operations might succeed on one Tanium Server but fail to synchronize on the peer server due to network or certificate issues. For example, in air-gapped deployments, deployments where the Console is accessed through a CNAME alias, or deployments with unexpected certificate names, the browser on each Tanium Server might be unable to access the peer for Cross-Origin Resource Sharing (CORS). When such issues cause discrepancies in the module versions on the servers, a message indicates the discrepancies when you access the Solutions page. The message appears only in the Tanium Console of the server that has discrepancies based on the database log entries. For example, updating Tanium™ Patch might succeed on Tanium Server ts1.example.com but not on Tanium Server ts2.example.com. In this case, the database logs will have an updated entry for ts1.example.com and the Tanium Console for ts2.example.com will display a discrepancy message.

Perform the following steps to resolve module discrepancies between Tanium Servers:
- In the browser that you are using to access the Tanium Console, verify that the URL field specifies the Tanium Server FQDN, not the server IP address.
- Verify that the Tanium Server uses the default port for Tanium Console access. If you specify a custom port, module operations are not automatically synchronized and you must repeat the operations on each active-active server. The steps to view and edit the port (ServerSOAPPort setting) depend on your infrastructure:
- Appliance deployment: The default port is 8443 but you can also use 443. To view and edit the port, see Tanium Core Platform Deployment Reference Guide: Tanium Core Platform server settings (Appliance).
- Windows deployment: The default port is 443. Use the Tanium Server CLI to view and edit the port. See Tanium Core Platform Deployment Reference Guide: Tanium Core Platform server settings (Windows).
- Ensure that the browser on each Tanium Server trusts the SOAPServer.crt certificate of the peer server. See Manage certificates for module synchronization.
- Configure the access_control_origin_servers platform setting to ensure that the Tanium Servers support CORS.
In most deployments, Tanium Servers automatically enable CORS. However, if module synchronization fails, manually configure access_control_origin_servers with the FQDNs or IP addresses that you use to access the Tanium Console on each Tanium Server.
- From the Main menu, go to Administration > Configuration > Settings > Advanced Settings and click Add Setting.
- For the Setting Type, select Server.
- For the Platform Setting Name, enter access_control_origin_servers.
- Set the Value Type to Text.
- For the Value, enter the Tanium Server FQDNs or IP addresses with a comma to separate each, such as ts1.example.com,ts2.example.com or 192.0.2.1,192.0.2.2.
- Click Save.
- If no access_control_origin_servers value can enable CORS to work in your deployment, disable module synchronization:
- From the Main menu, go to Administration > Configuration > Settings > Advanced Settings and click Add Setting.
- For the Setting Type, select Server.
- For the Platform Setting Name, enter console_disable_ha_workbench_install.
- Set the Value Type to Numeric.
- For the Value, enter 1.
- Click Save.
After disabling module synchronization, you must perform all future module operations on both Tanium Servers in an active-active cluster.
- Repeat the import, update, downgrade, or uninstallation operation on the Tanium Server where the module operation initially failed.
Downgrading solutions is not recommended and might cause unexpected behavior on the Tanium Server or managed endpoints. Downgrade only if Tanium Support explicitly directs you. See Contact Tanium Support.
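The URL, port, and CORS checks from the steps above can be run as a preflight before a module operation. The following is an added example, not Tanium code: the function names and sample URLs are constructed for illustration, and the default ports are the ones this guide states.

```python
import ipaddress
from urllib.parse import urlsplit

# Default Tanium Console ports as stated in this guide.
DEFAULT_PORTS = {"windows": {443}, "appliance": {8443, 443}}


def is_ip_literal(host):
    """Return True when host is an IPv4 or IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_console_url(url, platform):
    """Return findings that would prevent automatic module synchronization."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    # urlsplit reports port None when the URL relies on the scheme default.
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    findings = []
    if is_ip_literal(host):
        findings.append("IP address in URL: use the Tanium Server FQDN")
    elif "." not in host:
        findings.append("short host name in URL: use the Tanium Server FQDN")
    if port not in DEFAULT_PORTS[platform]:
        findings.append(f"custom port {port}: repeat module operations on each server")
    return findings


def missing_origins(setting_value, console_urls):
    """List Console hosts absent from a comma-separated
    access_control_origin_servers value."""
    allowed = {h.strip().lower() for h in setting_value.split(",") if h.strip()}
    hosts = [urlsplit(u).hostname for u in console_urls]
    return [h for h in hosts if h and h not in allowed]


# Constructed sample input: (Console URL, platform) pairs for an active-active pair.
SAMPLE = [
    ("https://ts1.example.com", "windows"),
    ("https://192.0.2.2:8443", "appliance"),
    ("https://ts2.example.com:9443", "windows"),
]

if __name__ == "__main__":
    for url, platform in SAMPLE:
        for finding in check_console_url(url, platform) or ["ok"]:
            print(f"{url} ({platform}): {finding}")
    print("missing from CORS setting:",
          missing_origins("ts1.example.com,ts2.example.com", [u for u, _ in SAMPLE]))
```

A host reported by missing_origins is one that administrators actually use to reach the Console but that the access_control_origin_servers value would not cover.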
Manage service accounts
Tanium service accounts
Each Tanium solution (module or shared service) uses a service account that authenticates to the Tanium Server to run background processes such as plugins on the server. A solution authenticates to create a plugin when you import that solution and possibly when you upgrade it. Specific solutions also create plugins for other events. When you import solutions, you can select automatic configuration of the service account (along with other settings) or manually configure the account after importing. Automatic configuration sets the service account to the user account that you use to perform the import. During manual configuration, you can specify any account that has permissions to run solution processes. Whether you select automatic or manual configuration, you can later specify different service accounts through the Tanium Console.
Configuring a unique Tanium service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.
Changes to service account passwords do not interrupt currently running processes. For example, if an administrator changes the password for the Tanium Comply service account in the identity store of your organization, ongoing Comply processes continue running without the need to re-authenticate to the Tanium Server. However, when an account password changes, the Tanium solution that uses the account cannot create new plugins until you enter the updated password in the account configuration on the server. To ensure that a solution can create plugins when necessary, update its account configuration whenever the password changes.
For details about the permissions that are required for Tanium service accounts, and the steps to configure the accounts, see the corresponding user guide:
- API Gateway: The service account is not configurable.
- Asset: not applicable to Asset 1.19.99 or later
- Benchmark: not applicable
- Certificate Manager: not applicable
- Client Management: not applicable to Client Management 1.10.279 or later
- Comply: not applicable to Comply 2.12 or later
- Connect: not applicable to Connect 5.12.325 or later
- Criticality: not applicable
- Deploy: not applicable to Deploy 2.19.87 or later
- Direct Connect: not applicable to Direct Connect 2.5.24 or later
- Directory Query: not applicable
- Discover: not applicable in Discover 4.7.159 or later
- Endpoint Configuration: not applicable in Endpoint 1.6.265 or later
- End-User Notifications
- Enforce: not applicable in Enforce 1.11 or later
- Engage: not applicable
- Feed: not applicable
- Health Check
- Impact: not applicable in Impact 2.0 or later
- Integrity Monitor
- Interact: not applicable in Interact 2.14 or later
- Map: not applicable in Map 3.8 or later
- Patch: not applicable in Patch 3.13.127 or later
- Performance: not applicable in Performance 1.2 or later
- Provision: not applicable in Provision 1.3.69 or later
- Reporting: not applicable
- Reputation
- Reveal
- Threat Response: not applicable in Threat Response 4.0 or later
- Trends: not applicable in Trends 3.9 or later
For details about the service account that the Tanium Server might use if it synchronizes with a Lightweight Directory Access Protocol (LDAP) server, see LDAP User Name and Password.
Windows service accounts (not applicable to the Tanium Appliance)
In a Tanium deployment on Windows infrastructure, all Tanium modules and shared services use a Windows service account to launch services on the Tanium Module Server. Windows service accounts are distinct, and managed independently, from the service accounts that Tanium solutions use to run processes on the Tanium Server. For example, Comply uses a Windows service account to launch the Tanium Comply service on the Module Server.
By default, LocalSystem is the Windows service account that launches all Tanium solution services. LocalSystem is a predefined account that authenticates to the Windows operating system. Because LocalSystem has no password, you never need to update its credentials for running services. If you use any other Windows service accounts to launch Tanium services, and an administrator changes the account passwords on the LDAP or AD server, the services cannot restart until you enter the new passwords through the Services program on the Module Server. You can also use the Services program to select different service accounts for launching Tanium services.
Configuring a unique Windows service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.
Tanium Core Platform servers and the Tanium database use Windows service accounts to run processes during and after installation. You select the accounts during server installation. After installation, you can select different accounts, or update their passwords, through the Services program in the same way as for Tanium solution services. For details about the service account requirements of platform servers and the database, see Tanium Core Platform Deployment Guide for Windows: Administrator account permissions.
Perform the following steps to update a Windows service account:
- Sign in as the Administrator user to the system that runs the service:
- Tanium solutions: Sign in to the Module Server.
- Tanium Core Platform servers or Tanium database server: Sign in to the system that hosts the server.
- Open the Windows Services program and right-click the service that requires an update.
- Select Properties and select the Log On tab.
- (Optional) To select a different account, select This Account and enter the account name.
- Enter the Password, re-enter it in the Confirm Password field, and click OK.
- Restart the service. The account update does not apply until the service restarts.
Last updated: 5/30/2023 2:37 PM