Managing action locks

To prevent the Tanium Client from running Tanium package scripts on certain endpoints, you can deploy an action lock. For example, you might prevent actions while troubleshooting endpoint issues or to protect sensitive endpoints. An action lock prevents all actions from running unless you configure overrides for the associated packages (see Override action locks) or for specific Tanium solution operations (see Solution-specific impacts and overrides for action locks).

All Tanium deployments provide the content-only solution Default Content, which includes packages for turning action locks on or off for Windows and non-Windows endpoints. This solution also includes a sensor named Action Lock Status and saved questions that use this sensor, which enable you to track Tanium Clients that have the action lock turned on.

Solution-specific impacts and overrides for action locks

Most Tanium solutions use Endpoint Configuration for deploying tools and configuration changes to endpoints (see Tanium Endpoint Configuration User Guide: Integration with other Tanium products). If action locks are turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings in Endpoint Configuration (see Tanium Endpoint Configuration User Guide: Global Endpoint Configuration settings).

You can also configure the following Tanium solutions to ignore action locks for certain operations:

Deploy: Specify whether to ignore action locks for applicablility scanning and deployments. See Tanium Deploy User Guide: Configure module settings.
Direct Connect: Specify whether to ignore action locks for new connections and configuration changes. See Tanium Direct Connect User Guide: Configure Endpoint Connection settings.
Enforce: Specify whether to ignore action locks for anti-malware enforcements. See Tanium Enforce User Guide: Action Lock Override.

For details on how action locks affect other Tanium solutions, see the associated user guides:

Asset
Client Management:
- Access detailed client health and troubleshooting information on an endpoint
- Upgrade Tanium Clients using Client Management
Comply
Discover
Patch

No solutions can perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on. You can see the affected solutions under Tanium Endpoint Configuration User Guide: Integration with other Tanium products.

Turn on action locks

Windows and non-Windows endpoints require separate packages for turning on action locks. Therefore, perform the following steps for each type of endpoints:

Ask a targeting question, such as:

Get Computer Name and Is Windows and Action Lock Status from all machines with Action Lock Status contains Action Lock Off
Select the Windows or non-Windows endpoints that
require the action lock turned on, and click Deploy Action.
Select the Deployment Package that matches the target endpoints:
- Windows endpoints: Tanium Client - Set Action Lock On
- Non-windows endpoints: Tanium Client (Non-Windows) - Set Action Lock On
Configure the remaining action settings and deploy the action. See Deploying actions.
Monitor the action status. See View action status.

If you want to Test action locks, record the Action ID and wait for the action to complete.

Test action locks

Issue the saved question Clients That Cannot Take Actions - Action Lock On. See Issue a saved question.
Check the ActionLockFlag setting on an endpoint that is included in the question results. Turning on action locks creates the setting on endpoints and sets its value to 1.
1. Sign in to the endpoint and open a Command Prompt.
  For details about the Tanium Client CLI, see Tanium Client Management User Guide: Tanium Client command line interface (CLI).
2. Navigate to the Tanium Client installation directory:
  cd <installation directory>
3. Verify that the ActionLockFlag value is 1:
  TaniumClient config get ActionLockFlag
  1
On the endpoint, open the associated action log and look for a message that indicates the action lock is on. Action logs are in the <Tanium_Client_installation_directory>/Downloads folder. You can identify the log for a specific action by the log file name (Action_<ID>.txt), which contains the Action ID. See Track Action IDs.
Deploy an action to the endpoint (see Deploying actions). After the Action Status page opens, the action eventually times out and its status changes to Expired. The Administration > Actions > Action History page shows the Status as Closed after the action expires.

Turn off action locks

Windows and non-Windows endpoints require separate packages for turning off action locks. Therefore, perform the following steps for each type of endpoint:

Issue the saved question Clients That Cannot Take Actions - Action Lock On. See Issue a saved question.
Select the Windows or non-Windows endpoints that
require the action lock turned off, and click Deploy Action.
Select the Deployment Package that matches the target endpoints:
- Windows endpoints: Tanium Client - Set Action Lock Off
- Non-windows endpoints: Tanium Client (Non-Windows) - Set Action Lock Off
Configure the remaining action settings and deploy the action. See Deploying actions.
Issue the saved question Clients That Cannot Take Actions - Action Lock On: see Issue a saved question.
Select the Windows or non-Windows endpoints that
require the action lock turned off, and click Deploy Action.
Select the Deployment Package that matches the target endpoints:
- Windows endpoints: Tanium Client - Set Action Lock Off
- Non-windows endpoints: Tanium Client (Non-Windows) - Set Action Lock Off
Configure the remaining action settings and deploy the action: see Deploying actions.
Monitor the action status and wait for the action to complete: see View action status.

Perform the remaining steps to verify that the action lock is off.
Issue the saved question Clients That Cannot Take Actions - Action Lock On, and verify that the results do not include the endpoints for which you turned off the action lock.
Review the Tanium Client settings on an endpoint that is not included in the question results. Turning off the action lock removes the ActionLockFlag setting on endpoints.
1. Sign in to the endpoint and open a Command Prompt.
  For details about the Tanium Client CLI, see Tanium Client Management User Guide: Tanium Client command line interface (CLI).
2. Navigate to the Tanium Client installation directory:
  cd <installation directory>
3. Verify that the list of settings does not include ActionLockFlag:
  TaniumClient config list
On the endpoint, open the associated action log and look for a message that indicates the action lock is off. Action logs are in the <Tanium_Client_installation_directory>/Downloads folder. You can identify the log for a specific action by the log file name (Action_<ID>.txt), which contains the Action ID. See Track Action IDs.

Override action locks

To override action locks for certain operations that Tanium solutions perform, see Solution-specific impacts and overrides for action locks.

To override action locks for a specific action, perform the following steps to edit the associated package before deploying the action.

If a package is Tanium-defined content, clone it and edit the clone instead of editing the original package. For details, see Tip 4: Limit customizations to Tanium content.

Consult whoever turned on action locks to verify that it is safe to run the action on the target endpoints.
From the Main menu, go to Administration > Content > Packages and click the package Display Name.
Click Edit Mode , select Ignore Action Lock, and click Save.