Managing Tanium Core Platform settings

You can manage settings that control Tanium Core Platform behaviors across all Tanium solutions (modules, shared services, and content-only solutions). For example, if you enable the Require Action Approval setting, then actions that any user or solution initiates do not deploy to endpoints until another user approves those actions.

The Administration > Configuration > Settings page lists settings in two tabs based on the level of expertise that is required to manage them effectively:

Platform Settings: You can manage these settings effectively without guidance from Tanium Support.
However, you cannot create or delete settings on the Platform Settings tab, you can only view and edit them. Platform settings are a subset of the most commonly used Advanced Settings and therefore appear in both tabs, but the Platform Settings tab simplifies configuring them.
Advanced Settings: Contact Tanium Support for guidance (see Contact Tanium Support) before you edit, create, or delete these settings unless they are also Platform Settings. Advanced settings are listed alphabetically for easy scanning. Some advanced settings are hidden by default and you must create them before they appear in the tab.

For descriptions of the settings that are most commonly viewed or configured when you set up or customize a Tanium deployment, see Reference: Tanium Core Platform settings.

For most settings, you require Global Settings read permission to view them, Global Settings write permission to edit them, or Permission Administrator permission to both view and edit them. The Admin reserved role has these permissions and can also view and edit settings (such as Trusted Auth Origin) that are not visible to any other role. Platform Settings and Advanced Settings include server and client settings that appear only to users who have Global Settings read permission. Global Settings write permission provides Global Settings read permission and also enables users to create, edit, or delete server and client settings. The Administrator reserved role has these permissions.

Only the Administrator reserved role can view and manage Local Tanium Server settings, such as Trusted Auth Origin.

Manage platform settings

Assess the impact of your planned changes before you edit settings. For example, enabling Restricted Targeting prevents the automatic deployment of solution-specific tools to endpoints by making the No Computers computer group the target for the action groups of solutions that you later add to your licenseimport. Therefore, before enabling the setting, assess the impact of preventing automatic tools deployment.

Perform the following steps to view setting values and descriptions, and to change the values:

From the Main menu, go to Administration > Configuration > Settings > Platform Settings.

For each setting, the page shows the current value, whether that value is the Default, and a brief description. Settings with non-default values have a Reset button for reverting to the default values.
(Optional) Expand the setting that you plan to edit to see additional information about the platform behavior that it controls.
Change the setting value as follows and click Save All:
- Click the ON or OFF widget for settings that are enabled or disabled.
- Enter values in the text-entry fields for settings that have numeric or string values.
  
  You must expand some settings, such as Trusted Auth Origin, to see their text-entry fields.

Manage advanced settings

Contact Tanium Support for guidance before you edit advanced settings. See Contact Tanium Support.

You can manage the following types of advanced settings:

Server: Server settings affect the behavior of all Tanium Core Platform servers and Tanium Console.
Client: Client settings affect the behavior of all Tanium Clients.
Local settings: Tanium Server settings that you configure locally on each server control aspects of the connections between the server and other Tanium Core Platform components or external servers. Local settings also control features such as logging and Tanium Client peering. Most local settings are automatically configured during server installation, but you can change the settings when necessary. During troubleshooting, Tanium Support might ask you to review or confirm local settings, but rarely asks you to change them.
You must update local settings on each Tanium Server in an active-active deployment because the servers do not synchronize those settings.

Server and client settings that you configure locally on a server or client through its command-line interface (CLI) override the settings that you configure through Tanium Console. To configure server settings locally, see Tanium Core Platform Deployment Reference Guide: Tanium Core Platform server settings. To configure client settings locally, see Tanium Client Management User Guide: Tanium Client CLI and client settings.

Some advanced settings are hidden by default: they do not appear in Console or in the server or client CLI unless you manually add those settings. However, hidden settings have default values that apply even if you do not add them. After you add a setting through Console or the CLI, the value that you set overrides the default value.

View advanced settings

The Advanced Settings page displays the setting properties that Table 1 describes, as well as who last modified a setting and when. However, the page does not show the Value of protected settings. After you configure a protected setting, you cannot see its value in Tanium Console.

From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
(Optional) Enter a search string in the Filter items field to filter the settings by Name or Value.
(Optional) Click Show More in the Note column to see the full text for settings that are configured with a Note value.

From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
(Optional) Filter the settings by:
- Type: The page displays All settings by default but you can click Server, Client, or Local to display only settings of that type.
- Name or Value: Enter a search string in the Filter items field.
(Optional) Click Show More in the Note column to see the full text for settings that are configured with a Note value.

Edit advanced settings

From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
Click the Name of the setting that you want to edit.
Enter a new Value, optionally update the Note (server and client settings only), and click Save.
A Note can help other users understand why you changed the setting.

Updates to most Server and Local settings apply immediately but some require a Tanium Server restart. Contact Tanium Support for information about which settings require a server restart (see Contact Tanium Support). To restart the server, see:

Tanium Appliance: See Tanium Appliance Deployment Guide: Start, stop, and restart Tanium services.
Windows Server: See Tanium Core Platform Deployment Guide for Windows: Manage Windows services for core platform servers.

Updates to Tanium ClientClient settings apply only after you manually restart the clients or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.

Create advanced settings

Some advanced settings are hidden by default. When you create a setting through Tanium Console, the setting becomes visible and you can change its default value.

From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.

Click Create Setting, configure the following properties, and click Save:

Table 1: Advanced settings properties
Property	Description
Setting Type	Specify the Tanium Core Platform components to which the setting applies: Server: Applies to one or more Tanium Core Platform servers Client: Applies to Tanium Clients Local: Applies to the Tanium Server that you are currently logged into through Tanium Console
Name	Enter a name to identify the setting.
Value Type	Specify the type of value: Text: The value is a text string. Note that the string might include both letters and numbers, such as an IP address or URL. Numeric: The value is a number. Protected: This type applies only to Local settings (such as passwords) for which you want to hide the value in the Advanced Settings page. After you configure a protected setting, you cannot see its value in Tanium Console.
Value	Enter the setting value.
Note	(Server or client settings only) Optionally, enter any notes that might help other users understand the purpose of the setting.

Most Server and Local settings apply as soon as you create them, but some require a Tanium Server restart. Contact Tanium Support for information about which settings require a server restart (see Contact Tanium Support). To restart the server, see:

Tanium Appliance: See Tanium Appliance Deployment Guide: Start, stop, and restart Tanium services.
Windows Server: See Tanium Core Platform Deployment Guide for Windows: Manage Windows services for core platform servers.

New Tanium ClientClient settings apply only after you manually restart the clients or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.