Working with policy enforcement

Enforce policies

Enforce a policy on one or more computer groups for which you have management rights that you have defined in the Administration section of Tanium Console. See Tanium Platform User Guide: Managing Computer Groups for more information about creating and managing computer groups. Manual computer groups are not supported by Protect.

  1. On a policy page, click Add Enforcement.
  2. On the Create Enforcement page, select Computer Groups or Individual Computers.

    To select Individual Computers, you must have a micro admin role that grants the Read System Status permission.

  3. Define the Schedule when enforcing a remediation policy.
  4. Click Create.

If you are using a Common Access Card (CAC), check the Proceed with enforcement of this policy to endpoints box and click Confirm to enforce the policy.

Remove a policy enforcement

  1. Under Enforcements for this Policy, click Delete next to the enforcement you want to remove.
  2. On the next window, enter your password and click Confirm.

If you are using a CAC, check the Proceed with deletion of this enforcement of this policy on target group "XXXX" box (where XXXX is the name of the target Computer Group) and click Confirm to remove the policy enforcement.

View policies

From the Protect menu, click Policies to view all created policies.

Click on a policy to see the configuration of that policy, the number of enforcements, which user created the policy, and when the user created it.

Use the Type and Enforcement Status drop-down menus under Filter Results to see policies of each type.

You can also select a policy to export, copy, edit, or delete it. A policy can be deleted only if it has no enforcements.

Prioritize policies

All policies are exclusive, meaning that only one policy of each type can be in effect on an endpoint at a given time. When multiple policies with the same exclusive rule type are enforced against a particular endpoint, Protect must resolve the conflict to decide which policy is applied.

If an endpoint is enforced with two or more policies of the same type, only the highest priority policy is applied. Lower priority policies are not enforced.

Set the prioritization of policies to determine which policy is applied if a conflict exists.

  1. On the Policies page, select Prioritize.
  2. Drag and drop a policy to reprioritize it. Protect automatically adjusts the numbers next to the other policies and reorders the list by priority.
  3. Click Save to save your new policy prioritization order.
  4. On the Confirm Update of Conflict Resolution Priorities window, enter your password and click Confirm.

If you are using a CAC, check the Proceed with update of conflict resolution priorities box and click Confirm to enforce the policy.

View policy details

Click a policy to view the Policy Details including all rules associated with that policy.

You can also see details for all Enforcements.

Click Add Enforcement to add a computer group or endpoint to the enforcements.

If you see any Online Partially Enforced Assets or Online Unenforced Assets on the Protect Home page, you should go to Policies and Computer Groups in the Protect menu to determine which policies are not being enforced and which computer groups are unenforced.