Configuring Provision

If you did not install Provision with the Apply All Tanium recommended configurations option, you must configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Provision action group to target the No Computers filter group by enabling restricted targeting before adding Provision to your Tanium licenseimporting Provision. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Provision action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Provision with automatic configuration, the following default settings are configured:

The following default settings are configured for Provision:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Provision, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to PXE endpoints:

  • Provision tools
  • Provision contract
  • Provision manifest

Configure Provision

Configure Provision action group

By default, the Provision action group is set to the All Computers computer group. You can update the action group if needed.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Provision.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Provision users

You can use the following set of predefined user roles to set up Provision users.

To review specific permissions for each role, see User role requirements.

On installation, Provision creates a Provision user to automatically manage the Provision service account. Do not edit or delete the Provision user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Provision Administrator

Assign the Provision Administrator role to users who manage the configuration and deployment of Provision functionality to endpoints.
This role can perform the following tasks:

  • Configure Provision service settings.
  • View and modify Provision configurations.

Provision Read Only User

Assign the Provision Read Only User role to users who need visibility into Provision data.
This role can view Provision service settings and configurations.

Provision Endpoint Configuration Approver

Assign the Provision Endpoint Configuration Approver role to a user who approves or rejects Provision configuration items in Tanium Endpoint Configuration.
This role can perform the following tasks: approve, reject, or dismiss changes that target endpoints where Provision is installed.

Do not assign the Provision Service Account role to users. This role is for internal purposes only.

Configure PXE settings

  1. On the Provision Overview page, click Settings and then click Configuration if needed.
  2. In the Preboot Execution Environment (PXE) section, configure the PXE options.
    1. (Windows endpoints) To automatically open the required firewall ports on Windows endpoints, select Create Local Firewall Rule.

      For macOS or Linux endpoints, manually open UDP ports 67, 69, 4011, and the TCP port that is used for caching. The default port for HTTP caching is 17519 and the default port for HTTPS/TLS caching is 17530.

    2. (Optional) If you want to enable reporting of DHCP requests and other helpful information for troubleshooting, select Verbose Logging.
    3. (Optional) If you want to use Tanium Client instead of directly downloading files, select Use Tanium Client to download content to Tanium PXE.
    4. (Optional) If you want to use a different port for HTTP caching, provide any unused TCP port number in the HTTP Cache Port field.
    5. (Optional) If you want to use a different port for HTTPS/TLS caching, provide any unused TCP port number in the HTTPS/TLS Cache Port field.
  3. Click Save.

Configure ODJ settings

  1. On the Provision Overview page, click Settings and then click Configuration if needed.
  2. In the Offline Domain Join (ODJ) section, configure the ODJ options.
    1. Enter a Client Port. The default value is 8100.
    2. (Optional) Specify the Duration in hours or days to set the maximum amount of time that the ODJ process can run. The default is 750 hours.
    3. (Optional) Specify the Max Computer Account Blobs to set the maximum number of times the ODJ process can be called. The default is 1000 blobs.
  3. Click Save.