Provision requirements

Review the requirements before you install and use Provision.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Provision. Provision is licensed with the Tanium IT Operations Suite (Tanium™ Asset, Tanium™ Deploy, Tanium™ Discover, and Tanium™ Patch).
  • Tanium™ Core Platform servers: 7.3.314.4250 or later
  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server or Tanium™ Cloud automatically imports the computer groups that Provision requires: All Computers.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Provision to function (required dependencies) or for specific Provision features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Provision dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Provision requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Provision, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Provision to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Provision has the following required dependencies at the specified minimum versions:

  • Tanium Client Management 1.7 or later
  • Tanium Interact 2.9.76 or later
  • Tanium RDB Service 1.4.0 or later
  • Tanium System User Service 1.0.170 or later

Tanium™ Module Server

Provision is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported Internet protocols

Provision supports only IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Provision:

| Operating System | Version | Supported Services |
| --- | --- | --- |
| Windows | Windows 10 and later | PXE service and ODJ service |
| Windows | Windows Server 2016 and later | PXE service and ODJ service |
| macOS | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | PXE service |
| Linux | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | PXE service |

Provision does not support provisioning endpoints that are configured with Intel Rapid Restore Technology. For more information, see Error: USB media does not find the storage drive.

Disk space requirements

Provision requires that the endpoint has disk space of at least twice the total size of all OS bundles for the PXE service.

Host and network security requirements

Specific ports and processes are needed to run Provision.

Ports

The following ports are required for Provision communication.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Module Server / Tanium Cloud | Module Server / Tanium Cloud (loopback) | 17518 | TCP | |
| PXE service | PXE service | 67, 69, 4011 | UDP | macOS and Linux endpoints |
| PXE service | PXE service | 17519 | TCP | HTTP cache port - configurable in Provision Settings |
| PXE service | PXE service | 17530 | TCP | HTTPS/TLS cache port - configurable in Provision Settings |
| ODJ service | ODJ service | 8100 | TCP | |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
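The following added example (not Tanium code) audits a firewall rule export against the ports table above and flags Provision ports that are missing a port-based rule or are reachable only through an application-identity rule. The rule format, rule names, and sample data are hypothetical and constructed for illustration.

```python
# Added example: audits a simplified, hypothetical firewall rule export
# against the Provision ports table. All rule data below is constructed.

# (protocol, port) pairs from the table. 17518 is loopback-only, so it needs
# no network rule. 17519/17530 are the listed cache ports (configurable).
REQUIRED = {("udp", 67), ("udp", 69), ("udp", 4011),
            ("tcp", 17519), ("tcp", 17530), ("tcp", 8100)}

def parse_service(spec):
    """Turn 'tcp/8100' or 'udp/67-69' into (protocol, low, high)."""
    proto, _, ports = spec.lower().partition("/")
    low, _, high = ports.partition("-")
    return proto, int(low), int(high or low)

def audit(rules, required=REQUIRED):
    """Return required ports with no port-based allow rule, plus the names
    of allow rules that reach a required port only via application identity."""
    covered, app_based = set(), []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        ranges = [parse_service(s) for s in rule["services"]]
        hits = {(p, n) for (p, n) in required
                if any(p == proto and lo <= n <= hi for proto, lo, hi in ranges)}
        if not hits:
            continue
        if rule["application"] == "any":
            covered |= hits                 # matches on protocol and port alone
        else:
            app_based.append(rule["name"])  # depends on traffic classification
    return {"missing": sorted(required - covered),
            "app_based": sorted(app_based)}

# Constructed sample export: one rule relies on an application object and
# no rule opens the HTTPS/TLS cache port.
SAMPLE_RULES = [
    {"name": "provision-pxe-udp", "action": "allow", "application": "any",
     "services": ["udp/67", "udp/69", "udp/4011"]},
    {"name": "provision-cache", "action": "allow",
     "application": "web-browsing", "services": ["tcp/17519"]},
    {"name": "provision-odj", "action": "allow", "application": "any",
     "services": ["tcp/8100"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

If the cache ports were changed in Provision Settings, update `REQUIRED` to match before running the audit.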

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Provision security exclusions
| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\provision-service\TaniumProvisionService.exe |
| | | Process | <Module Server>\services\twsm-v1\twsm.exe |
| Windows endpoints | | Process | <Tanium Client>\Python38\TPython.exe |
| | | Folder | <Tanium Client>\Python38 |
| | | Process | <Tanium Client>\Tools\Provision\TaniumODJ.exe |
| | | Process | <Tanium Client>\Tools\Provision\TaniumODJ_x86.exe |
| | | Process | <Tanium Client>\Tools\Provision\TaniumPXE.exe |
| | | Folder | <Tanium Client>\Tools\Provision |
| Linux endpoints | | Process | <Tanium Client>/python38/python |
| | | Folder | <Tanium Client>/python38 |
| | | Folder | <Tanium Client>/Tools/Provision |
| macOS endpoints | | Process | <Tanium Client>/python38/python |
| | | Folder | <Tanium Client>/python38 |
| | | Folder | <Tanium Client>/Tools/Provision |

User role requirements

The following tables list the role permissions required to use Provision. To review a summary of the predefined roles, see Set up Provision users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Provision user role permissions
| Permission | Provision Administrator¹ | Provision Read Only User | Provision Service Account¹˒²˒³ | Provision Endpoint Configuration Approver² |
| --- | --- | --- | --- | --- |
| Provision (SHOW: View the Provision workbench. Read and write access to the Provision module.) | SHOW, READ, WRITE | SHOW, READ | SHOW, READ, WRITE | SHOW |
| Provision Endpoint Configuration (Approve Provision items in Endpoint Configuration.) | | | | APPROVER |
| Provision Service Account (Access to perform service account administration.) | | | EXECUTE | |

1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 Do not assign the Provision Service Account role to users. This role is for internal purposes only.

 

Provided Provision administration and platform content permissions
| Permission | Permission Type | Provision Administrator | Provision Read Only User | Provision Service Account | Provision Endpoint Configuration Approver |
| --- | --- | --- | --- | --- | --- |
| Action Group | Administration | READ, WRITE | READ | READ, WRITE | |
| Action | Platform Content | READ, WRITE | READ | READ, WRITE | |
| Action For Saved Question | Platform Content | WRITE | | WRITE | |
| Dashboard | Platform Content | READ, WRITE | READ | READ, WRITE | |
| Dashboard Group | Platform Content | READ, WRITE | READ | READ, WRITE | |
| Filter Group | Platform Content | READ, WRITE | READ | READ, WRITE | |
| Own Action | Platform Content | READ | READ | READ | |
| Package | Platform Content | READ, WRITE | READ | READ, WRITE | |
| Plugin | Platform Content | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE |
| Saved Question | Platform Content | READ, WRITE | READ | READ, WRITE | |
| Sensor | Platform Content | READ, WRITE | READ | READ, WRITE | |

You can view which content sets are granted to any role in the Tanium Console.