Provision requirements

Review the requirements before you install and use Provision.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Provision
  • Tanium™ Core Platform servers: 7.4.3.1204 or later
  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server or Tanium™ Cloud automatically imports the computer groups that Provision requires: All Computers.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Provision to function (required dependencies) or for specific Provision features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Provision dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Provision requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Provision, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Provision to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Provision has the following required dependencies at the specified minimum versions:

  • Core Content 1.3.100 or later
  • Tanium Client Management 1.7 or later
  • Tanium Direct Connect 2.6.26 or later
  • Tanium Interact 2.9.76 or later
  • Tanium RDB Service 1.0.170 or later
  • Tanium Secrets Service 1.0.104 or later
  • Tanium System User Service 1.0.40 or later

Client extensions

Tanium Endpoint Configuration installs client extensions for Provision on endpoints. Client extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension before loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Provision functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between the endpoint and the Module Server or Tanium Cloud. Tanium Direct Connect installs this client extension.
  • Provision CX - Provides sensitive data and notifications about bundle or settings changes to Provision endpoints. Tanium Provision installs this client extension.

Tanium™ Module Server

Provision is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported Internet protocols

Provision supports only IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Provision.

| Operating System | Version | Supported Services |
|---|---|---|
| Windows | Windows 10 and later; Windows Server 2016 and later | Provision Endpoint Service (PXE, Caching, ODJ); bare-metal installation (requires volume license versions of Windows); OS refresh (requires volume license versions of Windows) |
| macOS | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | Provision Endpoint Service (PXE, Caching) |
| Linux | AlmaLinux 8.6, 9; CentOS 7, 8, 9, Stream; Debian 11; Red Hat Enterprise Linux (RHEL) 8.4, 8.5, 8.6, 9; Rocky Linux 8.6, 9; Ubuntu | Provision Endpoint Service (PXE, Caching); bare-metal installation; OS refresh from existing Windows endpoints |

Provision does not support provisioning endpoints that are configured with the following options:

Disk space requirements

For the PXE service, Provision requires that the endpoint has disk space of at least twice the total size of all OS bundles.

Power setting requirements

Because Provision endpoints must be available at all times, the following power settings are required:

  • Disable Sleep
  • Turn on High performance power plan

Host and network security requirements

Specific ports and processes are needed to run Provision.

Ports

The following ports are required for Provision communication.

Network communication ports

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Module Server or Tanium Cloud | Module Server or Tanium Cloud (loopback) | 17518 | TCP | |
| PXE service | PXE service | 67, 69, 4011 | UDP | |
| | | 17519 | TCP | HTTP cache port - configurable in Provision Settings |
| | | 17530 | TCP | HTTPS/TLS cache port - configurable in Provision Settings |
| ODJ process | ODJ process | 8100 | TCP | Client Port - configurable in Provision Settings |
| Endpoint | Microsoft | 80 | TCP | Optional connection to Microsoft for direct download of WIM files. For more information, see Download Windows files directly from Microsoft. |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
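
The following added example (not Tanium tooling and not part of the original guide) audits the listeners on a Linux endpoint that runs the Provision PXE service against the default ports in the table above. It assumes that `ss -H -tuln` output is available, and it treats a required port bound only on an IPv6 address as unusable because Provision supports only IPv4; the function names and the sample output are constructed for illustration.

```python
# Added example: compare listening sockets with the Provision PXE service ports.
# Defaults come from the port table; 17519 and 17530 are configurable in
# Provision Settings, so adjust REQUIRED if they were changed.
REQUIRED = {
    ("udp", 67), ("udp", 69), ("udp", 4011),  # PXE service
    ("tcp", 17519),                           # HTTP cache port
    ("tcp", 17530),                           # HTTPS/TLS cache port
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:67         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:17519      0.0.0.0:*
tcp   LISTEN 0      128             [::]:17530         [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return a set of (proto, port, address) tuples from `ss -H -tuln` text."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # The local address is the fifth column; the port follows the last colon.
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.split("%", 1)[0]  # drop an interface suffix such as %lo
        listeners.add((fields[0], int(port), addr))
    return listeners


def audit(ss_output, required=REQUIRED):
    """Report required ports with no listener and those bound only on IPv6."""
    listeners = parse_listeners(ss_output)
    any_family = {(proto, port) for proto, port, _ in listeners}
    # Assumption: a bracketed local address is IPv6-only; IPv4 and "*" count.
    ipv4_ok = {(p, n) for p, n, a in listeners if not a.startswith("[")}
    return {
        "missing": sorted(required - any_family),
        "ipv6_only": sorted((required & any_family) - ipv4_ok),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SS))
```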

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Provision security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\provision-service\TaniumProvisionService.exe |
| | | Process | <Module Server>\services\twsm-v1\twsm.exe |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| | | File | <Tanium Client>\TaniumClientExtensions.dll |
| | | File | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | | File | <Tanium Client>\extensions\TaniumConfig.dll |
| | | File | <Tanium Client>\extensions\TaniumConfig.dll.sig |
| | | File | <Tanium Client>\extensions\TaniumDEC.dll |
| | | File | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| | | File | <Tanium Client>\extensions\TaniumProvision.dll |
| | | File | <Tanium Client>\extensions\TaniumProvision.dll.sig |
| | | Process | <Tanium Client>\Tools\Provision\TaniumPXE.exe |
| | | Folder | <Tanium Client>\Tools\Provision |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |
| | | File | <Tanium Client>/libTaniumClientExtensions.so |
| | | File | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | File | <Tanium Client>/extensions/libTaniumConfig.so |
| | | File | <Tanium Client>/extensions/libTaniumConfig.so.sig |
| | | File | <Tanium Client>/extensions/libTaniumDEC.so |
| | | File | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | | File | <Tanium Client>/extensions/libTaniumProvision.so |
| | | File | <Tanium Client>/extensions/libTaniumProvision.so.sig |
| | | Folder | <Tanium Client>/Tools/Provision |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| | | File | <Tanium Client>/libTaniumClientExtensions.so |
| | | File | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | File | <Tanium Client>/extensions/libTaniumConfig.so |
| | | File | <Tanium Client>/extensions/libTaniumConfig.so.sig |
| | | File | <Tanium Client>/extensions/libTaniumDEC.so |
| | | File | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | | File | <Tanium Client>/extensions/libTaniumProvision.so |
| | | File | <Tanium Client>/extensions/libTaniumProvision.so.sig |
| | | Folder | <Tanium Client>/Tools/Provision |

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs.

  • *.download.windowsupdate.com (if you use a Windows OS bundle that includes the DirectDownload key value entry)

User role requirements

The following tables list the role permissions required to use Provision. To review a summary of the predefined roles, see Set up Provision users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Do not assign the Provision Service Account role to users. This role is for internal purposes only.

Provision user role permissions

| Permission | Provision Administrator (1, 2, 3) | Provision Read Only User (1) | Provision Endpoint Configuration Approver (4) |
|---|---|---|---|
| Provision. SHOW: View the Provision workbench. Read and write access to the Provision module. | SHOW, READ, WRITE | SHOW, READ | SHOW |
| Provision Direct Connect Satellite. Create satellites in Direct Connect. | WRITE | | |
| Provision Endpoint Configuration. Approve Provision items in Endpoint Configuration. | | | APPROVER |
1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.

2 This role provides module permissions for Tanium Secrets. You can view which Secrets permissions are granted to this role in the Tanium Console.

3 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

4 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.


Provided Provision administration and platform content permissions
Permission Permission Type Provision Administrator Provision Read Only User Provision Endpoint Configuration Approver
Action Group Administration
READ
WRITE

READ
Action Platform Content
READ
WRITE

READ
Dashboard Platform Content
READ
WRITE

READ
Dashboard Group Platform Content
READ
WRITE

READ
Filter Group Platform Content
READ
WRITE

READ
Own Action Platform Content
READ

READ
Package Platform Content
READ

READ
Plugin Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question Platform Content


READ


READ
Sensor Platform Content
READ

READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.