Setting up endpoints

Scan endpoints by configuring engines for targeted computer group groups and by configuring custom settings.


Configure engines

Target deployments to computer groups based on the architecture and platform of the targeted endpoints to deploy engines and JREs to endpoints on a schedule. For example, you might want to create the following deployments:

  • Windows 64-bit
  • Windows 32-bit
  • macOS 64-bit
  • Linux 64-bit

  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

By default, Tanium provides the Tanium Scan Engine (powered by JovalCM), but if you uploaded another supported engine, you can select that engine. For more information on scan engines, see Working with scan engines and JREs.

  1. Go to Setup > Configuration.
  2.  In the Engines tab, do the following:
  3. Click for an engine in the list to open the targeting window.
  4. Select Computer Groups you want to target.
    • Default: Default targeting uses the Comply action group.

    • Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click the check mark for each selection and then click Save.

    • You must register sensors that are referenced by the action group. See Register or unregister sensors for collection.

  5. Click Save.


Custom settings

Set limits for engines on endpoints using targeting.

On the Setup > Configuration page, select the Custom Settings tab.

    The default configuration with suggested "best practice" parameters is displayed:

      • For CPU Count, 1 CPU is selected.
      • For Java Heap Size, a default value 768 MB is set.
      • For Targeting, Default is selected for the action group.

  1. To create a custom configuration, click the Add Custom Settings button.
  2. In the Create Custom Settings window, set the following: 
    • Resource mode: The default setting is Normal. Change this setting to Low, and the Tanium scan engine will utilize fewer resources on the endpoint.
    • Note the following about Low Resource Mode:

      • It only applies to the Tanium scan engine.

        Tanium scan engine version 6.3.7 or higher is required.

      • Scans take more time to complete.

      • The CPU Count automatically defaults to 1 and the Max Java Heap size is set to 128 MB.

      • CPU Utilization (Windows OS types only) can be set as low as 10%. If other resources are using CPU, the scan will pause until the set amount of CPU is available.

    • CPU Count: Set a maximum number of CPUs for scanning. The default recommendation is 1 CPU.
    • Java Heap Size: Set the maximum amount of Java heap memory used for scanning. The default recommendation is 768 MB.
    • SBOM: (Requires a Tanium SBOM license) SBOM scanning is useful for determining vulnerabilities on endpoints based on the results of a Software Bill of Materials assessment. If you are configuring an SBOM scan assessment, you must select the Enable SBOM check box choose at least one file ecosystem. See SBOM scan assessment. In the Candidate Ecosystems section, select at least one ecosystem: 
      • File Types: Select the file types to be scanned by the SBOM scan assessment. The following are supported: Java (JAR, PAR, SAR, WAR, EAR, JHI, JPI LPKG), JavaScript (Node/NPM), Python, Ruby (Gem), PHP (Composer), Go binary files, Native binary files.
      • Scanning binary files can impact performance on endpoints. If you choose to scan binary files, it is recommended you use file and directory exclusions to minimize the impact.

        The scanning of native binary files is not supported on Windows endpoints.

      • In the Settings section, configure the following:

        • Index Scan Frequency: Enter a value, in Days, Minutes, or Hours for how often the Index scan will run. The default is 7 days. It is recommended that you do not change this default. A week is approximately how long it may take to index files systems for endpoints when first deploying SBOM.
        • Index First Scan Distribute over Time: Enter a value, in Days, Minutes, or Hours, over which to randomize the distribution of scans to endpoints after the initial scan begins. The default is 1 day.
        • Filter Scan Exclusions: Enter file names, using regular expressions, to be excluded from scans. For example, ".*\.csv" filters all .csv files. Each exclusion should appear on a separate line.
        • Directory Exclusions : By default, Tanium Client directories are included in this exclusion list and will not be scanned. To take an unnecessary load off of index and not scan files that don't require scanning, enter any additional directories that can be excluded. Each exclusion should appear on a separate line.
        • Excluded Tanium Client directories are as follows:

          /opt/Tanium/TaniumClient

          /Library/Tanium/TaniumClient

          /System/Volumes/Data/Library/Tanium/TaniumClient

          C:\\Program Files\(x86\)\\Tanium\\Tanium Client

          Index exclusions that you define in Client Management apply globally to all Tanium solutions that use Index. Exclusions that you add directly in other solutions (Comply in this case) are not visible in Client Management and apply only to those solutions; make sure to view the exclusions in each solution to understand the full list of exclusions. See Client Index Extension overview for more information.

          Once SBOM custom settings are configured and saved, you can create an SBOM scan assessment.

    • Targeting: Select endpoints to receive these customized settings. Select Default or Custom Targeting.
      • Default: This includes all endpoints in the Comply Action Group.
      • Custom Targeting: Choose this option to build your own groupings. Use the Add buttons to build upon or narrow your selection. When finished, click the check mark for each selection.
  3. Click Save.