Creating policies

You can create the following policies in Enforce.

Anti-Malware

Anti-malware policies use the Microsoft Anti-malware engine to protect your endpoints from viruses. On Windows systems, they are configured through Machine Administrative Templates policies that carry the Windows Defender Antivirus Active Directory administrative template group policy objects. See Create an Anti-malware policy.

AppLocker

Use AppLocker policies to prevent unwanted executables from running on your endpoints (Deny rules) or to allow only certain applications to run on endpoints (Allow rules). See Create an AppLocker policy.

BitLocker

Use BitLocker policies to encrypt drives on endpoints using Windows BitLocker Drive Encryption. For more information about BitLocker Drive Encryption, see Create a BitLocker policy.

Device Control - All Devices

Use this policy to restrict the installation of new devices. With this policy type, the installation of any new device is blocked unless the device is explicitly allowed by either the device class or the hardware ID of the device. See Create a Windows device control policy.

Device Control - Removable Storage

Use this policy to control access permissions to specific removable media categories. The types of removable media predefined by Microsoft are CD-ROM and DVD drives, floppy disk drives, removable disk drives, tape drives, and Windows Portable Devices (WPD). See Create a Windows device control policy.

FileVault Policy

Use FileVault policies to encrypt drives on endpoints using macOS FileVault Encryption. For more information about FileVault, see Create a FileVault policy.

Firewall Management - Windows and Linux

Firewall management policies consist of rules that block or allow network traffic using the built-in operating system firewall. See Create a Windows firewall management policy and Create a Linux firewall management policy.

Machine Administrative Templates

Machine administrative template policies target machine-based Active Directory administrative template (ADMX) group policy objects on Windows systems. Use machine administrative template policies to apply consistent rules to Windows devices regardless of the logged-in user. See Create a Machine administrative template policy.

The following Microsoft packages are used in Windows administrative template policies: Windows 10 baseline, Google Chrome, MS Office, Microsoft Edge, and Windows Security Baseline ADMX files (MSS-legacy and SecGuide).

Remediation Policy

A remediation policy is a list of tasks that run sequentially on the endpoint(s). See Create a remediation policy.

Remediation Purge Policy

Use these policies to take action on lost or stolen endpoints by remotely wiping all nonessential data or freezing the endpoint to prevent attempts to sign in. See Create a purge remediation policy.

Software Restriction Policy (SRP)

SRPs consist of rules that block the execution of applications and are created using the Windows SRP component. See Create an SRP management policy.

Create an Anti-malware policy

Anti-malware policies consist of groups of settings. You can have only one Anti-malware rule for each policy; however, a single Anti-malware rule within one policy can have multiple settings. When you create an Anti-Malware policy, you can add settings to control the user experience.

Make sure you have completed the steps detailed in the Upload Anti-malware section before configuring anti-malware policies.

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Machine Administrative Templates.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.
  3. (Optional) To configure anti-malware settings, expand the Anti-Malware Specific Settings section and select Enable.
    1. To automatically add the required Tanium exclusions to the policy, click Create exclusions for Tanium processes.
    2. Determine if you should select Deploy definition update using Tanium for Managed Definitions and then complete the fields for Definition Grace Period to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value represents how old an Anti-malware definition can be before the policy is considered unenforced. The default grace period is 1 day.

      By default, anti-malware rules are configured to retrieve definitions directly from Microsoft. If an endpoint does not receive an update within the specified grace period, it is considered unenforced. When this option is selected, anti-malware rules are configured to use Tanium to deploy anti-malware definition updates.

  4. From the list of policy setting categories, go to the following categories and enable Windows Defender settings as needed. Click Add to Policy after you configure each setting.
    • Windows Components > Microsoft Defender Antivirus
    • Windows Components > Microsoft Defender Application Guard
    • Windows Components > Microsoft Defender Exploit Guard
    • Windows Components > Windows Defender SmartScreen
  5. Expand Filters and search for Defender in the Settings text field.
    1. Enable additional Windows Defender policy settings and configure as needed.
    2. Click Add to Policy after you configure each policy setting.

    Anti-malware policies require that endpoints have either SCEP or Windows Defender installed. When SCEP Installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

  6. After all settings for the policy are complete, click Create.
    The policy now appears in the Policies list on the Policy Configurations page.

Enforce policies

You can enforce a policy from three different places in Enforce:

  • The Enforcements tab of the Policy Configurations page
  • The Policies tab of the Policy Configurations page
  • When you click on a policy to view it

For more information, see Enforcing policies.

Create an AppLocker policy

For successful AppLocker rule enforcement, Enforce starts the Application Identity service on the endpoint.

The Enforce settings include default rule templates for each rule type used in AppLocker policies. The Block list rule template is used by default until you change it. For more information about changing the default rule templates, see Set defaults for AppLocker.

Only one AppLocker policy is in effect on an endpoint at a given time. Therefore, if you want to enforce rules for multiple app types (Executable, Windows Installer, or Script) on a particular endpoint, you must use one AppLocker policy with rules for each app type (and not a separate policy for each one). If there are multiple policies with the same policy type applied to an endpoint, the priority of the policy is used to resolve the conflict.

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select AppLocker.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.
  3. In the Settings section, configure the policy settings.
    1. (Optional) Provide a Support URL if you want to display a custom URL when a user tries to run an app that is blocked.
    2. You can import AppLocker rules using the XML files you generate in the AppLocker section of the Windows Local Security Policy Tool or an exported Enforce AppLocker policy to quickly add multiple rules to a policy. For more information, see Import an AppLocker rule.
    3. Select one or more rule types to configure for the policy: Executable, Windows Installer, or Script and configure each rule type that you select. Deny and Allow rules are populated with the default rule template you chose in the Enforce Settings > AppLocker section.
  4. In each of the sections for the enabled rule types, add deny or allow rules, if necessary, as follows.
    • Deny rules prevent the specified files from running on endpoints where the policy is enforced
    • Allow rules let the specified files run on endpoints where the policy is enforced

      AppLocker Deny rules take precedence over AppLocker Allow rules. You must include at least one Allow rule. For more information about best practices and rule precedence, see Set defaults for AppLocker.

      Be aware of AppLocker allow or deny rules that are set in your Domain Policy. These rules might take precedence over AppLocker rules created in Enforce.

      Add to the existing default rules to allow or deny files rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.

      The Tanium Client uses BAT, EXE, and VBS files. Be sure that you do not block scripts in the Tanium Client directory that might break the client functions.

    1. Select whether the rule type is Audit Only or Blocking.
    2. Click Create and provide a Name for the rule.
    3. In the Type section, select Hash, Path, or Publisher.
    4. Specify the settings for the file:
      • If you selected Hash, provide the Hash and optional file size in bytes. Optionally, click Add another rule to add another hash rule.

        For best results, use a utility other than Get-AppLockerFileInformation to generate the SHA-256 hash. For example, you can use Get-FileHash to generate the hash. Hashes generated with Get-AppLockerFileInformation are different from hashes generated by other utilities and are not supported by Enforce.

      • If you selected Path, provide the file path or file name.
      • If you selected Publisher, provide the Publisher, Product Name, File Name, and File Version, using the dropdown list to indicate whether you want earlier or later versions included or only the version you specify.
        You can use the * character as a wildcard character only for the entire value. Partial wildcard values are not valid for any of these values.
    5. Select Everyone or Administrators in the Windows User section and then click Save.
  5. Click Create.


Import an AppLocker rule

  1. Click Browse for File in the Import Rules From XML section.
  2. Select the XML file that contains the exported AppLocker rules and click Open.
  3. The Import Pending Review window shows up to three tabs, depending on the content in the XML file: the new rules added to the policy from the imported XML file, the rules Enforce cannot import, and duplicate rules.
  4. Click Proceed to import the XML file and then click Save.

For more information about AppLocker event logs, see Review AppLocker event logs.
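The hash, wildcard and precedence notes in Create an AppLocker policy and the duplicate-rule tab of the import review above can all be checked before an XML file is imported. The following Python script is an added example, not part of Enforce or of this documentation: it computes the 0x-prefixed SHA-256 value that Get-FileHash produces (the form used by the Data attribute of an AppLocker FileHash element), and lints an exported AppLocker policy for rule collections with no Allow rule, duplicate rules, and partial wildcards in publisher fields. The sample policy, its rule IDs and the Contoso publisher name are constructed for the example; the element and attribute names are the standard AppLocker policy XML.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a small policy in the XML format exported by the Local
# Security Policy tool, containing the defects the documentation warns about.
SAMPLE_POLICY_XML = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1" Name="Allow Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a2" Name="Allow Program Files (copy)" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="p1" Name="Contoso signed" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=CONTOSO*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="d1" Name="Deny scripts in TEMP" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%TEMP%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""

# Publisher-condition fields where "*" is valid only as the entire value.
PUBLISHER_FIELDS = ("PublisherName", "ProductName", "BinaryName", "LowSection", "HighSection")


def applocker_hash_data(file_bytes):
    """SHA-256 of the whole file, as Get-FileHash reports it, in the 0x-prefixed
    uppercase form used by the Data attribute of an AppLocker FileHash element."""
    return "0x" + hashlib.sha256(file_bytes).hexdigest().upper()


def _condition_key(rule):
    """Canonical (action, principal, conditions) tuple used to detect duplicate rules."""
    conditions = []
    for el in rule.iter():
        if el is rule or el.tag in ("Conditions", "Exceptions"):
            continue
        conditions.append((el.tag, tuple(sorted(el.attrib.items()))))
    return (rule.get("Action"), rule.get("UserOrGroupSid"), tuple(conditions))


def lint_policy(xml_text):
    """Report, per rule collection, the problems an import review should surface."""
    report = {}
    for collection in ET.fromstring(xml_text).findall("RuleCollection"):
        rules = [r for r in collection if r.tag.endswith("Rule")]
        by_key = {}
        for rule in rules:
            by_key.setdefault(_condition_key(rule), []).append(rule.get("Id"))
        # Partial wildcards such as "O=CONTOSO*" are not valid in publisher fields.
        partial = [
            (rule.get("Id"), field, el.get(field))
            for rule in rules
            for el in rule.iter()
            for field in PUBLISHER_FIELDS
            if el.get(field) is not None and "*" in el.get(field) and el.get(field) != "*"
        ]
        allow = sum(1 for r in rules if r.get("Action") == "Allow")
        report[collection.get("Type")] = {
            "mode": collection.get("EnforcementMode"),
            "allow": allow,
            "deny": len(rules) - allow,
            # A collection with rules but no Allow rule blocks everything once enforced.
            "missing_allow": allow == 0,
            "duplicates": [tuple(ids) for ids in by_key.values() if len(ids) > 1],
            "partial_wildcards": partial,
        }
    return report


if __name__ == "__main__":
    print(applocker_hash_data(b"hello"))
    for rule_type, findings in lint_policy(SAMPLE_POLICY_XML).items():
        print(rule_type, findings)
```

Run the script against a real export with `lint_policy(open("policy.xml").read())`; the Script collection in the sample shows the case the text warns about, a Deny rule with no Allow rule, which would block every script once switched from audit to blocking mode.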

Create a BitLocker policy

Make sure you have completed the steps detailed in the Configure Endpoint Encryption settings section before configuring BitLocker policies.

Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select BitLocker.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.

    If requirements for this policy are missing, that information is displayed. For more information about BitLocker requirements, see Configure Endpoint Encryption settings.

  3. In the Global Encryption Settings section, select the Encryption Type: Hardware, Software, or Hardware and Software.
    • If you select Hardware and Software, BitLocker software-based encryption is used if the drive does not support hardware-based encryption.
    • If you select Software or Hardware and Software, set the Encryption Method for each operating system.
    • This setting applies only to software-based encryption. It configures the encryption algorithm and key cipher strength for the drive. For more information about this setting, see Microsoft Documentation: Choose drive encryption method and cipher strength.
  4. (Optional) In the Operating System Disk Encryption section, select Encrypt Operating System Drives.
    1. Choose: Full or Used Disk Space Only. For more information on this option, see Microsoft Documentation: Used Disk Space Only encryption.
    2. For computers that have a TPM chip, specify the behavior of the computer at startup or reboot when the drive is encrypted:

      TPM only

      If you choose TPM only, the drive is unlocked at startup or reboot using the integrated TPM chip with no user interaction.

      With TPM only, the drive can be encrypted when no end user is signed in to the computer. Keys are backed up to the Tanium database. One or more reboots are required, and you can use a Tanium package to accomplish that. It is recommended that you monitor the system status and push the reboot when needed.

      TPM + PIN

      If you choose TPM + PIN, the user configures a PIN during the initial BitLocker setup on the computer. The user must enter that PIN when the computer starts or reboots.

      If you use a PIN, you must set the Minimum PIN Length. Set this value to a number between 4 and 20. By default, PINs can include only numbers. If you want to allow PINs to include uppercase and lowercase letters, symbols, numbers, and spaces, select Enhanced PIN. If you do not want to allow PINs or passwords that consist of all the same character (11111111) or a sequence of characters (12345678), select Enforce minimum complexity requirements.

    3. (Optional) For computers without a TPM chip, specify whether you want to Allow BitLocker to run without a compatible TPM and specify a minimum password length. If you select this option, you can enforce the policy on computers that do not have a compatible TPM chip. Users must enter a password to access the encrypted drive. You can also specify whether you want to Enforce minimum complexity requirements for PINs or passwords to prevent PINs from using duplicate or sequential characters.
  5. (Optional) In the Fixed Disk Encryption section, select Encrypt Fixed Data Drives.
    1. Select Full or Used Disk Space Only. For more information on this option, see Microsoft Documentation: Used Disk Space Only encryption.
    2. (Optional) Select Deny write access to fixed drives not protected by BitLocker.

      If you select this option, fixed data drives that are not protected by BitLocker are mounted as read-only. Fixed data drives that are protected by BitLocker are mounted with Read and Write access.

  6. (Optional) In the Removable Disk Encryption section, configure settings for removable data drives.
    1. Select Encrypt Removable Data Drives and then select Full or Used Disk Space Only. For more information on this option, see Microsoft Documentation: Used Disk Space Only encryption.
    2. Select Deny write access to removable drives not protected by BitLocker to specify whether BitLocker protection is required for a computer to write to a removable data drive.

      If you select this option, removable data drives that are not protected by BitLocker are mounted as read-only. Removable data drives that are protected by BitLocker are mounted with Read and Write access.

    3. Select Control use of BitLocker on removable drives to allow users to turn BitLocker on or off on removable drives.
      1. Select Allow users to apply BitLocker protection on removable data drives to allow users to enable BitLocker protection.
      2. Select Allow users to suspend and decrypt BitLocker protection on removable data drives to allow users to remove BitLocker encryption.
    4. Select Configure use of hardware-based encryption for removable data drives to manage how BitLocker uses hardware-based encryption on removable data drives and to specify which encryption algorithms and cipher suites can be used with hardware-based encryption.
      1. Select Use BitLocker software-based encryption when hardware-based encryption is not available.

      2. Select Restrict encryption algorithms and cipher suites allowed for hardware-based encryption.
      3. Select Restrict crypto algorithms or cipher suites to the following and enter the crypto algorithms and cipher suites that you want to allow for hardware-based encryption.

    5. Select Allow access to BitLocker-protected removable data drives from earlier versions of Windows to specify whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that run Windows Vista or Windows XP SP2 or SP3. You can also restrict whether to allow installation of BitLocker to Go Reader on FAT-formatted removable drives on Windows XP or Windows Vista machines.
    6. Select Configure use of passwords for removable data drives to specify whether a password is required to unlock removable data drives that are protected by BitLocker, and to set password requirements.
    7. Select Choose how BitLocker-protected removable drives can be recovered to control how removable data drives protected by BitLocker can be recovered when the required credentials are not available.
      1. Select Omit recovery options from the BitLocker setup wizard to hide recovery options during BitLocker setup.

      2. Select Save BitLocker recovery information to AD DS for removable data drives to back up your recovery key to Active Directory. Note that Tanium also stores the recovery key in escrow in Enforce.

    For more information about these settings, see Microsoft Documentation: BitLocker Group Policy settings.

    To apply removable disk encryption setting updates, reboot the affected endpoints after you enforce the BitLocker policy.

  7. In the End User Notifications section:
    1. Select or drag an image file (PNG, GIF, or JPG/JPEG) and enter a window title to use in the notifications window for all BitLocker notifications.
    2. In the Reboot Computer section, provide the notification Title and Message that you want to display to users before the computer is rebooted. This message is the first message that displays to the user after the policy is enforced. It should prompt them to reboot their computer when possible to prepare their drive for encryption.
    3. In the Encrypt Hard Drive section, provide the notification Title and Message that you want to display to users to notify them that they must reboot their computer to begin the encryption process. This message displays when the hard drive is prepared for encryption, which occurs after the first reboot. This message prompts users to reboot their computer when possible to start the encryption.

      Inform users that drive encryption is not a disruptive process and that they can continue to work while encryption occurs.

    4. If applicable, in the message, notify users that they must reset the password or PIN. This option is available only when you choose the TPM + PIN or Allow BitLocker to run without a compatible TPM options.

      Click Restore Default for any of these sections to remove your text and return to the default text.

  8. In the Key Recovery section:
    1. Specify the Pre-Boot Recovery Message. If you chose the TPM + PIN or Allow BitLocker to run without a compatible TPM option, this message displays to users at startup and reboot on the screen where the PIN or password is entered.

      Include the URL for the recovery portal in this message.

    2. Select how often you want keys to rotate from the Recovery Key Rotation dropdown list.

      Due to Microsoft Windows OS constraints, if you change the protection settings in an existing BitLocker policy, you must decrypt endpoints and re-encrypt them again for the changes to be applied.

  9. Click Create.
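Step 4 sets a Minimum PIN Length between 4 and 20, an Enhanced PIN option that widens the character set, and a complexity option that rejects all-same-character and sequential PINs. The following Python function is an added example, not Enforce or Microsoft code: it applies those settings to a candidate PIN so that a help desk can explain why a user's choice was rejected. Treating "a sequence of characters" as consecutive ascending or descending characters (12345678, 87654321, abcdef) is an assumption made here; the exact test BitLocker applies is not stated on this page.

```python
import string

# Character set permitted when Enhanced PIN is selected: letters, symbols,
# numbers and spaces. Without it, only digits are accepted.
ENHANCED_PIN_CHARS = set(string.ascii_letters + string.digits + string.punctuation + " ")


def is_sequence(pin):
    """True when every character is the previous one plus (or minus) one code
    point, e.g. 12345678 or 87654321. Assumed interpretation of 'sequence'."""
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return len(pin) > 1 and steps in ({1}, {-1})


def check_bitlocker_pin(pin, min_length, enhanced_pin=False, enforce_complexity=False):
    """Return the list of policy violations for a candidate PIN (empty = acceptable)."""
    if not 4 <= min_length <= 20:
        raise ValueError("Minimum PIN Length must be between 4 and 20")
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than minimum length {min_length}")
    if len(pin) > 20:
        problems.append("longer than 20 characters")
    if enhanced_pin:
        if not set(pin) <= ENHANCED_PIN_CHARS:
            problems.append("contains characters outside letters, digits, symbols and spaces")
    elif not all(c in string.digits for c in pin):
        problems.append("only numbers are allowed unless Enhanced PIN is selected")
    if enforce_complexity:
        if len(set(pin)) == 1:
            problems.append("all characters are the same")
        elif is_sequence(pin):
            problems.append("characters form a sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("11111111", "12345678", "3141592653", "Tr0ub4dor&3 x"):
        print(candidate, check_bitlocker_pin(candidate, 8, enhanced_pin=True, enforce_complexity=True))
```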


View BitLocker recovery keys

View recovery key information, such as computer name, user name, recovery key ID, and last rotation.

From the Enforce menu, click Endpoint Encryption to view health data and recovery key information.

Create a Windows device control policy

Windows device control policies provide two modes for administering devices on Windows endpoints.

Removable Storage

Controls access permissions on removable media. The types of removable media predefined by Microsoft are CD-ROM and DVD drives, floppy disk drives, removable disk drives, tape drives, and Windows Portable Devices (WPD).

With this mode, you can deny specific permissions to categories of removable devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Removable Storage Access.

All Devices

Restricts the installation of new devices. This advanced mode provides more granular control by using a list-based approach.

With this mode, the installation of any new device is blocked unless the device is explicitly allowed by either the device class or the hardware ID of the device. Optional settings allow administrators to bypass all restrictions and to uninstall existing USB storage devices that are not on the allowed list of devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Device Installation > Device Installation Restrictions.

Make sure you complete the steps that are detailed in the Manage Windows device classes and devices section before configuring device control policies.

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. Enter a Name and optional Description for the policy.

Create a Windows device control policy to administer removable devices

  1. From the Policy Type dropdown list, select Device Control - Removable Storage - Windows.

    You can filter policy types by operating system by clicking any of the operating system icons.

  2. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
  3. (Optional) Expand Advanced Settings and select a content set.
  4. In the Device Control section, select the type of removable storage that you want to administer and the access that you want to deny for that storage type.
  5. Click Create.

Create a Windows device control policy to administer all devices

This mode blocks new installations of all devices by default. This mode includes an optional setting to uninstall existing USB storage devices that are not on the policy allow list. All other existing devices remain installed and unblocked, including devices that are not currently connected but were installed previously. You must add devices to the policy allow list to allow installation to endpoints. Carefully test configurations and their impacts before you deploy them widely.

  1. From the Policy Type dropdown list, select Device Control - All Devices - Windows.

    You can filter policy types by operating system by clicking any of the operating system icons.

  2. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
  3. (Optional) Expand Advanced Settings and select a content set.
  4. (Optional) In the Notification section, select Provide a notification message for users when a device is denied access and specify a message to display when a user attempts to install a restricted device.
  5. In the General Device Rules section, configure the following settings:
    1. In the Administrator Permissions section, select the Allow Administrators to bypass all restrictions option to enable users to bypass the restrictions if they are signed in as an administrator.

      Devices do not install automatically when this option is selected. Administrators must manually install the device through Device Manager.

    2. In the Existing USB Devices section, select the Uninstall existing USB storage devices not on the allowed list of devices option to uninstall USB storage devices that are not on the allow list.

      As a safeguard against uninstalling devices that are required for the system to run, other devices that are currently installed on an endpoint, including devices that are not currently connected but were installed previously, are not uninstalled when this option is selected. If the device is in use when the policy is enforced on the endpoint, the device is uninstalled at the next reboot of the endpoint. In this scenario, the policy status sensor returns a status indicating that prohibited devices are still installed.

  6. In the Device Classes section, define groups of devices that you want to allow in your environment. Many device classes are predefined by Microsoft, and you can define custom device classes. Each device class has a globally unique identifier (GUID). For more information about device classes, see Microsoft Documentation: Windows Hardware Developer: System-Defined Device Setup Classes Available to Vendors. When you add a device class, it is stored in the global device class list, which you can access from the Settings page.

    If you add a device by device class, you must allow all of the device nodes in the device tree for that class. For example, if you want to allow the installation of a USB storage device, you must allow the installation of Disk Drives and USB Bus Devices (hubs and host controllers). For more information, see Microsoft Documentation: Windows Hardware Developer: Device nodes and device stacks.

    • Click Import to query all Windows endpoints for their installed device classes and import them to the allow list. With this option, you can quickly add any custom device classes that might be used in your environment. Device classes that are already known to Enforce, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all device classes that were found on endpoints or you can select individual device classes. Click Proceed to add the selected device classes to the allow list.
    • Click Manage Existing to add existing device classes to the allow list. This list contains the predefined device classes that are provided by Microsoft and any device classes that were manually added previously. From this page, you can add or remove all available device classes, or add or remove individual device classes.

    If you added a device class using the Create option, it does not appear in this list until you save the policy.

    • Click Create to add a new device class. Specify a device class name, valid GUID, and optional description. Click Create again to add the device class to the allow list.
  7. In the Devices section, define individual devices that you want to allow in your environment. This option is useful if, for example, you want to allow a USB storage device from a specific manufacturer that is supported by your company, but no other USB storage devices. You do not need to allow the associated device classes when you allow a specific device. When you add a device, it is stored in the global device list, which you can access from the Enforce settings page. For more information on the global list, see Manage Windows device classes and devices.
    • Click Create to add a new device. Specify a device name and an optional ID. Click Create again to add the device to the allow list.

      Most devices have several hardware IDs. These IDs range from the most specific, which identifies a particular device, to a more general ID, which might identify a device type. Use the hardware ID that is appropriate for your environment.

    • Click Import to query all Windows endpoints for their installed USB storage devices and import them to the allow list. With this option, you can quickly add any USB storage devices that might be used in your environment. USB storage devices that are already known to Enforce, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all USB storage devices that were found on endpoints or you can select individual USB storage devices. Click Proceed to add the selected USB storage devices to the allow list.
    • Click Manage Existing to add existing devices to the allow list. This list contains devices that were manually added previously. From this page, you can add or remove all available devices, or add or remove individual devices.
  8. Click Create.
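Steps 6 and 7 and the note on hardware IDs describe how an All Devices policy decides whether a newly connected device may install: by setup class (every node in the device tree must be allowed) or by an explicitly allowed hardware ID (no class needed), with an optional administrator bypass. The following Python model is an added example, not Enforce's implementation: it evaluates a constructed USB flash drive's node stack against an allow list, and shows how the specificity of the hardware ID you choose changes how many devices it admits. The Disk drives and USB class GUIDs are the Microsoft-defined values; the vendor and product IDs, device names and the evaluation order are assumptions drawn from the text above.

```python
# Microsoft-defined device setup class GUIDs (from the System-Defined Device
# Setup Classes list the documentation references).
DISK_DRIVE_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"
USB_BUS_CLASS = "{36fc9e60-c465-11cf-8056-444553540000}"  # hubs, host controllers, USB devices


def usb_hardware_ids(vid, pid, rev):
    """Hardware IDs Windows builds for a USB device, most specific first."""
    return [f"USB\\VID_{vid}&PID_{pid}&REV_{rev}", f"USB\\VID_{vid}&PID_{pid}"]


# Constructed sample: the device nodes created when one USB flash drive is
# plugged in. VID/PID values and the product name are made up.
USB_FLASH_DRIVE = [
    {
        "name": "USB Mass Storage Device",
        "class_guid": USB_BUS_CLASS,
        # hardware IDs followed by the mass-storage compatible IDs
        "hardware_ids": usb_hardware_ids("1234", "5678", "0100")
        + ["USB\\Class_08&SubClass_06&Prot_50", "USB\\Class_08&SubClass_06", "USB\\Class_08"],
    },
    {
        "name": "Contoso Flash USB Device",
        "class_guid": DISK_DRIVE_CLASS,
        "hardware_ids": ["USBSTOR\\DiskContoso_Flash___________0100", "USBSTOR\\GenDisk", "GenDisk"],
    },
]

# Constructed fleet used to show how specific an allowed hardware ID is.
FLEET = {
    "stick-A (rev 0100)": usb_hardware_ids("1234", "5678", "0100"),
    "stick-B (rev 0200)": usb_hardware_ids("1234", "5678", "0200"),
    "camera (other product)": usb_hardware_ids("1234", "9ABC", "0100"),
}


def evaluate_install(nodes, allowed_classes, allowed_ids, admin_bypass=False, is_admin=False):
    """Decide whether a new device (its whole node stack) may install under an
    All Devices policy. Returns (decision, reason)."""
    if admin_bypass and is_admin:
        # The bypass lifts the restriction; the device is still installed
        # manually through Device Manager rather than automatically.
        return ("allow", "administrator bypass")
    classes = {g.lower() for g in allowed_classes}
    ids = {h.upper() for h in allowed_ids}
    # An individually allowed device needs none of its classes on the list.
    for node in nodes:
        for hwid in node["hardware_ids"]:
            if hwid.upper() in ids:
                return ("allow", f"hardware ID {hwid} is on the device allow list")
    # Otherwise every node in the device tree must belong to an allowed class.
    blocked = [n["name"] for n in nodes if n["class_guid"].lower() not in classes]
    if blocked:
        return ("deny", "class not allowed for: " + ", ".join(blocked))
    return ("allow", "every node in the device tree belongs to an allowed class")


def devices_admitted(allowed_id, fleet):
    """Names of fleet devices that an allowed hardware ID would let install."""
    wanted = allowed_id.upper()
    return sorted(name for name, hwids in fleet.items() if wanted in {h.upper() for h in hwids})


if __name__ == "__main__":
    print(evaluate_install(USB_FLASH_DRIVE, {DISK_DRIVE_CLASS}, set()))
    print(evaluate_install(USB_FLASH_DRIVE, {DISK_DRIVE_CLASS, USB_BUS_CLASS}, set()))
    print(evaluate_install(USB_FLASH_DRIVE, set(), {"USB\\VID_1234&PID_5678"}))
    print(devices_admitted("USB\\VID_1234&PID_5678", FLEET))
```

The second case in the script is the one the device-tree note describes: allowing only the Disk drives class still blocks the flash drive, because its USB Mass Storage Device node belongs to the USB class. The fleet check shows why the revision-specific ID admits one device while the VID/PID form admits every revision of that product.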


Create a FileVault policy

Before you create a FileVault policy, you must have the following configuration in place:

  • A database to store encryption keys. For more information, see Configure Endpoint Encryption settings.
  • The End-User Notifications service must be installed and the End-User Notifications package must be pushed out to endpoints where the FileVault policy is enforced.
  • The Direct Connect service must be installed and the Direct Connect package must be pushed out to endpoints where the FileVault policy is enforced.

You can create FileVault policies even if one or more of these components are not in place, but the policy is not successfully enforced until the entire configuration is on the endpoint.

Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.

If endpoints already have FileVault enabled without using the Tanium Enforce FileVault policy, you must run the Enforce - Decrypt FileVault package on those endpoints first. Then you can deploy the Enforce FileVault policy. If you fail to do this, the Enforce FileVault policy appears to be successfully enforced, but the recovery key is not backed up. Therefore, recovery keys do not work.

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select FileVault.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.

    If requirements for this policy are missing, that information is displayed. For more information about FileVault requirements, see Configure Endpoint Encryption settings.

  3. In the End User Notification section:
    1. Select or drag an image file (PNG, GIF, or JPG/JPEG) to use in the notifications window for all FileVault notifications.
    2. Provide a concise Window Title for the window prompt, such as FileVault Encryption.
    3. Provide a brief Message Title that describes the policy for the user.
    4. Provide the Message that you want to display to users. This message is the first message that displays to the user after the policy is enforced.
  4. In the Key Recovery section:
    • Select Enable Private Key if you are using an Institutional Recovery Key. For more information about generating institutional recovery keys, see Apple Documentation: How to use institutional recovery keys with Intel-based Macs.
      After the keychain is generated, remove the private key from the master keychain. Then in the Enforce policy, click Upload Public Key to locate the public key and upload it to the Tanium console. This key is sent to endpoints along with the FileVault policy. The public key, in combination with the private key you securely store elsewhere, is used to recover encrypted data if a user forgets their password.
    • Select Enable Public Key if you are using a unique, machine-generated Personal Recovery Key that is accessible to end users. If you are using the recovery portal (Postgres DB), select this key type. For more information about recovery portal configuration details, see Reference: Encryption management recovery portal.

    For Institutional Recovery Key, you must remove the private key from the master keychain before sending the FileVault policy to endpoints. If you fail to do this, the private key is placed on each endpoint along with the public key.

    After you upload a key, a Download Public Key link appears that allows you to retrieve the key to verify it, if necessary.

    After the disk is encrypted following a reboot, it can take up to an hour for recovery keys to be backed up.

  5. Configure Additional Options as needed:
    1. Select Prompt user to enable FileVault at log in only to prompt the user for the Enable FileVault password at the next attempt to sign in. If you do not select this option, the user is prompted for the Enable FileVault password at the next attempt to sign out.
    2. Select Allow user to cancel Enable FileVault log in prompt and choose a Condition.
      • Select Always allow user to cancel prompt to let the user cancel the Enable FileVault password prompt an unlimited number of times.
      • Select Only allow user to cancel prompt to put a limit on the number of times the user can cancel the prompt before being forced to enter a password to enable FileVault.
  6. Click Create.


Create a Windows firewall management policy

When a Windows firewall management policy is enforced on an endpoint, Enforce starts the MpsSvc (Windows Firewall) service on that endpoint.

The maximum number of firewall rules for each policy is 1000.

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Firewall Management - Windows.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.
  3. In the Rule Management section, choose Replace or Merge.
    The Replace option removes all existing firewall rules on the endpoint and replaces them with the rules in this policy. The Merge option leaves the existing firewall policies on the endpoint in place and adds the rules in this policy.
  4. In the Firewall Profiles section, configure the following settings:
    1. Expand Domain, Private, and Public to define the policy profiles. For more information about profiles, see Microsoft Documentation: Understanding Firewall Profiles.
    2. For Network Selection, choose Default, Enabled, or Disabled.

Create a new Windows firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule and then click Create:

     Name: (Required) Enter a brief name for the rule.
     Direction: (Required) Select Outbound, Inbound, or Bi-directional for the direction of the connection.
     Action: (Required) Select either Block or Allow depending on the type of rule you are creating.
     Network Protocol: (Required) Select a protocol. If you specify UDP or TCP for the protocol, you must specify at least one value in the following fields: Application Path, Local Address(es), Local Port(s), Remote Address(es), Remote Port(s), or Service Name. For more information about protocols, see Microsoft Documentation: Firewall Rule Properties Page: Protocols and Ports Tab.
     Group: (Optional) Specify a group name, or choose one that already exists, to help organize your firewall rules.
     Profiles: Select the applicable profiles. If you do not select one or more profiles, the rule is created as if all profiles were selected.
     Application Path: An example of an application path is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
     Local Address(es): Use this field to target the rule to specific local IP addresses. Separate IP addresses with commas.
     Local Port(s): This field is typically populated for Inbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
     Remote Address(es): Use this field to target the rule to specific remote IP addresses. Separate IP addresses with commas.
     Remote Port(s): This field is typically populated for Outbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
     Service Name: Use this field for a Windows Service display name.
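The constraints in the field descriptions above can be checked before rules go into the form. The Python below is an added example, not Enforce code: it validates a rule dictionary (keys mirroring the form fields, an assumption of this example) against the required fields, the rule that TCP and UDP rules must carry at least one narrowing value, and the comma-separated port and address syntax shown in the examples.

```python
import ipaddress
import re

# Fields that narrow a TCP or UDP rule; at least one must be set (see Network Protocol above).
TCP_UDP_DETAIL_FIELDS = (
    "application_path", "local_addresses", "local_ports",
    "remote_addresses", "remote_ports", "service_name",
)


def parse_ports(spec):
    """Parse a port list such as '80, 443, 5000-5010' into sorted (low, high) tuples.

    Raises ValueError for a malformed token or a port outside 1-65535."""
    ranges = []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", token)
        if not m:
            raise ValueError(f"bad port token: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (0 < low <= high <= 65535):
            raise ValueError(f"port out of range: {token!r}")
        ranges.append((low, high))
    return sorted(ranges)


def parse_addresses(spec):
    """Parse a comma-separated address list; ValueError on anything that is not an IP."""
    return [ipaddress.ip_address(a.strip()) for a in spec.split(",") if a.strip()]


def validate_rule(rule):
    """Return a list of problems with a rule dict; an empty list means the rule is valid.

    Keys (this example's own): name, direction, action, protocol, profiles,
    application_path, local_addresses, local_ports, remote_addresses,
    remote_ports, service_name."""
    problems = []
    if not (rule.get("name") or "").strip():
        problems.append("Name is required")
    if rule.get("direction") not in ("Inbound", "Outbound", "Bi-directional"):
        problems.append("Direction must be Inbound, Outbound, or Bi-directional")
    if rule.get("action") not in ("Block", "Allow"):
        problems.append("Action must be Block or Allow")
    protocol = rule.get("protocol")
    if not protocol:
        problems.append("Network Protocol is required")
    elif protocol.upper() in ("TCP", "UDP"):
        if not any(rule.get(f) for f in TCP_UDP_DETAIL_FIELDS):
            problems.append("TCP/UDP rules need an application path, address, port, or service name")
    for field in ("local_ports", "remote_ports"):
        if rule.get(field):
            try:
                parse_ports(rule[field])
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
    for field in ("local_addresses", "remote_addresses"):
        if rule.get(field):
            try:
                parse_addresses(rule[field])
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
    return problems


if __name__ == "__main__":
    sample = {"name": "Allow RDP from jump host", "direction": "Inbound", "action": "Allow",
              "protocol": "TCP", "local_ports": "3389", "remote_addresses": "10.0.0.5"}
    print(validate_rule(sample) or "rule is valid")
```

A rule that names only a protocol is the case worth catching: it passes every other check but would be rejected by the form, and it is also the kind of rule that allows far more than intended.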

Import firewall rules from a Windows TSV file

Before you can import a firewall policy into Enforce from a Windows TSV file, you must export it from Windows.

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. Right-click on Inbound Rules and click Export List..., and then save the file as a Text (Tab Delimited) .txt file.
  3. In the Firewall Rules section, click Import > Import from Windows TSV file.
  4. Click Select TSV File to locate the file that contains the exported firewall rules and click Open. The Import window shows the file name and how many rules are being imported.
  5. Select the Direction and then click Proceed.
  6. Repeat these steps for Outbound Rules to export them from Windows and import them into Enforce.

If the file you are importing does not include a Service column, a warning is displayed. If your firewall rules depend on the Service field, add the Service column and re-export the firewall rules from Windows.

To add a Service column

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. Select Add/Remove Columns from the View menu.
  3. Select Service from Available columns, click Add and then click OK.
  4. Select Export List from the Action menu and save it to a file.
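To see what the import will pick up before uploading, you can read the exported file yourself. The Python below is an added example, not Enforce's importer: it parses a tab-delimited export, reports the Service-column warning described above, and maps each row onto the rule fields from the previous section. The sample export text is constructed for this example, and the mapping of export columns (Program, Local Port, Remote Port, Service) to form fields is this example's assumption.

```python
import csv
import io

# Constructed sample of an Export List file saved as Text (Tab Delimited).
# The rows are invented for this example and are not real export data.
SAMPLE_EXPORT_NO_SERVICE = (
    "Name\tGroup\tProfile\tEnabled\tAction\tProgram\tProtocol\tLocal Port\tRemote Port\n"
    "Remote Desktop (TCP-In)\tRemote Desktop\tDomain\tYes\tAllow\tAny\tTCP\t3389\tAny\n"
    "Example Agent (TCP-In)\tExample Agent\tAll\tYes\tAllow\t"
    "C:\\Program Files\\Example\\agent.exe\tTCP\t17472\tAny\n"
)

# The same kind of export after the Service column was added in the View menu.
SAMPLE_EXPORT_WITH_SERVICE = (
    "Name\tAction\tProgram\tProtocol\tLocal Port\tRemote Port\tService\n"
    "Example Service (TCP-In)\tAllow\tAny\tTCP\t8443\tAny\tExample Service\n"
)


def parse_windows_export(text):
    """Parse the text of an Export List file. Returns (columns, rows);
    rows are dicts keyed by the header names, blank lines skipped."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = [r for r in reader if any((v or "").strip() for v in r.values())]
    return list(reader.fieldnames or []), rows


def check_import(text):
    """Mirror the Import window: count the rules and warn when the Service
    column is absent, since service-scoped rules cannot be reproduced without it."""
    columns, rows = parse_windows_export(text)
    warnings = []
    if "Service" not in columns:
        warnings.append("No Service column in export; re-export with the Service "
                        "column if any rule depends on it")
    for required in ("Name", "Action", "Protocol"):
        if required not in columns:
            warnings.append(f"Missing column: {required}")
    return {"rule_count": len(rows), "columns": columns, "warnings": warnings}


def _unrestricted_to_blank(value):
    """The export writes 'Any' (or 'All' for profiles) where nothing is restricted;
    the Enforce form expresses that by leaving the field empty."""
    value = (value or "").strip()
    return "" if value.lower() in ("any", "all") else value


def to_enforce_rules(text, direction):
    """Map exported rows onto the rule fields of the previous section
    (the dict keys are this example's own). Direction is chosen at import time."""
    _, rows = parse_windows_export(text)
    return [{
        "name": r["Name"].strip(),
        "direction": direction,
        "action": (r.get("Action") or "").strip(),
        "protocol": (r.get("Protocol") or "").strip(),
        "application_path": _unrestricted_to_blank(r.get("Program")),
        "local_ports": _unrestricted_to_blank(r.get("Local Port")),
        "remote_ports": _unrestricted_to_blank(r.get("Remote Port")),
        "service_name": _unrestricted_to_blank(r.get("Service")),
        "group": (r.get("Group") or "").strip(),
        "profiles": _unrestricted_to_blank(r.get("Profile")),
    } for r in rows]


if __name__ == "__main__":
    print(check_import(SAMPLE_EXPORT_NO_SERVICE))
    for rule in to_enforce_rules(SAMPLE_EXPORT_NO_SERVICE, "Inbound"):
        print(rule)
```

Open the real export with the encoding the Windows save dialog produced; the functions take already-decoded text so the encoding choice stays with you.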

Import firewall rules from Tanium Endpoints

  1. In the Firewall Rules section, click Import > Import Rules from Tanium Endpoints.
  2. In the Import Rules from Tanium Endpoints window, select the rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.


Create a Linux firewall management policy

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Firewall Management - Linux.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.
  3. In the Linux Firewall Default Chain Policies section, select Accept or Drop for the Input, Output, and Forward fields.
  4. In the Linux Firewall Default Rules section, view the default input, output, and forward rules. You cannot edit these defaults.

Create a new Linux firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule:

     Name: (Required) Enter a brief name for the rule.
     Table: (Required) Filter is the only supported table at this time.
     Chain: (Required) Select Input, Output, or Forward to specify where in a packet's delivery path the rule is evaluated.
     Target: (Required) Select one of the following options:
       • Accept: Allows the packet.
       • Drop: Drops the packet.
       • Reject: Sends a response back and drops the packet.
       • Queue: Passes the packet to userspace.
     Network Protocol: (Optional) Select the protocol of the rule or of the packet to check. The specified protocol can be one of the predefined options or a numeric value representing one of those protocols or a different one. Protocol all is the default when this option is omitted. Select the Inverse option to include everything except the selected protocol.
     State: (Optional) Select one of the following options:
       • New: The packet has started a new connection.
       • Established: The packet is associated with a connection that has seen packets in both directions.
       • Related: The packet is starting a new connection, but is associated with an existing connection.
       • Invalid: The packet could not be identified for some reason.
     Source Address: (Optional) A comma-separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse option to include everything except the addresses you entered.
     Destination Address: (Optional) A comma-separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse option to include everything except the addresses you entered.

     Optional fields that might appear depending on the choices you make for the fields above:

     Source Port(s): A comma-separated list of ports or port ranges.
     Destination Port(s): A comma-separated list of ports or port ranges.
     In Interface: Name of the interface by which a packet was received.
     Out Interface: Name of the interface by which a packet is going to be sent.

     Depending on the choices you make for the Chain, Target, and Network Protocol fields, additional optional fields might appear that you can complete.

  3. Click Create.
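The fields above correspond closely to iptables options, which is also how imported rules appear in the rule listing. The following Python is an added example, not Enforce code or its enforcement mechanism: it renders a rule dictionary (keys of this example's own choosing, mirroring the form) as the iptables command it describes, and refuses the combinations the form might allow but iptables rejects, such as Inverse on a list of several addresses or port fields without TCP or UDP. It also covers the default chain policies from the earlier step. The low-high notation for a port range is an assumption of this example.

```python
# Form values (left) and the iptables names they stand for (right).
CHAINS = {"Input": "INPUT", "Output": "OUTPUT", "Forward": "FORWARD"}
TARGETS = {"Accept": "ACCEPT", "Drop": "DROP", "Reject": "REJECT", "Queue": "QUEUE"}
STATES = {"New": "NEW", "Established": "ESTABLISHED", "Related": "RELATED", "Invalid": "INVALID"}


def default_policy_commands(policies):
    """Default chain policies, e.g. {'Input': 'Drop', 'Output': 'Accept', 'Forward': 'Drop'}.
    Only Accept and Drop are offered for defaults."""
    cmds = []
    for chain, policy in policies.items():
        if policy not in ("Accept", "Drop"):
            raise ValueError(f"default policy for {chain} must be Accept or Drop")
        cmds.append(f"iptables -t filter -P {CHAINS[chain]} {TARGETS[policy]}")
    return cmds


def _ports(spec):
    """'22' -> ['22']; '80, 443, 8000-8100' -> ['80', '443', '8000:8100'] (iptables range syntax)."""
    return [p.strip().replace("-", ":") for p in spec.split(",") if p.strip()]


def render_rule(rule):
    """Return the iptables command for one rule dict, or raise ValueError for
    combinations iptables will not accept."""
    if rule.get("table", "Filter") != "Filter":
        raise ValueError("only the Filter table is supported")
    chain = CHAINS[rule["chain"]]
    args = ["iptables", "-t", "filter", "-A", chain]

    proto = (rule.get("protocol") or "").lower()
    if proto and proto != "all":                      # 'all' is the default, so omit it
        if rule.get("protocol_inverse"):
            args.append("!")                          # Inverse: everything except this protocol
        args += ["-p", proto]

    if rule.get("states"):
        args += ["-m", "state", "--state", ",".join(STATES[s] for s in rule["states"])]

    for key, flag in (("source", "-s"), ("destination", "-d")):
        if rule.get(key):
            addrs = [a.strip() for a in rule[key].split(",") if a.strip()]
            if rule.get(key + "_inverse"):
                if len(addrs) > 1:
                    raise ValueError(f"iptables does not allow '!' with multiple {key} addresses")
                args.append("!")
            args += [flag, ",".join(addrs)]

    # Port options exist only for tcp/udp, and not when the protocol is inverted.
    multiport = []
    for key, single, multi in (("source_ports", "--sport", "--sports"),
                               ("destination_ports", "--dport", "--dports")):
        if rule.get(key):
            if proto not in ("tcp", "udp") or rule.get("protocol_inverse"):
                raise ValueError(f"{key} requires protocol tcp or udp")
            ports = _ports(rule[key])
            if len(ports) == 1:
                args += [single, ports[0]]
            else:
                multiport += [multi, ",".join(ports)]
    if multiport:
        args += ["-m", "multiport"] + multiport

    if rule.get("in_interface"):
        if chain == "OUTPUT":
            raise ValueError("In Interface is not valid on the Output chain")
        args += ["-i", rule["in_interface"]]
    if rule.get("out_interface"):
        if chain == "INPUT":
            raise ValueError("Out Interface is not valid on the Input chain")
        args += ["-o", rule["out_interface"]]

    args += ["-j", TARGETS[rule["target"]]]
    return " ".join(args)


def rule_error(rule):
    """The error message for a rule the renderer rejects, or None if it renders."""
    try:
        render_rule(rule)
    except (KeyError, ValueError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for cmd in default_policy_commands({"Input": "Drop", "Output": "Accept", "Forward": "Drop"}):
        print(cmd)
    print(render_rule({"name": "ssh from mgmt", "chain": "Input", "target": "Accept",
                       "protocol": "TCP", "states": ["New", "Established"],
                       "source": "10.0.0.0/24", "destination_ports": "22",
                       "in_interface": "eth0"}))
```

Rendering a rule this way before saving it is a cheap review step: a Drop default policy on Input with no Established rule, for example, shows up immediately as a pair of commands that would cut off return traffic.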

Import Linux firewall rules from Tanium endpoints

  1. In the Linux Firewall Rules section, click Import > Import Rules from Tanium Endpoints.
  2. In the Import Firewall Rules from Tanium Endpoints window, select the checkboxes for rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.

Some rules might display rule not supported..., which means that Enforce does not support that rule. The entire rule configuration is still shown in the rule listing so that you can configure it manually if needed.


Create a Machine administrative template policy

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Machine Administrative Templates.
      Machine administrative template policies target machine-based ADMX (Active Directory administrative templates) group policy objects.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.
  3. (Optional) To configure anti-malware settings, expand the Anti-Malware Specific Settings section and select Enable.
    1. To automatically add the required Tanium exclusions to the policy, click Create exclusions for Tanium processes.
    2. Determine if you should select Deploy definition update using Tanium for Managed Definitions and then complete the fields for Definition Grace Period to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value represents how old an Anti-malware definition can be before the policy is considered unenforced. The default grace period is 1 day.

      By default, anti-malware rules are configured to retrieve definitions directly from Microsoft. If an endpoint does not receive an update within the specified grace period, it is considered unenforced. When this option is selected, anti-malware rules are configured to use Tanium to deploy anti-malware definition updates.

  4. From the list of policy setting categories, select a category and view the available policy settings.

    Expand Filters to enter criteria to filter the list of categories and settings. You can apply additional filters to the policy names within the categories.

    When you configure a policy setting, you choose one of the following states:

    • Not Configured: The setting might be determined by another group policy setting. Otherwise, default Microsoft settings are used.
    • Enabled: You must enter your own settings.
    • Disabled: Default Microsoft settings are used.

    For more information, see Microsoft Documentation: Use the Settings app Group Policy in Windows 10.

    For examples of high-level Machine administrative template policy categories, see Policy setting category examples.

    For the full list of policy settings included in Windows administrative template files, see Microsoft Documentation: Group Policy Settings Reference for Windows and Windows Server and Microsoft Security Compliance Toolkit 1.0.

    1. Enable policy settings and configure as needed.

    2. Click Add to Policy after you configure a policy setting.

  5. After all settings for the policy are complete, click Create.


Policy setting category examples

You can configure Machine administrative template policies with a variety of policy settings. Policy settings are organized into the same categories used by Microsoft to manage group policies. The following table includes many of the high-level categories and the types of policy settings that each category contains.

Machine Administrative Template Policy Category Examples

Control Panel: Includes display, personalization, regional and language options, and printers.
Google Chrome: Includes cookies, JavaScript, and image settings.
MS Security Guide: Includes UAC restrictions and SMB server and client.
MSS (Legacy): Includes legacy Windows registry values that predate group policy.
Microsoft Edge: Includes download restrictions and autofill.
Microsoft Office: Includes Windows security restrictions and storage of user passwords.
Mozilla: Includes authentication, certificates, cookies, location, notifications, extensions, bookmarks, and other preferences.
Network: Includes network connections.
OneDrive: Includes OneDrive sync app, accounts, permissions, bandwidth management, and disk space options.
Printers: Includes prevention of security issues with print driver installation.
Start Menu and Taskbar: Includes notifications.
System: Includes driver installation, display, locale services, group policy, mitigation options, logon, power management, removable storage access, and user profiles.
Windows Components: Includes app runtime, attachment manager, autoplay policies, cloud content, credential user interface, edge UI, and Windows Defender antivirus.

Create a remediation policy

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. You can also create a remediation policy from the Remediations tab of the Device Actions page.

  3. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Remediation - Windows, Remediation - Mac, or Remediation - Linux.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.
  4. In the Remediation section, select the task that you want to run on your endpoint(s) from the Add Task dropdown list.

    You can add the following types of tasks to a Windows remediation policy:

    • Delete File: deletes a single file or multiple files matching a pattern. See Remediation policy file pattern matching examples.
    • Delete Registry Key: deletes a registry key if it exists.
    • Edit Registry Data: modifies an existing registry value if it exists; optionally, the value can be created if it does not exist.
    • Kill Process: kills all processes that match the specified Process Type options: name, path, or hash. You can also optionally enter Command Line Args to use a regular expression to match against process command line arguments for any of the Process Type options.
    • Run Service Action: changes the running state of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

    • Run Service Configuration: changes the startup config of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

    • Update Registry Value: changes the name of a registry value if it exists or deletes the value if the delete option is selected.

      For tasks that modify the registry and target the HKEY_USERS hive, if you use the wildcard character (*) to target all users, users that are signed out when the policy is enforced are skipped.

    • Purge - Delete all nonessential files: provides a destructive, non-recoverable wipe of all non-Tanium and non-Windows files from the targeted system. These changes are not reversible.
    • Purge - Freeze and lockout: provides a non-destructive lockout of the targeted system using BitLocker on computers that have a TPM chip and forces a BitLocker recovery. You can also decide if you want to immediately lock the user out of the target system.
    • Purge - Recover from freeze: reverses the Purge - Freeze and lockout policy by displaying the BitLocker recovery window. At that time a key can be entered to recover the system.

      For more information about purge remediation policy types, see Create a purge remediation policy.

  5. You can add the following types of tasks to a Mac or Linux remediation policy:

    • Delete File: deletes a single file or multiple files matching a pattern.
    • Kill Process: kills all processes that match the specified Process Type options: name, path, or hash. You can also optionally enter Command Line Args to use a regular expression to match against process command line arguments for any of the Process Type options.
    • Run Service Action: changes the running state of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

  6. Complete the required fields for the task that you are defining.
  7. Add other tasks as needed for the policy. When you are finished adding all tasks, click Create.
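The Kill Process task selects processes by name, path, or hash, optionally narrowed by a regular expression over the command line. The Python below is an added example, not the task's own implementation: it applies those selection rules to a constructed process inventory so you can preview which processes a task definition would select, and it shows why the hash option also catches a renamed copy of the same binary. Treating names and paths as case-insensitive on Windows and case-sensitive on Mac and Linux is this example's assumption.

```python
import re

# Constructed process inventory for illustration only; the hashes are made up
# and stand in for the executable hash an inventory tool would report.
PROCESSES = [
    {"pid": 1204, "name": "updater.exe",
     "path": r"C:\Program Files\Example\updater.exe",
     "hash": "1111aaaa" * 8, "cmdline": "updater.exe --check"},
    {"pid": 1377, "name": "updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "hash": "2222bbbb" * 8, "cmdline": "updater.exe --silent"},
    {"pid": 1402, "name": "svc-helper.exe",                 # renamed copy of the Temp binary
     "path": r"C:\Users\alice\AppData\Local\Temp\svc-helper.exe",
     "hash": "2222bbbb" * 8, "cmdline": "svc-helper.exe --silent"},
]


def match_processes(processes, process_type, value, cmdline_regex=None,
                    case_insensitive=True):
    """PIDs a Kill Process task with these options would select.

    process_type is 'name', 'path', or 'hash'. cmdline_regex, when given, must
    also be found in the command line (re.search, like the Command Line Args
    field). case_insensitive=True suits Windows names and paths; pass False for
    Mac and Linux, where paths are case-sensitive. Hashes are always compared
    case-insensitively because hex digests are shown in either case."""
    if process_type not in ("name", "path", "hash"):
        raise ValueError("Process Type must be name, path, or hash")
    pattern = re.compile(cmdline_regex) if cmdline_regex else None
    if case_insensitive or process_type == "hash":
        fold = str.lower
    else:
        fold = lambda s: s
    wanted = fold(value)
    return [p["pid"] for p in processes
            if fold(p[process_type]) == wanted
            and (pattern is None or pattern.search(p["cmdline"]) is not None)]


def preview(processes, process_type, value, cmdline_regex=None, case_insensitive=True):
    """(pid, path) pairs to review before the task is enforced."""
    pids = set(match_processes(processes, process_type, value, cmdline_regex, case_insensitive))
    return [(p["pid"], p["path"]) for p in processes if p["pid"] in pids]


if __name__ == "__main__":
    # A name match alone would stop the legitimate updater as well as the copy in Temp;
    # narrowing by command line or selecting by hash keeps the task precise.
    print(preview(PROCESSES, "name", "updater.exe"))
    print(preview(PROCESSES, "name", "updater.exe", cmdline_regex=r"--silent\b"))
    print(preview(PROCESSES, "hash", "2222bbbb" * 8))
```

Previewing the selection before enforcement matters most for the name option: a common executable name matches every instance, including the one you intended to keep.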


Remediation policy file pattern matching examples

Recursive matching is not supported. Each directory level must be specified.

  • Match a file by name in an unknown directory path.
    Actual Path: c:\a\b\c\file.exe
    Wildcard: c:\*\*\*\file.exe
  • Match any file in a known directory path.
    Actual Path: c:\a\b\c\file.exe
    Wildcard: c:\a\b\c\*
  • Match a specific file type in a partially known directory path.
    Actual Path: c:\a\b\c\file.exe
    Wildcard: c:\a\*\c\*.exe
  • Disable case sensitivity for the first character in a file name.
    Actual Path: c:\a\b\c\File.exe
    Wildcard: c:\a\b\c\[Ff]ile.exe
  • Match a single character in a file name.
    Actual Path: c:\a\b\c\cat.exe
    Actual Path: c:\a\b\c\bat.exe
    Wildcard: c:\a\b\c\?at.exe
  • Do not match a character in a file name.
    Actual Path: c:\a\b\c\cat.exe
    Wildcard: c:\a\b\c\[!c]at.exe
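The wildcard semantics in the examples above (`*` and `?` never cross a directory separator, `[Ff]` and `[!c]` are character sets) differ from a shell glob that recurses, so it helps to test a pattern against the paths you expect before putting it in a Delete File task. The Python below is an added example, not Enforce code: it translates a pattern into a regular expression under those rules and treats everything outside a character set as case-sensitive, which is an assumption drawn from the "Disable case sensitivity" example. The sample paths are constructed to mirror the table.

```python
import re


def translate_pattern(pattern):
    """Translate a remediation file pattern into a regular expression.

    '*' and '?' match within one directory level only (they never cross a
    backslash), which is why each level must be spelled out; '[...]' is a
    character set and '[!...]' a negated one. Everything else is literal."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        elif ch == "[":
            close = pattern.find("]", i + 1)
            if close == -1:                      # unterminated set: treat '[' literally
                out.append(re.escape(ch))
            else:
                body = pattern[i + 1:close]
                if body.startswith("!"):
                    body = "^" + body[1:]
                out.append("[" + body.replace("\\", "\\\\") + "]")
                i = close
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def path_matches(pattern, path):
    """True if the whole path matches the pattern (case-sensitive outside sets)."""
    return re.fullmatch(translate_pattern(pattern), path) is not None


def find_matches(pattern, paths):
    """Dry run for a Delete File task: which of the given paths would be selected."""
    return [p for p in paths if path_matches(pattern, p)]


# Constructed paths mirroring the examples above (not taken from an endpoint).
SAMPLE_PATHS = [
    r"c:\a\b\c\file.exe",
    r"c:\a\b\file.exe",        # one level short: '*' does not recurse
    r"c:\a\b\c\d\file.exe",    # one level deep: '*' does not recurse
    r"c:\a\b\c\File.exe",
    r"c:\a\b\c\FILE.exe",
    r"c:\a\b\c\cat.exe",
    r"c:\a\b\c\bat.exe",
]


if __name__ == "__main__":
    for pattern in (r"c:\*\*\*\file.exe", r"c:\a\b\c\*", r"c:\a\*\c\*.exe",
                    r"c:\a\b\c\[Ff]ile.exe", r"c:\a\b\c\?at.exe", r"c:\a\b\c\[!c]at.exe"):
        print(pattern, "->", find_matches(pattern, SAMPLE_PATHS))
```

The two paths that never match (`c:\a\b\file.exe` and `c:\a\b\c\d\file.exe`) are the point of the "Recursive matching is not supported" note: a pattern written for one depth silently misses files one level up or down.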

Create a purge remediation policy

Use a purge remediation policy to take action on lost or stolen endpoints by remotely wiping all nonessential data or freezing the endpoint to prevent attempts to sign in.

Test these policies prior to implementing them in a production environment.

The following information applies to remediation purge policies:

  • A remediation policy that contains a purge cannot have any other tasks. Conversely, if there is already a task in a remediation policy, you cannot add a purge task.
  • A remediation policy that contains a purge can only be targeted to individual computers, not computer groups.
  • The Enforce Endpoint Wipe Action privilege is required for this policy.

To create a purge remediation policy, complete the following steps:

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. You can also create a remediation policy from the Remediations tab of the Device Actions page.

  3. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Remediation - Windows.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.
  4. In the Remediation section, select the task that you want to run on your endpoint(s) from the Add Task dropdown list.

    The following purge tasks are available:

    • Purge - Delete all nonessential files: provides a destructive, non-recoverable wipe of all non-Tanium and non-Windows files from the targeted system by completing the following tasks. These changes are not reversible.

      BitLocker and TPM are not required. This process can take up to an hour to complete.

      • Locks the endpoint, which prevents any users from accessing the endpoint, and reboots the system to close open programs
      • Takes ownership and gains permission for all files possible
      • Deletes all files that are not open or in the c:\windows\ and %programfiles%\Tanium\Tanium Client\ folders 
      • Deletes the BitLocker key from the hardware TPM (if BitLocker is enabled)
      • Performs a three pass wipe on the freed disk space
      • At start-up, displays the BitLocker recovery screen instead of booting into Windows (if BitLocker is enabled)
      1. In the Requested By field, enter the name of the person or business group that is requesting the purge.
      2. Enter a BitLocker Pre-Boot Recovery Message. This message displays to users at start-up (if BitLocker is enabled).
      3. Enter the MAC address for the selected target to ensure that the correct target receives the action, as a MAC address is a more distinct identifier than a host name. If the target has multiple MAC addresses, Tanium compares each address until it finds a match. If it does not find a match then the policy does not run.
    • Purge - Freeze and lockout: provides a non-destructive user lockout of the targeted system using BitLocker on computers that have a TPM chip by completing the following tasks.

      For both freeze and lockout features, the endpoint must have BitLocker enabled and disk encryption with TPM. If BitLocker is not enabled, the user is still prevented from signing in, but the endpoint is not prevented from booting.

      • Sets up a scheduled action after verifying endpoint requirements are met
      • Deletes the BitLocker key from the hardware TPM
      • Forces a shutdown of the endpoint
      • At start-up, displays the BitLocker recovery screen instead of booting into Windows
      1. In the Requested by field, enter the name of the person or business group requesting the freeze.
      2. Enter a BitLocker Pre-Boot Recovery Message. This message displays to users at start-up.
      3. Enter the MAC address for the selected target. This is to ensure that the correct target receives the action as MAC address is a more distinct identifier than host name. If the target has multiple MAC addresses, Tanium compares each address until it finds a match. If it does not find a match then the policy does not run.
      4. (Optional) Clear the User Account Lockout option if you do not want to immediately lock the user out of the target system.
    • Purge - Recover from freeze: reverses the freeze and lockout. This task runs after the user manually recovers BitLocker by using the recovery key, but still cannot sign in due to the account lockout. This task restores the user account, which allows the user to sign in again.
      • Adds TPM back to the BitLocker protectors list
      • Recovers locked out account
      • The user must input the recovery key and boot to Windows before the machine can be unfrozen.
  5. Click Create.


Create an SRP management policy

When you enable Windows SRP for the first time, targeted endpoints must be rebooted for SRP Management policies to be enforced.

You might want to enforce an SRP Management policy that does not block anything or allows a path that is always trusted, such as the Tanium Client. With this practice, the required reboot does not have to take place when you need to push out an urgent policy, such as a policy to block a malicious application.

  1. From the Enforce menu, go to Policy Configurations and then click Actions > Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select SRP Management.

      You can filter policy types by operating system by clicking any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a content set.

Create an SRP process rule using a path

  1. In the Path Rules section, click Create.
  2. Enter a Name for the rule.
  3. Enter the path or filename in the Path field. Full paths, environment variables, and filenames are supported.
  4. Continue adding rules as necessary and click Create when you are finished.

Create an SRP process rule using a hash

  1. In the Hash Rules section, click Create.
  2. Enter a Name for the rule.
  3. Enter the MD5 Hash.
  4. Enter the File Size in bytes and click Save.
  5. Continue adding rules as necessary and click Create when you are finished.
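A hash rule needs the MD5 hash and the exact size of the file it should match, and both values have to agree for the rule to apply. The Python below is an added example, not Enforce code: it computes those two values for a file, builds rule entries for a list of files, and checks whether a given binary would match an existing rule. Because any change to the file changes both values, an updated build of an application needs a new hash rule; this is the trade-off against a path rule, which keeps matching after updates.

```python
import hashlib
import os


def hash_rule_values_from_bytes(data):
    """MD5 hex digest and size in bytes: the two values the Hash Rules form asks for."""
    return {"md5": hashlib.md5(data).hexdigest(), "size": len(data)}


def hash_rule_values(path):
    """The same values streamed from a file, so large binaries are not read into memory."""
    digest = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"md5": digest.hexdigest(), "size": size}


def make_hash_rules(paths):
    """One rule entry per file: Name from the file name, MD5 and size from its content."""
    return [{"name": os.path.basename(p), **hash_rule_values(p)} for p in paths]


def matches_hash_rule(data, rule):
    """True only if both the MD5 and the size agree with the rule.
    Hash text is compared case-insensitively, since digests are typed either way."""
    values = hash_rule_values_from_bytes(data)
    return values["md5"].lower() == rule["md5"].lower() and values["size"] == rule["size"]


if __name__ == "__main__":
    # Constructed content standing in for a binary; the values below are what you would
    # enter as MD5 Hash and File Size for it.
    print(hash_rule_values_from_bytes(b"abc"))
```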



Be aware of AppLocker Allow or Deny rules set in your Domain Policy – these rules might prevent SRP process rules created in Enforce from being enforced.

Import policies

You can import one or more policies from a JSON file.

  1. From the Enforce menu, click Policy Configurations and then click Actions > Import.
  2. Click Browse for file, select the JSON file, and click Import.
  3. Make any necessary changes and then click Save.

    You might have to change an imported policy name if the name conflicts with the name of an existing policy.

Imported policies appear on the Policies page.

Export policies

  1. From the Enforce menu, click Policy Configurations.
  2. Select the policies that you want to export and then click Actions > Export.

Each policy is downloaded as a separate JSON file. You can use each downloaded JSON file to import each policy.

Prioritize policies

A single policy can contain multiple settings. When several policies are enforced on an endpoint, unique settings across all policies are applied. If duplicate settings exist for an endpoint, the setting with the lowest priority number takes precedence. See Overview for more information about how policy settings are applied to endpoints.

The policy with the highest priority has the lowest priority number. For example, a policy with a priority of 1 takes precedence over a policy with a priority of 10.

Set the prioritization of policies to determine which policy setting is applied if a conflict exists.

  1. From the Enforce menu, go to Policy Configurations and click Actions > Prioritize to make the priority fields editable.
  2. Click the priority field for the policy you want to change and enter a new priority number. Click Preview updated priorities to accept the change or Cancel to undo the change. When you click Preview updated priorities, the priority numbers for all policies are updated based on your change.
  3. (Optional) To revert your changes back to the original priorities, click Cancel.
  4. To keep the new priorities, click Save.
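The precedence rule above is small but easy to get wrong once many policies overlap. The Python below is an added example, not Enforce code: it computes the effective settings for an endpoint from a list of enforced policies, lists the settings that are overridden so you can review them, and mimics the Prioritize action by moving one policy to a new priority number. That the other policies are renumbered 1 to n after the move is this example's assumption, and the policy and setting names are constructed.

```python
# Constructed policies: lower priority number wins when a setting is duplicated.
POLICIES = [
    {"name": "Baseline", "priority": 1,
     "settings": {"Firewall: Domain profile": "Enabled", "Screen saver timeout": "600"}},
    {"name": "Servers", "priority": 2,
     "settings": {"Firewall: Domain profile": "Disabled", "SMBv1 server": "Disabled"}},
    {"name": "Kiosks", "priority": 3,
     "settings": {"Screen saver timeout": "120"}},
]


def effective_settings(policies):
    """Settings an endpoint ends up with when all of these policies are enforced.

    Unique settings are applied as they are; a setting that several policies
    define is taken from the policy with the lowest priority number.
    Returns {setting: (value, winning_policy_name)}."""
    winners = {}
    for policy in sorted(policies, key=lambda p: p["priority"]):
        for key, value in policy["settings"].items():
            winners.setdefault(key, (value, policy["name"]))   # first seen = lowest number
    return winners


def conflicts(policies):
    """Settings defined by more than one policy, with the contributing policies
    in priority order, so overridden values can be reviewed rather than discovered."""
    seen = {}
    for policy in sorted(policies, key=lambda p: p["priority"]):
        for key in policy["settings"]:
            seen.setdefault(key, []).append(policy["name"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def reprioritize(policies, name, new_priority):
    """Move one policy to new_priority and renumber the rest 1..n in order
    (the renumbering rule is this example's assumption about Preview updated priorities)."""
    ordered = sorted(policies, key=lambda p: p["priority"])
    moving = next(p for p in ordered if p["name"] == name)
    ordered.remove(moving)
    index = min(max(new_priority, 1), len(ordered) + 1) - 1
    ordered.insert(index, moving)
    return [dict(p, priority=i) for i, p in enumerate(ordered, start=1)]


if __name__ == "__main__":
    print(conflicts(POLICIES))
    print(effective_settings(POLICIES))
    print(effective_settings(reprioritize(POLICIES, "Kiosks", 1)))
```

Running `conflicts` before saving a new priority order shows exactly which values change hands; in the constructed data, promoting Kiosks to priority 1 changes the screen saver timeout on every endpoint that has both Baseline and Kiosks enforced, not only on kiosks.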