Jamf Nation Community

pmendez · ‎12-13-2019

Please keep in mind there's several ways to deploy this. I'm sharing what worked for me :)
Getting the Installer
- Using the Tanium Client Deployment Tool, go to Clients, then click on Generate Archive
- Choose .iso and platform osx. Click OK

Creating a DMG
- Open Composer
- Open the .iso file by double-clicking on it
- Drag the .pub file to the left column of composer
- Take the file out of the directories, delete the empty directories
- Drag the pkg to Composer, make sure it's outside of any directory and delete any other directory so the only two things in Composer should be the .pub and the .pkg - I changed the name to TaniumClient_osx so it was just like the .iso
- Click on Build as DMG
- Upload the DMG to Jamf

Extension Attribute(s) (I might add more later)
- Create a new EA called 'Install Status - Tanium' - Data Type: String - Input Type: Script

#!/bin/bash
taniumLaunchDaemon=`ls /Library/LaunchDaemons/ | grep com.tanium.taniumclient.plist`
if [[ $taniumLaunchDaemon != '' ]]; then
    echo "<result>Installed</result>"
else
    echo "<result>Not Installed</result>"
fi
exit 0

Create a new EA called 'Contains: Tanium Cached'

Data Type: String

Input Type: Script

#!/bin/bash
if [ -e /Library/Application Support/JAMF/Waiting Room/TaniumClient_osx.iso.dmg ]; then
echo "<result>Yes</result>"
else 
echo "<result>No</result>"
fi
exit 0

Smart Group(s)
- Create a new smart group called 'Not Cached: Tanium' - Criteria: Contains: Tanium Cached is No (you might have to click on Show Advanced Criteria to see it)
- Create a new smart group called 'Cached: Tanium' - Criteria: Contains: Tanium Cached is Yes (you might have to click on Show Advanced Criteria to see it)
- Create a new smart group called 'Not Installed: Tanium' - Criteria: Install Status - Tanium is Installed (you might have to click on Show Advanced Criteria to see it)
- Create a new smart group called 'Ready to Install: Tanium' - Criteria: Computer Group is member of Cached: Tanium - Criteria: Computer Group is member of Not Installed: Tanium
(Alternatively, you can also just not create the cached: tanium group and just put Contains: Tanium Cached is Yes in the last group)

Creating the Script
- Set parameter 4 to ServerName

#!/bin/bash
echo "Start of Tanium Install Script"
hdiutil mount /Library/Application Support/JAMF/Waiting Room/TaniumClient_osx.iso.dmg -nobrowse
echo "Mounted cached dmg"
installer -pkg /Volumes/TaniumClient_osx.iso/TaniumClient-7.2.314.3518.pkg -target /
hdiutil unmount /Volumes/TaniumClient_osx.iso/
echo "unmount successful"
/Library/Tanium/TaniumClient/TaniumClient config set ServerName $4
sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
echo "unload /Library/LaunchDaemons/com.tanium.taniumclient.plist"
sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist
echo "load /Library/LaunchDaemons/com.tanium.taniumclient.plist"
exit 0

Policy#1: Cache Tanium
- Trigger: Recurring Check-In, Custom: cache_tanium
- In Packages, add the DMG you previously created
- Action: Cache (This is important!)
- Scope: Not Cached: Tanium
- Maintenance: Update Inventory
- Execution Frecuency: I always like to start with Once Per Computer to make sure it's not 'overinstalling' but given the smart group we are using, we should be able to set it to Ongoing from the start

Policy#2: Install Tanium
- Trigger: Recurring Check-In, Custom: tanium
- Script: Add the Script you created. Add the ServerName (or IP address) if your Tanium Server
- Scope: Ready to Install: Tanium
- Maintenance: Update Inventory
- Execution Frequency: I always like to start with Once Per Computer to make sure it's not 'over installing' but given the smart group we are using, we should be able to set it to Ongoing from the start

Check the comments for pppc for it

sbirdsley · ‎12-13-2019

This is also a good resource

pmendez · ‎12-13-2019

Hi @sbirdsley ! I definitely went off that to start this process. A couple of things I noted:
- Playing around with the installer, best bet is to keep the pkg and the .pub in the same installer, hence me deploying a dmg
- You can't really upload a .iso to jamf, so I'm 'repackaging' it
- The doc doesn't really specify that you have to stop and restart the service after you set the servername to make sure it applies
- It also doesn't really specify the PPPC stuff needed so tanium can run (I might post that in a different discussion thread)

jeanviales · ‎01-17-2020

Hi @pmendez !

Any chance you can share the PPPC stuff? I've been trying to deploy tanium for 5 days and I have tried it all and nothing.

Thank you!

travismchugh · ‎01-29-2020

@pmendez Thanks for posting! I have been informed I will need to start testing the deployment of Tanium in the near future. I'm curious to hear how the use of Tanium is affecting your Mac fleet? @jeanviales Have you gotten Tanium up and running? Would be interested to hear how it is working for you.

pmendez · ‎01-31-2020

@travismchugh we are using tanium more as a vulnerability scanner (we used to use nessus agent) - I think we are currently using deploy and config at the moment

pmendez · ‎01-31-2020

@jeanviales check it out

pmendez · ‎01-31-2020

For some reason the pics got our of order, but the last one is what the top part of the "Private Preferences Policy Control" will look like.
To get the code requirement, run

codesign -dr - /path/to/application

More info here

jeanviales · ‎02-04-2020

@pmendez Thanks a lot! @travismchugh , I was able to make it work, finally! Deployed it on both my VM and test iMac.

obi-k · ‎02-06-2020

Anybody using an Extension Attribute that spits out the installed version?

rqomsiya · ‎02-06-2020

@mvu Here is what I use:

#!/bin/bash
taniumVersion=$(sudo /Library/Tanium/TaniumClient/TaniumClient --version)
if [[ $taniumVersion != '' ]]; then
    echo "<result>$taniumVersion</result>"
else
    echo "<result>Not Installed</result>"
fi
exit 0

obi-k · ‎02-07-2020

Thank you, @rqomsiya and happy Friday

donmontalvo · ‎04-28-2020

@rqomsiya won't that command invoke the client every time it runs (during recon)?

If you're on 7.2 or later, can get the version from this file:

# awk -F> '/e_4/{print $(NF-1)}' /Library/Tanium/TaniumClient/swidtag/regid.2005-04.com.tanium.client.swidtag | cut -d"<" -f1

--
https://donmontalvo.com

rqomsiya · ‎04-28-2020

Hi @donmontalvo,

This is true, however, I've always preferred to read the actual client output rather than the swidtag file. It's minimal impact as far as I've seen, but you do have a great point! I'll play around with both ways. Thanks for the nice one-liner!

donmontalvo · ‎04-28-2020

@rqomsiya undertstood, if you're using an EA, check Activity Monitor after a few days to look for TaniumClient processes.

--
https://donmontalvo.com

sdagley · ‎07-19-2020

@donmontalvo Are you're saying that calling TaniumClient --version will create additional instances of the TaniumClient process each time? That isn't the behavior I'm seeing. While I do have multiple instances of TaniumClient, the count seems static, and doing a recon doesn't create additional ones.

MatG · ‎07-20-2020

Are you allowing Tanium full disk access?

donmontalvo · ‎07-20-2020

@sdagley not sure what version or build number it was, we had some issues with having excessive Tanium processes. We were told the new version gives a way to get the version from a file.

--
https://donmontalvo.com

sdagley · ‎07-20-2020

@donmontalvo I was thinking it might have been a problem with earlier versions, but it doesn't seem to be an issue with what we're deploying so I'm going to stick with the --version call since it also tells me the binary is responding.

@MatG It does seem odd the Tanium install docs make no mention of needing a PPPC profile, but the group that manages Tanium in my environment has never complaint about functionality. Since your question has rekindled my curiosity, I have asked them to verify with Tanium support.

MatG · ‎07-22-2020

@sdagley

I've also asked Tanium the same a few weeks back but no response as I also see no documentation about it requiring Full Disk access and inclined not to allow unless Tanium state its a requirement.

paula_mendez · ‎08-10-2020

@sdagley @MatG - It's been a while since I deployed this, but when I did, I was in a long call with my tanium reps while testing (since their documentation lacks). FWIW, I can tell you that I wouldn't have done it unless it otherwise didn't work. I agree that It'd be good to get confirmation from them/add it to their docs

sdagley · ‎08-10-2020

Thanks @paula.mendez. In the last communication I saw from Tanium support on the question of a PPPC profile being necessary their response was basically ¯_(ツ)_/¯. Since we're only using it as a scanner may explain why the AppleEvents permissions you found necessary haven't been an issue for us, but the file access ones are definitely a mystery. I do know that on some of our Macs the TaniumClient has appeared in the Full Disk Access list, but not as enabled, and as far as I know none of those users saw a prompt it needed access.

rserva · ‎09-30-2020

So my company is going to deploy Tanium to our Macs. The Tanium documentation says we need to run the taniumclient.pkg then after it, copy the file Tanium-init.dat to the /TaniumClient directory. I'm trying to create a policy in Jamf that does all of that in one shot. Can somebody help?

rqomsiya · ‎09-30-2020

Hi @rserva . I can assist

sdagley · ‎09-30-2020

@rserva Here's the layout of the Tanium 7.4.2.2073 installer .pkg I built in Composer:

The postinstall script in that .pkg is:

#!/bin/bash
## postinstall

/usr/sbin/installer -verbose -pkg "/var/tmp/TaniumInstall/TaniumClient-7.4.2.2073.pkg" -target /

# Delete the Tanium installer
/bin/rm -rf "/var/tmp/TaniumInstall"

exit 0      ## Success

rserva · ‎10-01-2020

What do you have in the .ini file and did you build it yourself? I only have the .pkg and the .dat files

rserva · ‎10-01-2020

Hi Rany, yes please can you assist?

rserva · ‎10-01-2020

Hi sdagley, I see that you put the .pkg, the .dat and the .ini in the same folder in /tmp, then you ran a script to install the .pkg. Question is how does the .dat and the .ini get put in the /TaniumClient directory after the install?
Thanks

CommandShiftK · ‎12-22-2020

I did something similar to what @sdagley did. My .INI file is super simple and just has the text "ServerNameList=our.server.org"

sdagley · ‎12-22-2020

@rserva Sorry, missed your question when it was posted. Hopefully you've found the answer by now, but for anyone just finding this thread, the Tanium installer handles creating the necessary config files in the TaniumClient directory by reading the ones in the same directory as the client installer when it's run.

davidtorres · ‎12-21-2022

I'm having issues with this KB since the package available in the Tanium Console doesn't match this article.
Any chance to get some assistance on how to properly deploy the client in my company environment using Jamf Pro?

Regards

scottb · ‎04-28-2023

Wondering if any of you folks know if we need a PPPC Profile for Tanium? I've read both yes and no...

New to Tanium, so looking for some advice. Thank you!

allanp81 · ‎10-17-2023

I was wondering the same thing. I've pushed the agent to a handful of devices but as is I get no prompts for it to do anything permissions wise. I've followed their guide here: Deploying the Tanium Client using an installer or package file and as I can tell I've created the PPPC profile with the permissions it requires but no way of testing whether it actually works or not.

Jamf Nation Community

Installing tanium