Tanium 6.x: Deploying the Tanium Client through McAfee ePO

Packaging the Tanium Client for deployment through ePO

This document explains the process to package the Tanium Client installation files using the McAfee ePO Endpoint Deployment Kit (EEDK) so you can remotely install the Tanium agent through an ePO task action. 

Verify desired installation settings

  1. Confirm Tanium ServerAddress
    • The internally defined, fully qualified domain name or alias the Tanium Clients use to resolve the Tanium Server's IP address.
    • For Windows clients or Mac Clients that might use a Zone Server or report to a Tanium Server configured in an Active/Active array, the Server Address can be set to a list of comma separated address values
  2. Confirm Tanium ServerPort number
    • Identify the private port used at server installation for Tanium Clients to communicate with the Tanium Server and their local neighbors.
    • Otherwise, use the default port of 17472
  3. Choose Product Name for ePO Package
    • Consider a naming convention representative of the Package elements:
    • Application Name: Tanium
    • Component: CLient
    • Target Operating System: WINdows, Mac OSXLinux
    • Linux distribution: Red Hat, SUSE, DeBian, UBuntu
    • For example: TANCLWINTANCLOSXTANCLLRHTANCLLSUTANCLLDBTANCLLUB
  4. Determine Product ID for ePO Package
    • Use the value 1001 later in the build process as the Product ID for your new Package if you are creating the first Tanium Client package for a specific product name to import into the ePO Master Repository.
    • Otherwise, set the Product ID for your new Package to be one greater than the Product ID assigned to the last Package for the specific product name imported into ePO.

Locate and Organize files

Create source input and package output folders

  1. Create a folder accessible to the device running the EEDK utility in the format x:\EEDK\InputSourceFiles\<ProductName><ProductID>-<ProductVersion> to host the files necessary to build each Tanium Client package you need.
    For example: x:\EEDK\InputSourceFiles\TANCLWIN1001-6.0.314.1190
  2. Create a folder for the EEDK output Package files, if one does not already exist.
    For example: x:\EEDK\OutputPackageFiles

Gather public key and client installer files

  1. Locate the Tanium public key file in the Tanium Server installation folder, by default \Program Files\Tanium\Tanium Server\tanium.pub, and copy it to each of the source files input folder(s).
  2. Contact your Tanium Technical Account Manager for the links to download the Tanium Client installer software.
  3. Download each client installer to the source files input folder for the respective client package.

Update script file to launch client installer

Windows Install Script

  1. Expand the Install-Client.cmd script below, copy the text, and paste it into an editor.
    @echo off
    :: Update the default variable assignments to reflect the respective values for your environment:
    Set ServerAddress=tanium.OrgName.com     &:: Tanium Server's FQDN
    Set ServerPort=17472                     &:: Port designated for system communication 
    Set LogVerbosityLevel=1                  &:: 1 recommended, 0 to disable logging
    Set ProductID=1001                       &:: Product ID for this iteration of package
     
    "%~dp0SetupClient.exe" /ServerAddress=%ServerAddress% /ServerPort=%ServerPort% /LogVerbosityLevel=%LogVerbosityLevel% /S && reg add "HKLM\Software\Tanium\Tanium Client" /v %ProductID% /d "EEDK" /f
  2. Set the "ServerAddress" variable to the FQDN or fixed IP Address of your Tanium Server. If any clients will report in to a Tanium Server configured in an Active/Active array and/or through a Zone Server, this entry can be a comma-separated list of addresses.
  3. Update the other three "Set" statements as needed.
  4. Save the updated file as Install-Client.cmd to the source files input folder for the respective client package.
    Note: To include additional client installation options—for example, to designate an alternate installation folder—refer to Tanium Client installation for a complete list of command line arguments the Windows installer supports.

Mac OSX and Linux Install Script

  1. Expand the install-client.sh script below, copy the text, and paste it into an editor.
    #!/bin/sh -x
     
    # defaults
    TANIUM="yes"
    TSNAME=""
    TSPORT=17472
    TLEVEL=0
     
    ##################################
    # change nothing below this line #
    ##################################
    TCLIENT=""
    TVER="0.0.0.0"
     
    urldecode() {
            local data=$(echo "$1" | sed -e 's/\+/ /g' -e 's/%/\\x/g')
            printf '%b' "$data"
    }
     
    usage() {
    			echo
    			echo "Usage: $0 -s servername [-p serverport] [-l loglevel] [-r]"
    			echo "-s servername: A resolvable FQDN or an ipv4 address (Solaris client requires a hostname)"
    			echo "-p serverport: The tcp port to communicate to the server on (default 17472)"
    			echo " -l  loglevel: The log level of the client (default 0)"
    			echo "-r:  Install the McAfee RealTime client instead of the TaniumClient"
    			echo
    			exit 1
    }
     
    # so we can fully "exit 1" from inside a subroutine
    quit () {
    	exit 1
    }
     
    SetClientVersion () {
     
    	# $1 = filespec to search for
    	if ! ls $1 > /dev/null 2>&1
    	then
    		echo Client file does not exist. Cannot continue
    		quit
    	else
    		# debian uses somename_ver instead of SomeName-ver hence the character class
    		TVER=$(ls $1 | sed -n 's/^.*[_-]\([0-9]\{1,4\}\.[0-9]\{1,4\}\.[0-9]\{1,4\}\.[0-9]\{1,4\}\).*/\1/p')
    		if [ "" = "$TVER" ]
    		then
    			echo Unable to parse client version. Cannot continue
    			quit
    		fi
    		echo "Client version: $TVER"
    	fi
    }
     
    SetClientIni() {
     
    	echo setting ini to: $1/$TINI
    	# $1 = client directory
    	if [ ! -d "$1" ]
    	then
    		echo Client directory does not exist. Cannot continue
    		quit
    	else
    		echo "Client installed to $1"
    	fi
    	local CONFIG="$1/$TINI"
    	cp $CONFIG $CONFIG.old 2>/dev/null
     
    	echo "Version=$TVER" > "$CONFIG"
    	echo "ServerName=$TSNAME" >> "$CONFIG"
    	echo "ServerPort=$TSPORT" >> "$CONFIG"
    	echo "Resolver=nslookup" >> "$CONFIG"
    	echo "LogVerbosityLevel=$TLEVEL" >> "$CONFIG"
    	echo ----config----
    	cat "$CONFIG"
    	echo ----config----
    	cp $TKEY $1/
     
    }
     
    ########
    # MAIN #
    ########
     
    while getopts "s:p:l:rh" optname
    do
    	case "$optname" in
    		"h")
    			usage
    			;;
    		"r")
    			TANIUM=""
    			;;
    		"s")
    			TSNAME=$(urldecode "$OPTARG")
    			echo ServerName: "$TSNAME"
    			;;
    		"p")
    			TSPORT=$(urldecode "$OPTARG")
    			echo ServerPort: "$TSPORT"
    			;;
    		"l")
    			TLEVEL=$(urldecode "$OPTARG")
    			echo LogVerbosityLevel: "$TLEVEL"
    			;;
    		"?")
    			echo Unknown option $OPTARG
    			exit 1
    			;;
    		":")
    			echo No argument value for option $OPTARG
    			exit 1
    			;;
    		*)
    			echo Unknown error processing options
    			exit 1
    			;;
    	esac
    done
     
    if [ "" = "$TANIUM" ]
    then
    	echo Will install Real Time Client
    	TKEY=serverKey.pub
    	TINI=rtclient.ini
    	TPATH=McAfee/realtime
    	TSPEC=RealTimeClient
    	PLIST=com.mcafee.realtime.rtclient.plist
    	TSERVICE=rtclient
    else
    	echo Will install Tanium Client
    	TKEY=tanium.pub
    	TINI=TaniumClient.ini
    	TPATH=Tanium/TaniumClient
    	TSPEC=TaniumClient
    	PLIST=com.tanium.taniumclient.plist
    	TSERVICE=TaniumClient
    fi
     
    if [ "" = "$TSNAME" ]
    then
    	echo ServerName not specified. Aborting installation
    	usage
    	exit 1
    fi
     
    if [ ! -s "$TKEY" ]
    then
    	echo $TKEY file not found. Aborting installation
    	exit 1
    fi
     
    if [ Darwin = `uname -s` ]
    then
    	### OSX ###
    	echo This system appears to be running Mac OSX
    	SetClientVersion  "$TSPEC*.zip"
    	echo "Installing $TSPEC"
    	unzip -qu "$TSPEC*.zip"
    	# the tanium zip file has a different structure than the McAfee zip file
    	if [ ! "" =  "$TANIUM" ]
    	then
    		sudo installer -allowUntrusted -pkg $TSERVICE-Mac-$TVER/$TSPEC.pkg -target /
    	else
    		sudo installer -allowUntrusted -pkg $TSPEC*.pkg -target / 
    	fi
    	SetClientIni "/Library/$TPATH"
    	launchctl load -w /Library/LaunchDaemons/$PLIST
    	rm -rf "$TSPEC*.pkg" "$TSPEC*.zip" "__MACOSX" "$TSERVICE-Mac-$TVER"
     
    elif which dpkg >/dev/null 2>&1
    then
     
    	### DEBIAN ###
    	echo This system appears to be running a Debian Linux distribution
    	# debian is the outlier, it uses lower case for the filename
    	TSPEC=$(echo "$TSPEC" | tr '[A-Z]' '[a-z]')
    	SetClientVersion "$TSPEC*.deb"
    	echo "Installing $TSPEC"
    	dpkg -i $TSPEC*.deb
    	SetClientIni "/opt/$TPATH"
    	service $TSERVICE start
    	rm -f $TSPEC*.deb
     
    elif which yast > /dev/null 2>&1
    then
     
    	### SUSE ###
    	echo This system appears to be running a SUSE Linux distribution
    	SetClientVersion "$TSPEC*.sle*.rpm"
    	echo "Installing $TSPEC"
    	rpm -U "$TSPEC*sle*.rpm"
    	SetClientIni "/opt/$TPATH"
    	service $TSERVICE start
    	rm -f $TSPEC.sle*.rpm
     
    elif which rpm > /dev/null 2>&1
    then
     
    	### RED HAT ###
    	echo This system appears to be running a Red Hat Linux distribution
    	# this one is tricky we son't want *.sle.rpm
    	# exclude the suse rpm f present and get the highest version if there are two versions here
    	INSTALLER=$(ls -1 *rpm | grep -v sle | tail -n1) 
    	SetClientVersion $INSTALLER
    	echo "Installing $INSTALLER"
    	rpm -U $INSTALLER
    	SetClientIni "/opt/$TPATH"
    	service $TSERVICE start
    	#rm -f $INSTALLER
     
    else
     
    	### DUNNO ###
    	echo "This system appears to be running an unsupported Linux distribution."
    	echo "No client is available to install.  Sorry!"
    	exit 1
     
    fi
     
    echo Checking for running client...
    sleep 2
    if [ ! "" = "`ps -ef | grep [T]aniumClient`" ]
    then
    	echo Tanium client appears to be running
    else
    	echo Tanium client does not appear to be running
    fi
    if [ ! "" = "`ps -ef | grep [r]tclient`" ]
    then
    	echo Real Time client appears to be running
    else
    	echo RealTime Client does not appear to be running
    fi
  2. Set the "TSNAME" variable to the FQDN or fixed IP Address of your Tanium Server.
  3. Update the other three variables at the top of the script as needed.
  4. Save the updated file as install-client.sh to the source files input folder for the respective client package.

Download and configure EEDK

  1. Download and unzip the latest version of the McAfee ePO Endpoint Deployment Kit and related documentation from the McAfee Tool Exchange.
  2. Launch the EEDK utility using the 'Run as administrator' option from the right mouse context menu:
  3. Navigate to Tools⇒Options
  4. Press Browse, navigate to the output Build Packages folder you created earlier.
  5. Select the folder and press OK:
  6. By default, the entry .\EEDK.log directs the EEDK log file to the utility's current working directory.
  7. Press Save.

Define and build the ePO deployment package

Complete the following steps for each client installer you want to deploy through ePO.

  1. From the main EEDK UI, choose the Folder option.
  2. Press Browse, navigate to the folder with the input source files for the respective client package you are building.
  3. Select the folder and press OK:
  4. Enter the software package properties based on the values specific to the package you are building.
  5. Select the specific versions of the operating system the package will support:
  6. Press Build Package. The EEDK creates the Package files and compresses them to a single .zip file in the directory designated as the build folder.
    Note: If a message box appears titled "ePO Signing Error," copy the following files from any machine running a McAfee Agent into the folder hosting the EEDK binaries:
    • \Program Files (x86)\McAfee\Common Framework\msvcp71.dll
    • \Program Files (x86)\McAfee\Common Framework\msvcr71.dll
  7. Check in the .zip Package file to the ePO Master Repository to deploy through a standard ePO Client Deployment task.
Have more questions? Submit a request