Tanium 6.x: Licensing

Introduction

The tanium.license file located in the Tanium Server’s installation folder—by default, \Program Files\Tanium\Tanium Server\—sets the following limits on a deployment:

  • The maximum number of managed computers the Tanium system will support
  • The duration of time for which the Tanium platform provides full functionality
  • The Tanium platform features authorized for use
  • The IP Address or FQDN to define the URL to launch the console.

If the tanium.license file does not exist in the server’s installation folder, the system defaults to using the limits established for a pilot or evaluation deployment:

  • Support for up to 50 managed devices: Servers, Workstations, or Laptops
  • Authorization for all platform features

License Acquisition and Activation

Evaluation License <= 50 seats

  1. No action necessary to acquire or activate a license.
  2. After installing the Tanium application server, no tanium.license file exists in the server's installation folder. Consequently, the system uses the default license settings to enable an organization to manage the 50 most recently registered Tanium Clients installed to devices within an evaluation environment.

Production License or Evaluation License > 50 seats

  1. To acquire a production or evaluation license to manage more than 50 seats, provide your Tanium or Tanium partner account team with the Fully Qualified Domain Name or fixed IP address of the physical or virtual device that hosts the Tanium application server.
  2. The account team will process the request and return a tanium.license file.
  3. To activate the new license, rename the current version of the tanium.license file for back up if one exists within the Tanium Server's installation folder.
  4. Copy the tanium.license file delivered by the account team to the Tanium Server’s installation folder.
  5. The new license will be activated automatically within a few minutes; however, you may also restart the Tanium Server service to complete the new license activation process immediately

Tanium platform licensing FAQ’s

To minimize the effort associated with maintaining compliance to a Tanium software license contract and to discourage the practice of over-licensing software from fear of failing a vendor's software audit, the Tanium platform and underlying licensing algorithm include a number of built-in features to simplify license management and eliminate the expense of purchasing and tracking unnecessary licenses.

FAQ

Q: To demonstrate compliance with the terms of the Tanium software license, will our organization need to deploy, configure, and maintain an independent software License Metric Tool from Tanium or a third-party software vendor?
 
A: The Tanium platform automatically tracks the number of devices registered and reports that information within the management console, so you do not need to install a separate license metric tool or generate license usage and compliance reports from another system.

The platform maintains an internal counter to track the number of unique devices registered and reporting in to the system within the previous 30-day period. To view that count at any time:

  1. Navigate to Administration | System Status within the Console
  2. Select the option "Show systems that have reported in the last:"
  3. Enter the value "30" at the data entry field
  4. Set the duration dropdown list to "Days"

The system determines License compliance by subtracting the number of devices registered within the last 30 days from the "SeatCount" value defined in the tanium.license file:

725px-Licensing-SystemCount.png

Q. Our organization frequently re-images or refreshes our hardware. How do we reclaim unused licenses from the old systems so they can be used to manage the new ones?

A: The platform reclaims Licenses automatically from refreshed or decommissioned devices as well as systems temporarily disconnected from the network.
  • The license tracking feature requires no on-going maintenance for an organization to remain compliant with the terms of the software contract. If a device does not re-register within any 30-day period, the internal counter tracking the number of actively managed devices decreases by one, making the license available for use by another device.
  • If the machines are being replaced faster than the old licenses are being released, a buffer of additional seats is available automatically to compensate for the difference in seat count while the system reclaims old licenses.
Q: Because of mergers and acquisitions, the number of devices our organization needs to manage can increase very quickly. How can we manage those machines while working through the process to add additional seats to our existing license?
 
A: Again, the platform license automatically includes a buffer of additional seats to compensate for a sudden increase in the number of managed devices until a system administrator activates a new license file on the server. If you run into any issues because this buffer is inadequate, please contact your Tanium account representative for assistance.
 
Q: What happens if the total number of managed devices exceeds the licensed seat count plus the temporary buffer of additional seats?
 
A: Operators logging into the console see an alert that the number of currently managed devices exceeds the license allocation and temporary buffer.
  • The system rejects registration attempts from any additional devices until the license count is increased or licenses no longer in use are released by computers that have not re-registered.
  • As a result, the system continues to provide full management of the licensed number of devices; however, the specific devices under management will be different at any point in time, again, until new licenses are added or unused licenses are released by computers that have not registered within the previous 30-day period.
Licensing-SeatCountExceeded.png
Q: How will our organization be notified when our license renewal is due?
 
A: The Tanium or partner account team contacts your organization's procurement department well in advance of the license expiration date to begin the renewal process. If any unexpected events prevent the license from being renewed before the license expires, the system continues to operate during a brief grace period to avoid any disruption in service.
  • If the license goes into its grace mode, operators logging into the system see an alert to renew the license before the end of the grace period. 
  • The system continues to support the entitled number of devices after license expiration; however, if a replacement license is not activated by the end of the grace period, the system will revert to managing only the 50 most recently registered devices until a new license is put in place.
Licensing-LicenseExpired.png
Q: How can our organization verify the seat count, expiration date, and authorized features associated with the tanium.license file activated on our system? 
A: Follow the steps below to verify the active license settings:
    1. Enable the Tanium Server log with a decimal value of 81.
      1. If logging is already enabled, make note of the Tanium Server's current logging level and update the setting to a decimal value of 81.
      2. After reviewing the licensing information described below, reset the server's logging level to its previous value or to zero to disable the logging.
    2. From a text editor:
      1. Open the current version of the log file, log0.txt, located within the server's installation folder.
      2. Scroll to the end of the file
      3. Search up for the string value "Opened License"
Licensing-ViewLogFile.png
3. Confirm that the details about the tanium.license file reported in the log file are consistent with the terms of the Tanium contract regarding seat count, expiration date, and authorized features described in the table below.
4. After reviewing the licensing information, reset the the server logging level to its previous value or to zero to disable the logging.
 
ServerName Address of the Tanium application server associated with the active license. Once activated, the tanium.license file allows access from a browser to the console only when the URL includes the server name value specified here. For example:
  • Assuming a ServerName value of tanium.organization.com, the URL to access the console must be https://tanium.organization.com or https://tanium.organization.com:8443, depending on the port used for console access.
  • Even if the address values are valid on the internal network, attempts to access the console through URL's such as https://192.168.100.115https://localhosthttps://tanium, etc. will not be successful
Features System functionality enabled by the license:
  • Questions: Platform is licensed only to report information through Questions, Saved Questions, Dashboards and Dashboard groups using both out of the box and custom Sensors.
  • Questions, Actions: Platform is also licensed to target and deploy actions through the infrastructure
SeatCount Number of computers licensed to be managed by the platform. The server compares the number of computers registered over the last 30 days as reported in the console's System Status tab to the SeatCount value in the license file to determine compliance. If the number of registered computers exceeds the number of licensed seats by more than 10%, operators logging into the console see an alert warning that the system will continue to function, but will reject registration attempts from new devices until either additional licenses are purchased or the system reclaims unused licenses from managed computers that have not re-registered within the last 30 days.
Expiration The date on which the license expires expressed as the number of days since the start of the Unix/POSIX Epoch time system, January 1, 1970.
  • For example, 15912 = July 26, 2013
daysFromEpoch The current date expressed as the number of days since the start of the Unix/POSIX Epoch time system, January 1, 1970.
  • For example, 15884 = June 28, 2013
Days Left Calculated as Expiration - daysFromEpoch

A positive value represents the number of days until the license expiration date:

  • 15912 - 15884 = 28

A negative value represents the number of days since the license expiration date:

  • 15877 - 15884 = -7

When a license expires, the system continues to function for a limited grace period. If a new license is not activated by the end of the grace period, the system will revert to "evaluation mode" which allows you to manage only the 50 most recently registered devices.

 
Q: What if I don't see all Features I Expect? (Troubleshooting Licenses)
 
A: The most common causes of not seeing all features expected are 1) not browsing to the URL that is licensed in the tanium.license file, 2) having the license file named as tanium.license.license or tanium.license.txt, 3) not waiting long enough or restarting the Tanium Server service. The respective solutions are 1) browse to the URL located in the tanium.license file for administrative work, 2) rename the tanium.license file from a command prompt or by showing hidden extensions, and 3) restarting the Tanium Server service.

Have more questions? Submit a request