Endpoint management (Tanium)
What is Tanium?
Tanium is a cybersecurity and system management platform that provides asset discovery, patch management, software distribution, security compliance reporting, and various other functionalities.
Tanium was procured in March 2024 as part of the Digital Transformation project to address one of the key recommendations from the 2022 Information Security Audit of the University. The audit highlighted the lack of a centralized network endpoint and software inventory, which is a critical requirement for compliance with ISO27001 and Cyber Essentials Plus standards - both of which are increasingly demanded by research funding bodies.
The project objective is to install Tanium on all endpoint devices and enable the platform to discover assets across the entire LAN, creating a university-wide inventory of hardware and software and enhancing the security posture of network-connected devices. Units may also use Tanium for endpoint device management, though this functionality is optional.
What we offer
OxCERT manages the University's Tanium landscape, including the provisioning of sub-estates within it. We are now rolling out Tanium across the collegiate University and inviting all units to onboard. This service includes:
- Access to the Tanium cloud interface.
- Guidance and tutorials on managing the platform.
- Support from the OxCERT.
- A Tanium Teams channel, where we post updates, offer resolutions, and provide a forum for all onboarded units to enhance their experience with the platform.
Benefits for you...
Tanium, the Network Asset Discovery tool, is already approved by GRC and Information Security. This tool is guaranteed to improve your Department/College/Faculty security posture. Deployment of Tanium will:
- Make the estate easier to manage and give better insight into the network and the devices deployed on it. Your unit may already have a solution for this, but Information Security believes that Tanium will be both easier to use and deploy while having a powerful and useful suite of features.
- Provide vulnerability and compliance reporting for all network-connected devices.
- Make users' lives easier by providing a self-service software portal for installing the programs they need.
- Provide wide support and knowledge sharing by being deployed across the Collegiate University.
How to get started
To get onboarded, we ask the ITSS01 to submit their interest via the Network Asset Discovery Environment Survey, where the following information is required:
- The SSO Username(s) of the users that need to be added to the console.
- The role that should be granted to the user (Admin, Patch, Read-Only).
- The sub-estates that the user should have access to.
We understand that the ITSS01 for a unit may not be directly involved in the Tanium Project, and may have dedicated team members to handle the platform and any support requests around it. As such, the ITSS01 may delegate one person in each unit to act as a key departmental contact with authority to request the creation, modification and deletion of user accounts within the unit. A Delegation of Authority (DoA) request should be submitted to endpointmanagement@infosec.ox.ac.uk and our team will maintain a list of personnel who are authorised to contact us on behalf of the unit. Where significant changes are requested, we may still request the approval of the ITSS01.
After Onboarding
Once you have been onboarded, you will:
- Get access to the Tanium platform with the relevant roles and visibility. The University has integrated Single Sign-On, meaning you use your SSO to authenticate with the Tanium Cloud platform. Users will be created by OxCERT upon the request of the ITSS01. Use the button underneath 'Sign in with your corporate ID'.
- Get added to the Tanium Teams channel, where you can collaborate with other units, so feel free to come and ask questions, or have a chat.
- Be provided with appropriate training on managing the Tanium platform.
Further information and FAQs
If you have any questions or concerns, please contact OxCERT at endpointmanagement@infosec.ox.ac.uk.
The Project Team are currently in the process of onboarding units in tranches. The aim of the project is to have Tanium as the only solution for all network asset discovery within the collegiate University.
Tranche | Deployment Target | Status
---|---|---
POC Tranche (8 Units - POC Early Adopters) | March 2024 | Complete
Tranche 0 - HOK (15 Units - HOK Early Adopters) | July 2024 | Complete
Tranche 1 - FEA (10 Units - Final Early Adopters) | August 2024 | Complete
Tranche 2 - PROD (10 Units) | September 2024 | Complete
Tranche 3 - PROD (10 Units) | October 2024 | Upcoming
Tranche 4 - PROD (10 Units) | November 2024 | Upcoming
Tranche 5 - PROD (5 Units) | December 2024 | Upcoming
Upcoming plans
Plans for 2025 are yet to be finalised. Units will be selected for each tranche, comprising a diverse range of technical environments, sizes and complexities. We aim to cover most critical infrastructure by December 2024. We invite departments to register their interest early to be considered for upcoming tranches.
The Tanium platform modules available to the University are dictated by the Jisc Chest Agreement. We have a standard Higher Education bundle.
Access to the modules listed below is defined by Role Based Access Control (RBAC). If you are unable to access a specific module, you may not have been assigned the relevant permissions. The ITSS01 for your unit can request role elevation for users.
Interact
Interact is a module designed to help you ask questions about your environment. It supports a Natural Query Language, and returns fast results. For example, you can ask 'Get computer name from All Machines' and it will return the list of your endpoints and their hostnames.
Comply
Comply helps to identify and patch vulnerabilities and misconfigurations in your environment.
Deploy
Deploy allows you to install, update and uninstall software packages and bundles on your endpoints. You can target singular or multiple machines, and you can provide self-service to your users.
Discover
Discover is used for finding and reporting on assets that have been detected during the Asset Discovery process.
Patch
The Patch module gives you the ability to deploy patches within your given maintenance window. The user can select which patches to install on the target endpoint(s).
Unfortunately, the modules present within your dashboard are the only modules that are either included in our bundle or supported by us at this time.
Note: We are currently only offering Admin roles during the initial tranches. Read-Only and Patch roles will be available soon.
We offer three standard roles - Admin, Patch and Read-Only. Our general rule of thumb is that your ITSS01 and Infrastructure Engineers will be granted Admin access, and your ITSS03 staff will have Read-Only, but you can decide whichever is appropriate for your use case.
Admin
Admins are able to administer parts of your estate, including maintenance windows, deployment packages and deploy actions.
Patch
Patch users are limited to read-only operations, with the addition of being able to deploy patches to endpoints.
Read-Only
Read-Only users can view data about their estate, but not make any changes.
Unfortunately, not. Since the RBAC within Tanium is based on Computer Groups, creating additional groups would make our estate unmanageable. We operate Tanium in a similar way to Sophos, where each department is created as a single group/estate, and then we provide users access to those estates. If you need to target machines in a fashion that you feel requires a computer group, please contact endpointmanagement@infosec.ox.ac.uk as we may be able to offer alternative solutions and workarounds.
The deployment will only take place during an active maintenance window. Therefore, if an endpoint is offline during deployment/patching, it will sit in a 'waiting' state until the next maintenance window period when the patch/software will deploy.
Yes, and we will publish documentation on this site on how to do so. Please ensure that you put your unit name in front of the tag name to avoid any conflicts with other departmental tags. For example, 'infosec-newtag' rather than 'newtag'. If two departments use the same custom tag, you may lose visibility on parts of your estate, or the ability to manage that tag.
Departmental ITSS may request access to the Tanium platform to gain visibility and control over their networked endpoints. We will only approve and action user creation requests for departments that have already completed the NAD Environment Survey and have been onboarded to the platform.
Request Access
We will only accept and provision new users where the request comes from, or has been approved by, the ITSS01 for the unit, or personnel with delegated authority for the service. Where a user may require access to multiple units, approval from the ITSS01 for each unit is required. For detailed information please check on the 'How to get started' in this article.
Removal of Users
A request must be submitted to the Endpoint Management Team, endpointmanagement@infosec.ox.ac.uk, with the SSO username and sub-estate that you wish to remove from the user.
Warning
Users with no active sub-estates left, or users who have left the University, will have their accounts removed from the platform entirely. Users may be re-added at any time.
Modification of Users
When requesting that a user account is modified, we will action requests from the ITSS01 for units to modify the roles of the user within your sub-estate. Please note that we are unable to make other changes to user accounts, such as Display Name, unless the same changes have been reflected on the ITS Self-Registration site.
Tanium Support is only accessible to the OxCERT, who will be your first line of support with any queries or issues.
In most environments, this won't be necessary. However, if you are running an air-gapped environment, you may need to allow port 17472 (TCP) outbound. More details and discussion will be given during your onboarding session. Please indicate in your environment survey if you are running an air-gapped environment.
Since Tanium is an asset discovery solution, users may be concerned that their home environment will be scanned. To confirm, there are two measures in place to prevent the scanning of non-University networks.
Tanium will only scan a network if there are two managed endpoints on a subnet and both report an Oxford-owned IP address.
Tanium is configured to use 'Locations', which are defined by public IP ranges. This means that any devices outside a University IP range are ignored and are not visible to departmental units or admins. VPN subnets are also excluded from discovery, so only devices on premises are discovered.
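As an added illustration of the two scoping rules above (this is example code written for this page, not Tanium's own logic or configuration), the following Python model decides which subnets would become eligible for discovery scanning; it treats "two managed endpoints" as a minimum of two, and the address ranges, VPN subnet and hostnames are constructed placeholders rather than the University's real address space.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges: NOT the University's real address space
# or Tanium's actual Location configuration.
UNIVERSITY_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
VPN_SUBNETS = [ipaddress.ip_network("198.51.100.128/25")]
MIN_MANAGED_ENDPOINTS = 2  # the "two managed endpoints on a subnet" rule


def classify_endpoint(iface_str):
    """Return ("eligible", network) or ("ignored", reason) for one managed endpoint."""
    iface = ipaddress.ip_interface(iface_str)
    if not any(iface.ip in r for r in UNIVERSITY_RANGES):
        return ("ignored", "outside University IP range")   # e.g. a home network
    if any(iface.ip in v for v in VPN_SUBNETS):
        return ("ignored", "VPN subnet")                     # remote users are not on premises
    return ("eligible", iface.network)


def scannable_subnets(endpoints):
    """Subnets Discover would scan: those with >= MIN_MANAGED_ENDPOINTS eligible endpoints.

    endpoints: list of (hostname, "ip/prefixlen") as reported by each managed agent.
    Returns the eligible subnets as sorted strings.
    """
    counts = Counter()
    for _host, iface_str in endpoints:
        verdict, value = classify_endpoint(iface_str)
        if verdict == "eligible":
            counts[value] += 1
    return sorted(str(n) for n, c in counts.items() if c >= MIN_MANAGED_ENDPOINTS)


# Constructed sample inventory (hypothetical hostnames and addresses)
SAMPLE_ENDPOINTS = [
    ("lab-pc-01", "192.0.2.10/26"),       # on campus, eligible
    ("lab-pc-02", "192.0.2.20/26"),       # second endpoint on the same /26 -> scannable
    ("office-01", "192.0.2.130/26"),      # on campus but alone on its /26 -> not scanned
    ("vpn-laptop", "198.51.100.200/25"),  # VPN subnet -> excluded even though in range
    ("vpn-laptop2", "198.51.100.201/25"),
    ("home-pc", "10.0.0.5/24"),           # home network -> never counted or visible
    ("home-pc2", "10.0.0.6/24"),
]

if __name__ == "__main__":
    print(scannable_subnets(SAMPLE_ENDPOINTS))
```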
Please contact OxCERT, endpointmanagement@infosec.ox.ac.uk, if you would like to see a demo. We are also in the process of compiling some University-specific documentation and help videos which will be published in the near future.
Service Roles
Role | Name
---|---
Service Sponsor | Tony Brett
Service Owner | Kashif Mohammad
Service Manager | Adam Berry
Support contacts
For any queries relating to Tanium, please contact OxCERT.