How to: Managing Tanium licenses

This Knowledge Base article describes how Tanium™ Core Platform licensing works, how to find licensing information, and how to renew a license.

Audience

This article is written for Tanium administrators who are responsible for managing the Tanium™ Server and Tanium™ Client deployment. This article assumes you have already installed the Tanium Server.

Introduction

The Tanium license controls the following settings for your deployment.

  • Maximum seats: the number of devices that count as managed computers (endpoints, workstations, and servers) because they have a Tanium Client that has registered with the Tanium Server in the last 30 days (see Used and available licensed seats)
  • Tanium solution modules, content sets, and features that you can access
  • IP address or fully qualified domain name (FQDN) used to access the Tanium™ Console
  • The license validity period (see License expiration and grace mode)

The Tanium Server installation process places the Tanium license file (tanium.license) in the installation folder (default is \Program Files\Tanium\Tanium Server). You do not need to install the license on any other Tanium Core Platform server. Making any licensing-related changes to your deployment (such as increasing the maximum seats) is simply a matter of replacing the Tanium license with a new version of the file.

Used and available licensed seats

The Tanium Server determines whether your deployment is compliant with the licensed maximum seats by subtracting the number of used seats (devices that have registered within the last 30 days) from the seat_count value (maximum seats) in the tanium.license file. To ensure that decommissioned or disconnected devices do not waste seats, the Tanium Server automatically reclaims licenses from devices that have not re-registered in the last 30 days. The Tanium Console displays a warning when device registrations exceed the maximum seats. To check the number of used and available seats, View Tanium license information.

License expiration and grace mode

The Tanium license validity period starts when Tanium generates the license, regardless of when you activate it. Your Tanium or partner account team will contact the procurement department of your organization well before the license expires to start the renewal process. However, if unexpected events stop you from renewing before the license expires, the Tanium Console alerts you that the system is in grace mode.

To check the license validity period and the number of days before expiration, View Tanium license information. To renew your Tanium license, replace the Tanium license.

View Tanium license information

You can use the Tanium Console to verify the seat usage, validity period, authorized features, and Tanium Servers associated with your Tanium license; no independent license metric tool or compliance reports are required.

  1. Log into the Tanium Console.
  2. Display the number of used seats and list the managed computers by computer name.
    1. From the Main menu, select Administration > System Status.
    2. In the Show systems that have reported in the last fields, set the quantity to 30 and the duration units to Days. The Items field then shows the number of used seats. If the number does not match what you expect, see Tanium license troubleshooting: alerts and common issues.
  3. Access the info page (https://<tanium_server>/info) and go to the Settings section to see all other licensing information.
    • Maximum licensed seats (licensed_seat_count). The number of available (unused) seats is the licensed_seat_count minus the number of used seats.
    • Number of days before the license expires (licensed_days_left).
    • Authorized features, license validity term (days), and expiration date (expire) are listed in the licensed_features field.
    • IP addresses or FQDNs of the Tanium Servers that the license authorizes (licensed_server_name).

Replace the Tanium license

Perform the following steps to replace the license on a Tanium Server. As a best practice in a high availability (HA) deployment, replace the license on each Tanium Server in case one server becomes unavailable for a long time.

  1. Contact your Tanium or Tanium partner account team for a new license. You must provide the FQDN or IP address of the physical or virtual device that hosts the Tanium Server. The account team will process the request and return a tanium.license file.
  2. Rename the current Tanium license to save it as a backup. As a best practice, include the current date in the filename (such as tanium.license_2018-7-27) in case you repeat this procedure at a later date.
  3. Copy the new Tanium license to the same folder as the original license.
  4. Optionally, restart the Tanium Server service to activate the new license immediately. Otherwise, the Tanium Server automatically activates the new license within a minute.

If an error or alert displays after you install the license and log into the Tanium Console, see Tanium license troubleshooting: alerts and common issues.

Tanium license troubleshooting: alerts and common issues

The following table lists alerts and common issues related to the Tanium license. If conditions trigger an alert, the Tanium Console displays it whenever you log in. You can also see the alerts in the Tanium Server logs (default location is \Program Files\Tanium\Tanium Server\Logs). Note that the following corrective actions are independent options to consider, not sequential steps.

Table 1:   Tanium license alerts and common issues

Issue/Alert

Corrective Actions

Common issue: Tanium Server unreachable

The Tanium Console displays an error indicating the Tanium Server that you logged into is not licensed. This commonly occurs because you accessed a URL that does not match a Tanium Server hostname specified in the license. The error message indicates which Tanium Servers are licensed. For example: The current server name ‘ts3.example.com’ is not licensed. Licensed Servers: localhost, 127.0.0.1, ts1.example.com, ts2.example.com.

  • Browse to the correct URL that the license specifies for the Tanium Server (see View Tanium license information). For example, if the hostname is tanium.organization.com, use the URL https://tanium.organization.com or https://tanium.organization.com:8443, depending on the port used for access.

Note: You cannot access the Tanium Console through URLs such as https://localhost or https://tanium even if those addresses are valid on the internal network.

  • If the license specifies the wrong Tanium Server, ask your Tanium technical account manager (TAM) for a new license for the correct server and then replace the Tanium license.

Common issue: Tanium features unavailable

Some Tanium features that you expected to access are unavailable. This can happen if you:

  • Activated the wrong license.
  • Accessed the wrong Tanium Server.
  • Renamed or moved the license file.
  • Did not wait for long enough (one minute) for the license to activate after you replaced the license.
  • Verify that the license file has the correct name and is in the Tanium Server installation folder (default is /Program Files/Tanium/Tanium Server/tanium.license).
  • Restart the Tanium Server service to activate the license immediately.

Common issue: higher than expected used seat count

On the Tanium Console, the Administration > System Status page and https://<Tanium_Server>/info page might display a higher than expected number of used seats (client count) for several reasons:

  • The Tanium Server considers each distinct computer name as a different managed computer. Names like computer_name and computer_name.some_company.com would count as two seats.
  • Older versions of the Tanium Client might intermittently report both FQDN names and non-FQDN names, and report localhost or null as managed computers.
  • Non-persistent virtual machines might instantiate with unique names whenever they are initialized, which can inflate the seat count.

If necessary, consult your TAM about replacing the Tanium license with one that supports more managed computers.

Note: In the Administration > System Status page, if the Filter by Client Version section includes version 0.0.0.0, clear the check box for that version; it is an artifact that the Tanium Server does not count towards the maximum seats.

Alert: license expired

  • The Tanium Console displays an alert indicating the license is in grace mode (see License expiration and grace mode). The alert indicates the number of days since the license expired and the number of days remaining in the grace period.
  • The Tanium Console displays an alert indicating the license is expired and the grace period is over.

Replace the Tanium license.

Alert: maximum licensed seats exceeded

  • The number of used seats exceeded the licensed maximum by up to 10 percent within the last 30 days. The Tanium Console displays a warning, and indicates the current number of Tanium Clients and licensed seats.
  • The number of used seats exceeded the licensed maximum by more than 10 percent. The Tanium Console displays a warning, indicates the current number of Tanium Clients and licensed seats, and directs you to contact your TAM.
  • Wait for the Tanium Server to reclaim unused seats from managed computers that have not re-registered within the last 30 days.
  • Contact your TAM for a new license that supports more seats and then replace the Tanium license.

 

Have more questions? Submit a request