Tanium's Endpoint Identity feature can share information about a device that is attempting to authenticate through Cloudflare Access, including patch status, management status, and vulnerabilities score.
Once complete, return to the Cloudflare for Teams dashboard to integrate with your Cloudflare Access account.
Cloudflare Access Configuration
Cloudflare Access relies on a secure exchange between a user's browser and the Tanium agent to read data from the Tanium client. When users attempt to connect to a resource protected by Access with a Tanium rule, Cloudflare Access will validate the user's identity, and the browser will connect to the Tanium agent before making a decision to grant access.
Integrating Tanium Identity
|You will need an active Tanium™ Core Platform deployment that runs version 7.2 or later.|
Integrate your Tanium deployment with Cloudflare Access using public keys generated in the Tanium step-by-step documentation linked above.
On the Teams dashboard, navigate to Access > Authentication.
Select the Device Posture tab.
Click +Add to start configuring the Tanium integration.
Select Tanium from the list of providers.
In the next screen, give a name to the Tanium integration.
"Tanium" will work, or, if you prefer, you can choose a more specific name.
17472for the port value.
This is the default port used by the Tanium endpoints to communicate inbound and outbound with Cloudflare Access. You may need to modify it to reflect your organization's deployment.
Input the public certificate generated in the Tanium step-by-step documentation above.
Adding the certificate allows Cloudflare to validate that the response from the Tanium agent is valid.
Building policy rules with Tanium endpoint signal
With Tanium integrated, you can build policies that enforce decisions using signal from the endpoint.
|Managed||Boolean||Validates that the device is managed in your organization's Tanium account.|
On the Teams dashboard, navigate to Access > Applications.
For example, a rule that allows users to connect if they are members of your team's email domain.
Add an additional rule that contains a Require action that includes Device Posture and choose Tanium.
The Tanium rule will require that the device connecting is managed in your Tanium deployment and has checked into the Tanium server in the last 7 days.
Save the rule.
The rule above will only allow users who are part of your team's email domain and running the Tanium agent to connect to the protected resource.