IT Service Center Administration Guide - Tanium Documentation
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
IT Service Center Administration Guide Version 1.24.0 March 03, 2022
The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages. Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Please visit https://docs.tanium.com for the most current Tanium product documentation. This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium. Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights. Tanium is committed to the highest accessibility standards for our products. To date, Tanium has focused on compliance with U.S. Federal regulations - specifically Section 508 of the Rehabilitation Act of 1998. Tanium has conducted 3rd party accessibility assessments over the course of product development for many years and has most recently completed certification against the WCAG 2.1 / VPAT 2.3 standards for all major product modules in summer 2021. In the recent testing the Tanium Console UI achieved supports or partially supports for all applicable WCAG 2.1 criteria. Tanium can make available any VPAT reports on a module-by- module basis as part of a larger solution planning process for any customer or prospect. As new products and features are continuously delivered, Tanium will conduct testing to identify potential gaps in compliance with accessibility guidelines. Tanium is committed to making best efforts to address any gaps quickly, as is feasible, given the severity of the issue and scope of the changes. These objectives are factored into the ongoing delivery schedule of features and releases with our existing resources. Tanium welcomes customer input on making solutions accessible based on your Tanium modules and assistive technology requirements. Accessibility requirements are important to the Tanium customer community and we are committed to prioritizing these compliance efforts as part of our overall product roadmap. Tanium maintains transparency on our progress and milestones and welcomes any further questions or discussion around this work. Contact your sales representative, email Tanium Support at support@tanium.com, or email accessibility@tanium.com to make further inquiries. Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners. © 2022 Tanium Inc. All rights reserved. © 2022 Tanium Inc. All Rights Reserved Page 2
Table of contents
About this documentation 10
IT Service Center overview 11
Manage cases and take action 11
Manage real-time asset data in CMDB 11
Configuration items 11
Configuration item classes 12
Tanium Cloud 12
More information 12
Work.com overview 12
About Employee Workspace 12
More information 12
About Employee Concierge 13
More information 13
Supported languages 13
Succeeding with IT Service Center 14
Step 1: Gain organizational effectiveness 14
Step 2: Configure Tanium Cloud identity provider 14
Step 3: Configure Tanium Cloud platform settings 15
Step 4: Configure client security exceptions 15
Step 5: Deploy Tanium Client 15
Step 6: Configure user group in Tanium 15
Step 7: Install IT Service Center and required prerequisites 15
Step 8: Connect IT Service Center to Tanium Cloud 15
Step 9: Configure users and permissions in Salesforce 16
Step 10: Update Salesforce configurations 16
Step 11: Administer IT Service Center 16
Configure Tanium for IT Service Center 17
© 2022 Tanium Inc. All Rights Reserved Page 3
Components overview 17
Prerequisites 17
Configure SAML identity provider for Tanium Cloud 18
More information 18
Configure platform settings in Tanium Cloud 18
Configure client security exceptions 19
Deploy Tanium Client 19
More information 19
Configure IT Service Center user group 19
More information 20
Configure Tanium permissions 20
Configure Tanium Map and create application service maps 20
Configure development, QA, and production instances for IT Service Center 21
Install IT Service Center 22
Required editions 22
User permissions 22
Before you begin 22
Install and configure Employee Workspace 22
Required before you install IT Service Center 23
Required before go live 23
Optional 23
Install and configure Employee Concierge 23
Required before you install IT Service Center 23
Required before go live 24
Optional 24
Install the IT Service Center package 24
Verify IT Service Center installation and auto-configuration 26
Upgrade IT Service Center 28
Before you begin 28
Install IT Service Center 28
© 2022 Tanium Inc. All Rights Reserved Page 4
Upgrade Tanium Cloud 28
Update 1.20 to 1.24 configurations 28
Track case origin 28
Assign ITSC - Request page layout 28
Update ITSC - Request Record Page lightning record page 29
Remove unused Asset fields 29
Review and assign user permissions 29
New and changed permission sets and permission set groups 29
Update permission sets and permission set groups 29
Connect with Tanium Cloud 31
Add Tanium Cloud as a remote site 31
Connect to Tanium Cloud from Salesforce 31
Authenticate the service user 31
Authenticate the current user 31
Configure Tanium data synchronization 32
Configure Salesforce for IT Service Center 33
Assign IT Service Center permissions 33
Meet the IT Service Center personas 33
Add IT Service Center users 33
Update default profiles 34
Create and assign user permissions in Salesforce 34
IT Service Center permission sets 38
IT Service Center permission set groups 39
IT Service Center User 39
IT Service Center Admin 39
IT Service Center Config Manager 40
IT Service Center Employee Requester 40
Update Salesforce configurations 40
Update organization-wide defaults and sharing rules 40
Assign record types to case lightning record pages 41
© 2022 Tanium Inc. All Rights Reserved Page 5
Assign record types to asset lightning record pages 42
Edit case lightning record pages to add custom CI details 42
Add quick actions to case pages for creating known error and service knowledge 43
Add buttons to case pages for creating known error and service knowledge 43
Customize Asset page layout 43
Remove buttons from Asset page layout 44
Add new configuration item button to Asset list view page 44
Add new configuration item button to Asset search layout 44
Set up email for automatic ticket creation 44
Create publishing workflows for known errors and service knowledge 44
Configure major incident actions 45
Add Actions & Recommendations to the ITSC - Major Incident Page lightning record page 45
Configure actions 45
Configure emails 45
Review flows 46
More information 46
(Optional) Add announcements component to ITSC page layouts 46
(Optional) Customize Milestones, Queues, Assignment Rules, and Approvals 46
(Optional) Customize labels 47
Example 47
(Optional) Audit field history 47
Enable history tracking on an object 47
More information 48
Create report to view audit history 48
Update asset lightning record pages to view audit history 48
Add history related list to the asset layout 48
Add related list object to ITSC - Managed Asset Layout 48
(Optional) Enable problem cases to have multiple root causes 49
Add root causes related list to the problem page layout 49
Add related list object to ITSC - Problem Record Page 49
© 2022 Tanium Inc. All Rights Reserved Page 6
Customize Employee Workspace 50
Customize Incident ticket creation for Employee Concierge 50
Add ticket category picklist values 50
Add a quick action and optional fields to the Contact object 50
Add the custom metadata type for the Incident ticket category 51
Add announcement component to Employee Workspace 51
(Optional) Customize Employee support ticket fields in the community 51
Add request menus to Employee Workspace 52
Administer IT Service Center 53
View and customize dashboards 53
View IT Agent dashboard 53
Customize dashboards 53
Configure associations 54
Enable automatic problem generation 54
Disable associations for a case or asset status 54
Configure case timings 54
Update timing settings 54
Update change management settings 55
User permissions 55
Customize change calendar 55
Customize risk scores 56
Manage CMDB configuration items 58
User permissions 58
Configure CMDB data retention and synchronization 58
View configuration items 58
Asset Record Type field 58
View and update CI relationships 59
View configuration item classes 59
Customize fields on configuration item classes 59
Add fields to CI class 59
© 2022 Tanium Inc. All Rights Reserved Page 7Remove fields from CI class 60
Store custom CMDB fields in Salesforce 60
Import custom configuration items 60
Download and update custom configuration items 61
Edit or delete single configuration items 61
Create single custom configuration items 61
Resolve duplicate configuration items 62
Create request menus 62
User permissions 63
Before you begin 63
Create a request menu 63
Create request menu items 63
View all request menus 65
Assign sharing rules 65
(Optional) Customize request menu item picklists 65
View cases that were created from request menus 65
Request menu objects 65
Create announcements 67
User permissions 67
Create an announcement 67
View and edit announcements 67
(Optional) Modify case templates 67
Customize standard templates 67
Create custom case templates 68
Set default templates 68
Automate IT Service Center with flows 68
Default flows 68
Flow actions 69
Create an IT Service Center flow 70
More information 70
© 2022 Tanium Inc. All Rights Reserved Page 8Troubleshoot IT Service Center 71
Collect logs 71
Configure logging 71
View case actions 71
View log recordings 71
Example 71
Troubleshoot issues 71
Test connection to Tanium 72
Error: Unauthorized endpoint error 72
Cause: 72
Solution: 72
Error: No authentication is configured 73
Cause: 73
Solution: 73
Error: Non 200 response code returned 401 73
Cause: 73
Solution: 74
Error: Non 200 response code returned 403 75
Cause: 75
Solution: 75
Error: Current user authentication token is missing 75
Cause: 75
Solution: 75
Contact support 76
Reference: Case layouts 77
Incident 77
Major incident 78
Change 79
Problem 80
Request 81
© 2022 Tanium Inc. All Rights Reserved Page 9About this documentation This document is for Version 1.24.0. To download the IT Service Center Administration and User Guides, see IT Service Center Documentation. © 2022 Tanium Inc. All Rights Reserved Page 10
IT Service Center overview
With IT Service Center, you can streamline IT support operations by consolidating IT ticketing and tasks into a single location.
Available in: Lightning Experience
Available in: Enterprise and Unlimited editions
IT Service Center is available as an add-on license.
Manage cases and take action
IT Agents can resolve support tickets more quickly by deploying common actions without leaving IT Service Center. These actions
include:
l Reviewing performance events
l Terminating processes
l Starting or stopping system services
l Restarting the computer
l Installing, updating, or removing software
For example, if a user opens a support ticket that requires a software update, the IT Agent can deploy the update to the user's asset
with a few clicks directly from IT Service Center. IT Agents can also create a deployment that pushes the same software update to
other assets, reducing the possibility of duplicate tickets being opened by other users for the same issue.
Manage real-time asset data in CMDB
Use the Configuration Management Database (CMDB) integration from Tanium with IT Service Center to manage and store real-time
configuration items or components related to IT services. Configuration Items (CI) are components that must be managed to deliver
an IT service. By defining a central source of truth for CIs, IT agents and configuration managers can improve service management,
reduce time spent on change management, and improve auditing, security and compliance.
Configuration items
A configuration item is associated with an asset, is governed by IT, and is used for an IT service.
A configuration item can be a Tanium Managed CI or a Tanium Custom CI. Tanium Managed CIs are an asset that has the Tanium
Client installed. The information about Tanium Managed CIs comes from the CMDB service in Tanium. You can create Tanium
Custom CIs in Salesforce for additional CIs that were not found in Tanium, and these are synchronized with the CMDB on a regular
basis.
© 2022 Tanium Inc. All Rights Reserved Page 11Configuration item classes
A configuration item class is a predefined categorization for a configuration item that comes from Tanium, for example, an
application, business process, or endpoint.
Tanium Cloud
The ability to take actions on end user computers is enabled by a connection from IT Service Center with Tanium Cloud.
The Tanium platform provides visibility and control of your endpoints. In Tanium, an endpoint is any computer or server on which
you can install and run the Tanium Client service. In response to your standard or ad-hoc queries, Tanium can discover and report,
within seconds, both static and dynamic real-time data pertaining to the endpoint. In addition to getting data about your endpoints,
you can deploy actions to manage and secure your environment.
The operations in the IT Service Center are run by API calls to Tanium Cloud, which includes the Tanium™ Discover, Tanium™
Deploy, Tanium™ Map, Tanium™ Interact, and Tanium™ Performance modules. Selected data about Tanium endpoints is stored in
Salesforce as Asset objects. To see information about Tanium-managed endpoints in Salesforce, you can view them as Assets.
MORE INFORMATION
l Tanium Discover User Guide
l Tanium Deploy User Guide
l Tanium Map User Guide
l Tanium Interact User Guide
l Tanium Performance User Guide
Work.com overview
IT Service Center is part of the Work.com suite of solutions. Work.com is the complete employee experience platform for the work-
from-anywhere world. Work.com is built on top of the Salesforce Platform and enables employees to be successful from anywhere
they work.
When you purchase IT Service Center, you also get Employee Workspace and Employee Concierge. These products enable
employees to open cases that get sent to IT Agents in IT Service Center.
About Employee Workspace
With Employee Workspace, you can give your employees an integrated experience and enable employee productivity and
collaboration. Employee Workspace provides a central hub for tools and resources your employees need to work from anywhere.
MORE INFORMATION
Work.com Docs: Employee Workspace
© 2022 Tanium Inc. All Rights Reserved Page 12About Employee Concierge
Employee Concierge is an extension to Employee Workspace that includes a searchable knowledge base and ticketing system, so
employees can find solutions and get support when they need it.
MORE INFORMATION
Work.com Docs: Employee Concierge
Supported languages
The IT Service Center user interface is translated into the following languages:
l Chinese - Simplified: zh_CN
l Chinese - Traditional: zh_TW
l Dutch: nl
l French: fr
l German: de
l Italian: it
l Japanese: ja
l Korean: ko
l Portuguese (Brazil): pt_BR
l Spanish: es
© 2022 Tanium Inc. All Rights Reserved Page 13Succeeding with IT Service Center Follow these best practices to achieve maximum value and success with IT Service Center. These steps align with the key benchmark metrics: Mean Time to Resolve (MTTR), SLA Compliance Rate, Tickets Automatically Resolved, and Actions Taken From Tickets. Step 1: Gain organizational effectiveness Complete the key organizational governance steps to maximize IT Service Center value. For more information about each task, see the IT Service Center User Guide. ☐ Develop a dedicated change management process. ☐ Define distinct roles and responsibilities in a RACI chart. ☐ Validate cross-functional organizational alignment. ☐ Track operational metrics. Step 2: Configure Tanium Cloud identity provider ☐ Choose and configure SAML 2.0 compliant identity provider for Tanium Cloud. See Configure SAML identity provider for Tanium Cloud on page 18. © 2022 Tanium Inc. All Rights Reserved Page 14
Step 3: Configure Tanium Cloud platform settings
☐ Configure platform settings. See Configure platform settings in Tanium Cloud on page 18.
Step 4: Configure client security exceptions
☐ Configure client security exceptions. See Configure client security exceptions on page 19.
Step 5: Deploy Tanium Client
☐ Install the Tanium Client on any computers you want to manage with IT Service Center. See Deploy Tanium Client on page 19.
Step 6: Configure user group in Tanium
☐ Configure a user group in Tanium Cloud for the ITSC Agent users of IT Service Center. See Configure IT Service Center user
group on page 19.
Step 7: Install IT Service Center and required prerequisites
Before you install the IT Service Center Managed package in your Salesforce org, you must install and configure
Employee Workspace and Employee Concierge.
☐ Install and configure Employee Workspace and Employee Concierge. See Install and configure Employee Workspace on page
22 and Install and configure Employee Concierge on page 23 for required setup at both initial configuration and go live phases.
☐ Use the Work.com installer to install and automatically complete some configuration for the IT Service Center managed
package. See Install IT Service Center on page 22.
☐ If you are upgrading from a previous release, additional manual steps are required to update page layouts. See Upgrade IT
Service Center on page 28.
Step 8: Connect IT Service Center to Tanium Cloud
☐ In IT Service Center, connect to Tanium Cloud to pull information and operate on the end user devices with your IT Service
Center org. See Connect with Tanium Cloud on page 31.
© 2022 Tanium Inc. All Rights Reserved Page 15Step 9: Configure users and permissions in Salesforce ☐ Manage IT Service Center configurations such as the dashboard, change management settings, and CMDB items. See Assign IT Service Center permissions on page 33. Step 10: Update Salesforce configurations ☐ Update page layouts and lightning record pages to support IT Service Center functions. See Update Salesforce configurations on page 40. ☐ Create publishing workflows for known errors and service knowledge. See Create publishing workflows for known errors and service knowledge on page 44. Step 11: Administer IT Service Center ☐ Track IT Service Center metrics on the dashboard. See View and customize dashboards on page 53. ☐ Update change management settings, which include calendar settings and risk score calculations. See Update change management settings on page 55. ☐ Add configuration items. By default, configuration items are imported from the CMDB service that is hosted in Tanium Cloud, but you can add other configuration items that are synced between Salesforce and the CMDB. See Manage CMDB configuration items on page 58. © 2022 Tanium Inc. All Rights Reserved Page 16
Configure Tanium for IT Service Center
Details about your initial administrator user for Tanium Cloud are included in a welcome email. To use IT Service Center, configure
an identity provider for your Tanium Cloud instance, assign user permissions to IT Agents, and install the Tanium Client on the
computers that you want to manage.
Components overview
The following diagram shows the interaction between IT Service Center and Tanium Cloud.
Prerequisites
l Tanium Cloud URL and account information that you received when you purchased IT Service Center
l Salesforce org URL
l Work.com license
l List of IT agent user email addresses (required for integration with IT Service Center)
l Active Directory
Active Directory is required to automatically associate users and endpoints.
© 2022 Tanium Inc. All Rights Reserved Page 17Configure SAML identity provider for Tanium Cloud
You must set up one of the following SAML 2.0 compliant identity providers with your Tanium Cloud instance:
l General
l OneLogin
l Auth0
l Duo Access Gateway
l Configuring Azure AD for Tanium Cloud
l Configuring Okta for Tanium Cloud
l Configuring AD FS for Tanium Cloud
l Configuring Oracle Identity Cloud Service for Tanium Cloud
l Configuring PingFederate for Tanium Cloud
l Configuring Google Cloud Identity for Tanium Cloud
l Configuring Salesforce for Tanium Cloud
More information
Tanium Cloud Deployment Guide: Getting started
Configure three Salesforce orgs with IT Service Center: Development, QA, and Production instances. Using Salesforce
as a SAML provider could cause issues when switching between these orgs, so it is not recommended.
Configure platform settings in Tanium Cloud
Enable connections from Tanium to your Salesforce instance.
1. From the Tanium Cloud instance (logged in as an administrator), click Administration > Platform Settings.
2. For console_trustedAuthOrigin, enter your Salesforce ITSC URL org address (example:
https://yoursite.lightning.force.com). If you have multiple environments, you can use a comma-separated list of
URLs.
3. Click Save.
© 2022 Tanium Inc. All Rights Reserved Page 18Configure client security exceptions
l Configure firewall policies to open ports 17472 and 17486 for Tanium traffic, with TCP-based rules rather than application
identity-based rules.
l Configure open communication on ports 17472 and 17486 on all endpoints, so that they can communicate with each other
and Tanium Cloud.
l Configure exceptions for any security software on endpoints, such as antivirus tools, to prevent the tool from scanning the
Tanium process and interfering with Tanium Client activities.
Deploy Tanium Client
To enable your Tanium Cloud instance to communicate with your endpoints, install the Tanium Client on the Windows, Mac, and
Linux systems that you want to manage.
While you can complete this step later in the configuration process, if you proceed through the configuration steps
without any Tanium Clients installed, errors are displayed in the Tanium Cloud instance and no assets are displayed
in IT Service Center.
To get started with installing and deploying the Tanium Client, see the Tanium documentation. You can use any software
deployment tool to deploy the Tanium Client, including Tanium.
If you already have a tool that you are using for software deployments, use that tool for your initial deployments of
the Tanium Client.
When the Tanium Client is installed on your assets and reporting to your Tanium Cloud instance, you can start to see asset
information, manage performance, and deploy software to the endpoints from within the IT Service Center.
After you have a few Tanium Clients deployed, you can use Tanium Discover to look for unmanaged devices and determine whether
additional endpoints exist in the environment that also need the Tanium Client installed.
To improve discovery, deploy Tanium Client to a few endpoints before proceeding with the configuration.
More information
Tanium Client Management User Guide: Downloading Tanium Client
Tanium Discover User Guide
Configure IT Service Center user group
Configure a user group in Tanium for the ITSC Agent users of IT Service Center. For more information about creating user groups and
assigning users, see the Tanium documentation.
© 2022 Tanium Inc. All Rights Reserved Page 19You must give access to the user that is listed as the Primary Tanium Admin Username in your welcome email from
Tanium. The Primary Tanium Admin is the only user that is created during the provisioning process. You can create
more users in Tanium with this user or other delegated users.
1. In your Tanium Cloud instance, create an ITSC Agents user group.
2. Assign the following roles to the user group:
l API Gateway User
l Atlas Operator
l Deploy Operator
l Discover Operator
l Map Operator
l Interact Power User
l Performance Operator
3. Assign users to the ITSC Agents user group. The email address of the users must be identical to the user email addresses in
IT Service Center. Save your changes.
More information
Tanium Console User Guide: Managing user groups
Configure Tanium permissions
You can set permissions in Tanium to allow only certain users to have access to computer groups, modules, and so on. For example,
if a user attempts to deploy software to a computer that is in a computer group to which they do not have access, the deployment
job fails.
For more information about Tanium permissions, see Tanium Console User Guide: RBAC Overview.
Configure Tanium Map and create application service maps
To view CI relationships in IT Service Center, you must set up Map endpoint tools and configure an application service map.
1. Deploy the Map tools to your endpoints. By default, Map tools are installed only to server operating systems, including
variants of Windows Servers and Linux systems. You must prepare these endpoints with the correct tool sets and set up the
Map action group. For more information, see Tanium Map User Guide: Configuring Map.
2. Create an application service map. An application service is a logical grouping of software, devices, and network traffic. For
© 2022 Tanium Inc. All Rights Reserved Page 20more information, see Tanium Map User Guide: Mapping application services.
3. After you create an application service map, the data you configured will flow to your CI relationships during the next CMDB
data synchronization.
Configure development, QA, and production instances for IT Service Center
You can configure multiple Salesforce environments to use for development, quality assurance (QA), and production that connect to
a single Tanium Cloud instance. If you set up multiple Salesforce environments:
l Use computer groups in Tanium to identify endpoints that only exist in the dev and QA environments. Set up a computer
group for development endpoints and a computer group for QA endpoints. For more information, see Tanium Console User
Guide: Managing computer groups.
l Use role-based access control (RBAC) in Tanium to configure user accounts that can only perform actions on the endpoints
that you assigned to the dev and QA environments.
l Use different Administrator accounts for each Salesforce org to avoid confusion.
l Run tests in the Dev and QA orgs to confirm expected functionality before porting to production.
© 2022 Tanium Inc. All Rights Reserved Page 21Install IT Service Center
Use the Work.com installer to install and automatically complete some configuration for the IT Service Center managed package.
Then, follow the prompts to complete the manual, post-installation setup steps.
Required editions
Available in: Lightning Experience
Available in: Enterprise and Unlimited editions
IT Service Center is available as an add-on license.
User permissions
User Permissions Needed
To configure installed packages: Customize Application
Before you begin
l Consider setting up multiple Salesforce orgs for development, quality assurance, and production environments. See
Configure development, QA, and production instances for IT Service Center on page 21.
l Sign into your Salesforce org URL with administrative credentials that were provided in your welcome email.
l Configure an allowlist in your Salesforce org. If any IP address restrictions exist in your org or profile, you might need to edit
your settings before installing this package. Confirm the Salesforce installer IP addresses aren’t within any restricted ranges,
or add them to an allowlist:
o 18.214.2.206
o 3.89.46.237
o 52.201.65.75
o 52.2.53.142
You can remove these IP addresses from your allowlist when installation completes.
Install and configure Employee Workspace
Employee Workspace is a required prerequisite for IT Service Center. For more information about Employee Workspace, see
Work.com docs: Employee Workspace.
© 2022 Tanium Inc. All Rights Reserved Page 22Required before you install IT Service Center
l Configure my domain
l Enable digital experiences
l Install Employee Workspace
l Set up Employee Workspace Admin
Required before go live
l Configure field access settings on the Employee object
l Assign Employee Workspace user permission sets
l Create and link employees and users
l Activate your Employee Workspace site
l Publish your Employee Workspace site
Optional
l Brand your org
l Add Employee Workspace Admins
l Add connected apps
l Add search to your pages
l Customize navigation bar and news banner
l Create your branded app for Employee Workspace
Install and configure Employee Concierge
Employee Concierge is a required prerequisite for IT Service Center. You must install and configure Employee Workspace before you
install Employee Concierge. For more information about Employee Concierge, see Work.com docs: Employee Concierge.
Required before you install IT Service Center
l Install Employee Concierge
l Assign Employee Concierge permissions to Employee Workspace Admin
l Enable knowledge access for knowledge authors
© 2022 Tanium Inc. All Rights Reserved Page 23Required before go live
l Assign Employee Concierge user permissions
l Add custom fields to knowledge page layout
l Make custom fields for knowledge articles visible
l Add tickets page to your Workspace site
l Add a knowledge page to your Workspace site
l Add new tickets component to the Workspace site
l Manage person accounts and employee records
l Create ticket categories (See: Customize Incident ticket creation for Employee Concierge on page 50)
Optional
l Assign record types to system admin profile
l Assign record types to IT Agent profile
l Update your My Tickets page
l Configure Employee Concierge ticket assignment
l Set up Agent desk App
l Prepare your team and customize Concierge
Install the IT Service Center package
The account that is used to deploy the IT Service Center package will be the administrator that is attached to the created/modified
by fields in the Salesforce interface.
1. Navigate to this URL in your browser: https://install.work.com/products/itsc
You must have the IT Agent and ITSC Endpoint add-on licenses for IT Service Center to install in your org.
The Salesforce installer service is used only for the installation and initial configuration of the IT Service
Center package.
2. Click the IT Service Center tile.
3. Click Install and Configure IT Service Center. If you already installed IT Service center, there is also an option to Configure IT
Service Center.
4. Click Log In to Start Pre-Install Validation.
5. Select your org type. Enter your Salesforce username and password.
© 2022 Tanium Inc. All Rights Reserved Page 246. Click Allow to run the pre-installation validation.
7. In the Connected to Salesforce box, confirm that you’re logged in to the correct org. If the pre-install validation fails, use the
error messages in the installer to troubleshoot and complete the pre-installation requirements in your org. When you’re ready,
return to the installer URL and try again.
8. Review the list of customizations the installer makes in your org.
Do not clear the recommended settings for optional items.
9. Click Install. Click Confirm to accept the terms of use. During installation, your user is assigned the IT Service Center App
Administrator permissions that are needed to configure and manage the org.
10. Click View Org to return to your Salesforce instance after the installation is complete.
11. To verify the installation, look for IT Service Center in the App launcher.
If you see a warning: Current User Authentication token is missing, you can ignore the warning and resolve it
when you configure the connection to Tanium Cloud.
Follow the prompts throughout the Salesforce Help topics to complete the post-installation configuration.
The Salesforce installer service is available in English, Japanese, French, German, Spanish, and Dutch.
© 2022 Tanium Inc. All Rights Reserved Page 25Verify IT Service Center installation and auto-configuration
See what is customized in your org when installing the IT Service Center packages. To verify these configuration items, go to Setup
in your Salesforce org.
Installation Step Name What it Does and Verification Steps
Enable Omni-Channel Enables Omni-Channel settings to enable routing of work items to IT Agents based on their skill sets. To verify
the Omni-Channel Settings is enabled, go to Setup.
Enable Entitlements for Case Enables customers to set up SLAs for case milestones, such as how long it takes to initially respond to or
Milestones resolve a case.
To verify milestones were created, go to Setup and look at Milestones.
Enable Creation of List Settings Turns on creation of List Settings in the organization. To verify, go to Setup > Administration > Data > Schema
Settings and verify that Manage list custom settings type is enabled.
Enable Translation Workbench Turns on translation workbench in Salesforce to enable translated UI content. To verify, go to Setup > User
Interface > Translation Workbench > Translation Language Settings.
Add Case Status Picklist Values Creates status values for cases. To verify, go to the Case object in Object manager, view Fields & Relationships
and look at the Status field.
Do not update these picklist values.
Add Case Origin Picklist Values Adds origin options for case objects. To verify, go to the Case object in Object manager, view Fields &
Relationships and look at the Case Origin field.
Add Asset Status Picklist Values Adds status options for asset objects. To verify, go to the Asset object in Object manager, view Fields &
Relationships and look at the Status field.
Install IT Service Center Installs the IT Service Center package.
Managed Package
Create IT Service Center Deploys known error and service knowledge record types and deploys the IT Service Center Knowledge
Knowledge Extensions permission set.
Create IT Service Center Creates the permission sets, and then adds them to permission set groups for IT Service Center. To use these
Permission Sets and permissions, you must manually assign users to the permission set groups. For a list of permission set groups
Permission Set Groups and permission sets, see Assign IT Service Center permissions on page 33.
To verify the permissions and permission set groups were created, go to Setup and look at Permission Sets and
Permission Set Groups.
Deploy Case and Asset Layouts Assigns the case and asset compact layouts and record layouts for standard user and admin profiles.
© 2022 Tanium Inc. All Rights Reserved Page 26Installation Step Name What it Does and Verification Steps
Enable Path Assistant for Case Creates paths for change, incident, problem, and request case record types. To verify, open Path Settings in
Setup and confirm that case records are created for Case Status Change, Case Status Incident, Case Status
Major Incident, Case Status Problem, and Case Status Request.
Deploy Case Management l Creates the following queues to prioritize, distribute, and assign records to teams who share workloads for
Queues and Change Approval change approvals (CAB) and case management. You must assign users or groups to each queue:
Board (CAB) Approval Process
o ITSC - Case Management - Default
o ITSC - Case Management - Escalation
o ITSC - Case Management CAB
l Creates the ITSC - Change Approval process, which defines the business processes around approving
change case types.
To verify queues are created, open Queues in Setup and confirm that the queues were created.
(Optional) Grant access to IT Creates the IT - Agent, IT - Case Management, and IT - Configuration Manager dashboards.
Service Center Reports and
Dashboards
Run Migration Job Migrate configuration changes to match current IT Service Center data model.
Add Case Template Picklist Adds picklist options for case template objects. To verify, go to the Object Manager > Case Template object >
Values Fields & Relationships. Look at the Type field.
© 2022 Tanium Inc. All Rights Reserved Page 27Upgrade IT Service Center
Before you begin
Verify that the administrator account that you are using to perform the upgrade has the IT Service Center Admin permission set
group assigned, along with Knowledge User feature license.
Install IT Service Center
The Work.com installer also performs upgrades, if you already have IT Service Center installed in your org. The Run Migration Job
step makes updates to your existing org as necessary for the upgrade. For more information about installing, see Install IT Service
Center on page 22.
Upgrade Tanium Cloud
Tanium Cloud is a fully-managed environment, so no manual upgrades are required. The Tanium Core Platform and products are
automatically configured and maintained, so that you can focus on using Tanium to manage endpoints.
Update 1.20 to 1.24 configurations
When you upgrade IT Service Center, page layouts are not automatically updated. You also must review the changes to user
permissions and validation rules.
For screenshots of the case page layouts from this release, see Reference: Case layouts on page 77.
Track case origin
The Source field now tracks if a case got created from an association, another case, or a case template. You can add this field to any
case page or use it to create reports on how cases were created.
Assign ITSC - Request page layout
Assign the ITSC - Request Layout page layout to the case object for request record types.
1. From Object Manager, go to Case > Case Page Layouts > Page Layout Assignment.
2. Click Edit Assignment.
3. For the profiles you want to use with IT Service Center (for example: Standard User and System Administrator), select the cells
for the Request column.
4. For Page Layout To Use, select ITSC - Request Layout. Save your changes.
© 2022 Tanium Inc. All Rights Reserved Page 28Update ITSC - Request Record Page lightning record page
1. From Object Manager, go to Case > Lightning Record Pages > ITSC - Request Record Page. Click Edit
2. In the Lightning App Builder, click Activation..
3. Click App, Record Type, and Profiles.. tab, then Assign to Apps, Record Types, and Profiles.
4. Select IT Service Center.
5. For the Record Type, choose Request.
6. Select the profiles you want to use with IT Service Center (for example: Standard User and System Administrator).
Remove unused Asset fields
The following fields are no longer in the managed package. You can remove these fields if you are not using them:
Asset.Processor__c, Asset.CpuConsumption__c, Asset.TotalDiskSpace__c, Asset.DiskConsumption__
c, Asset.Ram__c, Asset.MemoryConsumption__c, Asset.WirelessNetworks__c, Asset.DiskEncryption_
_c
Review and assign user permissions
IT Service Center introduces the following new permissions and permission sets. For more information, see Assign IT Service Center
permissions on page 33.
New and changed permission sets and permission set groups
l IT Service Center Request Menu Admin permission set: Provides IT Service Center Administrator persona with the ability to
create request menus and request menu items for frequently opened case patterns.
l IT Service Center Request Menu Requester permission set: Provides employee persona with the ability to create request and
incident cases from a request menu.
l IT Service Center Request Menu Manager permission set group: Contains the IT Service Center Request Menu Admin
permission set.
Update permission sets and permission set groups
1. Edit the IT Service Center Employee Requester permission set group to add the IT Service Center Request Menu Requester
permission set.
2. Edit the IT Service Center User permission set group to include the following permission set:
l IT Service Center Request Menu Requester
3. Edit the IT Service Center Admin permission set group to include the following permission set:
l IT Service Center Request Menu Admin
© 2022 Tanium Inc. All Rights Reserved Page 294. Create a permission set called IT Service Center Configuration Manager Visibility and assign it to the existing IT Service
Center Config Manager and IT Service Center Admin permission set groups. For more information, see Assign IT Service
Center permissions on page 33.
© 2022 Tanium Inc. All Rights Reserved Page 30Connect with Tanium Cloud
Connect to Tanium™ Cloud to pull information and operate on the end user devices with your IT Service Center org.
Add Tanium Cloud as a remote site
Remote sites are a list of Web addresses that the organization can invoke from salesforce.com.
1. From Setup, enter remote in the Quick Find box, then select Remote Site Settings.
2. Click New Remote Site.
3. For the Remote Site URL, enter the main URL of your Tanium Cloud instance. (Example: https://dev.cloud.tanium.com)
Click Save.
4. Add another remote site with the API URL of your Tanium Cloud instance. (Example: https://dev-
api.cloud.tanium.com) Click Save.
Connect to Tanium Cloud from Salesforce
Connect Salesforce to your Tanium Cloud instance, so that IT agents can take direct actions on endpoints.
1. From the App Launcher, click the IT Service Center app.
2. In the IT Service Center menu, click Settings.
3. In the Tanium Configuration section, enter your Tanium URL, which is the URL of the Tanium Cloud instance that is
provisioned. You do not need to customize the API URL. Click Save.
Authenticate the service user
The Service User runs background processes. This Tanium Cloud user ID and password is provided when you purchase IT Service
Center. After you authorize the service user, the authorization is automatically renewed.
1. From the IT Service Center menu, go to Settings.
2. Click Initiate Service User Auth Flow.
3. In the page that pops up, click Authorize.
4. The expiration date under Service User Authorization is updated.
Authenticate the current user
Each IT Service Center user must authenticate their user ID with Tanium Cloud to have permission to view and operate on assets in
IT Service Center.
© 2022 Tanium Inc. All Rights Reserved Page 31If you do not log in for 30 or more days, you must repeat these steps.
1. From the IT Service Center menu, go to Settings.
2. Click Initiate Current User Auth Flow.
3. In the page that pops up, click Authorize.
4. The expiration date under Current User Authorization is updated.
Configure Tanium data synchronization
The Tanium job schedules run in the background to synchronize asset and user data from Tanium on a scheduled frequency.
To configure job schedules and AD queries from the IT Service Center menu, go to Settings, then click Job Schedules. You can
change the frequency for each job, least frequent being once every 24 hours.
In most configurations, you do not need to update these job schedules. Update the schedules only if you have
specific requirements that require adjustments to the default synchronization settings.
Refresh Changed Asset Data from Tanium
Update fields for the Asset object from the latest data available in Tanium.
Update Active Assets
Update fields for assets that are currently online.
Synchronize Tanium Action Status
Update the status of Tanium actions that have been performed on assets, such as deploying software or terminating a
process.
Refresh Service and Current User Tokens
Update tokens that are used for Current User and Service User authentication.
Primary Ownership (Active Directory Queries)
Update primary owner details for the Asset object. Disabled by default.
© 2022 Tanium Inc. All Rights Reserved Page 32Configure Salesforce for IT Service Center
Set up the connection to Tanium Cloud, configure users, and set up emails.
Assign IT Service Center permissions
Permissions control what users see and do. The workplace permissions are automatically created when you install the IT Service
Center package, but you must manually assign users their appropriate permissions.
Meet the IT Service Center personas
The IT Service Center package includes permission sets for personas that we recommend for Work.com orgs.
IT Service Center Admin
IT Service Center Admins manage IT Service Center settings, including the connection to Tanium Cloud.
IT Agent
IT agents manage cases, view assets and Tanium custom CIs, control performance events, and deploy software.
Change Manager
Change managers control change calendar and risk settings, create change management rules, and add events to the
change calendar.
CMDB Administrator
CMDB administrators control CMDB actions, edit CMDB settings, run data import jobs, and create Tanium custom CIs.
CMDB Manager
CMDB managers create Tanium custom CIs.
Employee
Employees create cases that get resolved by the IT agent.
Add IT Service Center users
By default, you have a single administrator user for both your Salesforce org and Tanium Cloud. If you want to add users, you must
create the user in both Salesforce and Tanium.
The User ID in Tanium must match the Email field for the user in Salesforce. To create users in Tanium, see
Configure Tanium for IT Service Center on page 17.
© 2022 Tanium Inc. All Rights Reserved Page 33UPDATE DEFAULT PROFILES
To prevent issues with synchronizing CI items with the CMDB, remove access to the Asset object from the profile you
are using for IT Agent users. Modify a profile that affects only IT Agents, because CMDB Managers must have access
to the Asset object. Choose which profile to modify, then assign the updated profile:
l If you are using Employee Concierge, use the IT Agent profile, which does not have edit access to the Asset
object.
l Edit the default profile and remove access to the Asset object.
l If you want to preserve the default profile, you can clone the default profile and remove access to the Asset
object.
Use the IT Service Center permission set groups to grant access to the IT Service Center asset record types. If you
require access to other custom Asset record types, use a custom permission set to grant access to the custom record
types.
CREATE AND ASSIGN USER PERMISSIONS IN SALESFORCE
Create users in Salesforce. Use the value in the Email field for the user name that you create in Tanium Cloud.
The following table provides the permission sets, permission set groups, licenses, and profiles to assign to users. If you use a
permission set group to assign permissions, do not also apply the permission sets.
These user permissions do not include Employee Workspace and Employee Concierge permissions. You must assign these
permissions in addition to the IT Service Center permissions listed in the table. See Salesforce Help: Meet the Employee Workspace
Personas and Salesforce Help: Assign Employee Concierge Permissions.
© 2022 Tanium Inc. All Rights Reserved Page 34Persona User Feature Profile Permission Set Permission Sets Permission Set
License License Licenses Group
IT Service Salesforce l Service Cloud ANY l Employee l Change Calendar l IT Service Center
Center Admin User Workspace and Basic Access Admin
Concierge
l Knowledge l Change Calendar l IT Service Center
User l Employee Admin Access Config Manager
Experience
l Change Calendar l IT Service Center
Write Access Request Menu
Manager
l IT Service Center
App Administrator
l IT Service Center
Configuration
Manager
l IT Service Center
App User
l IT Service Center
Case Record Type
Access
l IT Service Center
Knowledge
l IT Service Center
Standard Field
Access
l IT Service Center
Request Menu
Admin
l IT Service Center
Announcement
Manager
© 2022 Tanium Inc. All Rights Reserved Page 35Persona User Feature Profile Permission Set Permission Sets Permission Set
License License Licenses Group
IT Service Salesforce l Service Cloud ANY l Employee l Change Calendar l IT Service Center
Center Agent User Workspace and Basic Access User
Concierge
l Knowledge l IT Service Center
User l Employee App User
Experience
l IT Service Center
Case Record Type
Access
l IT Service Center
Knowledge
l IT Service Center
Standard Field
Access
Change Salesforce l Service Cloud ANY l Employee l Change Calendar l IT Service Center
Manager User Workspace and Basic Access User
Concierge
l Knowledge l Change Calendar
User l Employee Admin Access
Experience
l Change Calendar
Write Access
l IT Service Center
App Administrator
l IT Service Center
App User
l IT Service Center
Case Record Type
Access
l IT Service Center
Knowledge
l IT Service Center
Standard Field
Access
© 2022 Tanium Inc. All Rights Reserved Page 36Persona User Feature Profile Permission Set Permission Sets Permission Set
License License Licenses Group
CMDB Salesforce l Service Cloud ANY l Employee l IT Service Center l IT Service Center
Administrator User Workspace and App Administrator Admin
Concierge
l Knowledge l IT Service Center l IT Service Center
User l Employee Configuration Config Manager
Experience Manager
l IT Service Center
App User
l IT Service Center
Case Record Type
Access
l IT Service Center
Knowledge
l IT Service Center
Standard Field
Access
CMDB Manager Salesforce l Service Cloud ANY l Employee l IT Service Center l IT Service Center
User Workspace and Configuration User
Concierge Manager
l Knowledge l IT Service Center
User l Employee l IT Service Center Config Manager
Experience App User
l IT Service Center
Case Record Type
Access
l IT Service Center
Knowledge
l IT Service Center
Standard Field
Access
© 2022 Tanium Inc. All Rights Reserved Page 37Persona User Feature Profile Permission Set Permission Sets Permission Set
License License Licenses Group
Employee Salesforce Salesforce l Company l IT Service Center l IT Service Center
Platform Platform Community for Requester Employee
User Force.com Requester
l IT Service Center
l Employee Standard Field
Workspace and Access
Concierge
l IT Service Center
l Employee Knowledge
Experience
l IT Service Center
Request Menu
Requester
IT Service Center permission sets
If you followed the recommended setup process for IT Service Center, confirm you have these permission sets in your org.
Permission Set Name Description
Change Calendar Admin Edit change management settings (calendar and risk), create and edit change management rules.
Access
Change Calendar Basic Read access to change calendar.
Access
Change Calendar Write Write access to change calendar.
Access
IT Service Center App Full edit access within IT Service Center, including service settings. Included in the IT Service Center package.
Administrator
IT Service Center App Access the IT Service Center application. Cannot create or edit assets.
User
IT Service Center Edit CMDB settings, run CMDB jobs, and create Tanium Custom CI.
Configuration Manager
IT Service Center Provide permissions to the Asset object for Configuration Managers. This permission set must be set up manually.
Configuration Manager See Assign IT Service Center permissions on page 33
Visibility
IT Service Center Case Access case record types in IT Service Center. You can clone and customize this permission set if you want to provide
Record Type Access only certain case types to a set of users (for example, to remove Change case access for IT Agents).
© 2022 Tanium Inc. All Rights Reserved Page 38Permission Set Name Description
IT Service Center Access fields for knowledge articles in IT Service Center.
Knowledge
IT Service Center Access fields for standard objects.
Standard Field Access
IT Service Center Create incidents and requests.
Requester
IT Service Center Request Create request menus and request menu items.
Menu Admin
IT Service Center Request Open cases with a request menu.
Menu Requester
IT Service Center Create announcements in IT Service Center.
Announcement Manager
When you follow the recommended installation and configuration process, these permission sets are automatically organized into
permission set groups. Assign permission set groups to users to grant them the required level of access.
When the installation of the IT Service Center is complete, the IT Service Center App Administrator permission is assigned to the first
admin user.
Permission updates to the IT Service Center package are pushed to the Tanium recommended permission sets. Any
customizations made to the recommended permission sets are erased when the package updates.
IT Service Center permission set groups
You can use the following included permission set groups to provide user access.
IT SERVICE CENTER USER
Includes the following permission sets:
l Change Calendar Basic Access
l IT Service Center App User
l IT Service Center Case Record Type Access
l IT Service Center Knowledge
l IT Service Center Standard Field Access
l IT Service Center Request Menu Requester
IT SERVICE CENTER ADMIN
Includes the following permission sets:
© 2022 Tanium Inc. All Rights Reserved Page 39l Change Calendar Basic Access
l Change Calendar Admin Access
l Change Calendar Write Access
l IT Service Center App Administrator
l IT Service Center App User
l IT Service Center Configuration Manager
l IT Service Center Case Record Type Access
l IT Service Center Knowledge
l IT Service Center Standard Field Access
l IT Service Center Request Menu Admin
l IT Service Center Announcement Manager
IT SERVICE CENTER CONFIG MANAGER
Includes the following permission sets:
l IT Service Center Configuration Manager (Configured with only create and read access to assets)
l IT Service Center Configuration Manager Visibility
IT SERVICE CENTER EMPLOYEE REQUESTER
Includes the following permission sets:
l IT Service Center Knowledge
l IT Service Center Standard Field Access
l IT Service Center Requester
l IT Service Center Request Menu Requester
Update Salesforce configurations
Update organization-wide defaults and sharing rules
You can set configuration items (CIs) to be private, to restrict the visibility to certain users. You must update organization-wide
defaults and sharing rules to enable this capability.
© 2022 Tanium Inc. All Rights Reserved Page 401. Update organization-wide defaults for the Asset object from Controlled by Parent to Private. For more information, see
Salesforce Help: Set Your Internal Organization-Wide Sharing Defaults.
2. Create sharing rules on the Asset object. For example, you might create the following rules:
l If Is Private is False, share with Public Groups named Internal Users with Read Only access level
l If Is Private is False, share with Public Groups named Configuration Managers with Read/Write access level
l If Is Private is True, share with any necessary groups or roles as required
Configuration Manager users must have one or both of the following access levels:
l Read/Write access level for all Assets
l Modify All on the Asset object in the profile
For more information about sharing rules, see Salesforce Help: Sharing Rules and Salesforce Help: Sharing Rule
Considerations.
3. Mark CIs as private. See Manage CMDB configuration items on page 58.
Assign record types to case lightning record pages
Edit the case page layouts to assign the IT Service Center record types for change, problem, incident, and major incident.
1. From Setup, click Object Manager.
2. Click Case and Lightning Record Pages. You must edit each of these pages:
To update the change record page, click: ITSC - Change Record Page, then View.
To update the problem record page, click: ITSC - Problem Record Page then View.
To update the incident record page, click: ITSC - Incident Request Record Page then View.
To update the major incident record page, click: ITSC - Major Incident Page then View.
3. After the Lighting App Builder for the page loads, click Activation...
4. Click the App, Record Type, and Profile tab and then Assign to Apps, Record Types, and Profiles.
5. Select IT Service Center, then Next.
6. Choose a form factor for the app (Phone, Desktop, or both).
7. On the Selected Record Types page, select the corresponding record type.
If you are editing the ITSC - Change Record Page, select Change.
If you are editing the ITSC - Problem Record Page, select Problem.
If you are editing the ITSC - Incident Request Record Page, select Incident.
If you are editing the ITSC - Major Incident Page, select Major Incident.
8. On the Selected Profiles page, select Standard User and System Administrator. If you have custom profiles for IT agents,
select those profiles as well.
9. Save your changes.
© 2022 Tanium Inc. All Rights Reserved Page 41You can also read
