Deploying software

Use deployments to install, update, or uninstall software on a set of target computers. Deployments can run once or be ongoing to meet requirements such as:

  • Maintain operational hygiene and system baselines.
  • Manage systems which may be online for short periods.
  • Rerun packages which become applicable as system states change.

Deployments do not run outside of a maintenance window unless the Override maintenance window option is selected in the deployment options. You must create at least one maintenance window for other deployments to run. For more information about creating a maintenance window, see Managing maintenance windows.

Before you begin

Create a deployment template

You can create a deployment template to save settings for a deployment that you can issue repeatedly. You can either create a deployment template from the Deployment Templates menu item, or you can select an option when you create a deployment to save the options as a template.

  1. From the Deploy menu, go to Deployment Templates and then click Create Deployment Template.
  2. Specify a name, an optional description for your deployment template, and the content set.
    Because of the complexities of managing permissions with multiple users, you cannot move a deployment template from one content set to another after the initial assignment.
  3. Select deployment options. These options are the same as the options you can configure in an individual deployment. For more information, see Deploy a software package or bundle.

    4. For self service deployments that are set for the future, use the Make Available Before Start Time option.

  4. Click Create Deployment Template.

You can use this template when you create a deployment.

Set the default deployment template

The default deployment template is applied when you create deployments. Importing Deploy with automatic configuration creates three deployment templates and sets one of them as the default. You can change the default template or remove a template as the default.

You can only set a deployment template in the Deploy Content Set as the default deployment template.

  1. From the Deploy menu, go to Deployment Templates.
  2. Select a template and click Set as Default.
  3. To remove the default designation from a template, select the default template and click Remove as Default.

Delete a deployment template

  1. From the Deploy menu, go to Deployment Templates.
  2. Select one or more templates and click Delete Deployment Templates.

You can also click the name of your deployment template and then click Delete .

Deploy a software package or bundle

  1. From the Deploy menu, go to Deployments and then click Create Deployment.

    You can also create a deployment from the Software page. Select a software package and click Deploy Package.

  2. Provide a name for the deployment, add an optional description, and select the content set.
    Because of the complexities of managing permissions with multiple users, you cannot move a deployment from one content set to another after the initial assignment.
  3. Do one of the following, as needed:
    • Select Software Package, select the package from the drop-down list, and then select the software package operation. You can filter packages by typing the platform, vendor name, or package title.
    • Select Software Bundle and then select the bundle from the drop-down list.

      A software bundle is platform-specific and each software package evaluates and installs independently, but is available only for the specified OS platform. If an individual package fails to install during a bundle deployment, you can decide if the bundle should continue and install the remaining packages, or you can choose to stop on failure and report the failure.

  4. Add targets.

    Select either or both of the following targeting methods and complete the fields as needed. If you select both targeting methods, then they are joined by an OR operator. If you use multiple targets, the deployment applies to endpoints that match any of the targets you specify.

    • Select Computer Groups provides a drop-down list of computer groups available to be managed in Deploy.

    • Set Targeting Criteria lets you add any Tanium question filter as a target. When you use this option, you must also select a limiting group from the Select Limiting Group drop-down list of computer groups. For example, to target endpoints in the 192.168.1.0/24 subnet, you can type Tanium Client IP Address starts with 192.168.1 in the Filter Bar or use the Filter Builder to select the Tanium Client IP Address sensor, and then apply the same filter. After that, set the All Windows 10 computer group as the limiting group to make the deployment apply to all Windows 10 endpoints with an IP address that starts with 192.168.1.

      • The Select Computer Groups and Set Targeting Criteria options are joined by an OR operator. If you use multiple targets, the deployment applies to endpoints that match any of the targets you specify. If you use Set Targeting Criteria, you must also specify a limiting group that limits all targets. For example, if you select All Laptops as the target computer group, the deployment goes to all laptops managed by Deploy. However, if you also add Tanium Client IP Address starts with 192.168.1 as the targeting criteria, and then select All Windows 10 as the limiting group, then the deployment goes to all Windows 10 devices that are either laptops or have an IP address starting with 192.168.1.

      If you set targeting criteria, use criteria based on attributes that cannot be changed by the deployment. If you select attributes that can change, endpoints might become in a state where the deployment is Not Applicable with a sub-status of Configuration not available or not targeted. For more information about how endpoints might become in this state, see Reference: Deployment status.

  5. Select deployment options.
    1. Choose whether you want to use an existing deployment template. To create a new deployment template based on this template, select Do not use existing template and then select Save Deployment Options as template. For more information, see Create a deployment template.

    2. Specify a deployment frequency. You can either do a single deployment with a specific start and end time, or an ongoing deployment that does not have an end time.

      A software package operation may be interrupted if you stop the deployment, the deployment ends, or the maintenance window closes.

      After the deployment ends or the maintenance window closes, restarts do not occur, End-User Notification messages do not appear, and remaining steps in a software bundle (if applicable) do not run.

    3. Designate the deployment time. You can choose from the local time on the endpoint or UTC time.

    4. Select self service options.

      For self service deployments that are set for the future, use the Make Available Before Start Time option.

    5. To prepare the endpoints for future deployments by downloading the deployment content before the installation time, select the option for Download Immediately.
    6. (Windows and macOS endpoints) To enable pre-deployment end user notifications, select Notify User Before Running in the Pre-Notify User section. To minimize disruptions to end users, configure a notification for Update and Remove operations, as they could affect applications that are in use on an endpoint.

    7. To protect shared compute resources in a virtual environment, select Enabled for the Distribute Over Time option and indicate an amount of time. The value you indicate for Distribute Over Time must be less than the deployment duration.

      Distribute Over Time randomizes the deployment start time on each endpoint by an amount of time up to the value configured. This option reduces concurrent consumption of shared compute resources in a virtual environment.

      Specify a Distribute Over Time value that is at least two hours less than the length of the deployment window and any maintenance windows. If the value exceeds deployment and maintenance windows, some endpoints will not be able to run the deployment or will run a software package operation outside of the maintenance window.

    8. If you want to ignore deployment restrictions, select Override maintenance windows.
    9. (Windows and macOS endpoints) Select whether to restart the endpoint. To avoid suddenly restarting a endpoint while an end user is working, configure a notification if the deployment requires a restart.

    10. (Windows and macOS endpoints) Select Notify User After Running in the Post-Notify User section to configure a post-deployment end user notification.

      Use a post-deployment notification if a deployment also uses a pre-deployment notification to inform users that an operation is complete.

  6. Click Show Preview to Continue and review the deployment.
  7. Click Deploy Software.

Configure end user notifications

(Windows and macOS endpoints) You can enable pre- and post-deployment notifications to warn end users about changes to endpoints. Pre-deployment notifications are especially important for Update and Remove operations because they can affect applications that are in use on an endpoint. Post-deployment notifications are especially important for deployments that require restarts because they can occur while end users are working on an endpoint.

Notification Options

  • Duration of Notification Period: Specify the amount of time before the notification must be accepted. The deadline is calculated by adding this value to the time the deployment completed for each endpoint.

  • Allow User to Postpone: If you want to give the user an option to defer accepting the notification for a specified amount of time, select this option. A user cannot postpone beyond the deadline.

  • User Postponement Options: Specify the amount of time a user can postpone the notification. The total amount of time specified must be less than the Duration of Notification Period value. Note that this is only the amount of time to defer the notification from being displayed again; it does not affect when the countdown to deadline appears.

  • Final Countdown to Deadline: Specify the amount of time for end users to accept the notification. The notification also shows a countdown until end users must accept. If end users dismiss the notification and a restart is required, the notification will reappear in the last minute of the final countdown to deadline before the computer restarts.

Message Content

  • Specify the title and body of the notification message. Upload optional icon and body images for branding to avoid confusing users and to limit support calls. Optionally, enable additional languages and provide translated title and body text. By default, the notification displays content in the system language on the endpoints. If you enable additional languages, the user can select other languages to display.

    You can use ||OPERATION||, ||PACKAGENAME||, or ||DEPLOYMENTNAME|| as variables in the title or body. If you are deploying a software bundle, the bundle name is used for the ||PACKAGENAME|| variable.

If your deployment is configured for a pre-notification, but the endpoint does not have the End-User Notifications tools installed, the deployment fails and triggers the following error: EunIncompatible: EUN is not installed or the version installed is too old. For more information about installing End-User Notifications tools on endpoints, see Tanium End-User Notifications User Guide: Configuring End-User Notifications.

Deploy a software package to a single endpoint

You can quickly create a deployment to install a software package on a single endpoint through the Endpoint Details page in Tanium Reporting. To create a deployment, you must have the Deploy Deployment write permission.

You can also install a software package on a single endpoint by following the steps in Deploy a software package or bundle.

  1. Open the Endpoint Details page for the endpoint that requires a deployment. See Tanium Reporting User Guide: View endpoint details.

  2. Select the Endpoint Management tab.

  3. In the Software Package Applicability section, click Install next to the package you want to deploy, and complete the deployment.

Review deployment summary

You can get the deployment results by status, any error messages, and the deployment configuration details.

  1. From the Deploy menu, go to Deployments.

  2. Select the Active, Inactive, or Self Service tab.

    A software package or bundle appears in the Self Service tab after it is included in a self service profile and applicability counts appear after a user installs, updates, or removes the item in the End-User Self Service Client application.

  3. Click the deployment name. The Status section shows the status and substatus, links to deployment results, OS, online endpoints, information about the last time the status or initialization was updated, and any error messages.
  4. In the Deployment Details area, expand the section you want to see, or click Expand All to expand all sections.
    • Content to deploy provides all the configuration information, including installation details, execution information, installation workflow and notifications, patch lists, and patches.
    • Endpoints to target lists the targeted endpoints for the deployment.
    • Deployment type and schedule shows the deployment frequency, time zone, and schedule.
    • User notifications has the information about any end user notifications associated with the deployment.

Stop a deployment

You can stop a package or bundle deployment, but it does not remove packages that have already completed installation.

  1. From the Deploy menu, go to Deployments.
  2. On the Active tab, click the deployment name, and then click Stop.
  3. Go to the Inactive tab and click the deployment name to verify the status.

Reissue a deployment

You can restart a stopped deployment or reissue a one-time deployment. Reissuing a deployment creates a new deployment with the same configuration and targets.

  1. From the Deploy menu, go to Deployments.
  2. On the Inactive tab, click the deployment name, and then click Reissue.
  3. Make changes if necessary and then click Deploy.

Clone a deployment

You can clone an active deployment if you want to create a deployment that is similar to an existing deployment. When a deployment is cloned, the name is automatically prepended with Clone: and the targets are removed.

  1. From the Deploy menu, go to Deployments.
  2. On the Active tab, click the deployment name, and then click Clone.
  3. Make changes and then click Deploy.

Reference: Deployment status

The following is a list of all possible deployment status groups and the sub-statuses. Endpoints return deployment statuses only if they are targeted endpoints.

Status group Sub-status Description and troubleshooting
Not Applicable Configuration not available or not targeted

The endpoint is no longer targeted by the deployment. Most commonly, this sub-status means the deployment uses targeting criteria that was changed by the deployment.

For example, if you create a deployment with an Adobe Acrobat Reader Update bundle and targeting criteria of Deploy - Software Packages matches ".Adobe Acrobat Reader.*Update Eligible." , the deployment updates Adobe Acrobat Reader on endpoints. The update changes the response to the Deploy - Software Packages sensor so that this deployment no longer applies.

Use deployment targeting criteria based on attributes that cannot be changed by the deployment.

Stopped before the deployment started

  

Software package ID is no longer applicable after task error. Updating status.

The software package encountered the error in the sub-status but the package is no longer applicable after running.

Investigate the error message and endpoint log files for more information.
  • All software packages are not applicable to specified operations

  • Software package Remove operation sub-status:

    • Software package is

      applicability instead of Installed

  • Software package Update operation sub-statuses:

    • Software package is Installed instead of Update Eligible

    • Software package is Update Ineligible (System Requirements not met)

    • Software package is Install Eligible instead of Update Eligible

    • Software package is Not Applicable (Update Detection not met)

  • Software package Install operation sub-statuses:
    • Software package is already Installed
    • Software package is Update Eligible instead of Install Eligible (Update Detection met)
    • Software package is Update Ineligible (Update Detection met, System Requirements not met)
    • Software package is Not Applicable (System Requirements not met)
    • Software package is Not Applicable (Installation Requirements not met)
    • Software package is Update Ineligible (System Requirements not met)

  • Software package Install or Update operation sub-statuses:

    • Software package is already Installed
    • Software package is Update Ineligible (System Requirements not met)
    • Software package is Not Applicable (System Requirements not met)
    • Software package is Not Applicable (Update Detection and Installation Requirements not met)

The deployment will not run because the software package operation is not applicable. The sub-status provides the current software package applicability status and high-level reason.

If this sub-status is unexpected on an endpoint, investigate the software package applicability.
Waiting

Download Complete Waiting

The endpoint downloaded all software package files needed for this deployment but is waiting for the deployment start time or a maintenance window to open.

This sub-status is most commonly the result of selecting Download Immediately and a future start time in the deployment settings.

Waiting for initial evaluation

Deploy sent the deployment to the endpoint, but Deploy has not yet evaluated it.

This sub-status should not persist for more than a few minutes.

Waiting for maintenance window. Next window is at time

  

Waiting for maintenance window. No upcoming maintenance windows

  

Waiting for deployment start time x

  

Waiting for notification

  

Waiting for reboot

  

Waiting to run process

  

Waiting for updated software package catalog

The deployment includes a software package that the endpoint does not have.

This sub-status should not persist for more than five minutes.

Waiting for an active user

The deployment includes a software package with a command that runs as active user, but there is no active user logged in.

To avoid this sub-status, use an ||ACTIVEUSERPROFILE|| or ||ACTIVEUSERREGISTRY|| applicability rule, which makes the software package Not Applicable if there is not an active user. For more information, see Variables for Windows applicability scans and command-line operations.

  • Waiting for notification for deployment ID

  • Waiting for deployment ID to finish running

  • Waiting for deployment ID to finish running task ID

    		•  Another deployment is running. The current deployment is ready to run but will not run until the referenced deployment has finished running.
    Downloading

    Software package ID downloading files x%

    		  

    Downloading required files

    		 Software package files are downloading, but a download status cannot be reported yet.
    Running

    • Software package ID command name

    • Software package ID killing process name

    • Software package ID waiting for process name to exit

    • Software package ID copying source to destination

    • Software package ID deleting path

    • Software package ID creating path

    • Software package ID renaming source to destination

    • Software package ID extracting source to destination

    		 The command step that is running.
    Complete

    Success

    		  

    Skipped

    		 A command step encountered an error and was skipped. The command step is in a software package or a software package in a bundle that is set to On Failure or Error: Continue.

    Success after re-scan

    The deployment did not succeed initially, but after re-running an applicability scan, the software package is now in the targeted state.

    This sub-status most often happens if the software package installs software that is not fully installed until completing some additional activity, such as a security agent that must connect to a management server before it is fully installed. This sub-status might also indicate that something other than Deploy changed the state of this software shortly after this initial deployment did not succeed.

    Success after step error error details

    One of the software package commands received an error but the targeted software package applicability state is still achieved.

    This sub-status might indicate the exit code seen in the error details can be safely ignored or that the software package applicability rules are not fully detecting the state of the software.

    Failed

    Software Package ID at edit_id ID is no longer present in the catalog

    The specific revision of a software package was removed after the deployment started running.

    This sub-status can happen temporarily when a software package is edited during an active deployment. If it persists for more than 24 hours or appears on a new deployment of an unedited software package, this most likely indicates an issue. Gather endpoint logs and contact Tanium Support.

    Software Package name (id: ID) applicability after operation is applicability

    The deployment ran but did not reach the targeted applicability state (for example, Installed for an Install or Update deployment). Instead, the deployment resulted in another applicability state (for example, Not Applicable for an Install or Update deployment).

    This sub-status most often indicates a misconfiguration with the software package applicability rules. Review the sub-process log and the software package applicability .
    Software package is applicability after operation. Task error error details

    Deployment ended before completing

    The deployment stopped or reached the configured end time before it could complete.

    This sub-status might happen for one of the following reasons:

    • The deployment window was too short to download needed package files.

    • There was no active maintenance window during the deployment window.

    • The duration of notification period was too long and the end user did not accept the notification in time.

    • There was a persistent error and the deployment ended during a retry.

    Failed to import configuration

    The deployment or software package configuration could not be imported.

    To investigate this rare status, verify security exclusions for Deploy and Endpoint Configuration. If this status persists or is repeatable, collect a full Endpoint Must Gather and contact Tanium Support.

    Software package ID applicability reverted to applicability after previous_deployment_status deployment status and attempt_count attempts were made within retry_reset_hours hours. Will not retry for retry_reset_hours hours.

    The deployment ran and initially succeeded but a software package applicability scan later detected the deployment needed to run again. If this happens enough to exceed the configured deployment Retry Count during the period of the deployment Reset Frequency, Deploy stops re-running the deployment and sets the deployment to this status. For more information, see Configure module settings.

    This sub-status might indicate an external system is undoing changes made by Deploy or that another deployment is undoing it. For example, if this is an Install deployment, a concurrent deployment that uninstalls this software might cause this problem.

    Attempts to download EUSS icon exceeded retry limit. Attempt_count attempts were made within retry_reset_hours hours. Will not retry for retry_reset_hours hours.

    Deploy cannot download the package icon configured on the software package.

    This sub-status most commonly happens if the deployment is configured with Download Immediately and a future start time, but the deployment runs when the endpoint cannot connect to Tanium.

    As a workaround, remove the package icon and re-issue the deployment or wait for the deployment to try again after the Reset Frequency interval has elapsed. For more information, see Configure module settings.

    Attempts to populate EUSS catalog exceeded retry limit. Attempt_count attempts were made within retry_reset_hours hours. Will not retry for retry_reset_hours hours.

    Deploy is persistently failing to refresh the Self Service Client after the post-deployment applicability scan.

    This sub-status most likely indicates an issue with Deploy or End-User Self Service. Collect a full Endpoint Must Gather and contact Tanium Support.

    Scan attempts exceeded retry limit. Attempt_count attempts were made within retry_reset_hours hours. Will not retry for retry_reset_hours hours.

    Deploy is persistently unable to complete software package applicability scans.

    The software management logs contain diagnostic information about this issue. Collect a full Endpoint Must Gather and contact Tanium Support.

    Notification attempts exceeded retry limit. Attempt_count attempts were made within retry_reset_hours hours. Will not retry for retry_reset_hours hours.

    Deploy is persistently unable to launch an end user notification configured in this deployment.

    This sub-status might happen if there is a disconnected Microsoft Remote Desktop session on a Windows computer. If this status persists or is repeatable, collect a full Endpoint Must Gather and contact Tanium Support.