Upgrading Tanium Clients
The following procedures describe how to upgrade the Tanium Client to a later version on managed endpoints.
Review the following best practices before upgrading Tanium Clients:
- When possible, upgrade through the Tanium Core Platform as described in this topic, instead of using third-party software. For cases where third-party software is preferable or necessary, consult your Technical Account Manager (TAM) for the recommended procedures.
- Upgrade without uninstalling and reinstalling Tanium Clients. If you uninstall clients, you lose any custom data associated with them.
- Test the upgrade process in a lab environment that resembles the production environment as closely as possible. For example, use a lab environment that has similar Tanium Client versions, operating systems (OSs), and deployed Tanium™ module tools.
- Deploy the upgrade in stages, starting with non-essential endpoints.
- Deploy the upgrade to one OS type at a time.
- Deploy the upgrade in batches to prevent unforeseen issues from affecting too many endpoints simultaneously.
- Consider the following best practices when planning how to schedule the upgrade actions in a way that minimizes the impact on network and endpoint resources:
- Distribute the actions over time to prevent upgrades from occurring on all the targeted endpoints simultaneously.
- Reissue actions at different times of day, or even over multiple days, to include endpoints that might be offline when the upgrade action first runs.
- Set an end date for the actions so that they do not run indefinitely even after you upgrade all the Tanium Clients.
- Read the Release Notes for the new and intermediate Tanium Client versions to understand which enhancements, bug fixes, and known issues those versions include.
- If you deploy upgrades to endpoints that have a firewall turned on and that run macOS 10.14 (Mojave) or later, perform the steps under Manage popups for Tanium Client upgrades.
For planning how to upgrade Tanium Clients in stages to minimize the impact on your environment, determine the scope of the upgrade:
- Issue the question Get Tanium Client Version from all machines with Tanium Client Version < <target_client_version>, where <target_client_version> is the version to which you are upgrading. The question results indicate the number of endpoints that require upgrades.
- If you want to evaluate the impact on specific types of endpoints (such as critical servers), you can apply a drill-down question such as Operating System or Organizational Unit (see Tanium Console User Guide: Drill down into results). Drilling down based on OS also indicates which content packs you need; separate upgrade packages are required for Windows and non-Windows endpoints.
- Access the Tanium Console.
- From the Main menu, click Solutions.
- Scroll to the Tanium Content grid and check the Imported Version and Available Version for the Client Upgrade content pack. Perform the remaining steps only if the Imported Version is blank (you have not imported any version) or is earlier than the Available Version, which must be the same as the Tanium Client version to which you are upgrading.
If the Available Version is not the target upgrade version, consult your TAM for the instructions to import another content pack version.
- Select the Client Upgrade content pack, click Import Solution, review the list of content objects, and click Import.
- Get the ClientUpgradeNonWindows content pack from your TAM.
- Use KeyUtility.exe to sign the content pack XML file before you import it. As a one-time action, you must also copy the associated public key to the correct folder. For the procedure, see Tanium Console User Guide: Authenticating content files.
- Access the Tanium Console.
- From the Main menu, open any Content or Permissions page (such as Administration > Content > Sensors) and click Import from XML at the top right of the page.
- Click Choose File, find and select the ClientUpgradeNonWindows content pack, and click Open.
- Click Import. If object names in the file duplicate existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
- Select resolutions for any conflicts. For guidance, see Tanium Console User Guide: Resolve conflicts when importing updates or configurations and Tanium Console User Guide: Best practices for resolving import conflicts, or consult your TAM.
- Click Import again and click Close when the import finishes.
- Issue a question that identifies the endpoints that require Tanium Client upgrades.
For example, to identify Windows endpoints that require upgrades, go to the Main menu, select Administration > Content > Saved Questions, select the Windows Client Older Than <version> question, and click Load.
- In the Question Results grid, select the results for the endpoints that require the upgrade and click Deploy Action.
- Specify the Deployment Package or verify that the auto-populated entry is correct, based on the OS of the endpoints:
- Windows: Update Tanium Client <client_version>
- macOS: Update OS Specific Tanium Client (Mac <client_version>)
- Linux: Update OS Specific Tanium Client (Linux - <Linux_version> <client_version>)
Using content to upgrade the Tanium Client on Linux restarts the Tanium™ Trace Recorder process if it exists on the endpoint.
- Solaris: Update OS Specific Tanium Client (Solaris <Solaris_version> <client_version>)
- AIX: Update OS Specific Tanium Client (AIX <client_version>)
- Configure the Schedule Deployment fields based on the Best practices.
- Under Targeting Criteria, select an Action Group, click Show preview to continue, and review the targeted endpoints.
- Click Deploy Action. If the Estimated Number of affected endpoints exceeds the configured threshold (the default is 100), enter that number and click Yes. The Tanium Server enforces this confirmation step to ensure that you understand the network impact that an action has.
The page reloads to display the Action Summary.
- Review the action status to confirm the expected results. Wait until the action completes for all endpoints before continuing.
- Reissue the question from Step 1 to verify that the upgrade succeeded.
For example, if you reissue the Windows Client Older Than <version> question, the Question Results indicate No machines matched the question to indicate the upgrade succeeded.
Last updated: 7/16/2020 12:00 PM | Feedback