Upgrading Tanium Clients

The following procedures describe how to upgrade the Tanium Client to a newer version on managed endpoints.

Best practices

Review the following best practices before upgrading Tanium Clients:

  • When possible, upgrade using Client Management as described in Upgrade Tanium Clients using Client Management, instead of using third-party software. In cases where third-party software is preferable or necessary, refer to the documentation for that software.
  • Upgrade without uninstalling and reinstalling Tanium Clients. If you uninstall clients, you lose any custom data that is associated with them.
  • Test the upgrade process in a lab environment that resembles the production environment as closely as possible. For example, use a lab environment that has similar Tanium Client versions, operating systems (OSs), and deployed Tanium module tools.
  • Deploy the upgrade in stages.
    • Start with non-essential endpoints.
    • Deploy the upgrade to one OS type at a time.
    • Deploy the upgrade in batches to prevent unforeseen issues from affecting too many endpoints simultaneously.
    • Consider organizing computer groups to help manage upgrade stages: see Tanium Console User Guide: Create a computer group.
  • Tanium recommends replacing the x86-64 binary with the universal binary on all Mac computers running macOS 11 or later. However, you cannot upgrade an existing installation of the x86-64 version of the Tanium Client directly to the Universal version. You must first uninstall the existing Tanium Client. If you upgrade the x86-64 client in Client Management, it installs a newer version of the x86-64 client.

Before you begin

  • Read the release notes for the target version of Tanium Client, as well as all earlier versions that were released since the currently installed version, to understand the enhancements, bug fixes, and known issues that those versions include.
  • If you deploy upgrades to endpoints that have a firewall enabled on macOS 10.14 (Mojave) or later, perform the steps under Manage pop-ups for Tanium Client upgrades.
  • macOS: If you previously created a Privacy Preferences Policy Control (PPPC) custom payload for a version of the Tanium Client earlier than 7.2.314.3608 and you are upgrading to version 7.2.314.3608 or later, you must update the code signing requirement. For more information about creating a PPPC custom payload, see Deploy the Tanium Client to macOS endpoints using the installer.

Assess the impact of upgrading on your environment

To help plan the stages of the upgrade to minimize the impact on your environment, determine the scope of the upgrade and appropriate groups of endpoints to target:

  1. Ask the following question, where <target_client_version> is the version to which you are upgrading:

    Get Tanium Client Version from all machines with Tanium Client Version < <target_client_version>

    The question results indicate the number of endpoints that require upgrades.

  2. If you want to evaluate the impact on specific types of endpoints (such as critical servers), you can apply a drill-down question such as Operating System or Organizational Unit (see Tanium Console User Guide: Drill down into results).

Upgrade Tanium Clients using Client Management

Use client upgrades in Client Management to upgrade the Tanium Client on endpoints that have earlier versions installed. A client upgrade targets specific computer groups and upgrades any endpoints in those groups to the specified version as the endpoints become available. Create a one-time upgrade to upgrade clients within a specified window of time. Create an ongoing upgrade to keep clients upgraded to the latest version of the Tanium Client or to upgrade clients that are later added to the targeted group to a selected version.

By default, client upgrades of either type use recurring scheduled actions that have an expiration period of twenty minutes and re-issue time of every hour. This configuration allows even a one-time upgrade to upgrade endpoints that might not be online when deployment of the upgrade starts but that you expect to be online at some point during the window of time defined for the upgrade.

Client Management cannot upgrade endpoints with action locks turned on. For more information, see Tanium Console User Guide: Managing action locks.

Create a client upgrade

Before you create an upgrade, make sure that your Tanium Cloud instance has cached the versions of the Tanium Client that you need: see Manage versions of the Tanium Client available for upgrades.

  1. From the Tanium Cloud menu, click Client Upgrades.
  2. Click Create Client Upgrade.
  3. Enter a Name for the client upgrade.
  4. (Optional) To deploy a version of the Tanium Client other than the latest, click Edit in the Content to deploy section, and then select the Client Version to deploy.

    Leave Auto-upgrade to latest version selected to deploy the latest version of the client. In an ongoing upgrade, this option also keeps targeted clients upgraded to the latest version as new versions become available.

  5. In the Endpoints to target section, click Computer Groups, and select the computer groups to be upgraded.
  6. Click Edit in the Deployment type and schedule section, and configure the following settings:

    • For Deployment Type, select Ongoing or One-Time.

      Use a one-time upgrade with an end time for an upgrade to a specific version so that it does not run indefinitely even after you upgrade all the Tanium Clients.

    • Select the Deployment Time Zone and configure the Start Time at which deployment of the upgrade will begin. For a one-time upgrade, configure the End Time at which deployment of the upgrade will end.

      If you are configuring a one-time upgrade, make sure that the Start Time and End Time define a period of time during which you expect each targeted endpoints to be online at some point. The upgrade window can span multiple days if necessary.

    • (Optional) Adjust the Distribute Over Time setting. This setting determines the period of time over which distribution of the upgrade action is randomized and helps balance resource use.

      Distribute the upgrade over time to prevent upgrades from occurring on all the targeted endpoints simultaneously.

  7. Click Preview to Continue and review the Version status of targeted endpoints.
  8. Click Deploy to create the upgrade. The action for the client upgrade is issued at the Start Time you configured.

    You can later edit an ongoing upgrade, or you can edit a one-time upgrade before the Start Time has passed.

Upgrade Tanium Clients using a package

In cases where you want to upgrade the client on an individual endpoint or a small number or endpoints that do not comprise an entire computer group, you can target those endpoints and manually deploy actions that use the Client Management - Upgrade [Windows] and Client Management - Upgrade [Non-Windows] packages. For more information about deploying packages, see Tanium Console User Guide: Deploying actions.

  1. In Interact, target the endpoints on which you want to upgrade the Tanium Client. For example, ask a question that targets a specific operating system and a Tanium Client older than a certain version:
    Get Tanium Client Version from all machines with ( Is Windows contains true and Tanium Client Version < )
  2. In the results, drill down as necessary, and select the endpoints that you want to upgrade.
  3. Click Deploy Action.
  4. For the Deployment Package, select Client Management - Upgrade [Windows] or Client Management - Upgrade [Non-Windows], depending on the endpoints you are targeting.
  5. Select a Client Version to install.

  6. Click Show preview to continue.
  7. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.