Creating deployments

Use deployments to deploy engines and JREs to endpoints on a schedule. You must have the Comply Deployment Administrator role to create deployments. For more information about Comply roles, see User role requirements.

Create a deployment

  1. Select Deployments under Setup.
  2. On the Manage Deployments page, click Create Deployment on the top right.
  3. In the Details section, provide a Name.
  4. Select the Computer Groups you want to target with the deployment. You can select multiple computer groups in this field.
  5. Select a Platform. Depending on the Platform you select, you will see the appropriate choices for Architecture and Scan Engines. If you select CIS-CAT or JovalCM scan engines, you need to choose a JRE option. Preview on the right side of the Details section shows the deployment criteria as you define it.
  6. Consult with your TAM before changing any Advanced Settings.

  7. In the Schedule section, select Start at and End at and complete the date and time values to limit the report to run only during a specific time period.
  8. Select Distribute over and enter values to run the report over minutes or hours. This value cannot be over four hours. For more information on how Tanium deploys actions, see Tanium Platform User Guide: Using Deploy Action.
  9. For Repeat report execution by, select None if you do not want the deployment to run again. Select Interval and then define the interval in minutes, hours, or days in which you want the report to run in the Reissue every fields. Select Use Policy Saved Action to use a saved question every hour to determine if the deployment should run again when applicable endpoints are online.

  10. Click Create & Deploy. You will see the Action progress and Installation status of your deployment.

You might receive one of the following errors if deployments do not run as expected:

Some machines included in this deployment cannot be deployed to. — Ensure that targeted endpoints have enough disk space to accommodate deployments.

Some machines included in this deployment don’t have the system utilities required to complete a scan. — Linux/macOS endpoints do not have the Unix utilities installed that Comply requires to work correctly.

Use JRE encryption

Use JRE encryption to encrypt the ZIP file on the endpoint that contains the JRE, which prevents access to the JRE. When you use JRE encryption, reports that require the JRE distribute a key file to decrypt the JRE. After the report runs, the key file and decrypted JRE are removed. The encrypted JRE remains and is used the next time it is required.

  1. Complete all of the fields in the Create Deployment window and select Deploy JRE in the Java Runtime section.
  2. Select Encrypt JRE.
  3. Click Create & Deploy. On the Reports page, any report with an encrypted JRE will show a lock next to that engine.

If a JRE encryption key is lost or overwritten, you can recreate the JRE encryption key. See Recreate JRE encryption key.

Last updated: 11/15/2019 8:33 PM