Working with deployments

You can create, redeploy, edit, clone, delete, or see the status of a deployment on the Manage Deployments page. Select Setup > Deployments from the Comply menu to open this page.

Click Information next to Target to see the target computer groups for that deployment.



Create a deployment

Create deployments based on the architecture and platform of the targeted endpoints to deploy engines and JREs to endpoints on a schedule. For example, you might want to create the following deployments:

  • Windows 64-bit
  • Windows 32-bit
  • macOS 64-bit
  • Linux 64-bit

  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.
  1. On the Manage Deployments page, click Create Deployment.

  2. In the Details section, provide a Name.
  3. Select Computer Groups you want to target with the deployment. You can select multiple computer groups in this field.
  4. Select a Platform for the deployment.
  5. Select the Architecture for the deployment.
  6. Select one or more Scan Engines.
    • By default, Tanium provides the Tanium Scan Engine (powered by JovalCM), but if you uploaded another supported engine, you can select that engine. For more information on scan engines, see Working with scan engines and JREs.
    • If you select Tanium Scan Engine (powered by JovalCM) or CIS-CAT, you must select a Java Runtime option: Deploy JRE or Do not deploy JRE.
    • The Encrypt JRE option is selected by default. This option encrypts the ZIP file on the endpoint that contains the JRE and prevents access to the JRE. When you use JRE encryption, reports that require the JRE distribute a key file to decrypt the JRE. After the report runs, the key file and decrypted JRE are removed. The encrypted JRE remains and is used the next time it is required.

      On the Reports page, any report with an encrypted JRE will show a lock next to that engine.


      If a JRE encryption key is lost or overwritten, you can recreate the JRE encryption key. See Recreate JRE encryption key.

  7. Add Advanced Settings as needed.

    As a best practice, configure the deployment to use a single CPU core:

    1. Expand the Advanced Settings section.
    2. Click Add Advanced Setting Group.
    3. For Number CPUs, select 1 CPU.
    4. For Java Heap Size, leave the default value.
    5. For Computer Groups, select All Computers.

  8. In the Schedule section, set the schedule for the deployment:
    1. (Optional) If you want to define specific schedules, you can select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

      The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions (Step 5).

    2. (Optional) If you want to distribute the actions over time, select the Distribute over option and enter values to run the report over minutes or hours. For more information on deploying actions, see Tanium Console User Guide: Deploying actions (Step 5).
    3. In the Repeat section, select Interval, Using Policy Saved Action, or Never.
      • Select Interval to specify how often the deployment runs. The Reissue every field displays, and you can set the schedule.
      • Select Using Policy Saved Action to use a saved question to determine whether any endpoints require the deployment. The action runs only if applicable endpoints are found.
      • If you do not want the deployment to run again, select Never.
  9. The Preview section shows the defined deployment criteria. Review the defined deployment criteria, and then click Create & Deploy. The Action progress and Installation status display for your deployment.

Redeploy a deployment

  1. On the Manage Deployments page, hover over the deployment and click Redeploy.
  2. Depending on your Tanium Server configuration, either enter your password or click Yes to proceed.
  3. The Action progress and Installation status displays.

Edit a deployment

  1. On the Manage Deployments page, hover over the deployment and click Edit.
  2. Make any necessary changes to the Details or Schedule of the deployment.
  3. Click Save & Deploy.

Clone a deployment

  1. On the Manage Deployments page, hover over the deployment and click Clone.
  2. Provide a new Name for the duplicate deployment.
  3. Make any necessary changes to the Details or Schedule of the deployment.
  4. Click Create & Deploy.

Delete a legacy deployment

On the Manage Deployments page, click Delete to delete legacy deployments that are obsolete. Removing legacy deployments stops and removes the old action and package associated with these deployments. You might need to create a new deployment that matches the legacy deployment to ensure that engine and JRE selections are deployed as previously configured.

For best results, remove legacy deployments.

Update tool deployment

If any of your tool deployment actions have outdated tools, a warning displays on the Home or Manage Deployments page. Tools can become outdated when you upgrade Comply to a new version.

  1. On the Manage Deployments page, click Update X Outdated Tool Deployment on the top right.
  2. Enter your credentials and click OK.