Configuring Deploy

If you did not install Deploy with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Deploy action group to target the No Computers filter group by enabling restricted targeting before adding Deploy to your Tanium licenseimporting Deploy. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Deploy action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Deploy with automatic configuration, the following default settings are configured:

The following default settings are configured for Deploy:

Setting	Default value
Action group	Restricted targeting disabled (default): All Computers computer group Restricted targeting enabled: No Computers computer group
Deploy deployment templates	The following deployment templates are created: [Standard Deployment] - default [Deployment with Reboot] [Deployment with Pre-Notification]
Deploy maintenance windows	An Always On maintenance window is created, and enforced against the All Computers computer group.
Deploy configurations	For action locked machines, only applicability scanning is enabled, so that deployments cannot run on action locked machines.
Deploy software packages	The following Predefined Package Gallery packages are automatically imported: Adobe Digital Editions Adobe Acrobat Reader DC (en-us) Adobe Acrobat Reader DC (en-us) (64-bit) Adobe Acrobat Reader DC (MUI) Adobe Acrobat Reader DC (MUI) (64-bit) Microsoft Power BI Desktop (x64) Microsoft Power BI Desktop Microsoft Teams (x64) Microsoft Teams (x86) Microsoft Visual Studio Code (x64 en-us) Microsoft Visual Studio Code (x86 en-us) Mozilla Firefox (x64 en-US) Mozilla Firefox (x86 en-US) VideoLAN VLC media player (32-bit) VideoLAN VLC media player (64-bit) Zoom Zoom Zoom Zoom (64-bit)

Configure advanced settings

You can configure the Tanium platform for optimal delivery of larger payloads, which are typically associated with downloading and installing software.

From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
To increase the client cache size, click Add Setting, provide the following information, and click Save.
Setting Type: Client
Platform Setting Name: ClientCacheLimitInMB
Value Type: Numeric
Value : 2048

Changes to platform settings can take up to five hours to propagate to clients.

Install and configure Configure Tanium End-User Notifications

With the Tanium End-User Notifications solution, you can create a notification message with your deployment to Windows and macOS endpoints to notify the user that the system is about to begin a deployment, has completed a deployment, and if postponements are enabled, to give the user the option to postpone the deployment or restart now.

For more information, see Tanium End-User Notifications User Guide: End-User Notifications overview.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

For information about installing Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Installing Endpoint Configuration.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Deploy, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

Creating, stopping, or reissuing deployments
Adding or removing maintenance window enforcements
Creating, editing, or removing self service profiles
User-initiated actions, such as initializing endpoints, distributing the software package catalog, updating Deploy Settings

Configure Deploy

(Optional) Configure the Deploy action group

Importing the Deploy module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Deploy, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Deploy, configuring the Deploy action group is optional.

Select the computer groups to include in the Deploy action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Deploy are included in the Deploy action group.

From the Main menu, go to Administration > Actions > Action Groups.
Click Tanium Deploy.
Select the computer groups that you want to include in the action group and click Save.
If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Organize computer groups

One way to deploy packages or bundles is by computer group. Create relevant computer groups to organize your endpoints. Some options include:

Endpoint type, such as servers or employee workstations
Endpoint location, such as by country or time zone
Endpoint priority, such as business-critical machines

Set up Deploy users

You can use the following set of predefined user roles to set up Deploy users.

To review specific permissions for each role, see User role requirements.

On installation, Deploy creates a Deploy user to automatically manage the Deploy service account. Do not edit or delete the Deploy user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Deploy Administrator

Assign the Deploy Administrator role to users who manage the configuration and deployment of Deploy functionality to endpoints.
This role can perform the following tasks:

Manage all Deploy settings
Manage deployments, maintenance windows, Self Service profiles, software packages, and software bundles

Deploy Endpoint Configuration Approver

Assign the Deploy Endpoint Configuration Approver role to a user who approves or rejects Deploy configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Deploy is installed.

Deploy Operator

Assign the Deploy Operator role to users who manage the configuration and deployment of Deploy functionality to endpoints.
This role can perform the following tasks:

Create, edit, import, or delete software packages and software bundles
Manage deployments, maintenance windows, and Self Service profiles

Deploy Read Only User

Assign the Deploy Read Only User role to users who need visibility into Deploy data.
This role can view all configurations, graphs, and reporting data in Deploy.

Deploy Self-Service Administrator

Assign the Deploy Self-Service Administrator role to users who manage End-User Self Service profiles.

This role can perform the following tasks:

Create, edit, and delete self service profiles
View software packages and software package bundles

Deploy Software Package Administrator

Assign the Deploy Software Package Administrator role to users who create software packages and bundles.
This role can view, create, and delete software packages and bundles. This role cannot create, edit, or delete deployments.

Deploy Software Package Gallery Administrator

Assign the Deploy Software Package Gallery Administrator role to users who manage the package gallery.
This role can perform the following tasks:

View, edit, and import software packages into package gallery
View software packages

Deploy Software Package Operator

Assign the Deploy Software Package Operator role to users who deploy software packages to endpoints.
This role can perform the following tasks:

Create, edit, and delete deployments
View software packages and software package bundles

This role cannot create, edit, or delete software packages or software package bundles.

Do not assign the Deploy Service Account and Deploy Service Account - All Content Sets roles to users. These roles are for internal purposes only.

Configure module settings

On the Deploy Overview page, click Settings and then click Configuration Settings if needed.
In the Endpoint Process Settings section, configure the following options:
Scan Interval
Specify how frequently in hours that endpoints complete a full catalog scan. The default value is 24 hours but can be set lower to improve responsiveness to changes on endpoints, such as software that is installed, updated, or removed by programs other than Deploy.
File Download Retry Limit
Specify how many times Deploy will attempt to download a file that has failed to download. Setting this option to a higher number can help work around temporary issues, such as bad network connectivity.
File Download Retry Delay
Specify the amount of time in seconds, minutes, or hours before the endpoint tries to download a file that has failed to download. Setting this option to a relatively low number, such as 1-5 minutes, can help work around temporary issues without causing an excessive number of download requests.
File Download Timeout
Specify the amount of time in hours or days before a download attempt will time out. Setting this option to at least 24 hours helps ensure that large downloads on bandwidth-constrained endpoints have time to complete.
When Action Lock Enabled
This option specifies how Deploy behaves on action-locked endpoints. For best results, select either Applicability Scanning Only or Ignore Action Lock to ensure the accuracy of workbench data.
The Deploy action lock setting does not override the Endpoint Configuration action lock setting. If you do not select Manifest package ignore action lock in Endpoint Configuration settings, then action-locked endpoints do not receive changes to Deploy configurations. For more information, see Tanium Endpoint Configuration User Guide: Reference: Settings and Tanium Console User Guide: Managing action locks.
The Deploy action lock setting does not override the Endpoint Configuration action lock setting. Action-locked endpoints do not receive changes to Deploy configurations. For more information, see Tanium Console User Guide: Managing action locks.
Enable Debug Logging
Select this option to set the Deploy logs on all endpoints to be at the most verbose level. You should use this setting only with guidance from Tanium Support. To configure log verbosity, use the Deploy - Set Logging Options Tanium packages.
Max Log Size (in MBs)
Specify the maximum size of logs (in MBs) on an endpoint. Specify an option that allows readability and sufficient logging on an endpoint without utilizing too much disk space.
Number of Logs to Keep
Specify the number of log files to keep on an endpoint. Specify an option that allows readability and sufficient logging on an endpoint without utilizing too much disk space.
In the Deployment Retry Settings section, configure the following options:
Retry Limit
Specify how many times Deploy will retry a failed deployment on an endpoint. When Deploy reaches this limit, it will not retry the failed deployment until the Reset Frequency time has been reached.
Reset Frequency (in hours)
Specify the amount of time in hours before Deploy will attempt to retry failed downloads after the Retry Limit has been reached. Setting this option to a value less than 24 hours lets failed deployments run multiple times in the same day and can help work around temporary issues.
In the Inactive Deployment Removal Settings section, configure the following options:
Enable Inactive Deployments Removal
Select this option to enable Deploy to delete inactive deployments with ended or stopped dates that are older than the specified interval. Enabling this option improves the performance of the Deploy workbench.
Inactive Deployment Removal Frequency
Specify the amount of time at which Deploy removes inactive deployments with ended or stopped dates that are older than the interval. The minimum is 1 month. The maximum and default is 6 months.
In the General Settings section, configure the following options:
Client API Nonce Roundoff (in minutes)
This setting enables a timestamp-based nonce for all Tanium Client API calls to avoid reusing previously cached URLs. You should use this setting only with guidance from Tanium Support.
UNC Path Host Allowed List (comma separated)
Specify the hostnames and IP addresses, separated by commas, for which the system allows access via UNC paths. The asterisk (*) character is a wildcard that matches any characters or none in a target hostname or IP address.
Software Package Gallery
For air-gapped environments, select Enable Alternate Software Package Gallery Location and then specify a location in the Alternate Software Package Gallery Location field. For more information, see Configure an alternate location for the Predefined Package Gallery.
Auto-Distribute Catalog
If you want the software package catalog to be automatically distributed, you must select Enable Auto-Distribute Catalog. New installations of Deploy automatically distribute the software package catalog to endpoints when changes are detected. If you do not enable this option, you are prompted to distribute the software package catalog each time an update is detected, and must click Distribute Catalog.
Click Save.

Configure an alternate location for the Predefined Package Gallery

The Predefined Package Gallery in Tanium Deploy provides a collection of common software packages that are hosted at content.tanium.com. These packages are preconfigured and ready to deploy to endpoints. By default, the Tanium Server in an air-gapped environment cannot directly access Deploy Gallery package definitions. To address this scenario, you can configure an alternative Gallery location so that a Tanium Server in an air-gapped environment can still download the Gallery.

To ensure the Tanium Server can download the Gallery, use a computer that is connected to the internet to download the software package definitions and then place the definitions in a location defined on your local network that is accessible to your Tanium Server.

For more information about using the Deploy Gallery, see Import a software package from the Predefined Package Gallery.

Stage the Predefined Package Gallery in a location accessible to the Tanium Server

Download the Package Gallery ZIP file and place it where it can be accessed by the Tanium Server.

The network location that you specify must be accessible by the Tanium Server. To use a UNC path or a credential-protected URL, configure the settings based on the Tanium Server version and operating system.
- Tanium Server 7.5.3.3503 and later: You must configure a downloads authentication entry for the UNC path or credential-protected URL. For information about configuring a downloads authentication entry, see Tanium Console User Guide: Managing downloads authentication.
- (TanOS) Tanium Server earlier than 7.5.3.3503: You must configure credentials in the TanOS Tanium Operations menu. For information, see Tanium Appliance Deployment Guide: Add an authentication user for TDownloader
- (Windows) Tanium Server earlier than 7.5.3.3503: You must configure the Tanium Server service account to run as a Windows user with sufficient permissions. For information, see Tanium Appliance Deployment Guide: Add an authentication user for TDownloader
Tanium does not support hidden or administrative shares.

The Package Gallery ZIP file contains JSON content for each software package in the Gallery. In environments that are not air-gapped, this JSON content is downloaded automatically from content.tanium.com. Because air-gapped environments do not have access to the internet, the ZIP file must be staged in a location that the Tanium Server can access.

Configure the alternate Gallery location

On the Deploy Overview page, click Settings and then click Configuration Settings.
In the General Settings section, select Enable Alternate Software Package Gallery Location and then specify a location in the Alternate Software Package Gallery Location field.
For example, a UNC location might look like this: \\myserver.example.local\files\deploy-software-package-gallery.zip.
Click Save and then confirm your changes.
On the Deploy Overview page, click Help , and then click Support > Initialize Endpoints.
In the Support tab, click View Job Status and confirm that Sync Software Gallery appears with a green check mark.
Close the window and let the Package Gallery synchronize to Deploy. This process typically takes 5-10 minutes.

Add files to a software package

When you import a software package from the Gallery, the Tanium Server attempts to download the files associated with that software package. However, air-gapped Tanium Servers cannot download the files, which causes a Sync Software Package warning to appear. For information about fixing the error so that the imported software package can be used by the air-gapped Tanium Server, see Deploy cannot access the origin of a software package file.

Create a custom operating system

To make a specific operating system version available for use in the Restrict Operating System menu for software packages, you can create a new operating system in the Deploy settings.

On the Deploy Overview page, click Settings and then click Operating Systems.
Click Add Operating System.
Select the OS platform, and then specify a name and version.
Configure the following settings as needed:
- (Windows) In the Type drop-down menu, specify whether the OS is for servers or workstations.
- (Linux) In the Distribution drop-down menu, specify the type of Linux distribution for the OS.
Click OK.

Initialize Deploy endpoints

Deploy installs a set of tools on each endpoint that you have targeted. Initializing the endpoints starts the Deploy service and starts the Deploy process on every endpoint where it is not running.

On the Deploy Overview page, click Help , and then click Support if needed.
Click Initialize Endpoints and confirm your action.

After deploying the tools for the first time, endpoints can take up to four hours to display status.