Maintaining Deploy

Perform regular maintenance tasks to ensure that Deploy successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Deploy is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting Deploy for related procedures.

Perform weekly maintenance

Monitor Deploy metrics and update the configurations, if necessary.

From the Main menu, go to Modules > Trends > Boards.
Click IT Operations Metrics to view the Deploy Coverage, Endpoints Missing Software Updates Released Over 30 Days, Mean Time to Deploy Software, and Software Installed by Self Service User Request panels in the Deploy section.
Monitor and troubleshoot Deploy coverage.
Monitor and troubleshoot endpoints missing software updates released over 30 days.
Monitor and troubleshoot mean time to deploy software .
Monitor and troubleshoot software installed by self service user request.

Perform monthly maintenance

Review and remediate Deploy coverage

From the Main menu, go to Modules > Deploy > Overview.
Scroll to the Health dashboard to verify that the Deploy process is running on all endpoints.
To investigate endpoints that are not running the process, click the number above False in the Running Deploy panel. Tanium CloudThe Tanium Server opens the Deploy - Endpoint Deployment Process Running report for the affected endpoints.
To investigate Deploy coverage issues, scroll up to the Summary dashboard and click the number above Needs Attention in the Deploy Coverage panel. Tanium CloudThe Tanium Server opens the Deploy - Coverage Status Details report for the affected endpoints.
To troubleshoot issues related to the Deploy process or coverage, see Troubleshoot Deploy process not running .

Remove unused Deploy software packages

Go to Modules > Deploy > Software.
Review the Software Packages and delete unused packages.
For example, delete software packages that are not the latest version or software that you are no longer using. For more information, see Managing software.

Stop unneeded ongoing deployments

Go to Modules > Deploy > Deployments > Active.
Review the deployments and stop any deployments that are no longer needed.

Perform quarterly maintenance

If you install Deploy with default settings, it includes the Tanium Deploy action group, to which the All Computers computer group is assigned. If you changed computer group assignments for the Tanium Deploy action group, or if you created custom action groups for Deploy, review those action groups and, if necessary, update them. For example, if you discover that the Deploy tools are not installed on all the necessary endpoints, you might have to change the computer group assignments in the Tanium Deploy action group.

From the Main menu, go to Administration > Actions > Action Groups.
Use the filters to list only the groups that are for Deploy operations. See Tanium Console User Guide: View action groups.
For example, if the custom action groups all have the string "Deploy" in their names, enter Deploy in the Filter items field.
Edit, create, or delete action groups if necessary to ensure Deploy targets the correct computer groups. See Tanium Console User Guide: Managing action groups.

Perform semi-annual maintenance

Review Deploy self-service profiles and, if necessary, update them to ensure that users have access to all the self-service capabilities:

From the Main menu, go to Administration > Modules > Deploy > Self Service Profiles and review the profiles. Expand each profile and verify that all the operations are successful .
From the Deploy menu, go to Deployments > Self Service and review the Failures column.
Troubleshoot self-service installations if necessary to resolve issues. See Monitor and troubleshoot software installed by self service user request.
Edit, create, or delete self-service profiles if necessary to resolve issues. See Managing End-User Self Service.

Monitor and troubleshoot Deploy coverage

The following table lists contributing factors into why the Deploy coverage metric might report endpoints as Needs Attention or Unsupported, and corrective actions you can make.

Contributing factor	Corrective action
Gaps in Deploy action group membership	Ensure that all endpoints that have a supported configuration for Deploy have the Deploy tools installed. These endpoints should be added to computer groups that can be members of the Deploy action group.
Gaps in End-User Notifications tools installations	Users cannot receive notifications for actions that are about to happen or configure the Self Service Client application. Ensure that all endpoints that have a supported configuration have the End-User Notifications tools installed. Ensure that any endpoint that is using the Self Service Client application has a properly configured and targeted End User Notification customization profile. Ensure that all other endpoints have a default fallback profile configured in case the tools need to be accessed.
Gaps in Trends metric reports	Ensure that all computer groups that are part of the Deploy action group are also part of the End-User Notifications action group.

Contributing factor

Corrective action

Gaps in Deploy action group membership

Ensure that all endpoints that have a supported configuration for Deploy have the Deploy tools installed. These endpoints should be added to computer groups that can be members of the Deploy action group.

Gaps in End-User Notifications tools installations

Users cannot receive notifications for actions that are about to happen or configure the Self Service Client application.

Ensure that all endpoints that have a supported configuration have the End-User Notifications tools installed.

Ensure that any endpoint that is using the Self Service Client application has a properly configured and targeted End User Notification customization profile.

Ensure that all other endpoints have a default fallback profile configured in case the tools need to be accessed.

Gaps in Trends metric reports

Ensure that all computer groups that are part of the Deploy action group are also part of the End-User Notifications action group.

Monitor and troubleshoot endpoints missing software updates released over 30 days

The following table lists contributing factors into why the endpoints missing software updates released over 30 days metric might be higher than expected, and corrective actions you can make.

Contributing factor	Corrective action
Gaps in maintenance window coverage	Verify that the Computers with Enforced Maintenance Windows chart in the Health section of the Deploy Overview page shows 100% enforcement. Ensure that endpoints have enough time to download and perform the installation. Use the Download immediately option for future deployments so that endpoints are ready when the deployment start time begins. If your business needs require a hard stop, set your maintenance window to end 30 minutes prior to that hard stop to ensure that deployments complete in time to adhere to business needs.
Software is not installing due to maintenance windows being too restrictive	Ensure that maintenance windows properly overlap with deployment times and change control process timelines. Use End-User Notifications to provide users with options to postpone actions, such as installations or updates. Use the Make Available Before Start Time option for self service deployments that are set for the future.
Software hits a timeout or does not install properly	Ensure that you have a supported silent installation command-line option that is supported by the vendor. Consult with the vendor or developer of the software for the best practices to install the software.
The installer does not have a silent installation option	Use a third-party repackaging solution, such as AdminStudio or InstallShield, that offer the ability to assist in making a custom installer. Request that the vendor create a proper silent installer for larger deployments.

Monitor and troubleshoot mean time to deploy software

The following table lists contributing factors into why the mean time to deploy software metric might be higher than expected, and corrective actions you can make.

Contributing factor	Corrective action
Files are not uploading to a package properly	(Windows) Ensure that the permissions are properly set to remote Windows file servers. (Appliance) Ensure that you set up the Module Server TDL to access the shares. For more information, see Tanium Appliance User Guide: Add an authentication user for TDownloader.
Packages are not downloading from the Predefined Package Gallery	Ensure that the Tanium Server can download the packages from the remote URL. Check any proxies, firewalls, or network connectivity. Ensure that your TDL settings are correct. For more information, see Maintaining Deploy.
It takes too long to test the software and get it ready for production	Reevaluate your process for software testing: Are there any gaps or delays in the process? Are there too many points of contact for reporting issues? Are endpoints being tested that may not be relevant for the deployment? Evaluate conditions that surround problem resolution and retesting. Hold people accountable to timelines. For endpoints that might exhibit compatibility or testing issues, consider a shared solution, such as Terminal, Remote Desktop Server, Citrix XenApp, or App-V.

Contributing factor

Corrective action

Files are not uploading to a package properly

(Windows) Ensure that the permissions are properly set to remote Windows file servers.

(Appliance) Ensure that you set up the Module Server TDL to access the shares. For more information, see Tanium Appliance User Guide: Add an authentication user for TDownloader.

Packages are not downloading from the Predefined Package Gallery

Ensure that the Tanium Server can download the packages from the remote URL.

Check any proxies, firewalls, or network connectivity.

Ensure that your TDL settings are correct.

For more information, see Maintaining Deploy.

It takes too long to test the software and get it ready for production

Reevaluate your process for software testing:

Are there any gaps or delays in the process?
Are there too many points of contact for reporting issues?
Are endpoints being tested that may not be relevant for the deployment?

Evaluate conditions that surround problem resolution and retesting.

Hold people accountable to timelines.

For endpoints that might exhibit compatibility or testing issues, consider a shared solution, such as Terminal, Remote Desktop Server, Citrix XenApp, or App-V.

Monitor and troubleshoot software installed by self service user request

The following table lists contributing factors into why the software installed by self service user request metric might be different than expected, and corrective actions you can make.

Contributing factor	Corrective action
Help desk spends too much time installing software for users	Use self service options for software that is pre-approved, to ease the load on your help desk. Applications that make the best candidates for self service are: Freeware (example: Chrome or Firefox) Software that is available for all systems, but are discretionary by business needs (example: Zoom, Notepad++, or specific line of business applications)
Users install unapproved software	Use self service options, but limit the applications that the user has access to, by default. Consider locking down administrative permissions on the endpoints, if available. For software that might require additional approvals, such as software that requires a purchased license, target only endpoints that are approved to install that software.

Contributing factor

Corrective action

Help desk spends too much time installing software for users

Use self service options for software that is pre-approved, to ease the load on your help desk.

Applications that make the best candidates for self service are:

Freeware (example: Chrome or Firefox)
Software that is available for all systems, but are discretionary by business needs (example: Zoom, Notepad++, or specific line of business applications)

Users install unapproved software

Use self service options, but limit the applications that the user has access to, by default.

Consider locking down administrative permissions on the endpoints, if available.

For software that might require additional approvals, such as software that requires a purchased license, target only endpoints that are approved to install that software.