Managing software

Use software packages to install, update, or remove software on a set of target computers. Use software bundles to specify a sequenced list of software packages to deploy. Deploy also provides a gallery of common software packages in the Predefined Package Gallery.

The Predefined Package Gallery page lists predefined software package templates that you can import. Use the software package gallery to import third-party software package templates to install, update, or remove software on a set of target computers.

Tanium does not repackage or redistribute third-party software installers. The Tanium software package templates provide you with the remote file paths to directly download the software installer from the third-party vendor. You must review any applicable third-party End User Licensing Agreement (EULA) before you import third-party software to the Tanium software package catalog. Tanium is not responsible for accepting, nor does it accept, any EULAs from third-party software vendors on your behalf.

Before you begin

For applicability checks and command-line operations, make sure that all endpoints have the required system environment variables defined. For more information, see Windows System environment variables.

Create a software package

  1. From the Deploy menu, go to Software and then click Create Software Package.
  2. In the Package Files section, click Add Package Files to add a local file, remote file, or remote folder.
    These are the files that are needed to silently install an application on a managed device. They include, but are not limited to, msi or exe installers, resource files or folders, package files, configuration files, custom scripts, custom registry files, or license keys.
    If you select a remote file or remote folder, ensure that the Tanium Module Server service account can access the remote location and has sufficient permissions.
  3. In the Package Details section, provide the general product information, select the OS platform, and click Choose Icon to upload an icon for self service deployments.
    • If the package files include one or more Windows Installer packages (MSI file format), you can click Inspect MSI to Populate Fields to extract information from the .msi file and verify the pre-populated information. Using this feature does not overwrite any information that you previously entered manually.
    • The account that is set for the Deploy service account must have access to execute PowerShell on the Tanium Module Server.

    If the package files include one or more Windows Installer packages (MSI file format), you can click Inspect MSI to Populate Fields to extract information from the .msi file and verify the pre-populated information. Using this feature does not overwrite any information that you previously entered manually.

  4. In the System Requirements section, provide the minimum system requirements for the package to run on the endpoint.
  5. In the Deploy Operations section, select which operations you want to enable: Install, Update, or Remove, and add conditional commands for any of the Deploy operations that you enabled for this package. (Windows) For more information, see Variables for Windows applicability scans and command-line operations.

    If you chose to inspect the MSI, some operations are already enabled and information is pre-populated. You can verify or update any of the pre-populated information.

    Check for Running Processes

    Specify a process name, for example, Chrome.exe, and choose whether to terminate or pause the process.

    Run Command

    Specify an install, update, or remove command to run and choose whether to run the command as the System or the Active User. If any part of the path in a command contains a space, use double quotation marks, even if you use variables.

    File/Folder

    Copy a file or folder, create a folder, delete a file or folder, extract a file or folder, or rename a file or folder. For file/folder actions, the source is the folder from which the package is running. If you specify a different folder, for example, c:\temp, specify the fully qualified path. The destination requires the fully qualified path. For more information, see File/Folder actions.

    Tanium Client File Request

    Specify an HTTP(S) address or a UNC file path and file name. Any URI that you enter must be allowed on the Tanium Server. For more information, see Tanium Platform User Guide: Managing allowed URLs.

  6. In the Installation Requirements section, add a list of detection rules for prerequisite software. (Windows) For more information, see Variables for Windows applicability scans and command-line operations and WMI queries.
  7. (Optional) If the Update operation is selected, add a list of detection rules for previous versions. (Windows) For more information, see Variables for Windows applicability scans and command-line operations and WMI queries.
  8. In the Install Verification section, add a list of detection rules for installation verification. For more information, see Variables for Windows applicability scans and command-line operations and WMI queries.
  9. Click Create Package. You can also click Save and Finish Later to finish creating the package later.

Variables for Windows applicability scans and command-line operations

When you create a Windows software package, you can use ||PROGRAMFILES32BIT||, ||PROGRAMFILES||, ||ACTIVEUSERPROFILE||, or ||ACTIVEUSERREGISTRY|| as variables for applicability scans and command-line operations. For the Requirements, Update Detection, and Install Verification sections, you can use these variables if you select the Registry Path, Registry Data, File Path or File Version filter fields.

Installer Architecture Variable Path
32-bit on 32-bit endpoint ||PROGRAMFILES32BIT||

Path to Program Files folder

(example: C:\Program Files)

32-bit on 64-bit endpoint ||PROGRAMFILES32BIT|| C:\Program Files (x86)
64-bit on 32-bit endpoint ||PROGRAMFILES|| C:\Program Files
64-bit on 64-bit endpoint ||PROGRAMFILES|| C:\Program Files
Any ||ACTIVEUSERPROFILE||

Profile directory of the active authenticated user

(example: C:\users\john.smith)

Any ||ACTIVEUSERREGISTRY||

Registry hive of the active authenticated user

(example: HKEY_USERS\USER-SID\)

Use double quotation marks (") if any part of the path in a command contains a space, even if you use variables.

WMI queries

You can use a Windows Management Instrumentation (WMI) query to query information from WMI classes for any of the detection rules within a software package. If you use a WMI query, you cannot query against the Win32_Product WMI class.

For more information, see [Microsoft Documentation]: Win32_Product class.

File/Folder actions

You can perform the following actions for files and folders.

Do not use quotation marks in the folder path or file name in File/Folder actions.

Copy File/Folder

Specify the fully qualified path and file name. If the destination is a folder, Deploy copies the source to the destination folder; it does not replace an existing folder. For example, a command to copy firefox.app to /Applications/firefox.app with overwrite enabled produces the following results, depending on whether /Applications/firefox.app is an existing folder: If not, Deploy creates /Applications/firefox.app; if so, Deploy creates /Applications/firefox.app/firefox.app. To always replace /Applications/firefox.app, set the destination to /Applications instead of /Applications/firefox.app.

Create Folder

Creates a folder. If you specify a parent folder path that does not exist, it is created. For example, c:\temp\myfiles creates c:\temp folder and myfiles subfolder.

Delete File/Folder

Any subfolders of the folder that you specify are also deleted.

Extract File/Folder

Supported file types for extracting a file are 7z, tar, zip, bzip2, gzip, xz, and Z. Specify an existing folder path or a folder path to create. For example, specify file example.zip and destination c:\temp\myunzippedfile.

Rename File/Folder

Specify the existing (source) and new (updated) fully qualified path and file names.

Export a software package

You can export a software package so that you can later import the package on a different server or recreate a deleted package.

  1. From the Deploy menu, go to Software.
  2. Click the name of your package and then click Export .

The ZIP file is available in your downloads folder.

Import a software package

You can import a previously exported software package on a different server or recreate a deleted package.

Tanium as a Service does not support importing a package that references a remote file. If a previously exported software package file contains a reference to a remote file, you cannot import that package.

  1. From the Deploy menu, go to Software and then click Import Package.
  2. Browse to the previously exported ZIP file and click Import.
  3. Click (Download File) for any required files.

    Tanium as a Service does not support importing a package that references a remote file.

  4. Click Import or Import Duplicate if you are importing a duplicate package.

Import a software package from the package gallery

  1. From the Deploy menu, go to Software and then click Predefined Package Gallery.
  2. Click Import for the package you want to import.

    To import multiple packages simultaneously, select the packages that you want to import and click Import.

After you import a package from the package gallery and distribute the catalog, you can deploy, edit, delete, or export the package.

If you import the Oracle Java 8 package and want to remove previous versions of Java, you can add REMOVEOUTOFDATEJRES=1 to the end of the run command in the Update Command field of the software package.

Distribute the software package catalog

After you create or edit a software package, the updated software package catalog must be distributed to the endpoints. When the endpoints receive the updated software package catalog, you can view the package applicability.

New installations of Deploy automatically distribute distributes the software package catalog to endpoints when changes are detected. If you disable the Auto-Distribute Catalog option in the Configuration Settings tab of the Deploy Settings , you are prompted to distribute the software package catalog each time an update is detected, and must click Distribute Catalog.

If you upgraded from Deploy 2.1.9 or earlier and want the software package catalog to be automatically distributed, you must enable the Auto-Distribute Catalog option in the Configuration Settings tab of the Deploy Settings . If you do not enable this option, you are prompted to distribute the software package catalog each time an update is detected, and must click Distribute Catalog.

Figure  1:  Distribute software package catalog

Replace or add a new package to the software package catalog

If a software package that is being imported already exists in the software package catalog, you are presented with two options prior to importing again. If you want to replace the existing package, select Replace existing. If you want to import the package, but also keep the existing one, select Save as another software package. You must then update at least one of the fields to create a unique record in the software package catalog.

Figure  2:  Package already exists

View software package applicability

  1. From the Deploy menu, go to Software and then expand a package.
    You can also view the software package applicability by additionally clicking your package name.
  2. For more details about a specific applicability state, click the link that corresponds to the number and percentage of endpoints in that applicability state.
  3. To view the applicability details for the endpoints, click Full Report.

Create a software bundle

  1. From the Deploy menu, go to Software and then click Software Bundles.
  2. Click Create Software Bundle.
  3. In the Bundle Details section, specify the bundle name and optionally a description.
  4. In the Bundle Workflow section, select software options.
    1. Click Add to select the software packages to add to the bundle.
    2. Select a specific version, or choose Latest Applicable to automatically select the latest available version for each endpoint.
    3. Select the operation: Install Or Update, Install, Update, or Remove.
    4. Select whether you want the bundle to exit or continue or if the package fails.

    You can change the order of the packages by dragging the package.

  5. Click Create Bundle.

Edit a software package or bundle

To edit a package or bundle, click the name of your package or bundle and then click Edit.

When a software package or bundle is edited and saved, the version number of the package or bundle is incremented. All existing deployments continue to use the version that is specified at the time of deployment until the updated software package catalog is distributed.

Copy a software package or bundle

To copy a package or bundle, click the name of your package or bundle and then click Copy.

When a software package or bundle is copied, the name is automatically prepended with Copy - .

Delete a software package or bundle

To delete a package or bundle, click the name of your package or bundle and then click Delete .

You can delete a software package or bundle only if it is not referenced in an active deployment.