Managing software

Use software packages to install, update, or remove software on a set of target computers. Use software bundles to specify a sequenced list of software packages to deploy. Deploy also provides a gallery of common software packages in the Predefined Package Gallery.

The Predefined Package Gallery page lists predefined software package templates that you can import. Use the Predefined Package Gallery to import third-party software package templates to install, update, or remove software on a set of target computers.

Tanium does not repackage or redistribute third-party software installers. The Tanium software package templates provide you with the remote file paths to directly download the software installer from the third-party vendor. You must review any applicable third-party End User Licensing Agreement (EULA) before you import third-party software to the Tanium software package catalog. Tanium is not responsible for accepting, nor does it accept, any EULAs from third-party software vendors on your behalf.

Before you begin

For applicability checks and command-line operations, make sure that all endpoints have the required system environment variables defined. For more information, see Windows System environment variables.

Create a software package

  1. From the Deploy menu, go to Software and then click Create Software Package.
  2. In the Package Files section, click Add Package Files to add a local or remote file or remote folder.

    These are the files that are needed to install an application on a managed device. They include, but are not limited to, MSI or EXE installers, resource files or folders, package files, configuration files, custom scripts, custom registry files, or license keys.

    You can select multiple files at once, but you cannot upload entire folder structures as a local file. To use an entire folder, first compress the folder contents into a compressed archive file (such as a ZIP file), then add the compressed file to the software package. For information about using Deploy to extract a file, see File/Folder actions.

    If you select a remote file or remote folder, ensure that the Tanium Module Server service account can access the remote location and has sufficient permissions.
    If you select a remote file, configure network egress allow list rules to ensure that the Tanium Cloud can access the remote location. For more information, see Tanium Cloud Deployment Guide: Configuring network egress allow list rules in the CMP.
  3. In the Package Details section, provide the general product information, select the OS platform, and specify the Self Service display name and icon to upload for self service deployments.
    • If the package files include one or more Windows Installer packages (MSI file format), you can click Inspect MSI to Populate Fields to extract information from the .msi file and verify the pre-populated information. Using this feature does not overwrite any information that you previously entered manually.
    • The account that is set for the Deploy service account must have access to execute PowerShell on the Tanium Module Server.

    OS Platform

    Specify an operating system platform. If the software package should only be run on certain versions of the platform, click Restrict Operating Systems in the System Requirements section.

  4. In the System Requirements section, provide the minimum system requirements for the software package to run on the endpoint.

    Disk Space Required

    Configure the minimum available system disk space required. For best results, specify at least three times the total size of the package files.

    Minimum Ram

    Configure the minimum physical RAM required.

    Architecture

    Configure the allowed architectures for the software package based on the platform. On endpoints where the architecture does not match, the software package will show a status of Not Applicable.

    (Windows) Select x86 for software that cannot be installed on 64-bit Windows systems. Select x64 for software that can be installed on 64-bit Windows systems. Select Select All for x86 software that can be installed on 64-bit Windows.

    (macOS) Select x64 for software that should only be installed on Intel-based Mac endpoints. Select ARM64 for software that has only a native ARM64 binary. Select Select All for software that has a universal binary, does not install a binary, or can run using Rosetta.

    (Linux) Select x86, x64, or ARM64 based on the platform for which the software is compiled. Select any combination of the three options for software packages that do not install compiled code or that do so in a platform-agnostic fashion.

    Restrict Operating Systems

    Click Restrict Operating Systems and then select the supported operating systems on which to allow Deploy to install or update the software package. The software package will still be considered installed if the Install Verification criteria are met on non-restricted operating systems. Specific operating systems can be targeted for deployments and self service profiles without making a selection in the software package.

    Specify an operating system only if the software package should never be installed or updated on other operating systems. If you need an operating system that is not available, you can add one in Deploy settings. For more information, see Create a custom operating system.

  5. In the Deploy Operations section, select which operations you want to enable: Install, Update, or Remove, and add conditional commands for any of the Deploy operations that you enabled for this package. For each operation, select the Require Source Files option if any of the files in the Package Files section are required to perform the operation. If you do not select this option, the package files are not downloaded. (Windows) For more information, see Variables for Windows applicability scans and command-line operations.

    If you chose to inspect the MSI, some operations are already enabled and information is pre-populated. You can verify or update any of the pre-populated information.

    Check for Running Processes

    Specify a process name, for example, Chrome.exe, and select either Terminate process or Pause until process is no longer running. If you choose to pause the process, the wait time is five minutes.

    Run Command

    Specify an install, update, or remove command to run and choose whether to run the command as the System or the Active User on Windows endpoints. If any part of the path in a command contains a space, use double quotation marks, even if you use variables.

    File/Folder

    Extract a compressed file, copy a file or folder, create a folder, delete a file or folder, or rename a file or folder. For more information, see File/Folder actions.

    Tanium Client File Request

    Specify an HTTP(S) address or a UNC file path and file name. Any URI that you enter must be allowed on the Tanium Server. For more information, see Tanium Platform User Guide: Managing allowed URLs.

    • To use any of these actions with a file attached to this software package, enter the file name in the source field.

    • (Linux) To install a file attached to the software package using the apt command, specify an absolute or relative path and escape the slash, for example apt --yes install .\/zoom_amd64.deb. To install a file attached to the software package without specifying a path, use the dpkg command.

    • To extract or copy a file or folder to the working directory used for running this software package, enter a period in the destination field. If the file or folder should go to a different location, specify the fully qualified path, such as "C:\Program Files" or /opt/Tanium.

    • Variables are not supported in File/Folder commands.

  6. In the Installation Requirements, Update Detection, and Install Verification sections, configure applicability rules that determine whether this software package is install eligible, update eligible, or installed, respectively. For detailed information about how Deploy determines applicability, see Software package applicability in Deploy.
  7. Deploy automatically encloses file and registry paths in double quotation marks, so you do not need to use quotation marks for file or path names that contain spaces.

    • You can refer to file and registry paths specific to the active user of a Windows endpoint. You can also refer to the 32-bit Program Files or native Program Files directory with a single rule. For more information, see Variables for Windows applicability scans and command-line operations.
    • You can use a Windows Management Instrumentation (WMI) query to query information from WMI classes for any of the detection rules within a software package. If you use a WMI query, you cannot query against the Win32_Product WMI class. For more information, see Microsoft Documentation: Win32_Product class.
  8. Click Create Package. You can also click Save and Finish Later to finish creating the package later.

Next steps

Variables for Windows applicability scans and command-line operations

When you create a Windows software package, you can use ||PROGRAMFILES32BIT||, ||PROGRAMFILES||, ||ACTIVEUSERPROFILE||, or ||ACTIVEUSERREGISTRY|| as variables for applicability scans and command-line operations. For the Requirements, Update Detection, and Install Verification sections, you can use these variables if you select the Registry Path, Registry Data, File Path or File Version filter fields.

Installer Architecture      Variable                 Path
32-bit on 32-bit endpoint   ||PROGRAMFILES32BIT||    Path to Program Files folder (example: C:\Program Files)
32-bit on 64-bit endpoint   ||PROGRAMFILES32BIT||    C:\Program Files (x86)
64-bit on 32-bit endpoint   ||PROGRAMFILES||         C:\Program Files
64-bit on 64-bit endpoint   ||PROGRAMFILES||         C:\Program Files
Any                         ||ACTIVEUSERPROFILE||    Profile directory of the active authenticated user (example: C:\users\john.smith)
Any                         ||ACTIVEUSERREGISTRY||   Registry hive of the active authenticated user (example: HKEY_USERS\USER-SID\)

Use double quotation marks (") if any part of the path in a command contains a space, even if you use variables.

File/Folder actions

You can perform the following actions for files and folders.

Do not use quotation marks in the folder path or file name in File/Folder actions.

  • Copy File/Folder: Specify the fully qualified path and file name. If the destination is a folder, Deploy copies the source to the destination folder; it does not replace an existing folder. For example, a command to copy firefox.app to /Applications/firefox.app with overwrite enabled produces the following results, depending on whether /Applications/firefox.app is an existing folder:
    • If /Applications/firefox.app is not an existing folder, Deploy creates /Applications/firefox.app.
    • If /Applications/firefox.app exists, Deploy creates /Applications/firefox.app/firefox.app.

    To always replace /Applications/firefox.app, set the destination to /Applications instead of /Applications/firefox.app.

  • Create Folder: Creates a folder. If you specify a parent folder path that does not exist, it is created. For example, c:\temp\myfiles creates c:\temp folder and myfiles subfolder.
  • Delete File/Folder: Any subfolders of the folder that you specify are also deleted.
  • Extract File/Folder: Supported file types for extracting a file are 7Z, TAR, ZIP, BZIP2, GZIP, XZ, and Z. You can specify the following options for extract commands.
    • Specify whether to overwrite existing files. If there is an existing file, however, you must also select Continue in the On Failure or Error section; otherwise, the extract command fails and Deploy retries the software package operation.
    • Specify a Command Timeout in minutes. The extract operation will time out after the number of minutes you specify. For best results, specify 1 minute for each 50 MB of file size. For example, if your file is 1 GB, specify a Command Timeout value of 20 minutes.
    • In the Extract To section, specify an option. Root of Destination extracts the contents of the compressed file in the specified destination. Folder within Destination creates a folder in the specified destination with the same name as the compressed file, and then extracts the file to the newly created folder.
    • As an example, to use the contents of an attached package file example.zip in a software package, specify example.zip as the Source and . as the Destination. Select Root of Destination and Overwrite Existing Files. Then, if example.zip contains a Setup.exe file that should be executed in this software package operation, add a Run Command step with Setup.exe at the start of the Run Command.
  • Rename File/Folder: Specify the existing (source) and new (updated) fully qualified path and file names.

Export a software package

You can export a software package so that you can later import the package on a different server or recreate a deleted package.

  1. From the Deploy menu, go to Software.
  2. Click the name of your package and then click Export.

The ZIP file is available in your downloads folder.

Import a software package

You can import a previously exported software package on a different server or recreate a deleted package.

  1. From the Deploy menu, go to Software and then click Import Package.
  2. Browse to the previously exported ZIP file and click Import.
  3. Click (Download File) for any required files.
  4. Click Import or Import Duplicate if you are importing a duplicate package.

Import a software package from the Predefined Package Gallery

You can select one of two ways to import a software package:

  • You manually import a software package from the Predefined Package Gallery.
  • Deploy automatically imports the software package if Tanium updates the package or adds a new version of the package.

    If you installed Deploy with the Apply All Tanium recommended configurations option, certain packages are automatically imported by default. For the list of packages, see Import Deploy with default settings. You can modify the default import setting.

    Certain packages are automatically imported by default. For the list of packages, see Configuring Deploy. You can modify the default import setting.

For guidance on determining the import setting for a software package, see Impact of software package import setting and deployment settings on ease of use.

For a complete list of the software packages available in the Predefined Package Gallery, see Reference: Predefined Package Gallery.

  1. From the Deploy menu, go to Software and then click Predefined Package Gallery.
  2. Select the packages you want to import and click Import Settings.
    1. Select the import type.

      If you select the automatic import option, the package is immediately imported. Subsequent automatic imports occur hourly as needed, according to the software package gallery update schedule. If a package is automatically imported by Tanium, you can select the manual import option to stop the automatic import.

      Packages that are automatically imported are marked as In Use on the Software Packages page.

    2. Select if you want to enable package cleanup. If you enable cleanup, enter how many versions to keep of a software package.

      Package cleanup deletes the oldest version of the software package when a new version is imported that exceeds the specified limit. Package cleanup occurs hourly.

    3. Click Save.
  3. If you selected manual import, import the package by clicking Import package in the Actions column.

    Or you might import a package to reset it to the out-of-box configuration.

    You cannot manually import the packages that Tanium automatically imports, unless you have changed the default import setting.

After you import a package and distribute the catalog, you can deploy, edit, delete, or export the package. If a package is marked as Tanium Managed on the Software Packages page, you cannot edit or delete it unless you change the import setting to manual.

If Deploy cannot access the origin of a software package file, you can edit the package and manually add any inaccessible files. For more information, see Deploy cannot access the origin of a software package file.

If you import the Oracle Java 8 package and want to remove previous versions of Java, you can add REMOVEOUTOFDATEJRES=1 to the end of the run command in the Update Command field of the software package.

Impact of software package import setting and deployment settings on ease of use

Review the following table to understand how the software package import setting and the deployment type and settings impact what you need to do to keep software packages and deployments up-to-date.

Software package import setting: Manual import

  • You must monitor the software package gallery for changes to the specific package version and additional package versions.

  • When Tanium updates a package or releases a new package version, add the package to the deployment.

Software package import setting: Automatically import updated and new versions as they are released

Package included in software package deployment

  • If Tanium updates a specific package version, the deployment automatically uses the updated package.

  • When Tanium creates a new package version, add the package to the deployment.

Package included in software bundle deployment

  • If a software package in a bundle uses the Latest Applicable version and Tanium updates a specific package version or creates a new package version, the deployment automatically uses the updated or new package. To configure the Latest Applicable setting, see Create a software bundle.

    To maximize ease of use, automatically import software packages and use software bundles with the Latest Applicable version in deployments.

  • If the software bundle does not use the Latest Applicable version and Tanium updates a specific package version, the deployment automatically uses the updated version. If Tanium creates a new package version, the deployment is updated with the new package, but you need to select the most recent version to deploy.

Distribute the software package catalog

After you create or edit a software package, the updated software package catalog must be distributed to the endpoints. When the endpoints receive the updated software package catalog, you can view the package applicability.

New installations of Deploy automatically distribute the software package catalog to endpoints when changes are detected. If you disable the Auto-Distribute Catalog option in the Configuration Settings tab of the Deploy Settings, you are prompted to distribute the software package catalog each time an update is detected, and must click Distribute Catalog.

If you upgraded from Deploy 2.1.9 or earlier and want the software package catalog to be automatically distributed, you must enable the Auto-Distribute Catalog option in the Configuration Settings tab of the Deploy Settings. If you do not enable this option, you are prompted to distribute the software package catalog each time an update is detected, and must click Distribute Catalog.

Distribute software package catalog

Manually replace or add a new package to the software package catalog

If a software package that is being manually imported already exists in the software package catalog, you are presented with two options prior to importing again. If you want to replace the existing package, select Replace existing. If you want to import the package, but also keep the existing one, select Save as another software package. You must then update at least one of the fields to create a unique record in the software package catalog.

Package already exists

View software package applicability

To view software package applicability and understand the results, review the Interact question results, software package details, and endpoint log files. The following example describes how to view and understand the applicability results for the Igor Pavlov 7-Zip v22.01.00.0 software package on one endpoint.

  1. From the Deploy menu, go to Software > Software Packages and click the 7-Zip package. Note that the 7-Zip package is not applicable on one endpoint.
    You can also view the software package applicability by expanding the package name.
    Software package not applicable on an endpoint
  2. For more details about a specific applicability state, click Details by Endpoint > View Online Data or View Cached Data.

    In this example, WIN2022-patch-pre-merge is an endpoint with Not Applicable results.

    Endpoint results
  3. In Interact, review the Reasons column. Consider the following information:

    • Each answer in the Reasons column is the result of the evaluation of one of the applicability rules in the software package.

    • Each Applicability result does not directly relate to each Reason. If one result is Not Applicable, for example, all Applicability results are Not Applicable.

    • The answers are not displayed in evaluation order. In the image in step 2, each answer is numbered according to the evaluation order specified in Software package applicability in Deploy. For example, the answer marked with 1 corresponds with the System architecture criteria, the answers marked with 2 correspond with the Install Verification criteria, and so on.
  4. To identify which item corresponds with each criterion, compare the results in the Reasons column to the software package details. The following image shows the Install Verification, Update Detection, and Installation Requirements sections.

    Software package details

    This software package is not Installed on this endpoint because the Install Verification criteria are not met. The two registry paths do not exist and there is not an installed application that matches the regular expression of a 32-bit 7-Zip 22.01.00.0.

    The software package is not Update Eligible because the Update Detection criteria are not met. There is not an installed application that matches the regular expression of a 32-bit 7-Zip 22.01.00.0 or older.

    The software package is Not Applicable instead of Install Eligible because the Installation Requirements criteria are not met. There is an installed application name that contains 7-Zip. The results of the Install Verification and Update Detection criteria indicate that this endpoint does not have 32-bit 7-Zip 22.01.00.0 or older installed. So either a newer version of 32-bit 7-Zip is installed or a 64-bit version of 7-Zip is installed.

  5. To quickly evaluate which version of 7-Zip is installed on the endpoint, ask Interact questions on the impacted endpoint.

    1. On the Questions Results page, drill down on the impacted endpoint.
    2. In this example, build a question using the Installed Applications filter with the name of 7-Zip.

      Drill down on endpoint

      This package is not applicable on the endpoint because the endpoint has a 64-bit version of 7-Zip and the software package specifies a non-64-bit version of 7-Zip.

  6. To see an ordered list of applicability results for easier analysis, review the impacted endpoint's software-management.log file. For the log location, see Collect Deploy troubleshooting information from endpoints.

    Search for Determining applicability status for software package 19 to find the most recent instance of this line. 19 is the ID of the software package.

    The log provides more details than are available in Interact. The log identifies that the Installed application rule matches the installed application name of 7-zip 19.00 (x64).

    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Determining applicability status for software package 19
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{23170F69-40C1-2701-2201-000001000000} exists evaluated as False
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{23170F69-40C1-2701-2201-000001000000} exists evaluated as False
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Registry path HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{23170F69-40C1-2701-2201-000001000000} exists evaluated as False
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Evaluating installed application rule: name regex "^(7\-[Z|z]ip) \d+\.\d+ ?(\((?!x64).*\))?$", version eq 22.01.00.0
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Find application: name=^(7\-[Z|z]ip) \d+\.\d+ ?(\((?!x64).*\))?$, operator=regex, version=22.01.00.0, operator=eq
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Installed application rule evaluated as False
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Evaluating installed application rule: name regex "^(7\-[Z|z]ip) \d+\.\d+ ?(\((?!x64).*\))?$", version lt 22.01.00.0
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Find application: name=^(7\-[Z|z]ip) \d+\.\d+ ?(\((?!x64).*\))?$, operator=regex, version=22.01.00.0, operator=lt
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Installed application rule evaluated as False
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Evaluating installed application rule: name not_contains "7-zip", version None None
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Find application: name=7-zip, operator=contains, version=None, operator=None
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Found matching application: Name: 7-zip 19.00 (x64), Version: 19.0
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Installed application rule evaluated as False
    2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Install requirements NOT met. Package is not applicable

For information about configuring applicability scans, see Applicability scans.
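The log review in step 6, as an added example (not Tanium code): it pulls the most recent scan of one package ID out of software-management.log text and lists each rule result in evaluation order. The line layout is taken from the excerpt above; treating any unrecognized line as the verdict, and using Python's `re` as a stand-in for the client's regex engine, are assumptions.

```python
import re

# Excerpt of the software-management.log lines quoted above (package ID 19).
SAMPLE_LOG = r"""
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Determining applicability status for software package 19
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{23170F69-40C1-2701-2201-000001000000} exists evaluated as False
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Evaluating installed application rule: name regex "^(7\-[Z|z]ip) \d+\.\d+ ?(\((?!x64).*\))?$", version eq 22.01.00.0
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Installed application rule evaluated as False
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Evaluating installed application rule: name not_contains "7-zip", version None None
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Found matching application: Name: 7-zip 19.00 (x64), Version: 19.0
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Installed application rule evaluated as False
2022-09-19 18:41:55Z INFO [PID 1088] [Software Package Scan][software_package_scan]: Install requirements NOT met. Package is not applicable
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[PID (?P<pid>\d+)\] "
                  r"\[[^\]]+\]\[[^\]]+\]: (?P<msg>.*)$")
START = "Determining applicability status for software package "


def messages(log_text):
    """Yield the message part of every line that has the layout shown above."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group("msg")


def last_scan(log_text, package_id):
    """Return the messages of the most recent scan of one package ID."""
    msgs = list(messages(log_text))
    marker = START + str(package_id)
    # Exact comparison, so that ID 19 does not also select ID 190.
    starts = [i for i, m in enumerate(msgs) if m == marker]
    if not starts:
        return []
    block = []
    for m in msgs[starts[-1] + 1:]:
        if m.startswith(START):      # scan of the next package begins
            break
        block.append(m)
    return block


def summarize(block):
    """Return ([(rule, result, matched_application)], verdict) in log order."""
    rows, verdict, pending, matched = [], None, None, None
    for msg in block:
        reg = re.match(r"(Registry path .+ exists) evaluated as (True|False)$", msg)
        if reg:
            rows.append((reg.group(1), reg.group(2) == "True", None))
        elif msg.startswith("Evaluating installed application rule: "):
            pending, matched = msg.split(": ", 1)[1], None
        elif msg.startswith("Found matching application: "):
            matched = msg.split(": ", 1)[1]
        elif msg.startswith("Installed application rule evaluated as "):
            rows.append((pending, msg.endswith("True"), matched))
            pending = matched = None
        elif not msg.startswith("Find application: "):
            verdict = msg            # assumption: any other line states the outcome
    return rows, verdict


def name_rule_matches(rule, app_name):
    """Apply the name part of a 'name regex "..."' rule to an application name."""
    m = re.match(r'name regex "(.*)", version ', rule)
    return bool(m and re.search(m.group(1), app_name))


if __name__ == "__main__":
    rows, verdict = summarize(last_scan(SAMPLE_LOG, 19))
    for number, (rule, result, matched) in enumerate(rows, 1):
        print(number, result, rule, "<-", matched)
    print("Verdict:", verdict)
    # The (?!x64) lookahead is why the 64-bit install does not satisfy the rule.
    print(name_rule_matches(rows[1][0], "7-zip 19.00 (x64)"))
```

The third row shows the not_contains rule evaluating as False together with the application that matched it, which is the detail the Reasons column in Interact does not give.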

Software package applicability in Deploy

When determining software package applicability, Deploy checks the criteria specified in the software package in the following order, stopping at the first section with matching criteria.

  1. System architecture on the endpoint: If the architecture does not match any of the architectures defined in System Requirements, Deploy marks the software package as Not Applicable and moves on to the next software package.

  2. Install Verification criteria: If those criteria match, Deploy marks the software package as Installed and moves to the next software package.

  3. Update Detection: If an Update operation exists, Deploy then checks the Update Detection criteria. If those criteria are met, Deploy checks System Requirements:

    • If System Requirements match, Deploy marks the software package as Update Eligible and moves to the next software package.

    • If System Requirements do not match, Deploy marks the software package as Update Ineligible and moves to the next software package.

  4. Installation Requirements criteria: If Installation Requirements criteria do not match, Deploy marks the software package as Not Applicable and moves on to the next software package. If Installation Requirements criteria match, Deploy then checks System Requirements:

    • If System Requirements match, Deploy marks the package as Install Eligible and moves on to the next software package.

    • If System Requirements do not match, Deploy marks the package as Not Applicable and moves on to the next software package.

Keep the following clarifications in mind as you review software package applicability:

  • Installation Requirements affect only Install operations, not Update operations.

  • If you do not specify Installation Requirements, then the software package is marked Install Eligible if the endpoint meets System Requirements criteria for the software package.

  • Deploy evaluates Installation Requirements criteria, even if the software package does not contain an Install operation. As a result, Deploy marks a software package as Install Eligible even if it cannot be installed. To prevent this behavior, add a rule that cannot be true; for example, add the following Registry Path check to the Installation Requirements: HKLM\Software does not exist.
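The evaluation order and clarifications above, written out as an added example (not Tanium's code). Reducing each section's rules to a single boolean is an assumption of this sketch, and the `Endpoint` class and the sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    """Section-level results for one package on one endpoint (hypothetical model)."""
    architecture_allowed: bool                 # step 1
    install_verification: bool                 # step 2
    update_operation_exists: bool              # step 3 applies only if True
    update_detection: bool
    installation_requirements: Optional[bool]  # None: no rules specified
    system_requirements: bool


def applicability(e):
    """Return (state, deciding step), stopping at the first section that decides."""
    if not e.architecture_allowed:
        return "Not Applicable", "1: architecture not in System Requirements"
    if e.install_verification:
        return "Installed", "2: Install Verification matched"
    if e.update_operation_exists and e.update_detection:
        if e.system_requirements:
            return "Update Eligible", "3: Update Detection and System Requirements met"
        return "Update Ineligible", "3: Update Detection met, System Requirements not met"
    # Installation Requirements are evaluated even without an Install operation;
    # an empty rule set does not block eligibility.
    if e.installation_requirements is False:
        return "Not Applicable", "4: Installation Requirements not met"
    if e.system_requirements:
        return "Install Eligible", "4: System Requirements met"
    return "Not Applicable", "4: System Requirements not met"


# The 7-Zip endpoint from the walkthrough. That the package has an Update
# operation and that System Requirements are met are assumptions.
SEVEN_ZIP = Endpoint(True, False, True, False, False, True)

# A package with no Install operation and no Installation Requirements ...
NO_INSTALL_OP = Endpoint(True, False, False, False, None, True)
# ... and the same package after adding a rule that cannot be true.
NO_INSTALL_OP_GUARDED = Endpoint(True, False, False, False, False, True)

if __name__ == "__main__":
    for name, case in [("7-Zip endpoint", SEVEN_ZIP),
                       ("no Install operation", NO_INSTALL_OP),
                       ("with impossible rule", NO_INSTALL_OP_GUARDED)]:
        print(name, "->", *applicability(case))
```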

Create a software bundle

  1. From the Deploy menu, go to Software and then click Software Bundles.
  2. Click Create Software Bundle.
  3. In the Bundle Details section, specify the bundle name and optionally a description.
  4. In the Bundle Workflow section, select software options.
    1. Click Add to select the software packages to add to the bundle.

      You can filter packages by typing the platform, vendor name, or package title.

    2. Select a specific version, or choose Latest Applicable to automatically select the latest available version for each endpoint.
    3. Select the operation: Install Or Update, Install, Update, or Remove.
    4. Select whether you want the bundle to exit or continue if the package fails.

    You can change the order of the packages by dragging the package.

  5. Click Create Bundle.

Edit a software package or bundle

To edit a package or bundle, click the name of your package or bundle and then click Edit.

When a bundle is edited and saved, all existing deployments continue to use the version that was specified at the time of deployment. To prevent the previous version of the bundle from being used, stop any active deployments of the bundle before making changes.

Copy a software package or bundle

To copy a package or bundle, click the name of your package or bundle and then click Copy.

When a software package or bundle is copied, the name is automatically prepended with Copy - .

Delete a software package or bundle

To delete a package or bundle, click the name of your package or bundle and then click Delete.

To delete multiple packages simultaneously, select the packages from the Software Packages page and then click Delete.

You can delete a software package or bundle only if it is not referenced in an active deployment.