Tanium 6.x: Distributing Software


This article outlines the steps for Package Authors to prepare, test, and distribute commercially or internally developed software applications and updates to managed devices. Embedded links within this document reference other KB articles that provide more detailed instructions about Tanium Package creation and Package deployment.

This information is intended for new Package Authors whose software deployment experience may be limited to installing, updating, or uninstalling software by double-clicking on an application's installer file or using the graphical tools provided by the target operating system. Although Authors already familiar with the typical Build-Test-Deployment process to manage applications using other software distribution tools will be familiar with most of the concepts within this article, they should review the steps as well to note any potential differences.

Requirements Overview

Running with the permissions of the LocalSystem account, the Tanium Client can perform almost any command line instruction available to an Administrator logged into the system. Consequently, even if logged in users do not have admin rights on the device to manage software, authorized Tanium console administrators can use the platform to install, update, or remove any application that can be:

  • Installed from a command line using the permissions of the LocalSystem account
  • Configured to suppress any interaction with an end-user logged into a target system at installation time
  • Dynamically customized at installation, if needed, through options, switches, or input files passed to the application’s installer

If the required executables, scripts and configuration files do not natively have these characteristics, you may be able to use a commercial software packaging tool such as InstallShield or an open-sourced application like Nullsoft Scriptable Install System to create a new version of the installer. Although outside the scope of this article, instructions about using a packaging tool to create a new installer can be readily found through an Internet search. Likewise, examples of command line syntax and switches to distribute common applications are available from both software vendor and software community support and forum websites.

The Tanium platform can track the count of installed applications as well as whether those applications are being used; so before installing new software or upgrading versions of existing software, verify that your organization owns the required number of licenses or meets the Acceptable-Use criteria to centrally distribute and install the commercial or open-sourced software to devices within your organization for use by anyone with the ability to access that application.

Confirm Installation Settings

Before creating the Tanium Package to distribute a software application, perform the following verification steps to confirm you have all of the required files and command line options necessary to install the software in the same environment as the Tanium Client. If the software vendor does not provide adequate documentation for installing the application through command line instructions, the following resources may help you to determine the appropriate command line syntax you need:

  • Installation-specific information posted independently of the software developer on related community support or forum sites maintained by other users of the application.
  • Command line options for .exe installers—some .exe installer applications will generate a list of available command line options if you execute the installer followed by a space and the designated “help” option, which is usually some combination of an escape character such as  or / followed by helph, or ?
  • An Internet search that includes the name of the application or the name of the installer with any combination of related keywords: install, command line, options, switches, arguments, parameters, silent

Installation Validation

If the application cannot be installed manually using the same environment as the Tanium Client, then the installer is unlikely to be successful when executed from the client itself.

Working from a computer system running an OS version supported by the application's installer, complete the following steps to verify that the application can be installed by the Tanium Client.

  1. Create a folder on the test machine.
  2. Copy all files you plan to deliver in the Tanium package to the new folder.
  3. Open a 32-bit command prompt running with the LocalSystem account permissions as described at Launching 32-bit Command Prompt As System.
  4. Within the command prompt, navigate to the folder you created with the test files.
  5. Enter the syntax you plan to use within the Tanium Package to run the software—it could be a single executable file name, an executable file name followed by switches, the name of a script, etc.
  6. Press Enter—the software should install with the desired level of end-user interaction (silent or with prompts).
  7. Launch the application to be sure it is behaving as expected. If so, continue to the section Create a Software Distribution Package; otherwise, review the following instructions to identify and troubleshoot any issues.


  1. If the interaction with the end-user was not suppressed, be sure that the command line options supported by the installer have been included in the command line and that they are entered correctly. Although not very common, some command-line arguments may be case-sensitive, for example /S versus /s.
  2. If you included any switches to suppress output during the installation, try the command line again without those switches to view any error messages or unexpected prompts that may be appearing during the install.
  3. If the installer is unable to find files that should already exist on the computer, be sure to include the path to those files within the command line options if possible or be sure that any environment variables responsible for identifying the location of resources on the target system are configured correctly.
  4. Verify that the target computer meets the criteria for the software to be installed.
  5. If the installer creates a log file, review the log or rerun your command adding the option to generate a log.

Create a Software Distribution Package

For a general overview of using Tanium to create packages to take action, please refer to the Creating Packages KB article.

The process to create a Package to distribute and install a software application includes the following steps:

  1. From AuthoringPackages, click the link, "Create a New Package+".
  2. At Package Name, enter a descriptive name to identify the software title and version.
  3. At Command, enter the command line syntax you validated while testing the installation directly from a command prompt. Any files you add to the Package will be placed in the same working directory. Again, remember that the value entered at Command, must include the necessary options, switches or input files to install and configure the software while suppressing any unwanted interaction with a user who might be logged in when the action executes.
  4. At Files, use one of the following options to add the name and location of each executable, script, configuration or transform file required to perform the software installation:
  • Press "Add local files..." to browse to and select a file the Tanium server can copy from a local or network drive
  • Press "URI" to enter the URI location for a file the Tanium server can copy from a fileshare or web resource.

The following example package to distribute the latest Windows Update Agent can be targeted to designated computers through a Tanium Action:


Deploy a Software Distribution Package

Deploying a package to take action in Tanium is the same whether the package simply executes a command or installs a piece of software.

More information at Deploying Actions explains how to target and deploy the software distribution Package created using the steps within this article.

Have more questions? Submit a request