Oh man, I haven’t seen uuencode in so long, I basically forgot it existed until I read your comment!

Forgot the one everyone wishes they could forget - FTPS !

Might be worth noting that SCP is non- interactive file transfer only, whereas FTP/SFTP can do interactive sessions and management functions as well.

Tanium has some common apps pre-packaged and regularly updated, you could just setup an ongoing deployment for those to automate keeping them up to date with minimal work on your part.

If you need to update something not on that list, you will need to make an upgrade package yourself with the updated installer or files.

Whether this is actually easy or not really depends on the app vendor and the software. It’s usually straight forward, but not always. But that’s the case with literally any software deployment solution.

I have one app in particular who’s install and config essentially un-automateable. But it’s a shitty LOB app that was written in the 90’s to be intentionally obtuse to prevent privacy, hopefully that’s not an issue in your case.

We are using Tanium, just put the agent on the servers and you are good to go…build your packages and set up deployment jobs.

It also handles Windows patching, and can do system inventory, among other features.

It’s also great for software deployments to you remote workforce systems that are rarely/never on the corporate network.

And seriously, you want a domain. GPOs are incredibly useful for pushing out a huge variety of Windows config changes extremely easily.

Yeah, I hate it. I’d want some sort of SAML SSO auth in front of the actual RDS Gateway to allow you to use whatever identity provider and MFA you already have.

You really don’t want to allow all manner of auth attempts able to be made against your actual workload servers, which is what it sounds like you are describing.