Application Updates
Application update configurations manage third-party software on your endpoints using integrated package manager support. Define which applications should be installed or updated, and TridentStack Control handles discovery, installation, and version management across your fleet.
How it works
TridentStack Control integrates with package managers on your endpoints to install and update third-party applications. The platform maintains a catalog of available packages synced from public repositories. When you add an application to a configuration, TridentStack Control ensures the correct version is installed on every targeted endpoint and keeps it updated according to your settings.
The application update workflow is separate from system update policies. System updates handle OS-level patches (KB articles, security updates), while application updates handle third-party software (browsers, runtimes, utilities, developer tools).
Application updates are supported on Windows (all versions, including Windows Server 2016 and older) and macOS. On Windows systems without a native package manager, TridentStack Control uses direct installer downloads from the synced catalog. On macOS, applications are installed and updated through the macOS package manager integration. A catalog application that has both a Windows and a macOS package is managed on each targeted endpoint according to that endpoint's platform.
Creating a configuration
- Navigate to Update Management > Application Updates in the left sidebar.
- Click Create Configuration.
- Enter a name and description for the configuration. Choose a name that reflects the group of applications it manages (for example, "Developer Tools", "Security Software", or "Standard Desktop Apps").
- Save the configuration.
The configuration is now created but empty. The next step is to add applications to it.
Adding applications
From the configuration detail page, click Add Application. This opens the package catalog browser.
Search the catalog
Type an application name or package ID in the search bar. The catalog returns matching packages with their publisher, description, and available versions. Results are pulled from the synced package repository and stay current as new versions are published upstream.
Select a package
Click a package from the search results to select it. The detail panel shows:
- Package name and publisher
- Available versions (latest and historical)
- Package ID (the canonical identifier used by the package manager)
- Description and homepage link
Configure version
Choose how the application version is managed:
| Option | Behavior |
|---|---|
| Latest | Always install the newest available version. When a new version appears in the catalog, the agent upgrades automatically on its next check-in. |
| Pinned version | Install a specific version and do not upgrade beyond it. Useful for applications that require version compatibility with other software. |
All installations run silently in the background with no user interaction. Applications are installed machine-wide by the system service, not per-user. All users on the endpoint have access to the installed application.
Adding from agent software inventory
You can also add applications to an application update policy directly from an agent's detail page. Navigate to Agents > Endpoints, select an agent, and open the Software Inventory tab. Right-click any installed application (or use the context menu) to add it to an existing application update policy. This is a convenient way to build policies based on software that is already deployed in your environment.
Managing applications in a configuration
The configuration detail page lists all applications that have been added. For each application you can:
- Edit version settings - Switch between latest and pinned, or change the pinned version number
- Remove - Remove the application from the configuration (this does not uninstall it from endpoints)
- Check deployment status - See which agents have the correct version, which need updates, and which have failed
Deployment status
Each application in a configuration shows its per-agent status:
| Status | Meaning |
|---|---|
| Installed | The correct version is installed on the endpoint |
| Update Available | A newer version exists and will be installed on the next check-in |
| Not Installed | The application has not been installed yet (pending first check-in or download) |
| Failed | Installation was attempted but failed. Click the status to see error details. |
Targeting
Like system update policies, application configurations are targeted to agents by tag. When you assign a configuration to a tag, any agent with that tag receives the configuration's applications.
An endpoint can inherit more than one application configuration at a time through its tags. See Multiple policies per endpoint below for how TridentStack Control handles that.
Group related applications into the same configuration. For example, create a "Developer Tools" configuration with your IDE, version control client, and runtime environments. Create a separate "Security Software" configuration for antivirus and VPN clients. This keeps your configurations organized and makes it easy to assign the right software bundles to the right teams.
Multiple policies per endpoint
Endpoints often carry more than one tag, and each tag can bring its own application configuration. TridentStack Control lets you build focused, single-purpose configurations, for example "Browsers," "Java Runtimes," and "Developer Tools," and assign each to a different tag. An endpoint that carries all three tags inherits all three configurations at once.
Each configuration only manages the applications it lists. Updates for those applications roll out within that configuration's own deployment ring window, so a "Browsers" configuration on a fast-moving ring and a "Developer Tools" configuration on a cautious ring can both govern the same endpoint without interfering with each other.
When two policies target the same application
If an endpoint inherits two or more configurations that both include the same application, TridentStack Control automatically resolves the conflict so exactly one configuration governs that application. It applies the following rules, in order, until one configuration wins:
- A pinned version always wins. A configuration that pins a specific version for the application takes precedence over any configuration set to install the latest version or a fixed number of versions behind latest.
- The lowest pinned version wins. If more than one configuration pins the application, the configuration with the lower pinned version governs.
- The most conservative target wins. When no configuration pins the application, the configuration with the more conservative version target (further behind the latest release) governs.
- The oldest configuration wins. If configurations still tie after the rules above, whichever configuration was created first governs.
Only the winning configuration's deployment ring window controls when that application updates on that endpoint. The losing configurations are unaffected for every other application they manage on the same endpoint. A pinned version never uninstalls or downgrades an application that is already newer than the pin.
On an endpoint's pending application updates list, each application shows which configuration currently governs it. When more than one configuration applied to that application, an info icon next to it explains which rule decided the winner.
You do not need to plan around overlaps when designing your configurations. Layer them freely by tag, TridentStack Control always resolves conflicts using the most conservative option, so an endpoint never ends up on a newer version than the most cautious configuration targeting it intended.
Manual installs require policy coverage
Manually installing an application update, from an endpoint's Actions menu or its pending application updates list, is only available for applications covered by an assigned application update configuration. On an endpoint with no application update configuration assigned, install actions show a "No Policy" indicator and are disabled. When configurations are assigned but a pending application is not covered by any of them, that application is labeled "Not in Policy" and is excluded from manual installs until a configuration covers it. On macOS, an application is covered when a configuration lists it, or when a configuration enables that application's update source for automatic approval.
Dismissing updates
You can dismiss a pending application update on a specific agent to remove it from that agent's update list. Dismissals are per-agent and do not affect other endpoints.
To dismiss an update, navigate to an agent's detail page (Agents > Endpoints, then select an agent). In the available applications section, hover over an application row to reveal the dismiss icon. Click it to open a dialog with the following fields:
| Field | Required | Description |
|---|---|---|
| Reason | Yes | Select from: OS Incompatible, Not Applicable, or Other |
| Note | No | Optional explanation, up to 500 characters |
After dismissing, the update disappears from the agent's pending list. A collapsible "N dismissed updates" section appears at the bottom of the applications list, showing each dismissed app with its name, target version, and reason.
To restore a dismissed update, expand the dismissed updates section and click Restore next to the application. It immediately returns to the pending list.
Use the notes field to document why an update was dismissed. This helps other administrators understand the decision when reviewing the agent later.
Dismissal is done per-agent from the agent detail page, not from the Application Update Configurations page. Configurations define which applications are targeted across your fleet. Dismissal manages exceptions for individual endpoints.
OS compatibility
TridentStack Control automatically checks each application version's minimum OS requirements against the agent's reported operating system version. Only versions compatible with the agent's OS appear as available updates.
If an application's latest version requires a newer OS than the agent has, it does not appear in the agent's pending update list. No configuration is required. The platform handles compatibility filtering automatically based on the metadata in the application catalog.
Install time estimates
TridentStack Control displays estimated installation times next to applications in the catalog browser and on each agent's available updates list. Estimates appear as approximate durations (for example, "~5 min" or "~2h 15m").
How estimates work
Estimates are calculated from historical installation durations recorded across your fleet. Each successful installation contributes a data point. New tenants start with catalog-based estimates, and accuracy improves as more installations are recorded in your environment.
When enough data exists from endpoints with similar hardware profiles (CPU, memory, and disk characteristics), estimates are tailored to that hardware class. Otherwise, the estimate uses tenant-wide averages.
Viewing estimate details
Click the info icon next to any estimate to see a detailed breakdown:
| Field | Description |
|---|---|
| Confidence | High (hardware-matched with 5+ recorded installs), Moderate (3+ installs), or Low (fewer than 3 installs) |
| Source | Whether the estimate comes from similar hardware or tenant-wide data |
| Installs recorded | Number of successful installations used to calculate the estimate |
| Median | The middle value across all recorded durations |
| Average | The mean duration |
| 95th percentile | The duration at which 95% of installs completed, useful for conservative planning |
When selecting multiple applications to install, the confirmation dialog shows an aggregated estimated total install time across all selected applications.
Estimates use the median duration rather than the average to avoid skew from occasional outliers. For conservative planning (for example, sizing a maintenance window), check the 95th percentile in the detail popover.
Install Stats
The Install Stats column appears in the application catalog browser and on each agent's pending application updates list. It shows fleet-wide installation success metrics for each application, helping you identify problematic packages before deploying them.
What Install Stats show
Hover over or click the Install Stats badge on any application to see:
| Field | Description |
|---|---|
| Total deployments | Number of times this application has been installed or updated across all endpoints |
| Success rate | Percentage of installations that completed successfully, color-coded: green (95%+), amber (80-94%), red (below 80%) |
| Confidence | Data quality indicator based on deployment count: High (50+), Moderate (10-49), or Limited (fewer than 10) |
| Common errors | Top 3 most frequent error codes from failed installations, with occurrence counts |
How Install Stats are populated
Install Stats are computed from actual installation outcomes recorded by the TridentStack Control agent. Every successful or failed application install reports its result back to the platform. These results are aggregated periodically (approximately every 15 minutes) into the stats displayed in the UI.
New tenants will see empty Install Stats ("--") initially. Stats appear only after applications have been installed on at least one endpoint in your environment. As your fleet installs more applications, the data becomes richer and more informative.