Software Installation Checklist

Create or attach the RFC in the PSA (ConnectWise, Autotask, HaloPSA, ServiceNow, Jira Service Management). Even a single-endpoint install needs a ticket so the audit trail and CMDB asset history are intact.

Pull the license key, seat count, and renewal date from the vendor portal or IT Glue / Hudu. Installing past the seat cap is a common cause of activation failures mid-rollout.

Standard / Normal / Emergency per ITIL change types. Blast radius — not package size — drives this. A one-line agent push to 200 endpoints is Normal; a kernel driver to a single workstation may also be Normal.

Match the vendor's stated minimums against actual endpoint inventory in Intune, Jamf, Kandji, or NinjaOne — CPU architecture (x64 vs ARM64), OS build, RAM, .NET / VC++ runtime versions. ARM64 vs x64 mismatches are a recurring source of silent install failure on newer Macs and Surface devices.

Plan for 2-3x the installer footprint to cover temp extraction and rollback restore points. Confirm prerequisite runtimes (.NET, Java JRE/JDK, VC++ redistributables, PowerShell version) are present at the version the vendor specifies — not just "installed."

Cross-reference the vendor's published egress endpoints against NGFW (Palo Alto, Fortinet, pfSense) ACLs. ZTNA / SASE policies often need a per-app allowlist update — license activation calls home over a different domain than the installer download.

Pull the installer directly from the vendor portal or a verified mirror. Never use a copy emailed by an end user — supply-chain compromises (3CX, SolarWinds) reach in through trusted-looking channels.

Compare SHA-256 against the vendor's published checksum and confirm the Authenticode / notarization signature matches the expected publisher. A mismatched or missing signature is a stop-the-line event — open a security ticket before proceeding.

Halt the deployment. Page the on-call security engineer via PagerDuty or Opsgenie, quarantine the installer, and capture the source URL plus referrer. Treat as a potential supply-chain incident until proven otherwise.

Push to the IT pilot group (typically 5-10 endpoints) via Intune, Jamf, Action1, or Automox. Watch EDR (CrowdStrike, SentinelOne, Defender) for false-positive blocks and tune exclusions before broad release.

Apply the CIS Benchmark or vendor-hardening profile via Intune configuration profile, Jamf policy, or Ansible playbook. Disable telemetry channels not approved by the data-handling policy.

Connect the app to Okta, Entra ID, Google Workspace, or JumpCloud via SAML or OIDC and enable SCIM where the vendor supports it. Apps without SSO + SCIM become offboarding gaps — flag for vendor review if the connector is missing.

Store license keys, API tokens, and any service-account credentials in HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or 1Password. Never check them into Git or paste them into the PSA ticket body.

Restore from the pre-install snapshot, push the uninstall package via MDM, and confirm the endpoint is back to baseline before closing the change as Failed. Capture the failure cause for the postmortem.

Record installed version, license key location, SSO connector ID, and owning team in IT Glue, Hudu, or the ServiceNow CMDB. Stale CMDB data is the single biggest reason offboarding misses an app.

Send the user-facing change notice, link the KB article in Confluence / Hudu, and update the on-call runbook with any new alert routing. Helpdesk needs the article live before the rollout closes, not after the first ticket arrives.