CylanceGATEWAY known issues Skip Navigation
  1. BlackBerry Docs
  2. Cylance Endpoint Security
  3. Cylance Endpoint Security Release Notes
  4. CylanceGATEWAY release notes
  5. CylanceGATEWAY known issues

CylanceGATEWAY
 known issues

Items marked with an asterisk (*) are new for this release.
Access control list (ACL)
The ACL tab is not displayed in the
Cylance Endpoint Security
 console immediately after
CylanceGATEWAY
 is enabled for the tenant. (BIG-7059)
Workaround
: Log out of the
Cylance Endpoint Security
 console, and log in again.
Network connections
* On
macOS
 devices when split tunneling is enabled and a DNS query is made for an unqualified hostname, the DNS suffixes may not be applied or used as defined in Settings > Network > Client DNS. (BIG-11180)
Workaround
: Complete one of the following:
  • Disable split tunneling and users use CylanceGATEWAY to access network resources.
  • Instruct users to use the FDQN to access network resources.
* When
Windows
 devices are configured to use Safe Mode and Work Mode is not enabled, if third-party solutions that control DNS such as VPN are enabled, they may not work as expected. When enabled, Safe mode intercepts and evaluates all DNS queries and may have conflicts with other solutions that also control DNS. For more information on Safe Mode, see CylanceGATEWAY release notes. (BIG-11098)
If the component that is handling active connections through the
CylanceGATEWAY Connector
 is restarted within the
BlackBerry Infrastructure
, the number of active connections for the connector may not return to zero when the connector is disabled. (BIG-8614)
Restricted apps can't open loopback sockets when "Block network traffic from restricted apps" is set to "No" in the
CylanceGATEWAY
 service policy, for
Windows
 devices. (BIG-7593)
The
Intel
 Killer Prioritization Engine may drop
CylanceGATEWAY
 traffic. (BIG-5527)
Workaround
: Give BlackBerryGatewayService.exe a priority of "1" in the Killer Prioritization Engine console.
If a device's local network IP range (for example, a home
Wi-Fi
 network) overlaps with the customer's private network,
CylanceGATEWAY
 work mode does not allow access to the private network resources for the IPs that fall in the overlap range. For example, if a user’s home
Wi-Fi
 network range uses 10.0.0.0/24 and the customer’s private network uses 10.0.0.0/8, the user will not be able to access 10.0.0.100 on the private network as it falls under 10.0.0.0/24 and will be routed to the local network. (BIG-5389)
Workaround
: Complete one of the following actions:
  • User: If the user can configure their local network, the user could change the local network IP range to a private IP range that does not conflict with the customer's private network IP range.
  • CylanceGATEWAY
     administrators: Create and assign a
    CylanceGATEWAY
     service policy to the specific user. In the policy, enable split tunneling and add a CIDR address of 0.0.0.0/0 and the IP range of the local network.
    Note
    : The local network IP range must be added as more specific CIDR addresses (for example, for the local network of 10.0.0.0/24, add 10.0.0.0/25 and 10.0.0.128/25).
BlackBerry UEM Connector
* After upgrading to
CylanceGATEWAY
 agent for
Windows
 version 2.8.0.9, DNS tunneling does not enable split DNS when a Group Policy Object (GPO) that sets a DNS name resolution policy table (NRPT) or an empty NRPT exists. When split DNS is not enabled, all DNS lookups are performed through the tunnel. (BIG-11032)
To confirm if a GPO exists, verify whether the
Windows
 registry key "DnsPolicyConfig" is present at
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\
* After you connect the
Cylance Endpoint Security
 to your
BlackBerry UEM Cloud
 instance, the status of the BlackBerry UEM Connector remains at "In progress". (UES-12931)
Workaround
: Refresh the Connectors screen.
On
iOS
 devices that are running
CylancePROTECT Mobile
 app version 2.12.0.3252 or later and
BlackBerry UEM Client
 version earlier than 12.47.3265, and the UEM Client is updated to 12.47.3265 or later the
BlackBerry Infrastructure
 identifies the device as a new activation. (UESAPP-3841)
Workaround
: Deactivate and reactivate the
CylancePROTECT Mobile
 app. 
Device
* After upgrading to CylanceGATEWAY agent for macOS version 2.8.0.13, Work Mode and Safe Mode may not establish a connection. (BIG-11186)
Workaround
: Complete one of the following actions:
  • Disable Work Mode and then enabled Work Mode.
  • Restart the device.
If Work Mode is enabled when the
CylancePROTECT Mobile
 app for
iOS
 updates, a "
CylanceGATEWAY
 is disconnected" message is displayed and users are unable to connect to
CylanceGATEWAY
. (BIG-8649)
Workaround
: Start the
CylancePROTECT Mobile
 app or tap the pop-up message.
When you try to reauthenticate the
CylanceGATEWAY
 agent, you might receive a "Sign-in failed" error. (EID-19203)
Workaround
: Temporarily change your default browser or clear the browser cache. 
When environments are configured for device posture validation,
macOS
 users receive an error message when they try to enable work mode if the
CylancePROTECT Mobile
 app is installed but not activated. The
CylanceGATEWAY
 agent log file logs a 403 and the following error message: "error":"NotEntitled","detail":"Endpoint requires protect". (BIG-7848)
Workaround
: Complete the following steps:
  1. Make sure that the
    CylancePROTECT Mobile
     app is installed and activated.
  2. Close and open the
    CylanceGATEWAY
     agent.
  3. Click
    Enable Work Mode
    .
Users may experience connectivity issues when the
CylanceGATEWAY
 agent is installed on a computer running
Windows
 Subsystem for
Linux
 (WSL) due to a known issue where WSL does not accommodate the MTU of the network interfaces in
Windows
. (BIG-5509)
Workaround
: Users with WSL2 can work around this issue using the following commands.
  1. Check the MTU WSL2 assigned to the (virtual) "eth0" interface. Note the 1500. 
    $ ip link show dev eth0 
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
  2. As root in WSL2, set the MTU to match that of
    CylanceGATEWAY
    's IPv4 tunnel interface. 
    $ sudo ip link set dev eth0 mtu \
 $(powershell.exe -Command \
   '(Get-NetIPInterface -InterfaceAlias "BlackBerry Gateway" -AddressFamily IPv4).NlMtu' \
   |grep -m1 -oE '[0-9]+')
  3. Confirm that the MTU was changed. Note the 1420. 
    $ ip link show dev eth0 
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
Agent
Windows
 users only receive the Connection Blocked notification popup message the first time they try to access a blocked website. (BIG-8578)