CylanceGATEWAY known issues
Items marked with an asterisk (*) are new for this release.
Access control list (ACL)
In some scenarios, an ACL rule that is expected to block a connection to a destination does not block it when the rule is created with the following combination of ACL properties. (BIG-6511)
Consider the following scenario: the ACL rule allows users to access *.example.com when the following ACL properties are specified, because the DNS request for http://example.com is resolved to an IP address (for example, 172.16.10.55) and the request to that IP address on port 80 is not blocked.
In the Action section,
In the Destination section,
To block access to the destination in the above scenario, best practice is to enter the FQDN without a wildcard or enter the FQDN with a wildcard and not specify a port number. To have this rule block access to the destination as expected, you must update the ACL rule to one of the following:
The ACL tab is not displayed in the Cylance Endpoint Security console immediately after CylanceGATEWAY is enabled for the tenant. (BIG-7059)
Workaround: Log out of the Cylance Endpoint Security console, and log in again.
Network connections
* Environments that use Cisco Jabber and the CylanceGATEWAY agent must have a Cisco Expressway TURN server deployed and Mobile and Remote Access enabled, or users will not be able to receive incoming calls or hear an incoming conversation. Users will be able to make outgoing calls and are heard by others on the call. For more information, see KB 140116.
On macOS devices when split tunneling is enabled and a DNS query is made for an unqualified hostname, the DNS suffixes may not be applied or used as defined in Settings > Network > Client DNS. (BIG-11180)
Workaround: Complete one of the following:
When Windows devices are configured to use Safe Mode and Work Mode is not enabled, third-party solutions that control DNS, such as a VPN, may not work as expected if they are enabled. When enabled, Safe Mode intercepts and evaluates all DNS queries and may conflict with other solutions that also control DNS. For more information on Safe Mode, see CylanceGATEWAY release notes. (BIG-11098)
If the component that is handling active connections through the CylanceGATEWAY Connector is restarted within the BlackBerry Infrastructure, the number of active connections for the connector may not return to zero when the connector is disabled. (BIG-8614)
Restricted apps can't open loopback sockets when "Block network traffic from restricted apps" is set to "No" in the CylanceGATEWAY service policy, for Windows devices. (BIG-7593)
The Intel Killer Prioritization Engine may drop CylanceGATEWAY traffic. (BIG-5527)
Workaround: Give BlackBerryGatewayService.exe a priority of "1" in the Killer Prioritization Engine console.
If a device's local network IP range (for example, a home Wi-Fi network) overlaps with the customer's private network, CylanceGATEWAY work mode does not allow access to the private network resources for the IPs that fall in the overlap range. For example, if a user’s home Wi-Fi network range uses 10.0.0.0/24 and the customer’s private network uses 10.0.0.0/8, the user will not be able to access 10.0.0.100 on the private network as it falls under 10.0.0.0/24 and will be routed to the local network. (BIG-5389)
Workaround: Complete one of the following actions:
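Added example, not part of BlackBerry's documentation and not one of the workaround actions: a Python check for the overlap described in BIG-5389, which reports the address ranges of the private network that a device's local subnet shadows and classifies individual destinations. It assumes the simplified model stated above (any address inside the local subnet is routed locally); the function names and the resource names in the sample are hypothetical.

```python
import ipaddress

def _net(cidr):
    # strict=False accepts an interface address such as "10.0.0.17/24"
    return ipaddress.ip_network(cidr, strict=False)

def shadowed_ranges(local_cidr, private_cidrs):
    """Parts of the private networks that the device's local subnet covers."""
    local = _net(local_cidr)
    result = []
    for cidr in private_cidrs:
        private = _net(cidr)
        if local.version != private.version or not local.overlaps(private):
            continue
        # Overlapping CIDR blocks are always nested, so the overlap is the
        # more specific (longer-prefix) block of the two.
        result.append(local if local.prefixlen >= private.prefixlen else private)
    return result

def route_for(address, local_cidr, private_cidrs):
    """Classify a destination under the behaviour described for BIG-5389."""
    ip = ipaddress.ip_address(address)
    in_private = any(ip in _net(c) for c in private_cidrs)
    if ip in _net(local_cidr):
        # Assumption from the page: overlap addresses go to the local network.
        return "local-shadowed" if in_private else "local"
    return "tunnel" if in_private else "not-private"

def report(local_cidr, private_cidrs, resources):
    """Human-readable summary of overlaps and per-resource routing."""
    lines = []
    for block in shadowed_ranges(local_cidr, private_cidrs):
        lines.append(f"overlap {block} ({block.num_addresses} addresses in overlap)")
    for name, addr in resources.items():
        lines.append(f"{name} {addr}: {route_for(addr, local_cidr, private_cidrs)}")
    return lines

if __name__ == "__main__":
    # Constructed sample: the page's addresses plus hypothetical resource names.
    resources = {"intranet": "10.0.0.100", "fileserver": "10.20.0.5"}
    for line in report("10.0.0.0/24", ["10.0.0.0/8"], resources):
        print(line)
```

A result of `local-shadowed` marks a private-network resource that the user cannot reach from that local network.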
BlackBerry UEM Connector
After upgrading to CylanceGATEWAY agent for Windows version 2.8.0.9, DNS tunneling does not enable split DNS when a Group Policy Object (GPO) that sets a DNS name resolution policy table (NRPT) or an empty NRPT exists. When split DNS is not enabled, all DNS lookups are performed through the tunnel. (BIG-11032)
To confirm whether a GPO exists, verify whether the Windows registry key "DnsPolicyConfig" is present at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\
After you connect Cylance Endpoint Security to your BlackBerry UEM Cloud instance, the status of the BlackBerry UEM Connector remains at "In progress". (UES-12931)
Workaround: Refresh the Connectors screen.
On iOS devices that are running CylancePROTECT Mobile app version 2.12.0.3252 or later and a BlackBerry UEM Client version earlier than 12.47.3265, when the UEM Client is updated to 12.47.3265 or later, the BlackBerry Infrastructure identifies the device as a new activation. (UESAPP-3841)
Workaround: Deactivate and reactivate the CylancePROTECT Mobile app.
Device
* Windows users might experience notifications that rapidly appear and disappear when they attempt to enable Work Mode. Work Mode cannot be enabled. (BIG-11432)
Workaround: The Windows Management Instrumentation (WMI) cannot be accessed, or it is corrupt. Repair the WMI. For more information, see KB 112135.
When you try to reauthenticate the CylanceGATEWAY agent, you might receive a "Sign-in failed" error. (EID-19203)
Workaround: Temporarily change your default browser or clear the browser cache.
Windows users only receive the Connection Blocked notification popup message the first time they try to access a blocked website. (BIG-8578)
When environments are configured for device posture validation, macOS users receive an error message when they try to enable work mode if the CylancePROTECT Mobile app is installed but not activated. The CylanceGATEWAY agent log file logs a 403 and the following error message: "error":"NotEntitled","detail":"Endpoint requires protect". (BIG-7848)
Workaround: Complete the following steps:
Users may experience connectivity issues when the CylanceGATEWAY agent is installed on a computer running Windows Subsystem for Linux (WSL) due to a known issue where WSL does not accommodate the MTU of the network interfaces in Windows. (BIG-5509)
Workaround: Users with WSL2 can work around this issue using the following commands.