Cylance Endpoint Security requirements
Logging in to the management console
- Custom authentication
- Enhanced authentication sign in
  - Sign in to the Cylance Endpoint Security management console using enhanced authentication
Installing the BlackBerry Connectivity Node
Linking to your company directory
Setting up administrators
Adding users and devices
Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Create an enrollment policy
- Supported enrollment email variables
Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Add and configure a zone
Setting up CylancePROTECT Desktop
Setting up CylancePROTECT Mobile
Setting up CylanceOPTICS
- Install the CylanceOPTICS agent on devices
  - Configuration requirements for macOS 11.x and later
  - OS commands for the CylanceOPTICS agent
- Enable and configure CylanceOPTICS
  - CylanceOPTICS sensors
  - Data structures that CylanceOPTICS uses to identify threats
Setting up CylanceGATEWAY
Setting up CylanceAVERT
Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Manage updates for the CylancePROTECT Desktop and CylanceOPTICS agents
Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines

Add an authenticator

You add authenticators so that you can add them to authentication policies. An authenticator typically defines one authentication method, such as a password (for example, a

Cylance

console password) or a connection to a third-party for authentication like

Active Directory

Okta

, or

Ping Identity

. You add them to authentication policies to specify the types of authentication that administrators must complete to sign in to the

Cylance

console and users must complete to activate

Cylance Endpoint Security

apps or agents (for example, the

CylancePROTECT Mobile

app or

CylanceGATEWAY

). You can combine multiple authenticators in an authentication policy to provide multiple authentication steps. For example, you can combine the Enterprise authenticator with a one-time password prompt in a policy to require users to authenticate with both their work or

Cylance

console password and a one-time password.

If you add a SAML authenticator, download a copy of the signing certificate for your IDP.

On the menu bar, click

Settings > Authentication

Click

Add Authenticator

In the

Authenticator Type

drop-down list, select one of the following authenticators:

Item	Description
Azure (SAML)	Select this option if you want users to enter their Azure credentials. Do the following: Enter a name for the authenticator. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required . The code is sent to the email address that is associated with the user in your tenant. In the Login request URL field, enter the Login URL that is specified in the app registration single sign-on settings for your identity provider. For example, in the Azure Portal, go to Enterprise Application > CylancePROTECT application > Properties > Single Sign-On Settings > Login URL. In the IDP signing certificate field, paste the the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines. When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. In the SP entity ID field, enter the Identifier (Entity ID) that is used in the SAML configuration in Azure . This field is required, and the value that you enter must match the Identifier (Entity ID) in Azure . Specify any other optional settings. Click Save .
Custom (SAML)	Select this option if you want users to enter custom credentials. Do the following: Enter a name for the authenticator. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required . In the Login request URL field, enter the identity provider's single sign-on URL. In the IDP signing certificate field, paste the the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines. When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. Specify any other optional settings. Click Save .
Cylance Administrator Password	Select this option if you want users to enter their Cylance console credentials. Do the following: Enter a name for the authenticator. Click Save .
Deny Authentication	Select this option if you want to use an authentication policy to prevent users or groups of users from accessing the Cylance console or another service. You can add another policy or an app exception to allow access to a subset of users. Enter a name for the authenticator. Click Save .
Duo MFA	Select this option if you want users to authenticate using Duo multi-factor authentication. Before you add Duo as an authenticator, you should create an Auth API application. For instructions, see the information from Duo . Do the following: Enter a name for the authenticator. In the DUO MFA Configuration section, enter the API hostname, Integration key, and Secret key. You can find this information on the Applications tab in your organization's Duo account. For more information, see the Duo documentation.
Enterprise	Select this option if you want users to authenticate using their credentials for Active Directory , LDAP, or my Account . The credentials that a user will use depends on the account type that is the source for their user account in the console. Do the following: Enter a name for the authenticator. Click Save .
FIDO	Select this option if you want users to register a FIDO2 device and use it verify their identity. Supported device types include smartphones, USB security keys, or Windows Hello . Enter a name for the authenticator. Click Save . When FIDO is the first factor of authentication and a user registers a device for the first time, a one-time password is also sent to the email address that they use to sign in. When FIDO is used as a second factor in a policy, a one-time password isn’t required when a user registers a device for the first time. For information about how to remove registered devices from a user account, see Remove a registered FIDO device for a user account in the Administration content.
Integrated Directory ( Active Directory / Azure AD /LDAP)	Select this option if you want users to enter their Active Directory password. If you select this option, your Cylance Endpoint Security tenant must have a connection to the company directory instance. For more information, see Linking to your company directory. Do the following: Enter a name for the authenticator. Click Save .
IP Address	Select this option if you want to restrict users’ access based on their IP address. You can create multiple IP address authenticators and use them to manage access for different groups, but you can only assign one IP address authenticator in a policy. Enter a name for the authenticator. In the IP address ranges field, specify one or more IP addresses, IP ranges, or CIDRs. Separate entries with a comma. Click Save .
Local Account	Select this option if you want users to enter their BlackBerry Online Account ( my Account ) credentials. Do the following: Enter a name for the authenticator. Click Save .
Okta MFA	Select this option if you want users to authenticate using Okta . Do the following: Enter a name for the authenticator. In the Okta MFA Configuration section, enter the Auth API Key and the Auth Domain. Click Save .
Okta (OIDC)	Select this option if you want users to authenticate using Okta . Do the following: In the drop-down list below Okta , select OIDC . Enter a name for the authenticator. In the Identity Provider Client section, enter the OIDC discovery document URL, the Client ID, and the Private key JWKS. Click Save .
Okta (SAML)	Select this option if you want users to enter their Okta credentials. Do the following: In the drop-down list below Okta , select SAML . Enter a name for the authenticator. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required . In the Login request URL field, enter the identity provider's single sign-on URL. In the IDP signing certificate field, paste the the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines. When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. Specify any other optional settings. Click Save .
OneLogin (OIDC)	Select this option if you want users to authenticate using OneLogin . Do the following: In the drop-down list below OneLogin , select OIDC . Enter a name for the authenticator. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required . In the OneLogin Configuration section, enter the OIDC discovery document URL, the Client ID, Client Secret, and Authentication Method. Click Save .
OneLogin (SAML)	Select this option if you want users to enter their OneLogin credentials. Do the following: Enter a name for the authenticator. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required . In the Login request URL field, enter the identity provider's single sign-on URL. In the IDP signing certificate field, paste the the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines. When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. Specify any other optional settings. Click Save .
One-Time Password	Select this option if you want users to enter a one-time password in addition to another type of authentication. If you select this option, you must also add another authenticator to your authentication policy and rank it higher than the one-time password. Do the following: Enter a name for the authenticator. In the One-Time Password Configuration section, in the first drop-down list, select a number of intervals in the drop-down list. Any code within the window is valid if it precedes or follows the expected code by the number of refresh intervals that you specify. The refresh interval is 30 seconds, and the default setting is 1. In the One-Time Password Configuration section, in the second drop-down list, specify the number of times that users can skip the OTP app setup and authenticate without entering a code.
Ping Identity (OIDC)	Select this option if you want users to authenticate using Ping Identity .Do the following: In the drop-down list below Ping , select OIDC . Enter a name for the authenticator. In the Identity Provider Client section, enter the OIDC discovery document URL, the client ID, and the private key JWKS. In the ID token signing algorithm drop-down list, select a signing algorithm. Click Save .
Ping Identity (SAML)	Select this option if you want users to enter their Ping Identity credentials. Do the following: In the drop-down list below Ping , select SAML . Enter a name for the authenticator. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required . In the Login request URL field, enter the identity provider's single sign-on URL. In the IDP signing certificate field, paste the the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines. When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. Specify any other optional settings. Click Save .

Click

Save

Create an authentication policy.

Section:

Adding users and devices

Considerations for adding SAML authenticators

Migrate custom authentication settings to the authenticators list