Cylance Endpoint Security requirements
Logging in to the management console
- Custom authentication
- Enhanced authentication sign in
  - Sign in to the Cylance Endpoint Security management console using enhanced authentication
  - Generate a new SSO callback URL
Installing the BlackBerry Connectivity Node
Linking to your company directory
Setting up administrators
Adding users and devices
Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Create an enrollment policy
- Supported enrollment email variables
Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Add and configure a zone
Setting up CylancePROTECT Desktop
Setting up CylancePROTECT Mobile
Setting up CylanceOPTICS
- Install the CylanceOPTICS agent on devices
  - Configuration requirements for macOS 11.x and later
  - OS commands for the CylanceOPTICS agent
- Enable and configure CylanceOPTICS
Setting up CylanceGATEWAY
Setting up CylanceAVERT
Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Manage updates for the CylancePROTECT Desktop and CylanceOPTICS agents
Connecting Cylance Endpoint Security to external services
- Integrating Cylance Endpoint Security with Okta
  - Prerequisites for adding an Okta connector
  - Add and configure an Okta connector
- Integrating Cylance Endpoint Security with Mimecast
  - Prerequisites for adding a Mimecast connector
  - Add and configure a Mimecast connector
Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines

Considerations for adding SAML authenticators

When you add a SAML authenticator, the login request URL and IDP signing certificate values are required. You should note the following considerations for optional fields.

When you configure an external identity provider, you must add the Cylance Endpoint Security login request URL. The URL must be in the format of https://login.eid.blackberry.com/_/resume/saml20/<hash
>. Because external SAML configurations support a list of single sign-on or assertion consumer service reply URLs, in existing configurations, you can add the new or newly generated URL to the list as a secondary option or replace the original. If you created your authenticator before December 2023, and you want users to access the Cylance console using single sign-on, you must generate an updated login request URL. For more information on updating your authenticator, see Enhanced authentication sign in.

Item	Description
NameID format	You can use this field to specify an optional name identifier format to request from the identity provider.
Federated ID claim	You can use this field to specify an optional claim value that is used as your federated ID to link accounts across systems. The default value is NameID. If your IDP is setup to return the email address in a claim other than “NameID”, you must specify the claim in this field. You should use a unique, immutable, and persistent value in this claim (for example, an objectGUID or UUID). Using a value that is not unique or susceptible to change like an email address is not recommended. When users log in, Cylance Endpoint Security will use the value in the Federated ID claim to create a unique ID for the user to map their identities in both systems. After you specify the value to use as the federated ID claim it cannot be changed because it is used to link a user in the external identity provider and Cylance Endpoint Security after they log in for the first time.
Active Directory claim	You can use this field to specify an optional claim value that is used to match Active Directory objectGUIDs across systems to validate users.
Email claim	You can use this field to specify an optional claim value that is used to match email addresses across systems. The default value is 'email'. Cylance Endpoint Security requires that all SAML responses must contain the users full email address, and it must match the email address that is registered with Cylance Endpoint Security . If your IDP is setup to return the email address in a claim other than “email”, you must specify the claim in this field. For example, if the claim configured in your IDP is called “emailAddress”, then you must set “emailAddress” in the Email Claim field. If these do not match, users cannot sign in.
SP entity ID	You can use this field to specify an optional service provider entity ID to send to the identity provider (also known as the issuer string). For Entra SAML authenticators this field is required, and the value that you enter must match the Identifier (Entity ID) in the SAML configuration in Entra .
IDP entity ID	You can use this field to specify an optional identity provider entity ID (also known as the IDP Issuer). If provided, the IDP issuer will be validated on all responses.
Accepted clock drift	You can use this field to specify, in milliseconds, the acceptable clock drift between client and server.
Signature algorithm	You can use this field to specify the signature algorithm for signing requests.
Signature private key	You can use this field to specify, in PEM format, an optional private key that is used to sign all outgoing requests.

Section:

Add an authenticator