
Migrate custom authentication settings to the authenticators list

You can migrate your existing SAML authenticators to the authenticators list in Settings so that you can add them to authentication policies for users and groups or for your tenant. When you migrate the authenticators, you must update the single sign-on URL to the URL used by Cylance Endpoint Security. You must also either update the NameID claim in your external IDP configuration so that it returns a persistent, immutable value instead of a user's email address, or create a claim in the identity provider that can be used as the Federated ID claim.
Before you migrate your settings, as a failsafe, you should create one authentication policy that requires only the Cylance console password and assign it to one administrator.
When you migrate the custom authentication settings, in the external identity provider, you must add the following Cylance Endpoint Security login request URL: https://idp.blackberry.com/_/resume. Because external SAML configurations support a list of single sign-on or assertion consumer service reply URLs, in existing configurations you can add the new URL to the list as a secondary option or replace the original.
For more information about SAML authenticators, see Considerations for adding SAML authenticators.
Download a copy of the signing certificate for your IDP.
  1. In the management console, on the menu bar, click Settings > Application.
  2. In the Custom authentication section, complete the following:
    1. Copy the following information to a text file:
      • Provider name
      • Login URL
    2. Select the Allow Password Login checkbox. For more information about this setting, see Custom authentication descriptions.
  3. On the menu bar, click Settings > Authentication.
  4. On the Authenticators tab, click Add authenticator.
  5. In the Authenticator Type drop-down list, click the SAML authenticator that corresponds to the provider name you copied in step 2 (for example, Entra or Okta), or click Custom SAML.
  6. In the General Information section, enter a name for the authenticator.
  7. In the SAML Configuration section, if you want to require users to validate their email address with a one-time code when they log in for the first time, turn on Validation required.
  8. In the Login request URL field, enter the single sign-on URL for the identity provider.
  9. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines. When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
  10. Do one of the following:
    • Task: Update the NameID and email claim values in the external identity provider.
      1. Sign in to your external identity provider.
      2. Update the single sign-on URL for Cylance Endpoint Security to https://idp.blackberry.com/_/resume. You can add this URL to the existing login.<region>.cylance.com URL.
      3. Edit the NameID claim so that it returns a persistent, immutable value (for example, objectGUID or a UUID) that can be used in the Federated ID claim instead of the user's email address. For instructions, see the documentation from the identity provider.
      4. Create a new email claim that will return the user's email address.
    • Task: Create a new claim in your external identity provider and add it to the authenticator settings.
      1. Sign in to your external identity provider.
      2. Update the single sign-on URL for Cylance Endpoint Security to https://idp.blackberry.com/_/resume. You can add this URL to the existing login.<region>.cylance.com URL.
      3. Create a new claim that returns a persistent, immutable ID for a user. For instructions, see the documentation from the identity provider.
      4. In the Cylance management console, in the Email claim field, enter nameID. The nameID value must use a lowercase "n."
      5. In the Federated ID claim field, enter the name of the new claim that you created in the external identity provider.
  11. Click Save.
  • If you encounter issues logging in using the SAML authenticator in an authentication policy, you can download a sample SAML response from your IDP and validate the claim names.
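The following script is an added example of the claim validation suggested above; it is not part of the BlackBerry documentation or the Cylance product. It parses a downloaded SAML response (raw XML or the base64 form posted as SAMLResponse), then checks what the two migration options in step 10 require: the Destination is the https://idp.blackberry.com/_/resume login request URL, the claim named in the Email claim field carries an email address, and the claim named in the Federated ID claim field carries a persistent, immutable value rather than an email address (with a NameID Format check when the federated ID is taken from NameID). The sample response, the attribute name objectGUID and the function names are constructed for the example; the claim-name convention "nameID" (lowercase n) is the one the console uses.

```python
import base64
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Login request URL that the migrated authenticator expects (from the procedure above).
EXPECTED_DESTINATION = "https://idp.blackberry.com/_/resume"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample (not a real IDP capture): the NameID still returns an email
# address and there is no separate email attribute, but a persistent objectGUID
# attribute is present. Signature elements are omitted for brevity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://idp.blackberry.com/_/resume">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="objectGUID">
        <saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(raw):
    """Accept raw XML or the base64-encoded SAMLResponse form and return XML text."""
    text = raw.strip()
    if text.startswith("<"):
        return text
    return base64.b64decode(text).decode("utf-8")


def parse_claims(xml_text):
    """Extract Destination, NameID (value and Format) and attribute claims.

    Uses the standard library parser; for responses from an untrusted source,
    parse with defusedxml instead. Encrypted assertions are not handled here.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain saml:Assertion found in the response")
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "destination": root.get("Destination"),
        "name_id": name_id_el.text if name_id_el is not None else None,
        "name_id_format": name_id_el.get("Format") if name_id_el is not None else None,
        "attributes": attributes,
    }


def resolve(claims, name):
    """Look up a claim the way the console fields reference it: the literal
    'nameID' (lowercase n) means the subject NameID; anything else is an attribute name."""
    if name == "nameID":
        return claims["name_id"]
    values = claims["attributes"].get(name)
    return values[0] if values else None


def validate_claims(claims, email_claim, federated_id_claim):
    """Return a list of problems; an empty list means the response fits the
    Email claim / Federated ID claim names entered in the console."""
    problems = []
    if claims["destination"] != EXPECTED_DESTINATION:
        problems.append("Destination %r is not %s" % (claims["destination"], EXPECTED_DESTINATION))
    email = resolve(claims, email_claim)
    if email is None:
        problems.append("email claim %r is not present in the response" % email_claim)
    elif not EMAIL_RE.match(email):
        problems.append("email claim %r does not contain an email address" % email_claim)
    fid = resolve(claims, federated_id_claim)
    if fid is None:
        problems.append("federated ID claim %r is not present in the response" % federated_id_claim)
    elif EMAIL_RE.match(fid):
        problems.append("federated ID claim %r is an email address, not a persistent immutable ID" % federated_id_claim)
    if federated_id_claim == "nameID" and claims["name_id_format"] != PERSISTENT_FORMAT:
        problems.append("NameID Format is %r, expected %s" % (claims["name_id_format"], PERSISTENT_FORMAT))
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_saml.py response.xml <email claim> <federated ID claim>
    with open(sys.argv[1]) as f:
        parsed = parse_claims(decode_saml_response(f.read()))
    for line in validate_claims(parsed, sys.argv[2], sys.argv[3]) or ["OK"]:
        print(line)
```

Against the constructed sample, the second option from step 10 (Email claim = nameID, Federated ID claim = objectGUID) validates cleanly, while the first option (an email attribute plus NameID as the federated ID) reports the missing email claim, the email-shaped NameID and the non-persistent NameID Format, which is the state the migration steps tell you to fix in the IDP.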