Configure CylanceGATEWAY service options

You can use the CylanceGATEWAY service policy to enable split tunneling for devices and specify OS-specific options. If you enable split tunneling, connections to allowed public destinations bypass the tunnel and the BlackBerry Infrastructure unless you specify that connections to the destination must use the tunnel. If you are using source IP pinning, all destinations configured for source IP pinning must use the tunnel. If you make changes to tunneling settings or incoming connections, users must disable and then enable work mode in the CylanceGATEWAY agent installed on Windows and macOS devices or in the CylancePROTECT Mobile app on iOS, Android, and 64-bit Chromebook devices for the changes to take effect.

If you are configuring CylanceGATEWAY on devices that are activated with an EMM solution such as BlackBerry UEM, you can also specify options in your EMM solution that control how CylanceGATEWAY works on devices.
  1. On the menu bar, click Policies > User Policy.
  2. Click the Gateway Service tab.
  3. Click Add Policy.
  4. Type a name and description for the policy.
  5. If the policy will be assigned to users with the CylanceGATEWAY agent installed on Windows devices, select any of the following options:
    1. Turn on Per-app tunnel to specify which apps can send traffic through the tunnel to the BlackBerry Infrastructure. This feature is supported on CylanceGATEWAY agent version 2.0.0.13 or later.
      1. Select one of the following options:
        • Select Allowed apps to specify the apps that can use the tunnel. No other apps can use the tunnel. System apps and Windows DNS always use the tunnel. If you select this option, any configured ACL rules or network access control policies are applied. For more information on ACL rules and network access control policies, see Controlling network access.
        • Select Restricted apps to specify the apps that cannot use the tunnel. All other apps can use the tunnel.
      2. Click the Add icon and enter the full path for desktop apps or the Windows Package Family Name (PFN) for store apps, and then click Add. A combined maximum of 200 app paths or PFNs can be specified.
    2. Turn on Force allowed apps to use the tunnel to require allowed apps to use the tunnel for all non-loopback connections. If you select this option and have split tunneling enabled, connections that don't use the tunnel may not function as expected.
    3. Turn on Allow apps to use the local network to allow the apps that are forced to use the tunnel to reach local network destinations. This feature requires CylanceGATEWAY agent version 2.5 or later.
    4. Turn on Block network traffic from restricted apps to prevent all non-loopback network connections from apps that cannot use the tunnel. If you do not select this setting, the restricted apps can use the default network connection.
    5. Turn on Allow other Windows users to use the tunnel to allow all users of the same Windows device to use the tunnel. If you select this option, any per-app tunnel criteria apply to those users as well. If you do not select this option, apps run by other Windows users are treated as restricted apps.
    6. Turn on Allow incoming connections to allow incoming TCP connections and UDP flows from non-tunnel, non-loopback interfaces. CylanceGATEWAY never routes incoming connections through the tunnel.
  6. If the policy will be assigned to Android or Chromebook device users with the CylancePROTECT Mobile app, perform the following actions:
    1. To specify which apps send data through the tunnel to the BlackBerry Infrastructure, turn on Per-app tunnel.
    2. Select one of the following options:
      • Select Allowed apps to specify the apps that use the tunnel. All other apps do not use the tunnel.
      • Select Restricted apps to specify the apps that do not use the tunnel. All other apps use the tunnel.
    3. Click the Add icon and enter the appropriate app IDs, and then click Add.
  7. If the policy will be assigned to users with the CylanceGATEWAY agent installed on macOS devices, perform the following actions:
    1. Turn on Force apps to use the tunnel to require all non-loopback connections to use the tunnel. If you select this option and have split tunneling enabled, all traffic will use the tunnel. This feature is only supported on unmanaged macOS devices that are running macOS 10.15 or later and CylanceGATEWAY agent version 2.0.17 or later.
    2. Turn on Allow apps to use the local network to allow the apps that are forced to use the tunnel to reach local network destinations. This feature is only supported on unmanaged macOS devices that are running macOS 10.15 or later and CylanceGATEWAY agent version 2.0.17 or later.
  8. If the policy will be assigned to users with the CylancePROTECT Mobile app installed on iOS devices, perform the following actions:
    1. Turn on Force apps to use the tunnel to require all non-loopback connections to use the tunnel. If you select this option and have split tunneling enabled, all traffic will use the tunnel. This feature is only supported on unmanaged iOS devices that are running iOS 14.0 or later and CylancePROTECT Mobile 2.4.0.1731 or later.
    2. Turn on Allow apps to use the local network to allow the apps that are forced to use the tunnel to reach local network destinations. This feature is only supported on unmanaged iOS devices that are running iOS 14.2 or later and CylancePROTECT Mobile 2.4.0.1731 or later.
  9. To specify how frequently Windows and macOS users must authenticate before they establish a tunnel, perform the following actions:
    1. Turn on Tunnel Reauthentication.
    2. Optionally, turn on Allow authentication reuse and specify a reuse period after which users who have authenticated and established a tunnel are required to authenticate again. The reuse period can be set between 5 minutes and 365 days from their last authentication. For example, if you set the reuse period to 10 days, users must authenticate again 10 days after their first authentication before they can establish a tunnel. If you do not enable Allow authentication reuse and specify a reuse period, users must authenticate each time they establish a tunnel.
    3. The Grace period allows users to reconnect to the tunnel without authenticating if the connection to the tunnel is re-established within 2 minutes of the connection having disconnected. By default, this option is enabled when you turn on tunnel reauthentication.
  10. To specify additional prerequisites before users can use CylanceGATEWAY, complete any of the following actions:
    • For iOS and Android devices, you can require that the devices be managed by Microsoft Intune. Click the Android & iOS tab and turn on Allow to run only if the device is managed.
    • For Windows devices, you can require that users have CylancePROTECT Desktop installed and activated from the same tenant. Click the Windows tab and turn on Allow Gateway to run only if CylancePROTECT Desktop is also activated on the device.
    • For macOS devices, you can require that users have CylancePROTECT Desktop installed and activated from the same tenant. Click the macOS tab and turn on Allow Gateway to run only if CylancePROTECT Desktop is also activated on the device. This feature requires CylancePROTECT Desktop 3.0 or later and CylanceGATEWAY agent version 2.0.17 or later. If you enable this feature for devices that are running a version of CylancePROTECT Desktop earlier than 3.0, the tunnel may not function as expected.
  11. To allow traffic to public destinations to bypass CylanceGATEWAY, perform the following actions:
    1. Turn on Split tunneling.
    2. To specify destinations that must use the tunnel, click the Add icon.
    3. Click CIDRs or FQDN, type the CIDR addresses or FQDNs for destinations that must route through the tunnel, and click Add. The management console periodically refreshes the FQDN to IP address resolution. FQDN addresses do not support wildcards.
  12. Click Add.
  13. If you made changes to the tunneling settings or incoming connections, make sure that users disable and then enable work mode in the CylanceGATEWAY agent installed on Windows and macOS devices or in the CylancePROTECT Mobile app on iOS, Android, and Chromebook devices for the changes to take effect.
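As an added example (not BlackBerry's code), the following Python model shows how the Windows per-app tunnel options in step 5 and the split tunneling options in step 11 combine to decide whether a single connection is tunneled, sent directly, or blocked. The class and function names, and the treatment of non-public addresses as the "local network", are assumptions of this model, not documented product behaviour.

```python
# Added example (not BlackBerry's code): a model of how the Windows per-app tunnel
# and split tunneling options on this page combine for one outbound connection.
# Names and the private-destination handling are assumptions of this model.
from dataclasses import dataclass
from enum import Enum
import ipaddress

class AppMode(Enum):
    ALLOWED = "allowed"        # listed apps may use the tunnel; no other app can
    RESTRICTED = "restricted"  # listed apps may not use the tunnel; all others can

@dataclass(frozen=True)
class WindowsGatewayPolicy:
    per_app_tunnel: bool = False
    app_mode: AppMode = AppMode.ALLOWED
    app_list: frozenset = frozenset()         # full paths or PFNs (200 combined max)
    force_allowed_apps: bool = False          # "Force allowed apps to use the tunnel"
    allow_local_network: bool = False         # "Allow apps to use the local network"
    block_restricted_apps: bool = False       # "Block network traffic from restricted apps"
    allow_other_windows_users: bool = False   # "Allow other Windows users to use the tunnel"
    split_tunneling: bool = False
    must_tunnel_cidrs: tuple = ()             # destinations that must use the tunnel

def app_may_use_tunnel(policy, app, same_user=True):
    """Apps run by other Windows users count as restricted unless explicitly allowed."""
    if not same_user and not policy.allow_other_windows_users:
        return False
    if not policy.per_app_tunnel:
        return True
    listed = app in policy.app_list
    return listed if policy.app_mode is AppMode.ALLOWED else not listed

def route(policy, app, dest, same_user=True):
    """Return 'tunnel', 'direct' or 'blocked' for one connection from app to dest."""
    ip = ipaddress.ip_address(dest)
    if ip.is_loopback:
        return "direct"  # every option on the page applies to non-loopback connections only
    if not app_may_use_tunnel(policy, app, same_user):
        # a restricted app falls back to the default network connection unless blocked
        return "blocked" if policy.block_restricted_apps else "direct"
    if policy.force_allowed_apps:
        local = not ip.is_global  # assumption: "local network" means a non-public address
        return "direct" if local and policy.allow_local_network else "tunnel"
    if policy.split_tunneling:
        if any(ip in ipaddress.ip_network(c) for c in policy.must_tunnel_cidrs):
            return "tunnel"  # CIDRs added in step 11 always route through the tunnel
        if ip.is_global:
            return "direct"  # allowed public destinations bypass the tunnel
    return "tunnel"
```

Feeding the same policy object different app and destination pairs makes the interactions visible, for example that a forced allowed app still tunnels public traffic when split tunneling is on, while an unlisted app is dropped entirely once Block network traffic from restricted apps is enabled.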