Controlling network access

You define the network resources that devices enrolled with CylanceGATEWAY can connect to using the access control list (ACL). The access control list defines allowed and blocked destinations on private and public networks. The ACL applies only to users that are assigned a CylanceGATEWAY Service policy.
The ACL applies to all CylanceGATEWAY users in the tenant. Each network access attempt by a device is evaluated against the rules, in order, for each connection phase (DNS lookup, connection establishment, and TLS handshake) until a rule that matches the attempt is found. The rule must match on all specified properties including destination or destination categories, specified users or groups, and the risk level determined for the destination. The first matching rule determines whether the access attempt is blocked or allowed to continue to the next phase. An access attempt that is allowed through all of its phases can be fully established. If a network access attempt does not match any rule in the ACL, access is blocked.
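
The evaluation order described above, modeled as an added Python example (not BlackBerry's code or the product's rule schema). The `Rule` fields, group names, risk labels, glob matching, per-phase destination strings and the sample ACL are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

PHASES = ("dns", "connect", "tls")  # the three connection phases named above

@dataclass(frozen=True)
class Rule:  # hypothetical rule shape, not the product's schema
    name: str
    action: str                      # "allow" or "block"
    destination: str = "*"           # glob matched against the destination
    groups: frozenset = frozenset()  # empty set = any user
    risks: frozenset = frozenset()   # empty set = any risk level

def first_match(rules, dest, user_groups, risk):
    """Return the first rule that matches on every property it specifies."""
    for rule in rules:
        if (fnmatch(dest, rule.destination)
                and (not rule.groups or rule.groups & user_groups)
                and (not rule.risks or risk in rule.risks)):
            return rule
    return None

def evaluate(rules, seen, user_groups, risk):
    """Walk the phases in order; return (decision, phase, rule name)."""
    for phase in PHASES:
        rule = first_match(rules, seen[phase], user_groups, risk)
        if rule is None:                 # no rule matched: blocked by default
            return ("block", phase, None)
        if rule.action == "block":       # first match blocks: stop here
            return ("block", phase, rule.name)
    return ("allow", PHASES[-1], rule.name)  # allowed through every phase

def uniform(dest):
    """Constructed attempt that shows the same destination at every phase."""
    return {phase: dest for phase in PHASES}

# Constructed sample ACL; rule order is significant.
ACL = [
    Rule("block-high-risk", "block", risks=frozenset({"high"})),
    Rule("hr-app", "allow", "hr.corp.example", groups=frozenset({"hr"})),
    Rule("block-corp", "block", "*.corp.example"),
    Rule("public-web", "allow", "*.example.org", risks=frozenset({"low", "medium"})),
]

if __name__ == "__main__":
    for who, dest, risk in [({"hr"}, "hr.corp.example", "low"),
                            ({"sales"}, "hr.corp.example", "low"),
                            ({"sales"}, "www.example.org", "high"),
                            ({"sales"}, "www.example.net", "low")]:
        print(who, dest, risk, evaluate(ACL, uniform(dest), frozenset(who), risk))
```

Moving `block-corp` above `hr-app` would block the HR group as well, which is why rule order should be reviewed whenever a rule is added.
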
For existing tenants, you can define the network resources that devices enrolled with CylanceGATEWAY can connect to using a network access control policy. The network access control policy defines allowed and blocked destinations on private and public networks. You can upgrade your tenant to use ACL rules. For more information on upgrading, see Upgrading your tenant from network access control policies to ACL rules.
When you create a network access control policy, you specify blocked and allowed network connections. For addresses that are part of your private network, all connections are blocked unless you add the address to the allowed list. For destinations that are not part of your private network, all connections are allowed unless you add the address to the blocked list or BlackBerry has determined that the destination is malicious. If you add a public destination to the allowed list, connections are always allowed, even if BlackBerry considers the destination to be unsafe.