Cylance Endpoint Security requirements
Logging in to the management console
- Custom authentication
- Enhanced authentication sign in
  - Sign in to the Cylance Endpoint Security management console using enhanced authentication
  - Generate a new SSO callback URL
Installing the BlackBerry Connectivity Node
Linking to your company directory
Setting up administrators
Adding users and devices
Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Create an enrollment policy
- Supported enrollment email variables
Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Add and configure a zone
Setting up CylancePROTECT Desktop
Setting up CylancePROTECT Mobile
Setting up CylanceOPTICS
- Install the CylanceOPTICS agent on devices
  - Configuration requirements for macOS 11.x and later
  - OS commands for the CylanceOPTICS agent
- Enable and configure CylanceOPTICS
Setting up CylanceGATEWAY
Setting up CylanceAVERT
Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Manage updates for the CylancePROTECT Desktop and CylanceOPTICS agents
Connecting Cylance Endpoint Security to external services
- Integrating Cylance Endpoint Security with Okta
  - Prerequisites for adding an Okta connector
  - Add and configure an Okta connector
- Integrating Cylance Endpoint Security with Mimecast
  - Prerequisites for adding a Mimecast connector
  - Add and configure a Mimecast connector
Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines

Applying ACL rules

ACL rules apply to all

CylanceGATEWAY

users in the tenant. ACL rules evaluate each network access attempt in the order that they are displayed in the management console, from the top down. The default rule will always be evaluated last, and if none of the previous rules match will block access to all resources. The Default rule cannot be disabled or modified

When you create the ACL rules, BlackBerry recommends that you create your ACL rules and make sure that they are displayed in the in following order:

Block access to Internet content that contains

CylanceGATEWAY

specified categories

Block access to non-categorized services based on your organization's requirements

Allow access to organization-wide services in the private network

Allow access to all public Internet destinations

Default

The following table provides examples of rules and their necessary settings:

Rule	Description
Allow users to access public Internet destinations	This rule will allow users to access any destination that your organization considers to be the public internet. Users will not be able to access the specified RFC1918 addresses. To create this rule, you can specify the following settings: In the Action section, The Action drop-down list displays Allow . Check access attempts against Network Protection check box is selected. This setting allows the rule to pass the ACL, but also allows for further inspection by Gateway. In the Destination section, The Target dropdown list displays Does not match . In the Addresses and Ports , Address field, enter the RFC1918 network ranges.
Allow users to access the private network	This rule will allow user to access network services within your private network. For users to access the private network, the following prerequisites must be met: Ensure that the CylanceGATEWAY Connector is installed in the network to allow traffic to reach your private network. For instructions on how to install the CylanceGATEWAY Connector in your environment, see Setting up the CylanceGATEWAY Connector. Ensure that you have defined a network service containing the private network resources that you want users to access. For information on how to define network services, see Define network services. You can specify the following settings: In the Action section: The Action drop-down list displays Allow . Optionally, clear the Check access attempts against Network Protection check box. No further inspection will be performed by Gateway. In the Destination section: The Target drop-down list displays Matches any . In the Network services field, select the network service that you want users to access.

Rule

Description

Allow users to access public Internet destinations

This rule will allow users to access any destination that your organization considers to be the public internet. Users will not be able to access the specified RFC1918 addresses.

To create this rule, you can specify the following settings:

In the

Action

section,

The

Action

drop-down list displays

Allow

Check access attempts against Network Protection

check box is selected. This setting allows the rule to pass the ACL, but also allows for further inspection by Gateway.

In the Destination
section,

The

Target

dropdown list displays

Does not match

In the

Addresses and Ports

Address

field, enter the RFC1918 network ranges.

Allow users to access the private network

This rule will allow user to access network services within your private network.

For users to access the private network, the following prerequisites must be met:

Ensure that the

CylanceGATEWAY Connector

is installed in the network to allow traffic to reach your private network. For instructions on how to install the

CylanceGATEWAY Connector

in your environment, see Setting up the CylanceGATEWAY Connector.

Ensure that you have defined a network service containing the private network resources that you want users to access. For information on how to define network services, see Define network services.

You can specify the following settings:

In the Action
section:

The Action
drop-down list displays Allow
.

Optionally, clear the Check access attempts against Network Protection
check box. No further inspection will be performed by Gateway.

In the

Destination

section:

The

Target

drop-down list displays

Matches any

In the

Network services

field, select the network service that you want users to access.

Section:

Controlling network access