Skip Navigation

Gateway Service policy parameters

If you are configuring
CylanceGATEWAY
on devices that are activated with an EMM solution such as
BlackBerry UEM
, you can also specify options in your EMM solution that control how
CylanceGATEWAY
works on devices.
Item
Description
General information
Name
This is a name for the rule.
Description
This is a brief description of the purpose for the rule.
Agent Configuration
Allow Gateway to run only if the device is managed by
BlackBerry UEM
or
Microsoft Intune
This setting specifies that
iOS
,
Android
, or
Chromebook
devices must be managed by
BlackBerry UEM
or
Microsoft Intune
before users can use
CylanceGATEWAY
.
This feature requires one of the following:
  • BlackBerry UEM
    : The
    BlackBerry UEM
    connector is added to the
    Cylance Endpoint Security
    tenant and apps are sent from
    BlackBerry UEM
    .
  • Intune
    : The
    Microsoft Intune
    connector is added to the
    Cylance Endpoint Security
    tenant and you create app configuration policies that define the device types and Intune user groups that the integration applies to. 
Allow Gateway to run only if the device is managed by
Microsoft Intune
This setting specifies that
Windows
devices must be managed by
Microsoft Intune
and is
Entra ID
joined before users can use
CylanceGATEWAY
. For more information, see Connecting Cylance Endpoint Security to MDM solutions to verify whether devices are managed and complete the
Intune
tasks.
This feature is supported on
CylanceGATEWAY
agent for
Windows
version 2.10 or later.
Allow Gateway to establish tunnels only on MDM managed devices where Gateway is configured as the managed VPN
You can require that a device be enrolled in Mobile Device Management (MDM) for your organization with
CylanceGATEWAY
configured as a VPN provider before
CylanceGATEWAY
Work Mode will create a tunnel on that device. 
This feature is supported on the following devices:
  • CylanceGATEWAY
    agent for
    macOS
    2.7 or later
  • CylancePROTECT Mobile
    app for
    iOS
    2.14 or later
Allow Gateway to run only if
CylancePROTECT Desktop
is also activated on the device
This setting requires that users have
CylancePROTECT Desktop
installed and activated from the same tenant. This feature is supported on the following devices:
  • Windows
    devices that are running
    CylanceGATEWAY
    for
    Windows
  • macOS
    devices that are running
    CylancePROTECT Desktop
    3.0 or later and
    CylanceGATEWAY
    for
    macOS
    2.0.17 or later. If you enable this feature for devices that are running a version of
    CylancePROTECT Desktop
    earlier than 3.0, the tunnel may not function as expected.
Safe Mode
You can enable Safe Mode for your users. With Safe Mode,
CylanceGATEWAY
blocks apps and users from accessing potentially malicious destinations and enforces an acceptable use policy (AUP) by intercepting DNS requests. The
CylanceGATEWAY
cloud services evaluate each DNS query against the configured ACL rules and network protection settings (for example DNS Tunneling and Zero Day Detections such as DGA, Phishing, and Malware), and then instructs the agent to allow or block the request in real time. If allowed, the DNS request completes normally over the bearer network. Otherwise, the
CylanceGATEWAY
agent overrides the normal response to prevent access.
When enabled, Safe Mode automatically takes effect when Work Mode is disabled. When enabled for
Windows
devices, the agent is minimized in the system tray when it launches. Enabling Safe Mode does not prevent users from opening the agent and enabling or disabling Work Mode (if the users' policy allows such operations).
Safe Mode events appear in the CylanceGATEWAY Events screen and Alerts view and are sent to the SIEM solution or syslog server, if configured.
When enabled, Safe Mode will protect all DNS traffic that does not use the
CylanceGATEWAY
tunnel (for example, allow Gateway to establish tunnels only on MDM managed devices where Gateway is configured as the managed VPN, per-app tunnel, split tunneling).
This feature is supported on the following devices:
  • CylanceGATEWAY
    agent for
    Windows
    2.8 or later.
  • CylanceGATEWAY
    agent for
    macOS
    2.7 or later.
This feature is not supported in environments that use secure DNS with DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) protocols. DNS queries sent using DoT or DoH cannot be viewed by
CylanceGATEWAY
Safe Mode and
CylanceGATEWAY
agent for
macOS
: On
macOS
, the
CylanceGATEWAY
agent uses a system extension to implement Safe Mode. If you add the “P7E3XMAM8G:com.blackberry.big3.gatewayfilter” system extension to an allowed list, it can load automatically without user interaction when the
CylanceGATEWAY
agent is activated. Otherwise, instruct your users to allow the
CylanceGATEWAY
system extension when they are prompted during activation. For information on how to add a system extension to an allowed list, see your
macOS
documentation. For more instructions on how to activate the
CylanceGATEWAY
agent to use Safe Mode, see Activate Safe Mode in the CylanceGATEWAY agent in the user guide.
Safe Mode and third-party VPNs
: If your environment is configured to use Safe Mode and a third-party VPN, you must review and, if necessary, adjust the VPN DNS settings to ensure that the DNS settings only route the DNS queries for traffic that is defined to use the VPN tunnel. If you enable Safe Mode and the VPN DNS settings are not reviewed, the VPN may not work as expected. By default, the configuration for many VPNs is to route all DNS traffic through the VPN tunnel when active.
Enforce the "Start CylanceGATEWAY when I sign in" setting
This setting specifies whether to force the
CylanceGATEWAY
agent on
macOS
or
Windows
devices to start automatically when users log in. This policy setting overrides the "Start
CylanceGATEWAY
when I sign in" setting in the agent.
BlackBerry
recommends that you enable this option in the Gateway Service policy.
This feature is supported on the following devices:
  • CylanceGATEWAY
    agent for
    macOS
    2.7 or later
  • CylanceGATEWAY
    agent for
    Windows
    2.7 or later  
Automatically start CylanceGATEWAY when user signs in
This setting starts the
CylanceGATEWAY
agent automatically when users sign in to the device, but users can still stop the agent manually. When you enable both this setting and "Enable Work Mode Automatically" for
Windows
devices, the agent is minimized in the system tray when it launches.
This setting is only valid if the "Enforce the Start CylanceGATEWAY when I sign in" setting is enabled.
Enforce the 'Enable Work Mode Automatically' setting
This setting specifies whether to force the
CylanceGATEWAY
agent on
macOS
or
Windows
devices to enable Work Mode automatically when the agent starts. This policy setting overrides the "Enable Work Mode Automatically" setting in the agent.
This feature is supported on the following devices:
  • CylanceGATEWAY
    agent for
    macOS
    2.7 or later.
  • CylanceGATEWAY
    agent for
    Windows
    2.7 or later  
Enable Work Mode Automatically
This setting enables Work Mode automatically when the
CylanceGATEWAY
agent starts, but users can still manually enable and disable Work Mode after the agent starts. When you enable both this setting and "Automatically start
CylanceGATEWAY
when user signs in" for
Windows
devices, the agent is minimized in the system tray when it launches.
This setting is only valid if the "Enforce the Enable Work Mode Automatically setting" is enabled.
Tunnel Use
Per-app tunnel
This setting specifies which apps can send data through the tunnel to the
CylanceGATEWAY
cloud services. You can configure per-app tunnel with either an Allowed apps or Restricted apps list. For example, if you select the Allowed apps option and specify apps that can use the tunnel, and then change the option to Restricted apps, the listed apps cannot use the tunnel. 
Possible options:
  • Select
    Allowed apps
    to specify the apps that use the tunnel. No other apps can use the tunnel. System apps and
    Windows
    DNS always use the tunnel. If you select this option, any set ACL rules or network access control policies are applied. For more information on ACL rules and network access control policies, see Controlling network access.
  • Select
    Restricted apps
    to specify the apps that cannot use the tunnel. All other apps can use the tunnel.
  • Click The Add icon and enter the full path or include a wildcard in the path for desktop apps or add the
    Windows
    Package Family Name (PFN) for store apps. You can specify a combined maximum of 200 app paths or PFNs.
    When you include a wildcard in the path, consider the following:
    • You can include only one wildcard per path. The supported format is \*\ (for example, %ProgramFiles%\
      Folder_Name
      \*\
      Application_Name
      .exe)
    • Wildcards are not supported in the following instances:
      • Used in place of environment variables
      • Used in place of root directories in the path
      • Used for partial directory names (for example, "C:\Win*\notepad.exe")
      • Used in executable names (for example, "C:\Windows\*.exe")
    Wildcards are supported on
    Windows
    devices that are running
    CylanceGATEWAY
    agent for
    Windows
    2.7 or later.
This feature is supported on the following devices:
  • CylanceGATEWAY
    for
    Windows
    2.0.0.13 or later.
  • Android
    or
    Chromebook
    device users that are running the
    CylancePROTECT Mobile
    app.
Force apps to use the tunnel
This setting requires all non-loopback connections to use the tunnel. If you select this option and have split tunneling enabled, all traffic will use the tunnel. On
Windows
devices, if you select this option and have split tunneling enabled, connections that don't use the tunnel may not function as expected. This feature is supported on the following devices:
  • Unmanaged
    macOS
    devices that are running
    macOS
    10.15 or later and
    CylanceGATEWAY
    for
    macOS
    2.0.17 or later.
  • Unmanaged
    iOS
    devices that are running
    iOS
    14.0 or later and
    CylancePROTECT Mobile
    app 2.4.0.1731 or later.
  • Windows
    devices that are running
    CylanceGATEWAY
    for
    Windows
Allow apps to use the local network
This setting allows the apps that are forced to use the tunnel to reach local network destinations. This feature is supported on the following devices:
  • Unmanaged
    macOS
    devices that are running
    macOS
    10.15 or later and
    CylanceGATEWAY
    for
    macOS
    2.0.17 or later.
  • Unmanaged
    iOS
    devices that are running
    iOS
    14.2 or later and
    CylancePROTECT Mobile
    app 2.4.0.1731 or later. 
  • Windows
    devices that are running
    CylanceGATEWAY
    for
    Windows
    2.5 or later.
This setting is only valid if "Force apps to use the tunnel" is enabled.
Block network traffic from restricted apps
This setting prevents all non-loopback network connections from apps that cannot use the tunnel. If you do not select this setting, the restricted apps can use the default network connection. This feature is supported on devices that are running the
CylanceGATEWAY
for
Windows
agent.
Allow other Windows users to use the tunnel
This setting allows all users that use the same
Windows
device to use the tunnel. If you select this option, any per-app tunnel criteria applies. If you do not select this option, apps run by other
Windows
users are treated as restricted apps.
Allow incoming connections
This setting allows incoming TCP connections and UDP flows from non-tunnel, non-loopback interfaces.
CylanceGATEWAY
never routes incoming connections through the tunnel. This feature is supported on devices that are running the
CylanceGATEWAY
for
Windows
agent.
Tunnel reauthentication
Tunnel reauthentication
This setting specifies how frequently users must authenticate before they establish a tunnel.
When you enable this feature,
BlackBerry
recommends that you set the "Allow authentication reuse" option to specify the period after which users need to authenticate again.
This feature is supported on the following devices:
  • CylanceGATEWAY
    for
    macOS
    2.5 or later.
  • CylanceGATEWAY
    for
    Windows
    2.5 or later.
Allow authentication reuse
When enabled, this setting specifies a reuse period after which users who have authenticated and established a tunnel are required to authenticate again. The reuse period can be set between 5 minutes and 365 days from their last authentication. For example, if you set the reset period to 10 days, users must authenticate again 10 days after their first authentication before they can establish a tunnel. By default, this setting is disabled.
If you do not enable the Allow authentication reuse and specify a reuse period, users must authenticate each time they establish a tunnel.
This setting is only valid if "Tunnel reauthentication" is enabled.
Grace period
This setting allows users to reconnect to the tunnel without authenticating if the connection to the tunnel is established within 2 minutes of the connection being disconnected. By default, this option is enabled when you turn on tunnel reauthentication.
This setting is only valid if "Tunnel reauthentication" is enabled.
Split tunneling
Split tunneling
This setting allows traffic to public destinations to bypass
CylanceGATEWAY
. You can specify whether the destination must use the tunnel or cannot use the tunnel using the following options:
  • Inclusive: You can type the CIDRs and FQDNs for destinations that must route through the tunnel. For enhanced user experience, the management console periodically refreshes the FQDN to IP address resolution.
    FQDN addresses do not support wildcards.
  • Exclusive: You can type the CIDRs for destinations that you do not want to use the tunnel. You can use this option when you only have a few destinations that you want to exclude from using the tunnel, all other network traffic will use the tunnel. FQDNs are not supported.
If you have configured both options, only the option that is selected and displayed is applied to the network traffic, but all settings are retained to allow you to easily change between the options.
If you enable split tunneling, connections to allowed public destinations bypass the tunnel and the
CylanceGATEWAY
cloud services unless you specify that connections to the destination must use the tunnel. If you enable split tunneling and do not enable split DNS, all DNS queries are evaluated against the configured ACL rules and network access controls are applied before traffic is routed to the public destination. If you are using source IP pinning, all destinations configured for source IP pinning must use the tunnel.
If you make changes to tunneling settings or incoming connections, users must disable and then enable Work Mode in the
CylanceGATEWAY
agent installed on
Windows
and
macOS
devices or in the
CylancePROTECT Mobile
app on
iOS
,
Android
, and 64-bit
Chromebook
devices for the changes to take effect.
Split DNS
When enabled, this setting allows DNS lookups for the domains that are listed in the Private Network > DNS > Forward Lookup Zone configuration to be completed through the tunnel where network access controls are applied. All other DNS lookups are completed using local DNS. If you enabled Safe Mode, DNS traffic that does not use the Gateway tunnel is protected by Safe Mode. Split DNS is disabled by default.
Android
and 64-bit
Chromebook
devices do not support split DNS tunneling and will use the tunnel where access controls are applied.
This setting is only valid if "Split Tunneling" is enabled.