Gateway Service policy parameters

If you are configuring CylanceGATEWAY on devices that are activated with an EMM solution such as BlackBerry UEM, you can also specify options in your EMM solution that control how CylanceGATEWAY works on devices.

General information

Name
This is a name for the rule.

Description
This is a brief description of the purpose for the rule.

Agent Configuration

Allow Gateway to run only if the device is managed by BlackBerry UEM or Microsoft Intune
This setting specifies that iOS, Android, or Chromebook devices must be managed by BlackBerry UEM or Microsoft Intune before users can use CylanceGATEWAY.
This feature requires one of the following:
  • BlackBerry UEM: The BlackBerry UEM connector is added to the Cylance Endpoint Security tenant and apps are sent from BlackBerry UEM.
  • Intune: The Microsoft Intune connector is added to the Cylance Endpoint Security tenant and you create app configuration policies that define the device types and Intune user groups that the integration applies to.

Allow Gateway to establish tunnels only on MDM managed devices where Gateway is configured as the managed VPN
You can require that a device be enrolled in Mobile Device Management (MDM) for your organization, with CylanceGATEWAY configured as a VPN provider, before CylanceGATEWAY Work Mode will create a tunnel on that device.
This feature is supported on the following devices:
  • CylanceGATEWAY agent for macOS 2.7 or later
  • CylancePROTECT Mobile app for iOS 2.14 or later

Allow Gateway to run only if CylancePROTECT Desktop is also activated on the device
This setting requires that users have CylancePROTECT Desktop installed and activated from the same tenant. This feature is supported on the following devices:
  • Windows devices that are running CylanceGATEWAY for Windows
  • macOS devices that are running CylancePROTECT Desktop 3.0 or later and CylanceGATEWAY for macOS 2.0.17 or later. If you enable this feature for devices that are running a version of CylancePROTECT Desktop earlier than 3.0, the tunnel may not function as expected.

Safe Mode
You can enable Safe Mode for your users. With Safe Mode, CylanceGATEWAY blocks apps and users from accessing potentially malicious destinations and enforces an acceptable use policy (AUP) by intercepting DNS requests. The CylanceGATEWAY cloud services evaluate each DNS query against the configured ACL rules and network protection settings (for example, DNS Tunneling and Zero Day Detections such as DGA, Phishing, and Malware), and then instruct the agent to allow or block the request in real time. If allowed, the DNS request completes normally over the bearer network. Otherwise, the CylanceGATEWAY agent overrides the normal response to prevent access.
When enabled, Safe Mode automatically takes effect when Work Mode is disabled. When enabled for Windows devices, the agent is minimized in the system tray when it launches. Enabling Safe Mode does not prevent users from opening the agent and enabling or disabling Work Mode (if the users' policy allows such operations).
Safe Mode events appear in the CylanceGATEWAY Events screen and Alerts view and are sent to the SIEM solution or syslog server, if configured.
When enabled, Safe Mode protects all DNS traffic that does not use the CylanceGATEWAY tunnel (for example, traffic left outside the tunnel by "Allow Gateway to establish tunnels only on MDM managed devices where Gateway is configured as the managed VPN", per-app tunnel, or split tunneling).
This feature is supported on the following devices:
  • CylanceGATEWAY agent for Windows 2.8 or later.
  • CylanceGATEWAY agent for macOS 2.7 or later.
This feature is not supported in environments that use secure DNS with DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) protocols. DNS queries sent using DoT or DoH cannot be viewed by CylanceGATEWAY.
Safe Mode and CylanceGATEWAY agent for macOS: On macOS, the CylanceGATEWAY agent uses a system extension to implement Safe Mode. If you add the “P7E3XMAM8G:com.blackberry.big3.gatewayfilter” system extension to an allowed list, it can load automatically without user interaction when the CylanceGATEWAY agent is activated. Otherwise, instruct your users to allow the CylanceGATEWAY system extension when they are prompted during activation. For information on how to add a system extension to an allowed list, see your macOS documentation. For more instructions on how to activate the CylanceGATEWAY agent to use Safe Mode, see Activate Safe Mode in the CylanceGATEWAY agent in the user guide.
Safe Mode and third-party VPNs: If your environment is configured to use Safe Mode and a third-party VPN, you must review and, if necessary, adjust the VPN DNS settings to ensure that they route only the DNS queries for traffic that is defined to use the VPN tunnel. If you enable Safe Mode and the VPN DNS settings are not reviewed, the VPN may not work as expected. By default, many VPNs are configured to route all DNS traffic through the VPN tunnel when active.

Enforce the "Start CylanceGATEWAY when I sign in" setting
This setting specifies whether to force the CylanceGATEWAY agent on macOS or Windows devices to start automatically when users log in. This policy setting overrides the "Start CylanceGATEWAY when I sign in" setting in the agent. BlackBerry recommends that you enable this option in the Gateway Service policy.
This feature is supported on the following devices:
  • CylanceGATEWAY agent for macOS 2.7 or later
  • CylanceGATEWAY agent for Windows 2.7 or later

Automatically start CylanceGATEWAY when user signs in
This setting starts the CylanceGATEWAY agent automatically when users sign in to the device, but users can still stop the agent manually. When you enable both this setting and "Enable Work Mode Automatically" for Windows devices, the agent is minimized in the system tray when it launches.
This setting is only valid if the "Enforce the Start CylanceGATEWAY when I sign in" setting is enabled.

Enforce the 'Enable Work Mode Automatically' setting
This setting specifies whether to force the CylanceGATEWAY agent on macOS or Windows devices to enable Work Mode automatically when the agent starts. This policy setting overrides the "Enable Work Mode Automatically" setting in the agent.
This feature is supported on the following devices:
  • CylanceGATEWAY agent for macOS 2.7 or later.
  • CylanceGATEWAY agent for Windows 2.7 or later.

Enable Work Mode Automatically
This setting enables Work Mode automatically when the CylanceGATEWAY agent starts, but users can still manually enable and disable Work Mode after the agent starts. When you enable both this setting and "Automatically start CylanceGATEWAY when user signs in" for Windows devices, the agent is minimized in the system tray when it launches.
This setting is only valid if the "Enforce the Enable Work Mode Automatically setting" is enabled.

Tunnel Use

Per-app tunnel
This setting specifies which apps can send data through the tunnel to the CylanceGATEWAY cloud services. You can configure per-app tunnel with either an Allowed apps or Restricted apps list. For example, if you select the Allowed apps option and specify apps that can use the tunnel, and then change the option to Restricted apps, the listed apps cannot use the tunnel.
Possible options:
  • Select Allowed apps to specify the apps that use the tunnel. No other apps can use the tunnel. System apps and Windows DNS always use the tunnel. If you select this option, any set ACL rules or network access control policies are applied. For more information on ACL rules and network access control policies, see Controlling network access.
  • Select Restricted apps to specify the apps that cannot use the tunnel. All other apps can use the tunnel.
  • Click the Add icon and enter the full path (optionally including a wildcard) for desktop apps, or add the Windows Package Family Name (PFN) for store apps. You can specify a combined maximum of 200 app paths or PFNs.
    When you include a wildcard in the path, consider the following:
    • You can include only one wildcard per path. The supported format is \*\ (for example, %ProgramFiles%\Folder_Name\*\Application_Name.exe)
    • Wildcards are not supported in the following instances:
      • Used in place of environment variables
      • Used in place of root directories in the path
      • Used for partial directory names (for example, "C:\Win*\notepad.exe")
      • Used in executable names (for example, "C:\Windows\*.exe")
    Wildcards are supported on Windows devices that are running CylanceGATEWAY agent for Windows 2.7 or later.
This feature is supported on the following devices:
  • CylanceGATEWAY for Windows 2.0.0.13 or later.
  • Android or Chromebook device users that are running the CylancePROTECT Mobile app.
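The wildcard rules above are easy to get wrong when building a long Allowed or Restricted apps list. The following validator is an added example, not CylanceGATEWAY code: it encodes the documented constraints (one wildcard per path, whole \*\ segment only, no wildcard in place of the root or environment variable, none in the executable name, 200 entries combined) so a list can be checked before it is entered in the console. How the agent itself matches paths is not documented here and is not assumed beyond these rules; the PFN check only looks for the Name_PublisherId shape.

```python
from __future__ import annotations
import re

# Added example (not CylanceGATEWAY code): checks per-app tunnel entries
# against the wildcard rules in the policy description above.
MAX_ENTRIES = 200                               # combined paths + PFNs
ENV_VAR = re.compile(r"^%[A-Za-z0-9_()]+%$")    # e.g. %ProgramFiles%
DRIVE_ROOT = re.compile(r"^[A-Za-z]:$")         # e.g. C:


def validate_app_path(path: str) -> tuple[bool, str]:
    """Return (ok, reason) for one desktop app path entry."""
    parts = path.split("\\")
    if len(parts) < 2 or not parts[-1].lower().endswith(".exe"):
        return False, "expected a full path ending in an .exe name"
    # A wildcard can never stand in for the drive root or an environment
    # variable, so the first segment must be one of those two literally.
    if not (ENV_VAR.match(parts[0]) or DRIVE_ROOT.match(parts[0])):
        return False, "path must start with a drive root or environment variable"
    stars = [i for i, seg in enumerate(parts) if "*" in seg]
    if not stars:
        return True, "ok (no wildcard)"
    if len(stars) > 1 or path.count("*") > 1:
        return False, "only one wildcard is allowed per path"
    idx = stars[0]
    if idx == len(parts) - 1:
        return False, "wildcard in the executable name is not supported"
    if parts[idx] != "*":
        return False, "wildcard must replace a whole directory (\\*\\), not part of a name"
    return True, "ok (one \\*\\ segment)"


def validate_entries(entries: list[str]) -> dict[str, str]:
    """Validate a whole app list; returns {entry: reason} for rejected entries."""
    problems: dict[str, str] = {}
    if len(entries) > MAX_ENTRIES:
        problems["<list>"] = f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}"
    for entry in entries:
        if "\\" in entry:                        # desktop app path
            ok, why = validate_app_path(entry)
            if not ok:
                problems[entry] = why
        elif "_" not in entry or "*" in entry:   # store app PFN: Name_PublisherId
            problems[entry] = "not a path and not a Package Family Name"
    return problems
```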

Force apps to use the tunnel
This setting requires all non-loopback connections to use the tunnel. If you select this option and have split tunneling enabled, all traffic will use the tunnel. On Windows devices, if you select this option and have split tunneling enabled, connections that don't use the tunnel may not function as expected. This feature is supported on the following devices:
  • Unmanaged macOS devices that are running macOS 10.15 or later and CylanceGATEWAY for macOS 2.0.17 or later.
  • Unmanaged iOS devices that are running iOS 14.0 or later and CylancePROTECT Mobile app 2.4.0.1731 or later.
  • Windows devices that are running CylanceGATEWAY for Windows

Allow apps to use the local network
This setting allows the apps that are forced to use the tunnel to reach local network destinations. This feature is supported on the following devices:
  • Unmanaged macOS devices that are running macOS 10.15 or later and CylanceGATEWAY for macOS 2.0.17 or later.
  • Unmanaged iOS devices that are running iOS 14.2 or later and CylancePROTECT Mobile app 2.4.0.1731 or later.
  • Windows devices that are running CylanceGATEWAY for Windows 2.5 or later.
This setting is only valid if "Force apps to use the tunnel" is enabled.

Block network traffic from restricted apps
This setting prevents all non-loopback network connections from apps that cannot use the tunnel. If you do not select this setting, the restricted apps can use the default network connection. This feature is supported on devices that are running the CylanceGATEWAY for Windows agent.

Allow other Windows users to use the tunnel
This setting allows all users that use the same Windows device to use the tunnel. If you select this option, any per-app tunnel criteria applies. If you do not select this option, apps run by other Windows users are treated as restricted apps.

Allow incoming connections
This setting allows incoming TCP connections and UDP flows from non-tunnel, non-loopback interfaces. CylanceGATEWAY never routes incoming connections through the tunnel. This feature is supported on devices that are running the CylanceGATEWAY for Windows agent.

Tunnel reauthentication

Tunnel reauthentication
This setting specifies how frequently users must authenticate before they establish a tunnel.
When you enable this feature, BlackBerry recommends that you set the "Allow authentication reuse" option to specify the period after which users need to authenticate again.
This feature is supported on the following devices:
  • CylanceGATEWAY for macOS 2.5 or later.
  • CylanceGATEWAY for Windows 2.5 or later.

Allow authentication reuse
When enabled, this setting specifies a reuse period after which users who have authenticated and established a tunnel are required to authenticate again. The reuse period can be set between 5 minutes and 365 days from their last authentication. For example, if you set the reuse period to 10 days, users must authenticate again 10 days after their first authentication before they can establish a tunnel. By default, this setting is disabled.
If you do not enable Allow authentication reuse and specify a reuse period, users must authenticate each time they establish a tunnel.
This setting is only valid if "Tunnel reauthentication" is enabled.

Grace period
This setting allows users to reconnect to the tunnel without authenticating if the connection to the tunnel is established within 2 minutes of the connection being disconnected. By default, this option is enabled when you turn on tunnel reauthentication.
This setting is only valid if "Tunnel reauthentication" is enabled.

Split tunneling

Split tunneling
This setting allows traffic to public destinations to bypass CylanceGATEWAY. You can type CIDR addresses or FQDNs for destinations that must route through the tunnel. For enhanced user experience, the management console periodically refreshes the FQDN to IP address resolution.
FQDN addresses do not support wildcards.
If you enable split tunneling, connections to allowed public destinations bypass the tunnel and the CylanceGATEWAY cloud services unless you specify that connections to the destination must use the tunnel. If you enable split tunneling and do not enable split DNS, all DNS queries are evaluated against the configured ACL rules and network access controls are applied before traffic is routed to the public destination. If you are using source IP pinning, all destinations configured for source IP pinning must use the tunnel.
If you make changes to tunneling settings or incoming connections, users must disable and then enable Work Mode in the CylanceGATEWAY agent installed on Windows and macOS devices, or in the CylancePROTECT Mobile app on iOS, Android, and 64-bit Chromebook devices, for the changes to take effect.

Split DNS
When enabled, this setting allows DNS lookups for the domains that are listed in the Private Network > DNS > Forward Lookup Zone configuration to be completed through the tunnel where network access controls are applied. All other DNS lookups are completed using local DNS. If you enabled Safe Mode, DNS traffic that does not use the Gateway tunnel is protected by Safe Mode. Split DNS is disabled by default.
Android and 64-bit Chromebook devices do not support split DNS tunneling and will use the tunnel where access controls are applied.
This setting is only valid if "Split Tunneling" is enabled.
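The Split tunneling, Split DNS and Safe Mode settings interact: together they decide whether a given DNS query is evaluated by the cloud services through the tunnel, evaluated by Safe Mode on the local path, or not seen by CylanceGATEWAY at all. The decision procedure below is an added example, not CylanceGATEWAY code; the GatewayPolicy field names, the platform strings and the transport labels are assumptions, and the branches follow only the behaviour stated in this table (split DNS requires split tunneling, Android and Chromebook always use the tunnel, Safe Mode covers DNS that does not use the tunnel, Safe Mode is only supported by the Windows and macOS agents, and DoT/DoH queries are not visible).

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not CylanceGATEWAY code): which path a DNS query takes under
# the Split tunneling, Split DNS and Safe Mode policy settings. Field names,
# platform strings and transport labels are assumptions.
TUNNEL = "tunnel: ACL rules and network access controls applied"
LOCAL_SAFE = "local DNS: Safe Mode evaluates the query"
LOCAL_PLAIN = "local DNS: not inspected by CylanceGATEWAY"
ENCRYPTED = "DoH/DoT: not visible to CylanceGATEWAY"
SAFE_MODE_PLATFORMS = {"windows", "macos"}     # agents that support Safe Mode


@dataclass
class GatewayPolicy:
    split_tunneling: bool = False
    split_dns: bool = False                    # only valid with split_tunneling
    safe_mode: bool = False
    forward_lookup_zones: tuple[str, ...] = ()  # Private Network > DNS > Forward Lookup Zone


def in_forward_zone(name: str, zones: tuple[str, ...]) -> bool:
    """True when name equals, or is a subdomain of, a configured forward lookup zone."""
    n = name.rstrip(".").lower()
    for zone in zones:
        z = zone.rstrip(".").lower()
        if n == z or n.endswith("." + z):
            return True
    return False


def dns_query_path(policy: GatewayPolicy, name: str, platform: str,
                   work_mode_on: bool, transport: str = "udp") -> str:
    """Decide how one DNS query from a device is resolved under the policy."""
    # What happens to a query that stays off the tunnel on this device.
    if transport in ("doh", "dot"):
        local = ENCRYPTED                      # Safe Mode cannot view DoT/DoH
    elif policy.safe_mode and platform in SAFE_MODE_PLATFORMS:
        local = LOCAL_SAFE
    else:
        local = LOCAL_PLAIN
    if not work_mode_on:
        return local                           # Safe Mode takes effect when Work Mode is off
    if not (policy.split_tunneling and policy.split_dns):
        return TUNNEL                          # without split DNS every query uses the tunnel
    if platform in ("android", "chromebook"):
        return TUNNEL                          # split DNS is unsupported on these devices
    if in_forward_zone(name, policy.forward_lookup_zones):
        return TUNNEL                          # private zone resolved through the tunnel
    return local                               # all other lookups use local DNS
```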