- Cylance Endpoint Security requirements
- Requirements: Cylance console
- Requirements: CylancePROTECT Desktop
- Requirements: CylanceOPTICS
- Requirements: CylancePROTECT Mobile app
- Requirements: BlackBerry Connectivity Node
- Requirements: CylanceGATEWAY Connector
- Requirements: CylanceGATEWAY agents
- Requirements: CylanceAVERT
- Cylance Endpoint Security network requirements
- Cylance Endpoint Security proxy requirements
- Logging in to the management console
- Installing the BlackBerry Connectivity Node
- Linking to your company directory
- Setting up administrators
- Adding users and devices
- Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Setting up CylancePROTECT Desktop
- Testing your CylancePROTECT Desktop deployment
- Using device policies to manage CylancePROTECT Desktop devices
- Installing the CylancePROTECT Desktop agent for Windows
- Installing the CylancePROTECT Desktop agent for macOS
- Installing the CylancePROTECT Desktop agent for Linux
- Require users to provide a password to remove the CylancePROTECT Desktop agent
- Setting up CylancePROTECT Mobile
- Setting up CylanceOPTICS
- Setting up CylanceGATEWAY
- Defining your private network
- Setting up the CylanceGATEWAY Connector
- Install the CylanceGATEWAY Connector to a vSphere environment
- Install the CylanceGATEWAY Connector to an ESXi environment
- Prerequisites to install CylanceGATEWAY Connector to a Microsoft Entra ID environment
- Install the CylanceGATEWAY Connector to a Microsoft Entra ID environment
- Install the CylanceGATEWAY Connector to a Hyper-V environment
- Install the CylanceGATEWAY Connector to an AWS environment
- Configure the CylanceGATEWAY Connector in the VM environment
- Access the CylanceGATEWAY Connector using OpenSSH
- Configure your firewall for the CylanceGATEWAY Connector
- Enroll the CylanceGATEWAY Connector with the BlackBerry Infrastructure
- View details for an enrolled CylanceGATEWAY Connector
- Configure the CylanceGATEWAY Connector
- Managing CylanceGATEWAY Connectors
- Manage CylanceGATEWAY Connectors
- Update a CylanceGATEWAY Connector
- UDP connectivity test responses
- Specify your private network
- Specify your private DNS
- Specify your DNS suffixes
- Specify private CylanceGATEWAY agent IP ranges
- Bring your own IP addresses (BYOIP)
- Setting up the CylanceGATEWAY Connector
- Network Address Translation with CylanceGATEWAY
- Define network services
- Controlling network access
- Configuring network protection
- Searching ACL rules and Network Services
- Using source IP pinning
- Configuring the Gateway service options
- Gateway Service policy parameters
- Configure Gateway service options
- Specifying how devices activated with an EMM solution use the CylanceGATEWAY tunnel
- Specify which apps use CylanceGATEWAY on iOS devices
- Specify which apps use CylanceGATEWAY on iOS devices in a Microsoft Intune environment
- Specify CylanceGATEWAY options on Android Enterprise devices
- Specify CylanceGATEWAY options on Chromebook devices
- Specify CylanceGATEWAY options on Android Enterprise devices in your Microsoft Intune environment
- Connecting Cylance Endpoint Security to MDM solutions to verify whether devices are managed
- Installing the CylanceGATEWAY agent
- Defining your private network
- Setting up CylanceAVERT
- Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Connecting Cylance Endpoint Security to external services
- Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines
Application control
Application control is an optional setting for
Windows
and Linux
devices that allows users to restrict any changes to executables on the device. Only applications that are on the device before application control is enabled are allowed to execute. Typically, application control is used for fixed function devices that are not changed after it's set up (for example, point-of-sale devices). When application control is enabled, attempts to add applications and make changes to applications on the device are denied. This means that applications cannot be downloaded from web browsers or copied from another device or computer (such as an external or shared drive).
The main objectives of application control are:
- Deny the execution of executable files from remote or external drives.
- Deny the creation of new executables on the local drive.
- Deny changes to existing files on the local drive.
Consider the following when using application control:
- TheCylancePROTECT DesktopandCylanceOPTICSagent update process is disabled when application control is enabled.
- You cannot remove theCylancePROTECT DesktopandCylanceOPTICSagents when application control is enabled.
- It is not recommended to runCylanceOPTICSon systems that use application control. When application control is enabled,CylanceOPTICSdoes not function properly due to the restrictive nature of application control.
- All executable files on remote or external drives are denied from executing when application control is enabled. To prevent production outages or excessive network activity, application control does not monitor file transfers to remote or external drives.
Application control settings
Option | Description |
|---|---|
Application Control | This setting specifies whether to enable application control. When you enable application control, the following recommended settings will be automatically applied:
If you want to change any of these settings, clear the selection from the specified tabs. |
Change Window | When enabled, this setting temporarily disables application control to allow editing and running new applications or to perform updates, including updating the agent. After performing the necessary changes, clear this check box to close the change window and re-enable application control. When you use this setting to temporarily disable application control, changes such as folder exclusions are retained. If you disable the Application Control setting, the settings are reset to default. |
Folder Exclusions (includes subfolders) | This setting specifies an absolute path of folders that are allowed to make application changes and additions when application control is enabled. This setting applies to devices running Windows agent 1410 or later.Example: C:\Program Files\Microsoft SQL Server Folder exclusions are only available for local internal drives. Exclusions for removable or remote drives are not supported. |
Viewing application control activity
You can find the application control activity of a device from its
Device Details
page in the Threats & Activities
section.