Cylance Endpoint Security requirements
Logging in to the management console
- Custom authentication
- Enhanced authentication sign in
  - Sign in to the Cylance Endpoint Security management console using enhanced authentication
  - Generate a new SSO callback URL
Configuring a new Cylance Endpoint Security tenant
- Default configuration settings for a new Cylance Endpoint Security tenant
- Export, import, or reset the configuration of a Cylance Endpoint Security tenant
Installing the BlackBerry Connectivity Node
Linking to your company directory
Setting up administrators
Adding users and devices
Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Create an enrollment policy
- Supported enrollment email variables
Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Add and configure a zone
Setting up CylancePROTECT Desktop
Setting up CylancePROTECT Mobile
Setting up CylanceOPTICS
- Install the CylanceOPTICS agent on devices
  - Configuration requirements for macOS 11.x and later
  - OS commands for the CylanceOPTICS agent
- Enable and configure CylanceOPTICS
Setting up CylanceGATEWAY
Setting up CylanceAVERT
Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Manage updates for the CylancePROTECT Desktop and CylanceOPTICS agents
Connecting Cylance Endpoint Security to external services
- Integrating Cylance Endpoint Security with Okta
  - Prerequisites for adding an Okta connector
  - Add and configure an Okta connector
- Integrating Cylance Endpoint Security with Mimecast
  - Prerequisites for adding a Mimecast connector
  - Add and configure a Mimecast connector
Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines

Device control

Device control protects devices by controlling USB mass storage devices connecting to devices in the organization. When you enable device control, you can allow full access, read-only, or block USB mass storage devices, such as USB flash drives, external hard drives, and smartphones. As part of the policy, you can also use exclusions to define the access level for specific mass storage devices using the vendor ID, product ID, and serial number. For example, you can block all USB mass storage devices, but create exclusions to allow full access to some authorized devices only.

Device control is available for

Windows

devices running agent version 2.1.1410 or later, and

macOS

devices running agent version 3.3.1000 or later.

Device control does not affect USB peripherals such as a mouse or keyboard. For example, when you create a policy to block all USB mass storage device types, a user can still use a USB keyboard.

Device control is not supported for SD cards at this time. However, if utilized with a USB card reader device, device control might detect the USB device.

When device control is enabled, all USB mass storage devices that are inserted are logged, along with the policy action that was applied (full access, read-only, or block). If the policy action is set to read-only or block, and desktop notifications are enabled on the device, a pop-up notification appears on the device when a USB mass storage device is connected. You can find the log of device control events on the

Protection > External Devices

screen in the console.

Device control setting	Description
Windows device control	This setting turns on device control for Windows devices and allows you to select the policy to apply for each USB device type. The exclusion list is shared between Windows and macOS devices when device control is enabled for both OS platforms.
macOS device control	This setting turns on device control for macOS devices and allows you to select the policy to apply for each USB device type. The exclusion list is shared between Windows and macOS devices when device control is enabled for both OS platforms.

Device control policy action	Description
Block	This setting blocks the device from accessing external USB storage devices.
Read Only	This setting allows read-only access to external USB storage devices. Read-only access allows devices to view the contents of an external USB device but does not allow write or delete access to the USB device. The following USB device types can be configured for read-only access for Windows devices only: Still image USB CD/DVD RW USB drive VMWare USB passthrough Windows portable device When adding exclusions, this setting applies to Windows devices only and will be ignored for macOS devices.
Full Access	This setting allows read, write, and delete access to the external USB storage devices.

Supported USB device types	Description	Agent platform
Android	This is a portable device running Android OS, such as a smartphone or a tablet. When an Android device is connected, its device type might be identified as Android , Still Image, or Windows Portable Device. If you want to block Android devices, consider blocking Still Image and Windows Portable Device as well.	Windows
iOS	This is an portable Apple device running iOS , such as an iPhone or iPad . Some iOS devices will not charge when device control is enabled and set to block unless the device is powered off. Apple includes their charging capability within functions of the device that are required for our iOS device blocking capability. Non- Apple devices do not bundle their charging capability in this manner and are not impacted.	Windows
Still Image	This device type includes scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers. The agent considers Canon cameras to be a Windows Portable Device, not a Still Image device.	Windows
USB CD DVD RW	This is a USB optical drive.	Windows , macOS
USB Drive	This is a USB hard drive or USB flash drive.	Windows , macOS
VMware USB Passthrough	This is a VMware virtual machine client that has USB devices connected to the host.	Windows
Windows Portable Device	These are portable devices that use the Microsoft Windows Portable Device (WPD) driver technology, such as mobile phones, digital cameras, and portable media players.	Windows

Section:

Using device policies to manage CylancePROTECT Desktop devices

Add an external storage exclusion

Bulk import of device control exclusions