Enhanced authentication sign in
The management console provides enhanced authentication capabilities, including local multi-factor authentication and more granular authentication policies and policy assignments. You can configure the environment to specify the types of authentication that administrators must complete to sign in to the Cylance console and that users must complete before they can activate the CylancePROTECT Mobile app and CylanceGATEWAY agent.

By default, administrators use the Cylance console password to access the management console. Users use their directory credentials (username only) or their BlackBerry Online Account credentials (full email address) to activate the CylancePROTECT Mobile app and CylanceGATEWAY agent, depending on how the CylanceGATEWAY agent was activated. For tenants created in March 2024 or later, by default, administrators are required to enter a one-time password to access the Cylance console after they set up their console password.

You can create authentication policies for your tenant that specify the types of authentication that must be completed by all administrators and users on the tenant. Only one tenant policy can be created for Cylance console sign-in, the CylancePROTECT Mobile app, and CylanceGATEWAY agent. You can create authentication policies for users that specify the types of authentication administrators and users on the tenant must complete. The types of authentication added to the tenant policy and authentication policy must be completed in the order that they are specified in the policy. As a failsafe, you may configure one administrator to access the Cylance console using their username and a strong password.

The updated sign-in flow is now the only method to access the Cylance console. Any authentication policies that you applied in your console during the preview period have taken effect.

To configure enhanced authentication for sign-in, perform one of the following actions:

Configure enhanced authentication for sign-in to the Cylance console
If your tenant was created before March 2024, complete these steps if you want to configure your users to authenticate with the Cylance console using an authenticator such as One-Time Password in addition to the Cylance password. For a walkthrough of how to add the One-Time Password authenticator to your tenant policy, see Add the One-Time Password authentication for administrators to access the Cylance console.

Step | Action |
---|---|
1 | Sign in to the Cylance console using your existing username and password. |
2 | Add an authenticator (for example, One-Time Password or Enterprise). By default, the following authenticators are configured for use in your environment: One-time password, Cylance console password and enterprise authentication. |
3 | Create an authentication policy that uses the password and the authenticator that you created (optional). As a failsafe, create one authentication policy that only uses the Cylance console password and assign it to one administrator. |
4 | Create a tenant policy for administrators and users. |

Remove One-Time Password authentication for sign-in to the Cylance console
Tenants created in March 2024 or later require users to enter a One-Time Password after they enter the Cylance console password each time before they can access the console. Complete these steps if you want to remove the One-Time Password requirement for users to authenticate with the console. For a walkthrough of how to remove the One-Time Password authenticator from your tenant policy, see Remove One-Time Password authentication for administrators to access the Cylance console.

Step | Action |
---|---|
1 | Sign in to the Cylance console using your existing username, password, and one-time password. |
2 | Remove the One-Time Password authenticator from the Administration Console tenant policy. |
3 | Sign in to the Cylance console and test the Cylance console password policy. |

Configure a new IDP SAML authenticator for SSO and IDP-initiated access to the Cylance console
Complete these steps if you want to configure a new IDP SAML authenticator for users to authenticate with the Cylance console. Users can use their IDP credentials to access the console from the sign-in page or use IDP-initiated SSO to access the console from the IDP user portal. For a walkthrough of how to configure your IDP SAML, see How do I configure IDP SAMLs for enhanced authentication and IDP-initiated access to the Cylance console and select your IDP.

Step | Action |
---|---|
1 | In the IDP environment, create a new SAML application. |
2 | Configure the IDP to communicate with Cylance Endpoint Security. |
3 | In the Cylance console, add an authenticator. |
4 | Create an authentication policy that uses the password and the authenticator that you created. As a failsafe, create one authentication policy that only uses the Cylance console password and assign it to one administrator. |
5 | In the IDP environment, update the SSO Callback URL that you generated in the Cylance console. |
6 | (Optional) Disable Custom Authentication (Settings > Application). |

Update an existing IDP SAML authenticator to enable IDP-initiated access to the Cylance console
Complete these steps only if your IDP SAML authenticator was created before December 2023 and you want to enable IDP-initiated SSO for users to access the console from the IDP user portal. For a walkthrough, see How do I update IDP (SAML) authenticators to enable IDP-initiated access to the Cylance console and select your IDP.

Step | Action |
---|---|
1 | Sign in to the Cylance console using your existing username and password. |
2 | In the current IDP SAML authenticator, generate a new SSO callback URL. |
3 | In the IDP environment, update the existing SAML settings. |