Cyolo Connect - Client Guide

Introduction

This page provides details about the installation and use of the Cyolo Connect client.

Installation

If users have managed devices with Cyolo Connect previously installed, network applications
and device posture profile checks will work on the user’s device. Users can determine that Cyolo Connect is running if they see the Cyolo Connect icon in their toolbar.

Users with Administrative rights on their devices can download Cyolo Connect from the
Applications Portal. Different download options are available for different operating systems.

For a silent installation, run a command such as the following:

msiexec /qn /i some.msi TENANT=https://example.cyolo.io

Uninstallation

To uninstall Cyolo Connect, run the following:

  • **Windows:** Open the Run dialog box with the keyboard shortcut Win + R, type the
    **Appwiz.cpl** command, and press Enter to open Add/Remove Programs and uninstall the agent. Alternatively, open the Control Panel, locate the Cyolo Agent, and uninstall it.
  • **macOS:** Use this command to uninstall: sudo "/Library/Application Support/cyolo/connect/connect" uninstall
  • **Linux:** Use this command to uninstall: sudo dpkg -r cyolo-connect

Cyolo Connect Menu and Toolbar

Users can check the Cyolo Connect status by finding the Cyolo Connect icon in their toolbar.
The icons represent the following statuses (from left to right): Logged in, Logged out, No internet, Paused, Loading, and Restricted connectivity.

  • Login and Logout: Different identities can log into the tenant from the same device, but
    only one at a time.
  • Pause and Resume: Pauses the connectivity to the tenant and may affect the restricted
    connectivity (if configured).
  • Unrestricted and restricted connectivity: Indicates whether the device connectivity is
    restricted or not.
  • Available Networks: Directs the user to the Application Portal. Users can manage network
    connections through the tenant's Application Portal.
  • Certificates: Users can select an installed certificate for authentication and indicator
    verification.
  • Accounts: Users can switch between different tenants. The menu displays the selected
    tenant.

Implementation Details

Windows

  • Backend: Windows Filtering Platform (WFP)
  • Functionality: A sublayer named io.cyolo.killswitch ensures that all outbound network traffic
    is blocked when the Cyolo Connect Agent is not connected, unless specified in the exceptions. Because this is not the “main” sublayer used by the Windows firewall, the rules created by the kill-switch do not show up in tools such as wf.msc. An administrator can view and edit those rules using tools such as WFPExplorer.

macOS

  • Backend Technology: BSD Packet Filter (pf)
  • Functionality: A policy file named /etc/io.cyolo.killswitch.conf contains rules that block all
    outbound network traffic when the Cyolo Connect Agent is not connected, with specified exceptions. The pf firewall on macOS enforces these rules to ensure network security. Additional rules that are added at runtime are stored in a table called outbound_exceptions. An administrator may view and edit those rules using the pf tool.

Linux

  • Backend Technology: iptables
  • Functionality: A chain called io.cyolo.killswitch is created in the filter table and set as the
    default action of the OUTBOUND chain. An administrator may view and edit those rules using the iptables tool.

Captive Portal

In restricted mode, profiles specify whether temporary access to detected captive portals is
allowed on the device. When enabled, access is granted until the user establishes internet connectivity.

Known captive portal detection hosts are automatically whitelisted:

  • macOS: attwifi.apple.com, captive.apple.com
  • Windows: msftncsi.com, msftconnecttest.com
  • Linux: 204.pop-os.org, nmcheck.gnome.org, ping.archlinux.org, conncheck.opensuse.org, network-test.debian.org, connectivity-check.ubuntu.com
  • Additional: clients3.google.com, detectportal.firefox.com, connectivitycheck.gstatic.com, captive.cyolo.io

The underlying network is monitored for changes, such as a change of the default route or the
addition or removal of a unicast IP address on one of the physical network interfaces. When a network change is detected, the following actions take place:

  • For the first 15 seconds in the new network, all outbound TCP is permitted
  • The agent starts polling for access to captive.cyolo.io:80 every second
  • In the case that it sees a 204 response, TCP connectivity is restricted again
  • In the case that it sees something else, a captive portal is assumed to be present in the
    network and TCP connectivity is left permitted.
  • Once captive.cyolo.io returns a 204, TCP connectivity will be restricted again
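
The detection sequence above can be modelled as a small state machine to see how long outbound TCP stays unrestricted after a network change. This is an added example, not Cyolo's code; the State names, treating an unanswered probe as inconclusive, and treating restriction as final until the next network change are assumptions.

```python
from enum import Enum

GRACE_SECONDS = 15  # guide: all outbound TCP is permitted for the first 15 s
POLL_INTERVAL = 1   # guide: captive.cyolo.io:80 is polled every second

class State(Enum):
    GRACE = "grace, TCP permitted"
    PORTAL = "captive portal assumed, TCP permitted"
    RESTRICTED = "TCP restricted"

def step(state, t, status):
    """State after the probe at second t; status is an HTTP code or None."""
    if state is State.RESTRICTED:
        return state                  # assumption: final until the next network change
    if status == 204:
        return State.RESTRICTED       # guide: a 204 restricts TCP again
    if status is not None:
        return State.PORTAL           # guide: anything else means a portal
    # Assumption: an unanswered probe is inconclusive, so grace just runs out.
    if state is State.GRACE and t >= GRACE_SECONDS:
        return State.RESTRICTED
    return state

def timeline(probes):
    """Return the [(second, State)] transitions for per-second probe results."""
    state, out = State.GRACE, [(0, State.GRACE)]
    for i, status in enumerate(probes):
        t = (i + 1) * POLL_INTERVAL
        new = step(state, t, status)
        if new is not state:
            out.append((t, new))
            state = new
    return out

def permitted_seconds(probes):
    """Seconds of unrestricted outbound TCP across the observed probes."""
    total, state = 0, State.GRACE
    for i, status in enumerate(probes):
        if state is not State.RESTRICTED:
            total += POLL_INTERVAL    # the interval that ends with this probe
        state = step(state, (i + 1) * POLL_INTERVAL, status)
    return total

# Constructed probe sequences, one result per second after the network change.
SAMPLES = {"open network": [204],
           "portal, login after 40 s": [302] * 40 + [204],
           "no answer at all": [None] * 20}

if __name__ == "__main__":
    for name, probes in SAMPLES.items():
        print(name, permitted_seconds(probes), timeline(probes))
```

The permitted_seconds value gives the window of unrestricted outbound TCP to expect in endpoint and network logs after each network change.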

Upon user login to the Cyolo tenant, Cyolo Connect pulls the profile configuration and applies
it to the device. Configuration updates occur every 5 minutes when the device is connected to the tenant. Login and resume also trigger a configuration pull.