By default, Phishing and Content Protection uses an on-device VPN to obtain domain information when a user or application tries to connect to a site. If the domain accessed is determined to be safe, then it will be allowed. If it is unsafe, the user will be blocked or warned from accessing the domain based on administrator policy. Flagged URLs are reported back to the MES Console so that the administrator has visibility into the detected threats. Only the domain information is used for classification and detection, actual URLs, and traffic data are not sent off of the device. This preserves the user's privacy while still informing you of how often your users encounter malicious sites and URLs.

PREREQUISITE: When deploying Phishing and Content Protection in the on-device VPN mode, ensure that TCP port 853 is open on your firewall to allow Lookout to classify URLs.

CONSIDERATIONS:

• In some cases, the Safe Browsing VPN can conflict with other VPNs on a device. If another VPN is still starting up, Lookout may not register its presence and may start its VPN instead. If a VPN is already active on the device, Lookout does not attempt to run the Safe Browsing VPN.

• On iOS devices, the PCP paused policy doesn't account for partial paused conditions where a per-app VPN is running or has run. iOS manages the VPN configurations but does not provide enough information for Lookout to determine if the third party VPN present is a per-app VPN or a full device VPN. In these cases Lookout will show PCP paused even when the Safe Browsing VPN has resumed running.