By default, Phishing and Content Protection uses an on-device VPN to obtain domain information when a user or application tries to connect to a site. If the domain accessed is determined to be safe, then it will be allowed. If it is unsafe, then the user will be blocked or warned from accessing the domaIn based on administrator policy. Only the domain information is used for classification and detection, actual URLs, and traffic data are not sent off of the device. This preserves the user's privacy while still informing you of how often your users encounter malicious sites and URLs.

In some cases, the Safe Browsing VPN can conflict with other VPNs on a device. If another VPN is still starting up, Lookout may not register its presence and may start its VPN instead. If a VPN is already active on the device, Lookout does not attempt to run the Safe Browsing VPN.

Prerequisite: When deploying Phishing and Content Protection in the on-device VPN mode, ensure that TCP port 853 is open on your firewall to allow Lookout to classify URLs.