Configure Tenant-Level Default TLS Intercept Settings
For enterprise Secure Internet Access subscriptions, administrators can use the Default TLS Action option to inspect or bypass TLS at the tenant level.
TLS interception is disabled by default to protect the privacy of the organization and its users. With interception disabled, administrators can still define web access policies that allow or block requests based on a website's domain. However, granular controls and scanning might not work when TLS inspection is disabled. To protect users from malicious traffic, Lookout recommends that administrators enable tenant-level TLS interception.
Enabling TLS interception at the tenant level might affect the user experience because the proxy will intercept all requests. As a result, some apps (those that use certificate pinning) and websites might not work through the proxy. Administrators can define TLS bypass policies for those specific apps and websites.
Notes
- DLP scan, malware scan, and phishing protection work only on intercepted traffic.
- Secure Cloud Access and Secure Private Access for onboarded applications will continue to work regardless of the TLS intercept settings.