Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices

Why does Microsoft Defender for Endpoint use a VPN and is my browsing activity being tracked? 

Microsoft Defender for Endpoint uses a virtual private network (VPN) to provide Web Protection capabilities that protect you against phishing or web-based attacks. This is a local (or self-looping) VPN, and unlike traditional VPNs, it can't direct or redirect traffic off the device.

How does Microsoft Defender for Endpoint detect malicious websites while respecting my privacy?

To detect malicious websites, Microsoft Defender for Endpoint uses on-device capabilities, and in some cases, remote services. Your personal information is not sent while using the remote service to detect malicious websites.

Whether a website is flagged as "malicious" or "potentially unsafe" is based on various indicators—including sensitive information requests (such as phishing sites asking for credentials), site reputation, or the presence of malicious scripts—and is not based on the type or category of the website.

Your organization can only see information about phishing or potentially unsafe connections. Your personal data and browsing activity are never seen by your organization or Microsoft.

Can my organization or Microsoft access my personal data or view my browsing activity? 

Neither Microsoft nor your organization can see data from apps installed on your device, browsing content, or stored browsing history. The only time your organization will see a website domain, URL, or your email address would be if you were to attempt to visit a site that has been flagged as malicious by Microsoft Defender for Endpoint for containing harmful programs that might steal your personal or financial information.  

What information will my organization be able to see?  

Your organization will be able to see the following information:

• Antivirus alerts (only on Android): Details about malicious apps found on your device.

• Web protection alerts: Details about malicious or unsafe websites blocked by Microsoft Defender for Endpoint on your device. Note that whether a website is flagged as "malicious" or "phish" is based on a few indicators—including sensitive information requests, site reputation, or the presence of malicious scripts—and is not based on the type or category of the website. 

• Device information: Device identifier, tenant identifier, logged-on user, and device details like OS version, model, and CPU info.

• Information about apps that are managed by your organization: For example, name, package and version information. Your organization can also choose to configure Defender for Endpoint to send information about all apps installed on the device. By default, this information is not sent to your organization.

• Wi-Fi network information: Details about the Wi-Fi access point name (SSID) and MAC address associated with your Wi-Fi network (and on Android only, any certificate information).

  Note: The organization will have access to this info only if you have given permission in the app. If you do not give permission, no information will be sent.

Your organization does not have access to the following information on your device: 

• Call history

• Web browsing history (except for unsafe websites blocked by Microsoft Defender for Endpoint) 

• Your location history

• Content of email and text messages

• Your contacts

• Your passwords

• Your calendar

• Your content stored on your device (e.g., photos, videos, data from other apps)

If you have further concerns, complaints, or questions about privacy, you can contact us by sending an email to mdatpmobile@microsoft.com.

Where can I get more information about privacy?

Here are a few additional resources for learning more about your privacy when using our products and services:

• Microsoft Privacy Statement

• Android privacy information

• iOS privacy information

See also

Microsoft security help and learning