# How Does Device Protection Work? Aikido Device Protection installs a lightweight Layer 4 proxy on each device. It only inspects supported package manager traffic. Everything else bypasses it. ### Decisions happen on the device All allow and block decisions happen locally. Aikido does not receive your traffic, browsing history, or downloaded files. The agent downloads only the data it needs to enforce policy: * **Allowlists and blocklists** * **Malware signatures** * **Policy rules and exceptions** After that sync, the device can enforce rules on its own. ### It only intercepts supported ecosystems The proxy is not a general web filter. It only intercepts [supported package ecosystems](/aikido-device-protection/endpoint-protection.md#supported-ecosystems). All other traffic passes through unchanged. Supported package managers use HTTPS. To inspect that traffic, the agent installs a local Certificate Authority on the device. That CA is generated and stored locally. It never leaves the device. It is only used for the ecosystems Aikido monitors. ### Aikido only sees install outcomes Package contents stay on the device. General browsing stays invisible to Aikido. Aikido only receives install outcomes, such as: * Allowed installs * Blocked installs * Flagged installs ### Sync and reporting frequency The agent stays in sync with Aikido on a predictable schedule: * **Heartbeat:** every 10 minutes * **SBOM:** generated and synced once a day * **Installs and blocks:** reported immediately The agent needs outbound internet access to reach Aikido. Allowlist `*.aikido.dev` over HTTPS on port 443. ### Limitations * **Aikido Device Protection is not a virus scanner.** It does not inspect files, processes, or your system for existing threats. Instead, it works by blocking malware before it can reach your device. This means that if malware is already present on a device, Aikido Device Protection will not detect or remove it, and the device should be considered compromised. * **Aikido Device Protection currently does not support Docker or Podman on macOS** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.aikido.dev/aikido-device-protection/miscellaneous-aikido-endpoint/how-does-endpoint-protection-work.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.