Set up your Lookout Mobile Threat Defense integration with Intune
The following steps are required to set up Lookout Mobile Threat Defense subscription:
An existing Lookout Mobile Endpoint Security tenant that is not already associated with your Azure AD tenant cannot be used for the integration with Azure AD and Intune. Contact Lookout support to create a new Lookout Mobile Endpoint Security tenant. Use the new tenant to onboard your Azure AD users.
Collect Azure AD information
Your Lookout Mobility Endpoint Security tenant will be associated with your Azure AD subscription to integrate Lookout with Intune. To enable your Lookout Mobile Threat Defense service subscription, Lookout support (firstname.lastname@example.org) needs the following information:
- Azure AD Tenant ID
- Azure AD Group Object ID for full Lookout console access
- Azure AD Group Object ID for restricted Lookout console access (optional)
Use the following steps to gather the information you need to give to the Lookout support team.
Sign in to the Azure portal and select your subscription.
When you choose the name of your subscription, the resulting URL includes the subscription ID. If you have any issues finding your subscription ID, see this Microsoft support article for tips on finding your subscription ID.
Find your Azure AD Group ID. The Lookout console supports 2 levels of access:
Full Access: The Azure AD admin can create a group for users that have Full Access and optionally create a group for users that will have Restricted Access. Only users in these groups will be able to login to the Lookout console.
Restricted Access: The users in this group will have no access to several configuration and enrollment-related modules of the Lookout console, and have read-only access to the Security Policy module of the Lookout console.
For more details on the permissions, read this article on the Lookout website.
The Group Object ID is on the Properties page of the group in the Azure AD management portal.
Once you have gathered this information, contact Lookout support (email: email@example.com). Lookout Support will work with your primary contact to onboard your subscription and create your Lookout Enterprise account, using the information that you collected.
Configure your subscription
After Lookout support creates your Lookout Enterprise account, an email from Lookout is sent to the primary contact for your company with a link to the login url:https://aad.lookout.com/les?action=consent.
The first login to the Lookout console must be by with a user account with the Azure AD role of Global Admin to register your Azure AD tenant. Later, sign in doesn't this level of Azure AD privilege. A consent page is displayed. Choose Accept to complete the registration. Once you have accepted and consented, you are redirected to the Lookout Console.
In the Lookout Console, from the System module, choose the Connectors tab, and select Intune.
Go Connectors > Connection Settings and specify the Heartbeat Frequency in minutes.
Configure enrollment groups
As a best practice, create an Azure AD security group in the Azure AD management portal containing a small number of users to test Lookout integration.
All the Lookout-supported, Intune-enrolled devices of users in an enrollment group in Azure AD that are identified and supported are enrolled and eligible for activation in Lookout MTD console.
In the Lookout Console, from the System module, choose the Connectors tab, and select Enrollment Management to define a set of users whose devices should be enrolled with Lookout. Add the Azure AD security group Display Name for enrollment.
The Display Name is case-sensitive as shown the in the Properties of the security group in the Azure portal. As shown in the image below, the Display Name of the security group is camel case while the title is all lower case. In the Lookout console match the Display Name case for the security group.
The best practice is to use the default (5 minutes) for the increment of time to check for new devices. Current limitations, Lookout cannot validate group display names: Ensure the DISPLAY NAME field in the Azure portal exactly matches the Azure AD security group. Creating nest groups is not supported: Azure AD security groups used in Lookout must contain users only. They cannot contain other groups.
Once a group is added, the next time a user opens the Lookout for Work app on their supported device, the device is activated in Lookout.
Once you are satisfied with your results, extend enrollment to additional user groups.
Configure state sync
In the State Sync option, specify the type of data that should be sent to Intune. Both device status and threat status are required for the Lookout Intune integration to work correctly. These settings are enabled by default.
Configure error report email recipient information
In the Error Management option, enter the email address that should receive the error reports.
Configure enrollment settings
In the System module, on the Connectors page, specify the number of days before a device is considered as disconnected. Disconnected devices are considered as noncompliant and will be blocked from accessing your company applications based on the Intune conditional access policies. You can specify values between 1 and 90 days.
Configure email notifications
If you want to receive email alerts for threats, sign in to the Lookout console with the user account that should receive notifications. On the Preferences tab of the System module, choose the threat levels that should notifications and set them to ON. Save your changes.
If you no longer want to receive email notifications, set the notifications to OFF and save your changes.
Configure threat classification
Lookout Mobile Threat Defense classifies mobile threats of various types. The Lookout threat classifications have default risk levels associated with them. These can be changed at any time to suit your company requirements.
Risk levels are an important aspect of Mobile Threat Defense because the Intune integration calculates device compliance according to these risk levels at runtime. The Intune administrator sets a rule in policy to identify a device as noncompliant if the device has an active threat with a minimum level of High, Medium, or Low. The threat classification policy in Lookout Mobile Threat Defense directly drives the device compliance calculation in Intune.
Once the setup is complete, Lookout Mobile Threat Defense starts to poll Azure AD for devices that correspond to the specified enrollment groups. You can find information about the devices enrolled on the Devices module. The initial status for devices is shown as pending. The device status changes once the Lookout for Work app is installed, opened, and activated on the device. For details on how to get the Lookout for Work app pushed to the device, see Add Lookout for work apps with Intune.