Set up your Lookout Mobile Threat Defense subscription

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

The following steps are required to set up Lookout Mobile Threat Defense:

#   Step
1   Collect Azure AD information
2   Configure your subscription
3   Configure enrollment groups
4   Configure state sync
5   Configure error report email recipient information
6   Configure enrollment settings
7   Configure email notifications
8   Configure threat classification
9   Watching enrollment

Important

An existing Lookout Mobile Endpoint Security tenant that is not already associated with your Azure AD tenant cannot be used for the integration with Azure AD and Intune. Contact Lookout support to create a new Lookout Mobile Endpoint Security tenant, and use the new tenant to onboard your Azure AD users.

Collect Azure AD information

Your Lookout Mobile Endpoint Security tenant is associated with your Azure AD tenant to integrate Lookout with Intune. To enable your Lookout Mobile Threat Defense service subscription, Lookout support (enterprisesupport@lookout.com) needs the following information:

  • Azure AD Tenant ID
  • Azure AD Group Object ID for full Lookout console access
  • Azure AD Group Object ID for restricted Lookout console access (optional)

Use the following steps to gather the information you need to give to the Lookout support team.

  1. Sign in to the Azure AD management portal and select your subscription.

    (Screenshot: the Azure AD page showing the name of the tenant)

  2. When you choose the name of your subscription, the resulting URL includes the directory ID; this GUID is the Azure AD Tenant ID that Lookout support needs. If you have any trouble locating it, see this Microsoft support article for tips on finding your subscription and directory IDs.
  3. Find your Azure AD Group Object ID. The Lookout console supports two levels of access:

    • Full Access: The Azure AD admin creates a group for users who will have Full Access and, optionally, a group for users who will have Restricted Access. Only users in these groups can log in to the Lookout console, so keep the Full Access group small and treat changes to its membership as privileged administration.
    • Restricted Access: Users in this group have no access to several configuration and enrollment related modules of the Lookout console, and have read-only access to the Security Policy module of the Lookout console.

    For more details on the permissions, read this article on the Lookout website.

    The Group Object ID is on the Properties page of the group in the Azure AD management console.

    (Screenshot: the group's Properties page with the Group ID field highlighted)

  4. Once you have gathered this information, contact Lookout support (email: enterprisesupport@lookout.com). Lookout support will work with your primary contact to onboard your subscription and create your Lookout Enterprise account, using the information you collected.

Configure your subscription

  1. After Lookout support creates your Lookout Enterprise account, Lookout sends an email to your company's primary contact with a link to the login URL: https://aad.lookout.com/les?action=consent.

  2. The first login to the Lookout console must be with a user account that holds the Azure AD Global Admin role, so that your Azure AD tenant can be registered. Later sign-ins don't require this level of Azure AD privilege. A consent page is displayed listing the permissions Lookout requests on your tenant; review them, then choose Accept to complete the registration.

    (Screenshot: the first-time login page of the Lookout console)

    Once you have accepted and consented, you are redirected to the Lookout console.

    See Troubleshooting Lookout integration for help with login problems.

  3. In the Lookout console, from the System module, choose the Connectors tab, and select Intune.

    (Screenshot: the Lookout console with the Connectors tab open and the Intune option highlighted)

  4. Go to Connectors > Connection Settings and specify the Heartbeat Frequency in minutes.

    (Screenshot: the Connection Settings tab showing the configured heartbeat frequency)

Configure enrollment groups

  1. As a best practice, create an Azure AD security group in the Azure AD management portal containing a small number of users to test the Lookout integration.

    Every Lookout-supported, Intune-enrolled device belonging to a user in an Azure AD enrollment group is enrolled in Lookout and becomes eligible for activation in Lookout device threat protection.

  2. In the Lookout console, from the System module, choose the Connectors tab, and select Enrollment Management to define the set of users whose devices should be enrolled with Lookout. Add the Display Name of the Azure AD security group to use for enrollment.

    (Screenshot: the Intune connector enrollment page)

    Important

    The Display Name is case sensitive, exactly as shown in the Properties of the security group in the Azure portal. In the image below, the Display Name of the security group is mixed case while the title is all lower case. In the Lookout console, match the case of the security group's Display Name.

    (Screenshot: the Azure portal, Azure Active Directory service, properties page)

    The best practice is to keep the default (5 minutes) for the interval at which Lookout checks for new devices.

    Current limitations:

    • Lookout cannot validate group display names. Make sure the DISPLAY NAME you enter exactly matches the display name of the Azure AD security group in the Azure portal; a mismatch produces no error, so check the name first if devices stay in the pending state.
    • Nested groups are not supported. Azure AD security groups used in Lookout must contain users only; they cannot contain other groups.
  3. Once a group is added, the next time a user opens the Lookout for Work app on their supported device, the device is activated in Lookout.

  4. Once you are satisfied with your results, extend enrollment to additional user groups.
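Because Lookout neither validates the display name nor supports nested groups, it pays to check the group yourself before typing its name into Enrollment Management or handing its object ID to Lookout support (the Group Object ID step above). The following is an added example, not Lookout's or Intune's code. It works on the shape of a Microsoft Graph response for GET /groups?$expand=members, where each member carries an "@odata.type" such as "#microsoft.graph.user" or "#microsoft.graph.group"; the SAMPLE_GROUPS payload, its member names and its object IDs are constructed for illustration, not captured from a real tenant.

```python
"""Check an Azure AD security group before giving its name to Lookout.

Added example for this page, not Lookout's or Intune's own code. It works on
the shape of a Microsoft Graph response for GET /groups?$expand=members, in
which every member carries an "@odata.type" such as "#microsoft.graph.user"
or "#microsoft.graph.group". The SAMPLE_GROUPS payload and its object IDs
are constructed for illustration, not captured from a real tenant.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_GROUPS: List[Dict] = [
    {
        "id": "2f1c0e8a-0d6e-4d2f-9b1b-2a4e7c9d1f10",   # constructed object ID
        "displayName": "Lookout Pilot Users",
        "members": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-1",
             "userPrincipalName": "alice@contoso.example"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-2",
             "userPrincipalName": "bob@contoso.example"},
        ],
    },
    {
        # Same name in a different case: Azure AD allows this, and Lookout
        # matches the display name case-sensitively.
        "id": "7a9d3b44-1c2e-4f5a-8e6d-0b1c2d3e4f55",   # constructed object ID
        "displayName": "lookout pilot users",
        "members": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-3",
             "userPrincipalName": "carol@contoso.example"},
            {"@odata.type": "#microsoft.graph.group", "id": "g-nested",
             "displayName": "Helpdesk"},
        ],
    },
]


@dataclass
class GroupCheck:
    """Object ID to hand to Lookout support, plus anything that would break enrollment."""
    object_id: Optional[str]
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.object_id is not None and not self.problems


def check_enrollment_group(groups: List[Dict], display_name: str) -> GroupCheck:
    """Resolve display_name exactly as Lookout would (case-sensitive) and apply
    the two documented limitations: no validation of the name on Lookout's side,
    and no nested groups."""
    exact = [g for g in groups if g["displayName"] == display_name]
    if not exact:
        problems = [f"no group named exactly {display_name!r}"]
        near = [g["displayName"] for g in groups
                if g["displayName"].casefold() == display_name.casefold()]
        if near:
            problems.append(f"only case differs from existing group(s): {near}")
        return GroupCheck(None, problems)
    if len(exact) > 1:
        return GroupCheck(None, [f"{len(exact)} groups share the display name "
                                 f"{display_name!r}; rename one before using it"])

    group = exact[0]
    problems: List[str] = []
    members = group.get("members", [])
    non_users = [m for m in members if m.get("@odata.type") != "#microsoft.graph.user"]
    if non_users:
        names = ", ".join(m.get("displayName") or m["id"] for m in non_users)
        problems.append(f"nested/non-user members are not supported: {names}")
    if not members:
        problems.append("group is empty; no devices would enroll")
    return GroupCheck(group["id"], problems)


if __name__ == "__main__":
    for name in ("Lookout Pilot Users", "lookout pilot users", "LOOKOUT PILOT USERS"):
        result = check_enrollment_group(SAMPLE_GROUPS, name)
        print(f"{name!r}: ok={result.ok} object_id={result.object_id} {result.problems}")
```

Run against a real tenant, the same function can be fed the JSON from a Graph call made with a read-only group permission; the point of the case-folded "near" match is to surface the exact failure mode the Important note describes, where the name you typed differs from the group only in case and Lookout silently enrolls nothing.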

Configure state sync

In the State Sync option, specify the type of data that should be sent to Intune. Both device status and threat status are required for the Lookout Intune integration to work correctly; both are enabled by default, so leave them on.

Configure error report email recipient information

In the Error Management option, enter the email address that should receive the error reports.

(Screenshot: the Intune connector Error Management page)

Configure enrollment settings

In the System module, on the Connectors page, specify the number of days before a device is considered disconnected. Disconnected devices are treated as non-compliant and are blocked from accessing your company applications according to your Intune conditional access policies. You can specify a value between 1 and 90 days.

Configure email notifications

If you want to receive email alerts for threats, sign in to the Lookout console with the user account that should receive the notifications. On the Preferences tab of the System module, choose the threat levels that should generate notifications and set them to ON. Save your changes.

(Screenshot: the Preferences page with the user account displayed)

If you no longer want to receive email notifications, set the notifications to OFF and save your changes.

Configure threat classification

Lookout Mobile Threat Defense classifies mobile threats of various types. Each Lookout threat classification has a default risk level associated with it. These can be changed at any time to suit your company's requirements.

(Screenshot: the Policy page showing threats and classifications)

Important

Risk levels are an important aspect of Mobile Threat Defense because the Intune integration calculates device compliance according to these risk levels at runtime. The Intune administrator sets a rule in policy that identifies a device as non-compliant if the device has an active threat at a minimum level of High, Medium, or Low. The threat classification policy in Lookout Mobile Threat Defense therefore directly drives the device compliance calculation in Intune: lowering a classification's risk level in Lookout can make a device carrying that threat compliant again without any change on the Intune side, so restrict who can edit the classification policy.
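To see how the two knobs described above interact, the Lookout risk level per classification (this section) and the disconnect window from Configure enrollment settings, here is an added example that models Intune's compliance decision; it is not Intune's or Lookout's own code. It assumes Lookout's state sync reports, per device, the active threats by classification and the time of the last check-in; the classification names, their default risk levels, the device names and the fixed clock are constructed for illustration, and unmapped classifications are deliberately treated as non-compliant (fail closed), which is this example's choice rather than documented behaviour.

```python
"""Reproduce the compliance outcome Intune derives from Lookout's risk levels.

Added example for this page, not Intune's or Lookout's own code. It models the
rule described above: a device is non-compliant when any active threat is
classified at or above the administrator's minimum level, or when Lookout
has not heard from the device within the configured disconnect window
(1 to 90 days). The classification names, their default risk levels and the
sample devices are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Ordering used by the Intune "minimum threat level" rule.
RISK_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# Assumed default risk level per classification; in the Lookout console these
# defaults are editable, and editing them changes compliance in Intune.
DEFAULT_CLASSIFICATION_RISK: Dict[str, str] = {
    "Trojan": "High",
    "Root/Jailbreak": "High",
    "Riskware": "Medium",
    "Adware": "Low",
}

NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for determinism

# Constructed device state, in the shape Lookout's state sync would report.
SAMPLE_DEVICES = {
    "pixel-alice": {"active_threats": ["Adware"], "last_seen": NOW - timedelta(days=1)},
    "iphone-bob": {"active_threats": [], "last_seen": NOW - timedelta(days=10)},
    "galaxy-carol": {"active_threats": ["Trojan", "Adware"], "last_seen": NOW - timedelta(hours=2)},
}


def evaluate(device: Dict, min_level: str, classification_risk: Dict[str, str],
             disconnect_days: int, now: datetime = NOW) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). Fails closed on an unmapped classification
    (an assumption of this example, not documented Intune behaviour)."""
    if min_level not in RISK_ORDER:
        raise ValueError(f"minimum level must be one of {list(RISK_ORDER)}")
    if not 1 <= disconnect_days <= 90:
        raise ValueError("disconnect window must be between 1 and 90 days")

    reasons: List[str] = []
    for classification in device["active_threats"]:
        level = classification_risk.get(classification)
        if level is None:
            reasons.append(f"{classification}: no risk level mapped, treated as non-compliant")
        elif RISK_ORDER[level] >= RISK_ORDER[min_level]:
            reasons.append(f"{classification}: rated {level}, rule is {min_level} or above")

    silent_for = now - device["last_seen"]
    if silent_for > timedelta(days=disconnect_days):
        reasons.append(f"no check-in for {silent_for.days} days, limit is {disconnect_days}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Raising Adware from Low to Medium in Lookout flips pixel-alice to
    # non-compliant under an unchanged Intune rule of "Medium or above".
    raised = dict(DEFAULT_CLASSIFICATION_RISK, Adware="Medium")
    for name, device in SAMPLE_DEVICES.items():
        for label, mapping in (("default", DEFAULT_CLASSIFICATION_RISK), ("Adware=Medium", raised)):
            ok, why = evaluate(device, "Medium", mapping, disconnect_days=7)
            print(f"{name:13} [{label:13}] compliant={ok} {why}")
```

The run shows the dependency the Important note warns about: the Intune rule never changes, yet pixel-alice moves between compliant and non-compliant purely because the Lookout classification policy was edited, and iphone-bob is blocked by the disconnect window even with no threat at all.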

Watching enrollment

Once the setup is complete, Lookout Mobile Threat Defense starts to poll Azure AD for devices that correspond to the specified enrollment groups. You can find information about the enrolled devices in the Devices module. The initial status for devices is shown as pending. The device status changes once the Lookout for Work app is installed, opened, and activated on the device. For details on how to get the Lookout for Work app pushed to the device, see the Configure and deploy Lookout for Work apps topic.

Next steps

Enable the Lookout MTP connection in Intune