Set up your Lookout Mobile Threat Defense integration with Intune

The following steps are required to set up a Lookout Mobile Threat Defense subscription:

  1. Collect Azure AD information
  2. Configure your subscription
  3. Configure enrollment groups
  4. Configure state sync
  5. Configure error report email recipient information
  6. Configure enrollment settings
  7. Configure email notifications
  8. Configure threat classification
  9. Watch enrollment

Important

An existing Lookout Mobile Endpoint Security tenant that is not already associated with your Azure AD tenant cannot be used for the integration with Azure AD and Intune. Contact Lookout support to create a new Lookout Mobile Endpoint Security tenant. Use the new tenant to onboard your Azure AD users.

Collect Azure AD information

Your Lookout Mobility Endpoint Security tenant will be associated with your Azure AD subscription to integrate Lookout with Intune. To enable your Lookout Mobile Threat Defense service subscription, Lookout support (enterprisesupport@lookout.com) needs the following information:

  • Azure AD Tenant ID
  • Azure AD Group Object ID for full Lookout console access
  • Azure AD Group Object ID for restricted Lookout console access (optional)

Use the following steps to gather the information you need to give to the Lookout support team.

  1. Sign in to the Azure portal and select your subscription.

  2. When you choose the name of your subscription, the resulting URL includes the subscription ID. If you have any issues finding your subscription ID, see the Microsoft support article with tips on finding your subscription ID.

  3. Find your Azure AD Group ID. The Lookout console supports 2 levels of access:

    • Full Access: The Azure AD admin can create a group for users that will have Full Access and optionally create a group for users that will have Restricted Access. Only users in these groups are able to log in to the Lookout console.
    • Restricted Access: Users in this group have no access to several configuration and enrollment related modules of the Lookout console, and have read-only access to the Security Policy module of the Lookout console.

      Tip

      For more details on the permissions, read the relevant article on the Lookout website.

      Note

      The Group Object ID is on the Properties page of the group in the Azure AD management portal.

  4. Once you have gathered this information, contact Lookout support (email: enterprisesupport@lookout.com). Lookout Support will work with your primary contact to onboard your subscription and create your Lookout Enterprise account, using the information that you collected.

Configure your subscription

  1. After Lookout support creates your Lookout Enterprise account, an email from Lookout is sent to the primary contact for your company with a link to the login URL: https://aad.lookout.com/les?action=consent.

  2. The first login to the Lookout console must be with a user account that has the Azure AD Global Admin role, so that your Azure AD tenant can be registered. Later sign-ins don't require this level of Azure AD privilege. A consent page is displayed. Choose Accept to complete the registration. Once you have accepted and consented, you are redirected to the Lookout Console.

    Screenshot of the Lookout console first-time login page

    [NOTE] See troubleshooting Lookout integration for help with login problems.

  3. In the Lookout Console, from the System module, choose the Connectors tab, and select Intune.

    Screenshot of the Lookout console with the Connectors tab open and the Intune option highlighted

  4. Go to Connectors > Connection Settings and specify the Heartbeat Frequency in minutes.

    Screenshot of the Connection Settings tab showing the Heartbeat Frequency configured

Configure enrollment groups

  1. As a best practice, create an Azure AD security group in the Azure AD management portal containing a small number of users to test the Lookout integration.

    [NOTE] All Lookout-supported, Intune-enrolled devices of the users identified in an Azure AD enrollment group are enrolled and eligible for activation in the Lookout MTD console.

  2. In the Lookout Console, from the System module, choose the Connectors tab, and select Enrollment Management to define a set of users whose devices should be enrolled with Lookout. Add the Azure AD security group Display Name for enrollment.

    Screenshot of the Intune connector enrollment page

    Important

    The Display Name is case sensitive, as shown in the Properties of the security group in the Azure portal. As shown in the image below, the Display Name of the security group is camel case while the title is all lower case. In the Lookout console, match the Display Name case of the security group.

    Screenshot of the Azure portal, Azure Active Directory service, properties page

    Note

    The best practice is to use the default (5 minutes) for the interval at which Lookout checks for new devices. Current limitations: Lookout cannot validate group display names, so ensure the DISPLAY NAME field in the Azure portal exactly matches the Azure AD security group. Nested groups are not supported: Azure AD security groups used in Lookout must contain users only. They cannot contain other groups.

  3. Once a group is added, the next time a user opens the Lookout for Work app on their supported device, the device is activated in Lookout.

  4. Once you are satisfied with your results, extend enrollment to additional user groups.

Configure state sync

In the State Sync option, specify the type of data that should be sent to Intune. Both device status and threat status are required for the Lookout Intune integration to work correctly. These settings are enabled by default.

Configure error report email recipient information

In the Error Management option, enter the email address that should receive the error reports.

Screenshot of the Error Management page of the Intune connector

Configure enrollment settings

In the System module, on the Connectors page, specify the number of days after which a device is considered disconnected. Disconnected devices are considered non-compliant and will be blocked from accessing your company applications, based on the Intune conditional access policies. You can specify values between 1 and 90 days.

Screenshot of the Lookout enrollment settings

Configure email notifications

If you want to receive email alerts for threats, sign in to the Lookout console with the user account that should receive notifications. On the Preferences tab of the System module, choose the threat levels that should trigger notifications and set them to ON. Save your changes.

Screenshot of the Preferences page with the user account displayed

If you no longer want to receive email notifications, set the notifications to OFF and save your changes.

Configure threat classification

Lookout Mobile Threat Defense classifies mobile threats of various types. The Lookout threat classifications have default risk levels associated with them. These can be changed at any time to suit your company requirements.

Screenshot of the Policy page showing threats and classifications

Important

Risk levels are an important aspect of Mobile Threat Defense because the Intune integration calculates device compliance according to these risk levels at runtime. The Intune administrator sets a rule in policy to identify a device as non-compliant if the device has an active threat with a minimum level of High, Medium, or Low. The threat classification policy in Lookout Mobile Threat Defense directly drives the device compliance calculation in Intune.
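The following is an added illustrative model, not Lookout's or Intune's own code, of how the two settings described above combine: the disconnected-days value from the enrollment settings (1 to 90 days) and the threat classification policy evaluated against the Intune administrator's minimum-level rule. The threat types, risk assignments, device records and function names are all constructed assumptions for the example.

```python
"""Added example: model of Lookout/Intune compliance decisions.

Not Lookout's or Intune's implementation; threat types, classifications and
sample devices below are constructed for illustration only.
"""
from dataclasses import dataclass

# Risk levels in ascending severity. "NONE" means the threat is ignored.
RISK_ORDER = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Hypothetical threat classification policy (threat type -> risk level).
# As the page notes, an admin can change these to suit the company.
DEFAULT_CLASSIFICATION = {
    "malware": "HIGH",
    "root_jailbreak": "HIGH",
    "sideloaded_app": "MEDIUM",
    "out_of_date_os": "LOW",
}


@dataclass
class Device:
    name: str
    active_threats: list        # threat types currently active on the device
    days_since_last_sync: int   # days since Lookout last heard from it


def highest_risk(threats, classification):
    """Return the highest risk level among a device's active threats."""
    levels = [classification.get(t, "NONE") for t in threats]
    return max(levels, key=RISK_ORDER.__getitem__, default="NONE")


def is_compliant(device, classification, min_level="MEDIUM", disconnect_days=30):
    """Return (compliant, reason) applying the two rules from the page.

    1. A device not seen for more than `disconnect_days` is disconnected and
       therefore non-compliant (the setting must be between 1 and 90 days).
    2. A device with an active threat at or above `min_level` (the Intune
       minimum-level rule) is non-compliant; the classification policy
       decides which level each threat maps to.
    """
    if not 1 <= disconnect_days <= 90:
        raise ValueError("disconnected-days must be between 1 and 90")
    if device.days_since_last_sync > disconnect_days:
        return False, "disconnected"
    level = highest_risk(device.active_threats, classification)
    if RISK_ORDER[level] >= RISK_ORDER[min_level]:
        return False, f"active {level} threat"
    return True, "ok"
```

Reclassifying a threat type to a lower level (for example, `sideloaded_app` from MEDIUM to LOW) changes the outcome under the same Intune rule, which is the dependency the Important note describes.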

Watching enrollment

Once the setup is complete, Lookout Mobile Threat Defense starts to poll Azure AD for devices that correspond to the specified enrollment groups. You can find information about the enrolled devices in the Devices module. The initial status for devices is shown as pending. The device status changes once the Lookout for Work app is installed, opened, and activated on the device. For details on how to get the Lookout for Work app pushed to the device, see the Add Lookout for Work apps with Intune topic.

Next steps

Set up Lookout apps