Configure Lookout & Microsoft Intune
Lookout’s mobile app, Lookout for Work, is installed and run on mobile devices.
This app captures file system, network stack, and device and application telemetry where available, then sends it to the Lookout cloud service to assess the device’s risk for mobile threats. You can change risk level classifications for threats in the Lookout console to suit your requirements.
How to configure Lookout and Intune
First things first: the Microsoft Intune tenant needs the integration between Microsoft Intune and Lookout to work. When you look in the Intune portal, you see the Third Party Service Integration settings with Lookout Status.
Create the following groups, either in your local Active Directory or directly in Azure AD:
| Group | Description |
|---|---|
| Lookout Administrators | All Administrators for the Lookout Service |
| Lookout Restricted Administrators | Restricted Admin access to the Lookout service |
| Lookout Users | All users that need Lookout for Work (enrollment group) |
When using Lookout Administrators and Lookout Restricted Administrators, you need to pass the Azure AD group’s object ID to the Lookout support desk so it can be configured.
After the groups’ configuration is done, you need to add your tenant Global Admin to the Lookout Administrators group to configure the connection between Lookout MTP and Microsoft Intune.
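One way to script the group setup described above with the Microsoft Graph PowerShell SDK (an added example, not part of the original post). It assumes the Microsoft.Graph module is installed and that the groups are created directly in Azure AD as security groups; it prints each group's object ID and stops if a display name is not unique, because the enrollment group is later entered by display name.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module.
# Assumption: groups are created in Azure AD as non-mail-enabled security groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Group names and descriptions exactly as listed in the table above.
$groups = [ordered]@{
    'Lookout Administrators'            = 'All Administrators for the Lookout Service'
    'Lookout Restricted Administrators' = 'Restricted Admin access to the Lookout service'
    'Lookout Users'                     = 'All users that need Lookout for Work (enrollment group)'
}

$result = foreach ($name in $groups.Keys) {
    # Azure AD does not enforce unique display names, so check for existing matches first.
    $found = @(Get-MgGroup -Filter "displayName eq '$name'" -All)

    if ($found.Count -gt 1) {
        # A duplicated display name makes the enrollment group reference ambiguous.
        throw "More than one group is named '$name'; resolve the duplicate before continuing."
    }

    if ($found.Count -eq 0) {
        # Create the group only when it does not exist yet (safe to re-run).
        $found = @(New-MgGroup -DisplayName $name `
                -Description $groups[$name] `
                -MailEnabled:$false `
                -MailNickname ($name -replace '\s', '') `
                -SecurityEnabled)
    }

    # Keep the display name and object ID together for the hand-off to Lookout support.
    [pscustomobject]@{ DisplayName = $found[0].DisplayName; ObjectId = $found[0].Id }
}

$result | Format-Table -AutoSize
```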
The next step is to accept the consent that allows Lookout MTP to access Microsoft Intune. Lookout MTP needs to have access to the following:
- Send device threat information to Microsoft Intune.
- Read directory data from Azure AD.
- Access your organization’s directory.
Log in with the Azure AD Global Admin to https://aad.lookout.com/les?action=consent and accept the consent.
After the consent has been accepted, the connector can be set up in the console of Lookout MTP.
Log in to the Lookout MTP console via http://aad.lookout.com and go to:
- System > Connectors > Add Connector > choose Intune
After selecting Intune, the connector needs to be created. This can be done by clicking on Create Connector as shown in the figure below.
Users and their devices are discovered based on enrollment groups. This can be one or more Azure AD groups.
Once the connector has been created, click Enrollment Management, add the Azure AD group’s display name, and save changes.
Next, we need to enable the connection in the Microsoft Intune console. In the Microsoft Intune console, browse to Admin > Third-Party Service Integration > Lookout Status.
Enable the Connect with Lookout MTP switch and watch the status change from Provisioned to Active.
More information about integration in the next posts.