Lookout Product Documentation

Deploying to Android Enterprise Devices Using Dual Enrollment

Platform Requirements

iOS: Unsupported

Android:
  • Android Enterprise devices in Work Profile mode.
  • Lookout for Work 6.8 or higher.
  • Requires a new activation of Lookout for Work on the device, so any users who have already activated using another deployment method must re-activate.

How it Works

  1. Lookout collects device information from UEM.
  2. Lookout creates a "Pending" device entry in the Lookout MES Console for the work profile on the device and for the parent device entry.
  3. Lookout communicates the "Pending" state to UEM, which moves the device to the Lookout MES - Pending User Group.
  4. UEM pushes Lookout for Work, App Configuration, and optionally app permission configuration to the work profile of the device.
  5. The user activates Lookout for Work on the work profile, and the app prompts them to enroll in Lookout for Work on the personal profile using a provided enrollment code.
  6. Lookout for Work communicates the "Activated" status of the work profile.
  7. Lookout for Work communicates the "Activated" status of the personal profile upon activation, associating it with the parent device entry created in Step 2.
  8. With both profiles active, the device is no longer considered Pending, and moves to a Secured state if no threats are present.

    The Lookout MES Console displays the security status of the consolidated parent device (work profile plus personal profile) on the Devices page, and lists the status of each child profile on the device details page. Lookout unifies the threat reporting from both instances of Lookout for Work to determine the security status and activation status of a device when communicating with your MDM. "Secured" means the device has no threats present on either the personal or work profile.

    • The Security Status is always the highest level threat present in either profile, even if one profile is still pending. The status is "Secured" only when both profiles are activated and no threats are present.
    • The Activation Status is "Pending" if either profile is pending activation. It is "Activated" if both profiles are active, and "Deactivated" if the device is Deactivated in the Lookout MES Console.

    This means that a device is only considered "Secured" if both the work and personal profiles are activated and secure.
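The rollup rules above, modeled as an added Python example (not Lookout's code or API). The `low`/`medium`/`high` threat levels, and the status reported when no threats are present but the device is not fully activated, are assumptions; the page does not specify them.

```python
from dataclasses import dataclass

# Assumed severity ordering; the page only says "highest level threat".
SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Profile:
    """One child profile (work or personal) running Lookout for Work."""
    activated: bool
    threats: tuple = ()  # severities of open threats, e.g. ("low", "high")


def rollup(work: Profile, personal: Profile, deactivated: bool = False) -> dict:
    """Consolidate both child profiles into the parent device status."""
    # Activation Status: Pending if either profile is pending,
    # Activated only if both are active, Deactivated if set in the console.
    if deactivated:
        activation = "Deactivated"
    elif work.activated and personal.activated:
        activation = "Activated"
    else:
        activation = "Pending"

    # Security Status: the highest threat in either profile wins,
    # even while the other profile is still pending.
    threats = list(work.threats) + list(personal.threats)
    if threats:
        security = max(threats, key=SEVERITY.__getitem__)
    elif activation == "Activated":
        security = "Secured"  # both profiles active and no threats
    else:
        # Assumption: with no threats, the device shows its activation state.
        security = activation
    return {"activation": activation, "security": security}


if __name__ == "__main__":
    # Constructed sample devices, not real console data.
    samples = {
        "both active, clean": (Profile(True), Profile(True)),
        "personal pending, clean": (Profile(True), Profile(False)),
        "personal pending, work threat": (Profile(True, ("medium",)), Profile(False)),
        "both active, mixed threats": (Profile(True, ("low",)), Profile(True, ("high",))),
    }
    for name, (work, personal) in samples.items():
        print(f"{name}: {rollup(work, personal)}")
```

The third sample is the case to watch when writing UEM compliance rules: a device can report a threat level while its Activation Status is still "Pending".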

    Dual Enrollment deployments support a mixed fleet of Android Enterprise and other devices. When configuring App Config settings for a user group as documented in Adding the Android Lookout for Work App, pushing an App Config profile with "Dual Enrollment = false" causes affected devices to show in the Lookout MES Console as Work Profile only, and they are treated as single profile devices.

    Because MDMs cannot pre-grant permissions on a personal profile, it is not possible to activate Lookout for Work in Dual Enrollment mode without end user interaction, so you cannot use Zero Click Activation for these devices.