
Mobile Endpoint Security

Lookout Product Documentation


Configuring the UEM Connector in the Lookout MES Console

  1. Log in to the Lookout MES Console at https://app.lookout.com.
  2. In the left sidebar, click Integrations.
  3. Under Choose a product to set up, click the BlackBerry tile.
    The BlackBerry UEM connector page opens.
  4. Under Connector Settings, enter the following:
    Label for this MDM connection

    (Optional) A user-friendly name for the connector.

    If you have multiple connectors configured, this label displays in the MDM column of the Lookout MES Console Devices list so that you can determine which connector and MDM instance a device belongs to.

    Server address

    The public, fully qualified domain name of your BlackBerry UEM server.

    This must be a public URL in order for the Lookout MES Console to successfully communicate with your UEM server.

    Username

    The API User username and password from Creating an API User.

    SRP ID

    The SRP ID from Retrieving the BlackBerry SRP ID.

    BlackBerry UEM API port

    By default, the SOAP API port is 18084. Ensure the port is not blocked by your firewall.

    For additional information, see BlackBerry UEM listening ports in the BlackBerry documentation.

  5. (Mandatory if BB Web Services is configured.) To route Lookout traffic through a proxy, enter the proxy address and credentials in the Proxy Settings fields.
  6. Click Create Integration in the top right corner.

    If creation is successful, a banner notification appears and additional sections become enabled. If you get a certificate error, click Certificate Details. Otherwise continue with Step 7.

    1. Look for errors on the certificate details screen.
      Typical errors include expired or broken certificates as shown here:
      Error: Expired certificate. The certificate expiration date is in the past.
      How to fix the error: Replace the MDM certificate with a new certificate.

      Error: Broken certificate. One or more intermediate certificates do not validate correctly.
      How to fix the error: Replace the MDM certificate with a valid certificate.
    2. Retry entering all required information into the Integration connector.
  7. Scroll down to Enrollment Management and enter the following:
    Automatically drive Lookout for Work enrollment on Blackberry UEM managed devices

    ON

    Use the following group to identify devices that should have the Lookout for Work app activated

    Select your enrollment User Group from Creating User Groups for Enrollment and Device State Sync. This should be Lookout for Work.

    How often should Lookout check for new devices?

    Lookout recommends using the default 5 minute interval.

    Automatically send activation emails to Blackberry UEM managed devices

    Toggle this ON if you are using MAM enrollment, otherwise leave it OFF.

    This toggle is unavailable if Privacy Controls are enabled for your tenant. If you are using MAM enrollment and do not see this toggle, contact Lookout Enterprise Support to disable the additional privacy controls. Lookout requires the device email information to send enrollment requests to MAM users.

    Delete device on unenrollment

    ON

  8. Scroll down to State Sync and enable Synchronize device status to Blackberry UEM.
  9. Select the user groups you created in Creating User Groups for Enrollment and Device State Sync.

    If you choose not to synchronize a specific state to BES UEM, leave the corresponding toggle off.

    1. Device Status:
      Devices that have not activated Lookout yet: Lookout MES - Pending
      Devices with Lookout activated: Lookout MES - Activated
      Devices with Lookout deactivated: Lookout MES - Deactivated
    2. Connection Status:
      Devices that are unreachable by Lookout: Lookout MES - Unreachable
      Devices that have lost connectivity with Lookout: Lookout MES - Disconnected
    3. Risk Status:
      Devices with any issues present: Lookout MES - Threats Present
      Devices with low risk issues present: Lookout MES - Low Risk
      Devices with medium risk issues present: Lookout MES - Moderate Risk
      Devices with high risk issues present: Lookout MES - High Risk
      Devices with no issues present: Lookout MES - Secured
  10. If you have purchased the feature to add specific Risk Classifications to synchronize with your MDM, a Risk Classification section is visible in the Lookout connector and you can add them using this procedure.
    Otherwise, continue on to step 11.
    1. In your MDM, follow the steps in Creating User Groups for Device State Sync and Enrollment to define an additional unique group name for each risk classification you want to synchronize with your MDM.
      Here are some examples:
      Example Risk Classification: Phishing and Content Protection Disabled
      Example Group: Lookout MES - PCP Disabled
      Example Description: Devices with PCP disabled

      Example Risk Classification: VPN Permission Not Accepted
      Example Group: Lookout MES - VPN Prohibited
      Example Description: Devices with VPN Permission not accepted
    2. In the Lookout connector Risk Classification section (visible only if you purchased this feature), follow these substeps:
      1. Click Add Risk Classification.
      2. Set to Enable.
      3. Choose the desired risk classification from the dropdown to synchronize with your MDM.

        Risk classification synchronization occurs only if a state sync event occurs.

      4. Choose the group name for the selected risk classification from the dropdown to synchronize with your MDM.

        If you choose not to synchronize a specific state to your MDM, leave the corresponding toggle off.

      5. Repeat substeps 1 - 4 for each additional risk classification you want to synchronize with your MDM.

        Each risk classification you add here must have a corresponding unique group name defined in your MDM.

  11. If you are using MAM enrollment, configure Application Blocking:

    Configure this section based on the needs of your organization. Lookout recommends the following settings:

    Block all Dynamics applications on devices... (Recommended Setting)

    … in a pending state: ON so that pending users activate Lookout for Work.
    … in a deactivated state: ON so users do not deactivate Lookout for Work.
    … in a disconnected state: OFF so users aren't blocked from Dynamics apps when they don't have connectivity to Lookout.
    … with low risk issues present: OFF so users aren't blocked from Dynamics apps for low risk issues.
    … with medium risk issues present: ON
    … with high risk issues present: ON
  12. Scroll down to Error Management and enter an email address for error reporting.
  13. (Optional) Scroll down to Group Management and enter a Lookout MES Console Device Group for new devices from this connector.

    By default, new devices are added to the Default Group in the Lookout MES Console. For more information about Device Groups, see the Lookout MES Console Administrator's Guide.

  14. Scroll up and click Save Changes in the top right corner.

    You can review connector settings from the Integrations module at any time.

  15. If you are running multiple BlackBerry UEM tenants, repeat these steps to create one connector per tenant.
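
A pre-flight check for the Server address, API port and certificate requirements in steps 4 and 6, as an added example that is not part of the Lookout or BlackBerry documentation. It assumes it is run from a host outside your network; the host name uem.example.com is a placeholder, and the mapping of OpenSSL verify codes to the two certificate errors listed in step 6 is this example's own interpretation.

```python
import ipaddress
import socket
import ssl

UEM_API_PORT = 18084  # default SOAP API port named in step 4

# OpenSSL verify codes mapped (as an assumption) to the two errors in step 6.
CERT_ERRORS = {
    10: "expired certificate",       # certificate has expired
    2: "broken certificate chain",   # unable to get issuer certificate
    20: "broken certificate chain",  # unable to get local issuer certificate
    21: "broken certificate chain",  # unable to verify the first certificate
}

def classify_cert_error(verify_code):
    """Translate an OpenSSL verify code into the page's error categories."""
    return CERT_ERRORS.get(verify_code, f"other certificate error ({verify_code})")

def non_public_addresses(host):
    """Return every address the name resolves to that is not globally routable."""
    infos = socket.getaddrinfo(host, UEM_API_PORT, proto=socket.IPPROTO_TCP)
    addrs = {info[4][0] for info in infos}
    return sorted(a for a in addrs if not ipaddress.ip_address(a).is_global)

def preflight(host, port=UEM_API_PORT, timeout=5.0):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    try:
        private = non_public_addresses(host)
    except socket.gaierror as exc:
        return [f"{host} does not resolve: {exc}"]
    if private:
        findings.append(f"{host} resolves to non-public address(es): {private}")
    context = ssl.create_default_context()  # verifies chain, expiry and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                pass  # handshake succeeded, so the certificate validated
    except ssl.SSLCertVerificationError as exc:
        findings.append(classify_cert_error(exc.verify_code))
    except OSError as exc:  # refused, timed out or filtered by a firewall
        findings.append(f"cannot reach {host}:{port}: {exc}")
    return findings

if __name__ == "__main__":
    # Placeholder host; substitute the value you enter as Server address.
    print(preflight("uem.example.com") or "all checks passed")
```

An empty result means the name resolves only to public addresses, the port accepts connections, and the certificate chain validates against the local trust store, which may differ from the trust store the Lookout MES Console uses.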