Setting up your MaaS360 Connector in the Lookout Mobile Endpoint Security Console

Once you have configured MaaS360, you can set up a connector in the Lookout MES Console.

Log in to the Lookout MES Console at https://app.lookout.com.
In the left sidebar, click Integrations.
Under Choose a product to set up, click the IBM MaaS360 tile.

The MaaS360 connector page opens.

Under Connector Settings, enter the following:


Field	Value
Label for this MDM Connection	(Optional) A user friendly name for the connector.
MaaS360 URL	The API Root URL for your MaaS360 server. This varies by the MaaS360 instance on which your account exists, for example: M1: https://services.fiberlink.com/ M2: https://services.m2.maas360.com/ M3: https://services.m3.maas360.com/ ... M6: https://services.m6.maas360.com/ Your administrator should have an email from IBM with this information.
Username	Enter the MaaS360 Username and Password from Creating an API User.
Admin Password
Access Key	Your administrator should have an email from IBM with this information. If you still do not know your MaaS360 API Key or Application ID, refer to the IBM developerworks wiki.
App ID
Billing ID	Your corporate identifier, for example, `30048295` which must be 8 digits. In MaaS360, navigate to SETUP > Deployment Settings: Your Corporate Identifier is listed at the top of the page.

(Optional) To route Lookout traffic through a proxy, enter the proxy address and credentials in the Proxy Settings fields.

Click Create Integration in the top right corner.

If creation is successful, a banner notification appears and additional sections become enabled.

If you get a certificate error, click Certificate Details. Otherwise continue with Step 7.

Look for errors on the certificate details screen.

Typical errors include expired or broken certificates as shown here:


Error	How to Fix the Error
Expired certificate The certificate expiration date is in the past.	Replace the MDM certificate with a new certificate.
Broken certificate. One or more intermediate certificates do not validate correctly.	Replace the MDM certificate with a valid certificate.

Retry entering all required information into the Integration connector.

Scroll down to Enrollment Management and enter the following:


Field	Value
Automatically drive Lookout for Work enrollment on MaaS360 managed devices	ON
Use the following label to identify devices that should have the Lookout for Work app activated	Your enrollment group in MaaS360. This should be the `Lookout for Work` device group.
How often should Lookout check for new devices?	Lookout recommends using the default 5 minute intervals.
Automatically send activation emails to MaaS360 managed devices	OFF For an MDM integration, you should drive enrollment through your MDM, not via Lookout MES Console invitation emails.
Delete device on unenrollment	(Non configurable) ON

Scroll down to State Sync and enter the custom attributes you created in MaaS360 for the following:


Field	Value
Custom attribute used to convey device activation state	`lookout_activation_state`
Custom attribute set when a device is unreachable by Lookout	`lookout_unreachable`
Custom attribute set when a device is disconnected	`lookout_disconnected`
Custom attribute with issue state level, if any	`lookout_threat_level`
Custom attribute used to set device state	`lookout_device_state`

If you choose not to synchronize a specific state to MaaS360, leave the corresponding toggle off.

If you have purchased the feature to add specific Risk Classifications to synchronize with your MDM you can add them using this procedure.

Otherwise continue on to step 10.

If you purchased the feature to add Risk Classifications to synchronize with your MDM, a Risk Classification section is visible in the Lookout connector.

In your MDM, follow the steps in Creating Custom Attributes for Device State Sync to define an additional unique custom attribute for each risk classification you want to synchronize with your MDM.

Here are some examples:


Example Risk Classification	Example Custom Attribute	Example Description
Phishing and Content Protection Disabled	Lookout MES - PCP Disabled	Devices with PCP disabled
VPN Permission Not Accepted	Lookout MES - VPN Prohibited	Devices with VPN Permission not accepted

In the Lookout connector Risk Classification section (visible only if you purchased this feature), follow these substeps:
1. Click Add Risk Classification.
2. Set to Enable.
3. Choose the desired risk classification from the dropdown to synchronize with your MDM.
  Risk classification synchronization occurs only if a state sync event occurs.
4. Choose the custom attribute for the selected risk classification from the dropdown to synchronize with your MDM.
  If you choose not to synchronize a specific state to your MDM, leave the corresponding toggle off.
5. Repeat steps i - iv for each additional risk classification you want to synchronize with your MDM.
  Each risk classification you add here must have a corresponding unique custom attribute defined in your MDM.

Scroll down to Error Management and enter an email address for error reporting.
(Optional) Scroll down to Group Management and enter a Lookout MES Console Device Group for new devices from this connector.

By default, new devices are added to the Default Group in the Lookout MES Console. For more information about Device Groups, see the Lookout MES Console Administrator's Guide.
Scroll up and click Save Changes in the top right corner.
You can review connector settings from the Integrations module at any time.

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Setting up your MaaS360 Connector in the Lookout Mobile Endpoint Security Console

lookout-footer