Create Jamf PRO Connector in MES Console
- Log into Lookout Console.
- Click Integrations.
- Click the tile Jamf Pro under "Choose a product to set up." The Connector Settings page opens:
- Enter these parameters.
Label for this MDM connection (Optional) A user-friendly name for the connector.
If you have multiple connectors configured, this label displays in the MDM column of the Lookout MES Console Devices list so that you can determine which connector and MDM instance a device belongs to.
Jamf Pro URL Jamf Pro server URL, for example: https://<server name>.jamfcloud.com/JSSResource
Username Enter the administrative username for Jamf Pro which has been provided by the Jamf administrator. Password Enter the Jamf Pro administrative password. The Jamf administrator provides an initial password which should have been changed on the first login. - Click Create Integration.If creation is successful, a banner notification appears and additional sections become enabled.
If you get a certificate error, click Certificate Details. Otherwise continue with Step 6.
- Look for errors on the certificate details screen.Typical errors include expired or broken certificates as shown here:
Error How to Fix the Error Expired certificate The certificate expiration date is in the past. Replace the MDM certificate with a new certificate. Broken certificate. One or more intermediate certificates do not validate correctly. Replace the MDM certificate with a valid certificate. - Retry entering all required information into the Integration connector.
- Look for errors on the certificate details screen.
- Scroll down to Enrollment Management and enter the following:
Automatically drive Lookout for Work enrollment on Jamf Pro managed devices ON Select the group which contain devices that should be enrolled in Lookout for Work: Select your enrollment Smart Group from . How often should Lookout check the MDM for new devices to enroll? Lookout recommends using the default 5 minute interval. You can or increase up to 360 minutes depending on how often you want to discover new devices. Automatically send activation emails to Jamf Pro managed devices OFF
For an MDM integration, Lookout recommends to drive enrollment through your MDM, not via Lookout MES Console invitation emails.
Delete device on unenrollment ON - Click Save Changes.
- Scroll down to State Sync and choose parameters from the dropdown menus.The parameters are extended attributes configured previously in the Jamf Pro console.
- Scroll down to State Sync and turn ON Synchronize device status to jamf PRO.
- If you have purchased the feature to add specific Risk Classifications to synchronize with your MDM you can add them using this procedure.Otherwise continue on to step 11.Note:
NOTE: If you purchased the feature to add Risk Classifications to synchronize with your MDM, a Risk Classification section is visible in the Lookout connector.
- In your MDM, follow the steps in Create Mobile Device Extension Attributes to define an additional unique extension attribute for each risk classification you want to synchronize with your MDM.Here are some examples:
Example Risk Classification Example Attribute Example Description Phishing and Content Protection Disabled Lookout MES - PCP Disabled Devices with PCP disabled VPN Permission Not Accepted Lookout MES - VPN Prohibited Devices with VPN Permission not accepted - In the Lookout connector Risk Classification section (visible only if you purchased this feature), follow these substeps:
- Click Add Risk Classification.
- Set to Enable.
- Choose the desired risk classification from the dropdown to synchronize with your MDM.
Note:
NOTE: Risk classification synchronization occurs only if a state sync event occurs.
- Choose the extension attribute for the selected risk classification from the dropdown to synchronize with your MDM.
Note:
NOTE: If you choose not to synchronize a specific state to your MDM, leave the corresponding toggle off.
- Repeat steps i - iv for each additional risk classification you want to synchronize with your MDM.
Note:
NOTE: Each risk classification you add here must have a corresponding unique extension attribute defined in your MDM.
- In your MDM, follow the steps in Create Mobile Device Extension Attributes to define an additional unique extension attribute for each risk classification you want to synchronize with your MDM.
- Scroll down to Error Management and enter an email address for error reporting.
- (Optional) Scroll down to Group Management and enter a Lookout MES Console Device Group for new devices from this connector.Note:
NOTE: By default, new devices are added to the Default Group in the Lookout MES Console. For more information about Device Groups, see the Lookout MES Console Administrator's Guide.
- Scroll up and click Save Changes in the top right corner.You can review connector settings from the Integrations module at any time.
- If you are running multiple Jamf Pro tenants, repeat these steps to create one connector per tenant.