These steps assume the device owner is a member of an Entra ID Group mapped to an MES Enrollment Group as documented in Step 6 of Setting up your Intune Connector.

Because the Entra ID Group has the application listed as a "Required Install", Intune automatically pushes the Lookout for Work application to registered devices. The device user must install the app and then open it and click Sign in with Entra ID.

Users must accept the following permissions:

iOS:

• Notifications: Lookout uses this permission to alert the user of threats on the device.
• Location: Lookout uses Location information to read WiFi network IDs.
• VPN (only if your deployment uses the On-Device Threat Remediation or Safe Browsing features): Lookout uses an on-device VPN to analyze network traffic in order to identify malicious sites.

Android:

On Android Enterprise devices, the following permissions are automatically granted through Intune:

• Phone (Device ID & call information): Lookout uses this permission to retrieve the device IMEI and correlate it with the same managed device in Entra ID.
• Contacts: Lookout uses this permission to import Company Profile information during Entra ID activation.
• Storage (Photos/Media/Files): Lookout uses this permission to analyze the files on a device for threats.
• Location (Wi-Fi connection information): Lookout uses Location information to read WiFi network IDs.
• VPN (only if you enable On-Device Threat Remediation or Safe Browsing from the Lookout MES Console): Lookout uses an on-device VPN to analyze network traffic in order to identify malicious sites.