Lookout Product Documentation

Creating and Assigning Managed App Configuration for the Android Enterprise App

Deploying managed app config to Android Enterprise devices is supported with Lookout for Work 6.4 and higher. If you choose to do so, users do not require Microsoft Authenticator to activate, and you can pre-grant the required permissions to Lookout.

Lookout uses different managed app configuration values for Android Enterprise Work Profile devices and Android Enterprise Fully Managed Devices. If you have both types of devices in your fleet, you must assign the users to separate Entra ID groups so that you can apply the correct managed app configuration to each group.

If you do not provide managed app configuration for the Android app, users can activate Lookout for Work by using Microsoft Authenticator and manually granting permissions.

  1. Log in to the Microsoft Intune admin center.
  2. In the left sidebar menu, click Apps.
  3. In the Apps blade, under Policy, click App configuration policies.
  4. Click + Add > Managed devices.
  5. Set the following:

    | Field | Value |
    | --- | --- |
    | Name | Lookout for Work Android |
    | Description | (Optionally enter a description) |
    | Device enrollment type | Managed devices |
    | Platform | Android Enterprise |
    | Profile Type | All Profile Types |
    | Targeted app | Select the app you defined earlier in Intune and click OK. |

  6. Click Next.
  7. Under Permissions, click + Add and check the following:

    | Permission | Permission name | Description |
    | --- | --- | --- |
    | Contacts (read) | READ_CONTACTS | Allows Lookout to import the Entra ID company profile and authenticate the device against Entra ID. |
    | Location access (fine) | ACCESS_FINE_LOCATION | (Optional) On Android 8.1+, access the SSID of the Wi-Fi network, allowing Lookout to display it upon encountering a Network threat. If the permission is not granted, the name of the compromised network is listed as <unknown ssid>. |
    | Phone state (read) | READ_PHONE_STATE | Allows Lookout to retrieve the device ID and correlate a device with its entry in Intune. |
    | External storage (read) | READ_EXTERNAL_STORAGE | Allows Lookout to read external storage. Required for file system monitoring, so that Lookout can look for malware on the file system. |
    | External storage (write) | WRITE_EXTERNAL_STORAGE | Allows Lookout to write to external storage. Required to remediate malware found on the SD card, as well as for backup functionality. |


  8. Click OK.
  9. Set the Permission state dropdown for each permission to Auto grant.
  10. Scroll down to Configuration Settings and set the Configuration settings format dropdown to Use configuration designer.
  11. Click Add and check the following:
    • MDM name
    • MDM Device ID
    • Global Enrollment Code
    • Email
    • Dual Enrollment
    • HSM Key value
  12. Click OK.
  13. Set the following case-sensitive values:

    | Configuration Key | Value Type | Value |
    | --- | --- | --- |
    | HSM Key value | bool | false |
    | Dual Enrollment | String | false |
    | Email | String | {{userprincipalname}} |
    | MDM Device ID | String | {{aaddeviceid}} for Android Enterprise Work Profile devices; {{AzureADDeviceid}} for Android Enterprise Fully Managed devices; {{intune_device_id}} for Android devices that enroll in Intune before enrolling in Entra ID. |
    | Global Enrollment Code | String | The alphanumeric Enrollment Code from the System > Account screen in your Lookout MES Console. |
    | MDM name | String | INTUNE |
    | ZeroTouchActivation | String | True |

  14. Click Next.
  15. On the 3. Assignment tab, under Included Groups, click + Select groups to include.
  16. Search for and click all groups that you want to assign.
    Use the same group(s) you used for initial enrollment.
  17. Click Select.
  18. Click Next, then click Create.
  19. If you have a mix of work profile and fully managed devices in your fleet, repeat these steps to create a second managed app configuration.

    The app configuration assigned to user groups with Android Enterprise Work Profile devices must use an MDM Device ID value of {{aaddeviceid}}.

    The app configuration assigned to user groups with Android Enterprise Fully Managed devices must use an MDM Device ID value of {{AzureADDeviceid}}.
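
A consistency check for the policies this procedure produces, as an added example that is not Lookout's or Microsoft's code. It models an app configuration policy as a plain Python dict; the dict layout, the `work_profile`/`fully_managed` labels and the `autoGrant`/`prompt` state strings are this example's own assumptions, while the permission list, configuration key names, value types and Intune tokens come from the steps above. It catches the mistake step 19 warns about (a Work Profile token assigned to Fully Managed devices) together with key names that differ only by case and permissions left at prompt instead of Auto grant.

```python
"""Check a Lookout for Work managed app configuration before it is assigned.

Added example, not Lookout or Microsoft code. The policy dict layout and the
profile labels below are assumptions of this example; the permissions, keys,
value types and Intune tokens are the ones the procedure sets.
"""
from __future__ import annotations

# Android permissions the procedure sets to Auto grant (location is optional).
MANDATORY_PERMISSIONS = frozenset({
    "READ_CONTACTS", "READ_PHONE_STATE",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
})
OPTIONAL_PERMISSIONS = frozenset({"ACCESS_FINE_LOCATION"})

# Configuration-designer keys: (value type, fixed value or None when deployment-specific).
EXPECTED_KEYS = {
    "HSM Key value": ("bool", "false"),
    "Dual Enrollment": ("String", "false"),
    "Email": ("String", "{{userprincipalname}}"),
    "MDM Device ID": ("String", None),
    "Global Enrollment Code": ("String", None),
    "MDM name": ("String", "INTUNE"),
    "ZeroTouchActivation": ("String", "True"),
}

# MDM Device ID token per device type; the profile labels are this example's own.
DEVICE_ID_TOKEN = {
    "work_profile": "{{aaddeviceid}}",
    "fully_managed": "{{AzureADDeviceid}}",
}
# Used for devices that enroll in Intune before Entra ID; accepted for either type.
INTUNE_FIRST_TOKEN = "{{intune_device_id}}"


def validate_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy is consistent."""
    findings: list[str] = []

    # 1. Permissions: the mandatory ones are present and every listed one is auto-granted.
    perms: dict = policy.get("permissions", {})
    for perm in sorted(MANDATORY_PERMISSIONS - set(perms)):
        findings.append(f"missing permission {perm}")
    for perm, state in sorted(perms.items()):
        if perm not in MANDATORY_PERMISSIONS | OPTIONAL_PERMISSIONS:
            findings.append(f"unexpected permission {perm}")
        elif state != "autoGrant":
            findings.append(f"{perm} is {state!r}, expected 'autoGrant'")

    # 2. Configuration keys: exact (case-sensitive) names, value types and fixed values.
    settings: dict = policy.get("settings", {})
    lowered = {k.lower(): k for k in settings}
    for key, (vtype, fixed) in EXPECTED_KEYS.items():
        if key not in settings:
            near = lowered.get(key.lower())
            if near:
                findings.append(f"key {near!r} differs from {key!r} only by case")
            else:
                findings.append(f"missing key {key!r}")
            continue
        actual_type, actual_value = settings[key]
        if actual_type != vtype:
            findings.append(f"{key!r} has type {actual_type!r}, expected {vtype!r}")
        if fixed is not None and actual_value != fixed:
            findings.append(f"{key!r} is {actual_value!r}, expected {fixed!r}")
        elif fixed is None and not actual_value:
            findings.append(f"{key!r} must not be empty")

    # 3. The MDM Device ID token must match the device type the policy is assigned to.
    profile = policy.get("profile")
    if profile not in DEVICE_ID_TOKEN:
        findings.append(f"unknown profile {profile!r}")
    elif "MDM Device ID" in settings:
        token = settings["MDM Device ID"][1]
        expected = DEVICE_ID_TOKEN[profile]
        if token not in (expected, INTUNE_FIRST_TOKEN):
            findings.append(
                f"MDM Device ID {token!r} does not match {profile}: expected {expected!r}")
    return findings


def build_policy(profile: str, device_id_token: str, enrollment_code: str) -> dict:
    """Construct a sample policy in the shape validate_policy() expects."""
    return {
        "profile": profile,
        "permissions": {p: "autoGrant" for p in MANDATORY_PERMISSIONS | OPTIONAL_PERMISSIONS},
        "settings": {
            "HSM Key value": ("bool", "false"),
            "Dual Enrollment": ("String", "false"),
            "Email": ("String", "{{userprincipalname}}"),
            "MDM Device ID": ("String", device_id_token),
            "Global Enrollment Code": ("String", enrollment_code),
            "MDM name": ("String", "INTUNE"),
            "ZeroTouchActivation": ("String", "True"),
        },
    }


if __name__ == "__main__":
    # Constructed samples; the enrollment code is a placeholder, not a real value.
    good = build_policy("work_profile", "{{aaddeviceid}}", "ENROLLMENT-CODE-PLACEHOLDER")
    print("work profile:", validate_policy(good) or "OK")

    # Second policy with three realistic slips: the Work Profile token reused for
    # Fully Managed devices, a key name in the wrong case, and location left at prompt.
    bad = build_policy("fully_managed", "{{aaddeviceid}}", "ENROLLMENT-CODE-PLACEHOLDER")
    bad["settings"]["Mdm name"] = bad["settings"].pop("MDM name")
    bad["permissions"]["ACCESS_FINE_LOCATION"] = "prompt"
    for line in validate_policy(bad):
        print("fully managed:", line)
```

Run it once per policy you intend to assign; because Intune matches the configuration keys case-sensitively, the case check is the one that saves the most troubleshooting time when activation silently falls back to the Microsoft Authenticator flow.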