home

Mobile Endpoint Security

Mobile Endpoint SecuritySecurity Service Edge
Mobile Endpoint SecuritySecurity Service Edge

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Show Contents

Mobile Endpoint Security

Deploying Lookout with VMWare Workspace ONE Unified Endpoint Management (UEM)

Setting up your Workspace ONE Connector in the Lookout Mobile Endpoint Security Console

Once you have created an API user, an enrollment Smart Group, and tags for syncing device state between Lookout and Workspace ONE, you can create your Workspace ONE Connector in the Lookout Mobile Endpoint Security (MES) Console. If you have multiple tenants, you must repeat the following steps to connect to each of them:

  1. Log in to the Lookout MES Console at https://app.lookout.com.
  2. In the left sidebar, click Integrations.
  3. Under Choose a product to set up, click the Workspace ONE tile.
    The Workspace ONE Connector page opens.
  4. Under Connector Settings, enter the following:
    FieldValue
    Label for this MDM connection

    (Optional) A user-friendly name for the connector.

    If you have multiple connectors configured, this label displays in the MDM column of the Lookout MES Console Devices list so that you can determine which connector and MDM instance a device belongs to.

    Workspace ONE URLYour Workspace ONE server URL, https://<server name>.awmdm.com
    API TokenCopy the API key from Creating an API Key.
    AuthenticationCertificate Authentication (Recommended): Click Choose file... and then enter your Passphrase.
    Basic Authentication: Enter the username and password for the API user you created in Creating an API Role and User. If you use basic authentication, you must update the connector configuration whenever the API user's password expires and has to be changed.
  5. (Optional) To route Lookout traffic through a proxy, enter the proxy address and credentials in the Proxy Settings fields.
  6. Click Create Integration in the top right corner.
    If creation is successful, a banner notification appears and additional sections become enabled.

    If you get a certificate error, click Certificate Details. Otherwise continue with Step 7.

    1. Look for errors on the certificate details screen.
      Typical errors include expired or broken certificates as shown here:
      ErrorHow to Fix the Error
      Expired certificate The certificate expiration date is in the past.Replace the MDM certificate with a new certificate.
      Broken certificate. One or more intermediate certificates do not validate correctly.Replace the MDM certificate with a valid certificate.
    2. Retry entering all required information into the Integration connector.
  7. Scroll down to Enrollment Management and enter the following:
    FieldValue
    Automatically drive Lookout for Work enrollment on Workspace ONE managed devicesON
    Use the following Workspace ONE smart groups to identify devices that should be enrolled in Lookout for Work:Select your enrollment Smart Group from Creating Smart Groups & Tags. This should be Lookout for Work.
    How often should Lookout check for new devices?Lookout recommends using the default 5 minute interval.
    Automatically send activation emails to Workspace ONE managed devices

    OFF

    For an MDM integration, you should drive enrollment through your MDM, not via Lookout MES Console invitation emails.

    Delete device on unenrollmentON
  8. Scroll down to State Sync and enable Synchronize device status to Workspace ONE.
  9. Select the tags you created in Creating Smart Groups & Tags.
    If you choose not to synchronize a specific state to Workspace ONE, leave the corresponding toggle off.
    1. Device Status:
      FieldValue
      Devices that have not activated Lookout yetLookout MES - Pending
      Devices with Lookout activatedLookout MES - Activated
      Devices with Lookout deactivatedLookout MES - Deactivated
    2. Connection Status:
      FieldValue
      Devices that are unreachable by LookoutLookout MES - Unreachable
      Devices that have lost connectivity with LookoutLookout MES - Disconnected
    3. Risk Status:
      FieldValue
      Devices with any issues presentLookout MES - Threats Present
      Devices with low risk issues presentLookout MES - Low Risk
      Devices with medium risk issues presentLookout MES - Moderate Risk
      Devices with high risk issues presentLookout MES - High Risk
      Devices with no issues presentLookout MES - Secured
  10. If you have purchased the feature to add specific Risk Classifications to synchronize with Workspace ONE, you can add them using this procedure.
    Otherwise continue on to step 11.

    If you purchased the feature to add Risk Classifications to synchronize with Workspace ONE, a Risk Classification section is visible in the Lookout Workspace ONE connector.

    1. In Workspace ONE, follow the steps in Creating Smart Groups & Tags to define an additional unique smart group tag for each risk classification you want to synchronize with Workspace ONE.
      Here are some examples:
      Example Risk ClassificationExample Smart Group TagExample Tag Description
      Phishing and Content Protection DisabledLookout MES - PCP DisabledDevices with PCP disabled
      VPN Permission Not AcceptedLookout MES - VPN ProhibitedDevices with VPN Permission not accepted
    2. In the Lookout Workspace ONE connector Risk Classification section (visible only if you purchased this feature), follow these substeps:
      1. Click Add Risk Classification.
      2. Set to Enable.
      3. Choose the desired risk classification from the dropdown to synchronize with Workspace ONE.

        Risk classification synchronization occurs only if a state sync event occurs.

      4. Choose the tag for the selected risk classification from the dropdown to synchronize with Workspace ONE.

        If you choose not to synchronize a specific state to Workspace ONE, leave the corresponding toggle off.

      5. Repeat steps i - iv for each additional risk classification you want to synchronize with Workspace ONE.

        Each risk classification you add here must have a corresponding unique tag defined in Workspace ONE.

  11. Scroll down to Error Management and enter an email address for error reporting.
  12. (Optional) Scroll down to Group Management and enter a Lookout MES Console Device Group for new devices from this connector.

    By default, new devices are added to the Default Group in the Lookout MES Console. For more information about Device Groups, see the Lookout MES Console Administrator's Guide.

  13. Scroll up and click Save Changes in the top right corner.
    You can review connector settings from the Integrations module at any time.
  14. If you are running multiple Workspace ONE tenants, repeat these steps to create one connector per tenant.

Last updated: November 20, 2024

lookout-footer

Legal Privacy Policy Cookie Policy Transparency Report Compliance Info Compliance Info (Gov)

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.