Lookout Mobile Endpoint Security Console Administrator Permissions
You may wish to prevent some Lookout administrators from modifying configuration, such as the Connector settings or policies in the Protections module that define risk levels and responses. You can set a Lookout MES Console administrator to have Full Access, Restricted Access, Analyst Access, Analyst Read Only Access, Read Only Access, or Enrollment Only Access, summarized below:
✅ = Regular Access: The administrator can access the module and modify settings.
🔒 = Locked: The administrator can access the module, but cannot modify settings.
❌ = No Access: The administrator does not see the module when logged into the MES Console.
| MES Console Module | Full Access | Restricted | Analyst | Analyst Read Only | Read Only | Enrollment Only |
|---|---|---|---|---|---|---|
| Core Modules | ||||||
| Dashboard | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Issues | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Issues > Issue Details | ✅ | ✅ (Limited)1 | ✅ (Limited)1 | 🔒 | 🔒 | ❌ |
| Devices | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Devices > Device Details | ✅ | ✅ | ✅ | 🔒 | 🔒 | ❌ |
| Apps (MES Comprehensive) | ✅ | ✅ | ✅ | 🔒 | 🔒 | ❌ |
| Apps > App Details | ✅ | 🔒 | ✅ | 🔒 | 🔒 | ❌ |
| Apps > Custom Policies | ✅ | 🔒 | ✅ | 🔒 | 🔒 | ❌ |
| Vulnerabilities | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Research | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Protections | ✅ | 🔒 | 🔒 | 🔒 | 🔒 | ❌ |
| Protections > Phishing and Content Protection | ✅ | 🔒 | ✅ | 🔒 | 🔒 | ❌ |
| Protections > On-Device Threat Protection | ✅ | 🔒 | 🔒 | 🔒 | 🔒 | ❌ |
| Integrations | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| System Modules | ||||||
| Account | ✅ | 🔒 | 🔒 | 🔒 | 🔒 | ❌ |
| Manage Admins | ✅ | 🔒 | 🔒 | 🔒 | 🔒 | ❌ |
| Manage Device Groups | ✅ | 🔒 | 🔒 | 🔒 | 🔒 | ❌ |
| Manage Enrollment | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ (Limited)3 |
| iOS Configuration | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Audit Trail | ✅ | ✅ Limited)2 | ✅ (Limited)2 | ✅ (Limited)2 | ✅ (Limited)2 | ❌ |
| Application Keys | ✅ | 🔒 | 🔒 | 🔒 | ❌ | ❌ |
1 Cannot allowlist side-loaded or non-app store apps.
2 Can only view/export personal activity.
3 Can only view the Invite Management tab of the module and click Renew Token to refresh enrollment codes for existing invites. Cannot manage other enrollment settings or send new invites.
You can view and edit the permission level assigned to a given admin from .
