Create Cloud Authentication policies
- Select Protect > Cloud Authentication.
- Click New.
- Enter a Policy Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces.
- (Optional) To specify a time range in which the cloud application will be available, click the Time Window toggle. Then, select these options:
- The days of the week for which you want to apply a time window
- The time range for those days
To add another time window, click the + icon at the right, then select the days and time ranges for that time window.
To add a time range for after office hours, (example: 7:00 PM to 8:00 AM), you need to configure two time-window settings: the first for the hours up until midnight; the second for the hours starting at midnight and ending at the desired morning time.
- Set a time range from 7:00 PM until 0:00 (midnight).
- Click the + sign to add a time range from 0:00 (midnight) until 8:00 AM.
- Click Next.
- Select the cloud applications to which the policy should apply.
Login is the available activity type.
- Select a context type.
- Enter the additional details for the context type you selected.
Context types and the options for each:
Users: Select All or Selected. For Selected, enter a valid email address for each user.
User Group: User groups are organized into directories. When you select User Group as a context type, the available directories containing the groups are listed in the left column.
Select a directory to view the user groups it contains. The user groups for that directory are displayed.
Select the groups from the list and click the right-arrow icon to move them to the Selected User Groups column and click Save. These are the groups to which the policy will apply.
To search for a directory or group, click the Search icon at the top. To refresh the list, click the Refresh icon at the top.
Location: Check one or more locations, or check Select All.
Device Profile: Select a context type and a target for each type.
Managed status: Select an option.
- Managed
- Unmanaged
Compliance Status: Select one or more options.
- Protected
- Disconnected
- Compliant
- Non-Compliant
Depending on what you select, some other options are disabled. For example, if you select Protected, Disconnected is disabled. If you select Disconnected, Protected is disabled.
Threat Status: Select one or more options.
- Secure
- Low
- Medium
- High
Click the + sign at the right to add Device Profile contexts.
After you have selected and configured all of the context options for Device Profile (Managed Status, Compliance Status, and Threat Status), you cannot select additional targets if you add another Device Profile context rule.
Device OS: From the Match prompt, select an operator: Equal To, Not Equal To, Greater Than, or Less Than.
From the Device OS prompt, select an OS and an OS version. For Equal To or Not Equal To, you can select multiple OS versions or click Select All. For Greater Than or Less Than, you can select only one OS version from each category.
Click Save.
Device OS context policies are currently supported only on OS versions under 11 for both Windows and MacOS.
App Types: Select an application type from the App Types list. The types listed are based on the cloud application selected for this policy.
Example 1 - Office 365
The App Types list displays the Office 365 application types. You can select one, some, or all of the applications listed.
- Click the > icon to display the app types and check the types to include for the policy.
- To include other thick apps for the policy, check Other Thick Apps.
- To select all types (including Other Thick Apps), check Select All.
- Click Save.
Example 2 - Box
The App Types list displays the available Box application types.
- Click the > icon to display the app types and check the types you want to include for the policy.
- To include other thick apps for the policy, check Other Thick Apps.
- To select all types (including Other Thick Apps), check Select All.
- Click Save.
Browser Types: From the Match prompt, select an operator: Equal To, Not Equal To, Greater Than, or Less Than.
From the Browser Types prompt, select a browser type and version. For Equal To or Not Equal To, you can select multiple browser versions or click Select All. For Greater Than or Less Than, you can select only one browser version from each category.
Click Save.
User Risk: The User Risk specifies a risk level for the user accessing the cloud application.
Select a risk score level: Low & Above, Medium & Above, or High.
Login Risk: You can configure a policy with Login Risk authentication to restrict access based on Geo Anomaly and device posture. This configuration can block attempts at access by those with compromised credentials.
For accurate policy enforcement, configure Geo Anomaly IP and user allowlist settings.
This context type applies only to unmanaged devices. The default selection is Geo Location Anomaly.
Source IP: Select a valid IP address range.
(Optional) To add another IP address range, click the + icon and enter the values.
Click Save.
IP Risk Score: The IP Risk Score specifies a risk level for the IP address being accessed. For example, to deny login from a device with a risk score level of medium and above, select Medium & Above.
Select a risk score level: Low & Above, Medium & Above, or High.
- Click Next and select a session action:
- Allow & Log
- Deny
- Allow & Go Direct
When forward proxy is used for SSO-enabled cloud applications, a Cloud Authentication policy with the Allow & Go Direct action will enable traffic to be sent to the cloud via a direct URL instead of via a hyphenated URL after SSO authentication.
- Select a secondary action:
- For Allow & Log and Allow & Go Direct actions, the option is Notification. Select a notification. The list includes notifications you created earlier.
- For the Deny action, the options are Notification and Remediation. For Notification, select a message. For Remediation, select a remediation notification.
- Click Next and review the policy summary.
- Click Confirm to save the policy, or click Previous to make any modifications.
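The policy model described above, as an added Python example that is not part of the product or this documentation: it shows why an after-hours window must be configured as two ranges, enforces the Protected/Disconnected exclusion from the Device Profile options, applies the Device OS comparison operators to version numbers, and returns the session action only when every context matches. The class and field names, the minutes-after-midnight representation and the login dictionary keys are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from operator import eq, ne, gt, lt

OPERATORS = {"Equal To": eq, "Not Equal To": ne, "Greater Than": gt, "Less Than": lt}
EXCLUSIVE = {"Protected": "Disconnected"}  # selecting one disables the other (Device Profile caveat)

@dataclass
class TimeWindow:
    days: frozenset        # day abbreviations the window applies to, e.g. {"Mon", "Tue"}
    start: int             # minutes after midnight, inclusive
    end: int               # minutes after midnight, exclusive; 1440 is 0:00 at the end of the day
    def contains(self, at: datetime) -> bool:
        minute = at.hour * 60 + at.minute
        return at.strftime("%a") in self.days and self.start <= minute < self.end

def after_hours(days, start, end):
    """An overnight range (start > end) becomes the two windows the page requires."""
    days = frozenset(days)
    if start <= end:
        return [TimeWindow(days, start, end)]
    return [TimeWindow(days, start, 1440), TimeWindow(days, 0, end)]

@dataclass
class DeviceProfile:
    managed: str                         # "Managed" or "Unmanaged"
    compliance: frozenset = frozenset()  # chosen Compliance Status values; empty means any
    def __post_init__(self):
        for a, b in EXCLUSIVE.items():
            if {a, b} <= self.compliance:
                raise ValueError(f"{a} and {b} cannot both be selected")
    def matches(self, login) -> bool:
        return login["managed"] == self.managed and (
            not self.compliance or login["compliance"] in self.compliance)

@dataclass
class DeviceOS:
    match: str             # an OPERATORS key; Greater/Less Than take a single version
    os: str
    version: tuple         # e.g. (10, 0); tuples compare component-wise
    def matches(self, login) -> bool:
        return login["os"] == self.os and OPERATORS[self.match](login["os_version"], self.version)

def evaluate(action, contexts, windows, login, at):
    """Return the session action if the login falls inside a window (or no window is set)
    and every context rule matches; None means this policy does not apply."""
    in_window = not windows or any(w.contains(at) for w in windows)
    return action if in_window and all(c.matches(login) for c in contexts) else None
```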