Like said, the Lookout service is currently hosted on Amazon Web Services and Microsoft Intune is hosted on Microsoft Intune.
First of all the feature needs to be available in your Microsoft Intune tenant to be able to get the integration between Microsoft Intune and Lookout to work. When you look in the Admin workspace of the Intune Console, you see a node called Third Party Service Integration with Lookout Status like shown below. The integration is available since the September update of Microsoft Intune.
Setting up Groups
But first let’s prepare the enablement of the integration creating three Azure AD security groups, those groups can be created in your local Active Directory or directly in Azure AD. The following groups need to be created;
|Lookout Administrators||All Administrators for the Lookout Service||Yes|
|Lookout Restricted Administrators||Restricted Admin access to the Lookout service||No|
|Lookout Users||All users that need Lookout for Work (enrollment group)||Yes|
When using Lookout Administrators and Lookout Restricted Administrators, you need to supply the object ID of the Azure AD group to the support desk of Lookout. This can be done as follows.
Go to the new Azure Portal (https://portal.azure.com) and click Azure Active Directory. Click in the Quick Tasks Find Group and look for the Lookout groups you created. To get the Object ID, click the groups one by one and look for the Object ID in the Overview > Essentials section like shown below.
After the configuration of the groups is done by Lookout, you need to add your Tenant Global Admin in the Lookout Administrators to be able to configure the connection between Lookout MTP and Microsoft Intune.
The next step is to accept consent for allowing Lookout MTP to get access to Microsoft Intune, Lookout MTP needs to have access to the following;
- Send device threat information to Microsoft Intune
- Read directory data (Azure AD)
- Access your organization’s directory
Login with the Azure AD Global Admin to https://aad.lookout.com/les?action=consent and accept the consent like shown below.
After the consent has been accepted the connector can be setup in the console of Lookout MTP. So login to the Lookout MTP console via http://aad.lookout.com and browse to System > Connectors. Click Add Connector and choose Intune as shown below.
After selecting Intune the connector needs to be created. This can be done by clicking on Create Connector like shown in the figure below.
The discovery of users and their devices is done based on enrollment groups. This can be one or more Azure AD group, in this example we only use one group (Lookout Users). After the connector has been created click Enrollment Management and supply the display name of the Azure AD group like shown below in the figure.
Click Save Changes.
Next we need to enable the connection in the Microsoft Intune console. Browse in the Microsoft Intune console to Admin > Third Party Service Integration > Lookout Status. Enable the Connect with Lookout MTP switch and look at the status to be changing from Provisioned to Active.
In the next blog we will have a look at the administrative experience, remember to be able to use the integration of Lookout with Intune you need a separate Lookout MTP license.
Want to see the integration in action?
At IT/Dev Connections (10/10 10/13) I will show the same during at our full day Microsoft Enterprise Mobility +Security workshop ; How You Can Digitally Transform Any Organization on Monday! Be sure to join Kenny Buntinx, Tim De Keukelaere and me in Las Vegas, there are still tickets available!
Other blogs in this series:
- Integration Microsoft Intune and Lookout Mobile Threat Protection is there
- Intune and Lookout: the architecture of the integration
- Intune and Lookout: how to integrate?
- Intune and Lookout: the admin experience.
- Intune and Lookout: the end user experience. (coming up)
- Intune and Lookout: supporting iOS devices (coming up)