Intune and Lookout: the admin experience

mtp-blog-3-00The fourth blog about the integration of Microsoft Intune and Lookout MTP we will have a look at the administrative side of things. We will have a look at what we are able to configure in relation to threats, we will have a look the devices that can be managed both in Lookout and how we need to setup compliance within Microsoft Intune.

Lookout Admin Portal

The Lookout Admin Portal is accessible from, after you configured the consent like described in the last blog you are able to access. If you want to get a view of your current state of your devices, this is the place to be! The portal is divided into six workspaces;

Workspace Description
Dashboard Get a direct view of the current status of your devices, how many devices are enrolled, how many are infected with what threat level and what king of source. Of course you will see the threats over time and all the numbers by category.
Threats See active and resolved threats, you are allowed to create filters to get the right export for your management or security officer. Click on threats to get more information.
Devices See all active and pending devices with the current threat levels. Click on the devices to get information about the device and active or resolved threats.
Policy See what threat categories Lookout is able to detect and configure the severity of the threat to Low, Medium or High. Also iOS apps can be whitelisted when sideloading apps
System Configure not only the Intune connector but also thinks like what kind of alerts you want to receive as an admin.
Support Link to the support website and ticket system of Lookout.


The dashboard gives you an overview about the state of your devices that are protected by Lookout for Work. Lookout for Work reports its status to the Lookout service and the gathered information will be shown. Get an easy overview of the device deployment, devices that are at risk, active threats and see trends about application threats, file threats, network threats and OS threats.

Lookout MTP Dashboard



Looking at the Threats in the threats workspace of the Lookout web-console you can easy filter threats based on risks, status, OS, threat types and classifications. By default, all active, resolved and ignored threats of the last 30 days are shown. Since no threat records are removed you are able to show all the historical threats from your company.

Active threats

Clicking on an active (or resolved/ignored) threat gives you information about the threat on the device. This way you know what the impact can be and what is potentially happened with the device. Also binary analysis provided by Lookout can be accesses and analyzed.

This view gives you also an overview of the history of the threat in your environment.

Information about the threat

Looking at the binary analysis will give us information about the app itself and the threat analysis which can help you assessing if the detected threat is one that needs to be resolved immediately or not.

Detailed information about the threat


The devices workspace gives us a real time overview of the devices that are managed and gathered from Intune by Lookout. The devices can have different states;

State Description
Secured Device is protected by Lookout, no threats are detected
Activated Lookout for Work is activated
Pending Device is gathered from Intune and user needs to install and/or active Lookout for Work.
Deactivated Lookout for Work is deactivated from the Lookout MTP console. For instance when user leaves company.
Low Risk A low risk is detected on the device and the risk is still active.
Medium Risk A medium risk is detected on the device and the risk is still active.
High Risk A high risk is detected on the device and the risk is still active.

Besides the current state the device type, the UPN that is used to activate Lookout for Work and if the device is managed by Intune is displayed.

When clicking on a device, more information about the device itself, the installed Lookout for Work app and the threat history can be found. Per threat more information can be gathered like in the threat workspace.

Device information


The risk levels of the policy categories like listed in the first blog of this series can be configured to be Low, Medium or High, like shown below. This way you are able to create custom protection for your company.

For iOS apps can also be whitelisted so that custom Line Of Business apps can be side loaded via Microsoft Intune.

Configure the threat levels


The System workspace is the place to be to configure the Lookout Mobile Threat Protection cloud service. In the third blog I showed how to setup the connector between Microsoft Intune and Lookout MTP.

Configure Lookout MTP

The System workspace is devices in several tabs;

Tab Description
Account See the information about your subscription and the current license usage by your company.
Admin All administrators and restricted administrators are listed that are member of the Azure AD groups that were created in the last blog.
Enrollment Configure the language of the console and when a device is considered as disconnected. By default a device is considered as disconnected when Lookout did not contact the service for 30 days.
iOS For iOS an iPA file needs to be downloaded and signed with your Apple Enterprise Developer certificate. (will cover this in the last blog of this series)
Connectors Create and configure the connector for Microsoft Intune.
Preferences Configure if you as an admin wants to receive emails when a Low, Medium and/or High threat is detected. This needs to be configured per admin and all levels are selected by default.


Microsoft Intune side

In Intune not much needs to be done besides by pushing the Android and iOS Lookout for Work Apps as required apps for the mobile devices and the maximum allowed threat level in the Compliance Policy needs to be configured.

In the Compliance Policy that needs to be deployed to all users that need to use Lookout for Work you need to configure one of the following maximum allowed threat levels;

Threat level Description
None (secured) No threat is allowed, if a low threat or higher is detected the device will be considered as non-compliant and all access to apps (like Exchange Online, SharePoint Online, Skype for Business Online, CRM Online, Exchange on-premises) that use Conditional Access is blocked.
Low Only low threats are allowed to keep the device compliant.
Medium Only low and medium threats are allowed to keep the device compliant.
High All threats are allowed to keep your device compliant.

In the next blog we will have a look at the end user experience, remember to be able to use the integration of Lookout with Intune you need a separate Lookout MTP license.

Other blogs in this series:



Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

October update to Intune service coming up!

Next Post

Action required: Check your Conditional Access policies!

Related Posts