Ignite is the largest event for Microsoft where important announcements are being made. This was also the case in the first week of November, in which Microsoft has announced new products and services. Brad Anderson, Corporate Vice President (CVP) Microsoft 365 made several important announcements. During his 45-minute breakout session (BRK008) entitled “Modern Management: How / why you do it now”, Brad demonstrated the integration of Lookout’s Mobile Endpoint Security (MES) solution with Microsoft Intune based on an App Protection Policy, also known as Mobile Application Management (MAM).
What is the MES solution from Lookout?
Lookout MES is a solution for the mobile workers of a company. It provides comprehensive and continuous risk assessment on iOS and Android devices to protect users against app, device, network and phishing based threats. These security features cannot currently be filled in by Microsoft Intune. That is why a Mobile Endpoint Security integration with Microsoft Intune is recommended for companies, which also protects the mobile endpoints against all kinds of threats. After all, a Windows device is protected with an endpoint solution such as Microsoft Defender, so why not protect a mobile device (iOS/Android) with an endpoint solution?
Previously it was only possible to integrate a MES solution such as Lookout with Microsoft
Intune based on Mobile Device Management (MDM). This meant that the mobile
device always had to be managed in Microsoft Intune to be able to use the
Lookout integration. The consequence of this was that companies could only
provide Lookout with end users with a business device. End users with mobile
devices purchased by themselves are often unwilling to give their device under
management to the management organization of their organization.
With this new integration option of both companies, this is a thing of the past. Microsoft Intune is now able to enforce Lookout’s MES solution with only an App Protection Policy for both platforms. Lookout is currently the only party that makes this integration possible for both iOS and Android.
Secure BYOD for Office 365 users
Companies who already use both Microsoft Intune and the Lookout’s MES solution can easily configure this new feature by the following steps. These steps can now also be found on the Microsoft website.
Mobile Threat Defense Connector
First of all, the MTD Connector needs to be adjusted to make this new feature available.
Step 2 – In the Intune dashboard, choose “Device Compliance” and then select “Mobile Threat Defense” under the “Setup” section.
Step 3 – Select the MTD Connector “Lookout for Work”.
Step 4 – Enable the App Protection Policy for the platforms iOS and/or Android and click “Save” to close the window.
App Protection Policy
Finally, the Mobile Threat Defense integration must be enabled in an existing or new App Protection Policy. In this example we already have an existing App Protection Policy and only need to configure the MTD integration.
Step 1 – In the Intune dashboard, choose “Client apps” and then select “App Protection Policies” under the “Manage” section.
Step 2 – Create a new policy or select an existing App Protection Policy from the Android or iOS/iPadOS platform. In this example, an existing Android App Protection Policy has been chosen.
Step 3 – After selecting the App Protection Policy, we click on “Properties” and edit the “Conditional Launch” section at the bottom of the screen.
Step 4 – In the App Protection Policy under the section “Device conditions” we add the setting “Max allowed device threat level” with a matching value “Secure” and the corresponding action “Block access“. Then we click on “Review + Save” and again on “Save“.
Step 5 – The App Protection Policy has been saved and has now an integration with Lookout’s MES solution.
The steps for opening Microsoft Outlook without Lookout on a personal mobile device of an end user that only has an App Protection Policy on it.
- The end user opens the mobile Outlook app on his personal mobile device and logs in to the e-mail for checking the work.
- Microsoft verifies the login details of the end user AND checks the device risk level of Lookout.
- End-user activates Lookout and scans the device for threats and alerts the end user that his device is safe.
- If the device is free of threats, the end user is returned directly to his Outlook inbox.
- If a threat is detected, access to company data is blocked and the user is instructed to correct the threat.
The full end-user experience can be seen in the next two instructional videos:
1. Lookout for Work is enforced when it is missing on the mobile device
2. Access to company data is blocked in the event of a threat.
All benefits at a glance:
- Only devices that are defined as healthy by Lookout administrators can access company data.
- The end-user privacy is respected because MDM registration of the mobile device is not required.
- Intune App Protection Policy is required, but the device does not need to be managed.
- This approach is unremarkable for the end-user unless there is a problem on the device.
- Once a problem is resolved, the end-user is returned to the managed app he used.