Integrate Workspace ONE Mobile Threat Defense With Workspace ONE UEM

There are two distinct paths to integrating Workspace ONE Mobile Threat Defense and Workspace ONE UEM. When you reach step 6 of this integration workflow, you must select between them.

Path One: Workspace ONE Intelligent Hub with mobile threat detections built in

  • No additional app required for devices enrolled in Workspace ONE UEM with Hub including registered modes.
  • Addresses vulnerabilities, behaviors, configurations, threats including malware, zero day, and machine in the middle attacks.
    • Does not include phishing and content protection.
  • Simplifies delivery of protections to corporate and personal devices.

Path Two: Lookout for Work App

  • Required for devices that are not Hub-enrolled in Workspace ONE UEM, which supports unmanaged device scenarios.
  • Required to enable phishing and content protection.
  • Required for Android devices when dual enrollment (work and personal profiles) is required.
  • Once implemented all security functions, including detection and notification, occur through the app.

For a full list of threat protections, see Capabilities by Deployment Type.

Take the following steps to fully prepare your Workspace ONE Mobile Threat Defense and Workspace ONE UEM environments to work together to protect your mobile endpoints.

Step 1 Create an API Role and Assign it to an Admin

  1. Log in to the Workspace ONE UEM Console using your administrator account.
  2. Navigate to Accounts > Administrators > Roles.
  3. Select the Add Role button. The Create Role page displays.
  4. Enter the role name MTD_API_Admin and a description.
  5. Under the Categories column to the left, expand API and select Rest. Enable the Read check boxes for each of the following permissions.

    • Admins
    • Apps
    • Devices
    • Groups
    • Users

    Screenshot: the Create Role screen with all the REST API permissions selected for the Mobile Threat Defense admin role.

  6. Under the Categories column to the left, expand Device Management and select Bulk Management. Enable the Edit check box for the Bulk Management permission.

    Screenshot: the Create Role screen with the Bulk Management permission selected for the Mobile Threat Defense admin role.

  7. Under the Categories column to the left, scroll down and expand Settings, then select Tags and enable the Edit check box for the Tags permission.

    Screenshot: the Create Role screen with the Tags permission selected for the Mobile Threat Defense admin role.

  8. Select the Save button to save the role.

  9. Navigate to Accounts > Administrators > List View.
  10. Select the Add button and select Add Admin. The Add/Edit Admin page displays.
  11. On the Basic tab, enter the Username and values for all other required (*) fields for this Mobile Threat Defense admin.
  12. Switch to the Roles tab and select the Select Role text box. In the drop-down menu that displays, scroll down to the role you created earlier, MTD_API_Admin.
  13. In the Select Organization Group field, enter the name of your main (parent) organization group.
  14. Select Save to assign the role to the admin.

Step 2 Create an API Key

  1. Log in to the Workspace ONE UEM Console using your administrator account.
  2. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API. The REST API configuration page displays.
  3. For the Enable API Access option, select Enabled.
  4. Select the Add button. A blank key entry displays at the bottom of the listing. Add the Service Name WS1-MTD with an Account Type of Admin. This generates an API key which is used to configure the Workspace ONE Mobile Threat Defense console.
  5. Select the generated key from the API Key text box for WS1-MTD.
  6. Copy the key to clipboard with Ctrl-C (on Windows) or Command-C (on macOS).

    NOTE: This key will be pasted to the API Token in the Set Up Workspace ONE Mobile Threat Defense Console step, later in this workflow.

  7. Select Save.

Step 3 Create a Smart Group

When you create a smart group, whatever organization group (OG) you are in at the time you create it becomes the home OG of that smart group. So if you want to include the maximum number of devices in your smart group, you must first move to the highest level customer OG available.

  1. In the Workspace ONE UEM Console, move to the organization group (OG) that manages all the devices you want to protect with Mobile Threat Defense.
    • Move OGs by clicking the OG selector button in Workspace ONE UEM. Do not create a smart group from the Global OG.
  2. Navigate to Groups & Settings > Groups > Assignment Groups.
  3. Select the Add Smart Group button. The Create New Smart Group screen displays.
  4. In the Name text box, enter a name for the smart group, such as Devices in Customer OG.
  5. Select which devices belong in the smart group by taking one or both of the following steps.
    1. In the Organization Group section, the name of the OG you moved to in step 1 displays. Enable this check box to include all devices in this OG for the smart group.
    2. Optionally, in addition to the OG you selected, select the User Group section and Add user groups. This action includes all the devices in these user groups in the Mobile Threat Defense smart group.
  6. You can include or exclude devices by filling out the Additions and Exclusions sections. For more information, see Create a Smart Group.
  7. Select Save.

Step 4 Create the Tags

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Advanced > Tags.
  2. Select Create Tag. The Create Tag dialog displays.
  3. In the Name text box, enter the Tag Name from the table.

    Tag Name              | Description
    MTD - Activated       | Activated devices
    MTD - Deactivated     | Deactivated devices
    MTD - Disconnected    | Devices that have lost connectivity with Mobile Threat Defense
    MTD - Pending         | Devices that have not activated Mobile Threat Defense yet
    MTD - Unreachable     | Devices that are unreachable by Mobile Threat Defense
    MTD - Threats Present | Compromised devices
    MTD - Secured         | Secured devices
    MTD - Low Risk        | Low risk devices
    MTD - Medium Risk     | Medium risk devices
    MTD - High Risk       | High risk devices
  4. Select Save.

  5. Repeat Steps 2-4 to create each tag from the table.

Step 5 Set Up Workspace ONE Mobile Threat Defense Console

  1. Log in to the Mobile Threat Defense console.
  2. In the left panel, select Integrations.
  3. Under Choose a product to set up, select the Workspace ONE button.
  4. Under Connector Settings, complete the following options.

    Setting                       | Description
    Label for this MDM connection | This optional entry identifies and differentiates between all your integrations.
    Workspace ONE URL             | Enter your Workspace ONE server URL, for example, https://cnXXXX.awmdm.com
    API Token                     | Paste the API Key you copied in the Create an API Key step (Ctrl-V on Windows, Command-V on macOS).
    Authentication                | Certificate Authentication (Recommended): Upload a Workspace ONE UEM certificate and select a passphrase.
                                  | Basic Authentication: Enter the same username and password as the admin to which you assigned the MTD_API_Admin role in step 1. If you select Basic Authentication, you must update the connector configuration each time the API admin's password expires.
                                  | The alternative to this limitation is to set the API admin password to never expire. To configure this in Workspace ONE UEM, navigate to Accounts > Administrators > List View, find the admin in the listing, select the Edit (pencil) icon, and on the Basic tab of the Add/Edit Admin screen set the Require password change at next login option to Disabled.
  5. Select Create Integration in the top-right corner. A banner notification displays indicating a successful integration and additional sections display.

  6. Scroll down to the Enrollment Management section and complete the following options.

    Setting | Description
    Automatically drive Lookout for Work enrollment on Workspace ONE managed devices | Set to ON.
    Use the following Workspace ONE smart groups to identify devices that should be enrolled in Lookout for Work | Select the smart group you created in step 3. In this workflow example, that smart group name is Devices in Customer OG, but you must select the smart group you created.
    How often should Lookout check for new devices? | Set to 5 to sync newly enrolled devices and unenrolled devices from UEM every 5 minutes.
    Automatically send activation emails to Workspace ONE managed devices | Set to OFF. For an MDM integration, you should drive enrollment through your MDM, not via Mobile Threat Defense Console invitation emails.
    Delete device on unenrollment | Set to ON to delete devices in Mobile Threat Defense when they are unenrolled from Workspace ONE UEM.
  7. Scroll down to the State Sync section and enable the option Synchronize device status to Workspace ONE.

  8. Select and assign the tags you created in step 4 per the following table. If you opt not to synchronize a specific device state to Workspace ONE, then leave the corresponding toggle off/null.

    Option | Value
    Device Status:
    Devices that have not activated Mobile Threat Defense yet | MTD - Pending
    Devices with Mobile Threat Defense activated | MTD - Activated
    Devices with Mobile Threat Defense deactivated | MTD - Deactivated
    Connection Status:
    Devices that are unreachable by MTD | MTD - Unreachable
    Devices that have lost connectivity with MTD | MTD - Disconnected
    Risk Status:
    Devices with any issues present | MTD - Threats Present
    Devices with low risk issues present | MTD - Low Risk
    Devices with medium risk issues present | MTD - Moderate Risk
    Devices with high risk issues present | MTD - High Risk
    Devices with no issues present | MTD - Secured
  9. Scroll down to the Error Management section and enter an email address to which errors are reported.

  10. Scroll up and select Save Changes in the top-right corner. You can review connector settings from the Integrations at any time.
  11. (Optional, for Workspace ONE UEM on-premises customers) Firewall and proxy configurations for web requests can enforce network definitions and rules that restrict specific IP addresses. As an admin of an on-premises Workspace ONE UEM environment, you must add the following IP addresses used by Lookout to your allowlist so that outbound service calls from the Lookout cloud can reach the Workspace ONE UEM server.

    • 52.11.153.147
    • 52.11.153.253
    • 54.153.102.83
    • 54.153.102.84

    In the event IP addresses must be updated, Lookout provides 6 weeks advance notice to all system admins of the MTD console, giving you time to update your allowlist and avoid any interruption or inconsistency of service. Lookout makes every attempt to limit IP address updates to only once per year.
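A pre-flight audit of two settings from this workflow, added here as an example and not VMware or Lookout code: it compares a UEM role's granted permissions against the minimum the MTD_API_Admin role needs (Step 1), and checks that every tag referenced by the State Sync mapping (Step 5) actually exists among the tags created in Step 4. The permission tuples, the abbreviated state labels and the reviewed role are constructed inputs; the tag names are copied from the tables above, so the check also surfaces that the State Sync table references MTD - Moderate Risk while Step 4 creates MTD - Medium Risk.

```python
"""Pre-flight audit for the Workspace ONE MTD / UEM integration settings.
Added example, not VMware or Lookout code. Permission and tag names are taken
from Steps 1, 4 and 5 of this page; ROLE_UNDER_REVIEW is a constructed input."""

# Minimum permissions the MTD_API_Admin role needs (Step 1): (category, permission, level).
REQUIRED_PERMISSIONS = {
    ("REST", "Admins", "Read"), ("REST", "Apps", "Read"), ("REST", "Devices", "Read"),
    ("REST", "Groups", "Read"), ("REST", "Users", "Read"),
    ("Device Management", "Bulk Management", "Edit"), ("Settings", "Tags", "Edit"),
}

# Tags created in Step 4 and the State Sync mapping from Step 5, as written on the page
# (state labels abbreviated here).
CREATED_TAGS = {
    "MTD - Activated", "MTD - Deactivated", "MTD - Disconnected", "MTD - Pending",
    "MTD - Unreachable", "MTD - Threats Present", "MTD - Secured",
    "MTD - Low Risk", "MTD - Medium Risk", "MTD - High Risk",
}
STATE_SYNC = {
    "not activated yet": "MTD - Pending", "activated": "MTD - Activated",
    "deactivated": "MTD - Deactivated", "unreachable": "MTD - Unreachable",
    "lost connectivity": "MTD - Disconnected", "any issues": "MTD - Threats Present",
    "low risk": "MTD - Low Risk", "medium risk": "MTD - Moderate Risk",
    "high risk": "MTD - High Risk", "no issues": "MTD - Secured",
}


def audit_role(granted: set) -> dict:
    """Missing entries break the integration; excess entries over-privilege the
    API account whose key and credentials are stored in the MTD connector config."""
    return {"missing": sorted(REQUIRED_PERMISSIONS - granted),
            "excess": sorted(granted - REQUIRED_PERMISSIONS)}


def audit_state_sync(created: set, mapping: dict) -> dict:
    """A state mapped to a tag UEM does not have is never applied, so any smart
    group or compliance policy keyed on that tag never fires for those devices."""
    referenced = set(mapping.values())
    return {"missing_in_uem": sorted(referenced - created),
            "unused_tags": sorted(created - referenced)}


if __name__ == "__main__":
    # Constructed: a role that also received REST Devices Edit, which this page never asks for.
    ROLE_UNDER_REVIEW = REQUIRED_PERMISSIONS | {("REST", "Devices", "Edit")}
    print(audit_role(ROLE_UNDER_REVIEW))               # excess: [('REST', 'Devices', 'Edit')]
    print(audit_state_sync(CREATED_TAGS, STATE_SYNC))  # missing_in_uem: ['MTD - Moderate Risk']
```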

Step 6 Choose Between Deploying the Workspace ONE Intelligent Hub App and the Lookout for Work App

The last step of the integration requires that you select between deploying the Workspace ONE Intelligent Hub app and the Lookout for Work app.

You can only select one path.

Deploy the Workspace ONE Intelligent Hub App

OR

Deploy the Lookout for Work App
