There are two distinct paths to integrating Workspace ONE Mobile Threat Defense and Workspace ONE UEM. When you reach step 6 of this integration workflow, you must select between them.
Path One: Workspace ONE Intelligent Hub with mobile threat detections built in
Path Two: Lookout for Work App
For a full list of threat protections, see Capabilities by Deployment Type.
Take the following steps to fully prepare your Workspace ONE Mobile Threat Defense and Workspace ONE UEM environments to work together to protect your mobile endpoints.
MTD_API_Admin and a description.
Under the Categories column to the left, expand API and select Rest. Enable the Read check boxes for each of the following permissions.
Under the Categories column to the left, expand Device Management and select Bulk Management. Enable the Edit check box for the Bulk Management permission.
Under the Categories column to the left, scroll down and expand Settings, then select Tags and enable the Edit check box for the Tags permission.
Select the Save button to save the role.
WS1-MTD with an Account Type of Admin. This generates an API key which is used to configure the Workspace ONE Mobile Threat Defense console.
Copy the key to clipboard with Ctrl-C (on Windows) or Command-C (on macOS).
NOTE: This key will be pasted to the API Token in the Set Up Workspace ONE Mobile Threat Defense Console step, later in this workflow.
When you create a smart group, whatever organization group (OG) you are in at the time you create it becomes the home OG of that smart group. So if you want to include the maximum number of devices in your smart group, you must first move to the highest level customer OG available.
Devices in Customer OG.
In the Name text box, enter the Tag Name from the table.
| Tag Name | Description |
| --- | --- |
| MTD - Activated | Activated devices |
| MTD - Deactivated | Deactivated devices |
| MTD - Disconnected | Devices that have lost connectivity with Mobile Threat Defense |
| MTD - Pending | Devices that have not activated Mobile Threat Defense yet |
| MTD - Unreachable | Devices that are unreachable by Mobile Threat Defense |
| MTD - Threats Present | Compromised devices |
| MTD - Secured | Secured devices |
| MTD - Low Risk | Low risk devices |
| MTD - Medium Risk | Medium risk devices |
| MTD - High Risk | High risk devices |
Under Connector Settings, complete the following options.
| Option | Description |
| --- | --- |
| Label for this MDM connection | This optional entry identifies and differentiates between all your integrations. |
| Workspace ONE URL | Enter your Workspace ONE server URL, for example, https://cnXXXX.awmdm.com |
| API Token | Paste the API Key you copied in the Create an API Key step with Ctrl-V (on Windows) or Command-V (on macOS). |
| Authentication | Certificate Authentication (Recommended): Upload a Workspace ONE UEM certificate and select a passphrase. Basic Authentication: Enter the same username and password as the admin to which you assigned the |
The alternative to this limitation is to set the API Admin password to never expire.
Configure this setting in Workspace ONE UEM by navigating to Accounts > Administrators > List View. Find the admin in the listing, select the Edit icon, and in the Basic tab of the Add/Edit Admin screen set the Require password change at next login option to Disabled.
Select Create Integration in the top-right corner. A banner notification displays indicating a successful integration and additional sections display.
Scroll down to the Enrollment Management section and complete the following options.
| Option | Setting |
| --- | --- |
| Automatically drive Lookout for Work enrollment on Workspace ONE managed devices | Set to ON. |
| Use the following Workspace ONE smart groups to identify devices that should be enrolled in Lookout for Work: | Select the smart group you created in step 3. In this workflow example, that smart group name is |
| How often should Lookout check for new devices? | Set to 5 to sync newly enrolled devices and unenrolled devices from UEM every 5 minutes. |
| Automatically send activation emails to Workspace ONE managed devices | Set to OFF. For an MDM integration, you should drive enrollment through your MDM, not via Mobile Threat Defense Console invitation emails. |
| Delete device on unenrollment | Set to ON to delete devices in Mobile Threat Defense when they are unenrolled from Workspace ONE UEM. |
Scroll down to the State Sync section and enable the option Synchronize device status to Workspace ONE.
Select and assign the tags you created in step 4 per the following table. If you opt not to synchronize a specific device state to Workspace ONE, then leave the corresponding toggle off/null.
| Device state | Tag |
| --- | --- |
| Devices that have not activated Mobile Threat Defense yet | MTD - Pending |
| Devices with Mobile Threat Defense activated | MTD - Activated |
| Devices with Mobile Threat Defense deactivated | MTD - Deactivated |
| Devices that are unreachable by MTD | MTD - Unreachable |
| Devices that have lost connectivity with MTD | MTD - Disconnected |
| Devices with any issues present | MTD - Threats Present |
| Devices with low risk issues present | MTD - Low Risk |
| Devices with medium risk issues present | MTD - Moderate Risk |
| Devices with high risk issues present | MTD - High Risk |
| Devices with no issues present | MTD - Secured |
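A state-sync assignment only works if every tag it references was actually created in step 4; a mapping to a tag name that does not exist means that device state never reaches Workspace ONE UEM, so no smart group or compliance policy can act on it. The following check is an added example, not code from the Workspace ONE or Lookout documentation; the tag list and mapping are transcribed from the two tables above, and it flags that the state-sync table references "MTD - Moderate Risk" while the created tag is "MTD - Medium Risk".

```python
"""Consistency check between the UEM tags created in step 4 and the
MTD state-sync assignments in step 5 (added example, not from the
Workspace ONE / Lookout documentation)."""

# Tags created in Workspace ONE UEM (transcribed from the step 4 table).
UEM_TAGS = {
    "MTD - Activated", "MTD - Deactivated", "MTD - Disconnected",
    "MTD - Pending", "MTD - Unreachable", "MTD - Threats Present",
    "MTD - Secured", "MTD - Low Risk", "MTD - Medium Risk", "MTD - High Risk",
}

# State Sync assignments in the Mobile Threat Defense console (transcribed
# from the step 5 table). None means the toggle is left off/null, i.e. that
# device state is deliberately not synchronised to Workspace ONE.
STATE_SYNC = {
    "not activated": "MTD - Pending",
    "activated": "MTD - Activated",
    "deactivated": "MTD - Deactivated",
    "unreachable": "MTD - Unreachable",
    "lost connectivity": "MTD - Disconnected",
    "any issues": "MTD - Threats Present",
    "low risk issues": "MTD - Low Risk",
    "medium risk issues": "MTD - Moderate Risk",  # as printed in the table
    "high risk issues": "MTD - High Risk",
    "no issues": "MTD - Secured",
}

def check_state_sync(tags, mapping):
    """Return (missing, unused): tags the sync mapping references but that
    were never created in UEM, and created tags no device state points at.
    A missing tag is the dangerous case: the console accepts the name but
    the state is silently dropped on the UEM side."""
    referenced = {t for t in mapping.values() if t is not None}
    missing = sorted(referenced - set(tags))
    unused = sorted(set(tags) - referenced)
    return missing, unused

def unsynced_states(mapping):
    """List device states whose toggle is off/null, so an admin can confirm
    each one is an intentional omission rather than a forgotten toggle."""
    return sorted(state for state, tag in mapping.items() if tag is None)

if __name__ == "__main__":
    missing, unused = check_state_sync(UEM_TAGS, STATE_SYNC)
    print("referenced but not created:", missing)   # ['MTD - Moderate Risk']
    print("created but never assigned:", unused)    # ['MTD - Medium Risk']
    print("states not synchronised:", unsynced_states(STATE_SYNC))
```

Fix the mismatch by assigning the tag exactly as created (or by creating the tag under the name the console uses), then rerun until both lists are empty.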
Scroll down to the Error Management section and enter an email address to which errors are reported.
(Optional for Workspace ONE UEM On-Premises Customers) On-premises environments typically restrict outbound web requests through firewall and proxy rules built on network definitions of specific IP addresses. As an admin of an on-premises Workspace ONE UEM environment, you must add the IP addresses used by Lookout to that allowlist so that service calls from the Lookout cloud to the Workspace ONE UEM server can reach it. The following IP addresses must be allowlisted.
In the event IP addresses must be updated, Lookout provides 6 weeks advance notice to all system admins of the MTD console, giving you time to update your allowlist and avoid any interruption or inconsistency of service. Lookout makes every attempt to limit IP address updates to only once per year.
The last step of the integration requires that you select between deploying the Workspace ONE Intelligent Hub app and the Lookout for Work app.
You can only select one path.