Deploy the Lookout for Work App

You can use Workspace ONE UEM to deploy the Lookout for Work app for Android and iOS.

Android Devices

IMPORTANT: You must manage Android 10 devices under Android Enterprise to activate Lookout for Work. Only Lookout for Work version 6.1.0 and later supports Android 10.

Lookout for Work Functionality on Android Enterprise

| Issue Type | Work Managed Device | Work Profile |
|---|---|---|
| Network Issues | Full visibility into network issues | Full visibility into network issues |
| Device Issues | Full visibility into device level issues | Full visibility into device level issues |
| App Issues (Mobile Threat Defense Comprehensive) | Full visibility into app issues | Reports app issues for work profile apps only. |
| Web Content Issues (Phishing and Content Protection Add-on) | Full protection around phishing and content issues. | Protects against phishing and content issues for network traffic inside the work profile only. |

Distribute Lookout for Work for Android Enterprise

You can distribute the Android Enterprise (managed) version of Lookout for Work using the Google Play store. Take the following steps to add the URL of the Google Play store listing for Lookout for Work to Workspace ONE UEM. Device end users then download and install the app directly from the Google Play Store.

  1. In Workspace ONE UEM, select the Add button, then select Public Application. The Add Application screen displays.
  2. For Platform, select Android. For Source, select Search App Store. In the Name text box, enter Lookout for Work. Select Next and the Add Application screen displays the search results.
  3. In the Add Application screen, select the Lookout for Work entry. This is how it appears in the App Catalog of Workspace ONE UEM. Select Approve to continue. The Lookout for Work app modal screen displays, showing which device resources and data the app has access to. Select Approve again to proceed. The Approval Settings display.
  4. Under Approval Settings, enable the option to keep approved when app requests new permissions. Select Done. The Edit Application screen displays. Select Save & Assign. The Lookout for Work - Assignment screen displays.
  5. In the Name text box, enter Lookout for Work Android. Under Assignment Groups, select the smart group you created for MTD. In this workflow example, that smart group name is Devices in Customer OG but you must select the smart group you created. For App Delivery Method, select Auto.
  6. In the left panel, select Application Configuration. Enable both the Managed Access and Send Configuration options.
  7. Select the ADD link at the bottom of the screen to include a custom configuration when the app is deployed. You must create four Configuration Keys with a Value Type and give them each a custom Configuration Value per the following.

    Take care when entering these values; they are case sensitive, in particular ‘name’ in “MDM name” and ‘value’ in “HSM Key value”.

    | Configuration Key | Configuration Value |
    |---|---|
    | MDM name | AIRWATCH |
    | MDM Device ID | {DeviceUuId} |
    | MDM Connection ID | leave this key value blank |
    | Android ID | leave this key value blank |
    | Identification | leave this key value blank |
    | Global Enrollment Code | See the explanation below. |
    | Email | {EmailAddress} (this key value is optional) |
    | Dual Enrollment | false |
    | Device Unique Identifier | {DeviceUuId} |
    | HSM Key Value | Disable |
  8. Once all the keys and values have been added, select Create. The Preview Assigned Devices screen displays.

  9. Select Publish to deploy the App Assignment to the devices previewed here. You are taken to Resources > Apps > Details View for the Lookout for Work assignment.
  10. The assignment is complete.

Global Enrollment Code: The Configuration Value for this Configuration Key is found in the Mobile Threat Defense Console by navigating to System > Account and locating the Global Enrollment Code at the bottom of the screen. NOTE: If you are integrating multiple Mobile Threat Defense tenants (such as for staging and production environments), each tenant uses a different code and requires a unique app config profile.

View a video walkthrough of adding the Lookout for Work app to your Android Enterprise UEM environment.

Distribute Lookout for Work for Android Legacy

You can distribute the Android legacy (unmanaged) version of Lookout for Work using the Google Play store. Take the following steps to add the URL of the Google Play store listing for Lookout for Work to Workspace ONE UEM. Device end users then download and install the app directly from the Google Play Store.

  1. In Workspace ONE UEM, select the Add button, then select Public Application. The Add Application screen displays.
  2. For Platform, select Android. For Source, select Enter URL. In the Enter URL text box, enter https://play.google.com/store/apps/details?id=com.lookout.enterprise. Select Next and the Add Application screen displays.
  3. In the Add Application screen, enter the name Lookout for Work for Android. This is how it appears in the App Catalog of Workspace ONE UEM. Select Save & Assign to continue. The Assignment screen displays.
  4. In the Name text box, enter Lookout for Work Assignment. Under Assignment Groups, select the smart group you created for MTD. In this workflow example, that smart group name is Devices in Customer OG but you must select the smart group you created. For App Delivery Method, select Auto.
  5. In the left panel, select Application Configuration. Enable both the Managed Access and Send Configuration options.
  6. Select the ADD link at the bottom of the screen to include a custom configuration when the app is deployed. You must create four Configuration Keys with a Value Type and give them each a custom Configuration Value per the following.

    Take care when entering these values; they are case sensitive, in particular ‘name’ in “MDM name” and ‘value’ in “HSM Key value”.

    | Configuration Key | Value Type | Configuration Value |
    |---|---|---|
    | MDM name | String | AIRWATCH |
    | MDM Device ID | String | {DeviceUuId} |
    | Global Enrollment Code | String | See the explanation below. |
    | Email | String | {EmailAddress} (this key value is optional) |
    | Dual Enrollment | Boolean | false |
    | Device Unique Identifier | String | {DeviceUuId} |
    | HSM Key Value | Boolean | Disable |
  7. Once all the keys and values have been added, select Save. The Preview Assigned Devices screen displays.

  8. Select Publish to deploy the App Assignment to the devices previewed here. You are taken to Resources > Apps > Details View for the Lookout for Work assignment.
  9. The assignment is complete.

Global Enrollment Code: The Configuration Value for this Configuration Key is found in the Mobile Threat Defense Console by navigating to System > Account and locating the Global Enrollment Code at the bottom of the screen. NOTE: If you are integrating multiple Mobile Threat Defense tenants (such as for staging and production environments), each tenant uses a different code and requires a unique app config profile.

Configure Permissions and Zero Click Activation for Android Devices

You can pre-grant permissions to your Android Enterprise devices to run the Lookout for Work app without requiring the user to authenticate.

If you want to enable Zero Click activation, take the following steps to deploy a VPN profile from Workspace ONE UEM that opens the Lookout for Work app automatically. The provided App Config and pre-granted permissions enable Lookout for Work to activate without requiring any interaction from the user.

  1. While logged in as an admin in the Workspace ONE UEM Console, select the Add button in the top banner.

  2. Select Profile. The Add Profile screen displays.

  3. Select Android.
  4. Enter a name and optional description for the permissions profile.
  5. Under Profile Scope, select “Production”.
  6. Leave the OEM Settings in its deactivated (off) state.
  7. Scroll down and locate the Permissions section.
  8. Select the ADD button to the right of the Permissions title.
  9. Under Permission Policy, select “Grant all permissions”.
  10. Under the Select App text box, enter “Lookout for Work for Android”.
  11. To configure Zero-Click activation:
    1. Scroll up and locate the Custom Settings section.
    2. Select the ADD button to the right of the Custom Settings title.
    3. Copy the following code and paste it into the Custom Settings text box:
    <characteristic uuid="l00k0ut1-5cf7-4fc1-a757-742f3df81a1b" type="com.airwatch.android.androidwork.app:com.lookout.enterprise" target="1"><parm name="profile_name" value="VPN Configuration" type="string" /><parm name="action" value="1" type="string" /><parm name="EnableAlwaysOnVPN" value="True" type="boolean" /><parm name="aw_vpn_uuid" value="leek0ut4-ae9e-4caa-94e3-1b5c32655ced" type="string" /><parm name="vpn_connection_set_active" value="True" type="boolean" /></characteristic>
    

    This deploys an always-on VPN that opens Lookout for Work on the device. NOTE: The GUID values above can be used across multiple devices without issue.

  12. Select Next and the Assignment/Deployment/Preview screen displays.
  13. Under Smart Group, select the smart group you created in step 3. In this workflow example, that smart group name is Devices in Customer OG but you must select the smart group you created.
  14. Select your Deployment options.
    • Assignment Type – Determines how the profile is deployed to devices.
      • Auto – The profile is deployed to all devices.
      • Optional – An end user can optionally install the profile from the Self-Service Portal (SSP), or it can be deployed to individual devices at the administrator’s discretion. End users can also install profiles representing Web applications, using a Web Clip, or a Bookmark payload. If you configure the payload to show in the App Catalog, then you can install it from the App Catalog.
      • Interactive – The end user can only install the profile by using the Self Service Portal (SSP). For more information, see Self Service Portal.
      • Compliance – The profile is applied to the device by the Compliance Engine when the user fails to take corrective action toward making their device compliant.
    • Allow Removal – Select whether your users can remove the app profile.
    • Managed By – Leave this set to the organization group selected when you created the smart group in step 3.
    • Install Only Area – You can use this option to set a geofence, provided you have one defined. For more information, see Geofence Areas.
    • Schedule Install Time – You can schedule the install only during selected time periods.
  15. Select Save and Publish.

iOS Devices

  1. While logged in as an admin in the Workspace ONE UEM Console, select the Add button in the top banner, then select Public Application.

    The Add Application screen displays.

  2. Under Platform, select “Apple iOS”.

  3. In the Name text box, enter Lookout for Work and press the enter key.
  4. Locate the app from the search results by clicking the +Select button. The Add Application - Lookout for Work screen displays.
  5. Accept the default values on this screen and select Save & Assign. The Distribution screen displays.
  6. Under Name, enter Lookout for Work Assignment.
  7. Under Assignment Groups, enter Lookout for Work.
  8. Under Deployment Begins, enter a date and time the deployment begins.
  9. Under App Delivery Method, select “Auto”.
  10. In the left side panel, select Application Configuration.
  11. Enable both the Managed Access and Send Configuration options.
  12. Select the ADD link at the bottom of the screen to include a custom configuration when the app is deployed. You must create four Configuration Keys with a Value Type and give them each a custom Configuration Value per the following table.

    Keys and values are case sensitive.

    | Configuration Key | Value Type | Configuration Value |
    |---|---|---|
    | DEVICE_UDID | String | {DeviceUId} |
    | MDM | String | AIRWATCH |
    | EMAIL | String | {EmailAddress} (this key value is optional) |
    | GLOBAL_ENROLLMENT_CODE | String | See the explanation below. |
    | DeviceUniqueIdentifier | String | {DeviceUuId} |

    GLOBAL_ENROLLMENT_CODE: The Configuration Value for this Configuration Key is found in the Mobile Threat Defense Console by navigating to System > Account and locating the Global Enrollment Code at the bottom of the screen. NOTE: If you are integrating multiple Mobile Threat Defense tenants (such as for staging and production environments), each tenant uses a different code and requires a unique app config profile.

  13. Once all the keys and values have been added, select Save. The Preview Assigned Devices screen displays.

  14. Select Publish to deploy the App Assignment to the devices previewed here. You are taken to Resources > Apps > Details View for the Lookout for Work assignment.
  15. The assignment is complete.
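
Because the iOS keys and values are case sensitive, a pre-publish check of the configuration can catch a mistyped entry before devices fail to activate. The following is an added example, not part of the original page or of any Workspace ONE UEM or Lookout tooling. It assumes the configuration has been transcribed into a key/value mapping, treats every key except EMAIL as required, and uses hypothetical function and variable names.

```python
# Added example: lint an iOS app configuration against the key table above.
# Keys and values are copied from that table; None marks the tenant-specific
# Global Enrollment Code. Function and variable names are hypothetical.
EXPECTED_IOS = {
    "DEVICE_UDID": "{DeviceUId}",
    "MDM": "AIRWATCH",
    "EMAIL": "{EmailAddress}",
    "GLOBAL_ENROLLMENT_CODE": None,
    "DeviceUniqueIdentifier": "{DeviceUuId}",
}
OPTIONAL = {"EMAIL"}  # the page marks this key value as optional


def lint_ios_app_config(config):
    """Return a list of findings; an empty list means the config matches the table."""
    canonical = {key.lower(): key for key in EXPECTED_IOS}
    findings = []
    for key, value in config.items():
        if key not in EXPECTED_IOS:
            # A key that differs only in case or padding is a typo, not an extra key.
            match = canonical.get(key.strip().lower())
            findings.append(
                f"key {key!r} must be spelled exactly {match!r}" if match
                else f"unexpected key {key!r}"
            )
            continue
        want = EXPECTED_IOS[key]
        if want is None:
            if not value.strip():
                findings.append(f"{key} is empty")
        elif value != want:
            hint = " (case differs)" if value.lower() == want.lower() else ""
            findings.append(f"{key} is {value!r}, expected {want!r}{hint}")
    present = {key.strip().lower() for key in config}
    for key in EXPECTED_IOS:
        if key.lower() not in present and key not in OPTIONAL:
            findings.append(f"missing key {key!r}")
    return findings


# Constructed sample input; the enrollment code is a placeholder, not a real code.
SAMPLE = {
    "Device_UDID": "{DeviceUId}",
    "MDM": "Airwatch",
    "GLOBAL_ENROLLMENT_CODE": "ENROLLMENT-CODE-PLACEHOLDER",
}

if __name__ == "__main__":
    for finding in lint_ios_app_config(SAMPLE):
        print(finding)
```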

View a video walkthrough of adding the Lookout for Work iOS app to your UEM environment.

Forced Activation for Lookout for Work iOS

Lookout for Work for iOS 5.5 and later features a forced activation option. With the forced activation setting enabled, an MDM administrator pushes a VPN profile to managed iOS devices as part of the activation process. The on-device VPN blocks traffic when a device attempts to connect to a site via HTTP (HTTPS traffic is permitted), until the device user opens Lookout for Work.

NOTE: In some cases, users might have cached sites on their device that default to HTTPS access even when entering the site’s HTTP address in the search or navigation bar. The VPN does not block this traffic.

Supervised devices receive a notification alerting them to the activation requirement. All devices are directed to the following URL when traffic is blocked: https://activate.lookout.com/activate.html

[Screenshot: the webpage seen by users blocked by Lookout for Work for iOS.]

After activating Lookout for Work for iOS, users see the following notification confirming that internet access has been restored.

[Screenshot: the notification seen by users who have activated Lookout for Work for iOS.]

Configure Forced Activation for Lookout for Work iOS

When you configure a virtual private network (VPN), you must create a new profile (start at step 1) or edit an existing profile (start at step 5).

  1. (new profile start) While logged in as an administrator in the Workspace ONE UEM Console, select the Add button in the top banner, then select Profile.

    The Add Profile screen displays.

  2. Select Apple iOS followed by Device.

  3. In the General payload, enter a Name and Description and configure your assignment and deployment options.
    • Deployment - Managed
    • Assignment Type - Auto
    • Allow Removal - Select the best option for your environment.
    • Managed By - Select the organization group that you selected when you created the Smart Group in step 3.
  4. Under Smart Groups, select the smart group you made in step 3. In this workflow example, that smart group name is Devices in Customer OG but you must select the smart group you created.
  5. (edit an existing profile start) In the left side panel of the profile to which you want to add a VPN payload, select VPN then select the Configure button. Apply the following settings.

    | Option Label | Setting |
    |---|---|
    | Connection Name | Lookout for Work |
    | Connection Type | Custom |
    | Identifier | com.lookout.work |
    | Server | vpn.mdm.safebrowsing.lookout.com |
    | Account | {EmailUserName} |
    | Disconnect on idle (sec) | leave blank |
    | Per-App VPN Rules | leave blank (check box unchecked) |
    | User Authentication | Certificate |
    | Identity Certificate | None |
    | Enable VPN On Demand | Enabled (check box checked) |
    | Use new on-demand keys | Enabled (check box checked) |
    | Action | Connect |
    | Interface Match | Any |
    | URL Probe | leave blank |
    | SSID Match | leave blank |
    | DNS Domain Match | leave blank |
    | Proxy | leave blank |
  6. If you are deploying this VPN profile to supervised iOS devices and you have created a device profile payload that pregrants the Notifications permission, then under Custom Data, select the +Add link and enter the following key and value.

    | Option Label | Setting |
    |---|---|
    | Custom Data | Key: NOTIFICATIONS_PREGRANTED, Value: True |