You can use Workspace ONE UEM to deploy the Lookout for Work app for Android and iOS.
IMPORTANT: You must manage Android 10 devices under Android Enterprise to activate Lookout for Work. Only Lookout for Work version 6.1.0 and later supports Android 10.
Lookout for Work Functionality on Android Enterprise
Issue Type | Work Managed Device | Work Profile |
---|---|---|
Network Issues | Full visibility into network issues | Full visibility into network issues |
Device Issues | Full visibility into device level issues | Full visibility into device level issues |
App Issues (Mobile Threat Defense Comprehensive) | Full visibility into app issues | Reports app issues for work profile apps only. |
Web Content Issues (Phishing and Content Protection Add-on) | Full protection around phishing and content issues. | Protects against phishing and content issues for network traffic inside the work profile only. |
You can distribute the Android Enterprise (managed) version of Lookout for Work using the Google Play store. Take the following steps to add the URL of the Google Play store listing for Lookout for Work to Workspace ONE UEM. Device end users then download and install the app directly from the Google Play Store.
Lookout for Work
Select Next and the Add Application screen displays the search results.Lookout for Work
entry. This is how it appears in the App Catalog of Workspace ONE UEM. Select Approve to continue. The Lookout for Work app modal screen displays, showing which device resources and data the app has access to. Select Approve again to proceed. The Approval Settings display.Lookout for Work Android
. Under Assignment Groups, select the smart group you created for MTD. In this workflow example, that smart group name is Devices in Customer OG
but you must select the smart group you created. For App Delivery Method, select Auto.Select the ADD link at the bottom of the screen to include a custom configuration when the app is deployed. You must create four Configuration Keys with a Value Type and give them each a custom Configuration Value per the following.
Take care when entering these values, they are case sensitive. In particular, ‘name’ in “MDM name” and ‘value’ in “HSM Key value”
Configuration Key | Configuration Value |
---|---|
MDM name |
AIRWATCH |
MDM Device ID |
{DeviceUuId} |
MDM Connection ID |
leave this key value blank |
Android ID |
leave this key value blank |
Identification |
leave this key value blank |
Global Enrollment Code |
See explanation ![]() |
Email |
{EmailAddress} this key value is optional |
Dual Enrollment |
false |
Device Unique Identifier |
{DeviceUuId} |
HSM Key Value |
Disable |
Once all the keys and values have been added, select Create. The Preview Assigned Devices screen displays.
The Configuration Value for this Configuration Key is found in the Mobile Threat Defense Console by navigating to System > Account and locating the Global Enrollment Code at the bottom of the screen. NOTE: If you are integrating multiple Mobile Threat Defence tenants (such as for staging and production environments), each tenant uses a different code and requires a unique app config profile.
View a video walkthrough of adding the Lookout for Work app to your Android Enterprise UEM environment.
You can distribute the Android legacy (unmanaged) version of Lookout for Work using the Google Play store. Take the following steps to add the URL of the Google Play store listing for Lookout for Work to Workspace ONE UEM. Device end users then download and install the app directly from the Google Play Store.
https://play.google.com/store/apps/details?id=com.lookout.enterprise
Select Next and the Add Application screen displays.Lookout for Work for Android
. This is how it appears in the App Catalog of Workspace ONE UEM. Select Save & Assign to continue. The Assignment screen displays.Lookout for Work Assignment
. Under Assignment Groups, select the smart group you created for MTD. In this workflow example, that smart group name is Devices in Customer OG
but you must select the smart group you created. For App Delivery Method, select Auto.Select the ADD link at the bottom of the screen to include a custom configuration when the app is deployed. You must create four Configuration Keys with a Value Type and give them each a custom Configuration Value per the following.
Take care when entering these values, they are case sensitive. In particular, ‘name’ in “MDM name” and ‘value’ in “HSM Key value”
Configuration Key | Value Type | Configuration Value |
---|---|---|
MDM name |
String | AIRWATCH |
MDM Device ID |
String | {DeviceUuId} |
Global Enrollment Code |
String | See explanation ![]() |
Email |
String | {EmailAddress} this key value is optional |
Dual Enrollment |
Boolean | false |
Device Unique Identifier |
String | {DeviceUuId} |
HSM Key Value |
Boolean | Disable |
Once all the keys and values have been added, select Save. The Preview Assigned Devices screen displays.
The Configuration Value for this Configuration Key is found in the Mobile Threat Defense Console by navigating to System > Account and locating the Global Enrollment Code at the bottom of the screen. NOTE: If you are integrating multiple Mobile Threat Defence tenants (such as for staging and production environments), each tenant uses a different code and requires a unique app config profile.
You can pre-grant permissions to your Android Enterprise devices to run the Lookout for Work app without requiring the user to authenticate.
If you want to enable Zero Click activation, take the following steps to deploy a VPN profile from Workspace ONE UEM that opens the Lookout for Work app automatically. The provided App Config and pre-granted permissions enable Lookout for Work to activate without requiring any interaction from the user.
While logged in as an admin in the Workspace ONE UEM Console, select the Add button in the top banner.
Select Profile, the Add Profile screen displays.
<characteristic uuid="l00k0ut1-5cf7-4fc1-a757-742f3df81a1b" type="com.airwatch.android.androidwork.app:com.lookout.enterprise" target="1"><parm name="profile_name" value="VPN Configuration" type="string" /><parm name="action" value="1" type="string" /><parm name="EnableAlwaysOnVPN" value="True" type="boolean" /><parm name="aw_vpn_uuid" value="leek0ut4-ae9e-4caa-94e3-1b5c32655ced" type="string" /><parm name="vpn_connection_set_active" value="True" type="boolean" /></characteristic>
This deploys an always-on VPN that opens Lookout for Work on the device. NOTE: The GUID values above can be used across multiple devices without issue.
Devices in Customer OG
but you must select the smart group you created.While logged in as an admin in the Workspace ONE UEM Console, select the Add button in the top banner, then select Public Application.
The Add Application screen displays.
Under Platform, select “Apple iOS”.
Lookout for Work
and press the enter key.Lookout for Work Assignment
.Lookout for Work
.Select the ADD link at the bottom of the screen to include a custom configuration when the app is deployed. You must create four Configuration Keys with a Value Type and give them each a custom Configuration Value per the following table.
Keys and values are case sensitive.
Configuration Key | Value Type | Configuration Value |
---|---|---|
DEVICE_UDID |
String | {DeviceUId} |
MDM |
String | AIRWATCH |
EMAIL |
String | {EmailAddress} this key value is optional |
GLOBAL_ENROLLMENT_CODE |
String | See explanation ![]() |
DeviceUniqueIdentifier |
String | {DeviceUuId} |
The Configuration Value for this Configuration Key is found in the Mobile Threat Defense Console by navigating to System > Account and locating the Global Enrollment Code at the bottom of the screen. NOTE: If you are integrating multiple Mobile Threat Defence tenants (such as for staging and production environments), each tenant uses a different code and requires a unique app config profile.
Once all the keys and values have been added, select Save. The Preview Assigned Devices screen displays.
View a video walkthrough of adding the Lookout for Work iOS app to your UEM environment.
Lookout for Work for iOS 5.5 and later features a forced activation option. With the forced activation setting enabled, an MDM administrator pushes a VPN profile to managed iOS devices as part of the activation process. The on-device VPN blocks traffic when a device attempts to connect to a site via HTTP (HTTPS traffic is permitted), until the device user opens Lookout for Work.
NOTE: In some cases, users might have cached sites on their device that default to HTTPS access even when entering the site’s HTTP address in the search or navigation bar. The VPN does not block this traffic.
Supervised devices receive a notification alerting them to the activation requirement. All devices are directed to the following URL when traffic is blocked. https://activate.lookout.com/activate.html
Once the user activates Lookout for Work for iOS, users see the following notification confirming that internet access has been restored.
When you configure a virtual private network (VPN), you must create a new profile (start at step 1) or edit an existing profile (start at step 5).
(new profile start) While logged in as an administrator in the Workspace ONE UEM Console, select the Add button in the top banner, then select Profile.
The Add Profile screen displays.
Select Apple iOS followed by Device.
Devices in Customer OG
but you must select the smart group you created.(edit an existing profile start) In the left side panel of the profile to which you want to add a VPN payload, select VPN then select the Configure button. Apply the following settings.
Option Label | Setting |
---|---|
Connection Name | Lookout for Work |
Connection Type | Custom |
Identifier | com.lookout.work |
Server | vpn.mdm.safebrowsing.lookout.com |
Account | {EmailUserName |
Disconnect on idle (sec) | leave blank |
Per-App VPN Rules | leave blank (check box unchecked) |
User Authentication | Certificate |
Identity Certificate | None |
Enable VPN On Demand | Enabled (check box checked) |
Use new on-demand keys | Enabled (check box checked) |
Action | Connect |
Interface Match | Any |
URL Probe | leave blank |
SSID Match | leave blank |
DNS Domain Match | leave blank |
Proxy | leave blank |
If you are deploying this VPN profile to supervised iOS devices and you have created a device profile payload that pregrants the Notifications permission, then under Custom Data, select the +Add link and enter the following key and value.
Option Label | Setting |
---|---|
Custom Data | Key: NOTIFICATIONS_PREGRANTED Value: True |