This week at Ignite, Microsofts Brad Anderson showed the new integration of Mobile Endpoint Security (MES) with Microsoft Intune for App Protection Policy (APP). There are already several Mobile Threat Defense partners, like Lookout, who had an integration with Intune, but the signals from those providers where used for the Mobile Device Management compliancy checks. Now this is expanded to App protection, which is a Mobile Application Management solution.
Mobile Endpoint Security is a solution for mobile devices with iOS or Android as operating system. It provides comprehensive mobile security, to secure the devices against app, network and system security based threats.
Before the integration of these MES solutions with Intune App Protection, it was only available on the Mobile Device Management level. This means companies could only enforce MES solutions on managed devices, which are usually corporate owned devices. On personal (BYOD) devices there was no solution to enforce the installation of a MES solution, or the user needed to enroll the personal device in a MDM solution, like Intune. With this new integration between Microsoft Intune and the Mobile Endpoint Security providers, this has changed.
At the moment of writing only Lookout provides the new solution on both iOS and Android. So let`s have a look at how this needs to be configured in Intune. We also have a look at how this looks at a personal (Android) devices.
In this article I assume the connection between Microsoft Intune and Lookout for Work is already in-place and will therefor not show how that setup is done.
Mobile Threat Defense Connector
We first enable the integration between Microsoft Intune and Lookout for Work for Application Protection Policy. This can be done by using the Microsoft Endpoint Manager console (Intune portal).
- Sign-in to the Device Management Portal
- Browse to Tenant administration – Connectors and Tokens
- Browse to Mobile Threat Defense (MTD)
- Click the MTD connector (Lookout for Work) to edit the connector settings
- Under App Protection Policy settings set both switches to On
- Click Save
By enabling MTD for Application Protection Policy, on the background a classic Conditional Access policy is created, named [Lookout MTP] Device Policy. The policy should not be edited, as stated by the documentation.
Create an Application Protection Policy
To enforce the use of Lookout for Work on a personal device we need to create an Application Protection policy. In this example I create a new policy for unmanaged devices, by setting devices types to unmanaged. But you can also edit an existing policy or apply it to all or only managed devices.
In this policy we set what will happen when the minimum threat level is exceeded; Block Access or Remove corporate data.
- Still in the Device Management Portal
- Browse to Apps – App protection policies
- Click Create policy
- Choose Android or iOS/ iPadOS
- Give the policy a Name
- Enter a Description (optional)
- Click Next
- Set Target to apps on all device types to No
- Choose Unmanaged as Device type
- In the Apps section choose the apps to which the policy should apply
- Click Next
- Choose your preferred settings on the Data protection tab
- Click Next
- Choose your preferred settings on the Access requireents tab
- Click Next
On the Conditional Launch tab under Device conditions we add Max allowed device threat level as setting, to enforce Lookout for Work on the targeted devices. Under value we set the maximum allowed threat level. Under action we choose what happens when the threat level is above the maximum level; Block access or Wipe data.
- Add Max allowed threat level as Setting
- Choose the preferred threat level under Value
- Choose the Action
- Click Next
- Select a security group of choice to assign the policy to
- click Next
- Click Create
The setup part is finished, let`s move over to our personal, unmanaged mobile device.
End-user experience: Setup Outlook
I show the end-user experience on an un-managed Android devices. I already authenticated with username and password, the account is added to Outlook.
As the App protection Policy comes in directly, we are enforced to install the Company Portal app. The Company Portal app is needed to apply the APP policy on Android devices.
Click Go to store, to open the App store. Download and install the Company Portal app.
There is no need to sign-in to the Company Portal app, as that will enroll your device in Intune (for MDM).
After the Company Portal app is downloaded, we are enforced to register the device (at Azure AD).
When registration is finished and we switch back to Outlook, we see an new pop-up screen. The screen shows us the next step we need to take before we can access the mailbox, set up the Lookout for Work app.
The App store is opened, click Install to install Lookout for Work.
When we switch back to Outlook without setting up the Lookout for Work app, below screen is shown. Click Launch, to setup Lookout for Work.
When Lookout for Work is setup, click Recheck.
The status is rechecked, Confirming app status…..
Everything is set, access to the mailbox is allowed.
End-user experience: threat is detected
To see how this all works when a threat is detected, you can search the Google Play store for an Antivirus Test app. I used Zoner AntiVirus Test.
As soon as the antivirus test app is installed, Lookout shows a message Lookout Virus Alert. ” Zoner AntiVirus Test” is a virus. The threat level of the device is raised.
As the threat level exceeds the maximum set threat level, access is blocked.
After removing the threat, click Recheck, to gain access again to the mailbox.
Or, depending on the action which is set in the App Protection Policy, the Organizational data is removed.
At the moment of writing I only tested the setup with an Android device. The testing behavior differed several times. Access to the mailbox was blocked sometimes almost immediately and the other time took pretty long.
We understood from Lookout, they are aware of this issue and working hard on this issue to resolve this very soon.
On iOS devices this issue should not be present, but I haven`t had the chance yet to test on iOS.