Configuring iOS Support
In order to provide the best security possible, Lookout distributes its Lookout for Work iOS app outside of the iOS App Store. Before distributing apps that aren’t in the App Store for employees of your enterprise, you need to re-sign them with your iOS Enterprise Developer Certificate.
- iOS Enterprise Developer Program membership
- Mac running OS X 10.9 or newer
- You may need admin access on the Mac in order to run applications downloaded from the internet
- You will need to install the Xcode Command Line Tools from: https://developer.apple.com/downloads/
- You will need to add the "WWDR Certificate (Expiring 02/07/23)" to your keychain. It can be found at: https://www.apple.com/certificateauthority/
- The private key for the Enterprise Distribution Certificate must be installed on the Mac
Setting up the iOS Enterprise Developer account
Step 1. Log in to your iOS Enterprise Developer account
1.1 Log in to your iOS Enterprise Developer account at https://developer.apple.com/account/#/membership
1.2 You can verify this is an iOS Enterprise Developer account (and not a normal iOS Developer account) by clicking “Membership” and checking the program type “Apple Developer Enterprise Program”.
Step 2. Create a new Application Identifier
In order to distribute a new application, you’ll first need to create a new, unique App ID. Lookout recommends using com.lookout.enterprise.YourCompanyName
2.1 From the Program Resource column on the left click “Certificates, IDs, & Profiles.”
2.2 Then click “App IDs” under identifiers.
2.3 Click the “+” button in the upper right corner.
2.4 For Name put “Lookout for Work”
Under App ID Prefix, if you are allowed to choose a value, select the value with “(Team ID)” written after it.
For App ID Suffix select the “Explicit App ID” radio button
For Bundle ID put “com.lookout.enterprise.YourCompanyName”
Note: YourCompanyName should not contain any punctuation or special characters. For example, “Acme Inc” should become “AcmeInc”. You will need to remember this value later!
2.5 Under App Services check “Push Notifications”. No other boxes need to be checked. It is okay if some options are stuck checked. Then click Continue.
2.6 On the following screen double check that the App ID Description is “Lookout for Work”, the Identifier is TeamID.com.lookout.enterprise.YourCompanyName and Push Notifications are “Configurable”. If you need to fix anything, click “Back” otherwise hit “Register” and then “Done”.
Step 3: Now, navigate to Certificates, and create a VoIP Certificate.
Under Certificates > Production, select the App ID you just created (or your existing one). This requires creating a certificate signing request via Keychain; follow Apple's instructions.
3.1 Select Production section under Certificates and then the “+” icon.
3.2 Select VoIP Services Certificate then the “Continue” button
3.3 From the drop down menu, select the App ID that was previously made in step 2
3.4 Create a CSR file from the Mac Keychain Access by going to Certificate Assistant>Request a Certificate from a Certificate Authority...
3.5 Input your email address, select “Saved to disk”, select Continue and save the CSR.
3.6 Go back to your Apple Developer account and choose the CSR created from the Keychain Access and select “Continue”
3.7 Download the certificate file and import it into Keychain Access, in the login keychain.
Step 4. Create a distribution provisioning profile using the same App ID.
4.1 Now that there are VoIP services associated with your app, the profile will include them. Under Provisioning Profiles on the left navigation bar click “Distribution” and then click the “+” in the upper right corner.
4.2 Select “In House” under “Distribution” on the next screen and then click “Continue”
4.3 Select “Lookout for Work (TeamID.com.lookout.enterprise.YourCompanyName)” as the App ID for this in-house provisioning profile. Click Continue.
4.4 Select the newest distribution certificate that you can. You will need to have the private key for this certificate on the Mac you use for re-signing the IPA. Lookout recommends using a certificate that will not expire in the next 6 months.
Note: If there aren’t any certificates, you don’t have the private key available or they all expire soon, go to “Certificates -> Production” to create a new certificate. You may have up to 2 active Enterprise Certificates at any given time, so be careful not to revoke a certificate somebody else is actively using to distribute another app. More instructions are available here.
4.5 Give the Profile a nice name like “Lookout for Work Enterprise Distribution Profile” and click “Generate”
4.6 Click “Download” on the next screen and save this file. The profile will be used with the Lookout IPA Signing Tool.
You will embed this file into the Lookout for Work IPA, which allows it to be installed on all of your employees’ devices.
Step 5 Export the VoIP Push Keys
In order to send VoIP push notifications to apps, Lookout needs the certificate and its identity, which were created on your Mac during the Apple Developer Portal process.
5.1. Open the Keychain app on your Mac, located in the Utilities folder (in Applications)
5.2. Click on Certificates (on the left), search for voip (on the right), and then drag in the voip_services.cer file you downloaded above. Your new certificate should appear.
5.3. Click on the disclosure triangle, select both the certificate and key. Right-click, and select "Export 2..."
Select .p12 format and set a password (optional). You will need to upload the VoIP cert after uploading the re-signed IPA to the Lookout console.
Step 6 Re-Signing the iOS Application (IPA)
6.1 Download the Lookout for Work IPA from the Lookout Mobile Threat Protection Console by going to System -> iOS or by visiting this URL: https://mtp.lookout.com/les/system/ios
6.2 Download the Lookout IPA Signing Tool mac app here:
Unzip and launch Lookout IPA Signing Tool.app. You may have to confirm you want to open an app you downloaded from the internet.
6.3 Sign the LookoutForWork.ipa using your enterprise certificate
6.4 Click the "Choose" button and select the LookoutForWork.ipa file you downloaded in Step 1. Then click Next.
6.5 Click the "Choose" button and select the Lookout_for_Work_Enterprise_Distribution_Profile.mobileprovision you downloaded earlier from the iOS Enterprise Developer portal. Click Next again.
If necessary, change the Bundle ID to com.lookout.enterprise.YourCompanyName (Note: In most cases this will be automatically filled in for you)
Very important: This App ID must be exactly the same as the one you used earlier to create your App ID and Provisioning Profile.
6.6 Last, select a signing certificate. The correct signing certificate for distribution should begin with “iPhone Distribution:” and then your company name. If you have multiple options here that match this, you may have to try a few times until you select the correct one that matches your Provisioning Profile.
If you don’t have a signing certificate to select you have 2 options.
- Track down the Developer Profile of the Mac that generated the previous Enterprise Signing certificate
- Generate a new Enterprise Signing certificate using these instructions here
6.7 If all goes well, you should see a "Save .ipa" button. Click this and it will give you a chance to choose a location to save the signed LookoutForWork-resigned.ipa file to.
6.8 Upload the LookoutForWork-resigned.ipa (or LES-resigned.ipa) to the Lookout Mobile Threat Protection console on the System -> iOS tab. When you upload the IPA, we will validate, among other things, that it has been signed correctly and that the bundle ID has been properly changed. We will also allow you to distribute it directly to devices that aren’t managed by MDM through email.
6.9 Upload the .p12 file with the password you used in step 5.3 to the Lookout iOS Console.
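A local pre-upload check for the re-signed IPA, as an added example (this is not Lookout's tool or its console validation): it confirms that the bundle ID, the App ID in the embedded provisioning profile, the In House flag and the 6-month expiry margin from steps 2, 4 and 6.5 agree. The function names, the team ID TEAMID0000 and the sample archive are constructed for illustration.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timedelta

def profile_plist(blob):
    # A .mobileprovision is CMS-signed XML; slicing it out does NOT verify the signature.
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_ipa(ipa, expected_bundle_id, now: datetime, min_days=180):
    """Return a list of problems in a re-signed IPA; an empty list means consistent."""
    with zipfile.ZipFile(ipa) as z:
        info_path = next((n for n in z.namelist() if n.startswith("Payload/")
                          and n.endswith(".app/Info.plist") and n.count("/") == 2), None)
        if info_path is None:
            return ["no Payload/<name>.app/Info.plist in archive"]
        prof_path = info_path[:-len("Info.plist")] + "embedded.mobileprovision"
        if prof_path not in z.namelist():
            return ["embedded.mobileprovision is missing"]
        info = plistlib.loads(z.read(info_path))
        prof = profile_plist(z.read(prof_path))
    problems = []
    bundle_id = info.get("CFBundleIdentifier")
    if bundle_id != expected_bundle_id:
        problems.append(f"bundle ID is {bundle_id}, expected {expected_bundle_id}")
    team = (prof.get("TeamIdentifier") or ["?"])[0]
    app_id = prof.get("Entitlements", {}).get("application-identifier")
    if app_id != f"{team}.{bundle_id}":
        problems.append(f"profile App ID {app_id} does not match {team}.{bundle_id}")
    if not prof.get("ProvisionsAllDevices"):
        problems.append("profile is not an In House profile")
    if prof["ExpirationDate"] - now < timedelta(days=min_days):
        problems.append(f"profile expires within {min_days} days")
    return problems

def sample_ipa(bundle_id, profile_app_id, expires):
    # Constructed sample: placeholder team ID and fake CMS bytes around the plist.
    prof = {"TeamIdentifier": ["TEAMID0000"], "ProvisionsAllDevices": True,
            "ExpirationDate": expires,
            "Entitlements": {"application-identifier": profile_app_id}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Lookout.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/Lookout.app/embedded.mobileprovision",
                   b"\x30\x80" + plistlib.dumps(prof) + b"\x00\x00")
    return buf
```

Pass `check_ipa` the path to the saved .ipa and a naive UTC `datetime` for `now`. It checks consistency only; the code signature itself is verified with `codesign --verify` on the unpacked .app on the Mac.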
Distribute the Re-Signed Lookout for Work IPA
You can now distribute this IPA to your employees using any Enterprise App Store, any MDM capable of pushing In House iOS Applications or directly through the invitation process on the MTP Console.
You can also test installing this on a device by dragging it into iTunes or Xcode while you have an iOS device plugged into the Mac.
Note: You should not distribute this re-signed IPA to anyone who isn’t employed by your company or you risk violating Apple’s Enterprise Terms of Service.