Managing Device Security

Question 1

On a Mac, which type of account is required to perform software upgrades?

A. Local administrator
B. Network
C. Shared
D. Standard

Answer 1

A. Local administrator

A local administrator account is required to perform a software upgrade on a Mac.

Question 2

Why would you defer software updates on Apple devices?

A. To roll back an update if it’s unsuccessful
B. To test critical apps and infrastructure before deploying the update
C. To verify that your organization’s iPhone and iPad devices are managed

Answer 2

B. To test critical apps and infrastructure before deploying the update

Testing apps and infrastructure before deployment is critical.

Question 3

What is the maximum number of days that you can defer software updates on Apple devices?

A. 30
B. 60
C. 90
D. 99

Answer 3

C. 90

You can defer software updates up to 90 days.

Question 4

Which payload manages the ability to schedule a scan of a managed Apple device?

A. Content Filter
B. Restrictions
C. Security & Privacy
D. Software Update

Answer 4

D. Software Update

Use the Software Update payload to manage the installation of macOS beta releases and automatic installation of macOS updates or app updates from the App Store.

Question 5

How are security fixes distributed to Apple devices in a Rapid Security Response?

A. In minor software updates
B. In major software upgrades
C. In both major upgrades and minor updates

Answer 5

A. In minor software updates

Rapid Security Responses distribute security fixes in minor software updates.

Question 6

Which payload do you use to configure specific rules when users create a password or passcode on their enrolled device?

A. Passcode
B. Password
C. Restrictions
D. Security & Privacy

Answer 6

A. Passcode

You choose the Passcode payload to configure specific rules for the creation of passwords or passcodes on enrolled devices.

Question 7

What is the purpose of configuring a Passcode payload?

A. It helps retrieve a user’s passcode if the user can’t sign in for some reason.
B. It requires that users set passcodes for all apps that they use on their devices.
C. It enables your organization to change a user’s passcode remotely if a device is lost or stolen.
D. It enforces passcode rules that help prevent unauthorized access to your organization’s devices and data.

Answer 7

D. It enforces passcode rules that help prevent unauthorized access to your organization’s devices and data.

You configure a Passcode payload with specific rules that users must follow when creating a device passcode or password.

Question 8

The Passcode payload configures passcode rules for iPhone and iPad devices, whereas the Password payload configures password rules for Mac computers.

A. True
B. False

Answer 8

B. False

The Passcode payload configures passcode rules for iPhone and iPad, as well as password rules for Mac.

Question 9

What must a user do when you install the Passcode payload on the user’s iPhone?

A. The user must enter a passcode using the specified settings within 60 minutes.
B. The user must accept the payload to permit the specified settings to take effect.
C. The user must restart the device to install the payload, then enter a new passcode.

Answer 9

A. The user must enter a passcode using the specified settings within 60 minutes.

If the user doesn’t do so within that time frame, the payload forces the user to enter a passcode using the specified settings.

Question 10

How can you tell if a restriction applies only to a supervised device?

A. The restriction description contains “(supervised only).”
B. The restriction displays only if a device is supervised.
C. The restriction is dimmed on unsupervised devices.
D. The restriction appears in the group named Supervised Restrictions.

Answer 10

A. The restriction description contains “(supervised only).”

MDM solutions indicate when a restriction applies only to supervised devices.

Question 11

What is the purpose of configuring a Restrictions payload for Apple devices?

A. Restrictions prevent users from unenrolling a device from MDM.
B. Restrictions prevent unauthorized users from accessing a device.
C. Restrictions prevent users from accessing a specific app, service, or function of a device.

Answer 11

C. Restrictions prevent users from accessing a specific app, service, or function of a device.

You configure a Restrictions payload to prevent access to a specific app, service, or function on a device.

Question 12

What happens if you select “(supervised only)” restriction settings for an unsupervised device?

A. The “(supervised only)” settings don’t take effect unless you have previously supervised the device.
B. The “(supervised only)” settings override any configuration that the user sets on the unsupervised device.
C. The “(supervised only)” settings require you to turn on device supervision before you can save the payload.

Answer 12

A. The “(supervised only)” settings don’t take effect unless you have previously supervised the device.

You can select “(supervised only)” settings for unsupervised devices, but the settings don’t take effect unless the device is supervised.

Question 13

Which MDM restriction lets you manage a user’s ability to connect Thunderbolt or USB devices to a Mac?

A. Allow connected accessories while locked
B. Automatically enable accessory connections
C. Allow Thunderbolt or USB device connections

Answer 13

C. Allow Thunderbolt or USB device connections

The MDM restriction “Allow Thunderbolt or USB device connections” lets you manage a user’s ability to connect Thunderbolt or USB devices to a Mac by disabling the “Allow accessories to connect” setting in System Settings > Privacy & Security.

Question 14

What happens when you select the “Allow connected accessories while locked” restriction and an iPhone or iPad device is connected to a computer with a compatible Ethernet adapter?

A. The device maintains a data connection to a connected network only when a user unlocks it.
B. The device maintains a data connection to a connected network before a user unlocks it.
C. The device automatically unlocks after an hour so that you can refresh it using MDM.

Answer 14

B. The device maintains a data connection to a connected network before a user unlocks it.

When you select the “Allow connected accessories while locked” restriction and an iPhone or iPad device is connected to a computer with a compatible Ethernet adapter, the device maintains a data connection even before a user unlocks it.

Question 15

What’s required before you can restrict accessory connections on iPhone or iPad?

A. Device supervision
B. A Managed Apple ID
C. An unsupervised Apple device

Answer 15

A. Device supervision

Configurations to restrict accessory connections require that your iPhone and iPad devices be supervised.

Question 16

How do you ensure that only trusted host computers can pair with your organization’s iPhone and iPad devices?

A. Allow pairing with only Mac computers.
B. Distribute the correct digital certificate to users’ groups and devices.
C. Distribute the correct supervision identities to users’ devices.

Answer 16

C. Distribute the correct supervision identities to users’ devices.

When you deselect the “Pair with non-Apple Configurator hosts” restriction — and distribute the correct supervision identities to users’ devices — you ensure that only trusted computers holding a valid supervision host certificate are allowed to access iPhone or iPad over Thunderbolt or USB.

Question 17

Which of the following can you use to distribute a certificate identity to a device in a configuration profile?

A. A .p12 file
B. A PKI token
C. An MD5 hash file

Answer 17

A. A .p12 file

You can put a certificate identity into a PKCS #12 file protected with a password, and push the file to the device in a configuration profile.

Question 18

When you compose a Mail message on a managed Apple device, what happens when Mail finds the certificate for a recipient email?

A. The user is asked to choose a certificate to sign the message.
B. A “Sign this message” option appears left of the “To:” field.
C. A padlock icon appears to the right of the recipient’s contact name, and the address text is blue.

Answer 18

C. A padlock icon appears to the right of the recipient’s contact name, and the address text is blue.

Mail consults the GAL to discover the recipient’s S/MIME certificate. When Mail finds the certificate for your recipient, a padlock icon appears to the right of the recipient’s contact name, and the address text is blue.

Question 19

What do managed Apple devices require to send signed messages in Mail using S/MIME?

A. Your email address must be in the recipient’s GAL.
B. You must have your identity’s private key in your keychain.
C. Recipients must have your identity’s private key in their keychains.

Answer 19

B. You must have your identity’s private key in your keychain.

Private keys are important for signing messages in Mail. To send signed messages in Mail using S/MIME on a managed Apple device, you must have your identity’s private key in your keychain.

Question 20

What do managed Apple devices require to send encrypted messages in Mail using S/MIME?

A. The public key from the recipient’s certificate
B. An encryption extension in the recipient’s certificate
C. A restriction payload with the “Allow sending encrypted messages using S/MIME” setting selected

Answer 20

A. The public key from the recipient’s certificate

Public keys are important for encrypting messages in Mail. To send encrypted messages in Mail using S/MIME on a managed Apple device, you must have the public key from the recipient’s certificate in your keychain.

Question 21

What happens when you use Safari on iPhone or iPad to visit a site with a revoked certificate?

A. You are asked to delete the certificate.
B. You are directed to the CA’s website to update the certificate.
C. “This Connection Is Not Private” appears instead of the contents of the site.

Answer 21

C. “This Connection Is Not Private” appears instead of the contents of the site.

When you use Safari on iPhone or iPad to visit a site with a revoked certificate, “This Connection Is Not Private” appears instead of the contents of the site.

Question 22

Which type of query can you use to list all installed apps on a device?

A. Security
B. Installed app
C. Device information
D. Operating system

Answer 22

C. Device information

Device information queries return a device’s information about apps installed, battery level, and device name.

Question 23

Which type of query can you use to find information about Find My and FileVault settings?

A. Security
B. Installed app
C. Device information
D. Operating system

Answer 23

A. Security

Security queries return a device’s information about whether it has the following enabled: Activation Lock, Find My, FileVault, Firmware password (for Intel-based Mac computers), and more.

Question 24

Which type of query can you use to list all devices that need to be updated to new system software?

A. Security
B. Installed app
C. Device information
D. Operating system

Answer 24

D. Operating system

Operating system queries return a device’s information about the product version and whether specific update options are enabled.