MDM Flash

Question 1

Where are MDM configuration profiles located on iPhone/iPad?

Answer 1

Settings > General > VPN & Device Management

Question 2

Where are MDM configuration profiles located on Mac?

Answer 2

System Settings > General > Device Management

Question 3

What file extension do configuration profiles use?

Answer 3

.mobileconfig (XML files)

Question 4

What are the three types of MDM enrollment?

Answer 4

User Enrollment, Device Enrollment, Automated Device Enrollment

Question 5

Which enrollment type provides the most management capabilities?

Answer 5

Automated Device Enrollment (devices are both managed and supervised)

Question 6

What’s the difference between Enrollment Profile and Configuration Profile?

Answer 6

Enrollment Profile: Contains identity certificates to associate device with MDM. Configuration Profile: Contains payloads for settings/restrictions

Question 7

How long can MDM defer software updates on supervised devices?

Answer 7

1-90 days for supervised devices

Question 8

Which Setup Assistant pane CANNOT be skipped on devices in Apple Business Manager?

Answer 8

Remote Management pane

Question 9

What happens when MDM skips a Setup Assistant pane?

Answer 9

Device uses more privacy-preserving default settings

Question 10

Which devices can be set up without user interaction via Ethernet?

Answer 10

Mac and Apple TV

Question 11

What’s required for macOS 13+ Setup Assistant on Apple Business Manager devices?

Answer 11

Internet connection

Question 12

Do Rapid Security Responses follow MDM software update deferrals?

Answer 12

No, they don’t follow deferral rules and can be managed separately

Question 13

What happens when a user unenrolls a personal device from MDM?

Answer 13

All managed apps and their data may be removed (depends on MDM admin settings)

Question 14

Which Apple devices have built-in MDM framework support?

Answer 14

iPhone, iPad, Mac, Apple Watch, Apple Vision Pro, Apple TV

Question 15

What are the two types of configuration profiles?

Answer 15

Device profiles (affect entire device) and User profiles (specific users)

Question 16

What’s the most secure EAP protocol for enterprise Wi-Fi via MDM?

Answer 16

EAP-TLS (uses digital certificates for authentication)

Question 17

What are examples of MDM payload types?

Answer 17

Wi-Fi networks, passcode policies, FileVault settings, printer configurations, software update restrictions

Question 18

What are the three main MDM capabilities?

Answer 18

Update software/device settings, monitor compliance with policies, remotely wipe or lock devices

Question 19

Does the presence of a configuration profile always mean MDM management?

Answer 19

No, you must check specifically for an MDM enrollment profile

Question 20

What’s needed to reenroll a device that was unenrolled from MDM?

Answer 20

IT administrator assistance is typically required

Question 21

What are available EAP protocols for enterprise Wi-Fi in MDM?

Answer 21

EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-FAST, EAP-MSCHAPv2

Question 22

What can MDM control regarding automatic updates?

Answer 22

Download control (user choice/off/on) and Installation control (user choice/off/on)

Question 23

What’s the recommended cadence options for iOS/iPadOS updates via MDM?

Answer 23

iOS 17 only, iOS 18 only, or user choice

Question 24

What can MDM enforce regarding software updates?

Answer 24

Set deadline for required updates regardless of configured deferrals

Question 25

What happens when you remove a configuration profile?

Answer 25

Removes all associated settings, apps, and data

Question 26

What's supervision in MDM context?

Answer 26

Organization-owned devices with enhanced management control beyond standard managed devices

Question 27

What can Apple Configurator do for MDM?

Answer 27

Back up and restore multiple devices, deploy apps/settings/configurations, create blueprints for deployment

Question 28

What's a blueprint in Apple Configurator?

Answer 28

Combination of settings, apps, profiles, and identity information for device deployment

Question 29

Can Apple Configurator restore backups between different device types?

Answer 29

No, supervised device backups can only be restored to other supervised devices

Question 30

What administrative roles can work with Managed Apple Accounts?

Answer 30

Administrator, Site Manager, People Manager, Device Enrollment Manager, Content Manager, Instructor, Staff, Student

Question 31

What happens to organizational data encryption keys when a personal device unenrolls from MDM?

Answer 31

Separate encryption keys are destroyed during MDM unenrollment, ensuring organizational data becomes inaccessible. This cryptographic separation protects against data leakage after unenrollment.

Question 32

What are the key management differences between User Enrollment and Automated Device Enrollment?

Answer 32

User Enrollment: Limited to work apps/data, user retains control. Automated Device Enrollment: Full device control, supervised status, can skip Setup Assistant screens, comprehensive restrictions.

Question 33

If MDM sets a 60-day software update deferral but then enforces an update with a deadline, which takes precedence?

Answer 33

The enforcement deadline overrides deferrals. MDM can set deadlines for required updates regardless of configured deferrals, allowing urgent security patches while maintaining normal update management.

Question 34

What operational challenge does certificate expiration create in EAP-TLS Wi-Fi deployments via MDM?

Answer 34

Expired certificates break Wi-Fi authentication. Organizations must track expiration dates, coordinate certificate renewal, and update MDM payloads to maintain network access.

Question 35

Can supervision status be transferred between devices using Apple Configurator backups?

Answer 35

No, supervision status cannot be transferred via backups. Supervision is determined by enrollment method (Automated Device Enrollment) and Apple Business Manager registration, not backup data.

Question 36

Why does skipping Setup Assistant panes result in privacy-preserving defaults rather than leaving settings unconfigured?

Answer 36

Apple's security-by-default design ensures that when organizations skip user choice screens, the system automatically selects the most privacy-protective option to prevent security gaps.

Question 37

Why don't Rapid Security Responses follow normal MDM deferral rules?

Answer 37

RSRs address critical security vulnerabilities requiring immediate patching. They bypass deferrals to ensure critical security patches deploy rapidly regardless of normal update policies.

Question 38

What's the functional relationship between Enrollment Profiles and Configuration Profiles?

Answer 38

Enrollment Profiles establish the trust relationship (certificates, MDM server association). Configuration Profiles use that trust to deploy settings. Enrollment Profile authenticates the device to receive Configuration Profiles.

Question 39

Why do iPhone/iPad have single software deferral settings while Mac has separate controls?

Answer 39

iOS/iPadOS has simpler update categories. macOS has complex update types (OS updates, upgrades, Safari, XProtect, system files) requiring granular control for enterprise environments.

Question 40

What are the advantages of using blueprints in Apple Configurator versus individual profile deployment?

Answer 40

Blueprints ensure consistent deployments, reduce configuration errors, provide standardized security policies, and enable faster deployment. Individual profiles offer more device-specific customization flexibility.

Question 41

Why can only Mac and Apple TV achieve zero-touch deployment via Ethernet?

Answer 41

Mac and Apple TV support pre-boot network capabilities and can download/apply configurations without user interaction. iPhone/iPad require user interaction for initial network setup and trust establishment.

Question 42

Why is EAP-TLS considered the most secure EAP method for enterprise Wi-Fi?

Answer 42

EAP-TLS uses mutual certificate authentication (both client and server verify identity) and is immune to password attacks. Other methods like PEAP and TTLS rely on passwords which can be compromised.

Question 43

Why might a configuration profile be present on a device that isn't actively MDM managed?

Answer 43

Configuration profiles can be manually installed, remain after unenrollment, or be inactive. Active MDM requires an MDM enrollment profile with valid certificates and active server communication.

Question 44

What security benefit do different administrative roles provide in Apple Business Manager?

Answer 44

Role separation (Administrator, Site Manager, People Manager, etc.) implements least privilege access. Each role has specific permissions, preventing single points of failure and reducing security risks.

Question 45

What's the difference between device-level and user-level configuration profiles?

Answer 45

Device profiles affect all users and persist through user changes, ensuring consistent policies. User profiles are user-specific and may not apply when different users access the device.

Question 46

What protects organizational data when personal devices unenroll from MDM?

Answer 46

Managed apps and data use separate encryption keys that are destroyed during unenrollment. This ensures organizational data becomes permanently inaccessible after unenrollment.

Question 47

Why does Apple require internet connectivity for Setup Assistant on Apple Business Manager devices with macOS 13+?

Answer 47

Internet connectivity enables device identity verification with Apple servers, certificate validation, and secure enrollment profile download to prevent unauthorized device enrollment.

Question 48

How does MDM compliance monitoring differ from configuration deployment?

Answer 48

Compliance monitoring requires two-way communication - not just pushing settings but actively checking device state, comparing against policies, and reporting violations in real-time.

Question 49

What additional capabilities does device supervision provide beyond standard MDM management?

Answer 49

Supervision enables Setup Assistant control, enhanced restrictions, and deeper system access through Apple's supervision framework. These require special privileges only granted to supervised devices.

Question 50

What advantage does having built-in MDM frameworks across all Apple devices provide?

Answer 50

Universal MDM frameworks enable consistent management policies across device types, simplified administration tools, and unified security models, reducing complexity while improving security.