Sample questions

Question 1

Who retains the license of a managed app in Apple Business Manager or Apple School Manager when the
app is revoked?
A. The device user
B. The organization
C. The Managed Apple ID user
D. The personal Apple ID owner

Answer 1

B. The organization

Question 2

Which security MDM query can you use to check whether the startup volume is protected on a Mac?
A. Find My enabled
B. Passcode present
C. Secure boot status
D. Hardware encryption type

Answer 2

C. Secure boot status

Question 3

Content caching is configured with a 300GB cache size on a managed Mac mini to support Shared iPad
users. Users tell you that large files stored in iCloud take longer to download than before.
How can you speed up downloads of iCloud user data?
A. Increase the cache size.
B. Use the MDM command PurgeCache to empty the cache.
C. Do nothing. Content caching doesn’t store iCloud user data.
D. Delete the /Library/Application Support/Apple/AssetCache folder.

Answer 3

A. Increase the cache size.

Question 4

Which security MDM query should you use to check whether Mac computers have access to websites
while preventing unauthorized access to user files?
A. Firewall settings
B. Find My enabled
C. Passcode present
D. Hardware encryption type

Answer 4

A. Firewall settings

Question 5

The BetterBag Information Security team wants to prevent users from manually installing configuration
profiles in System Settings on their device-enrolled Mac computers.
What is required on the managed Mac computers to implement this strategy?
A. They must be supervised.
B. They must be using macOS 13 or later.
C. They must be assigned in Apple Business Manager.
D. They must be enrolled with Automated Device Enrollment.

Answer 5

B. They must be using macOS 13 or later.

Question 6

BetterBag IT wants to verify that Mac users can’t start up from any volume other than the designated
startup volume.
Which security MDM query can you use?
A. Find My enabled
B. Passcode present
C. Firmware password status
D. Hardware encryption type

Answer 6

C. Firmware password status

Question 7

A BetterBag custom app quits unexpectedly. The app developer asks you for the log report.
How do you locate and send the correct log?
A. Open Activity Monitor, click View, and select Run System Diagnostics.
B. In Terminal, type tail -f /Applications/BetterBag.app/Contents/MacOS/BetterBag.
C. Open Console, click Log Reports from the sidebar, search for BetterBag, select the log, and click the
Share button.
D. Open Console, click Diagnostic Reports from the sidebar, search for BetterBag, select the log, and press
the Share button.

Answer 7

C. Open Console, click Log Reports from the sidebar, search for BetterBag, select the log, and click the
Share button.

Question 8

Which two certificate components can you use to securely identify a client or server and encrypt the
communication between them?
A. Public key and private key
B. Trust key and trust certificate
C. Intermediate certificate and trust key
D. Trust certificate and intermediate certificate

Answer 8

A. Public key and private key

Question 9

Leticia needs to verify that a group of new employees have set up their managed iPad devices to prevent
unauthorized users from accessing their orientation files.
Which security MDM query can she use?
A. Passcode present
B. Secure boot status
C. Firmware password status
D. Can Activation Lock be managed

Answer 9

A. Passcode present

Question 10

BetterBag requires that FileVault encryption protects all managed Mac computers.
What must BetterBag’s MDM solution escrow to grant a secure token to mobile accounts?
A. A content token
B. A bootstrap token
C. A personal recovery key
D. An institutional recovery key

Answer 10

B. A bootstrap token

Question 11

BetterBag’s security team wants to recover managed iPhone devices that were stolen.
Which MDM setting do you enable to locate a stolen iPhone?
A. Apple Maps
B. Find My
C. Location Services
D. Managed Lost Mode

Answer 11

D. Managed Lost Mode

Question 12

BetterBag uses Automated Device Enrollment for all of its managed Apple devices. You must remove all
data from a previous user’s Mac before you can deploy it to the next user.
Which MDM command can you use to reprovision devices?
A. Uninstall Managed Apps
B. Erase Provisioning Profile
C. Install Provisioning Profile
D. Erase All Content and Settings

Answer 12

D. Erase All Content and Settings

Question 13

The BetterBag accounting department wants to ensure that the financial data contained on its iPad devices
is secure.
Which security MDM query can you use to confirm that sensitive data is secure?
A. Secure boot status
B. Hardware encryption type
C. Firmware password status
D. Can Activation Lock be managed

Answer 13

B. Hardware encryption type

Question 14

BetterBag wants to verify that customers can’t log in to retail kiosk iPad devices.
Which security MDM query can you use?
A. Secure boot status
B. Firmware password status
C. Can Activation Lock be managed
D. Passcode compliant with profiles

Answer 14

D. Passcode compliant with profiles

Question 15

Which MDM command helps prevent an unauthorized person from accessing data on a lost or stolen
iPhone or iPad?
A. ActivationLockRequest
B. DeviceLock
C. EraseDevice
D. SetAutoAdminPassword

Answer 15

C. EraseDevice

Question 16

The BetterBag security team wants to verify that employees have met requirements to secure their iPad
devices from loss and theft.
Which security MDM query should they use?
A. Find My enabled
B. Secure boot status
C. Firmware password status
D. Can Activation Lock be managed

Answer 16

A. Find My enabled

Question 17

A former employee’s managed iPhone needs to be returned to service. Your MDM solution can’t remove
Activation Lock.
How can you disable organization-linked Activation Lock?
A. Enter the personal Apple ID credentials in iCloud settings at the Activation Lock screen.
B. Enter the Managed Apple ID credentials that created the device enrollment token at the Activation
Lock screen.
C. In Apple Business Manager or Apple School Manager, find the device and send the clear
Activation Lock command.
D. Use your MDM solution to send the clear passcode command to the device. The device-based
Activation Lock will be automatically disabled.

Answer 17

B. Enter the Managed Apple ID credentials that created the device enrollment token at the Activation
Lock screen.

Question 18

BetterBag IT wants to configure its executives’ iPad devices to access the organization Wi-Fi network with
the most secure encryption available. IT needs BetterBag’s Wi-Fi network to also maintain compatibility
with other devices that may not support the latest standard.
Which authentication method is most likely to meet these requirements?
A. WPA2 Personal
B. WPA3 Enterprise
C. Wi-Fi Protected Access
D. Wired Equivalent Privacy

Answer 18

A. WPA2 Personal

Question 19

You manually added donated Mac computers to Apple School Manager and enrolled them in your
MDM solution.
What is the management status of the Mac computers after you’ve manually added and enrolled them in
your MDM solution?
A. They’re supervised, and a user can unenroll them at any time.
B. They’re unsupervised, and a user can unenroll them at any time.
C. A user can release them from device management for up to 30 days.
D. A user can release them from device management for up to 60 days.

Answer 19

C. A user can release them from device management for up to 30 days.

Question 20

Which security MDM query should you use to check whether a Mac computer’s critical file locations
are secured?
A. Find My enabled
B. Passcode present
C. Hardware encryption type
D. System Integrity Protection enabled

Answer 20

D. System Integrity Protection enabled

Question 21

Which Terminal command should you use if you want to write shell scripts and automate certain processes
with Apple Configurator for Mac?
A. automator
B. cfgenrollment
C. cfgutil
D. startosinstall

Answer 21

C. cfgutil

Question 22

Which Setup Assistant screen can you not configure to be skipped on a supervised iPhone that’s enrolled
in Apple Business Manager?
A. Apple ID
B. Language
C. Location Services
D. Terms and Conditions

Answer 22

B. Language

Question 23

A BetterBag user receives a “Cellular Plan is Ready to be Installed” notification in Settings on their
managed iPhone. A cellular plan can’t be installed on their managed iPhone even though the user can
make calls.
What is the most likely reason that a cellular plan can’t be installed?
A. The eSIM was already used.
B. The iPhone can’t reach the Apple Lookup Service.
C. The AllowESIMModification restriction is enabled.
D. The AllowESIMModification restriction is disabled.

Answer 23

D. The AllowESIMModification restriction is disabled.

Question 24

Which MDM command can initiate an iPhone to download an eSIM profile from a carrier’s
(SM-DP+) server?
A. InstallESIM
B. CarrierActivation
C. Provision Cellular Plan
D. Refresh Cellular Plans

Answer 24

D. Refresh Cellular Plans

Question 25

Which setting configures Automatic Proxy Setup in the Global HTTP Proxy MDM payload?
A. Authentication type
B. Password
C. Proxy PAC URL
D. Security type

Answer 25

C. Proxy PAC URL

Question 26

Which role in Apple Business Manager or Apple School Manager has default permissions to add, assign,
unassign, and release devices?
A. Administrator
B. Content Manager
C. Manager
D. Staff

Answer 26

A. Administrator

Question 27

BetterBag requires a maximum passcode age on all iPhone and iPad devices.
What is the maximum passcode age you can set with an MDM solution?
A. 90 days
B. 180 days
C. 365 days
D. 730 days

Answer 27

D. 730 days

Question 28

What is the maximum number of days an MDM solution can retrieve the Activation Lock bypass codes from
newly supervised iPad devices?
A. 7 days
B. 15 days
C. 21 days
D. 90 days

Answer 28

B. 15 days

Question 29

Which declaration type is used to convey overall management state to the device and describes details
about the organization and capabilities of the MDM solution?
A. Devices
B. Enrollments
C. Management
D. Security

Answer 29

C. Management

Question 30

Nisha is preparing to deploy a fleet of Mac computers. She wants to ensure that only approved Mac
computers can access content caching.
In which payload should she configure this setting?
A. Content Caching
B. Privacy and Security
C. Restrictions
D. System Settings

Answer 30

C. Restrictions