Apple DEP - 2024 Flashcards
Relays
An array of dictionaries that describes one or more relay servers that can be chained together.
RelayUUID
A globally-unique identifier for this relay configuration. This UUID is used to route Managed Apps through the servers contained in Relays.
Match domains
A list of domain strings used to determine which connection should be routed through the servers contained in Relays. Any connection that matches the domain exactly or that is a subdomain of the listed domain will use the relay servers, unless they match an excluded domain. If no domains are listed, traffic to all domains, except those matching an excluded domain, is routed to the relay servers.
Excluded domains
A list of domain strings that shouldn’t be routed through the servers contained in Relays. Any connection that matches the domain exactly or that is a subdomain of the listed domain will not use the relay server.
APNS
TCP ports 5223, 443, and 2197; IP range 17.0.0.0/8
Declarative Device Management
It uses declarations to asynchronously update the device settings, restrictions, assets, and more. With status channels, devices proactively report the status of objects like passcode compliance and MDM-installed apps — without constant polling from the MDM server.
With declarative device management, the device asynchronously applies settings and reports the status back to the MDM solution without constant polling.
macOS Recovery on a Mac with Apple silicon: available apps
Time Machine System Restore
Install macOS
Safari
Disk Utility
Startup Security Utility
Terminal
Share Disk
Startup Disk
Organization ID - Apple Business Manager
Your Organization ID can be used to associate reseller-purchased devices or custom apps from third-party developers with Apple Business Manager
Federated Authentication - Apple Business Manager
Federated authentication allows your users to sign in to their Managed Apple ID by signing in to their identity provider: Google Workspace, Microsoft Entra ID, or their own identity provider.
MDM Server Assignment - Apple Business Manager
Download the MDM server token from Apple Business Manager and upload it to your MDM solution.
Declarative device management
A device can apply management logic to itself without cues from the server and report important state changes to the server as they happen. The server doesn’t need to cue or poll the device.
Automated Device Enrollment
provides a zero-touch process with the most automated and scalable approach to procure, distribute, enroll, and manage organization-owned devices with MDM. Devices must be in your Apple Business Manager or Apple School Manager portal, and devices your organization purchases directly from Apple or a participating Apple Authorized Reseller or carrier are automatically added. You can add other organization-owned devices to the portal manually. Never add user-owned devices to your Apple Business Manager or Apple School Manager portal.
Device Enrollment
covers organization-owned devices that aren’t eligible for Automated Device Enrollment. Organizations use Device Enrollment to manually enroll devices in their MDM solutions. Examples include donated devices, devices set up by the user that are already in use, and devices bought outside official Apple procurement channels. Anyone with access to your MDM solution’s enrollment portal can enroll or reenroll devices already deployed. Unlike Automated Device Enrollment, a user can remove management from the device after enrollment.
User Enrollment
is for user-owned devices and requires an organization-provided Managed Apple ID. To enroll their devices in MDM, users either use their Managed Apple ID or manually install a user enrollment profile. If a user removes the enrollment profile, the MDM configuration profiles, settings, and managed apps are removed with it.
Apple Configurator on a Mac
to add iPhone, iPad, and Apple TV devices to your Apple Business Manager or Apple School Manager account
Apple Configurator app for iPhone
to add a Mac, iPhone, or iPad
User-owned device
You can’t manage Find My, Activation Lock, or Managed Lost Mode
Account-Based User Enrollment
users sign in to their work or school account on their device using their Managed Apple ID. If the account is federated, the user is redirected to the federated identity provider. Service discovery identifies the MDM solution’s enrollment URL. The MDM solution sends an enrollment profile to the device.
Profile-Based User Enrollment
the organization provides users with a URL or a self-service app and users then take the following steps:
Open the self-service app or open the URL in a browser. The device downloads the enrollment profile and any configuration profiles.
Agree to install the downloaded configuration profiles and enroll in MDM. This process on the Mac differs from the process on iPhone and iPad.
Sign in with their Managed Apple ID. If the account is federated, users are redirected to the federated identity provider.
When enrollment completes, users have an additional account in Settings on their iPhone, iPad, or Mac.
Apple silicon: how to block users from Recovery mode
You can set Recovery Lock for computers with Apple silicon
DNS
An MDM solution must use a fully qualified domain name that can be resolved from both inside and outside the organization’s network.
IP address
Most MDM solutions require a static IP address.
Apple devices use a wide range of 802.1X wireless authentication protocols
Apple devices integrate into many Remote Authentication Dial-In User Service (RADIUS) authentication environments.
You can authenticate wireless devices to your network using one of these strategies:
Open networks/Public
Captive networks
Wi-Fi Protected Access 2 (WPA2) Personal
Wi-Fi Protected Access 3 (WPA3) Personal
WPA2 Enterprise
WPA3 Enterprise
Configuration method (iOS 16.4, iPadOS 16.4, and macOS Ventura 13.3 or later): Private networks configured using a mobile device management (MDM) profile are preferred over manually joined networks.
Highest supported Wi-Fi standard: For example, Wi-Fi 6 networks are preferred over Wi-Fi 5 networks.
Frequency band: 6 GHz, then 5 GHz, then 5 GHz (DFS), then 2.4 GHz.
Security: WPA Enterprise, then WPA Personal, then WEP.
Signal strength: see RSSI and wireless roaming for enterprise.
standard VPN protocols
IKEv2, Cisco IPsec, and L2TP over IPsec
Bonjour zero-configuration network protocol
With Bonjour, devices can automatically find services on a network
iPhone, iPad, and Mac can use Bonjour to connect to AirPrint-compatible printers and to AirPlay-compatible devices like Apple TV. Some apps and built-in iOS, iPadOS, and macOS features also use Bonjour to discover other devices for collaboration and sharing. However, you can configure both AirPrint and AirPlay to be fully functional in an organization without the use of Bonjour. For example, you can manage AirPrint destinations using DNS records within an organization, whereas AirPlay uses a direct peer-to-peer connectivity model by default.
Platform SSO
With macOS 13 or later, SSO extensions are available to the login window. Users can unlock their Mac computer with their identity provider (IdP) credentials, then automatically sign in to apps and websites. The local account password and the IdP password are kept in sync, and users can continue to unlock their Mac computers with Touch ID and Apple Watch.
Mac computers using macOS 13 or later also limit the profiles command-line tool to 10 of the following requests per 24 hours for devices owned by an organization that appear in Apple School Manager, Apple Business Manager, or Apple Business Essentials:
profiles show
profiles validate
profiles renew
How Apple separates user data from organization data
App data containers
Calendar
Keychain items
Mail attachments and body of the mail message
Notes
Reminders
iCloud
MDM solution to convert unmanaged apps to managed apps
If the device is supervised, the switch from an unmanaged app to a managed app happens without user interaction when the MDM solution requests it. If the device isn’t supervised, the user must formally accept management.
Managed Open In restrictions (iOS and iPadOS)
Allow documents from unmanaged sources in managed destinations
Allow documents from managed sources in unmanaged destinations
Managed pasteboard
Mark apps as nonremovable
Prevent Managed Apps from backing up data
Use app configuration settings
Use app feedback settings that can be read by MDM
Download managed documents from Safari
Prevent Managed Apps from storing data in iCloud
A Managed Apple ID
Using account-driven Device Enrollment to enroll iPhone and iPad devices and Mac computers in management without a user needing to manually install a profile
Configuring access management to control where Managed Apple IDs can sign in and what apps and services they can use
Your passcode policies can include these requirements on iPhone, iPad, and Mac
An alphanumeric value
Minimum passcode length
Minimum number of complex characters
Maximum passcode age
Time before autolock
Passcode history (unable to use previous passwords)
Grace period for device lock
Maximum number of failed attempts before a device is erased
Touch ID doesn’t replace the need for a device passcode or user password, which is still required after device startup, restart, or logout (on a Mac).
However, a device passcode or user password is always required in some scenarios (for example, to change an existing device passcode or user password or to remove existing fingerprint enrollments or create new ones)
The four stages of User Enrollment into MDM are
Service discovery: The device identifies itself to the MDM solution.
User enrollment: The user provides credentials to an identity provider (IdP) for authorization to enroll in the MDM solution.
Session token: A session token is issued to the device to allow ongoing authentication.
MDM enrollment: The enrollment profile is sent to the device with payloads configured by the MDM administrator.
Apple School Manager
Accounts can be integrated with a Student Information System (SIS) or created by uploading .csv files over SFTP (Apple School Manager only).
An MDM solution can identify the following for User Enrollment
Device name
Serial number
Model name and number
Capacity and space available
Operating system version number
Installed apps
An MDM solution can’t identify the following for User Enrollment
Email, calendars, and contacts
SMS or iMessage
Safari browser history
FaceTime or phone call logs
Personal reminders and notes
Frequency of app use
Device location
Apple bypass code generator
The MDM solution creates its own bypass code and sends it to Apple servers.
Apple Customer Number
The Apple Customer Number is the account number (or numbers) assigned to your organization by Apple, used to purchase Apple hardware or software. It’s required in order to verify your organization’s eligibility for certain programs. If you don’t know the numbers, contact your purchasing agent, finance department, or Apple account team. This number isn’t the same as your GSX account number.
Note: When entering your Apple Customer Number, omit any leading zeros.
Reseller Number
A Reseller Number is a unique identifier for each Apple Authorized Reseller or cellular carrier who participates in Apple School Manager. When you add a participating Apple Authorized Reseller’s or carrier’s Reseller Number to your account profile (and you give that reseller your Organization ID), you authorize that reseller to submit devices you purchased through them to Apple so their serial numbers appear in Apple School Manager.
Organization ID
An Organization ID is your unique identifier in Apple School Manager. When you give a participating Apple Authorized Reseller or cellular carrier your Organization ID (and you add that reseller’s Reseller Number to your account profile), you authorize that reseller to submit devices you purchased through them to Apple so their serial numbers appear in Apple School Manager. The Organization ID can also be used with app developers so they can distribute Custom Apps specific to your organization.
Apple School Manager
Sync user accounts from your Student Information System (SIS), Google Workspace, Microsoft Entra ID, or your identity provider, or with files you create and upload using SFTP.
Apple Business Manager Non Federated Accounts
Users with the role of Administrator or People Manager can’t sign in using federated authentication; they can only manage the federation process.
Apple Business Manager Server Setup
Download the public key certificate file from your MDM solution.
Saving the public certificate to Apple Business Manager generates a server token that you upload into your MDM solution.
Manually added device in ABM: 30-day counter
This 30-day provisional period begins after you assign the device to and enroll it in a third-party MDM server linked to Apple Business Manager, Apple Business Essentials, or Apple School Manager.
Apple School Manager Roles
Administrator
Site Manager
People Manager
Device Enrollment Manager
Content Manager
Manager
Staff
Instructor
Student
Apple Business Manager Roles
Administrator
People Manager
Device Enrollment Manager
Content Manager
Staff
Tethered caching
Data is stored on the Mac.
New Apple devices into ABM
You must enter your Apple Customer Numbers or the Reseller Numbers of your participating Apple Authorized Reseller or carrier
Auto Advance for Mac or Apple TV
Auto Advance allows you to skip all Mac or Apple TV Setup Assistant panes automatically.
What is Classroom?
App for teachers - When teaching in class, you can launch a specific app, website, or textbook page. You can also send documents to and receive them from your students, and share student work locally on a TV, monitor, or projector using Apple TV. Finally, you can see which apps students are working in and, at the end of the class, view a summary of how students spent their time.
Use of cameras is restricted
Cameras are disabled and the Camera icon is removed from the Home Screen in iOS and iPadOS. Users can’t take photographs or videos.
Install apps using App Store restricted
App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps.
Four types of MDM queries
1 Device information
2 Operating system
3 Installed apps
4 Security
Network test
Network Quality - tests upload and download speeds
Netstat - generates displays that show network status and protocol statistics
Always On VPN
Protocol: IKEv2
Rapid Security Responses and MDM
MDM solutions can use the following restriction keys on supervised iPhone, iPad and Mac devices:
allowRapidSecurityResponseInstallation: To disable the responses from being applied.
allowRapidSecurityResponseRemoval: To block the user from being able to remove the responses.
Lockdown Mode
Configuration profiles can’t be installed, and the device can’t be enrolled in Mobile Device Management or device supervision while in Lockdown Mode.
Which enrollment types enforce supervision on Mac computers running macOS 11 or later?
Automated Device Enrollment
Device Enrollment
Your organization has 50 Apple devices deployed over three network subnets.
You want to turn on content caching on a Mac mini to optimize your internet bandwidth for all three network subnets.
Which setting should you use in the content caching advanced options?
Cache content for: devices using the same public IP address
Use custom public IP addresses
Devices using custom local networks
App notifications
Disable HTTPS interception for the entire 17.0.0.0/8 address block
macOS Recovery
You need to enter an administrator password before getting to the recovery options.