Apple Deployment and Management Flashcards
What links a device to an MDM solution?
- APNs
- A firewall
- A restriction
- An enrollment profile
4 - An enrollment profile
An enrollment profile links a device to the MDM solution.
What does MDM need to operate, specifically for APNs and SSL?
- Certificates
- Restrictions
- Enrollment profiles
1 - Certificates
MDM requires multiple certificates to operate, including an APNs certificate to talk to clients and an SSL certificate to communicate securely.
Which Apple device capability allows MDM to secure devices?
- Location Services
- Enrollment profiles
- Built-in device security features
3 - Built-in device security features
An MDM solution allows you to use the device’s built-in security features.
How do devices report their status when using declarative device management?
- Declarations
- The status channel
- Profiles
2 - The status channel
The status channel is what a device uses to update the MDM server with information about itself.
In which type of enrollment and ownership model can users personalize apps and data on their managed devices?
1. BYOD, organization-owned
2. Nonpersonalized, organization-owned
3. Personally enabled, organization-owned
3 - Personally enabled, organization-owned
The organization assigns devices to users, and after configuration, users can personalize their devices with their own apps and data.
In which type of ownership model can users personalize apps and data on their personal devices?
- BYOD, User Enrollment
- BYOD, organization-owned
- Nonpersonalized, organization-owned
- Personally enabled, organization-owned
1 - BYOD, User Enrollment
BYOD users can customize their personal devices before and after enrolling them in an MDM solution.
In which ownership model can IT administrators restrict the installed apps and personal data on a device meant to be shared with multiple users?
- BYOD, User Enrollment
- BYOD, personally enabled
- Nonpersonalized, organization-owned
- Personally enabled, organization-owned
3 - Nonpersonalized, organization-owned
IT administrators typically centrally configure and manage shared or single-purpose devices.
How do you enroll devices ineligible for automatic enrollment in Apple Business Manager or Apple School Manager?
- Device Enrollment
- Automated Device Enrollment
- Automatic enrollment
- No enrollment possible
1 - Device Enrollment
You can choose to manually enroll devices in your MDM solution by installing an enrollment profile locally on the devices.
Which type of enrollment is ideal for devices you need to distribute to multiple users in multiple regions?
- Device Enrollment
- User Enrollment
- Automated Device Enrollment
3 - Automated Device Enrollment
Automated Device Enrollment is the most convenient choice because you can enroll devices in MDM without physically handling or preparing devices before users receive them.
Which type of enrollment do you commonly use for BYOD deployments?
- Device
- User
- Automated device
2 - User
BYOD deployments most commonly employ User Enrollment. You can provide BYOD users a customized URL to an enrollment portal.
What do you need to consider when evaluating MDM solutions?
- Support for watchOS
- Pricing structure and subscription model
- A device’s life cycle and trade-in value
2 - Pricing structure and subscription model
Understand your organization’s budget and growth projections, then compare MDM solution pricing and subscription options.
Which is a deployment model to consider as part of your device management goals?
- Application Programming Interface (API)
- Over-the-air (OTA) enrollment
- One-to-one
3 - One-to-one
Also known as personally enabled, one-to-one is a deployment model you can consider when understanding your organization’s needs.
Which is an important user authentication feature of an MDM solution that you should consider?
- Support and integration with your identity provider or directory service
- Support for future versions of macOS, iOS, and iPadOS
- Support for the BYOD deployment model
1 - Support and integration with your identity provider or directory service
Verify if the MDM solution supports your current identity provider or directory service.
Which aspect of your organization’s infrastructure should you evaluate to ensure that your organization meets the network roaming needs of users throughout a building?
- Number of devices per user
- Wi-Fi coverage and capacity
- Adequate number of access points per device
- Sources of interference caused by construction materials
2 - Wi-Fi coverage and capacity
Evaluating Wi-Fi coverage and capacity helps you strategically place wireless access points that have enough power to meet the roaming needs throughout your organization’s facilities.
Which type of network uses individual user credentials or device- and/or user-based certificates to control who or which devices can use the network?
- Provisioning network
- WPA2 Personal network
- WPA2 Enterprise network
3 - WPA2 Enterprise network
WPA2 Enterprise network uses individual user credentials or device- and/or user-based certificates to control who or what devices can use the network.
Which functions require Apple devices to continuously access APNs?
- Bonjour access, content caching, and internet connection sharing
- SSO, VPN connectivity, and Wi-Fi network roaming
- Notifications of operating-system and app updates, MDM policies, and messages
- Ad and location tracking, Keychain data backup, and app suggestions
3 - Notifications of operating-system and app updates, MDM policies, and messages
Apple devices learn of operating-system and app updates, MDM policies, and incoming messages through continuous access to APNs. Make sure that your organization allows network traffic access to Apple’s network on the entire 17.0.0.0/8 address block on port 5223, with a fallback option of port 443.
What should you do to ensure that Apple devices can access APNs and other Apple services on your organization’s network?
- Configure all devices to auto-establish secure VPN access to Apple’s network.
- Deploy devices with an SSO payload that are configured to allow access to Apple’s network.
- Adjust network configurations on web proxies or firewall ports to allow access to Apple’s network.
- Set up your network to work with Bonjour so that devices can connect to APNs and Apple services.
3 - Adjust network configurations on web proxies or firewall ports to allow access to Apple’s network.
For Apple devices to access APNs and Apple services, you might need to adjust network configurations on web proxies or firewall ports to allow network traffic access to Apple’s network. Make sure that your organization allows network traffic access to Apple’s network on the entire 17.0.0.0/8 address block on port 5223, with a fallback option of port 443.
What’s the most commonly deployed authentication technology that both AD and SSO use?
- Kerberos
- MSCHAPv2
- OAuth
- SAML
1 - Kerberos
Kerberos is the most commonly deployed authentication technology that both AD and SSO use.
Which Kerberos feature allows users to sign in once and access multiple authenticated services?
- Sign in with Apple at Work & School
- OAuth
- Ticket-granting ticket (TGT)
- SAML
3 - Ticket-granting ticket (TGT)
TGT generates a ticket for the use of any resource that supports Kerberos without requiring the user to authenticate again.
Which feature allows administrators to streamline the creation of Managed Apple IDs based on existing Google Workspace or Azure AD data?
- MSCHAPv2
- Federated Authentication
- Active Directory
- SAML
2 - Federated Authentication
Federated authentication can link Apple Business Manager, Apple Business Essentials, or Apple School Manager to your instance of Google Workspace or Azure AD to automatically create Managed Apple IDs for your users.
What’s a benefit of using Apple Business Manager or Apple School Manager to automate MDM enrollment during initial setup of managed Apple devices?
- You can track the location of managed devices.
- You can make the enrollment mandatory and nonremovable on user-owned devices.
- You can make the enrollment mandatory and nonremovable on organization-owned devices.
3 - You can make the enrollment mandatory and nonremovable on organization-owned devices.
Using Apple Business Manager or Apple School Manager provides additional enrollment options for managed, organization-owned Apple devices.
Which strategy would be most effective in a scenario where an organization wants to ensure that users always have the apps they need on their devices and to control the access and exchange of the organization’s sensitive information?
- Deploy devices to users in shared mode.
- Install a nonremovable managed app onto the devices.
- Convert all unmanaged apps on the devices to managed apps.
2 - Install a nonremovable managed app onto the devices.
Nonremovable managed apps are ideal for deployment scenarios where an organization wants to ensure that users always have the apps they need on their devices and to control the access and exchange of the organization’s sensitive information.
What’s the main benefit of using managed device attestation when deploying Apple devices in an organization?
- It allows the MDM administrator to use a bypass code to erase a device and assign it to a new user.
- It allows a user to unlock the storage on APFS volumes that require a secure token and then become owners of the volume.
- It provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
3 - It provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
Managed device attestation provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
Why might you create a security policy that enforces the use of FileVault for data encryption on a managed Mac?
- This policy ensures that users can’t disable FileVault.
- When you use an MDM solution to enable FileVault, it adds a Recovery Key to a user’s iCloud account.
- FileVault is compatible with any Apple device.
- You can use third-party encryption algorithms to configure FileVault.
1 - This policy ensures that users can’t disable FileVault.
Users can’t disable FileVault if you enforce it with a configuration profile on managed Mac computers.
Which benefit helps IT administrators reduce the need to perform extensive configurations on Apple devices?
- Many security features are turned on by default.
- Users can select a security profile in Setup Assistant.
- IT administrators can deliver and enforce policies without an MDM solution.
- IT administrators can issue remote commands to devices to erase all private information.
1 - Many security features are turned on by default.
Because many security features on Apple devices are turned on by default, administrators save time when they configure devices.
What happens if your Apple device can’t validate the trust chain of a signing CA?
- The service encounters an error.
- The CA is added to the unapproved list.
- The user is asked to enter the device password or passcode.
1 - The service encounters an error.
If your Apple device can’t validate the trust chain of a signing CA, the service encounters an error.
Which MDM payload setting can you use to turn off updating certificates wirelessly for iPhone and iPad devices?
- Automatic sync while roaming
- Allow users to accept untrusted TLS certificates
- Allow automatic updates to certificate trust settings
3 - Allow automatic updates to certificate trust settings
When you deselect this option and push the payload to your device, you prevent wireless certificate updates.
You’ve installed a payload on your managed Apple device that prevents users from accepting untrusted TLS certificates.
What happens when users try to access a webpage that uses an untrusted TLS certificate and then tap Show Details?
- They’re asked to contact the issuing CA to validate the certificate.
- They can tap “view the certificate,” but they can’t trust this certificate or visit the site.
- They can’t tap “view the certificate,” and they can view only the unsecured version of the webpage.
2 - They can tap “view the certificate,” but they can’t trust this certificate or visit the site.
When you deselect the option “Allow users to accept untrusted TLS certificates,” users can’t accept untrusted TLS certificates or visit sites that use untrusted certificates.
How do you configure Custom Apps to appear in the sidebar?
- In Settings, select Apps and Books, then click Enable next to Custom Apps.
- In Settings, select Enrollment Information, then click Enable next to Custom Apps.
- In Roles, choose the role for which to enable custom apps, then select the View Custom Apps checkbox.
2 - In Settings, select Enrollment Information, then click Enable next to Custom Apps.
You enable Custom Apps in Settings > Enrollment Information. When you enable the Custom Apps option, it appears below the Content section in the sidebar.
What’s the purpose of using federated authentication with Apple Business Manager or Apple School Manager?
- Federated authentication links to your Google Workspace or Azure AD domain.
- Federated authentication verifies your organization’s eligibility.
- Federated authentication verifies ownership of the domains that you use with your portal.
1 - Federated authentication links to your Google Workspace or Azure AD domain.
When you link to Google Workspace or Azure AD, people can use their user names and passwords from your domain as Managed Apple IDs.
You didn’t import user data into Apple Business Manager after configuring federated authentication.
Which Apple Business Manager settings pane can you use to import user data into Apple Business Manager?
- Accounts
- Directory Sync
- Enrollment Information
2 - Directory Sync
In the Directory Sync pane, you can sync Apple Business Manager with user data from your Google Workspace or Azure AD.
Which of the following roles has the least user privileges?
- Staff
- Administrator
- Content Manager
1 - Staff
The Staff role has the least user privileges.
Which type of additional user should you create immediately after sign-up is complete?
- Administrator
- Device Enrollment Manager
- People Manager
- Content Manager
1 - Administrator
After sign-up is complete, you’re the only person who can sign in. Create a second administrator account in case you can’t sign in for any reason.
Which roles must your account have to add or edit locations in Apple Business Manager?
- Administrator or Site Manager
- Administrator or People Manager
- People Manager or Content Manager
2 - Administrator or People Manager
Only an Administrator or a People Manager can add or edit locations in Apple Business Manager.
You’ve created a number of users with Content Manager, Device Enrollment Manager, and People Manager roles.
What should you do next to give each user access?
- Enter a secure password for each user.
- Ask each user to enroll in your portal.
- Create sign-in information and email it to each user.
3 - Create sign-in information and email it to each user.
You can choose to either email users their sign-in information directly or download it as a PDF or CSV file.
Which statement about adding an MDM server in Apple Business Manager or Apple School Manager is true?
- Adding an MDM server creates a link to your MDM solution.
- Adding an MDM server eliminates the need for an MDM solution.
- Adding an MDM server configures an additional server in your MDM solution.
1 - Adding an MDM server creates a link to your MDM solution.
Adding an MDM server establishes a secure relationship between your MDM solution and Apple Business Manager or Apple School Manager.
What’s the purpose of the public key certificate file that you download from your MDM server before you add the server to your Apple Business Manager or Apple School Manager portal?
- It enables the MDM server to securely send email through the portal.
- It configures two-step verification between your MDM server and the portal.
- It contains a public key that the MDM server uses to encrypt the portal server token.
3 - It contains a public key that the MDM server uses to encrypt the portal server token.
You upload the public key certificate file to Apple Business Manager or Apple School Manager when you add your MDM server.
After you add your MDM server in your Apple Business Manager or Apple School Manager portal, what must you do so that the MDM server securely connects to the portal?
- Enter the encryption key that the portal generates into the MDM server.
- Verify that the secure URL for your MDM server in the portal is correct.
- Download the server token from the portal and upload it to the MDM server.
3 - Download the server token from the portal and upload it to the MDM server.
The server token is a P7M file that your MDM server uses to securely connect to Apple Business Manager or Apple School Manager.
On your Mac, which Apple Configurator tool do you use to add donated iPhone and iPad devices to Apple Business Manager, Apple School Manager, or Apple Business Essentials?
- Blueprints
- Profile Editor
- Prepare Assistant
- Device Assignments
3 - Prepare Assistant
You can use Apple Configurator with Prepare Assistant to manually add iPhone and iPad devices to Apple Business Manager, Apple School Manager, or Apple Business Essentials.
What happens if a Wi-Fi payload isn’t included in a configuration profile when using Apple Configurator on your Mac to manually add iPhone or iPad devices to Apple Business Manager, Apple School Manager, or Apple Business Essentials?
- Adding the device fails with a network error.
- The device is added to Apple Business Manager, Apple School Manager, or Apple Business Essentials but isn’t able to connect to Wi-Fi.
- Apple Configurator continues trying to add the device to Apple Business Manager, Apple School Manager, or Apple Business Essentials until you click Cancel.
1 - Adding the device fails with a network error.
Because iPhone and iPad devices require an internet connection to be added to Apple Business Manager, Apple School Manager, or Apple Business Essentials, you must install a configuration profile with a Wi-Fi payload.
As an administrator in Apple Business Manager, Apple School Manager, or Apple Business Essentials, you’re manually adding a newly purchased Mac to your organization.
What else do you need to complete the task?
- AppleCare+ for Mac chat or phone support
- An enrollment profile for your MDM solution and a device supporting AirDrop
- Another Mac, Apple Configurator, and a Thunderbolt or Ethernet cable to connect them
- Your iPhone, the Apple Configurator for iPhone app, and a Wi-Fi connection to the internet
4 - Your iPhone, the Apple Configurator for iPhone app, and a Wi-Fi connection to the internet
You can use Shared Wi-Fi credentials with Apple Configurator for iPhone to add the Mac computer to your organization.
You want to link your MDM solution with Apps and Books for managed distribution to your devices.
What must you download in Apple Business Manager and then upload to your MDM solution?
- A server token
- A public key certificate
- A CSV file containing all device serial numbers
- Your organization’s Apple Customer ID
1 - A server token
A server token is a file that connects your MDM solution to the volume purchasing feature.
Your organization wants to retain full ownership and control of apps that you bought through Apps and Books.
Which license type should you choose?
- Custom licenses
- Managed licenses
- Redemption codes
- Supervised licenses
2 - Managed licenses
Choose Managed when you buy licenses for managed distribution. Your organization retains full ownership and control of apps through assignment with your MDM solution.
You buy books and choose licenses for managed distribution.
What happens to ownership of the books when you distribute them?
- Book ownership always transfers to users. You can’t revoke or reassign books.
- You choose whether you want to retain or transfer ownership of books when you distribute them.
- The organization retains full ownership and control, so you can revoke and reassign them later.
1 - Book ownership always transfers to users. You can’t revoke or reassign books.
Regardless of whether you choose licenses for managed distribution or redemption codes, book ownership always transfers to the user.
What must multiple subnets share so that a network can use a single content cache, without requiring DNS changes?
- DNS
- Subnet
- Bandwidth
- Public IP Address
4 - Public IP Address
You can set the caching server to provide content caching for subnets of the local network that share a common public IP address.
When an iPhone device on your network tries to download Apple content that could be cached, the Apple content server instructs the device to check with the local network’s cache first.
- True
- False
1 - True
With content caching, when an iPhone device on your network downloads an iOS update from the App Store, content caching keeps a copy of the update.
Which issue could arise when multiple devices request the same data and caching is NOT turned on?
- Data becomes less secure.
- Bandwidth consumption increases.
- Only the first device can download the requested data.
- No issue — each device downloads the requested data.
2 - Bandwidth consumption increases.
When the second device requests the same content, the bandwidth consumption doubles because the second device also needs to download the content from the internet.
For best results, deploy content caching on a Mac that has a single wired Ethernet connection as its only network connection.
- True
- False
2 - True
Use an Ethernet connection to the network for best results.
Where do you turn on content caching on your Mac?
- System Settings > Privacy & Security
- System Settings > Sharing
- System Settings > Network
- System Settings > Displays
2 - System Settings > Sharing
Use the Content Caching option in Sharing settings to manage content caching on your Mac.
Which setting should you select to prevent your computer from going to sleep and interfering with content caching?
- Wake for network access
- Put hard disks to sleep when possible
- Enable Power Nap while plugged into a power source
- Prevent automatic sleeping when the display is off
4 - Prevent automatic sleeping when the display is off
Content caching requires the Mac to be turned on.
With internet connection sharing, you can use a Mac computer’s internet connection to cache content for iPhone or iPad devices that are physically connected to the Mac through USB.
- True
- False
1 - True
A Mac with internet connection sharing turned on and with an Ethernet connection can cache content for iPhone and iPad devices.
Which advanced option do you use to set the cache size?
- Peers
- Storage
- Clients
- Parents
2 - Storage
You view and set the cache size in the Storage tab.
Which Mac sharing service becomes unavailable when the content caching internet connection setting is turned on?
- Internet Sharing
- Remote Management
- Media Sharing
- File Sharing
1 - Internet Sharing
Internet Sharing on a Mac becomes unavailable when the content caching internet connection setting is turned on.
When you use Activity Monitor to check performance statistics for content caching, which comparison can tell you how much content caching is helping?
- The closer the Maximum Cache Pressure value is to the Data Served value, the more content caching is helping.
- The further the Maximum Cache Pressure value is from the Data Served value, the more content caching is helping.
- The closer the Data Served From Cache values are to the Data Served values, the more content caching is helping.
- The further the Data Served From Cache values are from the Data Served values, the more content caching is helping.
3 - The closer the Data Served From Cache values are to the Data Served values, the more content caching is helping.
Comparing the closeness of these two values is the best way to determine how content cache is helping.
Where does the content caching service send log messages?
- To the main system.log
- To the subsystem com.apple.AssetCache
- To the subsystem com.apple.ContentCache
- To the subsystem com.apple.AssetCacheManagerUtil
2 - To the subsystem com.apple.AssetCache
Specifying this subsystem in the log command filters the displayed results to those associated with content caching.
Which command can you use to configure advanced settings for content caching?
- defaults write
- AssetCacheManagerUtil status
- AssetCacheManagerUtil settings
1 - defaults write
When used with sudo, the defaults write command allows you to configure advanced settings for content caching.
Which tool can you use to display advanced settings for the content caching service?
- Activity Monitor
- Console
- System Settings
- Terminal
4 - Terminal
You can use the command-line interface in Terminal to configure all settings, both basic and advanced, for content caching.
Which statement about entering Apple Customer Numbers and Reseller Numbers is correct?
- You can enter both an Apple Customer Number and a Reseller Number.
- You can enter an Apple Customer Number or a Reseller Number but not both.
- You can enter only one Apple Customer Number, but multiple Reseller Numbers.
1 - You can enter both an Apple Customer Number and a Reseller Number.
You can enter both an Apple Customer Number and a Reseller Number and even add multiple numbers if you need them.
Your organization has multiple MDM servers linked in Apple Business Manager or Apple School Manager.
What should you do to automatically assign iPhone devices and Mac computers to different MDM servers?
- Choose your preferred assignment method in MDM Server Assignment, then select the default MDM server for each device type.
- Edit the assignment options in Default MDM Server Assignment settings and choose a different server for iPhone devices and Mac computers.
- Upload a CSV file containing iPhone device serial numbers and assign them to one MDM server, then upload a CSV file for Mac computers and assign them to a different MDM server.
2 - Edit the assignment options in Default MDM Server Assignment settings and choose a different server for iPhone devices and Mac computers.
If you have linked more than one MDM server, you can choose default assignments by device type in Default MDM Server Assignment settings.
You made multiple orders for new iPhone devices and you want the devices from one order assigned to a different MDM server than the others.
What’s the best way to do that?
- Use MDM Server Assignment to change the Default MDM Server Assignment for iPhone.
- Select Devices, filter by order number and device type, then select All Devices to change assignments.
- Use MDM Server Assignment to enter a new Reseller Number for the order to filter device assignments.
- Use Devices to download a CSV file containing iPhone device serial numbers for that order only. Edit the file and upload it with the unique server assignment for the iPhone devices in that order.
2 - Select Devices, filter by order number and device type, then select All Devices to change assignments.
You can select All Devices to edit the MDM Server assignments of all devices matching the search criteria.
You’re responsible for managing 10 identical iPad devices that your organization uses in a training classroom and networking isn’t available onsite. Each week you need to retrieve the files stored on each device by the recent students and set up the devices for a new class.
Which approach is best for this task?
- Apple Configurator for Mac
- Apple Configurator for Mac with Shared iPad
- Apple Configurator for Mac with your MDM solution
1 - Apple Configurator for Mac
You can use Apple Configurator for Mac to create a single backup configuration that you apply to all the devices at the start of class and that you retrieve files with at the end.
Which type of content can you assign to iPhone or iPad with Apple Configurator for Mac?
- Apps
- User settings
- Purchased music
- Podcasts
1 - Apps
Distributing apps to multiple Apple devices simplifies deployment.
Which of the following devices can Apple Configurator for iPhone add to Apple Business Manager, Apple Business Essentials, and Apple School Manager?
- iPhone with iOS 15, iPad with iPadOS 16.1, and Mac with macOS 11 or later installed.
- iPhone with iOS 16, iPad with iPadOS 16.1, Mac with macOS 12.0.1, and Apple TV with tvOS 16 or later installed.
- iPhone with iOS 16, iPad with iPadOS 16.1, and Mac with macOS 12.0.1 or later installed.
- iPhone with iOS 16, iPad with iPadOS 15, and Mac with macOS 11 or later installed.
3 - iPhone with iOS 16, iPad with iPadOS 16.1, and Mac with macOS 12.0.1 or later installed.
Apple Configurator for iPhone can add iPhone, iPad, and Mac to Apple Business Manager, Apple Business Essentials, and Apple School Manager.
Which type of information about iPad can you view in Apple Configurator for Mac?
- Camera status
- iPad location
- Console log
- Ebook licenses
3 - Console log
You can find the Console log by choosing File > Get Info from the Apple Configurator for Mac menu bar.
From where do you install the cfgutil tool?
- From the App Store
- From Apple Configurator for Mac
- From Profile Manager
- From /Applications/Utilities on your Mac
2 - From Apple Configurator for Mac
The cfgutil tool is one of the automation tools that you can install from Apple Configurator for Mac.
Which tool can you use to automate configurations with shell scripts?
- Blueprints
- Automator app
- Command-line tool cfgutil
3 - Command-line tool cfgutil
The command-line tool cfgutil in the Terminal app helps you write shell scripts and automate specific processes.
Which tool can you use to create your own workflows for bulk deployments?
- Blueprints
- Automator app
- Command-line tool
2 - Automator app
You can use the Automator app to create automated workflows for others to use when configuring devices.
Which tool can you use to automate configurations with a template tool to add configuration profiles and apps?
- Blueprints
- Automator app
- Command-line tool
1 - Blueprints
Blueprints use template tools to record actions that you can then apply to devices.
What is a configuration profile?
- A System Report file with hardware and software configuration from a device
- An automation file to script Apple Configurator actions
- A file with user data from Apple devices
- A file with payloads for Apple devices
4 - A file with payloads for Apple devices
A profile is a file with payloads that contain settings and authorization information for Apple devices.
Which method can you use to build configuration profiles with payloads specific to macOS?
- Apple Configurator
- Apple Business Manager
- An MDM solution
3 - An MDM solution
To create custom configuration profiles that contain settings specific to macOS, use an MDM solution.
Which tool can you use to set up payloads for Apple TV?
- Profile Editor
- Prepare Assistant
- Setup Assistant
- Blueprints
1 - Profile Editor
Use the Profile Editor to create configuration profiles for Apple TV as well as iPhone and iPad devices.
An MDM solution is the only way to create and distribute a configuration profile.
- True
- False
2 - False
You can also create a configuration profile with Apple Configurator and then distribute it using a message, a web page, Apple Configurator, or an MDM solution.
What is the benefit of signing configuration profiles?
- A signed profile prevents users from removing the profile from the device.
- Signing a configuration profile makes it more resistant to tampering during distribution.
- Signing a configuration profile allows a device to communicate securely with an MDM solution.
2 - Signing a configuration profile makes it more resistant to tampering during distribution.
If someone modifies a profile after you sign it, the MDM framework won’t allow that profile to be installed on a device.
Which payload prevents a user from later configuring an option that is hidden in Setup Assistant during device setup?
- App Configuration
- Parental Controls
- Restrictions
- Security & Privacy
3 - Restrictions
Configure Restrictions to restrict functions for Setup Assistant options that you hide during device setup. Restrictions remain in place until removed.
What allows you to configure which Setup Assistant panes users see during device setup?
- App Configuration
- Require credentials for enrollment
- Assigning devices to your MDM solution in Apple Business Manager, Apple Business Essentials, or Apple School Manager
- Security & Privacy
3 - Assigning devices to your MDM solution in Apple Business Manager, Apple Business Essentials, or Apple School Manager
You must configure them to enroll during setup.
On Mac computers with macOS 13 and Apple silicon or an Apple T2 Security Chip, users can complete Setup Assistant without a network connection.
- True
- False
2 - False
Users need a network connection to complete Setup Assistant on Mac computers with macOS 13 and Apple silicon or an Apple T2 Security Chip. Prior to macOS 13, users could complete Setup Assistant without an internet connection.
How can you ensure that only authorized users can enroll a device?
- Add a Restrictions payload to the device
- Configure a Setup Assistant option
- Select the option to require user authentication during enrollment
3 - Select the option to require user authentication during enrollment
The user will need to authenticate in order to enroll.
Setup Assistant guides users through setting up their Apple devices after they access the Home Screen.
- True
- False
2 - False
Setup Assistant guides users before they get to the Home Screen.
You can manage user devices through your MDM solution and still give users some freedom to personalize the configuration.
- True
- False
1 - True
You can use your MDM solution to manage devices but still permit users to personalize some settings.
You downloaded a configuration profile on iPhone from a website or an email message.
Where on the device do you install it?
- Install the profile in the Settings app.
- Delete the attachment, and go to a webpage.
- Don’t do anything because the profile installs automatically.
1 - Install the profile in the Settings app.
Users install the profile in the Settings app.
What happens when the user manually enrolls a device in the MDM solution?
- Nothing happens until the user restarts the device.
- The MDM solution records information about the device, such as the serial number and installed apps.
- The user receives a web address where they can download the enrollment profile.
- The user receives a web address where they can download the configuration profile.
2 - The MDM solution records information about the device, such as the serial number and installed apps.
When the user connects to the MDM solution using the device, the MDM solution records information about the device.
When you run the profiles command in Terminal, in which scenario are you limited to 10 requests in a 24-hour period?
- Running profiles renew on a Mac with macOS 12 installed
- Running profiles show on iPhone with iOS 16 installed
- Running profiles status on a Mac with macOS 13 installed
- Running profiles validate on a Mac with macOS 13 installed
4 - Running profiles validate on a Mac with macOS 13 installed
Three options are limited to 10 requests in a 24-hour period: profiles show, profiles validate, and profiles renew.
What’s also removed when a user removes an enrollment profile from their device?
- User data
- The current operating system
- Organization data
- Managed Apps based on that configuration profile
4 - Managed Apps based on that configuration profile
A user can remove an enrollment profile from their device, including all configuration profiles and their settings, as well as Managed Apps based on that enrollment profile.
What is service discovery in the four stages of user enrollment?
- Users identify themselves to the MDM solution.
- The MDM solution notifies an enrolled device through APNs that it needs to contact the server.
- The device identifies itself to the MDM solution.
- Users visit a specified self-service site to enroll their devices.
3 - The device identifies itself to the MDM solution.
If users enroll their own devices, the devices identify themselves to an organization’s MDM solution.
What happens when users remove an enrollment profile from their devices?
- Users can continue to use their apps, but an MDM solution doesn’t manage their apps anymore.
- The devices reset and erase all settings.
- All configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it.
- Users are asked to reenroll the devices into the MDM solution.
3 - All configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it.
If users bring their own devices, they can remove the enrollment profiles to disassociate from an organization’s MDM solution.
How would you send new settings to user devices?
- Send users a self-service URL.
- Change and send a new updated configuration profile.
- Remove the configuration profile, and send a new one.
- Email users a link for a new configuration profile.
2 - Change and send a new updated configuration profile.
The easiest way to send new settings is to use your MDM solution to change and send an updated configuration profile to users.
What MDM enrollment options can you give users if your organization has a BYOD policy?
- Send an enrollment profile by email or SMS.
- Provide a self-service portal if supported.
- All of the above
3 - All of the above
Sending an enrollment profile by email or SMS and setting up a self-service portal are two common options you can offer users to enroll their devices.
Which iPad is compatible with Shared iPad?
- iPad Pro
- iPad Air
- iPad 4th generation
- iPad mini 3
1 - iPad Pro
Any iPad Pro is compatible with Shared iPad.
Which service can you configure on a Mac to temporarily store iCloud user data from shared iPad devices?
- iCloud
- Content Caching
- Internet Sharing
2 - Content Caching
When you have a Mac with the Content Caching service turned on, Shared iPad can locally save iCloud user data in addition to iPadOS and app updates.
Where can you find apps that are Optimized for Shared iPad?
- Apple Configurator
- Classroom
- Apps and Books
3 - Apps and Books
Apps optimized for Shared iPad are labeled in Apps and Books.
You can ship devices directly to users without touching or preparing the devices if your organization purchases them directly from a participating Apple Authorized Reseller or carrier and you automatically enroll them in MDM with Apple Business Manager, Apple Business Essentials, or Apple School Manager.
- True
- False
1 - True
Organizations that purchase devices directly from a participating Apple Authorized Reseller or carrier can enroll the devices automatically in an MDM solution with Apple Business Manager, Apple Business Essentials, or Apple School Manager.
When you set up a device with Setup Assistant, which of the following might you be required to enter to complete the enrollment in MDM?
- iCloud account credentials
- Managed Apple ID credentials
- Passcode credentials
2 - Managed Apple ID credentials
The option to add Managed (or personal) Apple ID credentials appears after you enroll the device in MDM if the administrator allows the option in Setup Assistant.
Which of the following is a task that a user can complete with help from a self-support site or app?
- Download internal business apps
- Purchase apps from the App Store
- Install personalized apps on a device
- Enroll a device in Apple Business Manager, Apple Business Essentials, or Apple School Manager
1 - Download internal business apps
If an organization provides self-support sites, these sites can allow users to access device enrollment in MDM, downloads of internal business apps, and other device management services.
What do you use to connect Apple devices to networks that use 802.1X EAP-TLS authentication?
- A configuration profile
- A PAC file
- A .plist file
1 - A configuration profile
To connect Apple devices to networks that use 802.1X EAP-TLS authentication, MDM administrators must create the appropriate settings for their networks in configuration profiles and then push them to their devices.
Which security type do you use to configure managed Apple devices to connect to 802.1X networks?
- WEP
- WPA3 Enterprise
- WPA3 Personal
2 - WPA3 Enterprise
Configuring your managed Apple devices with this type gives them access to a broad range of 802.1X authentication environments.
You can use WPA2/WPA3 Enterprise authentication at the login window of macOS.
- True
- False
1 - True
You can authenticate to a network from the login window when your Mac is set up with a compatible directory service and configured to use this mode with MDM.
You’re using your MDM solution to configure iPhone and iPad devices to connect to Wi-Fi networks using EAP-TLS.
Which of these types of certificate payloads can you use for authentication?
- Active Directory Certificate
- PKCS #12 Certificate
- S/MIME Certificate
2 - PKCS #12 Certificate
You can use a PKCS #12 identity certificate (.p12 or .pfx) payload or a SCEP payload for authentication to Wi-Fi networks using EAP-TLS on iPhone and iPad devices.
How does a PAC file influence the way an Apple device communicates over a network?
- The device uses the authentication credentials defined in the PAC file to connect to servers.
- The device follows the PAC file rules that define the proxy server’s location and traffic allowed to connect directly.
- The device constructs a list of approved websites by using the web addresses that the PAC file defines.
2 - The device follows the PAC file rules that define the proxy server’s location and traffic allowed to connect directly.
The proxy server’s location and rules for allowed direct traffic defined in the PAC file manage the way an Apple device communicates over a network.
Which of these alternatives to a proxy server URL could you use to configure a payload with proxy settings for an Apple device?
- A .plist file with allowed websites
- A domains restriction
- WPAD using DHCP option 252
3 - WPAD using DHCP option 252
When configuring an Apple device to use a proxy, you can use WPAD using DHCP option 252 instead of a proxy server URL.
What must the server identity certificate contain in the SubjectAltName field?
- The CA name
- The rest of the trust chain
- The user’s group name
- The server’s DNS name or IP address
4 - The server’s DNS name or IP address
The server identity certificate must contain the server’s DNS name or IP address in the SubjectAltName field.
What must users of an MDM solution install so that custom VPN works on Apple devices?
- Profile Manager and VPN Manager
- The appropriate authentication app
- Configuration profile and VPN Manager
- VPN Manager and User Authentication Profile
2 - The appropriate authentication app
You need the vendor’s VPN app.
Which VPN connection type provides more granular control over which data goes through VPN?
- Per-App VPN
- VPN On Demand
- Always-On VPN
1 - Per-App VPN
Per-App VPN connections are established on a per-app basis, which provides more granular control over which data goes through VPN.
How do you enable managed distribution?
- Enroll devices in MDM.
- Download a spreadsheet of app licenses.
- Link your MDM solution to at least one location in Apple Business Manager or Apple School Manager.
- Purchase content through Apps and Books in Apple Business Manager or Apple School Manager.
3 - Link your MDM solution to at least one location in Apple Business Manager or Apple School Manager.
To enable managed distribution, you link your MDM solution to at least one location in your Apple Business Manager or Apple School Manager account.
Which distribution model permanently transfers apps to users?
- Custom apps
- Redemption codes
- Managed distribution to users
- Managed distribution to devices
2 - Redemption codes
Distributing app licenses through redemption codes transfers ownership of an app to the user who redeems the code.
Your organization wants developers to read a software architecture book available in Apps and Books. Funding is limited, so the engineering lead wants to know if a book can be transferred between developers after they finish reading it.
Who has the authority to revoke a book license after distribution?
- No one
- The user
- The content manager
- The MDM administrator
1 - No one
When you distribute books, ownership permanently transfers to the users; you can’t revoke or reassign book licenses.
When you use managed distribution to assign apps directly to devices, your organization retains full control and ownership of the app licenses.
- True
- False
1 - True
Using managed distribution with MDM, your organization retains full control and ownership of app licenses with the ability to assign, revoke, and reassign apps to devices.
How is an app installed on a user’s device after the app is assigned to that device?
- The user must accept the app installation.
- Your MDM solution automatically pushes the app to the supervised device.
- The user receives an invitation to download and install the app from the App Store.
2 - Your MDM solution automatically pushes the app to the supervised device.
Your MDM solution can automatically push it to supervised devices without requiring user invitation or acceptance.
When does the number of available app licenses for supervised devices change in your MDM solution apps library?
- After the user installs or deletes the app
- After the user accepts or rejects the installation
- After you assign or revoke an app to a device or device group
3 - After you assign or revoke an app to a device or device group
After you assign or revoke an app using your MDM solution, the number of app licenses available for assignment adjusts accordingly.
What must a user do before you can assign apps to them with managed distribution?
- Install a managed distribution profile on their device
- Accept an invitation to enroll in managed distribution
- Sign in to an MDM solution and create a Managed Apple ID
- Sign in to Apple Business Manager or Apple School Manager and enroll in Apps and Books
2 - Accept an invitation to enroll in managed distribution
The user must accept the invitation by signing in with their Apple ID and agreeing to the terms and conditions.
When you assign an app to a group for managed distribution, who must accept the invitation to enroll in managed distribution?
- Your MDM solution administrator
- Each individual user in the group
- The Apple Business Manager or Apple School Manager administrator
2 - Each individual user in the group
Each user in the group receives an invitation to enroll in managed distribution.
What do you use on a managed, user-owned iPhone or iPad to prevent users from opening unmanaged attachments or documents in managed sources?
- A restriction
- A managed domain
- A managed account
1 - A restriction
Open In management uses a set of restrictions to prevent users from opening attachments or documents from managed sources in unmanaged destinations on a managed iPhone or iPad.
What do you use on a managed, user-owned iPhone to prevent managed apps from storing data in iCloud?
- A restriction
- A managed domain
- A managed account
1 - A restriction
You can use your MDM solution to push a restriction to your managed devices to keep managed app data from being backed up to iTunes and iCloud.
Which condition applies when a Managed Pasteboard restriction is installed on a managed device?
- The Paste button is dimmed.
- The Paste button doesn’t appear.
- A “Paste Not Allowed” notification displays.
3 - A “Paste Not Allowed” notification displays.
If the user isn’t allowed to paste content in an app due to the restriction, they get a “Paste Not Allowed” notification that includes the organization name.
Which apps can users use to open the email attachment in the organization account after Managed Open In restrictions are in place?
- Only apps that the user installs
- Any app installed on the device
- Only apps installed from the App Store
- Only managed apps that the MDM solution installs
4 - Only managed apps that the MDM solution installs
Apps that the MDM solution installs are considered managed. You can apply restrictions to managed apps that limit how users can share attachments with unmanaged apps.
Where can you confirm whether iCloud restrictions are active in a managed Mac?
- In iCloud Keychain in Keychain Access
- In System Settings > Privacy & Security
- In Restrictions in System Information
- In About This Mac in the Apple menu
2 - In System Settings > Privacy & Security
After you’ve used MDM to push restrictions to your devices, the profile displays those restrictions. Using System Settings, you can review the restrictions by choosing the profile containing them.
Which type of payload do you use to prevent a user from removing system apps on iPhone?
- Restrictions
- Privacy & Security
- Software Updates
1 - Restrictions
Use a Restrictions payload to prevent users from removing system apps on iPhone.
Where on a Mac with macOS 13.0 or later do you access the options to configure Gatekeeper?
- In System Settings > General, below Security settings.
- In System Settings > Control Center, below Security settings.
- In System Preferences > Security & Privacy, in the General tab.
- In System Settings > Privacy & Security, below Security settings.
4 - In System Settings > Privacy & Security, below Security settings.
In macOS 13.0 or later you configure Gatekeeper below Security settings in System Settings > Privacy & Security.
You apply an MDM payload to prevent users from installing apps from the App Store to a device.
Which types of apps are still available to download to the device?
- Games and Reader apps
- All free apps that don’t have in-app purchases
- Managed apps, MDM-installed apps, system apps, and updates to those apps
3 - Managed apps, MDM-installed apps, system apps, and updates to those apps
The device can still receive managed apps, MDM-installed apps, system apps, and updates to those apps despite restrictions on access to the App Store.
What is a benefit of enabling FileVault on a Mac startup volume?
- Additional security by requiring a login password to decrypt data
- Increased encryption by increasing the number of bits in the key from 0 to 128
- Enhanced privacy by encoding all data sent over a Mac computer’s network connections
1 - Additional security by requiring a login password to decrypt data
On Mac computers with Apple silicon or the T2 chip, data is always encrypted on the startup volume. Turning on FileVault provides additional security by requiring a login password to decrypt data.
What is the purpose of a PRK (Personal Recovery Key)?
- To initiate an “Erase All Content and Settings” command
- To unlock the startup disk if the user forgets their login password
- To authorize the installation of macOS software updates and upgrades
2 - To unlock the startup disk if the user forgets their login password
When you first turn on FileVault on an individual unmanaged Mac, you choose how you want to unlock the startup disk if the user forgets their login password: with the Apple ID they use for iCloud or with a PRK.
When managing FileVault using MDM, which of the following is required?
- The managed Mac must be supervised.
- An IRK must be installed on the managed Mac.
- A user must log in on the managed Mac using an administrator account.
1 - The managed Mac must be supervised.
You can manage FileVault settings on Mac computers that are enrolled in and supervised by your MDM solution, using either Automated Device Enrollment or Device Enrollment.
On a Mac, which type of account is required to perform software upgrades?
- Local administrator
- Network
- Shared
- Standard
1 - Local administrator
A local administrator account is required to perform a software upgrade on a Mac.
Why would you defer software updates on Apple devices?
- To roll back an update if it’s unsuccessful
- To test critical apps and infrastructure before deploying the update
- To verify that your organization’s iPhone and iPad devices are managed
2 - To test critical apps and infrastructure before deploying the update
Testing apps and infrastructure before deployment is critical.
What is the maximum number of days that you can defer software updates on Apple devices?
- 30
- 60
- 90
- 99
3 - 90
You can defer software updates up to 90 days.