Apple Deployment and Management Flashcards
What links a device to an MDM solution?
- APNs
- A firewall
- A restriction
- An enrollment profile
4 - An enrollment profile
An enrollment profile links a device to the MDM solution.
What does MDM need to operate, specifically for APNs and SSL?
- Certificates
- Restrictions
- Enrollment profiles
1 - Certificates
MDM requires multiple certificates to operate, including an APNs certificate to talk to clients and an SSL certificate to communicate securely.
Which Apple device capability allows MDM to secure devices?
- Location Services
- Enrollment profiles
- Built-in device security features
3 - Built-in device security features
An MDM solution allows you to use the device’s built-in security features.
How do devices report their status when using declarative device management?
- Declarations
- The status channel
- Profiles
2 - The status channel
The status channel is what a device uses to update the MDM server with information about itself.
In which type of enrollment and ownership model can users personalize apps and data on their managed devices?
1. BYOD, organization-owned
2. Nonpersonalized, organization-owned
3. Personally enabled, organization-owned
3 - Personally enabled, organization-owned
The organization assigns devices to users, and after configuration, users can personalize their devices with their own apps and data.
In which type of ownership model can users personalize apps and data on their personal devices?
- BYOD, User Enrollment
- BYOD, organization-owned
- Nonpersonalized, organization-owned
- Personally enabled, organization-owned
1 - BYOD, User Enrollment
BYOD users can customize their personal devices before and after enrolling them in an MDM solution.
In which ownership model can IT administrators restrict the installed apps and personal data on a device meant to be shared with multiple users?
- BYOD, User Enrollment
- BYOD, personally enabled
- Nonpersonalized, organization-owned
- Personally enabled, organization-owned
3 - Nonpersonalized, organization-owned
IT administrators typically centrally configure and manage shared or single-purpose devices.
How do you enroll devices ineligible for automatic enrollment in Apple Business Manager or Apple School Manager?
- Device Enrollment
- Automated Device Enrollment
- Automatic enrollment
- No enrollment possible
1 - Device Enrollment
You can choose to manually enroll devices in your MDM solution by installing an enrollment profile locally on the devices.
Which type of enrollment is ideal for devices you need to distribute to multiple users in multiple regions?
- Device Enrollment
- User Enrollment
- Automated Device Enrollment
3 - Automated Device Enrollment
Automated Device Enrollment is the most convenient choice because you can enroll devices in MDM without physically handling or preparing devices before users receive them.
Which type of enrollment do you commonly use for BYOD deployments?
- Device
- User
- Automated device
2 - User
BYOD deployments most commonly employ User Enrollment. You can provide BYOD users a customized URL to an enrollment portal.
What do you need to consider when evaluating MDM solutions?
- Support for watchOS
- Pricing structure and subscription model
- A device’s life cycle and trade-in value
2 - Pricing structure and subscription model
Understand your organization’s budget and growth projections, then compare MDM solution pricing and subscription options.
Which is a deployment model to consider as part of your device management goals?
- Application Programming Interface (API)
- Over-the-air (OTA) enrollment
- One-to-one
3 - One-to-one
Also known as personally enabled, one-to-one is a deployment model you can consider when understanding your organization’s needs.
Which is an important user authentication feature of an MDM solution that you should consider?
- Support and integration with your identity provider or directory service
- Support for future versions of macOS, iOS, and iPadOS
- Support for the BYOD deployment model
1 - Support and integration with your identity provider or directory service
Verify if the MDM solution supports your current identity provider or directory service.
Which aspect of your organization’s infrastructure should you evaluate to ensure that your organization meets the network roaming needs of users throughout a building?
- Number of devices per user
- Wi-Fi coverage and capacity
- Adequate number of access points per device
- Sources of interference caused by construction materials
2 - Wi-Fi coverage and capacity
Evaluating Wi-Fi coverage and capacity helps you strategically place wireless access points that have enough power to meet the roaming needs throughout your organization’s facilities.
Which type of network uses individual user credentials or device- and/or user-based certificates to control who or which devices can use the network?
- Provisioning network
- WPA2 Personal network
- WPA2 Enterprise network
3 - WPA2 Enterprise network
WPA2 Enterprise network uses individual user credentials or device- and/or user-based certificates to control who or what devices can use the network.
Which functions require Apple devices to continuously access APNs?
- Bonjour access, content caching, and internet connection sharing
- SSO, VPN connectivity, and Wi-Fi network roaming
- Notifications of operating-system and app updates, MDM policies, and messages
- Ad and location tracking, Keychain data backup, and app suggestions
3 - Notifications of operating-system and app updates, MDM policies, and messages
Apple devices learn of operating-system and app updates, MDM policies, and incoming messages through continuous access to APNs. Make sure that your organization allows network traffic access to Apple’s network on the entire 17.0.0.0/8 address block on port 5223, with a fallback option of port 443.
What should you do to ensure that Apple devices can access APNs and other Apple services on your organization’s network?
- Configure all devices to auto-establish secure VPN access to Apple’s network.
- Deploy devices with an SSO payload that are configured to allow access to Apple’s network.
- Adjust network configurations on web proxies or firewall ports to allow access to Apple’s network.
- Set up your network to work with Bonjour so that devices can connect to APNs and Apple services.
3 - Adjust network configurations on web proxies or firewall ports to allow access to Apple’s network.
For Apple devices to access APNs and Apple services, you might need to adjust network configurations on web proxies or firewall ports to allow network traffic access to Apple’s network. Make sure that your organization allows network traffic access to Apple’s network on the entire 17.0.0.0/8 address block on port 5223, with a fallback option of port 443.
What’s the most commonly deployed authentication technology that both AD and SSO use?
- Kerberos
- MSCHAPv2
- OAuth
- SAML
1 - Kerberos
Kerberos is the most commonly deployed authentication technology that both AD and SSO use.
Which Kerberos feature allows users to sign in once and access multiple authenticated services?
- Sign in with Apple at Work & School
- OAuth
- Ticket-granting ticket (TGT)
- SAML
3 - Ticket-granting ticket (TGT)
TGT generates a ticket for the use of any resource that supports Kerberos without requiring the user to authenticate again.
Which feature allows administrators to streamline the creation of Managed Apple IDs based on existing Google Workspace or Azure AD data?
- MSCHAPv2
- Federated Authentication
- Active Directory
- SAML
2 - Federated Authentication
Federated authentication can link Apple Business Manager, Apple Business Essentials, or Apple School Manager to your instance of Google Workspace or Azure AD to automatically create Managed Apple IDs for your users.
What’s a benefit of using Apple Business Manager or Apple School Manager to automate MDM enrollment during initial setup of managed Apple devices?
- You can track the location of managed devices.
- You can make the enrollment mandatory and nonremovable on user-owned devices.
- You can make the enrollment mandatory and nonremovable on organization-owned devices.
3 - You can make the enrollment mandatory and nonremovable on organization-owned devices.
Using Apple Business Manager or Apple School Manager provides additional enrollment options for managed, organization-owned Apple devices.
Which strategy would be most effective in a scenario where an organization wants to ensure that users always have the apps they need on their devices and to control the access and exchange of the organization’s sensitive information?
- Deploy devices to users in shared mode.
- Install a nonremovable managed app onto the devices.
- Convert all unmanaged apps on the devices to managed apps.
2 - Install a nonremovable managed app onto the devices.
Nonremovable managed apps are ideal for deployment scenarios where an organization wants to ensure that users always have the apps they need on their devices and to control the access and exchange of the organization’s sensitive information.
What’s the main benefit of using managed device attestation when deploying Apple devices in an organization?
- It allows the MDM administrator to use a bypass code to erase a device and assign it to a new user.
- It allows a user to unlock the storage on APFS volumes that require a secure token and then become owners of the volume.
- It provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
3 - It provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
Managed device attestation provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
Why might you create a security policy that enforces the use of FileVault for data encryption on a managed Mac?
- This policy ensures that users can’t disable FileVault.
- When you use an MDM solution to enable FileVault, it adds a Recovery Key to a user’s iCloud account.
- FileVault is compatible with any Apple device.
- You can use third-party encryption algorithms to configure FileVault.
1 - This policy ensures that users can’t disable FileVault.
Users can’t disable FileVault if you enforce it with a configuration profile on managed Mac computers.