Learning Guide Questions Flashcards
What links a device to an MDM solution?
A. APNs
B. A firewall
C. restriction
D. An enrollment profile
D. An enrollment profile
Explanation:
An enrollment profile links a device to the MDM solution.
What does MDM need to operate, specifically for APNs and SSL?
A. Certificates
B. Restrictions
C. Enrollment profiles
A. Certificates
Explanation:
MDM requires multiple certificates to operate, including an APNs certificate to talk to clients and an SSL certificate to communicate securely.
Which Apple device capability allows MDM to secure devices?
A. Location Services
B. Enrollment profiles
C. Built-in device security features
C. Built-in device security features
Explanation:
An MDM solution allows you to use the device’s built-in security features.
How do devices report their status when using declarative device management?
A. Declarations
B. The status channel
C. Profiles
B. The status channel
Explanation:
The status channel is what a device uses to update the MDM server with information about itself.
Which statement about the Apple management framework is true?
A. It’s built into Apple devices.
B. It doesn’t support personal devices.
C. It provides settings created by third parties to manage Apple devices.
A. It’s built into Apple devices.
Explanation:
Each MDM solution uses the built-in Apple management framework to manage features and settings for each platform.
After a device has enrolled in an MDM server, what happens next?
A. The device reports status to the server.
B. The device polls the server for any commands.
C. The server sends push notifications to the device.
C. The server sends push notifications to the device.
Explanation:
After a device enrolls in the MDM server, the server sends push notifications to the device when there are commands to process on the device.
What transformative update to the MDM protocol allows a device to react autonomously to its own state changes and apply management logic to itself without cues from the server?
A. User Enrollment
B. Device Assignment
C. Declarative device management
C. Declarative device management
Explanation:
Declarative device management allows the device to be autonomous and proactive, freeing up the server to be lightweight, reactive, and able to subscribe to updates without constant polling.
What happens if you install an exclusive payload setting onto a managed Apple device that already contains settings for the same payload?
A. The payload setting will be undefined.
B. The payload setting overwrites the previous setting.
C. The payload setting will be combined and the more restrictive setting will be applied.
B. The payload setting overwrites the previous setting.
Explanation:
Exclusive payloads can have only one possible version of a setting and you can apply this type of setting only once.
When is it recommended to test beta software releases?
A. Quarterly
B. Year-round
C. When new devices are added to your organization
B. Year-round
Explanation:
A modern approach to managing Apple devices involves committing to the latest software, testing year-round, and ensuring that everything works together.
In which type of enrollment and ownership model can users personalize apps and data on their managed devices?
A. BYOD, organization-owned
B. Nonpersonalized, organization-owned
C. Personally enabled, organization-owned
C. Personally enabled, organization-owned
Explanation:
The organization assigns devices to users, and after configuration, users can personalize their devices with their own apps and data.
In which type of ownership model can users personalize apps and data on their personal devices?
A. BYOD, User Enrollment
B. BYOD, organization-owned
C. Nonpersonalized, organization-owned
D. Personally enabled, organization-owned
A. BYOD, User Enrollment
Explanation:
BYOD users can customize their personal devices before and after enrolling them in an MDM solution.
In which ownership model can IT administrators restrict the installed apps and personal data on a device meant to be shared with multiple users?
A. BYOD, User Enrollment
B. BYOD, personally enabled
C. Nonpersonalized, organization-owned
D. Personally enabled, organization-owned
C. Nonpersonalized, organization-owned
Explanation:
IT administrators typically centrally configure and manage shared or single-purpose devices.
Which method should you use to enroll devices that are ineligible for automatic enrollment in Apple Business Manager or Apple School Manager?
A. Device Enrollment
B. Automated Device Enrollment
C. Automatic enrollment
D. No enrollment possible
A. Device Enrollment
Explanation:
You can enroll devices ineligible for automatic enrollment in Apple Business Manager or Apple School Manager.
Which type of enrollment is ideal for devices you need to distribute to multiple users in multiple regions?
A. Device Enrollment
B. User Enrollment
C. Automated Device Enrollment
C. Automated Device Enrollment
Explanation:
Automated Device Enrollment is the most convenient choice because you can enroll devices in MDM without physically handling or preparing devices before users receive them.
Which type of enrollment do you commonly use for BYOD deployments?
A. Device
B. User
C. Automated device
B. User
Explanation:
BYOD deployments most commonly employ User Enrollment with a dedicated Managed Apple Account.
What do you need to consider when evaluating MDM solutions?
A. Support for a wireless infrastructure
B. Pricing structure and subscription model
C. A device’s life cycle and trade-in value
B. Pricing structure and subscription model
Explanation:
Understand your organization’s budget and growth projections, then compare MDM solution pricing and subscription options.
Which is a deployment model to consider as part of your device management goals?
A. Application Programming Interface (API)
B. Over-the-air (OTA) enrollment
C. One-to-one
C. One-to-one
Explanation:
One-to-one is a deployment model that provides at least one dedicated device configured specifically for each user.
Which is an important user authentication feature of an MDM solution that you should consider?
A. Support and integration with your identity provider or directory service
B. Support for future versions of Apple’s software platforms.
C. Support for the BYOD deployment model
A. Support and integration with your identity provider or directory service
Explanation:
Verify if the MDM solution supports your current identity provider or directory service.
Which aspect of your organization’s infrastructure should you evaluate to ensure that your organization meets the network roaming needs of users throughout a building?
A. Number of devices per user
B. Wi-Fi coverage and capacity
C. Adequate number of access points per device
D. Sources of interference caused by construction materials
B. Wi-Fi coverage and capacity
Explanation:
Evaluating Wi-Fi coverage and capacity helps you strategically place wireless access points that have enough power to meet the roaming needs throughout your organization’s facilities.
Which type of network uses individual user credentials or device- and/or user-based certificates to control who or which devices can use the network?
A. Provisioning network
B. WPA2 Personal network
C. WPA2 Enterprise network
C. WPA2 Enterprise network
Explanation:
WPA2 Enterprise network uses individual user credentials or device- and/or user-based certificates to control who or what devices can use the network.
Which functions require Apple devices to continuously access APNs?
A. Bonjour access, content caching, and internet connection sharing
B. SSO, VPN connectivity, and Wi-Fi network roaming
C. Notifications of operating-system and app updates, MDM policies, and messages
D. Ad and location tracking, Keychain data backup, and app suggestions
C. Notifications of operating-system and app updates, MDM policies, and messages
Explanation:
Apple devices learn of operating-system and app updates, MDM policies, and incoming messages through continuous access to APNs. Make sure that your organization allows network traffic access to Apple’s network on the entire 17.0.0.0/8 address block on port 5223, with a fallback option of port 443.
What should you do to ensure that Apple devices can access APNs and other Apple services on your organization’s network?
A. Configure all devices to auto-establish secure VPN access to Apple’s network.
B. Deploy devices with an SSO payload that are configured to allow access to Apple’s network.
C.Adjust network configurations on web proxies or firewall ports to allow access to Apple’s network.
D. Set up your network to work with Bonjour so that devices can connect to APNs and Apple services.
C. Adjust network configurations on web proxies or firewall ports to allow access to Apple’s network.
Explanation:
For Apple devices to access APNs and Apple services, you might need to adjust network configurations on web proxies or firewall ports to allow network traffic access to Apple’s network. Make sure that your organization allows network traffic access to Apple’s network on the entire 17.0.0.0/8 address block on port 5223, with a fallback option of port 443
What’s the most commonly deployed authentication technology that both AD and SSO use?
A. Kerberos
B. MSCHAPv2
C. OAuth
D. SAML
A. Kerberos
Explanation:
Kerberos is the most commonly deployed authentication technology that both AD and SSO use.
Which Kerberos feature allows users to sign in once and access multiple authenticated services?
A. Sign in with Apple at Work & School
B. OAuth
C. Ticket-granting ticket (TGT)
D. SAML
C. Ticket-granting ticket (TGT)
Explanation:
TGT generates a ticket for the use of any resource that supports Kerberos without requiring the user to authenticate again.
Which feature allows administrators to streamline the creation of Managed Apple Accounts based on existing Google Workspace or Microsoft Entra ID data?
A. MSCHAPv2
B. Federated Authentication
C. Active Directory
D. SAML
B. Federated Authentication
Explanation:
Federated authentication can link Apple Business Manager, Apple Business Essentials, or Apple School Manager to your instance of Google Workspace or Microsoft Entra ID to automatically create Managed Apple Accounts for your users.
What’s a benefit of using Apple Business Manager or Apple School Manager to automate MDM enrollment during initial setup of managed Apple devices?
A. You can track the location of managed devices.
B. You can make the enrollment mandatory and nonremovable on user-owned devices.
C. You can make the enrollment mandatory and nonremovable on organization-owned devices.
C.
You can make the enrollment mandatory and nonremovable on organization-owned devices.
Explanation:
Using Apple Business Manager or Apple School Manager provides additional enrollment options for managed, organization-owned Apple devices.
Which strategy would be most effective in a scenario where an organization wants to ensure that users always have the apps they need on their devices and to control the access and exchange of the organization’s sensitive information?
A. Deploy devices to users in shared mode.
B. Install a nonremovable managed app onto the devices.
C. Convert all unmanaged apps on the devices to managed apps.
B. Install a nonremovable managed app onto the devices.
Explanation:
Nonremovable managed apps are ideal for deployment scenarios where an organization wants to ensure that users always have the apps they need on their devices and to control the access and exchange of the organization’s sensitive information.
What’s the main benefit of using Managed Device Attestation when deploying Apple devices in an organization?
A. It allows the MDM administrator to use a bypass code to erase a device and assign it to a new user.
B. It allows a user to unlock the storage on APFS volumes that require a secure token and then become owners of the volume.
C. It provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
C. It provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
Explanation:
Managed Device Attestation provides a strong assurance to MDM administrators of device properties that can be evaluated as part of a client certificate identity enrollment request.
Why might you create a security policy that enforces the use of FileVault for data encryption on a managed Mac?
A. This policy ensures that users can’t disable FileVault.
B. When you use an MDM solution to enable FileVault, it adds a Recovery Key to a user’s iCloud account.
C. FileVault is compatible with any Apple device.
D. You can use third-party encryption algorithms to configure FileVault.
A. This policy ensures that users can’t disable FileVault.
Explanation:
Users can’t disable FileVault if you enforce it with a configuration profile on managed Mac computers.
Which benefit helps IT administrators reduce the need to perform extensive configurations on Apple devices?
A. Many security features are turned on by default.
B. Users can select a security profile in Setup Assistant.
C. IT administrators can deliver and enforce policies without an MDM solution.
D, IT administrators can issue remote commands to devices to erase all private information.
A. Many security features are turned on by default.
Explanation:
Because many security features on Apple devices are turned on by default, administrators save time when they configure devices.
What happens if your Apple device can’t validate the trust chain of a signing CA?
A. The service encounters an error.
B. The CA is added to the unapproved list.
C. The user is asked to enter the device password or passcode.
A. The service encounters an error.
Explanation:
If your Apple device can’t validate the trust chain of a signing CA, the service encounters an error.
Which MDM payload setting can you use to turn off updating certificates wirelessly for iPhone and iPad devices?
A. Automatic sync while roaming
B. Allow users to accept untrusted TLS certificates
C. Allow automatic updates to certificate trust settings
C. Allow automatic updates to certificate trust settings
Explanation:
When you deselect this option and push the payload to your device, you prevent wireless certificate updates.
You’ve installed a payload on your managed Apple device that prevents users from accepting untrusted TLS certificates.
What happens when users try to access a webpage that uses an untrusted TLS certificate and then tap Show Details?
A. They’re asked to contact the issuing CA to validate the certificate.
B. They can tap “view the certificate,” but they can’t trust this certificate or visit the site.
C. They can’t tap “view the certificate,” and they can view only the unsecured version of the webpage.
B. They can tap “view the certificate,” but they can’t trust this certificate or visit the site.
Explanation:
When you deselect the option “Allow users to accept untrusted TLS certificates,” users can’t accept untrusted TLS certificates or visit sites that use untrusted certificates.
How do you configure Custom Apps to appear in the sidebar?
A. In Settings, select Apps and Books, then click Enable next to Custom Apps.
B. In Settings, select Enrollment Information, then click Enable next to Custom Apps.
C. In Roles, choose the role for which to enable custom apps, then select the View Custom Apps checkbox.
B. In Settings, select Enrollment Information, then click Enable next to Custom Apps.
Explanation:
You enable Custom Apps in Settings > Enrollment Information. When you enable the Custom Apps option, it appears below the Content section in the sidebar.
What’s the purpose of using federated authentication with Apple Business Manager or Apple School Manager?
A. Federated authentication verifies your organization’s eligibility.
B. Federated authentication verifies ownership of the domains that you use with your portal.
C. Federated authentication allows users to log into one system with the user name and password from another system.
C. Federated authentication allows users to log into one system with the user name and password from another system.
Explanation:
When you link to Google Workspace or Microsoft Entra ID, people can use their user names and passwords from your domain as Managed Apple Accounts.
You didn’t import user data into Apple Business Manager after configuring federated authentication.
Which Apple Business Manager settings pane can you use to import user data into Apple Business Manager?
A. Accounts
B. Directory Sync
C. Enrollment Information
B. Directory Sync
Explanation:
In the Directory Sync pane, you can sync Apple Business Manager with user data from your Google Workspace or Microsoft Entra ID.
Which of the following roles has the least user privileges?
A. Staff
B. Administrator
C. Content Manager
A. Staff
Explanation:
The Staff role has the least user privileges.
Which type of additional user should you create immediately after sign-up is complete?
A. Administrator
B. Device Enrollment Manager
C. People Manager
D. Content Manager
A. Administrator
Explanation:
After sign-up is complete, you’re the only person who can sign in. Create a second administrator account in case you can’t sign in for any reason.
Which roles must your account have to add or edit locations in Apple Business Manager?
A. Administrator or Site Manager
B. Administrator or People Manager
C. People Manager or Content Manager
B. Administrator or People Manager
Explanation:
Only an Administrator or a People Manager can add or edit locations in Apple Business Manager.
You’ve created a number of users with Content Manager, Device Enrollment Manager, and People Manager roles.
What should you do next to give each user access?
A. Enter a secure password for each user.
B. Ask each user to enroll in your portal.
C. Create sign-in information and email it to each user.
C. Create sign-in information and email it to each user.
Explanation:
You can choose to either email users their sign-in information directly or download it as a PDF or CSV file.
Which statement about adding an MDM server in Apple Business Manager or Apple School Manager is true?
A. Adding an MDM server creates a link to your MDM solution.
B. Adding an MDM server eliminates the need for an MDM solution.
C. Adding an MDM server configures an additional server in your MDM solution.
A. Adding an MDM server creates a link to your MDM solution.
Explanation:
Adding an MDM server establishes a secure relationship between your MDM solution and Apple Business Manager or Apple School Manager.
What’s the purpose of the public key certificate file that you download from your MDM server before you add the server to your Apple Business Manager or Apple School Manager portal?
A. It enables the MDM server to securely send email through the portal.
B. It configures two-step verification between your MDM server and the portal.
C. It contains a public key that the MDM server uses to encrypt the portal server token.
C. It contains a public key that the MDM server uses to encrypt the portal server token.
Explanation:
You upload the public key certificate file to Apple Business Manager or Apple School Manager when you add your MDM server.
After you add your MDM server in your Apple Business Manager or Apple School Manager portal, what must you do so that the MDM server securely connects to the portal?
A. Enter the encryption key that the portal generates into the MDM server.
B. Verify that the secure URL for your MDM server in the portal is correct.
C. Download the server token from the portal and upload it to the MDM server.
C. Download the server token from the portal and upload it to the MDM server.
Explanation:
The server token is a P7M file that your MDM server uses to securely connect to Apple Business Manager or Apple School Manager.
On your Mac, which Apple Configurator tool do you use to add donated iPhone and iPad devices to Apple Business Manager, Apple Business Essentials, or Apple School Manager?
A. Blueprints
B. Profile Editor
C. Prepare Assistant
D. Device Assignments
C. Prepare Assistant
Explanation:
You can use Apple Configurator with Prepare Assistant to manually add iPhone and iPad devices to Apple Business Manager, Apple Business Essentials, or Apple School Manager.
What happens if a Wi-Fi payload isn’t included in a configuration profile when using Apple Configurator on your Mac to manually add iPhone or iPad devices to Apple Business Manager, Apple Business Essentials, or Apple School Manager?
A. Adding the device fails with a network error.
B. The device is added to Apple Business Manager, Apple Business Essentials, or Apple School Manager but isn’t able to connect to Wi-Fi.
C. Apple Configurator continues trying to add the device to Apple Business Manager, Apple Business Essentials, or Apple School Manager until you click Cancel.
A. Adding the device fails with a network error.
Explanation:
Because iPhone and iPad devices require an internet connection to be added to Apple Business Manager, Apple Business Essentials, or Apple School Manager, you must install a configuration profile with a Wi-Fi payload.
As an administrator in Apple Business Manager, Apple Business Essentials, or Apple School Manager, you’re manually adding a newly purchased Mac to your organization.
What else do you need to complete the task?
A. AppleCare+ for Mac chat or phone support
B. An enrollment profile for your MDM solution and a device supporting AirDrop
C. Another Mac, Apple Configurator, and a Thunderbolt or Ethernet cable to connect them
D. Your iPhone, the Apple Configurator for iPhone app, and a Wi-Fi connection to the internet
C. Your iPhone, the Apple Configurator for iPhone app, and a Wi-Fi connection to the internet
Explanation:
You can use Shared Wi-Fi credentials with Apple Configurator for iPhone to add the Mac computer to your organization.
Your organization wants to retain full ownership and control of apps that you bought through Apps and Books.
Which license type should you choose?
A. Custom licenses
B. Managed licenses
C. Redemption codes
D. Supervised licenses
B. Managed licenses
Explanation:
Choose Managed when you buy licenses for managed distribution. Your organization retains full ownership and control of apps through assignment with your MDM solution
You buy books and choose licenses for managed distribution.
What happens to ownership of the books when you distribute them?
A. Book ownership always transfers to users. You can’t revoke or reassign books.
B. You choose whether you want to retain or transfer ownership of books when you distribute them.
C. The organization retains full ownership and control, so you can revoke and reassign them later.
A. Book ownership always transfers to users. You can’t revoke or reassign books.
Explanation:
Regardless of whether you choose licenses for managed distribution or redemption codes, book ownership always transfers to the user.
What must multiple subnets share so that a network can use a single content cache, without requiring DNS changes?
A. DNS
B. Subnet
C. Bandwidth
D. Public IP Address
D. Public IP Address
Explanation:
You can set the caching server to provide content caching for subnets of the local network that share a common public IP address.
When an iPhone device on your network tries to download Apple content that could be cached, the Apple content server instructs the device to check with the local network’s cache first.
A. True
B. False
A. True
Explanation:
With content caching, when an iPhone device on your network downloads an iOS update from the App Store, content caching keeps a copy of the update.
Which issue could arise when multiple devices request the same data and caching is NOT turned on?
A. Data becomes less secure.
B. Bandwidth consumption increases.
C. Only the first device can download the requested data.
D. No issue — each device downloads the requested data.
B. Bandwidth consumption increases.
Explanation:
When the second device requests the same content, the bandwidth consumption doubles because the second device also needs to download the content from the internet.
For best results, deploy content caching on a Mac that has a single wired Ethernet connection as its only network connection.
A. True
B. False
A. True
Expanation:
Use an Ethernet connection to the network for best results.
Where do you turn on content caching on your Mac?
A. System Settings > Privacy & Security
B. System Settings > Sharing
C. System Settings > Network
D. System Settings > Displays
B. System Settings > Sharing
Explanation:
Use the Content Caching option in Sharing settings to manage content caching on your Mac.
Which setting should you select to prevent your computer from going to sleep and interfering with content caching?
A. Wake for network access
B. Put hard disks to sleep when possible
C. Enable Power Nap while plugged into a power source
D. Prevent automatic sleeping when the display is off
D. Prevent automatic sleeping when the display is off
Explanation:
Content caching requires the Mac to be turned on.
With internet connection sharing, you can use a Mac computer’s internet connection to cache content for iPhone or iPad devices that are physically connected to the Mac through USB.
A. True
B. False
A. True
Explanation:
A Mac with internet connection sharing turned on and with an Ethernet connection can cache content for iPhone and iPad devices.
Which advanced option do you use to set the cache size?
A. Peers
B. Storage
C. Clients
D. Parents
B. Storage
Explanation:
You view and set the cache size in the Storage tab.
Which Mac sharing service becomes unavailable when the content caching internet connection setting is turned on?
A. Internet Sharing
B. Remote Management
C. Media Sharing
D. File Sharing
A. Internet Sharing
Explanation:
Internet Sharing on a Mac becomes unavailable when the content caching internet connection setting is turned on.
When you use Activity Monitor to check performance statistics for content caching, which comparison can tell you how much content caching is helping?
A. The closer the Maximum Cache Pressure value is to the Data Served value, the more content caching is helping.
B. The further the Maximum Cache Pressure value is from the Data Served value, the more content caching is helping.
C. The closer the Data Served From Cache values are to the Data Served values, the more content caching is helping.
D. The further the Data Served From Cache values are from the Data Served values, the more content caching is helping.
C. The closer the Data Served From Cache values are to the Data Served values, the more content caching is helping.
Explanation:
Comparing the closeness of these two values is the best way to determine how content cache is helping.
Where does the content caching service send log messages?
A. To the main system.log
B. To the subsystem com.apple.AssetCache
C. To the subsystem com.apple.ContentCache
D. To the subsystem com.apple.AssetCacheManagerUtil
B. To the subsystem com.apple.AssetCache
Explanation:
Specifying this subsystem in the log command filters the displayed results to those associated with content caching.
Which command can you use to configure advanced settings for content caching?
A. defaults write
B. AssetCacheManagerUtil status
C. AssetCacheManagerUtil settings
A. defaults write
Explanation:
When used with sudo, the defaults write command allows you to configure advanced settings for content caching.
Which tool can you use to display advanced settings for the content caching service?
A. Activity Monitor
B. Console
C. System Settings
D. Terminal
D. Terminal
Explanation:
You can use the command-line interface in Terminal to configure all settings, both basic and advanced, for content caching.
Which statement about entering Apple Customer Numbers and Reseller Numbers is correct?
A. You can enter both an Apple Customer Number and a Reseller Number.
B. You can enter an Apple Customer Number or a Reseller Number but not both.
C. You can enter only one Apple Customer Number, but multiple Reseller Numbers.
A. You can enter both an Apple Customer Number and a Reseller Number.
Explanation:
You can enter both an Apple Customer Number and a Reseller Number and even add multiple numbers if you need them.
Your organization has multiple MDM servers linked in Apple Business Manager or Apple School Manager.
What should you do to automatically assign iPhone devices and Mac computers to different MDM servers?
A. Choose your preferred assignment method in MDM Server Assignment, then select the default MDM server for each device type.
B. Edit the assignment options in Default MDM Server Assignment settings and choose a different server for iPhone devices and Mac computers.
C. Upload a CSV file containing iPhone device serial numbers and assign them to one MDM server, then upload a CSV file for Mac computers and assign them to a different MDM server.
B. Edit the assignment options in Default MDM Server Assignment settings and choose a different server for iPhone devices and Mac computers.
Explanation:
If you have linked more than one MDM server, you can choose default assignments by device type in Default MDM Server Assignment settings.
You made multiple orders for new iPhone devices and you want the devices from one order assigned to a different MDM server than the others.
What’s the best way to do that?
A. Use MDM Server Assignment to change the Default MDM Server Assignment for iPhone.
B. Select Devices, filter by order number and device type, then select All Devices to change assignments.
C. Use MDM Server Assignment to enter a new Reseller Number for the order to filter device assignments.
D. Use Devices to download a CSV file containing iPhone device serial numbers for that order only. Edit the file and upload it with the unique server assignment for the iPhone devices in that order
B. Select Devices, filter by order number and device type, then select All Devices to change assignments.
Explanation:
You can select All Devices to edit the MDM Server assignments of all devices matching the search criteria.
You’re responsible for managing 10 identical iPad devices that your organization uses in a training classroom and networking isn’t available onsite. Each week you need to retrieve the files stored on each device by the recent students and set up the devices for a new class.
Which approach is best for this task?
A. Apple Configurator for Mac
B. Apple Configurator for Mac with Shared iPad
C. Apple Configurator for Mac with your MDM solution
A. Apple Configurator for Mac
Explanation:
You can use Apple Configurator for Mac to create a single backup configuration that you apply to all the devices at the start of class and that you retrieve files with at the end.
Which type of content can you assign to iPhone or iPad with Apple Configurator for Mac?
A. Apps
B. User settings
C. Purchased music
D.Podcasts
A. Apps
Explanation:
Distributing apps to multiple Apple devices simplifies deployment.
Which of the following devices can Apple Configurator for iPhone add to Apple Business Manager, Apple Business Essentials, and Apple School Manager?
A.iPhone with iOS 15, iPad with iPadOS 16.1, and Mac with macOS 11 or later installed.
B.iPhone with iOS 16, iPad with iPadOS 16.1, Mac with macOS 12.0.1, and Apple TV with tvOS 16 or later installed.
C.iPhone with iOS 16, iPad with iPadOS 16.1, and Mac with macOS 12.0.1 or later installed.
D. iPhone with iOS 16, iPad with iPadOS 15, and Mac with macOS 11 or later installed.
C. iPhone with iOS 16, iPad with iPadOS 16.1, and Mac with macOS 12.0.1 or later installed.
Explanation:
Apple Configurator for iPhone can add iPhone, iPad, and Mac to Apple Business Manager, Apple Business Essentials, and Apple School Manager.
Which type of information about iPad can you view in Apple Configurator for Mac?
A. Camera status
B. iPad location
C. Console log
D. Ebook licenses
C. Console log
Explanation:
You can find the Console log by choosing File > Get Info from the Apple Configurator for Mac menu bar.
From where do you install the cfgutil tool?
A. From the App Store
B. From Apple Configurator for Mac
C. From Profile Manager
D. From /Applications/Utilities on your Mac
B. From Apple Configurator for Mac
Explanation:
The cfgutil tool is one of the automation tools that you can install from Apple Configurator for Mac.
Which tool can you use to automate configurations with shell scripts?
A. Blueprints
B. Shortcuts app
C. Command-line tool cfgutil
C. Command-line tool cfgutil
Explanation:
The command-line tool cfgutil in the Terminal app helps you write shell scripts and automate specific processes.
Which tool can you use to create your own workflows for bulk deployments?
A. Blueprints
B. Shortcuts app
C. Command-line tool
B. Shortcuts app
Explanation:
You can use the Shortcuts app to create automated workflows for others to use when configuring devices.
Which tool can you use to automate configurations with a template tool to add configuration profiles and apps?
A. Blueprints
B. Shortcuts app
C. Command-line tool
A. Blueprints
Explanation:
Blueprints use template tools to record actions that you can then apply to devices.
What is a configuration profile?
A. A System Report file with hardware and software configuration from a device
B. An automation file to script Apple Configurator actions
C. A file with user data from Apple devices
D. A file with payloads for Apple devices
D. A file with payloads for Apple devices
Explanation:
A profile is a file with payloads that contain settings and authorization information for Apple devices.
Which tool is most commonly used to build configuration profiles with payloads specific to macOS?
A. Apple Configurator for iPhone
B. Apple Business Manager
C. An MDM solution
C. An MDM solution
Explanation:
To create custom configuration profiles that contain settings specific to macOS, use an MDM solution.
Which tool can you use to set up payloads for Apple TV?
A. Profile Editor
B. Prepare Assistant
C. Setup Assistant
D. Blueprints
A. Profile Editor
Explanation:
Use the Profile Editor to create configuration profiles for Apple TV as well as iPhone and iPad devices.
An MDM solution is the only way to create and distribute a configuration profile.
A. True
B. False
B. False
Explanation:
You can also create a configuration profile with Apple Configurator and then distribute it using a message, a web page, Apple Configurator, or an MDM solution.
What is the benefit of signing configuration profiles?
A. A signed profile prevents users from removing the profile from the device.
B. Signing a configuration profile makes it more resistant to tampering during distribution.
C. Signing a configuration profile allows a device to communicate securely with an MDM solution.
B. Signing a configuration profile makes it more resistant to tampering during distribution.
Explanation:
If someone modifies a profile after you sign it, the MDM framework won’t allow that profile to be installed on a device.
Which payload prevents a user from later configuring an option that is hidden in Setup Assistant during device setup?
A. App Configuration
B. Parental Controls
C. Restrictions
D. Security & Privacy
C. Restrictions
Explanation
Configure Restrictions to restrict functions for Setup Assistant options that you hide during device setup. Restrictions remain in place until removed.
What allows you to configure which Setup Assistant panes users see during device setup?
A. App Configuration
B. Require credentials for enrollment
C. Assigning devices to your MDM solution in Apple Business Manager, Apple Business Essentials, or Apple School Manager
D. Security & Privacy
C. Assigning devices to your MDM solution in Apple Business Manager, Apple Business Essentials, or Apple School Manager
Explanation:
You must configure them to enroll during setup.
A Mac computer was setup and acknowledged as owned by an organization (in Apple Business Manager, Apple Business Essentials, or Apple School Manager).
While the device remains registered to the organization, Setup Assistant always requires a network connection to proceed with activation of that Mac.
A. True
B. False
A. True
Explanation:
During the first setup, users can complete Setup Assistant on a Mac without a network connection. However, after connecting to the network and being acknowledged as owned by an organization, Setup Assistant requires a network connection to proceed with activations as long as the Mac remains registered to the organization—even if the Mac is erased.
How can you ensure that only authorized users can enroll a device?
A. Add a Restrictions payload to the device
B. Configure a Setup Assistant option
C. Select the option to require user authentication during enrollment
C. Select the option to require user authentication during enrollment
Explanation:
The user will need to authenticate in order to enroll.
Which Setup Assistant pane gives additional security to managed devices?
A. Touch ID
B. Siri
C. Apple Pay
A. Touch ID
Explanation:
Touch ID and Face ID help make a device more secure.
Which payload in the MDM framework allows you to configure Apple Account settings to prevent users from storing data from managed apps in iCloud?
A. Settings
B. Restrictions
C. Startup
D. iCloud
B. Restrictions
Explanation:
You use Restrictions to prevent users from storing data from managed apps in iCloud.
What is a benefit of preconfiguring Setup Assistant?
A. Users can use personal accounts to load their own apps.
B. Users learn about each setting.
C. Users can personalize every aspect of their device settings.
D. Users become productive sooner.
D. Users become productive sooner.
Explanation:
By preconfiguring Setup Assistant, users are more productive sooner.
You downloaded a configuration profile on iPhone from a website or an email message.
Where on the device do you install it?
A. Install the profile in the Settings app.
B. Delete the attachment, and go to a webpage.
C. Don’t do anything because the profile installs automatically.
A. Install the profile in the Settings app.
Explanation:
Users install the profile in the Settings app.
What happens when the user manually enrolls a device in the MDM solution?
A. Nothing happens until the user restarts the device.
B. The MDM solution records information about the device, such as the serial number and installed apps.
C. The user receives a web address where they can download the enrollment profile.
D. The user receives a web address where they can download the configuration profile.
B. The MDM solution records information about the device, such as the serial number and installed apps.
Explanation:
When the user connects to the MDM solution using the device, the MDM solution records information about the device.
What happens when a user enrolls a device using account-driven Device Enrollment?
A. Nothing happens until the user restarts the device.
B. The user visits a web address where they can download the enrollment profile.
C. Apps installed before MDM enrollment are converted to become managed apps.
D. The new managed account is displayed prominently within Settings or System Settings.
D: The new managed account is displayed prominently within Settings or System Settings.
Explanation:
After the authentication succeeds and the device begins the MDM enrollment process, the user signs in to their Managed Apple Account.
When you run the profiles command in Terminal, in which scenario are you limited to 10 requests in a 24-hour period?
A. Running profiles renew on a Mac with macOS 12 installed
B. Running profiles show on iPhone with iOS 16 installed
C. Running profiles status on a Mac with macOS 13 installed
D. Running profiles validate on a Mac with macOS 13 installed
D. Running profiles validate on a Mac with macOS 13 installed
Explanation:
Three options are limited to 10 requests in a 24-hour period: profiles show, profiles validate, and profiles renew.
What’s also removed when a user removes an enrollment profile from their device?
A. User data
B. The current operating system
C. Organization data
C. Organization data
Explanation:
Organization data is removed when the user removes an enrollment profile from their device.
What is service discovery in the four stages of user enrollment?
A. Users identify themselves to the MDM solution.
B. The MDM solution notifies an enrolled device through APNs that it needs to contact the server.
C. The device identifies itself to the MDM solution.
D. Users visit a specified self-service site to enroll their devices.
C. The device identifies itself to the MDM solution.
Explanation:
If users enroll their own devices, the devices identify themselves to an organization’s MDM solution.
What happens when users remove an enrollment profile from their devices?
A. Users can continue to use their apps, but an MDM solution doesn’t manage their apps anymore.
B. The devices reset and erase all settings.
C. All configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it.
D. Users are asked to reenroll the devices into the MDM solution.
C. All configuration profiles, their settings, and managed apps based on that enrollment profile are removed with it.
Explanation:
If users bring their own devices, they can remove the enrollment profiles to disassociate from an organization’s MDM solution.
How would you send new settings to user devices?
A. Send users a self-service URL.
B. Change and send a new updated configuration profile.
C. Remove the configuration profile, and send a new one.
D. Email users a link for a new configuration profile.
B. Change and send a new updated configuration profile.
Explanation:
The easiest way to send new settings is to use your MDM solution to change and send an updated configuration profile to users.
What MDM enrollment options can you give users if your organization has a BYOD policy?
A. Send an enrollment profile by email or SMS.
B. Provide a self-service portal if supported.
C. Enter a Managed Apple Account to start User Enrollment.
C. Enter a Managed Apple Account to start User Enrollment.
Explanation:
Navigate to Settings in iPhone or iPad devices or System Settings on a Mac computer and enter a Managed Apple Account to start User Enrollment.
Which iPad is compatible with Shared iPad?
A. iPad Air (3rd generation)
B. iPad Pro (12.9-inch)
C. iPad (5th generation)
D. iPad mini 3
A. iPad Air (3rd generation)
Which service can you configure on a Mac to temporarily store iCloud user data from shared iPad devices?
A. iCloud
B. Content Caching
C. Internet Sharing
B. Content Caching
Explanation:
When you have a Mac with the Content Caching service turned on, Shared iPad can locally save iCloud user data in addition to iPadOS and app updates.
Where can you find apps that are Optimized for Shared iPad?
A. Apple Configurator
B. Classroom
C. Apps and Books
C. Apps and Books
Explanation:
Apps optimized for Shared iPad are labeled in Apps and Books.
You can ship devices directly to users without touching or preparing the devices if your organization purchases them directly from a participating Apple Authorized Reseller or carrier and you automatically enroll them in MDM with Apple Business Manager, Apple Business Essentials, or Apple School Manager.
A. True
B. False
A. True
Explanation:
Organizations that purchase devices directly from a participating Apple Authorized Reseller or carrier can enroll the devices automatically in an MDM solution with Apple Business Manager, Apple Business Essentials, or Apple School Manager.
When you set up a device with Setup Assistant, which of the following might you be asked to enter during the enrollment in MDM?
A. iCloud email credentials
B. Managed Apple Account credentials
C. Organization-linked Activation Lock credentials
B. Managed Apple Account credentials
Explanation:
The option to add Managed (or personal) Apple Account credentials appears after you enroll the device in MDM if the administrator allows the option in Setup Assistant.
Which of the following is a task that a user can complete with help from a self-support site or app?
A. Download internal business apps
B. Purchase apps from the App Store
C. Install personalized apps on a device
D. Enroll a device in Apple Business Manager, Apple Business Essentials, or Apple School Manager
A. Download internal business apps
Explanation:
If an organization provides self-support sites, these sites can allow users to access device enrollment in MDM, downloads of internal business apps, and other device management services.
What do you use to connect Apple devices to networks that use 802.1X EAP-TLS authentication?
A. A configuration profile
B. A PAC file
C. A .plist file
A. A configuration profile
Explanation:
To connect Apple devices to networks that use 802.1X EAP-TLS authentication, MDM administrators must create the appropriate settings for their networks in configuration profiles and then push them to their devices.
Which security type do you use to configure managed Apple devices to connect to 802.1X networks?
A. WEP
B. WPA3 Enterprise
C. WPA3 Personal
B. WPA3 Enterprise
Explanation:
Configuring your managed Apple devices with this type gives them access to a broad range of 802.1X authentication environments.
You can use WPA2/WPA3 Enterprise authentication at the login window of macOS.
A. True
B. False
A. True
Explanation:
You can authenticate to a network from the login window when your Mac is set up with a compatible directory service and configured to use this mode with MDM.
You’re using your MDM solution to configure iPhone and iPad devices to connect to Wi-Fi networks using EAP-TLS.
Which of these types of certificates payloads can you use for authentication?
A. Active Directory Certificate
B. PKCS #12 Certificate
C. S/MIME Certificate
B. PKCS #12 Certificate
Explanation:
You can use a PKCS #12 identity certificate (.p12 or .pfx) payload or a SCEP payload for authentication to Wi-Fi networks using EAP-TLS on iPhone and iPad devices.
How does a PAC file influence the way an Apple device communicates over a network?
A. The device uses the authentication credentials defined in the PAC file to connect to servers.
B. The device follows the PAC file rules that define the proxy server’s location and traffic allowed to connect directly.
C. The device constructs a list of approved websites by using the web addresses that the PAC file defines.
B. The device follows the PAC file rules that define the proxy server’s location and traffic allowed to connect directly.
Explanation:
The proxy server’s location and rules for allowed direct traffic defined in the PAC file manage the way an Apple device communicates over a network.
Which of these alternatives to a proxy server URL could you use to configure a payload with proxy settings for an Apple device?
A. A .plist file with allowed websites
B. A domains restriction
C. WPAD using DHCP option 252
C. WPAD using DHCP option 252
Explanation:
When configuring an Apple device to use a proxy, you can use WPAD using DHCP option 252 instead of a proxy server URL.
What must the server identity certificate contain in the SubjectAltName field?
A. The CA name
B. The rest of the trust chain
C. The user’s group name
D. The server’s DNS name or IP address
D. The server’s DNS name or IP address
Explanation:
The server identity certificate must contain the server’s DNS name or IP address in the SubjectAltName field.
What must users of an MDM solution install so that custom VPN works on Apple devices?
A. Configuration profile and VPN Manager
B. VPN Manager and User Authentication Profile
C. The provider’s VPN app, which supplies the network extension
C. The provider’s VPN app, which supplies the network extension
Explanation:
You need the provider’s VPN app.
Which VPN connection type provides more granular control over which data goes through VPN?
A. Per-App VPN
B. VPN On Demand
C. Always-On VPN
A. Per-App VPN
Explanation:
Per-App VPN connections are established on a per-app basis, which provides more granular control over which data goes through VPN.
How do you enable managed distribution?
A. Enroll devices in MDM.
B. Download a spreadsheet of app licenses.
C. Link your MDM solution to at least one location in Apple Business Manager or Apple School Manager.
D. Purchase content through Apps and Books in Apple Business Manager or Apple School Manager.
C. Link your MDM solution to at least one location in Apple Business Manager or Apple School Manager.
Explanation:
To enable managed distribution, you link your MDM solution to at least one location in your Apple Business Manager or Apple School Manager account.
Which distribution model permanently transfers apps to users?
A. Custom apps
B. Redemption codes
C. Managed distribution to users
D. Managed distribution to devices
B. Redemption codes
Explanation:
Distributing app licenses through redemption codes transfers ownership of an app to the user who redeems the code.
Your organization wants developers to read a software architecture book available in Apps and Books. Funding is limited, so the engineering lead wants to know if a book can be transferred between developers after they finish reading it.
Who has the authority to revoke a book license after distribution?
A. No one
B. The user
C. The content manager
D. The MDM administrator
A. No one
Explanation:
When you distribute books, ownership permanently transfers to the users; you can’t revoke or reassign book licenses.
When you use managed distribution to assign apps directly to devices, your organization retains full control and ownership of the app licenses.
A. True
B. False
A. True
Explanation:
Using managed distribution with MDM, your organization retains full control and ownership of app licenses with the ability to assign, revoke, and reassign apps to devices.
How is an app installed on a user’s device after the app is assigned to that device?
A. The user must accept the app installation.
B. Your MDM solution automatically pushes the app to the supervised device.
C. The user receives an invitation to download and install the app from the App Store.
B. Your MDM solution automatically pushes the app to the supervised device.
Explanation:
Your MDM solution can automatically push it to supervised devices without requiring user invitation or acceptance.
When does the number of available app licenses for supervised devices change in your MDM solution apps library?
A. After the user installs or deletes the app
B. After the user accepts or rejects the installation
C. After you assign or revoke an app to a device or device group
C. After you assign or revoke an app to a device or device group
Explanation:
After you assign or revoke an app using your MDM solution, the number of app licenses available for assignment adjusts accordingly.
What must a user do before you can assign apps to them with managed distribution?
A. Install a managed distribution profile on their device
B. Accept an invitation to enroll in managed distribution
C. Sign in to an MDM solution and create a Managed Apple Account
D. Sign in to Apple Business Manager or Apple School Manager and enroll in Apps and Books
B. Accept an invitation to enroll in managed distribution
Explanation:
The user must accept the invitation by signing in to their Apple Account and agreeing to the terms and conditions
When you assign an app to a group for managed distribution, who must accept the invitation to enroll in managed distribution?
A. Your MDM solution administrator
B. Each individual user in the group
C. The Apple Business Manager or Apple School Manager administrator
B. Each individual user in the group
Explanation:
Each user in the group receives an invitation to enroll in managed distribution.
What do you use on a managed, user-owned iPhone or iPad to prevent users from opening unmanaged attachments or documents in managed sources?
A. A restriction
B. A managed domain
C. A managed account
A. A restriction
Explanation:
Open In management uses a set of restrictions to prevent users from opening attachments or documents from managed sources in unmanaged destinations on a managed iPhone or iPad.
What do you use on a managed, user-owned iPhone to prevent managed apps from storing data in iCloud?
A. A restriction
B. A managed domain
C. A managed account
A. A restriction
Explanation:
You can use your MDM solution to push a restriction to your managed devices to keep managed app data from being backed up to iTunes and iCloud.
Which condition applies when a Managed Pasteboard restriction is installed on a managed device?
A. The Paste button is dimmed.
B. The Paste button doesn’t appear.
C. A “Paste Not Allowed” notification displays.
C. A “Paste Not Allowed” notification displays.
Explanation:
If the user isn’t allowed to paste content in an app due to the restriction, they get a “Paste Not Allowed” notification that includes the organization name.
Which apps can users use to open the email attachment in the organization account after Managed Open In restrictions are in place?
A. Only apps that the user installs
B. Any app installed on the device
C. Only apps installed from the App Store
D. Only managed apps that the MDM solution installs
D. Only managed apps that the MDM solution installs
Explanation:
Apps that the MDM solution installs are considered managed. You can apply restrictions to managed apps that limit how users can share attachments with unmanaged apps.
Where can you confirm whether iCloud restrictions are active in a managed Mac?
A. In iCloud Keychain in Keychain Access
B. In System Settings > General > Device Management
C. In Restrictions in System Information
D. In About This Mac in the Apple menu
B. In System Settings > General > Device Management
Explanation:
After you’ve used MDM to push restrictions to your devices, the profile displays those restrictions. Using System Settings, you can review the restrictions by choosing the profile containing them.
Which type of payload do you use to prevent a user from removing system apps on iPhone?
A. Restrictions
B. Privacy & Security
C. Software Updates
A. Restrictions
Explanation:
Use a Restrictions payload to prevent users from removing system apps on iPhone.
Where on a Mac with macOS 13.0 or later do you access the options to configure Gatekeeper?
A. In System Settings > General, below Security settings.
B. In System Settings > Control Center, below Security settings.
C. In System Preferences > Security & Privacy, in the General tab.
D. In System Settings > Privacy & Security, below Security settings.
D. In System Settings > Privacy & Security, below Security settings.
Explanation:
In macOS 13.0 or later you configure Gatekeeper below Security settings in System Settings > Privacy & Security.
You apply an MDM payload to prevent users from installing apps from the App Store to a device.
Which types of apps are still available to download to the device?
A. Games and Reader apps
B. All free apps that don’t have in-app purchases
C. Managed apps, MDM-installed apps, system apps, and updates to those apps
C. Managed apps, MDM-installed apps, system apps, and updates to those apps
Explanation:
The device can still receive managed apps, MDM-installed apps, system apps, and updates to those apps despite restrictions on access to the App Store.
What is a benefit of enabling FileVault on a Mac startup volume?
A. Additional security by requiring a login password to decrypt data
B. Increased encryption by increasing the number of bits in the key from 0 to 128
C. Enhanced privacy by encrypting all data sent over a Mac computer’s network connections
A. Additional security by requiring a login password to decrypt data
Explanation:
On Mac computers with Apple silicon or the T2 chip, data is always encrypted on the startup volume. Turning on FileVault provides additional security by requiring a login password to decrypt data.
What is the purpose of a PRK? (Personal Recovery Key)
A. To initiate an “Erase All Content and Settings” command
B. To unlock the startup disk if the user forgets their login password
C. To authorize the installation of macOS software updates and upgrades
B. To unlock the startup disk if the user forgets their login password
Explanation:
When you first turn on FileVault on an individual unmanaged Mac, you choose how you want to unlock the startup disk if the user forgets their login password: with their Apple Account or with a PRK.
When managing FileVault using MDM, which of the following is required?
A. The managed Mac must be supervised.
B. An IRK must be installed on the managed Mac.
C. A user must log in on the managed Mac using an administrator account.
A. The managed Mac must be supervised.
Explanation:
You can manage FileVault settings on Mac computers that are enrolled in and supervised by your MDM solution, using either Automated Device Enrollment or Device Enrollment.
Which condition is required for a user to perform a system upgrade on a Mac laptop with Apple silicon?
A. The Mac must be plugged in.
B. The Mac must have FileVault on.
C. The user must be a volume owner.
D. The user must be a local administrator.
C. The user must be a volume owner.
Explanation:
On a Mac with Apple silicon, a user must be a volume owner to perform software updates and upgrades.
Why would you defer software updates on Apple devices?
A. To roll back an update if it’s unsuccessful
B. To test critical apps and infrastructure before deploying the update
C. To verify that your organization’s iPhone and iPad devices are managed
B. To test critical apps and infrastructure before deploying the update
Explanation:
Testing apps and infrastructure before deployment is critical.
What is the maximum number of days that you can defer software updates on Apple devices?
A. 30
B. 60
C. 90
D. 99
C. 90
Explanation:
You can defer software updates up to 90 days.
Which payload manages the ability to schedule a scan of a managed Apple device?
A. Content Filter
B. Restrictions
C. Security & Privacy
D. Software Update
D. Software Update
Explanation:
Use the Software Update payload to manage the installation of macOS beta releases and automatic installation of macOS updates or app updates from the App Store.
How are security fixes distributed to Apple devices in a Rapid Security Response?
A. In minor software updates
B. In major software upgrades
C. In both major upgrades and minor updates
A. In minor software updates
Explanation:
Rapid Security Responses distribute security fixes in minor software updates.
Which payload do you use to configure specific rules when users create a password or passcode on their enrolled device?
A. Passcode
B. Password
C. Restrictions
D. Security & Privacy
A. Passcode
Explanation:
You choose the Passcode payload to configure specific rules for the creation of passwords or passcodes on enrolled devices.
What is the purpose of configuring a Passcode payload?
A. It helps retrieve a user’s passcode if the user can’t sign in for some reason.
B. It requires that users set passcodes for all apps that they use on their devices.
C. It enables your organization to change a user’s passcode remotely if a device is lost or stolen.
D. It enforces passcode rules that help prevent unauthorized access to your organization’s devices and data.
D. It enforces passcode rules that help prevent unauthorized access to your organization’s devices and data.
Explanation:
You configure a Passcode payload with specific rules that users must follow when creating a device passcode or password.
The Passcode payload configures passcode rules for iPhone and iPad devices, whereas the Password payload configures password rules for Mac computers.
A. True
B. False
B. False
Explanation:
The Passcode payload configures passcode rules for iPhone and iPad, as well as password rules for Mac.
What must a user do when you install the Passcode payload on the user’s iPhone?
A. The user must enter a passcode using the specified settings within 60 minutes.
B. The user must accept the payload to permit the specified settings to take effect.
C. The user must restart the device to install the payload, then enter a new passcode.
A. The user must enter a passcode using the specified settings within 60 minutes.
Explanation:
If the user doesn’t do so within that time frame, the payload forces the user to enter a passcode using the specified settings.
How can you tell if a restriction applies only to a supervised device?
A. The restriction description contains “(supervised only).”
B. The restriction displays only if a device is supervised.
C. The restriction is dimmed on unsupervised devices.
D. The restriction appears in the group named Supervised Restrictions.
A. The restriction description contains “(supervised only).”
Explanation:
MDM solutions indicate when a restriction applies only to supervised devices.
What is the purpose of configuring a Restrictions payload for Apple devices?
A. Restrictions prevent users from unenrolling a device from MDM.
B. Restrictions prevent unauthorized users from accessing a device.
C. Restrictions prevent users from accessing a specific app, service, or function of a device.
C. Restrictions prevent users from accessing a specific app, service, or function of a device.
Explanation:
You configure a Restrictions payload to prevent access to a specific app, service, or function on a device.
What happens if you select “(supervised only)” restriction settings for an unsupervised device?
A. The “(supervised only)” settings don’t take effect unless you have previously supervised the device.
B. The “(supervised only)” settings override any configuration that the user sets on the unsupervised device.
C. The “(supervised only)” settings require you to turn on device supervision before you can save the payload.
A. The “(supervised only)” settings don’t take effect unless you have previously supervised the device.
Explanation:
You can select “(supervised only)” settings for unsupervised devices, but the settings don’t take effect unless the device is supervised.
Which MDM restriction lets you manage a user’s ability to connect Thunderbolt or USB devices or SD cards to a Mac?
A. Allow host pairing
B. Allow connected accessories while locked
C. Automatically enable accessory connections
B. Allow connected accessories while locked
Explanation:
You use the “Allow connected accessories while locked” restriction to manage accessory connections with supervised iPhone or iPad devices and Mac computers.
What happens when you select the “Allow connected accessories while locked” restriction and an iPhone or iPad device is connected to a computer with a compatible Ethernet adapter?
A. The device maintains a data connection to a connected network only when a user unlocks it.
B. The device maintains a data connection to a connected network before a user unlocks it.
C. The device automatically unlocks after an hour so that you can refresh it using MDM.
B. The device maintains a data connection to a connected network before a user unlocks it.
Explanation:
When you select the “Allow connected accessories while locked” restriction and an iPhone or iPad device is connected to a computer with a compatible Ethernet adapter, the device maintains a data connection even before a user unlocks it.
What’s required before you can restrict accessory connections on iPhone or iPad?
A. Device supervision
B. A Managed Apple Account
C. An unsupervised Apple device
A. Device supervision
Explanation
Configurations to restrict accessory connections require that your iPhone and iPad devices be supervised.
How do you ensure that only trusted host computers can pair with your organization’s iPhone and iPad devices?
A. Allow pairing with only Mac computers.
B. Distribute the correct digital certificate to users’ groups and devices.
C. Distribute the correct supervision identities to users’ devices.
C. Distribute the correct supervision identities to users’ devices.
Explanation:
When you deselect the “Pair with non-Apple Configurator hosts” restriction — and distribute the correct supervision identities to users’ devices — you ensure that only trusted computers with valid supervision host certificates can pair with the iPhone or iPad devices.
Which of the following can you use to distribute a certificate identity to a device in a configuration profile?
A. A .p12 file
B. A PKI token
C. An MD5 hash file
A. A .p12 file
Explanation:
You can put a certificate identity into a PKCS #12 file protected with a password, and push the file to the device in a configuration profile.
When you compose a Mail message on a managed Apple device, what happens when Mail finds the certificate for a recipient email?
A. The user is asked to choose a certificate to sign the message.
B. A “Sign this message” option appears left of the “To:” field.
C. A padlock icon appears to the right of the recipient’s contact name, and the address text is blue.
C. A padlock icon appears to the right of the recipient’s contact name, and the address text is blue.
Explanation:
Mail consults the GAL to discover the recipient’s S/MIME certificate. When Mail finds the certificate for your recipient, a padlock icon appears to the right of the recipient’s contact name, and the address text is blue.
What do managed Apple devices require to send signed messages in Mail using S/MIME?
A. Your email address must be in the recipient’s GAL.
B. You must have your identity’s private key in your keychain.
C. Recipients must have your identity’s private key in their keychains.
B. You must have your identity’s private key in your keychain.
Explanation:
Private keys are important for signing messages in Mail. To send signed messages in Mail using S/MIME on a managed Apple device, you must have your identity’s private key in your keychain.
What do managed Apple devices require to send encrypted messages in Mail using S/MIME?
A. The public key from the recipient’s certificate
B. An encryption extension in the recipient’s certificate
C. A restriction payload with the “Allow sending encrypted messages using S/MIME” setting selected
A. The public key from the recipient’s certificate
Explanation:
Public keys are important for encrypting messages in Mail. To send encrypted messages in Mail using S/MIME on a managed Apple device, you must have the public key from the recipient’s certificate in your keychain.
What happens when you use Safari on iPhone or iPad to visit a site with a revoked certificate?
A. You are asked to delete the certificate.
B. You are directed to the CA’s website to update the certificate.
C. “This Connection Is Not Private” appears instead of the contents of the site.
C. “This Connection Is Not Private” appears instead of the contents of the site.
Explanation:
When you use Safari on iPhone or iPad to visit a site with a revoked certificate, “This Connection Is Not Private” appears instead of the contents of the site.
Which type of query can you use to list all installed apps on a device?
A. Security
B. Installed app
C. Device information
D. Operating system
C. Device information
Explanation:
Device information queries return a device’s information about apps installed, battery level, and device name.
Which type of query can you use to find information about Find My and FileVault settings?
A. Security
B. Installed app
C. Device information
D. Operating system
A. Security
Explanation:
Security queries return a device’s information about whether it has the following enabled: Activation Lock, Find My, FileVault, Firmware password (for Intel-based Mac computers), and more.
Which type of query can you use to list all devices that need to be updated to new system software?
A. Security
B. Installed app
C. Device information
D. Operating system
D. Operating system
Explanation:
Operating system queries return a device’s information about the product version and whether specific update options are enabled.
Which prioritization method ensures that the most important app data always gets the best possible bandwidth, even if the network is congested with other traffic?
A. Proxies
B. Restrictions
C. Fastlane QoS marking
C. Fastlane QoS marking
Explanation:
Fastlane QoS marking ensures that the most important app data always gets the best possible bandwidth.
What is the main benefit of using a proxy server on your network?
A. The ability to encrypt content
B. The ability to specify how managed apps use cellular data
C. The ability to filter content or manage available bandwidth
C. The ability to filter content or manage available bandwidth
Explanation:
You can use a proxy server to control the routing of traffic between your local intranet and the internet.
Which MDM payload contains the settings that specify how managed apps use cellular data?
A. Cellular
B. Proxy server
C. Content Caching
D. Network Usage Rules
D. Network Usage Rules
Explanation:
You can configure the Network Usage Rules payload settings to specify how managed apps use cellular data.
Which MDM payload contains the settings that enable QoS support on your managed devices?
A. Wi-Fi
B. Proxy
C. Content Caching
D. Network Usage Rules
A. Wi-Fi
Explanation:
Apps with enabled QoS support automatically take priority over low-priority apps, such as those used for syncing documents in the background.
What is QoS marking?
A. QoS marking determines how much network data an app can use.
B. QoS classification or marking refers to the process of classifying the type of IP packets or traffic.
C. QoS marking determines how quickly app data reaches devices.
B. QoS classification or marking refers to the process of classifying the type of IP packets or traffic.
Explanation:
Apple devices can mark an app’s network traffic with QoS, and configured network devices can detect these markings and prioritize some types of traffic.
What is a requirement for QoS prioritization?
A. The network service type
B. Accurate proxy settings
C. The QoS app
A. The network service type
Explanation:
The developer must mark the network service type for QoS to use it.
Which payload can you use to set QoS priorities?
A. Certificate
B. Network Usage Rules
C. Restrictions
D. Wi-Fi
D. Wi-Fi
Explanation:
You can set QoS priorities with a Wi-Fi payload.
Which statement about Managed Lost Mode is true?
A. Managed Lost Mode requires Find My to be turned on.
B. You can use MDM to put an unsupervised iPhone or iPad device into Managed Lost Mode.
C. MDM remotely queries a lost device for its location the last time that the device was online.
C. MDM remotely queries a lost device for its location the last time that the device was online.
Explanation:
With Managed Lost Mode, you can find a supervised iPhone or iPad device that is lost or stolen because the MDM solution remotely queries for its location when the device connects to a network that both the managed device and the MDM solution can access.
What can you do when you use your MDM solution to enable Managed Lost Mode on a device?
A. You can customize the Lock Screen with a message, add a contact phone number, and include a note.
B. You can customize the Lock Screen with a bypass code, add a contact phone number, and include a note.
C. You can customize the Lock Screen with only a contact phone number and a message.
A. You can customize the Lock Screen with a message, add a contact phone number, and include a note.
Explanation:
When you enable Lost Mode on a device, you can customize the Lock Screen with a message, a contact phone number, and a note.
Which of these statements is true?
A. When an MDM solution remotely disables Managed Lost Mode, it locks the device. It also notifies the user upon locking the device screen that the MDM solution enabled Managed Lost Mode and collected the device’s location.
B. You can use your MDM solution to issue commands to disable Lost Mode on an unmanaged iPhone or iPad device.
C. You can disable Managed Lost Mode if it’s erroneously enabled or enabled on a retrieved device.
C. You can disable Managed Lost Mode if it’s erroneously enabled or enabled on a retrieved device.
Explanation:
You can disable Managed Lost Mode if it’s erroneously enabled or enabled on a retrieved device.
Using your MDM solution, you enabled Lost Mode for a lost iPad. The next day, the verified user recovered the device, and you disabled Lost Mode.
Which message appeared when the user unlocked their iPad?
A. MDM enabled Managed Lost Mode and collected the device location.
B. MDM disabled Managed Lost Mode and Activation Lock.
C. MDM enabled recovery mode and restored the device data and settings.
A. MDM enabled Managed Lost Mode and collected the device location.
Explanation:
When an MDM solution administrator remotely disables Managed Lost Mode, the user is notified that their device was locked and the MDM solution collected its location.
What happens when you use an MDM solution to wipe iPhone or iPad?
A. Wiping iPhone or iPad automatically backs up user data and settings to iCloud before restoring factory settings.
B: Wiping iPhone or iPad puts the device in recovery mode, and you must reinstall iOS.
C. Wiping iPhone or iPad restores the device to its factory settings while preserving the last installed iOS or iPadOS version.
C. Wiping iPhone or iPad restores the device to its factory settings while preserving the last installed iOS or iPadOS version.
Explanation:
Wiping iPhone or iPad removes all user data and settings and restores factory settings, preserving the last installed iOS or iPadOS version.
What happens when you use an MDM solution to enable Lost Mode on iPhone or iPad?
A. MDM wipes the device remotely.
B. MDM locks the device.
C. MDM issues a bypass code.
B. MDM locks the device.
Explanation:
When you enable Lost Mode for a missing device with your MDM solution, it locks the device, displays your custom message, and determines the device location.
What happens if Find My is turned on for a managed device and your MDM solution allows Activation Lock?
A. Activation Lock is enabled.
B. The device is locked, and its location is collected.
C. The user is notified that Activation Lock is enabled.
A. Activation Lock is enabled.
Explanation:
If Find My is enabled when your MDM solution allows Activation Lock on managed devices, Activation Lock is automatically enabled at that point.
What happens if Find My is turned off for a managed device when your MDM solution allows Activation Lock?
A. Activation Lock is enabled at that point.
B. The device is locked, and its location is collected.
C. The user is notified that Activation Lock is disabled.
D. Activation Lock is enabled the next time the user enables Find My.
D. Activation Lock is enabled the next time the user enables Find My.
Explanation:
If Find My is disabled when your MDM solution allows Activation Lock on managed devices, Activation Lock is enabled the next time the user enables Find My.
Your Mac has been wiped and Activation Lock has been enabled.
Where do you enter the bypass code?
A. Start up in recoveryOS, then enter the bypass code in the password field on the Activation Lock screen.
B. Start up in recoveryOS, then click the Recovery Assistant menu, choose “Activate with MDM key,” and enter the bypass code in the field.
C. On the Apple Account screen in Setup Assistant, enter the bypass code in the “Email or Phone Number” field.
D. On the Create a Computer Account screen in Setup Assistant, enter the bypass code in the password field.
B. Start up in recoveryOS, then click the Recovery Assistant menu, choose “Activate with MDM key,” and enter the bypass code in the field.
Explanation:
You can find the organization-linked Activation Lock bypass code in your MDM solution.
Which Mac models support Activation Lock?
A. Mac computers with Intel processors only
B. Mac computers with A12 Bionic
C. Mac computers with Apple silicon and the T2 chip
C. Mac computers with Apple silicon and the T2 chip
Explanation:
Activation Lock is available on Mac computers with Apple silicon and the T2 chip.
Someone turns in a managed iPhone device that was purchased from a reseller other than Apple or participating Apple Authorized Resellers or carriers.
Which tool do you use to add it to your organization’s Apple Business Manager, Apple Business Essentials, or Apple School Manager account?
A. Apple Configurator for Mac
B. Apple Business Manager or Apple School Manager
A. Apple Configurator for Mac
Explanation:
You use Apple Configurator for Mac to assign iPhone or iPad devices to your organization in Apple Business Manager, Apple Business Essentials, or Apple School Manager.
A user turns in an iPhone device and a Mac. Both have managed apps installed. You use your MDM solution to erase the content and settings, disable Activation Lock, and then revoke the app licenses.
Can you immediately reassign the app licenses?
A. Yes
B. No
A. Yes
Explanation:
You can reassign revoked licenses for managed apps to other users or devices.
Someone turns in a managed iPad with an eSIM that has an active data plan. You’re redeploying the iPad and want to keep the eSIM and data plan for the next user.
What MDM Remote Wipe command option do you configure when erasing the device?
A. AllowESIMModification
B. forcePreserveESIMOnErase
C. Preserve Data Plan
D. Refresh Cellular Plan
C. Preserve Data Plan
Explanation:
If you want to preserve the eSIM and want to erase the device, initiate an MDM Remote Wipe command with the Preserve Data Plan option enabled.
Your organization retires six iPhone devices and turns them in for credit toward new devices through the Apple Trade In program. Three of the iPhone devices aren’t eligible for credit.
What happens to those devices?
A. Apple recycles the devices.
B. Apple ships the devices back to you.
C. Apple deducts a recycling fee from your credit.
D. Apple ships the devices to the recycling facility of your choice.
A. Apple recycles the devices.
Explanation:
Apple recycles the devices through its recycling partners.
What happens to trade-in devices that Apple receives through the Apple Trade In program?
A. Apple refurbishes and resells all devices.
B. Apple sends all devices to its recycling partners.
C. Apple refurbishes devices that are in good condition and recycles the rest.
C. Apple refurbishes devices that are in good condition and recycles the rest.
Explanation:
Apple refurbishes reusable devices.
You should first back up devices and erase all content and settings before redeploying or recycling them. If you are recycling devices, you must then release them from management in Apple Business Manager or Apple School Manager and remove them from your MDM solution.
A. True
B. False
A. True
Explanation:
You don’t have to, but you should wipe your devices first, then you can release them from management in Apple Business Manager or Apple School Manager and remove them from MDM.
