Practice Exam Questions (Answers aren't all correct- scored 86.2 (75 of 87))

Question 1

1 of 87

Your organization’s security team wants you to disable AirDrop on managed iPhone devices from your MDM solution
Which requirement must each iPhone meet so that you can disable AirDrop?
A. They must use a Managed Apple ID
B. They must be supervised
C. They must be enrolled using account-driven Device Enrollment
D. They must be enrolled using account-driven User Enrollment

Answer 1

B. They must be supervised

Question 2

2 of 87

What should you do to prevent camera use on a supervised iPhone or iPad?
A. Use Managed Open in restrictions to control the Camera app
B. Deploy Camera as a managed app
C. Set the allowCamera restriction to true
D. Set the allowCamera restriction to false

Answer 2

D. Set the allowCamera restriction to false

Question 3

3 of 87

You enabled FileVault for organization-owned Mac computers. You also need to be able to reset user passwords on those Mac computers.
What should you escrow to the MDM server?
A. Institutional recovery key
B. Personal recovery key
C. Secure token
D. Bypass code

Answer 3

B. Personal recovery key

Read More - IRK and PRK

No longer an Institutional recovery key

Question 4

4 of 87

A user reports that they lost their supervised iPhone.
What should you do to protect the organization’s data?
A. Enable Find My in the MDM server.
B. Enable Lost Mode in Apple Business Manager or Apple School Manager.
C. Enable Find My in Apple Business Manager or Apple School Manager.
D. Enable Lost Mode in the MDM server.

Answer 4

D. Enable Lost Mode in the MDM server.

Read More

You don’t enable lost mode in ABM or ASM, rather your MDM solution

Question 5

5 of 87

Which MDM command restricts access to Startup Security Utility on a Mac with Apple silicon?
A. SetFDESetup
B. SetAccessSSUtility
C. SetRecoveryLock
D. SetFirmwarePassword

Answer 5

C. SetRecoveryLock

recoveryOS password

Question 6

6 of 87

You used MDM to set organization-linked Activation Lock. You can’t remove Activation Lock from a device that a user returned.
Which account user name and password gives you the ability to remove Activation Lock?
A. The Apple ID used for the Apple Push Notification service.
B. The Apple ID of the previous user of the device.
C. The Managed Apple ID of the previous user of the device.
D. The account that created the device enrollment token that links to the MDM solution.

Answer 6

D. The account that created the device enrollment token that links to the MDM solution.

Suppose that your MDM solution is unsuccessful in removing Activation Lock

Question 7

7 of 87

When are you required to enter your password on a Mac with Touch ID turned on?
A. When you install a downloaded application
B. When Safari autofills passwords
C. After you update macOS
D. After your Mac is locked for 24 hours

Answer 7

C. After you update macOS

Touch ID on Mac

Also, if you install a downloaded application

If your mac is locked for 48 hours, or touch id check is failed

Question 8

8 of 87

What are two functions of Secure Enclave?
Select two.
A. Encrypt tokens for Recovery Lock, Bypass Code, and Personal Recovery Key.
B. Process data from Face ID and Touch ID sensors.
C. Store certificates to secure mail, web, and other internet traffic.
D. Provide secure generation and storage of keys for encrypting data at rest.
E. Secure MDM communications and APNs notifications.

Answer 8

B. Process data from Face ID and Touch ID sensors
D. Provide secure generation and storage of keys for encrypting data at rest.

Question 9

9 of 87

You deploy a managed app to a supervised iPad that had an unmanaged version of the app installed.
What happens?
A. The unmanaged app converts to managed.
B. The user is prompted to accept the app.
C. The app remains unmanaged.
D. Both copies of the app remain on the supervised iPad.

Answer 9

A. The unmanaged app converts to managed.

If the device is supervised

Question 10

10 of 87

Where are two places you can review website passwords that you saved using Safari on your Mac?
Select two.
A. In Passwords in System Settings
B. In the Secure Keychain app in the Utilities folder
C. In Privacy in Safari Settings
D. In Privacy & Security in System Settings
E. In Passwords in Safari Settings

Answer 10

A. In Passwords in System Settings
&
E. In Passwords in Safari Settings

Question 11

11 of 87

Which two apps are available only when your Mac starts up in macOS Recovery?
Select two.
A. Terminal
B. Share Disk
C. Safari
D. Startup Security Utility
E. Disk Utility

Answer 11

C. Safari
&
E. Disk Utility

Use macOS recovery

Initial Options: Time machine, Reinstall macOS, Safari & Disk Utility

However, ALL the answers listed are in macOS recovery. Some are in Utilities Menu.

Question 12

12 of 87

Where is content cached when you simultaneously provision tethered iPad devices using Apple
Configurator?
A. On the Mac that the iPad devices are tethered to
B. On the MDM server that the iPad devices are tethered to
C. On the MDM content caching server
D. On the iCloud server

Answer 12

A. On the Mac that the iPad devices are tethered to

With tethered caching

Question 13

13 of 87

Which Mac app gives you the ability to query network responsiveness and quality?
A. Activity Monitor
B. Apple Diagnostics
C. Terminal
D. Network Utility

Answer 13

C. Terminal

Open terminal and enter “networkQuality”

More networkQuality Tips

Question 14

14 of 87

You added macOS content caching to your network.
Which two content types can the server cache for users on your network?
Select two.
A. Sharepoint files for Managed Apple IDs
B. Frequently requested web content and files
C. Apple Music content
D. Apple Books content
E. Operating system updates

Answer 14

D. Apple Books content
&
E. Operating system updates

Cache Content

Question 15

15 of 87

You start up your MacBook Pro by pressing and holding the power button. Then you click System Settings. You’re asked to seIect a user and enter that user’s password.
Why are you asked to seIect a user and enter that user’s password?
A. Startup Security Utility is set to Full Security.
B. Lockdown Mode is turned on.
C. File Vault is turned on.
D. Recovery Lock is enabled.

Answer 15

C. File Vault is turned on.

Filevault Info

Question 16

16 of 87

You’re resetting the password for the only account on a Mac. FileVault was enabled through MDM.
What do you need from your MDM solution?
A. User name and password of the account that created the MDM server token
B. Personal recovery key
C. Institutional recovery key
D. File Vault token

Answer 16

B. Personal recovery key

PRK on MDM

The IRK is consider deprecated. Apple advises to use the PRKs.

Question 17

17 of 87

Which Content Caching setting caches only operating system and app updates?
A. Only operating system Updates and App Content
B. Only Shared Content
C. Only Apple Content
D. App and operating system Updates

Answer 17

B. Only Shared Content

Content Settings

MDM Content Caching

Question 18

18 of 87

Which profile type connects a device to MDM?
A. Assignment
B. Supervision
C. Provisioning
D. Enrollment

Answer 18

D. Enrollment

Enrollment profiles

Question 19

19 of 87

Your organization is migrating to a new MDM solution. iPhone and iPad devices were previously enrolled using Automated Device Enrollment.
What must you do before you can enroll the devices in a new MDM solution using Automated Device
Enrollment?
A. Send a remote wipe command from Apple School Manager or Apple Business Manager.
B. Revive the devices.
C. Erase the devices.
D. Release the devices in Apple School Manager or Apple Business Manager.

Answer 19

C. Erase the devices.

ADE

ADE can only enroll devices that are being set up for the first time.

Question 20

20 of 87

What must you enter on a device for account-driven User Enrollment?
A. A Managed Apple ID
B. The Apple Business Manager or Apple School Manager enrollment URL
C. The MDM solution enrollment URL
D. A personal Apple ID

Answer 20

A. A Managed Apple ID

Account-Driven User Enrollment

Question 21

21 of 87

Lockdown Mode prevents which type of profile from being installed on a device from an MDM solution?
A. Supervision
B. Configuration
C. Provisioning
D. Enrollment

Answer 21

B. Configuration

Lockdown Mode

Question 22

22 of 87

What must you do to allow Auto Advance during Automated Device Enrollment for Mac?
A. Connect the Mac to a power source.
B. Press and hold Shift-Up Arrow on the right side of the keyboard.
C. Press and hold the power button for up to 10 seconds.
D. Connect the Mac to an active Ethernet connection.

Answer 22

D. Connect the Mac to an active Ethernet connection.

Auto Advance

Question 23

23 of 87

Which data can MDM solutions access when an iPhone is enrolled using account-driven Device
Enrollment?
A. Phone call logs
B. Capacity and space available
C. Device location and Significant Locations
D. Safari browsing history

Answer 23

B. Capacity and space available
Related, but note specific context link
Three major types of device enrollment

Question 24

24 of 87

Which enrollment type gives you the ability to send the iPad Home Screen Layout payload?
A. Account-driven User Enrollment
B. Account-driven Device Enrollment
C. Automated User Enrollment
D. Automated Device Enrollment

Answer 24

D. Automated Device Enrollment

Home Screen Layout Payload

C. Automated User Enrollment - may not be real, is confused with ADE

Question 25

25 of 87

Which two of these devices can Apple Configurator for Mac add to Apple School Manager or Apple
Business Manager?
Select two.
A. Apple Vision Pro
B. Mac
C. Apple Watch
D. Apple TV
E. iPad

Answer 25

D. Apple TV
&
E. iPad

Apple Configurator for Mac devices

Question 26

26 of 87

You configure a Setup Assistant payload to skip the Location Services pane.
What is the Location Services status during and after enrollment?
A. Location Services is shown during Setup Assistant and turned off, but a user can turn it on.
B. Location Services is hidden during Setup Assistant and turned off, but a user can turn it on.
C. Location Services is hidden during Setup Assistant and turned off, but an administrator can turn it on.
D. Location Services is shown during Setup Assistant and turned off, but an administrator can
turn it on.

Answer 26

B. Location Services is hidden during Setup Assistant and turned off, but a user can turn it on.

Manage setup assistant

AI check

Question 27

27 of 87

Which enrollment type for Mac results in supervision and also cryptographically separates organization
keychain items from personal keychain items?
A. Account-driven User Enrollment
B. Automated User Enrollment
C. Automated Device Enrollment
D. Account-driven Device Enrollment

Answer 27

D. Account-driven Device Enrollment

Device Enrollment and MDM

AI/recheck

Question 28

28 of 87

Which two enrollment types result in cryptographic separation of organization Calendar and personal
Calendar data on iPhone and iPad devices?
Select two.
A. Profile-driven User Enrollment
B. Account-driven Device Enrollment
C. Account-driven User Enrollment
D. Automated User Enrollment
E. Automated Device Enrollment

Answer 28

B. Account-driven Device Enrollment
&
C. Account-driven User Enrollment

Cryptographic separation

A. Profile-driven User Enrollment - was deprecated by Apple in 2024.

Question 29

29 of 87

You push a restriction payload to prevent the developer team from using Camera on their iPhone devices.
You also push a restriction payload without a camera restriction for the marketing team on their iPhone devices. One user is assigned to both teams.
What is the user’s experience?
A . The user can’t use Camera.
B. The user can use Camera in managed apps only.
C. The user can use Camera.
D. The user can use Camera in unmanaged apps only.

Answer 29

** A . The user can’t use Camera.**

Note
If you have multiple configuration profiles that contain restriction payloads with different settings for the same specific restriction on iPhone or iPad, the more restrictive one takes effect.

Question 30

30 of 87

Which restriction can you push to a supervised iPad to remove the App Store icon from the Home Screen?
A. Install apps using App Store
B. Allow app installation from a website
C. Modify account settings
D. Automatic app downloads

Answer 30

A. Install apps using App Store

[Restrictions - Install Apps](https://support.apple.com/en-in/guide/deployment/dep6b5ae23e9/web#:~:text=in%20Game%20Center.-,Install%20apps,-No%20(iOS)

Question 31

31 of 87

Your organization’s custom app delivers internal security alerts.
Which two MDM settings do you need to ensure delivery of internal security alerts on managed iPhone devices?
Select two.
A. Mark the app as nonremovable.
B. Enable Safari pop-up windows for the app’s domain.
C. Prevent removal of system apps, including Settings.
D. Configure the notifications MDM payload.
E. Use the Enable Automatic Proxy Configuration payload to prioritize the app’s traffic.

Answer 31

A. Mark the app as nonremovable.
Nonremovable
D. Configure the notifications MDM payload.
Notifications MDM payload

Question 32

32 of 87 - ??

Which Rapid Security Response payload setting can you deploy from an MDM solution?
A. Allow MDM to remove responses
B. Allow MDM to disable responses
C. Allow MDM to install responses
D. Allow MDM to delay responses

Answer 32

C. Allow MDM to install responses
RSR and MDM

Question 33

33 of 87

Which MDM restriction prevents the copying and pasting of data between managed sources in unmanaged destinations?
A. Restrict App Privacy Settings
B. Managed Clipboard
C. Managed Pasteboard
D. Restrict App Configuration Settings

Answer 33

C. Managed Pasteboard
MP

Question 34

34 of 87

You want to require your users to enter a complex password during device setup.
Which enrollment type should you use?
A. Account-driven Device Enrollment
B. Automated User Enrollment
C. Automated Device Enrollment
D. Account-driven User Enrollment

Answer 34

C. Automated Device Enrollment
User Enrolment and MDM

Question 35

35 of 87

You pushed these two payloads to your iPad devices:
-An MDM passcode policy that requires a simple passcode with a minimum of 15 characters.
-A Microsoft Exchange policy that requires a complex passcode with a minimum of eight characters
What’s enforced?
A. A complex passcode with a minimum of 15 characters
B. A simple passcode with a minimum of eight characters
C. A complex passcode with a minimum of eight characters
D. A simple passcode with a minimum of 15 characters

Answer 35

C. A complex passcode with a minimum of eight characters

If you use two device passcode policies or one device passcode policy and one Exchange passcode policy, the two sets of policies are merged and the strictest settings are enforced.

Question 36

36 of 87

What contacts Apple servers directly to unlock a managed Apple device that’s locked with an organization linked Activation Lock?
A. Apple ID Activation Service
B. Apple Push Notification service (APNs)
C. The MDM solution
D. Apple Business Manager or Apple School Manager

Answer 36

C. The MDM solution

The MDM solution interacts directly with Apple servers

Question 37

37 of 87

What is required to enable Managed Lost Mode using MDM?
A. Supervision
B. Find My
C. Managed Apple ID
D. Location Services

Answer 37

A. Supervision

Managed Lost Mode

Question 38

38 of 87

What is the maximum number of days that you can defer software updates and upgrades when you use
MDM?
A. 365
B. 180
C. 256
D. 90

Answer 38

D. 90

As part of the configuration, organisations can specify a custom deferral period from 1 to 90 days

Question 39

39 of 87

What can you deploy from MDM to prevent users from accessing a specific app on managed iPhone
devices?
A. Access control entries
B. Restriction payloads
C. Supervision payload
D. Access control lists

Answer 39

B. Restriction payloads
Restrictions

Question 40

40 of 87

Which two of these can MDM optionally provide with the EraseDevice command when you use the
Return to Service workflow?
Select two.
A. Preserve supervision status
B. Location Services
C. Wi-Fi payload
D. MDM Configuration profile
E. Register data plan

Answer 40

C. Wi-Fi payload
&
D. MDM Configuration profile
Using MDM with Return to Service

Question 41

41 of 87

What can be provided in response to an MDM query of user-enrolled devices?
A. Device location
B. Managed apps status
C. Lost Mode status
D. Safari browser history

Answer 41

B. Managed apps status
MDM queries for User Enrollment

Question 42

42 of 87

Which action helps you reduce local network traffic when you deploy a content caching server?
A. Use an MDM restriction to prevent content caching from being turned on for every user’s managed Mac.
B. Use the AssetCacheManagerUtil loadCache command to preload commonly downloaded apps every night.
C. Use an MDM restriction to prevent content caching from being turned off for every user’s managed Mac.
D. Use the assetcachelocatorutil command to define your content caching server location for every user’s managed device.

Answer 42

** A. Use an MDM restriction to prevent content caching from being turned on for every user’s managed Mac.**

Automatically activate content caching

Question 43

43 of 87

You used MDM to disable “allow pairing with non-Apple Configurator hosts” on the organization’s managed iPad devices. When you use a USB cable to connect a managed iPad to a Mac, the iPad doesn’t connect.
What must be on the Mac to allow the iPad to connect?
A. Supervision Identity
B. Intermediate Certificate
C. Server Token
D. Configuration Identity

Answer 43

A. Supervision Identity
Supervision

Question 44

44 of 87

You upload your MDM solution’s certificate to Apple Business Manager.
What does Apple Business Manager generate?
A. Content token
B. Server token.
C. MDM Intermediate Certificate
D. Private key

Answer 44

B. Server token.

Saving a public certificate to Apple Business Manager generates a server token

Question 45

45 of 87

What do you need to do before you can sync Microsoft Entra ID user data with Apple Business Manager?
A. Configure a Federation Manager account.
B. Configure a People Manager account.
C. Link Microsoft lntune to Apple Business Manager.
D. Configure and turn on federated authentication.

Answer 45

D. Configure and turn on federated authentication.
Use federated authentication

Question 46

46 of 87

Which authentication protocol do you use in Apple Business Manager to sync user accounts from your identity provider?
A. OpenlD Connect
B. Kerberos Connect
C. MS-CHAP
D. RADIUS

Answer 46

A. OpenlD Connect
Sync user accounts from your identity provider

Question 47

47 of 87

Users in your organization visit a web address to enroll devices. They also use the same Apple ID to install apps.
Which two changes should your organization implement for a more efficient workflow?
Select two.
A. Multiple personal Apple IDs
B. Device groups for management
C. Federated authentication
D. Automated Device Enrollment
E. Managed distribution

Answer 47

C. Federated authentication
&
E. Managed distribution

Maybe D. Automated Device Enrollment, if the devices are company owned

Google search has a good argument for B & E

Question 48

48 of 87

Which two features are available in both Apple Business Manager and Apple School Manager?
Select two.
A. Bulk app purchases
B. Inspect a user account
C. Directory Sync
D. App redemption codes
E. SIS/SFTP support

Answer 48

A. Bulk app purchases
&
C. Directory Sync
Using ABM or ASM

Question 49

49 of 87

Which of these account roles in Apple Business Manager or Apple School Manager can enable federated authentication?
A. Content Manager
B. Device Enrollment Manager
C. People Manager
D. Authentication Manager

Answer 49

C. People Manager
Intro to Roles and Priviledges

Question 50

50 of 87

Which statement is true about Managed Distribution for books?
A. Books can be distributed only to users.
B. Books can be distributed only to a Managed Apple ID.
C. Books can be distributed only to devices.
D. Books can be distributed only to a personal Apple ID.

Answer 50

A. Books can be distributed only to users.
Users

Question 51

51 of 87

When does the 30-day provisional period begin after you manually add Apple devices to Apple School Manager?
A. After the device is available in Apple School Manager
B. After you assign the device to a location
C. After you assign the devices to the MDM solution
D. After you enroll the devices in the MDM solution

Answer 51

D. After you enroll the devices in the MDM solution
30-Day

Question 52

52 of 87

Which app do you use to manually add iPad devices to Apple Business Manager or Apple School Manager?
A. iPad Configuration Utility
B. Apple Configurator for iPhone
C. Mac Configuration Utility
D. Apple Configurator for Mac

Answer 52

D. Apple Configurator for Mac
Manually Adding Devices to Your Organization

Question 53

53 of 87

What must you upload to your MDM solution so that you can distribute Apps and Books Store content?
A. Content token
B. Managed certificate
C. Distribution certificate
D. Server token

Answer 53

D. Server token
Transfer the Server Token

?? Content token??

Question 54

54 of 87

Where do you upload the content token to enable Managed Distribution of apps and books?
A. Your Apple Business Manager account
B. Managed Distribution Utility
C. Apple Configurator for iPhone
D. Your MDM solution

Answer 54

D. Your MDM solution
Upload the token

Password changes: If the account that downloaded the (content)token and linked the MDM solution to Apple Business Manager has their password changed, the token is invalidated.

Question 55

55 of 87

Which two roles can transfer app licenses in Apple Business Manager or Apple School Manager?
Select two.
A. Staff
B. Device Enrollment Manager
C. App Manager
D. Administrator
E. Content Manager

Answer 55

D. Administrator
&
E. Content Manager

If you’re an Administrator, you can transfer licenses to any location. As a Content Manager, you can transfer licenses between locations for which you have that role. In Apple School Manager, a Site Manager can also transfer licenses between locations for which they have that role.

Question 56

56 of 87

You used account-driven Device Enrollment to enroll your iPhone.
Which two of these data types cryptographically separates organizational and personal data?
Select two.
A. Notes
B. Safari bookmarks
C. Visual Voice mail messages
D. Calendar
E. Contacts

Answer 56

D. Calendar
&
E. Contacts

Unsure if it’s maybe notes and calendar, AI disagrees

Question 57

57 of 87

You’re signed in to your personal Apple ID on your iPhone. You used your Managed Apple ID to enroll your iPhone.
What is the result?
A. Your personal iCloud Drive is replaced with your organizational iCloud Drive until you unenroll your iPhone.
B. You’re prompted to sign out of your personal Apple ID.
C. An additional iCloud Drive appears in the Files app.
D. You’re automatically signed out of your personal Apple ID.

Answer 57

C. An additional iCloud Drive appears in the Files app.
Managed Apple IDs

Question 58

58 of 87

Which technology, commonly used for Active Directory or Open Directory, does enterprise single sign-on support in iOS, iPadOS, and macOS?
A. Automatic FileVault rotation
B. User-driven password resets
C. Passkeys
D. Kerberos

Answer 58

D. Kerberos
Enterprise SSO

Question 59

59 of 87

Which technology synchronizes local account credentials with an identity provider?
A. Microsoft Entra ID
B. Active Directory
C. Platform SSO
D. Kerberos SSO

Answer 59

C. Platform SSO
PlatformSSO
With Platform Single Sign-on (Platform SSO), developers can build SSO extensions that extend to the macOS login window, allowing users to synchronise local account credentials with an identity provider (IdP). The local account password is automatically kept in sync, so the cloud password and local passwords match. Users can also unlock their Mac with Touch ID and Apple Watch.

Question 60

60 of 87

Which two Apple devices support the Network Usage Rules MDM payload?
Select two.
A. iPhone
B. Mac
C. iPad
D. Apple TV
E. Apple Watch

Answer 60

A. iPhone
&
C. iPad
Network Usage Rules

Question 61

61 of 87

What is required to enroll a device using account-driven Device Enrollment?
A. A passkey
B. A Managed Apple ID
C. A Personal Apple ID
D. An identity provider (ldP)

Answer 61

B. A Managed Apple ID
Account-driven device

Question 62

62 of 87

Your Mac is supervised.
Which two enrollment types might have been used to enroll your Mac?
Select two.
A. Account-driven User Enrollment
B. Automated Device Enrollment
C. Account-driven Device Enrollment
D. Declaration-driven Device Enrollment
E. Manual Enrollment

Answer 62

B. Automated Device Enrollment
E. Manual Enrollment

Question 63

63 of 87

Your organization wants to prevent devices from being unenrolled from the MDM server. Which enrollment type can you configure to prevent unenrollment?
A. Profile-based User Enrollment
B. Automated User Enrollment
C. Account-driven Device Enrollment
D. Automated Device Enrollment

Answer 63

D. Automated Device Enrollment
ADE

Question 64

64 of 87

Your organization begins buying from a new Apple Authorized Reseller.
What information do you give the reseller to ensure that your devices appear in Apple Business Manager or Apple School Manager?
A. Purchase Order Number
B. Organization ID
C. D-U-N-S Number
D. Reseller Number

Answer 64

B. Organization ID
Share Org ID

Question 65

65 of 87

Your organization buys devices from a new Apple Authorized Reseller. You want to ensure that your devices appear in Apple Business Manager or Apple School Manager.
What information do you need to add in Apple Business Manager or Apple School Manager?

A. Purchase Order Number
B. D-U-N-S Number
C. Organization ID
D. Reseller number

Answer 65

D. Reseller number

Question 66

66 of 87

You’re resetting several iPad devices for new users. The iPad devices don’t progress past the Apple logo
after restart.
Which of these should you do?
A. Send the Return to Service command from the MDM solution.
B. Get a bypass code from the MDM administrator to clear Activation Lock.
C. Use Apple Configurator for iPhone to restore the iPad devices.
D. Use Apple Configurator for Mac to restore the iPad devices.

Answer 66

D. Use Apple Configurator for Mac to restore the iPad devices.

Question 67

67 of 87

What allows a device to asynchronously apply settings and report status to the MDM solution without constant polling?
A. Declarative device management
B. Automated Device Enrollment
C. Supervision
D. Apple async notification server

Answer 67

A. Declarative device management

DDM

Question 68

68 of 87

Which type of declaration isn’t supported in declarative device management?
A. Assets
B. Activations
C. Configurations
D. Enrollments

Answer 68

D. Enrollments

Declarations

Question 69

69 of 87

Which of these is a reason a user can’t change firewall settings on their organization-owned managed Mac?
A. MDM manages the firewall.
B. XProtect manages the firewall.
C. Secure Enclave manages the firewall.
D. Gatekeeper manages the firewall

Answer 69

A. MDM manages the firewall.

MDM Firewall settings

Question 70

70 of 87

Which two capabilities does Apple’s MDM framework provide on an organization-owned managed device?
Select two.
A. Remotely wiping or locking
B. Updating software
C. Diagnosing hardware issues
D. Reading SMS messages
E. Reporting user browser history

Answer 70

A. Remotely wiping or locking
B. Updating software

MDM capabilities include

Question 71

71 of 87

Which type of enrollment results in a Mac that’s managed and unsupervised?
A. Profile-based Device Enrollment
B. Automated Device Enrollment
C. Account-driven User Enrollment
D. Account-driven Device Enrollment

Answer 71

C. Account-driven User Enrollment

Enrollment Methods

Link is great resource for enrollment explainations. References ABE

Apple no longer supports Profile-based

Question 72

72 of 87

Which two settings should you confirm are configured on your network to ensure that users get notifications from APNs?
Select two.
A. Turn off HTTPS Interception
B. Turn on HTTPS Interception
C. Allow inbound connections from 17.0.0.0/8 or *apple.com
D. Allow outbound connections to 17.0.0.0/8 or *apple.com
E. Turn on client isolation from 17.0.0.0/8 or *apple.com

Answer 72

C. Allow inbound connections from 17.0.0.0/8 or *apple.com
D. Allow outbound connections to 17.0.0.0/8 or *apple.com
Configure devices to work with APNs

Question 73

73 of 87

What must be implemented on a network to allow iPad screen monitoring to work with Apple Classroom?
A. Client isolation
B. Client-to-client communication
C. Apple School Manager
D. Mobile device management

Answer 73

D. Mobile device management

MDM configuration is crucial:
You cannot enable screen monitoring in Classroom without proper MDM settings allowing it.

Question 74

74 of 87

Your Apple devices are configured to send all traffic through an HTTP proxy. The devices aren’t receiving
MDM requests.
Which service must be allowed on your network to allow your Apple devices to communicate with your
MDM solution?
A. Federated Managed Apple ID
B. NAT
C. SSH
D. APNs

Answer 74

D. APNs
Configure your web proxy
To enable Apple devices to communicate with your MDM solution when configured to use an HTTP proxy, you need to ensure that your network allows access to the Apple Push Notification service (APNs), which typically uses port 5223 on the Apple network.

Question 75

75 of 87

Which two content caching settings could you use to optimize internet bandwidth for Apple devices over three network subnets?
Select two.
A. Cache content for: Only Shared Content
B. Cache content for: Only iCloud Content
C. Cache content for: devices using the same local networks
D. Cache content for: devices using custom local networks
E. Cache content for: devices using the same public IP address

Answer 75

** A. Cache content for: Only Shared Content**
** E. Cache content for: devices using the same public IP address**
Understanding Content Caching

Question 76

76 of 87

In which order do iPhone, iPad, and Mac devices automatically join a Wi-Fi network?
A. Preferred network, private networks, public network
B. Preferred network, public network, private networks
C. Private networks, preferred network, public network
D. Public network, preferred network, private networks

Answer 76

A. Preferred network, private networks, public network

When auto-joining

Question 77

77 of 87

Which type of 802.1 X configuration allows Mac computers to connect to Wi-Fi before login and user authentication after login?
A. System+User Mode
B. System+Login Window Mode
C. System Mode
D. User Mode

Answer 77

A. System+User Mode
802.1x Networks

Question 78

78 of 87

Mac users received a recently deployed Wi-Fi profile from MDM. They report they can no longer join the
802.1 X network.
What is the most likely reason users can no longer join the Wi-Fi network?
A. The Wi-Fi network wasn’t configured to auto-join.
B. The user accounts are locked.
C. Trust to the RADIUS server wasn’t established.
D. Network users forgot their passwords.

Answer 78

C. Trust to the RADIUS server wasn’t established.
Trust Settings

Question 79

79 of 87

Which protocol should your organization use for Always-On VPN on iPhone and iPad devices?
A. SSLVPN
B. L2TP over IPsec
C. IKEv2
D. Cisco IPsec

Answer 79

C. IKEv2
VPN Overview

Question 80

80 of 87

You use MDM to ensure that managed iPhone traffic, destined for your organization domain and subdomains, is tunneled securely.
Which two settings should you configure in the Relay payload?
Select two.
A. Relays
B. Match domains
C. Relay domains
D. RelayUUID
E. Excluded domains

Answer 80

A. Relays
B. Match domains
To ensure managed iPhone traffic to your organization domain is securely tunneled using MDM, you should configure the “Relays” and “Match domains” settings in the Relay payload.
Relay MDM Payload setting

Question 81

81 of 87

Which MDM payload can you configure to prioritize traffic using Cisco Fastlane enhanced Quality of Service on Mac computers?
A. Restrictions
B. Wi-Fi
C. Network Usage Rules
D. VPN

Answer 81

B. Wi-Fi
Cisco Fastlane MDM

Question 82

82 of 87

Which setting is required when you use the Global HTTP Proxy payload for automatic proxy configuration?
A. Proxy server URL
B. Proxy type
C. Managed Apple ID user name and password
D. Port

Answer 82

A. Proxy server URL
When using the Global HTTP Proxy payload for automatic proxy configuration, the required setting is A. Proxy server URL.
Explanation: For automatic proxy configuration, you need to specify the URL of the Proxy Auto-Configuration (PAC) file, which tells the device how to automatically select the appropriate proxy server based on the website being accessed.

Question 83

83 of 87

You’re assisting the network team in troubleshooting an issue in communications with Apple services and APNs.
Which range should you exclude from routing filters to ensure full functionality?
A. 16.0.0.0 - 16.0.0.24
B. 192.0.0.0/8
C. 127.0.0.1 - 127.255.255.255
D. 17.0.0.0/8

Answer 83

D. 17.0.0.0/8
Address Block

Question 84

84 of 87

Which ports should you open on your router for full Apple Push Notification service functionality?
A. TCP ports 443, 2197, and 5223
B. UDP ports 443, 2197, and 5223
C. TCP ports 80, 548, and 5223
D. UDP ports 80, 548, and 5223

Answer 84

A. TCP ports 443, 2197, and 5223
If your Apple devices aren’t getting Apple push notifications

Question 85

85 of 87

Which setting directs app traffic through a network relay for managed iPhone devices?
A. DomainUUID of the relay
B. RelayUUID of the relay
C. Excluded domains
D. Match domains

Answer 85

B. RelayUUID of the relay
Relay MDM payload settings

Question 86

86 of 87

Which wireless measurement determines the point at which Apple devices scan for roaming candidates?
A. Noise
B. Channel
C. RSSI
D. Tx Rate

Answer 86

C. RSSI
RSSI, Wifi roaming info

Question 87

87 of 87

Which two Apple technologies use Bonjour for discovery?
Select two.
A. AirDrop
B. AirPrint
C. SharePrint
D. SharePlay
E. AirPlay

Answer 87

B. AirPrint
E. AirPlay
Bonjoir Overview