Review Questions Flashcards

1
Q

What is designed to allow only trusted operating system software from Apple to load at startup?

A

Secure boot, beginning with the Boot ROM

2
Q

Which hardware feature protects the biometric data used for Face ID and Touch ID?

A

Secure Enclave

3
Q

Which feature encrypts all data on a volume if turned on?

A

FileVault

4
Q

Administrator credentials are required to modify which settings in the Privacy & Security pane?

A

Location Services, Full Disk Access, Gatekeeper, FileVault, and Lockdown Mode

5
Q

With FileVault turned on, what is required to unlock the encrypted volume?

A

A FileVault-enabled user or recovery key

6
Q

Where can recovery keys that have been escrowed with Jamf Pro be viewed?

A

Navigate to the computer’s inventory record and select Disk Encryption.

7
Q

How does Gatekeeper help prevent malware?

A

Only apps and packages signed by identified developers can be opened.

8
Q

What is Apple app notarization?

A

Notarization is a service by Apple that allows developers who plan to distribute their software outside the App Store to submit their code to be scanned for known malware.

9
Q

How does threat prevention block known malware?

A

Processes that match any known threats in the Jamf Protect threat database are blocked and associated files are quarantined.

10
Q

The MITRE ATT&CK PRE Matrix is composed of which two tactics?

A

The PRE Matrix contains the Reconnaissance and Resource Development tactics.

11
Q

In the context of the MITRE ATT&CK Matrix, what is a procedure?

A

A procedure is a real-world, documented example of a technique being used to achieve a tactical goal by a malicious actor.

12
Q

Which feature in Jamf Protect functions as a detection method to expose malicious actors on a system or network and is built on tactics, techniques, and procedures from the MITRE ATT&CK Matrix?

A

Analytics

13
Q

What do insights determine about enrolled computers?

A

Insights check for compliance with specific profiles from the CIS Benchmark for macOS.

14
Q

How are severity levels for alerts determined?

A

The severity level of an alert corresponds to the severity level of the analytic that triggered it: informational, low, medium, or high.

15
Q

Does an action have the ability to remediate malware on an enrolled computer?

A

No, actions determine the type and amount of data that is sent back to Jamf Protect for processing. Threat prevention remediates threats on enrolled computers.

16
Q

What setting within a plan controls the amount of data sent to the macOS Unified Log?

A

The Log Level pop-up menu controls the amount of data sent to the macOS Unified Log; each subsequent level builds upon and includes the previous.

17
Q

What does an action configuration do when added to a plan?

A

The action configuration tells the Protect client what data to collect during an alert and where to send that information.

18
Q

How could one confirm that a plan has successfully installed on a Mac?

A

When a plan has successfully installed on a Mac, the plan profile will appear in System Settings > Privacy & Security > Profiles. We can also check via the command line with the Terminal command sudo protectctl info.

19
Q

What qualifies an alert as informational rather than low, medium, or high?

A

Informational alerts are likely to occur through everyday use of a Mac and are likely to be benign. A low severity alert or higher is likely caused by an actual threat to the computer or user and is likely not a by-product of normal use.

20
Q

What happens to files after they are quarantined by Jamf Protect?

A

Files are moved into the /Library/Application Support/JamfProtect/Quarantine directory and kept there. Any attempt to modify or view the files will cause the Jamf Protect agent to destroy and recreate the directory, but they otherwise remain in quarantine indefinitely.

21
Q

How does a custom prevent list identify specific software on enrolled Macs?

A

The prevent list uses the file hash, team ID, CDHash, or signing ID to identify specific files or processes on enrolled computers.