Review Questions

Question 1

What is designed to allow only trusted operating system software from Apple to load at startup?

Answer 1

Secure boot, beginning with the Boot ROM

Question 2

Which hardware feature protects the biometric data used for Face ID and Touch ID?

Answer 2

Secure Enclave

Question 3

Which feature encrypts all data on a volume if turned on?

Answer 3

FileVault

Question 4

Administrator credentials are required to modify which settings in the Privacy & Security pane?

Answer 4

Location Services, Full Disk Access, Gatekeeper, FileVault, and Lockdown Mode

Question 5

With FileVault turned on, what is required to unlock the encrypted volume?

Answer 5

A FileVault-enabled user or recovery key

Question 6

Where can recovery keys be viewed that have been escrowed with Jamf Pro?

Answer 6

Navigate to the computer’s inventory record and select Disk Encryption.

Question 7

How does Gatekeeper help prevent malware?

Answer 7

Only apps and packages signed by identified developers can be opened.

Question 8

What is Apple app notarization?

Answer 8

Notarization is a service by Apple that allows developers who plan to distribute their software outside the App Store to submit their code to be scanned for known malware.

Question 9

How does threat prevention block known malware?

Answer 9

Processes that match any known threats in the Jamf Protect threat database are blocked and associated files are quarantined.

Question 10

The MITRE ATT&CK PRE Matrix is composed of which two tactics?

Answer 10

The PRE Matrix contains the Reconnaissance and Resource Development tactics

Question 11

In the context of the MITRE ATT&CK Matrix, what is a procedure?

Answer 11

A procedure is a real-world, documented example of a technique being used to achieve a tactical goal by a malicious actor.

Question 12

Which feature in Jamf Protect functions as a detection method to expose malicious actors on a system or network and is built on tactics, techniques, and procedures from the MITRE ATT&CK Matrix?

Answer 12

Analytics

Question 13

What do insights determine about enrolled computers?

Answer 13

Insights check for compliance with specific profiles from the CIS Benchmark for macOS.

Question 14

How are severity levels for alerts determined?

Answer 14

The severity level of an alert corresponds to the severity level of the analytic that triggered it: informational, low, medium, or high.

Question 15

Does an action have the ability to remediate malware on an enrolled computer?

Answer 15

No, actions determine the type and amount of data that is sent back to Jamf Protect for processing. Threat prevention remediates threats on enrolled computers.

Question 16

What setting within a plan controls the amount of data sent to the macOS Unified Log?

Answer 16

The Log Level pop-up menu controls the amount of data sent to the macOS Unified Log; each subsequent level builds upon and includes the previous.

Question 17

What does an action configuration do when added to a plan?

Answer 17

The action configuration tells the Protect client what data to collect during an alert and where to send that information.

Question 18

How could one confirm that a plan has successfully installed on a Mac?

Answer 18

When a plan has successfully installed on a Mac, the plan profile will appear in System Settings > Privacy & Security > Profiles. We can also check via the command line with the Terminal command sudo protectctl info.

Question 19

What qualifies an alert as informational rather than low, medium, or high?

Answer 19

Informational alerts are likely to occur through everyday use of a Mac and are likely to be benign. A low severity alert or higher is likely caused by an actual threat to the computer or user and is likely not a by-product of normal use.

Question 20

What happens to files after they are quarantined by Jamf Protect?

Answer 20

Files are moved into the /Library/Application Support/JamfProtect/Quarantine directory and kept there. Any attempt to modify or view the files will cause the Jamf Protect agent to destroy and recreate the directory, but they otherwise remain in quarantine indefinitely.

Question 21

How does a custom prevent list identify specific software on enrolled Macs?

Answer 21

The prevent list uses the file hash, team ID, CDHash, or signing ID to identify specific files or processes on enrolled computers.