
Apple Deployment and Management Test Study Guide

Uploaded by

whiskey-sushi.0m

Apple Deployment and Management Test Study guide:

I would recommend taking the full course before reviewing this guide. The course contains
questions after each section which I’ve also copied out at the bottom to go through separately if
desired. The Reviewing the Learning Objectives page (also under my gotcha notes) was
definitely helpful to review after the course and look further into topics I was less familiar
with/clear about. I read through the topics again after taking the exam and they are very spot on
with what the test asks about.

A few gotchas I recall from the test that were important to understand:

Important Ports and protocols


For your Apple devices to work with APNs, allow network traffic from the devices to the Apple
network (17.0.0.0/8) directly or by using a network proxy. Apple devices must be able to connect
to specific ports on specific hosts:

TCP port 443 during device activation, and afterward for fallback if devices can’t reach APNs on
port 5223

TCP port 5223 to communicate with APNs

TCP port 443 or 2197 to send notifications from MDM to APNs

More Important ports


3283 - TCP/UDP - Apple Remote Desktop and Classroom

5900 - TCP - Remote Framebuffer - 6143 - rfb - Apple Remote Desktop, Screen Sharing

5900 - UDP - Remote Framebuffer, Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - Apple Remote Desktop, Screen Sharing

5901–5902 - UDP - Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - Apple Remote Desktop, Screen Sharing

Network relays in iOS, iPadOS, macOS, and tvOS

Relays can be applied to managed apps, domains, or the entire device.

Relay MDM payload settings (IMPORTANT)
A built-in relay in iOS 17, iPadOS 17, macOS 14, and tvOS 17, or later, can be used to secure
traffic using an encrypted HTTP/3 or HTTP/2 connection as an alternative VPN. A network relay
is a special type of proxy that is optimized for performance and uses the latest transport and
security protocols. It can be used to secure the TCP and UDP traffic of a particular app, an
entire device, and when accessing internal resources. Multiple network relays can be used in
parallel including iCloud Private Relay, with no app required. For more information, see Use
network relays.

Content caching selection options:

Know these drop down options

Content caching Across Multiple Subnets


By default, content caching is limited to a specific subnet. However, you can set
the caching server to provide content caching for these configurations:
● Subnets of the local network that share a common public IP address
● Subnets of publicly accessible IP addresses (with additional DNS
changes being required)

Apple Business Manager and Apple School Manager accounts that CANNOT be
federated:
● Administrator
● People Manager

Understand the Apple Business Manager roles:

Apple School Manager can sync with SIS - not ABM


You can also use Apple School Manager to securely integrate with your Student Information
System (SIS) or use the Secure File Transfer Protocol (SFTP) to upload all the CSV files from
your SIS to Apple School Manager. You may want to use SFTP if your SIS isn’t currently
supported by Apple School Manager or if you want to import the exact same information from a
different system you currently use. For more information, refer to Import accounts into Apple
School Manager using SFTP.

Terminal command for network quality:


networkQuality

Understand 802.1X configurations/modes for Mac


You can also use WPA/WPA2/WPA3 Enterprise authentication at the login window of macOS,
so that the user logs in to authenticate to the network. The macOS Setup Assistant also
supports 802.1X authentication with user name and password credentials using TTLS or PEAP.
For more information, see the Apple Support article Use Login Window Mode for 802.1X
authentication to a network.

The types of 802.1X configurations are:


● User Mode: This mode, the simplest to configure, is used when a user joins the
network from the Wi-Fi menu and authenticates when prompted. The user must accept
the RADIUS server’s X.509 certificate and trust for the Wi-Fi connection.
● System Mode: System Mode is used for computer authentication. Authentication
using System mode occurs before a user logs in to the computer. System Mode is
commonly configured to provide authentication with the computer’s X.509 certificate
(EAP-TLS) issued by a local certificate authority.
● System+User Mode: A System+User configuration is often part of a one-to-one
deployment where the computer is authenticated with its X.509 certificate (EAP-TLS).
After the user is logged in to the computer, they can join the Wi-Fi network from the
Wi-Fi menu and enter their credentials. User credentials might be a user name and
passphrase (EAP-PEAP, EAP-TTLS) or a user certificate (EAP-TLS). After the user
has connected to the network, their credentials are stored in the login keychain and
used to join the network on future connections.
● Login Window Mode: This mode is used when the computer is bound to an
on-premise local directory service such as Active Directory. When Login Window
Mode is configured and a user enters their user name and passphrase at the login
window, the user is authenticated to the computer and then to the network using
802.1X authentication. Login Window Mode passes the user name and password
credentials only when the Login Window first appears. If the Mac goes to sleep and
the WLAN controller idle session time expires, a Mac configured only with Login
Window Mode must be restarted or the user must log out. The user can then enter
their user name and password again.

Note: System Mode, System+User Mode (required for the System Mode configuration), and
Login Window Mode require configuration by an MDM solution. Configure the Network payload
settings with the desired Wi-Fi network settings, and apply in-scope to a device or device group
for System Mode.

Bonjour Services:
Apple Remote Desktop and Classroom

Learn how Wi-Fi roaming works and when it decides to choose a new network

How does a PAC file influence the way an Apple device communicates over a network?
The device follows the PAC file rules that define the proxy server’s location and traffic allowed to
connect directly.
The proxy server’s location and rules for allowed direct traffic defined in the PAC file manage the
way an Apple device communicates over a network.

Using HTTP web addresses for PAC files is deprecated. WPAD using DNS is unaffected by this
change. For any other configurations of PAC files, including WPAD using DHCP option 252,
macOS attempts to access the PAC file over HTTPS first, before falling back to the HTTP web
address.
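
The PAC rules described above, written out as an added example (not from the study guide or from Apple): it returns DIRECT for internal names and for destinations inside the Apple network 17.0.0.0/8 named in the APNs note earlier, and sends everything else to a proxy. The domain corp.example and the proxy proxy.corp.example:8080 are hypothetical, and the sample URLs are constructed.

```javascript
// Added example PAC file. Hypothetical values: corp.example, proxy.corp.example:8080.
var PROXY = "PROXY proxy.corp.example:8080"; // proxy server's location (hypothetical)
var INTERNAL_SUFFIX = ".corp.example";        // internal domain (hypothetical)

// Convert a dotted-quad IPv4 literal to an unsigned integer; null if invalid.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet; // plain arithmetic avoids signed 32-bit bit-shift surprises
  }
  return n;
}

// True when ip lies inside base/prefixLen (IPv4 only).
function inCidr(ip, base, prefixLen) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - prefixLen);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Entry point every PAC runtime calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (no dot, and not an IPv6 literal) are local: connect directly.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";

  // Internal domain: match the exact name or a suffix that starts with a dot,
  // so "evilcorp.example" and "wiki.corp.example.attacker.test" do not match.
  if (host === INTERNAL_SUFFIX.slice(1) ||
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) {
    return "DIRECT";
  }

  // dnsResolve() is a PAC runtime built-in. Outside a PAC runtime (for example
  // when this file is run under Node) only IP-literal hosts are checked.
  var ip = ipv4ToInt(host) !== null
    ? host
    : (typeof dnsResolve === "function" ? dnsResolve(host) : null);

  // Apple network from the APNs note: allow it to connect directly.
  if (ip && inCidr(ip, "17.0.0.0", 8)) return "DIRECT";

  // Everything else goes to the proxy. There is no "; DIRECT" fallback, so an
  // unreachable proxy does not silently turn into unfiltered direct access.
  return PROXY;
}

// Offline harness: evaluate the PAC rules for a list of URLs.
function decide(urls) {
  return urls.map(function (u) {
    return [u, FindProxyForURL(u, new URL(u).hostname)];
  });
}

// Constructed sample URLs.
var SAMPLE_URLS = [
  "http://intranet/",
  "https://wiki.corp.example/",
  "https://evilcorp.example/",
  "https://17.250.1.10/",
  "https://18.0.0.1/"
];

if (typeof console !== "undefined" && typeof URL !== "undefined") {
  decide(SAMPLE_URLS).forEach(function (row) {
    console.log(row[1] + "  <-  " + row[0]);
  });
}
```

Serving this file from an HTTPS web address is in line with the note above that HTTP web addresses for PAC files are deprecated.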

How do you ensure that only trusted host computers can pair with your organization’s
iPhone and iPad devices?

Distribute the correct supervision identities to users’ devices.


When you deselect the “Pair with non-Apple Configurator hosts” restriction — and distribute the
correct supervision identities to users’ devices — you ensure that only trusted computers
holding a valid supervision host certificate are allowed to access iPhone or iPad over
Thunderbolt or USB.

Which MDM payload contains the settings that specify how managed apps use cellular
data?
Network Usage Rules
Which MDM payload contains the settings that enable QoS support on your managed
devices?
Wi-Fi

u/wankotron3000 Additions:
If anyone uses Brainscape there are 3 decks I would recommend:

1- Apple+ Deployment and Management (DEP-2024) by Slashie - This is basically a large dump
of questions, but mastering these will get you at least 50 percent.
2- Apple DEP-2024 by Jake Witt - After taking the exam, the cards here cover topics people
really need to know. Especially with Relays etc.

A few specific notes I have from my test are here:

1 - Know the basics on how MDM gets connected:


Service Discovery
User Enrollment
Session Token
MDM enrollment

2- Actual Question: 30-Day Provisional period - when does it start?

After you manually add a device to Apple Business Manager, Apple Business Essentials, or
Apple School Manager, users have a 30-day provisional period to remove it from enrollment and
supervision in device settings, or during Setup Assistant. This 30-day provisional period begins
after you assign the device to and enroll it in a third-party MDM server linked to Apple Business
Manager, Apple Business Essentials, or Apple School Manager. Alternatively, the 30-day period
begins when you assign the device to and enroll it in the device management that’s built into
Apple Business Essentials. Removing the management profile within 30 days resets the device
to factory settings and releases it from Apple Business Manager, Apple Business Essentials, or
Apple School Manager. After the 30-day period, users can’t remove the management profile and
the device remains in the system until you release it.

3- Know the different declarations


Declarations
- Configurations
- Activations
- Assets
- Credentials
- Management
- Base Declaration

4- Actual Question: Which Apps/Services use Bonjour?


- AirPlay
- Freeform

5- Actual Question: Terminal Command to check Network Quality - command is: networkquality

6- Actual Question referencing Managed Pasteboard - NOT clipboard.

7- How Apple separates organization data

8- Apple School Manager


Sync user accounts from your Student Information System (SIS), Google Workspace, Microsoft
Entra ID, or your identity provider, or with files you create and upload using SFTP.

Reviewing the Learning Objectives

Deployment

Explain how device ownership models affect an organization’s deployment
strategy.
● Enrolling User-Owned Devices
● Managing Organization Apps and Data
● How Apple separates user data from organization data
● How users enroll their personal devices

Evaluate identity management and authentication services, such as single
sign-on (SSO) and Entra ID (formerly Azure AD), to manage secure access to
your organization’s resources on Apple devices.
● Evaluating Authentication and User Services
● Platform Single Sign-on for macOS

Evaluate an organization’s network infrastructure with respect to profiles and
payloads for Apple devices.
● Managing Network Traffic
● Network Usage Rules MDM payload settings for Apple devices

Compare the requirements of account-driven Device Enrollment to profile-based
Device Enrollment.
● Account-driven Device Enrollment

Identify key considerations that relate to deploying Apple devices in
organization-owned deployment scenarios.
● Managing Enrollment and Setup Assistant
● Understanding Device Enrollment
● Device Enrollment and MDM
● Automated Device Enrollment and MDM

Given a scenario, develop a deployment strategy for different ownership models
and device purchase sources.
● Managing Device Assignments
● Manage device suppliers in Apple Business Manager
● Manage device suppliers in Apple School Manager

Compare and contrast the features and functions related to managed devices
between Apple Configurator and MDM.
● Exploring Apple Configurator Features
● Preparing Devices for a Return to Service
● Revive and restore Apple devices
● Update or restore iPhone, iPad, or Apple TV devices

Explain how mobile device management impacts a user’s ability to configure
settings on Apple devices.
● Setup Assistant pane options
● Firewall MDM payload settings for Apple devices

Explain declarative device management.


● Understanding How MDM Works
● Exploring Apple's MDM Framework
● Querying Devices
● Intro to declarative device management and Apple devices
● Declarations

Recognize the key purpose and function of Apple’s management framework.


● Exploring Apple's MDM Framework
● Designing a Security Strategy
● Managing Software Updates
● Intro to mobile device management profiles
● About software updates for Apple devices
● Use MDM to deploy software updates to Apple devices
● Erase Apple devices

Explain the ownership and enrollment options for each enrollment type.
● Planning Device Ownership and Enrollment
● Designing a Security Strategy
● Intro to Apple device enrollment types
● Device Enrollment and MDM
● Automated Device Enrollment and MDM
● About Apple device supervision

Apple Business Manager and Apple School Manager

Link Apple School Manager or Apple Business Manager to your organization’s
third-party MDM solution.
● Adding an MDM Server
● Link to a third-party MDM server in Apple Business Manager
● Link to a third-party MDM server in Apple School Manager

Explain the Directory Sync requirements for Apple School Manager or Apple
Business Manager.
● Evaluating Authentication and User Services
● Using Apple Business Manager or Apple School Manager
● Use federated authentication with Google Workspace in Apple Business
Manager

Identify the integration standards for public or in-house identity providers to
integrate with Apple School Manager or Apple Business Manager.
● Using Apple Business Manager or Apple School Manager
● Learn which Student Information Systems (SIS) that Apple School
Manager supports

Explain why an organization uses Apple School Manager or Apple Business
Manager.
● Planning Device Ownership and Enrollment
● Using Apple Business Manager or Apple School Manager
● Choosing a Distribution Method
● Managing Organization Apps and Data
● Inspect a user account in Apple School Manager
● Integrate Apple School Manager with your Student Information System
(SIS)
● Migrate from redemption codes to managed distribution
● Migrate content tokens to Apple School Manager
● Migrate content tokens to Apple Business Manager
● Intro to content distribution for Apple devices
● Intro to Apple device enrollment types
● Automated Device Enrollment and MDM

Identify the purpose of roles and locations in Apple School Manager or Apple
Business Manager.
● Using Apple Business Manager or Apple School Manager
● Intro to roles and privileges in Apple School Manager

Explain who owns volume purchased app and book licenses after distribution.
● Buying Content Through Apps and Books
● Choosing a Distribution Method
● Managing Organization Apps and Data
● Intro to content distribution for Apple devices

Add devices from Apple Configurator to Apple Business Manager or Apple
School Manager.
● Manually Adding Devices to Your Organization
● Add devices from Apple Configurator to Apple Business Manager
● Add devices from Apple Configurator to Apple School Manager

Buy content in volume in Apple Business Manager or Apple School Manager.


● Buying Content Through Apps and Books
● Manage content tokens in Apple Business Manager
● Manage content tokens in Apple School Manager

Manage content tokens in Apple Business Manager or Apple School Manager.


● Buying Content Through Apps and Books
● Manage content tokens in Apple Business Manager
● Manage content tokens in Apple School Manager

Transfer licenses to another location in Apple Business Manager or Apple School
Manager.
● Buying Content Through Apps and Books
● Transfer licenses to another location in Apple Business Manager
● Transfer licenses to another location in Apple School Manager

Networking

Configure your organization’s network infrastructure — Wi-Fi coverage and
capacity, proxies, firewalls, VPN, and Bonjour — for use by Apple devices.
● Preparing Your Network
● Get proper Wi-Fi capacity
● Use Apple products on enterprise networks
● TCP and UDP ports used by Apple software products
● Infrastructure requirements

Summarize requirements and technical considerations for integrating Apple
devices into an existing network.
● Preparing Your Network
● Use Apple products on enterprise networks

Explain how content caching in macOS caches and optimizes downloaded Apple
content on your network.
● Understanding Content Caching
● Plan for and set up content caching

Recognize how content caching across subnets works.


● Understanding Content Caching
● How content caching works

Recognize key considerations that relate to joining managed Apple devices to
Wi-Fi networks.
● Preparing Your Network
● Joining Wi-Fi Networks
● How iOS, iPadOS, and macOS decide which wireless network to
auto-join

Configure wireless authentication methods your organization will use to connect
Apple devices to your network.
● Joining Wi-Fi Networks
● WEP, WPA, WPA2, WPA2/WPA3 MDM settings for Apple devices
● Secure access to wireless networks
● How Apple devices join Wi-Fi networks

Configure Apple devices to connect to 802.1X wireless networks.


● Preparing Your Network
● Joining Wi-Fi Networks
● Connect Apple devices to 802.1X networks

Identify key payloads and settings that MDM uses to configure a managed Apple
device to connect automatically to a supported Wi-Fi network using a supported
authentication protocol.
● Joining Wi-Fi Networks
● Extensible Authentication Protocol (EAP) MDM settings for Apple
devices

Configure devices to automatically use Always On VPN using MDM.


● Using VPN on Apple Devices
● VPN overview for Apple device deployment

Configure a relay network extension for managed apps, domains, or the entire
device in an MDM solution.
● Managing Organization Apps and Data
● Relay MDM payload settings for Apple devices

Configure network priorities for Wi-Fi and cellular networks for Apple devices.
● Joining Wi-Fi Networks
● Managing Network Traffic
● Configuring App Priorities
● Cisco Fastlane MDM settings for Apple devices

Configure global HTTP Proxy payload settings for Apple devices.


● Managing Network Traffic
● Global HTTP Proxy MDM payload settings for Apple devices
● DNS Proxy MDM payload settings for Apple devices

Identify key ports and protocols that MDM uses to communicate with APNs.
● Preparing Your Network
● Configure devices to work with APNs

Recognize relays can be applied to managed apps, domains, or the entire
device.
● Relay MDM payload settings for Apple devices
● Use network relays on Apple devices
● Network relays
● Network relays in iOS, iPadOS, macOS, and tvOS

Evaluate and recommend strategies for your organization to optimize its network
configuration for device access to Apple-specific services.
● macOS wireless roaming for enterprise customers
● How iOS, iPadOS, and macOS decide which wireless network to
auto-join
● Wi-Fi roaming support in Apple devices

Configure network to support screen monitoring for Classroom and Apple
Remote Desktop.
● TCP and UDP ports used by Apple software products
● Infrastructure requirements

Security

Identify passcode configuration options for Apple devices.


● Using Passcode Payloads
● Passcode MDM payload settings for Apple devices

Recognize key restrictions that apply to supervised Apple devices.


● Using Restrictions Payloads
● About Apple device supervision
● MDM restrictions for supervised Apple devices

Recognize key restrictions that apply to unsupervised Apple devices.


● Using Restrictions Payloads
● Review MDM restrictions for Apple devices

Describe what’s encrypted in macOS, iOS, and iPadOS, including where keys
can be stored for FileVault.
● Protecting Data with FileVault
● Institutional versus personal recovery keys

Recognize the key purpose and function of Lost Mode as it relates to managed
Apple devices.
● Using MDM to Manage Lost Mode
● Managing Lost Devices
● Locate lost or stolen supervised devices
● Lock and locate Apple devices

Define the key purpose and function of Activation Lock as it relates to managed
Apple devices.
● Managing Activation Lock
● recoveryOS Password
● Activation Lock on Apple devices
● Organization-linked Activation Lock for iPhone and iPad

Describe different types of biometric capabilities on Apple devices.


● Touch ID security
● About Touch ID advanced security technology
● Uses for Face ID and Touch ID
● Use Touch ID on Mac
● Set up Face ID on iPhone

Describe key components of Apple’s security model.


● Understanding Device Enrollment
● Secure Enclave
● Face ID and Touch ID security
● Hardware security overview
● Apple Platform Security

Apply organization security policies to MDM settings that allow an organization to
install and manage apps on a managed Apple device that run securely without
compromising platform integrity.
● Managing Organization Apps and Data
● Distribute apps to devices
● Distribute Managed Apps to Apple devices

Support

Define what a keychain is, and explain what a user can do with Keychain Access
in macOS.
● Keychain data protection
● Change Passwords settings on Mac

Describe macOS Recovery and what a user can do with it.


● Mac startup key combinations
● Apps available in macOS Recovery on a Mac with Apple silicon
● Start up from macOS Recovery

Explain what Console is and how it’s used to triage or troubleshoot user issues.
● Console User Guide for Mac
● Share log messages, activities, or reports in Console on Mac

Discern and classify the key components of a digital certificate.


● Managing Certificates
● Intro to certificate management for Apple devices

Set up tethered caching.


● Intro to content caching
● Set up content caching on Mac
● Device network information MDM queries for Apple devices
● How Content Caching > Share Internet connection works with MDM

Explain what Terminal is and how it’s used to triage or troubleshoot user issues.
● Console User Guide for Mac
● Terminal User Guide for Mac
● Test Wi-Fi networks with Apple Network Responsiveness

Identify content types supported by the caching service.


● Understanding Content Caching
● Content types supported by content caching in macOS

Describe the changes FileVault makes to the macOS boot process.


● Protecting Data with FileVault
● Intro to macOS Recovery
● Use macOS Recovery on a Mac with Apple silicon
● Use macOS Recovery on an Intel-based Mac
● How does FileVault work on a Mac?
● Protect data on your Mac with FileVault
● Volume encryption with FileVault in macOS
● Use secure token, bootstrap token, and volume ownership in
deployments
● Manage FileVault with mobile device management

State the importance of recovery keys, personal recovery keys, and MDM
escrow.
● Protecting Data with FileVault
● How does FileVault work on a Mac?
● Protect data on your Mac with FileVault
● Mac startup key combinations
● Apps available in macOS Recovery on a Mac with Apple silicon
● Start up from macOS Recovery
● Institutional versus personal recovery keys
● FileVault MDM payload settings for Apple devices

Configure content caching on Mac.


● Understanding Content Caching
● Enabling Content Caching
● Configuring Content Caching Advanced Settings
● Optimizing Content Caching
● Set up content caching on Mac
● Change Content Caching settings on Mac
● Change content caching Clients options on Mac
● Change content caching Parents options on Mac
● Change content caching Peers options on Mac
● Change content caching Storage options on Mac
● Intro to content caching
● Set up content caching on Mac
● Device network information MDM queries for Apple devices
● How Content Caching > Share Internet connection works with MDM
● Content types supported by content caching in macOS

Mobile Device Management (MDM)

Describe what MDM is and how it works.


● Understanding Device Enrollment
● Enrollment profiles

Plan your MDM migration.


● Intro to planning your MDM migration
● Configure your new MDM solution
● Reenroll devices in MDM

Manually enroll user-owned devices into an MDM solution.


● Understanding Device Enrollment
● Enrolling User-Owned Devices
● User Enrollment and MDM
● User Enrollment and Managed Apple IDs
● About Lockdown Mode

Compare and contrast the actions that an MDM administrator can take on a
managed user-owned and organization-owned Apple device.
● Understanding How MDM Works
● Designing a Security Strategy
● Managing Enrollment and Setup Assistant
● Enrolling User-Owned Devices
● Using VPN on Apple Devices
● Using MDM to Manage Lost Mode
● Auto Advance and Automated Device Enrollment (macOS)
● MDM commands for Apple devices
● Lock and locate Apple devices
● Managing Devices and Corporate Data
● MDM commands for Apple devices
● Per App VPN
● VPN settings overview for Apple devices
● User Enrollment and per-app networking
● MDM commands for User Enrollment

Create and assign an enrollment profile in an MDM solution.


● Automated Device Enrollment MDM payload list
● Home Screen Layout MDM payload settings for Apple devices

Use Apple Configurator to enroll iPhone, iPad, or Apple TV devices into an MDM
solution.
● Exploring Apple Configurator Features

Identify which Setup Assistant options you can configure on Apple devices.
● Setup Assistant MDM payload settings for Apple devices
● Manage Setup Assistant for Apple devices

Use account-driven Device Enrollment on iPhone, iPad, and Mac to enroll in an
MDM solution.
● Managing Organization Apps and Data
● Account-driven Device Enrollment
● How Apple separates user data from organization data
● Device Enrollment and MDM

Identify restrictions that apply only to supervised Apple devices.


● Designing a Security Strategy
● Using Restrictions Payloads
● MDM restrictions for supervised Apple devices
● About Apple device supervision
● MDM restrictions for iPhone and iPad devices
● Review MDM restrictions for Apple devices

Prevent users from installing or removing apps.


● Designing a Security Strategy
● Managing Organization Apps and Data
● Preventing App Removal or Installation
● Review MDM restrictions for Apple devices
● MDM restrictions for iPhone and iPad devices
● Notifications MDM payload settings for Apple devices
● Distribute Managed Apps to Apple devices

Manage Rapid Security Response on Apple devices.


● Managing Software Updates
● Using Restrictions Payloads
● Rapid Security Responses and MDM

Configure Managed Open In restrictions on a managed iPhone or iPad.


● Managing Organization Apps and Data
● Managed App restrictions and capabilities

Enforce the use of passcodes during enrollment.


● Designing a Security Strategy
● Managing Enrollment and Setup Assistant
● Using Passcode Payloads
● Passcode MDM payload settings for Apple devices
● Setup Assistant pane options
● Auto Advance and Automated Device Enrollment (macOS)
● Automated Device Enrollment MDM payload list

Use an MDM solution to configure passcode requirements for Apple devices.
● Using Passcode Payloads
● Passcode MDM payload settings for Apple devices

Use an MDM solution to require FileVault on managed Mac computers.


● Protecting Data with FileVault
● Bootstrap token

Apply Lost Mode and Activation Lock on managed devices.


● Designing a Security Strategy
● Using MDM to Manage Lost Mode
● Managing Activation Lock
● Managing Lost Devices
● Organization-linked Activation Lock for iPhone and iPad
● Locate lost or stolen supervised devices

Demonstrate how to use an MDM solution to wipe devices safely.


● Managing Lost Devices
● Erase Apple devices

Identify the types of queries that are supported on a managed Apple device from
MDM.
● Querying Devices
● Security MDM queries for Apple devices

Defer software updates on managed iPhone and Apple TV devices.


● Managing Software Updates
● Deferring software updates and upgrades

List what can be managed and actions that can be taken on a device in MDM.
● Designing a Security Strategy
● Using Restrictions Payloads
● MDM restrictions for supervised Apple devices
● About Apple device supervision
● MDM restrictions for iPhone and iPad devices
● Review MDM restrictions for Apple devices
● MDM commands for Apple devices

Use cfgutil scripting to automate repetitive tasks not present in Apple
Configurator.
● Exploring Apple Configurator Features
● Use the Apple Configurator 2 command-line tool

Use the EraseDevice command for iPhone and iPad to quickly reset devices for
Return to Service in an MDM solution.
● Preparing Devices for a Return to Service
● Return to Service for iPhone and iPad
● Erase Apple devices
● Device Erase Command Details

Configure Setup Assistant for organization-owned Apple devices in an MDM
solution.
● Managing Enrollment and Setup Assistant
● Setup Assistant pane options

Use MDM to display detailed information about a managed Apple device.


● Querying Devices
● MDM queries for User Enrollment
● Device information MDM queries for Apple devices
● Device network information MDM queries for Apple devices
● Operating system MDM queries for Apple devices
● Installed app MDM queries for Apple devices
● Security MDM queries for Apple devices

Identify the purpose or function of using restrictions to manage Apple devices.
● Designing a Security Strategy
● Understanding Content Caching
● Using Restrictions Payloads
● Set up your content cache
● MDM restrictions for supervised Apple devices
● MDM restrictions for iPhone and iPad devices
● Review MDM restrictions for Apple devices

Manage accessory restrictions for iPhone, iPad, and Mac.


● Managing Thunderbolt and USB Pairing
● MDM management of host pairing

Deploy devices with cellular connectivity.


● Use MDM to deploy devices with cellular connections
● About the eSIM modification restriction

Questions:
1. What links a device to an MDM solution?
a. APNs
b. A firewall
c. A restriction
d. An enrollment profile
2. What does MDM need to operate, specifically for APNs and SSL?
a. Certificates
b. Restrictions
c. Enrollment profiles
3. Which Apple device capability allows MDM to secure devices?
a. Location Services
b. Enrollment profiles
c. Built-in device security features
4. How do devices report their status when using declarative device management?
a. Declarations
b. The status channel
c. Profiles
5. Which statement about the Apple management framework is true?
a. It’s built into Apple devices.
b. It doesn’t support personal devices.
c. It provides settings created by third parties to manage Apple devices.
6. After a device has enrolled in an MDM server, what happens next?
a. The device reports status to the server
b. The device polls the server for any commands.
c. The server sends push notifications to the device.
7. What transformative update to the MDM protocol allows a device to react autonomously
to its own state changes and apply management logic to itself without cues from the
server?
a. User Enrollment
b. Device Assignment
c. Declarative Management
8. What happens if you install an exclusive payload setting onto a managed Apple device
that already contains settings for the same payload?
a. The payload setting will be undefined.
b. The payload setting overwrites the previous setting.
c. The payload setting will be combined and the more restrictive setting will be
applied.
9. When is it recommended to test beta software releases?
a. Quarterly
b. Year-round
c. When new devices are added to your organization
10. In which type of enrollment and ownership model can users personalize apps and
data on their managed devices?
a. BYOD, organization-owned
b. Nonpersonalized, organization-owned
c. Personally enabled, organization-owned
11. In which type of ownership model can users personalize apps and data on their
personal devices?
a. BYOD, User Enrollment
b. BYOD, organization-owned
c. Nonpersonalized, organization-owned
d. Personally enabled, organization-owned
12. In which ownership model can IT administrators restrict the installed apps and
personal data on a device meant to be shared with multiple users?
a. BYOD, User Enrollment
b. BYOD, personally enabled
c. Nonpersonalized, organization-owned
d. Personally enabled, organization-owned
13. How do you enroll devices ineligible for automatic enrollment in Apple Business
Manager or Apple School Manager?
a. Device Enrollment
b. Automated Device Enrollment
c. Automatic enrollment
d. No enrollment possible
14. Which type of enrollment is ideal for devices you need to distribute to multiple
users in multiple regions?
a. Device Enrollment
b. User Enrollment
c. Automated Device Enrollment
15. Which type of enrollment do you commonly use for BYOD deployments?
a. Device
b. User
c. Automated device
16. What do you need to consider when evaluating MDM solutions?
a. Support for a wireless infrastructure
b. Pricing structure and subscription model
c. A device’s life cycle and trade-in value
17. Which is a deployment model to consider as part of your device management
goals?
a. Application Programming Interface (API)
b. Over-the-air (OTA) enrollment
c. One-to-one
18. Which is an important user authentication feature of an MDM solution that you
should consider?
a. Support and integration with your identity provider or directory service
b. Support for future versions of macOS, iOS, and iPadOS
c. Support for the BYOD deployment model
19. Which aspect of your organization’s infrastructure should you evaluate to ensure
that your organization meets the network roaming needs of users throughout a
building?
a. Number of devices per user
b. Wi-Fi coverage and capacity
c. Adequate number of access points per device
d. Sources of interference caused by construction materials
20. Which type of network uses individual user credentials or device- and/or
user-based certificates to control who or which devices can use the network?
a. Provisioning network
b. WPA2 Personal network
c. WPA2 Enterprise network
21. Which functions require Apple devices to continuously access APNs?
a. Bonjour access, content caching, and internet connection sharing
b. SSO, VPN connectivity, and Wi-Fi network roaming
c. Notifications of operating-system and app updates, MDM policies, and messages
d. Ad and location tracking, Keychain data backup, and app suggestions
22. What should you do to ensure that Apple devices can access APNs and other
Apple services on your organization’s network?
a. Configure all devices to auto-establish secure VPN access to Apple’s network.
b. Deploy devices with an SSO payload that are configured to allow access to
Apple’s network.
c. Adjust network configurations on web proxies or firewall ports to allow access to
Apple’s network.
d. Set up your network to work with Bonjour so that devices can connect to APNs
and Apple services.
23. What’s the most commonly deployed authentication technology that both AD and
SSO use?
a. Kerberos
b. MSCHAPv2
c. OAuth
d. SAML
24. Which Kerberos feature allows users to sign in once and access multiple
authenticated services?
a. Sign in with Apple at Work & School
b. OAuth
c. Ticket-granting ticket (TGT)
d. SAML
25. Which feature allows administrators to streamline the creation of Managed Apple
IDs based on existing Google Workspace or Entra ID data?
a. MSCHAPv2
b. Federated Authentication
c. Active Directory
d. SAML
26. What’s a benefit of using Apple Business Manager or Apple School Manager to
automate MDM enrollment during initial setup of managed Apple devices?
a. You can track the location of managed devices.
b. You can make the enrollment mandatory and nonremovable on user-owned
devices.
c. You can make the enrollment mandatory and nonremovable on
organization-owned devices.
27. Which strategy would be most effective in a scenario where an organization wants
to ensure that users always have the apps they need on their devices and to
control the access and exchange of the organization’s sensitive information?
a. Deploy devices to users in shared mode.
b. Install a nonremovable managed app onto the devices.
c. Convert all unmanaged apps on the devices to managed apps.
28. What’s the main benefit of using managed device attestation when deploying
Apple devices in an organization?
a. It allows the MDM administrator to use a bypass code to erase a device and
assign it to a new user.
b. It allows a user to unlock the storage on APFS volumes that require a secure
token and then become owners of the volume.
c. It provides a strong assurance to MDM administrators of device properties that
can be evaluated as part of a client certificate identity enrollment request.
29. Why might you create a security policy that enforces the use of FileVault for data
encryption on a managed Mac?
a. This policy ensures that users can’t disable FileVault.
b. When you use an MDM solution to enable FileVault, it adds a Recovery Key to a
user’s iCloud account.
c. FileVault is compatible with any Apple device.
d. You can use third-party encryption algorithms to configure FileVault.
30. Which benefit helps IT administrators reduce the need to perform extensive
configurations on Apple devices?
a. Many security features are turned on by default.
b. Users can select a security profile in Setup Assistant.
c. IT administrators can deliver and enforce policies without an MDM solution.
d. IT administrators can issue remote commands to devices to erase all private
information.
31. What happens if your Apple device can’t validate the trust chain of a signing CA?
a. The service encounters an error.
b. The CA is added to the unapproved list.
c. The user is asked to enter the device password or passcode.
32. Which MDM payload setting can you use to turn off updating certificates
wirelessly for iPhone and iPad devices?
a. Automatic sync while roaming
b. Allow users to accept untrusted TLS certificates
c. Allow automatic updates to certificate trust settings
33. You’ve installed a payload on your managed Apple device that prevents users
from accepting untrusted TLS certificates. What happens when users try to
access a webpage that uses an untrusted TLS certificate and then tap Show
Details?
a. They’re asked to contact the issuing CA to validate the certificate.
b. They can tap “view the certificate,” but they can’t trust this certificate or visit the
site.
c. They can’t tap “view the certificate,” and they can view only the unsecured
version of the webpage.
34. How do you configure Custom Apps to appear in the sidebar?
a. In Settings, select Apps and Books, then click Enable next to Custom Apps.
b. In Settings, select Enrollment Information, then click Enable next to Custom
Apps.
c. In Roles, choose the role for which to enable custom apps, then select the View
Custom Apps checkbox.
35. What’s the purpose of using federated authentication with Apple Business
Manager or Apple School Manager?
a. Federated authentication links to your Google Workspace or Azure AD domain.
b. Federated authentication verifies your organization’s eligibility.
c. Federated authentication verifies ownership of the domains that you use with
your portal.
36. You didn’t import user data into Apple Business Manager after configuring
federated authentication. Which Apple Business Manager settings pane can you
use to import user data into Apple Business Manager?
a. Accounts
b. Directory Sync
c. Enrollment Information
37. Which of the following roles has the least user privileges?
a. Staff
b. Administrator
c. Content Manager
38. Which type of additional user should you create immediately after sign-up (Apple
Business Manager Location) is complete?
a. Administrator
b. Device Enrollment Manager
c. People Manager
d. Content Manager
39. Which roles must your account have to add or edit locations in Apple Business
Manager?
a. Administrator or Site Manager
b. Administrator or People Manager
c. People Manager or Content Manager
40. You’ve created a number of users with Content Manager, Device Enrollment
Manager, and People Manager roles. What should you do next to give each user
access?
a. Enter a secure password for each user.
b. Ask each user to enroll in your portal.
c. Create sign-in information and email it to each user.
41. Which statement about adding an MDM server in Apple Business Manager or
Apple School Manager is true?
a. Adding an MDM server creates a link to your MDM solution.
b. Adding an MDM server eliminates the need for an MDM solution.
c. Adding an MDM server configures an additional server in your MDM solution.
42. What’s the purpose of the public key certificate file that you download from your
MDM server before you add the server to your Apple Business Manager or Apple
School Manager portal?
a. It enables the MDM server to securely send email through the portal.
b. It configures two-step verification between your MDM server and the portal.
c. It contains a public key that the MDM server uses to encrypt the portal server
token.
43. After you add your MDM server in your Apple Business Manager or Apple School
Manager portal, what must you do so that the MDM server securely connects to
the portal?
a. Enter the encryption key that the portal generates into the MDM server.
b. Verify that the secure URL for your MDM server in the portal is correct.
c. Download the server token from the portal and upload it to the MDM server.
44. On your Mac, which Apple Configurator tool do you use to add donated iPhone
and iPad devices to Apple Business Manager, Apple School Manager, or Apple
Business Essentials?
a. Blueprints
b. Profile Editor
c. Prepare Assistant
d. Device Assignments
45. What happens if a Wi-Fi payload isn’t included in a configuration profile when
using Apple Configurator on your Mac to manually add iPhone or iPad devices to
Apple Business Manager, Apple School Manager, or Apple Business Essentials?
a. Adding the device fails with a network error.
b. The device is added to Apple Business Manager, Apple School Manager, or
Apple Business Essentials but isn’t able to connect to Wi-Fi.
c. Apple Configurator continues trying to add the device to Apple Business
Manager, Apple School Manager, or Apple Business Essentials until you click
Cancel.
46. As an administrator in Apple Business Manager, Apple School Manager, or Apple
Business Essentials, you’re manually adding a newly purchased Mac to your
organization. What else do you need to complete the task?
a. AppleCare+ for Mac chat or phone support
b. An enrollment profile for your MDM solution and a device supporting AirDrop
c. Another Mac, Apple Configurator, and a Thunderbolt or Ethernet cable to connect
them
d. Your iPhone, the Apple Configurator for iPhone app, and a Wi-Fi connection to
the internet
47. You want to link your MDM solution with Apps and Books for managed
distribution to your devices. What must you download in Apple Business Manager
and then upload to your MDM solution?
a. A server token
b. A public key certificate
c. A CSV file containing all device serial numbers
d. Your organization’s Apple Customer ID
48. Your organization wants to retain full ownership and control of apps that you
bought through Apps and Books. Which license type should you choose?
a. Custom licenses
b. Managed licenses
c. Redemption codes
d. Supervised licenses
49. You buy books and choose licenses for managed distribution. What happens to
ownership of the books when you distribute them?
a. Book ownership always transfers to users. You can’t revoke or reassign books.
b. You choose whether you want to retain or transfer ownership of books when you
distribute them.
c. The organization retains full ownership and control, so you can revoke and
reassign them later.
50. What must multiple subnets share so that a network can use a single content
cache, without requiring DNS changes?
a. DNS
b. Subnet
c. Bandwidth
d. Public IP Address
51. When an iPhone device on your network tries to download Apple content that
could be cached, the Apple content server instructs the device to check with the
local network’s cache first.
a. True
b. False
52. Which issue could arise when multiple devices request the same data and caching
is NOT turned on?
a. Data becomes less secure.
b. Bandwidth consumption increases.
c. Only the first device can download the requested data.
d. No issue — each device downloads the requested data.
53. For best results, deploy content caching on a Mac that has a single wired Ethernet
connection as its only network connection.
a. True
b. False
54. Where do you turn on content caching on your Mac?
a. System Settings > Privacy & Security
b. System Settings > Sharing
c. System Settings > Network
d. System Settings > Displays
55. Which setting should you select to prevent your computer from going to sleep and
interfering with content caching?
a. Wake for network access
b. Put hard disks to sleep when possible
c. Enable Power Nap while plugged into a power source
d. Prevent automatic sleeping when the display is off
56. With internet connection sharing, you can use a Mac computer’s internet
connection to cache content for iPhone or iPad devices that are physically
connected to the Mac through USB.
a. True
b. False
57. Which advanced option do you use to set the cache size?
a. Peers
b. Storage
c. Clients
d. Parents
58. Which Mac sharing service becomes unavailable when the content caching internet
connection setting is turned on?
a. Internet Sharing
b. Remote Management
c. Media Sharing
d. File Sharing
59. When you use Activity Monitor to check performance statistics for content
caching, which comparison can tell you how much content caching is helping?
a. The closer the Maximum Cache Pressure value is to the Data Served value, the
more content caching is helping.
b. The further the Maximum Cache Pressure value is from the Data Served value,
the more content caching is helping.
c. The closer the Data Served From Cache values are to the Data Served values,
the more content caching is helping.
d. The further the Data Served From Cache values are from the Data Served
values, the more content caching is helping.
60. Where does the content caching service send log messages?
a. To the main system.log
b. To the subsystem com.apple.AssetCache
c. To the subsystem com.apple.ContentCache
d. To the subsystem com.apple.AssetCacheManagerUtil
61. Which command can you use to configure advanced settings for content caching?
a. defaults write
b. AssetCacheManagerUtil status
c. AssetCacheManagerUtil settings
62. Which tool can you use to display advanced settings for the content caching
service?
a. Activity Monitor
b. Console
c. System Settings
d. Terminal
63. Which statement about entering Apple Customer Numbers and Reseller Numbers
is correct?
a. You can enter both an Apple Customer Number and a Reseller Number.
b. You can enter an Apple Customer Number or a Reseller Number but not both.
c. You can enter only one Apple Customer Number, but multiple Reseller Numbers.
64. Your organization has multiple MDM servers linked in Apple Business Manager or
Apple School Manager. What should you do to automatically assign iPhone
devices and Mac computers to different MDM servers?
a. Choose your preferred assignment method in MDM Server Assignment, then
select the default MDM server for each device type.
b. Edit the assignment options in Default MDM Server Assignment settings and
choose a different server for iPhone devices and Mac computers.
c. Upload a CSV file containing iPhone device serial numbers and assign them to
one MDM server, then upload a CSV file for Mac computers and assign them to a
different MDM server.
65. You made multiple orders for new iPhone devices and you want the devices from
one order assigned to a different MDM server than the others. What’s the best way
to do that?
a. Use MDM Server Assignment to change the Default MDM Server Assignment for
iPhone.
b. Select Devices, filter by order number and device type, then select All Devices to
change assignments.
c. Use MDM Server Assignment to enter a new Reseller Number for the order to
filter device assignments.
d. Use Devices to download a CSV file containing iPhone device serial numbers for
that order only. Edit the file and upload it with the unique server assignment for
the iPhone devices in that order.
66. You’re responsible for managing 10 identical iPad devices that your organization
uses in a training classroom and networking isn’t available onsite. Each week you
need to retrieve the files stored on each device by the recent students and set up
the devices for a new class. Which approach is best for this task?
a. Apple Configurator for Mac
b. Apple Configurator for Mac with Shared iPad
c. Apple Configurator for Mac with your MDM solution
67. Which type of content can you assign to iPhone or iPad with Apple Configurator
for Mac?
a. Apps
b. User settings
c. Purchased music
d. Podcasts
68. Which of the following devices can Apple Configurator for iPhone add to Apple
Business Manager, Apple Business Essentials, and Apple School Manager?
a. iPhone with iOS 15, iPad with iPadOS 16.1, and Mac with macOS 11 or later
installed.
b. iPhone with iOS 16, iPad with iPadOS 16.1, Mac with macOS 12.0.1, and Apple
TV with tvOS 16 or later installed.
c. iPhone with iOS 16, iPad with iPadOS 16.1, and Mac with macOS 12.0.1 or later
installed.
d. iPhone with iOS 16, iPad with iPadOS 15, and Mac with macOS 11 or later
installed.
69. Which type of information about iPad can you view in Apple Configurator for Mac?
a. Camera status
b. iPad location
c. Console log
d. Ebook licenses
70. From where do you install the cfgutil tool?
a. From the App Store
b. From Apple Configurator for Mac
c. From Profile Manager
d. From /Applications/Utilities on your Mac
71. Which tool can you use to automate configurations with shell scripts?
a. Blueprints
b. Automator app
c. Command-line tool cfgutil
72. Which tool can you use to create your own workflows for bulk deployments?
a. Blueprints
b. Automator app
c. Command-line tool
73. Which tool can you use to automate configurations with a template tool to add
configuration profiles and apps?
a. Blueprints
b. Automator app
c. Command-line tool
74. What is a configuration profile?
a. A System Report file with hardware and software configuration from a device
b. An automation file to script Apple Configurator actions
c. A file with user data from Apple devices
d. A file with payloads for Apple devices
75. Which method can you use to build configuration profiles with payloads specific
to macOS?
a. Apple Configurator
b. Apple Business Manager
c. An MDM solution
76. Which tool can you use to set up payloads for Apple TV?
a. Profile Editor
b. Prepare Assistant
c. Setup Assistant
d. Blueprints
77. An MDM solution is the only way to create and distribute a configuration profile.
a. True
b. False
78. What is the benefit of signing configuration profiles?
a. A signed profile prevents users from removing the profile from the device.
b. Signing a configuration profile makes it more resistant to tampering during
distribution.
c. Signing a configuration profile allows a device to communicate securely with an
MDM solution.
79. Which payload prevents a user from later configuring an option that is hidden in
Setup Assistant during device setup?
a. App Configuration
b. Parental Controls
c. Restrictions
d. Security & Privacy
80. What allows you to configure which Setup Assistant panes users see during
device setup?
a. App Configuration
b. Require credentials for enrollment
c. Assigning devices to your MDM solution in Apple Business Manager, Apple
Business Essentials, or Apple School Manager
d. Security & Privacy
81. On Mac computers with macOS 13 and Apple silicon or an Apple T2 Security Chip,
users can complete Setup Assistant without a network connection.
a. True
b. False
82. How can you ensure that only authorized users can enroll a device?
a. Add a Restrictions payload to the device
b. Configure a Setup Assistant option
c. Select the option to require user authentication during enrollment
83. Which Setup Assistant pane gives additional security to managed devices?
a. Touch ID
b. Siri
c. Apple ID
84. Which payload in the MDM framework allows you to configure Apple ID and iCloud
account settings to prevent users from storing data from managed apps in
iCloud?
a. Settings
b. Restrictions
c. Startup
d. iCloud
85. What is a benefit of preconfiguring Setup Assistant?
a. Users can use personal accounts to load their own apps.
b. Users learn about each setting.
c. Users can personalize every aspect of their device settings.
d. Users become productive sooner.
86. Setup Assistant guides users through setting up their Apple devices after they
access the Home Screen.
a. True
b. False
87. You can manage user devices through your MDM solution and still give users
some freedom to personalize the configuration.
a. True
b. False
88. You downloaded a configuration profile on iPhone from a website or an email
message.
Where on the device do you install it?
a. Install the profile in the Settings app.
b. Delete the attachment, and go to a webpage.
c. Don’t do anything because the profile installs automatically.
89. What happens when the user manually enrolls a device in the MDM solution?
a. Nothing happens until the user restarts the device.
b. The MDM solution records information about the device, such as the serial
number and installed apps.
c. The user receives a web address where they can download the enrollment
profile.
d. The user receives a web address where they can download the configuration
profile.
90. When you run the profiles command in Terminal, in which scenario are you limited
to 10 requests in a 24-hour period?
a. Running profiles renew on a Mac with macOS 12 installed
b. Running profiles show on iPhone with iOS 16 installed
c. Running profiles status on a Mac with macOS 13 installed
d. Running profiles validate on a Mac with macOS 13 installed
91. What’s also removed when a user removes an enrollment profile from their
device?
a. User data
b. The current operating system
c. Organization data
d. Managed Apps based on that configuration profile
92. What is service discovery in the four stages of user enrollment?
a. Users identify themselves to the MDM solution.
b. The MDM solution notifies an enrolled device through APNs that it needs to
contact the server.
c. The device identifies itself to the MDM solution.
d. Users visit a specified self-service site to enroll their devices.
93. What happens when users remove an enrollment profile from their devices?
a. Users can continue to use their apps, but an MDM solution doesn’t manage their
apps anymore.
b. The devices reset and erase all settings.
c. All configuration profiles, their settings, and managed apps based on that
enrollment profile are removed with it.
d. Users are asked to reenroll the devices into the MDM solution.
94. How would you send new settings to user devices?
a. Send users a self-service URL.
b. Change and send a new updated configuration profile.
c. Remove the configuration profile, and send a new one.
d. Email users a link for a new configuration profile.
95. What MDM enrollment options can you give users if your organization has a BYOD
policy?
a. Send an enrollment profile by email or SMS.
b. Provide a self-service portal if supported.
c. All of the above
96. Which iPad is compatible with Shared iPad?
a. iPad Pro
b. iPad Air
c. iPad 4th generation
d. iPad mini 3
97. Which service can you configure on a Mac to temporarily store iCloud user data
from shared iPad devices?
a. iCloud
b. Content Caching
c. Internet Sharing
98. Where can you find apps that are Optimized for Shared iPad?
a. Apple Configurator
b. Classroom
c. Apps and Books
99. You can ship devices directly to users without touching or preparing the devices if
your organization purchases them directly from a participating Apple Authorized
Reseller or carrier and you automatically enroll them in MDM with Apple Business
Manager, Apple Business Essentials, or Apple School Manager.
a. True
b. False
100. When you set up a device with Setup Assistant, which of the following might
you be required to enter to complete the enrollment in MDM?
a. iCloud account credentials
b. Managed Apple ID credentials
c. Passcode credentials
101. Which of the following is a task that a user can complete with help from a
self-support site or app?
a. Download internal business apps
b. Purchase apps from the App Store
c. Install personalized apps on a device
d. Enroll a device in Apple Business Manager, Apple Business Essentials, or Apple
School Manager
102. What do you use to connect Apple devices to networks that use 802.1X
EAP-TLS authentication?
a. A configuration profile
b. A PAC file
c. A .plist file
103. Which security type do you use to configure managed Apple devices to
connect to 802.1X networks?
a. WEP
b. WPA3 Enterprise
c. WPA3 Personal
104. You can use WPA2/WPA3 Enterprise authentication at the login window of
macOS.
a. True
b. False
105. You’re using your MDM solution to configure iPhone and iPad devices to
connect to Wi-Fi networks using EAP-TLS. Which of these types of certificate
payloads can you use for authentication?
a. Active Directory Certificate
b. PKCS #12 Certificate
c. S/MIME Certificate
106. How does a PAC file influence the way an Apple device communicates over a
network?
a. The device uses the authentication credentials defined in the PAC file to connect
to servers.
b. The device follows the PAC file rules that define the proxy server’s location and
traffic allowed to connect directly.
c. The device constructs a list of approved websites by using the web addresses
that the PAC file defines.
107. Which of these alternatives to a proxy server URL could you use to configure a
payload with proxy settings for an Apple device?
a. A .plist file with allowed websites
b. A domains restriction
c. WPAD using DHCP option 252
108. What must the server identity certificate contain in the SubjectAltName field?
a. The CA name
b. The rest of the trust chain
c. The user’s group name
d. The server’s DNS name or IP address
109. What must users of an MDM solution install so that custom VPN works on
Apple devices?
a. Profile Manager and VPN Manager
b. The appropriate authentication app
c. Configuration profile and VPN Manager
d. VPN Manager and User Authentication Profile
110. Which VPN connection type provides more granular control over which data
goes through VPN?
a. Per-App VPN
b. VPN On Demand
c. Always-On VPN
111. How do you enable managed distribution?
a. Enroll devices in MDM.
b. Download a spreadsheet of app licenses.
c. Link your MDM solution to at least one location in Apple Business Manager or
Apple School Manager.
d. Purchase content through Apps and Books in Apple Business Manager or Apple
School Manager.
112. Which distribution model permanently transfers apps to users?
a. Custom apps
b. Redemption codes
c. Managed distribution to users
d. Managed distribution to devices
113. Your organization wants developers to read a software architecture book
available in Apps and Books. Funding is limited, so the engineering lead wants to
know if a book can be transferred between developers after they finish reading it.
Who has the authority to revoke a book license after distribution?
a. No one
b. The user
c. The content manager
d. The MDM administrator
114. When you use managed distribution to assign apps directly to devices, your
organization retains full control and ownership of the app licenses.
a. True
b. False
115. How is an app installed on a user’s device after the app is assigned to that
device?
a. The user must accept the app installation.
b. Your MDM solution automatically pushes the app to the supervised device.
c. The user receives an invitation to download and install the app from the App
Store.
116. When does the number of available app licenses for supervised devices
change in your MDM solution apps library?
a. After the user installs or deletes the app
b. After the user accepts or rejects the installation
c. After you assign or revoke an app to a device or device group
117. What must a user do before you can assign apps to them with managed
distribution?
a. Install a managed distribution profile on their device
b. Accept an invitation to enroll in managed distribution
c. Sign in to an MDM solution and create a Managed Apple ID
d. Sign in to Apple Business Manager or Apple School Manager and enroll in Apps
and Books
118. When you assign an app to a group for managed distribution, who must accept
the invitation to enroll in managed distribution?
a. Your MDM solution administrator
b. Each individual user in the group
c. The Apple Business Manager or Apple School Manager administrator
119. What do you use on a managed, user-owned iPhone or iPad to prevent users
from opening unmanaged attachments or documents in managed sources?
a. A restriction
b. A managed domain
c. A managed account
120. What do you use on a managed, user-owned iPhone to prevent managed apps
from storing data in iCloud?
a. A restriction
b. A managed domain
c. A managed account
121. Which condition applies when a Managed Pasteboard restriction is installed on
a managed device?
a. The Paste button is dimmed.
b. The Paste button doesn’t appear.
c. A “Paste Not Allowed” notification displays.
122. Which apps can users use to open the email attachment in the organization
account after Managed Open In restrictions are in place?
a. Only apps that the user installs
b. Any app installed on the device
c. Only apps installed from the App Store
d. Only managed apps that the MDM solution installs
123. Where can you confirm whether iCloud restrictions are active on a managed
Mac?
a. In iCloud Keychain in Keychain Access
b. In System Settings > Privacy & Security
c. In Restrictions in System Information
d. In About This Mac in the Apple menu
124. Which type of payload do you use to prevent a user from removing system
apps on iPhone?
a. Restrictions
b. Privacy & Security
c. Software Updates
125. Where on a Mac with macOS 13.0 or later do you access the options to
configure Gatekeeper?
a. In System Settings > General, below Security settings.
b. In System Settings > Control Center, below Security settings.
c. In System Preferences > Security & Privacy, in the General tab.
d. In System Settings > Privacy & Security, below Security settings.
126. You apply an MDM payload to prevent users from installing apps from the App
Store to a device. Which types of apps are still available to download to the
device?
a. Games and Reader apps
b. All free apps that don’t have in-app purchases
c. Managed apps, MDM-installed apps, system apps, and updates to those apps
127. What is a benefit of enabling FileVault on a Mac startup volume?
a. Additional security by requiring a login password to decrypt data
b. Increased encryption by increasing the number of bits in the key from 0 to 128
c. Enhanced privacy by encrypting all data sent over a Mac computer’s network
connections
128. What is the purpose of a PRK?
a. To initiate an “Erase All Content and Settings” command
b. To unlock the startup disk if the user forgets their login password
c. To authorize the installation of macOS software updates and upgrades
129. When managing FileVault using MDM, which of the following is required?
a. The managed Mac must be supervised.
b. An IRK must be installed on the managed Mac.
c. A user must log in on the managed Mac using an administrator account.
130. On a Mac, which type of account is required to perform software upgrades?
a. Local administrator
b. Network
c. Shared
d. Standard
131. Why would you defer software updates on Apple devices?
a. To roll back an update if it’s unsuccessful
b. To test critical apps and infrastructure before deploying the update
c. To verify that your organization’s iPhone and iPad devices are managed
132. What is the maximum number of days that you can defer software updates on
Apple devices?
a. 30
b. 60
c. 90
d. 99
133. Which payload manages the ability to schedule a scan of a managed Apple
device?
a. Content Filter
b. Restrictions
c. Security & Privacy
d. Software Update
134. How are security fixes distributed to Apple devices in a Rapid Security Response?
a. In minor software updates
b. In major software upgrades
c. In both major upgrades and minor updates
135. Which payload do you use to configure specific rules when users create a
password or passcode on their enrolled device?
a. Passcode
b. Password
c. Restrictions
d. Security & Privacy
136. What is the purpose of configuring a Passcode payload?
a. It helps retrieve a user’s passcode if the user can’t sign in for some reason.
b. It requires that users set passcodes for all apps that they use on their devices.
c. It enables your organization to change a user’s passcode remotely if a device is lost
or stolen.
d. It enforces passcode rules that help prevent unauthorized access to your
organization’s devices and data.
137. The Passcode payload configures passcode rules for iPhone and iPad devices,
whereas the Password payload configures password rules for Mac computers.
a. True
b. False
138. What must a user do when you install the Passcode payload on the user’s iPhone?
a. The user must enter a passcode using the specified settings within 60 minutes.
b. The user must accept the payload to permit the specified settings to take effect.
c. The user must restart the device to install the payload, then enter a new passcode.
139. How can you tell if a restriction applies only to a supervised device?
a. The restriction description contains “(supervised only).”
b. The restriction displays only if a device is supervised.
c. The restriction is dimmed on unsupervised devices.
d. The restriction appears in the group named Supervised Restrictions.
140. What is the purpose of configuring a Restrictions payload for Apple devices?
a. Restrictions prevent users from unenrolling a device from MDM.
b. Restrictions prevent unauthorized users from accessing a device.
c. Restrictions prevent users from accessing a specific app, service, or function of a
device.
141. What happens if you select “(supervised only)” restriction settings for an
unsupervised device?
a. The “(supervised only)” settings don’t take effect unless you have previously
supervised the device.
b. The “(supervised only)” settings override any configuration that the user sets on the
unsupervised device.
c. The “(supervised only)” settings require you to turn on device supervision before you
can save the payload.
142. Which MDM restriction lets you manage a user’s ability to connect Thunderbolt or
USB devices to a Mac?
a. Allow connected accessories while locked
b. Automatically enable accessory connections
c. Allow Thunderbolt or USB device connections
143. What happens when you select the “Allow connected accessories while locked”
restriction and an iPhone or iPad device is connected to a computer with a compatible
Ethernet adapter?
a. The device maintains a data connection to a connected network only when a user
unlocks it.
b. The device maintains a data connection to a connected network before a user
unlocks it.
c. The device automatically unlocks after an hour so that you can refresh it using MDM.
144. What’s required before you can restrict accessory connections on iPhone or iPad?
a. Device supervision
b. A Managed Apple ID
c. An unsupervised Apple device
145. How do you ensure that only trusted host computers can pair with your
organization’s iPhone and iPad devices?
a. Allow pairing with only Mac computers.
b. Distribute the correct digital certificate to users’ groups and devices.
c. Distribute the correct supervision identities to users’ devices.
146. Which of the following can you use to distribute a certificate identity to a device in
a configuration profile?
a. A .p12 file
b. A PKI token
c. An MD5 hash file
147. When you compose a Mail message on a managed Apple device, what happens
when Mail finds the certificate for a recipient email?
a. The user is asked to choose a certificate to sign the message.
b. A “Sign this message” option appears left of the “To:” field.
c. A padlock icon appears to the right of the recipient’s contact name, and the address
text is blue.
148. What do managed Apple devices require to send signed messages in Mail using
S/MIME?
a. Your email address must be in the recipient’s GAL.
b. You must have your identity’s private key in your keychain.
c. Recipients must have your identity’s private key in their keychains.
149. What do managed Apple devices require to send encrypted messages in Mail
using S/MIME?
a. The public key from the recipient’s certificate
b. An encryption extension in the recipient’s certificate
c. A restriction payload with the “Allow sending encrypted messages using S/MIME”
setting selected
150. What happens when you use Safari on iPhone or iPad to visit a site with a revoked
certificate?
a. You are asked to delete the certificate.
b. You are directed to the CA’s website to update the certificate.
c. “This Connection Is Not Private” appears instead of the contents of the site.
151. Which type of query can you use to list all installed apps on a device?
a. Security
b. Installed app
c. Device information
d. Operating system
152. Which type of query can you use to find information about Find My and FileVault
settings?
a. Security
b. Installed app
c. Device information
d. Operating system
153. Which type of query can you use to list all devices that need to be updated to new
system software?
a. Security
b. Installed app
c. Device information
d. Operating system
154. Which prioritization method ensures that the most important app data always gets
the best possible bandwidth, even if the network is congested with other traffic?
a. Proxies
b. Restrictions
c. Fastlane QoS marking
155. What is the main benefit of using a proxy server on your network?
a. The ability to encrypt content
b. The ability to specify how managed apps use cellular data
c. The ability to filter content or manage available bandwidth
156. Which MDM payload contains the settings that specify how managed apps use
cellular data?
a. Cellular
b. Proxy server
c. Content Caching
d. Network Usage Rules
157. Which MDM payload contains the settings that enable QoS support on your
managed devices?
a. Wi-Fi
b. Proxy
c. Content Caching
d. Network Usage Rules
158. What is QoS marking?
a. QoS marking determines how much network data an app can use.
b. QoS classification or marking refers to the process of classifying the type of IP
packets or traffic.
c. QoS marking determines how quickly app data reaches devices.
159. What is a requirement for QoS prioritization?
a. The network service type
b. Accurate proxy settings
c. The QoS app
160. Which payload do you use to set QoS priorities?
a. Wi-Fi
b. Network
c. Certificate
d. Restrictions
161. Which statement about Managed Lost Mode is true?
a. Managed Lost Mode requires Find My to be turned on.
b. You can use MDM to put an unsupervised iPhone or iPad device into Managed Lost
Mode.
c. MDM remotely queries a lost device for its location the last time that the device was
online.
162. What can you do when you use your MDM solution to enable Managed Lost Mode
on a device?
a. You can customize the Lock Screen with a message, add a contact phone number,
and include a note.
b. You can customize the Lock Screen with a bypass code, add a contact phone
number, and include a note.
c. You can customize the Lock Screen with only a contact phone number and a
message.
163. Which of these statements is true?
a. When an MDM solution remotely disables Managed Lost Mode, it locks the device. It
also notifies the user upon locking the device screen that the MDM solution enabled
Managed Lost Mode and collected the device’s location.
b. You can use your MDM solution to issue commands to disable Lost Mode on an
unmanaged iPhone or iPad device.
c. You can disable Managed Lost Mode if it’s erroneously enabled or enabled on a
retrieved device.
164. Using your MDM solution, you enabled Lost Mode for a lost iPad. The next day, the
verified user recovered the device, and you disabled Lost Mode. Which message
appeared when the user unlocked their iPad?
a. MDM enabled Managed Lost Mode and collected the device location.
b. MDM disabled Managed Lost Mode and Activation Lock.
c. MDM enabled recovery mode and restored the device data and settings.
165. What happens when you use an MDM solution to wipe iPhone or iPad?
a. Wiping iPhone or iPad automatically backs up user data and settings to iCloud
before restoring factory settings.
b. Wiping iPhone or iPad puts the device in recovery mode, and you must reinstall iOS.
c. Wiping iPhone or iPad restores the device to its factory settings while preserving the
last installed iOS or iPadOS version.
166. What happens when you use an MDM solution to enable Lost Mode on iPhone or
iPad?
a. MDM wipes the device remotely.
b. MDM locks the device.
c. MDM issues a bypass code.
167. What happens if Find My is turned on for a managed device and your MDM
solution allows Activation Lock?
a. Activation Lock is enabled.
b. The device is locked, and its location is collected.
c. The user is notified that Activation Lock is enabled.
168. What happens if Find My is turned off for a managed device when your MDM
solution allows Activation Lock?
a. Activation Lock is enabled at that point.
b. The device is locked, and its location is collected.
c. The user is notified that Activation Lock is disabled.
d. Activation Lock is enabled the next time the user enables Find My.
169. Your Mac has been wiped and Activation Lock has been enabled. Where do you
enter the bypass code?
a. Start up in recoveryOS, then enter the bypass code in the password field on the
Activation Lock Screen.
b. Start up in recoveryOS, then click the Recovery Assistant menu, choose “Activate
with MDM key,” and enter the bypass code in the field.
c. On the Sign In with Your Apple ID screen in Setup Assistant, enter the bypass code
in the password field.
d. On the Create a Computer Account screen in Setup Assistant, enter the bypass code
in the password field.
170. Which Mac models support Activation Lock?
a. Mac computers with Intel processors only
b. Mac computers with A12 Bionic
c. Mac computers with Apple silicon and the T2 chip
171. Someone turns in a managed iPhone device that was purchased from a reseller
other than Apple or participating Apple Authorized Resellers or carriers. Which tool
do you use to add it to your organization’s Apple Business Manager, Apple Business
Essentials, or Apple School Manager account?
a. Apple Configurator for Mac
b. Apple Business Manager or Apple School Manager
c. Startosinstall
172. A user turns in an iPhone device and a Mac. Both have managed apps installed.
You use your MDM solution to erase the content and settings, disable Activation Lock,
and then revoke the app licenses. Can you immediately reassign the app licenses?
a. Yes
b. No
173. Where can you find the startosinstall tool?
a. In the App Store
b. In Apple Configurator
c. In the macOS Installer package bundle
d. In /Applications/Utilities on your Mac
174. You’re writing a startosinstall script to prepare Mac computers for
redeployment and you need to install multiple packages. Some packages depend on
other packages already being installed. What’s the best way to ensure that the
packages are installed in a specific order with --installpackage?
a. Use a loop, and call startosinstall multiple times with different
--installpackage arguments for each package in order.
b. Write separate startosinstall commands with --installpackage for each
package, and specify a --rebootdelay.
c. Determine the necessary sequence, and call startosinstall with multiple
--installpackage arguments for each package in order.
175. Your organization retires six iPhone devices and turns them in for credit toward
new devices through the Apple Trade In program. Three of the iPhone devices aren’t
eligible for credit. What happens to those devices?
a. Apple recycles the devices.
b. Apple ships the devices back to you.
c. Apple deducts a recycling fee from your credit.
d. Apple ships the devices to the recycling facility of your choice.
176. What happens to trade-in devices that Apple receives through the Apple Trade In
program?
a. Apple refurbishes and resells all devices.
b. Apple sends all devices to its recycling partners.
c. Apple refurbishes devices that are in good condition and recycles the rest.
177. You should first back up devices and erase all content and settings before
redeploying or recycling them. If you are recycling devices, you must then release
them from management in Apple Business Manager or Apple School Manager and
remove them from your MDM solution.
a. True
b. False

Answers:
1. D
2. A
3. C
4. B
5. A
6. C
7. C
8. B
9. B
10. C
11. A
12. C
13. A
14. C
15. B
16. B
17. C
18. A
19. B
20. C
21. C
22. C
23. A
24. C
25. B
26. C
27. B
28. C
29. A
30. A
31. A
32. C
33. B
34. B
35. A
36. B
37. A
38. A
39. B
40. C
41. A
42. C
43. C
44. C
45. A
46. D
47. A
48. B
49. A
50. D
51. A
52. B
53. A
54. B
55. D
56. A
57. B
58. A
59. C
60. B
61. A
62. D
63. A
64. B
65. B
66. A
67. A
68. C
69. C
70. B
71. C
72. B
73. A
74. D
75. C
76. A
77. B
78. B
79. C
80. C
81. B
82. C
83. A
84. B
85. D
86. B
87. A
88. A
89. B
90. D
91. D
92. C
93. C
94. B
95. C
96. A
97. B
98. C
99. A
100. B
101. A
102. A
103. B
104. A
105. B
106. B
107. C
108. D
109. A
110. A
111. C
112. B
113. A
114. A
115. B
116. C
117. B
118. B
119. A
120. A
121. C
122. D
123. B
124. A
125. D
126. C
127. A
128. B
129. A
130. A
131. B
132. C
133. D
134. A
135. A
136. D
137. B
138. A
139. A
140. C
141. A
142. C
143. B
144. A
145. C
146. A
147. C
148. B
149. A
150. C
151. C
152. A
153. D
154. C
155. C
156. D
157. A
158. B
159. A
160. B
161. C
162. A
163. C
164. A
165. C
166. B
167. A
168. D
169. B
170. C
171. A
172. A
173. C
174. C
175. A
176. C
177. A
