Android Enterprise Professional Answers
Which of the following statements is correct in relation to Testing Tracks for private apps?
Internal Track: Quickly distribute your app for internal testing and quality assurance checks. This is applicable for Public and Private Apps.
Open Track: Surface your app's test version on Google Play. This is applicable for Public and Private Apps. All of these
Closed Track: Test pre-release versions of your app with a larger set of testers. You can assign this track to organization(s) for Google hosted private apps and publish it to managed Google Play. This is applicable for Public and Private Apps.
Phone Ltd. is building a new device with Android 11. Which of the following accurately describes the steps needed for them to obtain a GMS license from Google?
Download source code from android.com/security, adhere to AER requirements, pass GMS test, Deploy GMS apps. Download source code from source.android.com, adhere to CDD, pass CTS, sideload GMS servers into the system. Download source code from source.android.com, adhere to AER requirements, pass CTS, apply for GMS license.
Download the source code from source.android.com, adhere to CDD, pass CTS, apply for GMS license.
What are the steps to set up Managed Google Play? Select All Correct Responses
Identity and User Mapping: During operation, EMM will automatically send commands to ESA to create Managed Google Play Accounts and map them to EMM user Accounts.
Binding Enterprise: An Organization ID is created automatically and bound with EMM and Enterprise Service Account.
SSO Integration: IT integrates the local infrastructure with Managed Google Play Account service.
Registration/Creation of Enterprise: IT creates a Gmail account (firstname.lastname@example.org) and uses it to register and create enterprise.
Which of the following is a network consideration when deploying Android Enterprise?
Traffic to Google endpoints should also bypass SSL inspection. SSL-intercepted traffic to Google services is often interpreted to be a man-in-the-middle attack and is blocked.
Enable only port 443 to ensure all data transactions are running through a secured connection.
As long as the device and EMM can go to https://www.google.com it should be enough to satisfy the network requirements. Enable an inbound traffic connection to the EMM server, because Google needs to verify the EMM environment and its availability.
After an internal review of a potentially compromised BYOD device, it's determined that the user side-loaded a malicious app on the personal profile that harvested their contacts. Why was none of the data in the work profile accessible?
The user detected unusual activity before the app had time to infect the work profile and turned off the phone. The IT admin noticed unusual activity in the personal profile and asked the user to bring IT the phone for review. The device had a weak 4 digit device passcode policy so the app was able to access all information.
Work profile sandboxing and app isolation prevented any access to the work data
What are the benefits of Google-Hosted applications as opposed to Self-Hosted Applications?
All of these
Supports sharing private apps up to 1000 domains/Enterprises and Silent push feature.
Global infrastructure with cached repository and Reduced Data consumption with delta update.
Enables managed security and infrastructure, including SSL/TLS implementation, prevent poor coding practice, no clear text password, Trademark infringement, and PHA detection.
Android devices with an implementation of the Keymaster HAL that resides in a hardware security module use true random number generators (TRNG). What is one of the advantages TRNG has over pseudo-random number generators (PRNG)?
TRNGs are more efficient and use less battery power. This can help extend battery life considerably.
TRNGs are better because they use external sources of information for entropy, such as electrical circuit noise.
TRNGs use strong mathematical functions to secure key generation
Pseudo-random number generators are actually the best, but too expensive to put in mobile devices.
Who can use Managed Google Accounts?
Organizations that are on the allow list for Google Play Organizations that use Cloud Identity or Google Workspace Organizations that use Google Workspace
Organizations that use Cloud Identity
Which of the following could potentially be a Managed Google Account?
email@example.com it admin
Which of the following files do you upload to Managed Google Play while publishing a self-hosted application?
.csv file that contains application's metadata
App's JSON metadata file
.txt file that contains Application's metadata
.apk file - Google will read application metadata, then will delete the actual .apk file
Which is NOT an Android Enterprise Recommended program core requirement?
It validates advanced features across multiple management sets. It demonstrates technical leadership.
It ensures Device Admin support remains intact for customers.
It ensures enterprise level support.
What are the provisioning options supported for company-owned devices during initial setup? Select All Correct Responses
None of these DPC Identifier Zero Touch QR Code
Anthony is approaching Customs in a foreign country and is immediately asked for his Android phone. What can Mike do very quickly to help secure his phone?
Enable Lockdown Mode Smash the phone on the floor Perform a factory reset
Hide his phone
When can you use Managed Google Account? Select All Correct Responses
You are an existing Google Workspace user.
You want it simple, easy, and immediately available.
You need employees to have access to other Google services.
You don't have any preference (preferred/default choice).
Which of the following features in Managed Google Play confirms users can only install apps you approve, ensuring a secure app deployment strategy? (Select 2) Select All Correct Responses
Use only the package installer API and avoid managed Google Play. Allow unknown sources so admins can install security monitoring tools Use only allow lists in managed Google Play
Use strict verify apps to ensure users cannot install apps from an SD card or Web download.
How do you perform an Enterprise Binding?
Send an email to the Google Technical Support team in your region and verify your company.
Contact your EMM provider or EMM reseller and ask them to open an Enterprise Account request with Google. Call 1-800-google and verify your company ID.
Log in to your Android Enterprise Supported EMM and bind your enterprise from the EMM console.
What is AOSP?
AOSP ensures Android Enterprise APIs are present in all OEM Android implementations. AOSP is the Android Often Supported Platform that is used by many OEMs to build devices. AOSP is an open source OS that Google does not own.
AOSP is an open source software stack owned by Google and supplied to the ecosystem for a wide array of devices with different form factors.
A very popular public app on Google Play is perfect for your inventory use case. You want to use the camera function to read bar codes, but do not want the users to annotate via the voice function in the app. Is there a way to turn off the voice feature?
Yes, you can disallow the mic permission on the app via a policy from the EMM.
No, the admin will need to accept the risk or find another suitable application. Yes, deploy the app into the work profile where it's safe.
Yes, you can use a Terms of Service notice to inform users not to use the feature.
What are the three ways to publish your company private applications in Managed Google Play? Select All Correct Responses
From Managed Play console: Accessible from https://play.google.com/work From Managed Play iframe: Accessible from your EMM console
From Play Publishing console: Accessible from https://play.google.com/console
From Custom App Publishing API: Accessible from your own internal system upon integration
Which deployment method is not supported for work profile company owned devices during initial setup?
Zero Touch DPC Identifier QR Code
Which two statements given here are correct regarding the Compatibility Test Suite (CTS)? Select All Correct Responses
A valid CTS result must be maintained in order for a device to move to the next level, obtaining a Google Mobile Service (GMS) Certification and License.
The CTS is only valid for modern Android devices and was designed to help ensure all devices were able to use Android Enterprise APIs.
The Compatibility Test Suite is a free, commercial-grade test suite that is used during device development and is designed to evaluate and reveal incompatibilities with the CDD.
The Compatibility Test Suite is for application developers building financial apps to ensure they use approved SSL modules for connecting to servers.
Which of the following enrollment methods are not considered secure when deploying Android Enterprise devices?
SMS Enrollment Code
QR Code NFC bump Zero Touch
An Admin wants to set up a policy to check devices for known PHAs during the enrollment process to prevent enrollment of devices with malware. What Google Security Service would the Admin use to accomplish this?
Chrome Safe Browsing Verified Boot
Clean Cache Detection
Verified Boot has been on Android devices since version 4.4. Mark, an attacker, installs a custom bootloader on a stolen device with Android version 8. When it boots up, Mark sees an error on the screen that the device cannot boot. What is preventing the device from booting up?
Mark simply just needs to restart the bootloader one more time after installing.
The root of trust stored in hardware does not match the newly installed bootloader.
Mark needs to boot the device from safeboot by using hard buttons at boot time. Rate limiting has prevented Mark from being able to enter in a passcode.
What are the three update modes available for Enterprise? Select All Correct Responses
High Priority Postponed Partial
The Source and Distribution platforms are the important aspects in deploying trusted applications. What aspects should you consider while deploying apps? Select All Correct Responses
Review the source-code: Reviewing the application source-code helps to check the details and identify what's under the hood (what the application does).
Test your Applications on a trusted Platform: Google Play provides comprehensive Testing Track feature to ensure the app is working properly before it goes into production.
Recognize the developers: Google Play identifies every single developer that publishes their apps through Google Play Store.
Install/distribute your applications only from trusted sources like Google Play: Installing an application from unknown sources or sideloading leads to a serious security issue as such an application is vulnerable to compromise.
Which statement most accurately describes the CDD?
The CDD is an optional guide that contains best practices around building a device with Android.
The CDD provides guidance on how to add Google Apps to an Android device and defines an easy path for application management.
The CDD represents the ‘policy’ aspect of Android compatibility set by Google that outlines the requirements a device must meet to be considered compatible.
The CDD was developed by Google when Android was originally released and gets updated every 4 years.
Which of the following are suitable for the QR code provisioning method? Select All Correct Responses
Devices that don't support NFC
Any device where users can log in using Gmail account information
Scenarios where devices are distributed remotely and a programmer device is not available
What process provides strong proof that a certificate being presented to a server for authentication from an Android device was stored in hardware and has not been compromised or spoofed?
Certificate Capacitive Filtering Verify Apps
Network Access Control services
Android uses Security Enhanced Linux (SELinux). What component of the SELinux kernel confines and reduces the impact of an exploited vulnerability to a single area?
System on a Chip (SoC) Secure memory blocks (SMB) Security Domains
The Hardware Abstraction Layer (HAL)
A customer tells you they are concerned their custom app could be tricked to use a fraudulent certificate that gets installed on their Android devices. What technology would you discuss with them?
Certificate Pinning File-Based Encryption DNS over TLS Certificate Binding
Which of the following is correct for Default update behaviour?
Apps are updated when the device is: a) Connected to a Wi-Fi network b) Charging c) Not actively used
Apps are updated when the device is: a) Connected to a Wi-Fi network b) Charging c) At night time
Apps are updated when the device is: a) At home based on GPS location b) Charging c) Not actively used
Apps are updated when the device is: a) Connected to a Wi-Fi network c) User manually presses update d) Not actively used
Which interface can you use to create and publish web apps into Managed Google Play?
Managed Play iframe Accessible from your EMM console
Play Publishing console Accessible from https://play.google.com/console
Custom App Publishing API, accessible from your own internal system upon integration
Which of the following statements is incorrect about Private Applications?
You can test private applications with Closed Testing Track. However, it is only applicable for Google Hosted private apps. You can publish both Self-Hosted and Google Hosted private applications from Play Publishing console.
The easiest way to publish a private application is from Managed Play iframe - upload .apk file and give it a title.
You can publish self-hosted private applications from Managed Play iframe or Custom App Publishing API.
Which of the following types of applications can you push to users from Managed Google Play? Select All Correct Responses
Web Applications Private Applications Public Applications Debug Applications
You are deploying Android devices into your retail stores to be shared amongst employees. You want to make sure no user data is on the devices when the users turn in their devices at the end of the day. How can you accomplish this?
Use an automated script at midnight to send a device wipe and then to begin an automated enrollment so users will have fresh devices in the morning.
Simply ask the users to do a factory reset at the end of the day.
You will have to purchase additional devices and assign each employee their own device.
Deploy the devices as dedicated devices to ensure each session and associated user's data is deleted when the user logs out.
It's September 1st, start of the holiday season, and a customer wants to prevent an OTA update from being installed and potentially causing issues. Is there any help for the customer?
Set up the policy that will allow the OS updates to be postponed until Dec 1 of the same year.
Set up a policy to delay the update until March of the next year.
Instruct the user to not install the update on devices if they see a notification. Implement firewall rules on your network to prevent connections to the carrier.
A customer has 5,000 Android 10 devices in warehouses that are not connected to the internet. How can the customer get an OTA update to the device if they are only on a closed network?
Since the devices are off the internet and safer, you do not need to keep the devices updated. Send the devices to the OEM for updating.
Use the manual update process combined with your EMM to push updates from a local server on the network.
Use only devices that are flashed with AOSP versions of Android so that you can get updates directly from the OEM.
A customer has a requirement to enroll Android tablets with no Carrier connectivity. Additionally, they do not want to use an open WiFi with a simple pre-shared password for the enrollment. Is there a solution to help the customer?
Provide SD cards with the certificate.
Tell the customer to upload their WiFi certificates to the Zero-Touch portal for automatic delivery during enrollment. Tell the customer that they must set up an open WiFi due to restrictions on how enrollment works.
Tell the customer to use a QR code based provisioning method that can pass WIFI EAP credentials including Certificates.
Which of the following best describes Managed Configuration, one of the features introduced in Managed Google Play?
Managed Configuration allows end-users to manage 'the approved' applications' configurations by themselves without asking for the IT Admin's permission.
Managed Configuration is a set of configurations available in Managed Google Play for the IT Admin to control. Managed Configuration is not a feature in Managed Google Play.
Managed Configuration allows the IT Admin to set (and enforce) specific parameters in certain applications automatically. The configurable parameters are defined by the app developers.
What is managed Google Play?
It is an online gaming platform, where you can blocklist people you don't like to play with.
It is an application distribution platform in Android for Enterprise, where the IT admin can manage and distribute public and private enterprise applications.
It is the largest application distribution platform, where you can download and install an application on your Android devices.
It is a generic application distribution platform that is available on any modern OS to distribute Enterprise Applications to any devices.
What are the steps to set up Closed Testing track for your Enterprise applications? Select All Correct Responses
Assign it to countries/regions.
Assign your applications to your organization(s) for it to appear in Managed Google Play. Create a closed testing release, upload your APK file, and rollout.
Use the EMM to assign the testing app to the users.
Identify the features that are related to Managed Google Play accounts. Select All Correct Responses
Auto Account provisioning upon EMM enrollment Easy to register and available immediately
Only for Managed Google Play, and cannot be used for other Google services
What are the identities that you can use for Managed Google Play? Select All Correct Responses
Managed Google Account Managed Google Play Account My Company Account
The mobility admin is nervous about DNS queries allowing enumeration of host systems on his network. What feature does Android have that can help the admin?
DNS over TLS Certificate Pinning Chrome safe browsing
A new vulnerability has been reported and the IT admin of a company checks with his Mobile Operator to see if there is a Security Update. The Mobile Operator says they do not have one ready yet but it will be available soon. What other update mechanism can the Admin check? (Select 1)
Download the patch right from the security bulletin on Google's Website Search for an open source update on the web
Deploy new devices that are not affected
Check for updates via Google Play System Updates
What are some of the advantages of TLS 1.3 over previous versions? (Select 2) Select All Correct Responses
It's up to 40% faster
Prevents certificates signed with SHA1 hashes
It allows users to change their device's DNS settings It prevents a user from browsing known bad websites
Which of the following is NOT a category of a PHA?
Hostile downloader Denial of Service
You deployed an app that transmits sensitive data and you require the app to use the VPN. In testing, you see that the app tries to connect without the VPN. How could you fix this?
Do not allow the user to connect to public WiFi
Ask the developer to hard code a clear text token connection string in the app to use for authentication You must configure the VPN policy to deny app access to the network if the VPN is unavailable. Educate the users to not use the app if they do not see the VPN is running.
A malicious application developer has decided to target Android users by creating a small puzzle app filled with malware. The goal is to get it on as many Android devices as possible using the Google Play Store. What are some of the reasons this developer will not be successful? (Select 2) Select All Correct Responses
All apps are reviewed by a Google security analyst
Google Play Protect would scan the app and detect the malware
The attacker will use known spyware to infect the devices
All apps uploaded to Google Play are scanned for malware
Gomer has found a vulnerability in an application and has written an exploit to attack the app. What Android platform hardening technology helps prevent Gomer's attack from working?
Android Enterprise copy/paste prevention APIs
Once the exploit gets onto the phone, Gomer would be able to execute his attack with ease. Fortify Source
Address Space Layout Randomization (ASLR)
Android devices used in the US Federal Gov't and many other Gov'ts around the world must go through the NIAP validation process. What security assurances does this provide? (Select 2) Select All Correct Responses
Instructions are provided on how to configure the device so that it is consistent with the evaluated configuration as a reference.
There is a publicly available document issued by NIAP as proof of passing a strict testing process by a lab
The NIAP process does not provide assurances, it only assumes that OEMs have used the best practices set forth by standards. NIAP supplies assurances for only special purpose devices that are not available commercially off the shelf.
You have just completed a security presentation with Games Inc. The CIO appreciates your time but is asking for 3rd party validations that Android is, in fact, as secure as you are promoting it to be. What are some 3rd party validations and initiatives you can share with the Games Inc team to further boost their confidence around Android security? (Select 3) Select All Correct Responses
Have the customer search the internet for "Android Malware" to see there are not many articles on the topic.
Instruct the customer to read the 2020 Omdia survey on how Android comes out on top for mobile security
Share information about the vulnerability rewards programs and the metrics. Google has the confidence to offer payments that surpass other platforms alluding to the fact they are hard to find.
Share the Gartner Device Security Report that compares security features between Android and other mobile platforms.
You have been in conversations with a U.S Federal agency around Android device security. The agency's security team has just started to refer to a document called the STIG. What document are they referring to?
Security Technical Implementation Guide that provides guidance on how to deploy a mobile device It's the Sample Template Instruction Guide used to deploy Android and iOS devices for government agencies Standard Template of Information Guidance for agencies to use for deploying only Android devices
Simple Technical Instruction Guide that provides guidance on how to deploy devices
Sales Ltd is trying to enroll brand new devices using Android Enterprise and none of the devices will enroll. Helen, the IT manager, suspects the devices that were procured by a separate department might not have the right APIs. What are the right set of APIs Helen needs to confirm?
Treble hardware abstraction layer (HAL) Google Apps
Google supplies security updates for Android every ______ days.
When an OEM needs Google to build one
A forensics analyst has successfully rooted an Android 10 device and is trying to extract keys from the keystore with sophisticated tools. Why is she unable to extract the keys?
Her computer does not have the latest Android SDK tools to access the device over ADB The key was revoked
Android 7+ devices with mandated hardware-backed keystores prevent key extraction on rooted devices.
She needs to put the device into airplane mode
Mary leaves her Android phone in a cab. John, the cab driver, is a nefarious character and tries to break into the phone versus returning it. He tries to install a custom version of Android on the device to gain access to Mary's data. What security principle would prevent this from happening?
Factory Reset Protection
A work profile passcode (work challenge)
Using Android Protected Confirmation
Choose two security services that come standard as part of GMS. Select All Correct Responses
Google Play Protect
Google Play secure keyboard
Google One Active Enterprise (GOAT) protection
The public health department of Google Town wants to use managed Google Play to deploy critical city applications that store public health records. Nina, the head of security has asked you to validate managed Google Play as a secure solution. What are some of the certifications the managed Play store has received that you could promote to reassure Nina? Select All Correct Responses
Glenn, the CIO of Bank Ltd. is convinced that Google Play is full of malware and he chooses not to deploy Android for that reason. What are some talking points you can use to educate Glenn on Google Play security? Select All Correct Responses
Review the App scanning technology that Google uses and show him the Android Security Transparency Report website. Educate Glenn on the App Defense Alliance and that getting malware from Google Play is unlikely
Ask the CIO to prove why he feels this way
Explain the benefits of managed devices and how managed Google Play mitigates this risk
What encryption algorithm is required by Google for all modern Android devices?
AES 128 HMAC
Google mandates that devices running Android 10 and higher use File-Based encryption versus Full-Disk encryption. Why did Google set this requirement? (Select 2) Select All Correct Responses
Supports Direct Boot aware apps
A work profile can have its own encryption key
File-Based Encryption integrates with managed Google Play Allows the Encryption keys to be stored with Google for safety
Jake has configured SCEP to deploy certificates during enrollment of all Android devices. He wants to use a public app called "SalesEng". How can he check to see if the app supports managed configurations?
Public apps do not support managed configurations, so Jake will have to develop a private app. Search Play.google.com/saleseng to see if the app supports managed configurations
Search play.google.com/work to see if the app supports managed configurations
Call Google support to see if the app supports managed Configurations
Jana, the IT manager for Bank Corp, informs you during a sales conversation that they will not allow any Google identities on their devices because they are concerned about Google collecting user information from the devices. They would rather side-load all required applications manually. How do you proceed in this conversation?
Advise Jana that they can simply disable Google Play services with an EMM policy to keep information on the device Inform Jana that they simply do not have to use the BYOD model
Inform Jana that managed Google Play accounts are obfuscated so Google is unaware of the user’s identity.
Inform Jana that a work-profile challenge can prevent this from happening and walk them through the benefits of work profile
Excerpt from Helpdesk/User Chat:
User: I was searching for information about a project and a weird error in Chrome came up "Your device has Malware".
Helpdesk: Do you see this error on a webpage in Chrome?
User: Yes
Helpdesk: Did you see a RED warning page in Chrome that it was not safe to continue?
User: Yes, I thought it was fine since it gave me the option to proceed anyway.
Assuming the user is using a work profile, what are some of the Chrome policies that an admin can set to prevent this from happening in the future? Select All Correct Responses
Set a managed configuration on Chrome to prevent users from disabling Safe Browsing.
Create a Terms of Service banner that tells users not to open suspicious websites.
Disable Chrome in the work profile.
Set a managed configuration on Chrome to prevent users from disabling incognito mode.
Acme Printing developed an app for their custom printers. A new developer joined the company to maintain the app. He made an update to the original APK and created a new app signing key for the update. What is the reason the APK will fail to be updated in the Google Play Console?
The Developer needs to delete the APK from Google Play and redeploy
APK must be signed with the same key as the original APK.
The APK gets flagged for impersonation since it's uploaded by a new developer at the company The APK file size exceeds 1.0 GB
What are the two benefits that you would highlight for a customer looking to deploy applications via Managed Google Play? Select All Correct Responses
Prevents Admins from setting permissions to ensure app safety. Allows Admins to create allow and block lists for public apps. Removes the need for App wrapping
Safeguards devices by preventing private app deployment.
Mike, Head of Mobility Security at Bank Ltd, wants to disable all fingerprint authentication from devices. He believes that an image of the biometric data is extracted from the devices and stored in Google Cloud. Which of the following facts would you use to ease Mike's concern? (Select 2) Select All Correct Responses
The device does not take an image of the print but a biometric model that then uses an algorithm to create a mathematical template
A biometric template cannot be copied to another device because it is signed with a device specific key when stored in the TEE
You assure Mike that it's a common practice for all cloud companies to store biometric data for compliance. Fingerprint images are stored in a database on the user's filesystem. That makes them inaccessible to Google.
What type of keystore implementation would prevent complicated forensic data extractions and analysis of lost or stolen devices, for example, leaking information via power, timing, electromagnetic radiation, and thermal radiation examination?
StongBuilt HeavyChip SQLite SB StrongBox
What kernel protection mechanism helps prevent hijacking functions and pieces of code from apps and using those apps and their permissions to perform malicious actions?
PIE - Position Independent Execution Secure Computing or SECComp
CFI - Control Flow Integrity
ASLR - Address Space Layout Randomization
Which of the following are NOT processes that the TEE performs (Select 2)? Select All Correct Responses
Biometric template matching
Lock screen passcode verification
Data loss protection
DRM - Dedicated RAM Monitoring
The Acme Wizard Phone using Android 8.0 was stolen by an attacker and even though the device was encrypted, the attacker was able to read the names of the encrypted files. Why?
They can see the file names because metadata encryption which would prevent this was introduced in Android 9.0 and above.
The OEM did not implement encryption on this version of their device The user disabled encryption on their device
They can see the file names because the device had the TEE encryption turned off
Phone Ltd. wants to make sure their device offers the best in class security right out of the box. Which services do they need to make sure are built right into the device?
Google Mobile Services (GMS)
Chrome Browser Google Play Store Default OEM Phone app
Which of the following features is not supported by Managed Google Play?
All of the above Private Applications Web Applications Paid Applications
What are some of the App management features of Managed Google Play? Select All Correct Responses
Web app distribution App approval
App permissions approval
Identify the best practices for using Managed Google Play Accounts for administrative purposes. Select All Correct Responses
Create a new Gmail account and set a backup email on this account to a group in your IT department.
Set up security questions.
Set up two-factor authentication for increased security. Add additional owners to maintain redundancy.
Which deployment method is not supported for work profile company owned devices during initial setup?
Zero Touch QR Code
How can an organisation ensure applications are only installed from known trusted sources?
Enforce Google Play Protect.
Inform their employees not to install applications from locations other than the Google Play Store.
Specify device unlock or work profile security challenge.
Disallow unknown sources via policy using an EMM.
What are the steps to submit apps from Managed Google Play iFrame? Select All Correct Responses
Give a “Title” to your custom app.
Upload your custom app.
Log in to EMM Console.
Open the Managed Google Play iFrame.
Identify the steps to publish an app from the Google Play Publishing Console. Select All Correct Responses
Upload your custom app.
Select the checkbox that denotes the app is for private distribution.
Login to the Google Play Console.
Create separate distribution channels for development and production.
What are the provisioning options supported for company-owned devices during initial setup? Select All Correct Responses
None of the above
Zero Touch
DPC Identifier
In order for a device to be considered Android Enterprise compatible, it must comply with the Android Compatibility Definition Document (CDD), pass the Compatibility Test Suite (CTS) and ______.
Select the correct answer, then submit.
Not use the AOSP code.
Have a minimum of 8 GB RAM.
Have been awarded a Google Mobile Services license, permitting the pre-installation of GMS applications and services.
Have a minimum processing speed of 2.2 GHz.
The Android Enterprise Recommended program is reliable and consistent due to 3 core elements: Confidence in selection. Consistency in deployment ______. Select the correct answer, then
Zero-touch enrollment.
Every six months.
Up-to-date security and platform enhancements.
As long as a device passes the Compatibility Test Suite, it can join the Android Enterprise Recommended program. Select the correct answer, then submit.
What is Verified Boot? Select the correct answer, then submit.
The process of verifying the user while the device is starting up.
The process of authenticating the correct keys are present for a device to boot up.
The process a prince needs to follow to find Cinderella.
The process that ensures the integrity and authenticity of the next stage before execution when a device is starting up.
How can you be sure that a device’s bootloader and system integrity has not been compromised? Select the correct answer, then submit.
Check the device Serial Number against the label on the box it came with to make sure it matches.
Wait for the device to boot up completely to the passcode prompt.
Google provides an attestation key that signs statements in the hardware and uses key attestation.
Manually check the version of Android your device is running with what the Carrier website states.
How is fingerprint data kept safe? Select three correct answers, then submit.
Fingerprint data is a template derived from sensor data and an algorithm.
An app cannot see fingerprint data, just a ‘passed’ or ‘failed’ message from the TEE.
Fingerprint data is sent to Google for safe and secure storage.
Fingerprint data is stored in the TEE, a secure part of the processor.
Key attestation ensures that device properties, such as the serial number and OS patch level, are prevented from being altered. Select the correct answer, then submit.
How does sandboxing limit the effect of an exploit? Select the two correct answers, then submit.
A secured intent system only allows intended communication between apps.
Sandboxing makes sure that the OS is kept secure from sideloaded apps.
Sandboxing keeps apps and data isolated from one another.
Exploits don’t like sand, it’s coarse, rough and gets everywhere.
How has Project Treble contributed to device security? Select the correct answer, then submit.
Project Treble reduces the number of processes that can access the SoC to three so that they are checked for integrity carefully before executing.
Project Treble is a form of encryption for work profiles.
Project Treble randomizes key locations in memory meaning that exploits cannot be reused.
Project Treble separates device specific software from the OS, making it easier to update the OS, meaning that devices benefit from security updates quicker.
Why is having a work profile more secure? Select the three correct answers, then submit.
Work profiles can be encrypted with a different key.
Work profiles are not required to make use of Mandatory Access Controls in SELinux.
When a phone is in lockdown mode, the key for work data is deleted so it cannot be accessed by unauthorized users.
Work data is kept separate from the user's personal data.
Project Treble is a major re-architecting of the Android OS framework designed to make it easier, faster and less costly for manufacturers to update devices to a new version of Android. Select the correct answer, then submit.
Which of these is the correct way to describe SafetyNet: Select the correct answer, then submit.
SafetyNet isolates your tabs and apps so that malware cannot spread across your device.
SafetyNet scans all apps on the Google Play Store to make sure they’re safe.
SafetyNet protects your device by catching it before it hits the ground.
SafetyNet is an anti-abuse service to assess the status of Android devices.
Which of these is not a partner in the Android ecosystem? Select the correct answer, then submit.
Zimperium Mobile Threat Defense.
ESET.
To ensure apps are not potentially harmful, a Google engineer rigorously tests each one before it is listed on Google Play. Select the correct answer, then submit.
Domain Name System (DNS) security is used to protect information on ______? Select the correct answer, then submit.
The Linux kernel.
The TEE.
The operating system.
Which of these statements is not true of Certificate services on Android Enterprise devices? Select the correct answer, then submit.
Prevents unencrypted connections by default (Android 9.0+).
Apps cannot choose to trust CAs.
Devices only trust system CAs by default.
All devices have the same Certificate Authorities (CAs) store as of Android 7.0, updated via OTA only.
True or false. A managed VPN can be enforced for all connections or made for specific apps. Select the correct answer, then submit.
Let’s see what you know about backups. Select each box and choose the correct option, then submit.
Since Android 6+, ______ can be backed up. Select... “Apps”
End-to-end encryption has been available since Android 9 with ______ generated on the device using a hash of the user password. Select... “Keys”
Backups are stored in Google’s cloud, encrypted using the ______ chip. Select... “Titan”
They cannot be decrypted without the ______ credentials and even Google cannot read the data stored. Select... “user”
Admins can lock a phone using full disk encryption by deleting keys. Select the correct answer, then submit.
How are backups kept secure? Select two correct answers, then submit.
Encrypted with the Titan chip and cannot be read by Google.
Backups are end-to-end encrypted.
Backups are delivered to the enterprise server.
Backups are kept in separate secure memory.
What are the advantages of using manual updates in enterprise? Select three correct answers, then submit.
Manual updates allow end users to pick updates they need and ignore ones they don’t.
Manual updates use less bandwidth as they come from a local server.
Internal apps can be tested with an update before it is rolled out.
Updates can be rolled out to groups of people before everyone gets them.
True or false. Backups are end-to-end encrypted. Select the correct answer, then submit.
With BYOD devices, IT admins are able to delete an encryption key and remove the work profile remotely. Select the correct answer, then submit.
What hosting options are available for apps on managed devices? Select the three correct answers, then submit.
Managed Google Play.
Self hosted on a business server.
Hosted by EMM.
Side-loaded by a business website.
True or false. Dedicated devices do not store any user data and are designed for single tasks only. Select the correct answer, then submit.
Let’s see how much you’ve learned. What are the components of NIAP? Match each description to the appropriate component of NIAP.
This is the first stage of the validation process. Select... “COTS.”
An implementation independent set of security requirements for a category of IT products that meet specific customer needs. Select... “Protection Profile.”
Instructions to users on how to configure the product so that it is consistent with the evaluated configuration. Select... “Administrative Guidance.”
Summarized assurance activities of the product evaluation. Select... “Assurance Activity Report.”
Specification of the security functions against which the IT product (ToE, Target of Evaluation), will be evaluated and as a description relating the product to the environment in which it will operate. Select... “Security Target.”
A publicly available document issued by the NIAP validation body that summarizes the evaluation results and confirms the overall results are acceptable. Select... “Validation Report.”
Which of these statements could you use to respond to a customer with the following objection? ‘Google Play is full of malware.’ Select the correct answer, then submit.
App Defense Alliance partners scan apps on Google Play.
Google Play Protect scans over 100 billion apps per day.
The application review process for Android apps is a thorough and trusted method for confirming the security of apps.
All of these.
Which of these statements could you say to a customer with the following objection? ‘Android is an open source operating system which is full of vulnerabilities.’ Select the two correct answers, then submit.
Ecosystem Validation proves Android is secure. This is verified by Gartner and Omdia reports.
Android is not an open source operating system.
Due to its open source OS, Android is less secure than other operating systems, but that is not to say that it isn’t safe.
Certifications such as FIPS-140-2 and NIAP prove that Android has been vetted by the same labs as iOS.
True or false: Google can always see individual managed Google Play accounts and their data. Select the correct answer, then submit.
Which of these statements might you use to respond to a customer with the following objection? ‘Using managed Google Play is not enough to protect my device from PHAs.’ Select the correct answer, then submit.
Google Play has a proven track record of minimizing the risk of PHAs being installed on Android devices.
Devices that install apps exclusively from Google Play, rather than sideload apps, are at much lower risk of installing PHAs.
Google Play ensures that app updates are always signed by the original developer, avoiding app hijacking.
Is the following customer objection true or false? ‘Work will be able to track my personal messaging app if I use my own phone at work.’ Select the correct answer, then submit.
True or False. Managed Google Play Accounts cannot be used to identify a person. Select the correct answer, then submit.
Select each box and choose the correct option, then submit.
The provisioning method describes the way the EMM Device Policy Controller (DPC) is downloaded onto an Android device and is chosen based on: Select... “All of the above”
Zero-touch enrollment is recommended because: Select... “There is no need for IT admins to physically handle the managed devices making this the easiest deployment method in most cases.”
The QR code provisioning allows passing along configuration parameters to other devices but requires only what part on the device being provisioned to work?
Which method requires the most manual steps and should be used when other methods are not readily available? Select... “DPC Identifier”
Work profile and fully managed device are the two Android Enterprise management modes. The management mode chosen determines the Android Enterprise features available for management, provisioning methods that can be used, and how devices can be enrolled. Take a look at the use case below and decide which management mode it belongs to: Work profile or Fully managed device. Drag and drop each file into the correct section.
Fully managed device
A situation where IT admins want control over an extended range of device settings and additional policy controls.
A situation where employees will be bringing their own devices for both work and personal use.
Ability for corporate apps, data, and management policies to be kept secure and separate from personal data while maintaining user privacy.
The Google Play Developer Console is used to upload which type of apps that can be marked as private and set to be available only to specific enterprises? Select the correct answer, then submit.
Custom
Sandboxed
Enterprise
Secure
With the Google Play Developer Console, prior to wider distribution, users can manage multiple development channels to enable what kind of testing of apps? Select the correct answer, then submit.
Charlie
Acceptance
Functional
Beta
Which of these statements about the managed Google Play store are true? Select the correct answer, then submit.
Every app that is allowed to be installed by users must individually be chosen by the admin.
Managed Google Play does not support paid applications.
IT admins can approve any app that is available in public Google Play or private apps that have been shared with their enterprise.
IT admins can choose to enable access to all applications available on Google Play.
All of the above.
By default, corporate contacts from the work profile are available to personal applications as what kind of setting? Select an option, then submit.
read-only
share-only
modify-only
edit-only