New Android Enterprise Professional certification program questions and answers
Get familiar with the latest Android Enterprise Professional Certification Exam Questions and Answers to prepare for an exam faster. Of course, you can download all answers to the latest Android Enterprise associate certification program and get certified in minutes, including answers to a test out exam (you can skip all activities and only do this test to get certified).
Which of the following statements is correct in relation to Testing Tracks for private apps?
Internal Track: Quickly distribute your app for internal testing and quality assurance checks. This is applicable for Public and Private Apps.
Open Track: Surface your app’s test version on Google Play. This is applicable for Public and Private Apps.
All of these
Closed Track: Test pre-release versions of your app with a larger set of testers. You can assign this track to organization(s) for Google hosted private apps and publish it to managed Google Play. This is applicable for Public and Private Apps.
Phone Ltd. is building a new device with Android 11. Which of the following accurately describes the steps needed for them to obtain a GMS license from Google?
Download source code from android.com/security, adhere to AER requirements, pass GMS test, Deploy GMS apps.
Download source code from source.android.com, adhere to CDD, pass CTS, sideload GMS servers into the system.
Download source code from source.android.com, adhere to AER requirements, pass CTS, apply for GMS license.
Download the source code from source.android.com, adhere to CDD, pass CTS, apply for GMS license.
What are the steps to set up Managed Google Play? Select All Correct Responses
Identity and User Mapping: During operation, EMM will automatically send commands to ESA to create Managed Google Play Accounts and map them to EMM user Accounts.
Binding Enterprise: An Organization ID is created automatically and bound with EMM and Enterprise Service Account.
SSO Integration: IT integrates the local infrastructure with Managed Google Play Account service.
Registration/Creation of Enterprise: IT creates a Gmail account (firstname.lastname@example.org) and uses it to register and create enterprise.
Which of the following is a network consideration when deploying Android Enterprise?
Traffic to Google endpoints should also bypass SSL inspection. SSL intercepted traffic to Google services is often interpreted to be a man-in-the-middle attack and is blocked.
Enable only port 443 to ensure all data transactions run through a secured connection.
As long as the device and EMM can go to https://www.google.com it should be enough to satisfy the network requirements.
Enable an inbound traffic connection to the EMM server, because Google needs to verify the EMM environment and its availability.
After an internal review of a potentially compromised BYOD device, it’s determined that the user side-loaded a malicious app on the personal profile that harvested their contacts. Why was none of the data in the work profile accessible?
The user detected unusual activity before the app had time to infect the work profile and turned off the phone.
The IT admin noticed unusual activity in the personal profile and asked the user to bring IT the phone for review.
The device had a weak 4 digit device passcode policy so the app was able to access all information.
Work profile sandboxing and app isolation prevented any access to the work data
What are the benefits of Google-Hosted applications as opposed to Self-Hosted Applications?
All of these
Supports sharing private apps up to 1000 domains/Enterprises and Silent push feature.
Global infrastructure with cached repository and Reduced Data consumption with delta update.
Enables managed security and infrastructure, including SSL/TLS implementation, prevent poor coding practice, no clear text password, Trademark infringement, and PHA detection.
Android devices with an implementation of the Keymaster HAL that resides in a hardware security module use true random number generators (TRNG). What is one of the advantages TRNG has over pseudo-random number generators (PRNG)?
TRNGs are more efficient and use less battery power. This can help extend battery life considerably.
TRNGs are better because they use external sources of information for entropy, such as electrical circuit noise.
TRNGs use strong mathematical functions to secure key generation
Pseudo-random number generators are actually the best, but too expensive to put in mobile devices.
Who can use Managed Google Accounts?
Organizations that are on the allow list for Google Play
Organizations that use Cloud Identity or Google Workspace
Organizations that use Google Workspace
Organizations that use Cloud Identity
Which of the following could potentially be a Managed Google Account?
Which of the following files do you upload to Managed Google Play while publishing a self-hosted application?
.csv file that contains application’s metadata
App’s JSON metadata file
.txt file that contains Application’s metadata
.apk file – Google will read application metadata, then will delete the actual .apk file
Which is NOT an Android Enterprise Recommended program core requirement?
It validates advanced features across multiple management sets.
It demonstrates technical leadership.
It ensures support for Device Admin remains intact for customers.
It ensures enterprise level support.
What are the provisioning options supported for company-owned devices during initial setup? Select All Correct Responses
None of these
Anthony is approaching Customs in a foreign country and is immediately asked for his Android phone. What can Mike do very quickly to help secure his phone?
Enable Lockdown Mode
Smash the phone on the floor
Perform a factory reset
Hide his phone
When can you use Managed Google Account? Select All Correct Responses
You are an existing Google Workspace user.
You want it simple, easy, and immediately available.
You need employees to have access to other Google services.
You don’t have any preference (preferred/default choice).
Which of the following features in Managed Google Play confirms users can only install apps you approve, ensuring a secure app deployment strategy? (Select 2) Select All Correct Responses
Use only the package installer API and avoid managed Google Play.
Allow unknown sources so admins can install security monitoring tools
Use only allow lists in managed Google Play
Use strict verify apps to ensure users cannot install apps from an SD card or Web download.
How do you perform an Enterprise Binding?
Send an email to the Google Technical Support team in your region and verify your company.
Contact your EMM provider or EMM reseller and ask them to open an Enterprise Account request with Google.
Call 1-800-google and verify your company ID.
Login into your Android Enterprise Supported EMM and bind your enterprise from the EMM console.
What is AOSP?
AOSP ensures Android Enterprise APIs are present in all OEM Android implementations.
AOSP is the Android Often Supported Platform that is used by many OEMs to build devices.
AOSP is an open source OS that Google does not own.
AOSP is an open source software stack owned by Google and supplied to the ecosystem for a wide array of devices with different form factors.
A very popular public app on Google Play is perfect for your inventory use case. You want to use the camera function to read bar codes, but do not want the users to annotate via the voice function in the app. Is there a way to turn off the voice feature?
Yes, you can disallow the mic permission on the app via a policy from the EMM.
No, the admin will need to accept the risk or find another suitable application.
Yes, deploy the app into the work profile where it’s safe.
Yes, you can use a Terms of Service notice to inform users not to use the feature.
What are the three ways to publish your company private applications in Managed Google Play? Select All Correct Responses
From Managed Play console: Accessible from https://play.google.com/work
From Managed Play iframe: Accessible from your EMM console
From Play Publishing console: Accessible from https://play.google.com/console
From Custom App Publishing API: Accessible from your own internal system upon integration
Which deployment method is not supported for work profile company owned devices during initial setup?
Which two statements given here are correct regarding the Compatibility Test Suite (CTS)? Select All Correct Responses
A valid CTS result must be maintained in order for a device to move to the next level, obtaining a Google Mobile Service (GMS) Certification and License.
The CTS is only valid for modern Android devices and was designed to help ensure all devices were able to use Android Enterprise APIs.
The Compatibility Test Suite is a free, commercial-grade test suite that is used during device development and is designed to evaluate and reveal incompatibilities with the CDD.
The Compatibility Test Suite is for application developers building financial apps to ensure they use approved SSL modules for connecting to servers.
Which of the following enrollment methods are not considered secure when deploying Android Enterprise devices?
SMS Enrollment Code
An Admin wants to set up a policy to check devices for known PHAs during the enrollment process to prevent enrollment of devices with malware. What Google Security Service would the Admin use to accomplish this?
Chrome Safe Browsing
Clean Cache Detection
Verified Boot has been on Android devices since version 4.4. Mark, an attacker, installs a custom bootloader on a stolen device with Android version 8. When it boots up, Mark sees an error on the screen that the device cannot boot. What is preventing the device from booting up?
Mark simply just needs to restart the bootloader one more time after installing.
The root of trust stored in hardware does not match the newly installed bootloader.
Mark needs to boot the device from safeboot by using hard buttons at boot time.
Rate limiting has prevented Mark from being able to enter a passcode.
What are the three update modes available for Enterprise? Select All Correct Responses
The Source and Distribution platforms are the important aspects in deploying trusted applications. What aspects should you consider while deploying apps? Select All Correct Responses
Review the source-code: Reviewing the application source-code helps to check the details and identify what’s under the hood (what the application does).
Test your Applications on a trusted Platform: Google Play provides comprehensive Testing Track feature to ensure the app is working properly before it goes into production.
Recognize the developers: Google Play identifies every single developer that publishes their apps through Google Play Store.
Install/distribute your applications only from trusted sources like Google Play: Installing an application from unknown sources or sideloading leads to a serious security issue, as such an application is vulnerable to compromise.
Which statement most accurately describes the CDD?
The CDD is an optional guide that contains best practices around building a device with Android.
The CDD provides guidance on how to add Google Apps to an Android device and defines an easy path for application management.
The CDD represents the ‘policy’ aspect of Android compatibility set by Google that outlines the requirements a device must meet to be considered compatible.
The CDD was developed by Google when Android was originally released and gets updated every 4 years.
Which of the following are suitable for the QR code provisioning method? Select All Correct Responses
All of these
Devices that don’t support NFC
Any device where users can log in using Gmail account information
Scenarios where devices are distributed remotely and a programmer device is not available
What process provides strong proof that a certificate being presented to a server for authentication from an Android device was stored in hardware and has not been compromised or spoofed?
Certificate Capacitive Filtering
Network Access Control services
Android uses Security Enhanced Linux (SELinux). What component of the SELinux kernel confines and reduces the impact of an exploited vulnerability to a single area?
System on a Chip (SoC)
Secure memory blocks (SMB)
The Hardware Abstraction Layer (HAL)
A customer tells you they are concerned their custom app could be tricked to use a fraudulent certificate that gets installed on their Android devices. What technology would you discuss with them?
DNS over TLS
Which of the following is correct for Default update behaviour?
Apps are updated when the device is: a) Connected to a Wi-Fi network b) Charging c) Not actively used
Apps are updated when the device is: a) Connected to a Wi-Fi network b) Charging c) At night time
Apps are updated when the device is: a) At home based on GPS location b) Charging c) Not actively used
Apps are updated when the device is: a) Connected to a Wi-Fi network c) User manually press update d) Not actively used
Which interface can you use to create and publish web apps into Managed Google Play?
All of these
Managed Play iframe Accessible from your EMM console
Play Publishing console Accessible from https://play.google.com/console
Custom App Publishing API, accessible from your own internal system upon integration
Which of the following statements is incorrect about Private Applications?
You can test private applications with Closed Testing Track. However, it is only applicable for Google Hosted private apps.
You can publish both Self-Hosted and Google Hosted private applications from Play Publishing console.
The easiest way to publish a private application is from Managed Play iframe – upload .apk file and give it a title.
You can publish self-hosted private applications from Managed Play iframe or Custom App Publishing API.
Which of the following types of applications can you push to users from Managed Google Play? Select All Correct Responses
Use an automated script at midnight to send a device wipe and then to begin an automated enrollment so users will have fresh devices in the morning.
Simply ask the users to do a factory reset at the end of the day.
You will have to purchase additional devices and assign each employee their own device.
Deploy the devices as dedicated devices to ensure each session and associated user’s data is deleted when the user logs out.
It’s September 1st, start of the holiday season, and a customer wants to prevent an OTA update from being installed and potentially causing issues. Is there any help for the customer?
Set up the policy that will allow the OS updates to be postponed until Dec 1 of the same year.
Set up a policy to delay the update until March of the next year.
Instruct the user to not install the update on devices if they see a notification.
Implement firewall rules on your network to prevent connections to the carrier.
A customer has 5,000 Android 10 devices in warehouses that are not connected to the internet. How can the customer get an OTA update to the device if they are only on a closed network?
Since the devices are off the internet and safer, you do not need to keep the devices updated.
Send the devices to the OEM for updating.
Use the manual update process combined with your EMM to push updates from a local server on the network.
Use only devices that are flashed with AOSP versions of Android so that you can get updates directly from the OEM.
Provide SD cards with the certificate.
Tell the customer to upload their WiFi certificates to the Zero-Touch portal for automatic delivery during enrollment.
Tell the customer that they must set up an open WiFi due to restrictions on how enrollment works.
Tell the customer to use a QR code based provisioning method that can pass WIFI EAP credentials including Certificates.
Which of the following best describes Managed Configuration, one of the features introduced in Managed Google Play?
Managed Configuration allows end-users to manage ‘the approved’ applications’ configurations by themselves without asking for the IT Admin’s permission.
Managed Configuration is a set of configurations available in Managed Google Play for the IT Admin to control.
Managed Configuration is not a feature in Managed Google Play.
Managed Configuration allows the IT Admin to set (and enforce) specific parameters in certain applications automatically. The configurable parameters are defined by the app developers.
What is managed Google Play?
It is an online gaming platform, where you can blocklist people you don’t like to play with.
It is an application distribution platform in Android for Enterprise, where the IT admin can manage and distribute public and private enterprise applications.
It is the largest application distribution platform, where you can download and install an application on your Android devices.
It is a generic application distribution platform that is available on any modern OS to distribute Enterprise Applications to any devices.
What are the steps to set up Closed Testing track for your Enterprise applications? Select All Correct Responses
Assign it to countries/regions.
Assign your applications to your organization(s) for it to appear in Managed Google Play.
Create a closed testing release, upload your APK file, and rollout.
Use the EMM to assign the testing app to the users.
Auto Account provisioning upon EMM enrollment
Easy to register and available immediately
Only for Managed Google Play, and cannot be used for other Google services
What are the identities that you can use for Managed Google Play? Select All Correct Responses
Managed Google Account
Managed Google Play Account
My Company Account
The mobility admin is nervous about DNS queries allowing enumeration of host systems on his network. What feature does Android have that can help the admin?
DNS over TLS
Chrome safe browsing
A new vulnerability has been reported and the IT admin of a company checks with his Mobile Operator to see if there is a Security Update. The Mobile Operator says they do not have one ready yet but it will be available soon. What other update mechanism can the Admin check? (Select 1)
Download the patch right from the security bulletin on Google’s Website
Search for an open source update on the web
Deploy new devices that are not affected
Check for updates via Google Play System Updates
What are some of the advantages of TLS 1.3 over previous versions? (Select 2) Select All Correct Responses
It’s up to 40% faster
Prevents certificates signed with SHA1 hashes
It allows users to change their device’s DNS settings
It prevents a user from browsing known bad websites
Which of the following is NOT a category of a PHA?
Denial of Service
You deployed an app that transmits sensitive data and you require the app to use the VPN. In testing, you see that the app tries to connect without the VPN. How could you fix this?
Do not allow the user to connect to public WiFi
Ask the developer to hard code a clear text token connection string in the app to use for authentication
You must configure the VPN policy to deny app access to the network if the VPN is unavailable.
Educate the users to not use the app if they do not see the VPN is running.
A malicious application developer has decided to target Android users by creating a small puzzle app filled with malware. The goal is to get it on as many Android devices as possible using the Google Play Store. What are some of the reasons this developer will not be successful? (Select 2) Select All Correct Responses
All apps are reviewed by a Google security analyst
Google Play Protect would scan the app and detect the malware
The attacker will use known spyware to infect the devices
All apps uploaded to Google Play are scanned for malware
Gomer has found a vulnerability in an application and has written an exploit to attack the app. What Android platform hardening technology helps prevent Gomer’s attack from working?
Android Enterprise copy/paste prevention APIs
Once the exploit gets onto the phone, Gomer would be able to execute his attack with ease.
Address Space Layout Randomization (ASLR)
Android devices used in the US Federal Gov’t and many other Gov’ts around the world must go through the NIAP validation process. What security assurances does this provide? (Select 2) Select All Correct Responses
Instructions are provided on how to configure the device so that it is consistent with the evaluated configuration as a reference.
There is a publicly available document issued by NIAP as proof of passing a strict testing process by a lab
The NIAP process does not provide assurances, it only assumes that OEMs have used the best practices set forth by standards
NIAP supplies assurances for only special purpose devices that are not available commercially off the shelf.
Have the customer search the internet for “Android Malware” to see there are not many articles on the topic.
Instruct the customer to read the 2020 Omdia survey on how Android comes out on top for mobile security
Share information about the vulnerability rewards programs and the metrics. Google has the confidence to offer payments that surpass other platforms alluding to the fact they are hard to find.
Share the Gartner Device Security Report that compare security features between Android and other mobile platforms.
You have been in conversations with a U.S Federal agency around Android device security. The agency’s security team has just started to refer to a document called the STIG. What document are they referring to?
Security Technical Implementation Guide that provides guidance on how to deploy a mobile device
It’s the Sample Template Instruction Guide used to deploy Android and iOS devices for government agencies
Standard Template of Information Guidance for agencies to use for deploying only Android devices
Simple Technical Instruction Guide that provides guidance on how to deploy devices
Sales Ltd is trying to enroll brand new devices using Android Enterprise and none of the devices will enroll. Helen, the IT manager, suspects the devices that were procured by a separate department might not have the right APIs. What is the right set of APIs Helen needs to confirm?
Treble hardware abstraction layer (HAL)
Google supplies security updates for Android every _____ days.
When an OEM needs Google to build one
A forensics analyst has successfully rooted an Android 10 device and is trying to extract keys from the keystore with sophisticated tools. Why is she unable to extract the keys?
Her computer does not have the latest Android SDK tools to access the device over ADB
The key was revoked
Android 7+ devices with mandated hardware-backed keystores prevent key extraction on rooted devices.
She needs to put the device into airplane mode
Mary leaves her Android phone in a Cab. John, the cab driver, is a nefarious character and tries to break into the phone versus returning it. He tries to install a custom version of Android on the device to gain access to Mary’s data. What security principle would prevent this from happening?
Factory Reset Protection
A work profile passcode (work challenge)
Using Android Protected Confirmation
Choose two security services that come standard as part of GMS. Select All Correct Responses
Google Play Protect
Google Play secure keyboard
Google One Active Enterprise (GOAT) protection
The public health department of Google Town wants to use managed Google Play to deploy critical city applications that store public health records. Nina, the head of security has asked you to validate managed Google Play as a secure solution. What are some of the certifications the managed Play store has received that you could promote to reassure Nina? Select All Correct Responses
Glenn, the CIO of Bank Ltd. is convinced that Google Play is full of malware and he chooses not to deploy Android for that reason. What are some talking points you can use to educate Glenn on Google Play security? Select All Correct Responses
Review the App scanning technology that Google uses and show him the Android Security Transparency Report website.
Educate Glenn on the App Defense Alliance and that getting malware from Google Play is unlikely
Ask the CIO to prove why he feels this way
Explain the benefits of managed devices and how managed Google Play mitigates this risk
What encryption algorithm is required by Google for all modern Android devices?
Google mandates that Android 10 devices and higher use File-Based encryption versus Full-Disk encryption. Why did Google set this requirement? (Select 2) Select All Correct Responses
Supports Direct Boot aware apps
A work profile can have its own encryption key
File-Based Encryption integrates with managed Google Play
Allows the Encryption keys to be stored with Google for safety
Jake has configured SCEP to deploy certificates during enrollment of all Android devices. He wants to use a public app called “SalesEng”. How can he check to see if the app supports managed configurations?
Public apps do not support managed configurations, so Jake will have to develop a private app.
Search Play.google.com/saleseng to see if the app supports managed configurations
Search play.google.com/work to see if the app supports managed configurations
Call Google support to see if the app supports managed Configurations
Jana, the IT manager for Bank Corp, informs you during a sales conversation that they will not allow any Google identities on their devices because they are concerned about Google collecting user information from the devices. They would rather side-load all required applications manually. How do you proceed in this conversation?
Advise Jana that they can simply disable Google Play services with an EMM policy to keep information on the device
Inform Jana that they simply do not have to use the BYOD model
Inform Jana that managed Google Play accounts are obfuscated so Google is unaware of the user’s identity.
Inform Jana that a work-profile challenge can prevent this from happening and walk them through the benefits of work profile
Excerpt from Helpdesk/User Chat:
User: I was searching for information about a project and a weird error in Chrome came up “Your device has Malware”.
Helpdesk: Do you see this error on a webpage in Chrome?
Helpdesk: Did you see a RED warning page in Chrome that it was not safe to continue?
User: Yes, I thought it was fine since it gave me the option to proceed anyway.
Assuming the user is using a work profile, what are some of the Chrome policies that an admin can set to prevent this from happening in the future? Select All Correct Responses
Set a managed configuration on Chrome to prevent users from disabling Safe Browsing.
Create a Terms of Service banner that tells users not to open suspicious websites.
Disable Chrome in the work profile.
Set a managed configuration on Chrome to prevent users from disabling incognito mode.
Acme Printing developed an app for their custom printers. A new developer joined the company to maintain the app. He made an update to the original APK and created a new app signing key for the update. What is the reason the APK will fail to be updated in the Google Play Console?
The Developer needs to delete the APK from Google Play and redeploy
APK must be signed with the same key as the original APK.
The APK gets flagged for impersonation since it’s uploaded by a new developer at the company
The APK file size exceeds 1.0 GB
What are the two benefits that you would highlight for a customer looking to deploy applications via Managed Google Play? Select All Correct Responses
Prevents Admins from setting permissions to ensure app safety.
Allows Admins to create allow and block lists for public apps.
Removes the need for App wrapping
Safeguards devices by preventing private app deployment.
Mike, Head of Mobility Security at Bank Ltd, wants to disable all fingerprint authentication from devices. He believes that an image of the biometric data is extracted from the devices and stored in Google Cloud. Which of the following facts would you use to ease Mike’s concern? (Select 2) Select All Correct Responses
The device does not take an image of the print but a biometric model that then uses an algorithm to create a mathematical template
A biometric template cannot be copied to another device because it is signed with a device specific key when stored in the TEE
You assure Mike that it’s a common practice for all cloud companies to store biometric data for compliance.
Fingerprint images are stored in a database on the user’s filesystem. That makes them inaccessible to Google.
What type of keystore implementation would prevent complicated forensic data extractions and analysis of lost or stolen devices for example, leaking information via power, timing, electromagnetic radiation, and thermal radiation examination?
What kernel protection mechanism helps prevent hijacking functions and pieces of code from apps and using those apps and their permissions to perform malicious actions?
PIE – Position Independent Execution
Secure Computing or SECComp
CFI – Control Flow Integrity
ASLR – Address Space Layout Randomization
Which of the following are NOT processes that the TEE performs (Select 2)? Select All Correct Responses
Biometric template matching
Lock screen passcode verification
Data loss protection
DRM – Dedicated RAM Monitoring
The Acme Wizard Phone using Android 8.0 was stolen by an attacker and even though the device was encrypted, the attacker was able to read the names of the encrypted files. Why?
They can see the file names because metadata encryption which would prevent this was introduced in Android 9.0 and above.
The OEM did not implement encryption on this version of their device
The user disabled encryption on their device
They can see the file names because the device had the TEE encryption turned off
Phone Ltd. wants to make sure their device offers the best in class security right out of the box. Which services do they need to make sure are built right into the device?
Google Mobile Services (GMS)
Google Play Store
Default OEM Phone app
Which of the following features is not supported by Managed Google Play?
All of the above
What are some of the App management features of Managed Google Play? Select All Correct Responses
Web app distribution
App permissions approval
Identify the best practices for using Managed Google Play Accounts for administrative purposes. Select All Correct Responses
Create a new Gmail account and set a backup email on this account to a group in your IT department.
Setup security questions.
Setup two-factor authentication for increased security.
Add additional owners to maintain redundancy.
Which deployment method is not supported for work profile company owned devices during initial setup?
How can an organisation ensure applications are only installed from known trusted sources?
Enforce Google Play Protect.
Inform their employees not to install applications from locations other than the Google Play Store.
Specify device unlock or work profile security challenge.
Disallow unknown sources via policy using an EMM.
What are the steps to submit apps from Managed Google Play iFrame? Select All Correct Responses
Give a “Title” to your custom app.
Upload your custom app.
Log in to EMM Console.
Open the Managed Google Play iFrame.
Identify the steps to publish an app from the Google Play Publishing Console. Select All Correct Responses
Upload your custom app.
Select the checkbox that denotes the app is for private distribution.
Login to the Google Play Console.
Create separate distribution channels for development and production.
What are the provisioning options supported for company-owned devices during initial setup? Select All Correct Responses
None of the above
In order for a device to be considered Android Enterprise compatible, it must comply with the Android Compatibility Definition Document (CDD), pass the Compatibility Test Suite (CTS) and ________________. Select the correct answer, then submit.
Not use the AOSP code.
Have a minimum of 8 GB RAM.
Have been awarded a Google Mobile Services license, permitting the pre-installation of GMS applications and services.
Have a minimum processing speed of 2.2 GHz.