Which API can EMMs use to deploy apps via Managed Google Play? Select the two answers that apply.
- (A) Firebase Management API
- (B) App Engine Admin API
- (C) Android Management API
- (D) Google Play EMM API
Home » Android Enterprise Experts Certification Exam Answers » Page 3
Android Enterprise Experts Certification Exam Answers
You can download all answers to the latest Android Enterprise Expert certification program and get certified in minutes.
This pack includes all final certification exam questions and answers. Also, answers to all activities needed to unlock this exam (4 PDF files in one pack):
Questions and Time Limit – 50 Questions and time limit is 120 minutes.
Android Enterprise Experts Certification Exam Answers
Some questions:
Project Treble is a form of encryption for work profiles.
Project Treble reduces the number of processes that can access the SoC to three so that they are checked for integrity before executing.
Project Treble separates device specific software from the OS, making it easier to update the OS, so that devices benefit from security updates quicker.
Project Treble randomizes key locations in memory, meaning that exploits cannot be reused.
From Managed Play iframe, accessible from your supported EMM Console
Sideload before enrolling in EMM
From Managed Play Publishing Console
All of the above
ABC Mobile as an OEM needs to develop this feature with OEM config. With that, their features will be immediately available on every EMMs that supports managed configurations.
ABC Mobile as an OEM needs to build APIs for EMM providers to develop and integrate with their software before Enterprise customers are able to use it. The availability of this feature varies depending on the EMM provider’s integration.
ABC Mobile as an OEM can’t create exclusive features, if they want to create a new feature, they have to submit a feature request to Google. Once it is approved ,Google will make it available in all Android Devices.
ABC Mobile as an OEM has to be part of Android Enterprise Recommended program before they can create any exclusive features. Android Enterprise Recommended allows OEMs to use OEM Config features that Android Enterprise offers.
Side-loaded by a business website.
Self hosted private apps on a business server.
Publish public applications.
Google-hosted private apps.
All of the answers above (A, B and C) are correct.
“File Based Encryption allows different components in Android to be encrypted with different keys. This allows the work profile key to be ejected from memory while the personal profile is still in use.”
File Based Encryption allows IT admin to separate the encryption key from the device. The IT Admin can put the encryption key in their private cloud and let devices access the encryption key in the cloud before they can use the device.
File Based Encryption allows an IT Admin to modify the encryption key and save it in a unique location in the file system, making it difficult for the attacker to find the key.
EMM can use PersonalApplicationPolicy from Google Play EMM API to block applications installation in main profile (personal space), this is only applicable for company owned devices with work profile management mode.
EMM can use PersonalApplicationPolicy from Google Play EMM API to block applications installation in work profile, this is applicable for company owned devices with work profile management mode or BYOD model.
EMM can use PersonalApplicationPolicy from Android Management API to block applications installation in main profile (personal profile), this is only applicable for company owned devices with work profile management mode.
EMM can use PersonalApplicationPolicy from Android Management API to block applications installation in work profile, this is only applicable for company owned devices with work profile management mode or BYOD model.
Bug Report
Application log
Interview the user
Logcat
To further distribute a private app the majority (75%+) of currently targeted devices need to be running the latest version of the app.
They have hit the limit of 1000 customers using one private app.
To further distribute a private app the majority (50%+) of currently targeted devices need to be running the latest version of the app.
They have hit the limit of 75 customers using one private app.
The application not allowed to send SMS
The application is installed in Personal Space but it is hidden
The application is not installed in Work Profile
The package name of the Google Messages application is: com.google.android.apps.dynamite
It is the 10th user account in the device
It is the Main Profile
It is the 11th user account in the device
It is the Work Profile
Android 9
Android 12
Android 11
Android 10
Build: PQ3A.190801.002
Build fingerprint: ‘google/taimen/taimen:9/PQ3A.190801.002/5670241:user/release-keys’
Bootloader: TMZ20r
Radio: g8998-00008-1902121845
Network: (unknown)
Kernel: Linux version 4.4.169-g09a041b17c60 (android-build@abfarm700) (Android clang version 5.0.300080 (based on LLVM 5.0.300080)) #1 SMP PREEMPT Wed Jun 5 22:23:19 UTC 2019
Which of the following statements is CORRECT, based on the log snippet above?”
This device is running Android 5.0.30080
“Network: (unknown) That means: this device is broken”
The device was manufactured in 2019
This device is running Android 9
The model of the device, because it may not support that WiFi network
The EMM being used, because it may not support setting WiFi configurations
The users home SSID to ensure there is no conflict
The WiFi configuration set, because it may be incorrect
NFC
QR Code
Zero-touch
EMM Identifier
ensure_verify_apps, no_user_switch, no_usb_file_transfer
no_uninstall_apps, no_system_error_dialogs, no_sms
no_share_location, no_set_wallpaper, no_safe_boot
no_config_cell_broadcasts, no_add_managed_profile, no_config_wifi
EMM
Reseller/carrier
OEM
Customer’s procurement team
Compatibility Definition Document (CDD)
Enterprise Solutions Directory and Android Enterprise feature list
Android Enterprise terminology documentation and Solutions glossary
developer.android.com
Google Accounts
Managed Google Play Accounts
A 3rd party identity model provider that is compatible with Microsoft 365
Recommend that the end users create their own accounts
The users’ EMM may not support managed configurations
EAS 16 may not be supported on an older device
The QR code used to enroll the device may have an expired enrollment token
The value set for the Exchange server may be wrong
Delete any user identifiable data from the bug report, then share it with your EMM provider
Upload the bug report to a cloud storage provider and share it with individuals who need access to the content
Email the bug report to Google support
Do a screensharing session to show the EMM provider the bug report
Use of the camera has been blocked
Barcode Scanner requires a Google Account, and the device is using a Managed Google Play Account
Barcode Scanner is not installed
The device is not being managed
Upload the app with two different application IDs and share one of them with the test group only
Temporarily change restriction on the devices of the test group to allow them sideloading the app for testing
Ensure you upload the updated application via an EMM that has integrated the iFrame. This will enable version control within the EMM console allowing you to target the device(s) you wish the latest version to be installed to
Create an internal or closed test track in the developer Play Console and invite a subset of users to test this version
In using Device Admin you can leverage app wrapping to push any VPN configuration to your app
There is no fundamental difference in the way that VPN are configured
In Android Enterprise, you can leverage Managed Configurations to push VPN configurations
Device Administrator offers an easier path to integration for EMMs
User ID
Android device ID
Organization ID
IMEI
Externally readable ini file
Managed configurations via managed Google Play
Insert the VPN configuration as part of DPC extras
Configure it within the WiFi details for NFC bump
Zero-touch enrollment
EMM Identifier
NFC provisioning
QR code provisioning
Disable all SSL inspection on the network
Check that all required ports are open in the firewall
Check the ADB logs on one of the affected devices
Check that managed configurations on Google Play services are set up correctly
Add the applications that should go through the VPN to the allowlist
Assign managed application configurations to the applications on the denylist with policies to prevent use of the VPN
Block traffic to and from the app on the local network
Create a work profile on the fully managed device and route all traffic through the whole work profile
DISALLOW_TROUBLESHOOTING_TOOLS
DISALLOW_DEBUGGING_FEATURES
ENABLE_ADB_DEBUG
FREE_THE_LOGS
Verify that the EMM is still bound to the user’s company
Verify that the IT admin has uploaded the company’s apps to the Google Play Developer Console
Ensure that the IT admin has set an application allowlist instead of allowing an open Play Store
Ensure that the IT admin has set the correct managed configuration for the Google Play Store
Android Enterprise only supports company Gmail accounts
Gmail app is not updated to the latest version
Adding personal accounts is disabled as per company policy
Android Enterprise only supports one account per Google application
Raise a feature request with the EMM to support the toggle
Speak to your OEM to bring support for the toggle within their OEM Config application
Raise the request with Google
Create a small app yourself using the developer documentation and toggle it via app config
Recommend the IT Team that they only support BYOD on devices running Android 6.0+
Recommend the organisation instead deploy fully managed devices with work profile, as this Android Enterprise feature is only supported in this management mode
Recommend the IT Team that they only support BYOD on devices running Android 5.1+
Recommend the IT Team that they only support BYOD on devices running Android 7.0+
YouTube, Docs, Chrome
Sheets, Gmail, Files by Google
Dropbox, Translate, Skype
Keep, Slides, Earth
Verified Boot
Rollback Prevention
Application Sandboxing
Trusted Execution Environment
The EMM DPC has a pending update
Device passcode has not been set
The device has a pending update
Device is unable to see the SSID the certificate is trying to validate against
Set device policies
Provision device
Select OS version/device
Set managed config
no_add_user, no_autofill, no_config_credentials
ensure_verify_apps, no_bluetooth_sharing, no_install_unknown_sources
no_config_location, no_config_vpn, no_content_suggestions
no_cross_profile_copy_paste, no_debugging_features, no_unified_password
If you choose Android Enterprise, you get free Google Cloud storage
Android Enterprise offers more flexible provisioning methods over Device Admin
Android Enterprise supports application configuration
Android Enterprise offers customers free technical support direct from Google
OEMConfig allows all OEMs access to vendor APIs
OEMConfig is supported by all EMMs
OEMConfig allows OEMs to address customer needs without requiring 3rd party developer support
OEMConfig can be distributed to devices without having to go through managed Google Play
Select OS version/device
Set managed config
Provision device
Set device policies
Android Management API Colab
Test DPC
Android Management Experience
EMM console
Assuming there are no security issues with the app, it will be allowed on Play and can subsequently be whitelisted for the enterprise
The application will be allowed on Play but will only be displayed for Android 6.0 devices and lower in the Play Store
The application will be rejected because apps uploaded to Google Play need to target a minimum API level 29 from August 2020
The application will be allowed on Google Play but will show a warning about using deprecated APIs on Android 8.0 devices and higher
Google Play will silently replace the old application with the new application
As long as the old app is unlisted, Google Play will allow upload of the new app, which reuses the same Application ID
Google Play will automatically generate a new Application ID and allow the app to be uploaded
The application will be rejected because Google Play only allows a single instance of an Application ID
9.0
8.0
7.0
6.0
Application ID and bug report
Enterprise ID and User ID
Identity model (Google Account vs Managed Google Play Account) and bug report
Enterprise ID and Application name
Devices are charging
Devices on a secure WiFi (WPA2 and above)
Devices are connected to a Wi-Fi network
Location services must be turned on
Always-On VPN
Per-Profile VPN
User-Initiated VPN
Per-App VPN
Check that the DPC extras are correct according to the EMM
Re-upload the devices in the zero-touch console
Go to admin.google.com and remove the domain binding to their EMM
Go to their EMM console, remove and add the binding to the Managed Google Play account
Google Mobile Services (GMS) Certification
Android Enterprise Recommended
Frequent Security Patches
Android Open Source Project (AOSP)
The APK is unsigned
The application ID is incorrect
The APK exceeds the maximum file size limit allowed
Google Play Protect detected this as a potentially harmful app
Firebase Management API
App Engine Admin API
Android Management API
Google Play EMM API
Configure provisioning
Approve/assign apps
Provision device
Create/sync users or groups
Docs, Translate, Keep
Chrome, Gmail, YouTube
Calendar, Quicksearchbox, Camera
Documents UI, Messaging, HTML Viewer
Network bandwidth
Charging points for all of your devices
Devices on the latest version of Android
Location services will be enforced
The customer can use any SSL proxy solution out of the box, as none of them will interfere with their Android deployment
The customer can configure SSL inspection, as long as traffic to Google services bypasses the proxy
The customer should configure traffic on ports other than 443 to bypass the proxy
The customer should configure all traffic to hosts connecting on port 443 to bypass the proxy
Organization ID
Device ID
Company ID
User ID
The application has not been coded towards the correct API level
The application package name is not compatible with Android 11.0
The application has not passed the security checks for Android 11.0
They need to install an older version of the application then upgrade it
Verify that the IMEIs in the zero-touch portal match the phones they are using
Verify that the users have been correctly configured on the EMM console
Verify the DPC Extras are complete and correct
Verify that the device is running Android 7 or above
Download a “log retriever” application, then email the logs to yourself
Plug the device into a computer and retrieve the logs by running adb bugreport in a terminal
Go into developer mode on the device, and download the logs to the device internal storage
Factory reset the device and restore the user configuration to verify if the issue persist
Combined logs
Raw Bug report
DUMP OF SERVICE (account or device_policy)
Packages:
Device Admin is deprecated, and the associated APIs are being progressively removed
Android Enterprise has the ability to push apps to enduser devices, while this cannot be achieved when using Device Admin
Android Enterprise is comparable to Device Admin and there is no reason to choose one over the other
Devices can migrate over to Device Administrator from Android Enterprise in the future should IT Admins change their mind on the management type
API level 30
API level 20
API level 27
API level 34
It is a management mode for Company Owned Device use-case, and the deployment can be done only from Zero-touch enrollment.
It is a management mode for BYOD use-case, and the deployment can be done from one of these methods: QR Code, Zero Touch, DPC Token and NFC
It is a management mode for Company Owned Device use-case, and the deployment can be done from one of these methods: QR Code, Zero Touch, DPC Token and EMM client enrollment from Google Play Store
It is a management mode for Company Owned Device use-case, and the deployment can be done from one of these methods: QR Code, Zero Touch, DPC Token and NFC
No, the Developer should use the closed testing track feature to test their application before promoting it to production.
Yes, there will be two different versions of the application with the same package name, the IT Admin can assign each of the versions to different users accordingly.
No, the Developer should sideload the UAT version of the application into particular devices for UAT testing.
Yes, there will be two different applications with two different package names, the IT Admin can assign each of the applications to different users accordingly.
Disabling camera in the personal profile is only available on Fully Managed device or Dedicated device
User lost connection to the network to receive EMM policy for disabling camera.
User has modified the Android OS so it can bypass EMM policy.
Disabling camera in main profile (personal space) is only works on Android OS 8 and above
Share the organization ID to the ISV and ask the ISV to publish the app to the organization ID in a closed testing track. Later, the IT admin can assign the version of the app uploaded to the testing track to the group of people that need to test from their EMM console
Ask the ISV to develop a separate beta version of the app with a different package name, then publish it through managed Google Play to a certain group of people.
Ask the ISV to share the apk file and sideload it to another device to test
Ask the ISV to develop a separate beta version of the app with a different package name, send the apk file to the tester, and ask them to sideload the app for testing.
Removes the need for app wrapping.
Prevents IT admins from setting applications‘ permissions.
Allows IT admins to approve and publish public applications in Google Play Store.
Safeguards devices by preventing private app deployment.
All of these.
Devices that install apps exclusively from Google Play, rather than sideload apps, are at much lower risk of installing PHAs.
Google Play ensures that app updates are always signed by the original developer, avoiding app hijacking.
Google Play has a proven track record of minimizing the risk of PHAs being installed on Android devices.
DISALLOW_CROSS_PROFILE_COPY_PASTE
DISALLOW_CLIPBOARD_COPY_PASTE
DISALLOW_CROSS_PROFILE_DATA_TRANSFER
DISALLOW_CROSS_PROFILE_CLIPBOARD
Raw Bug report
DUMP OF SERVICE package
Combined logs
Packages
Device is installed with Work Profile
App installation is not allowed
All of the system apps are disabled in the device
User: 0 means there is no Google account provisioned in the device
It separates the HAL from the process to sit in between the process and the drivers and it only communicates with 1 driver in isolation
It works by randomizing the location where the application is loaded, making code reuse attacks more difficult to carry out, especially remotely.
It works by randomizing the location where kernel code is loaded on each boot, making code reuse attacks more difficult to carry out, especially remotely.
It works by randomizing the passcode hash on each boot, making code reuse attacks more difficult to guess the user passcode.
Google ChromeCast
Google Home
Google Chrome
Google Chromebook
Dropbox, Translate, Skype
YouTube, Docs, Chrome
Keep, Slides, Earth
Sheets, Gmail, Files by Google
From Android Debug Bridge (ADB).
Go to Bootloader and turn on safe mode in the device then connect to your laptop.
From Android System file explorer, you need to root the device to access this file.
From Developer Options in the device settings.
Previous questiosn:
Q.3 – What section of a bug report tells you if there is a work profile on the device?
Q.9 – What are the benefits of using Android Enterprise over Device Admin? Select the two correct answers.
http://tiny.cc/occwcz
http://tiny.cc/2dawcz
http://tiny.cc/2dawcz
Q.36 – Which of the following is a reason to choose Android Enterprise over Device Admin?
Q.38 – Which API can EMMs use to deploy apps via Managed Google Play? Select the two answers that apply.
http://tiny.cc/occwcz
Android Enterprise Experts Certification Exam Answers
By vmartinez
Which API can EMMs use to deploy apps via Managed Google Play? Select the two answers that apply.
By vmartinez
An IT Admin notices that enrollment consistently fails when updating Google Play services over Wi-Fi. This issue occurs during deployment, on a variety of different devices. The Admin notes that when the devices are on cellular data, enrollment is successful. What next step would you take to try to resolve this issue?
By vmartinez
Which of the following is a reason to choose Android Enterprise over Device Admin?
By vmartinez
Using the bug report provided, please identify three User Restrictions applied to the work profile. Copy and paste the following link to open bug report 1:
http://tiny.cc/2dawcz
By vmartinez
An OEM is looking to build new devices that will support a large enterprise customer, who wants to be able to leverage Android Enterprise functionality to manage their devices. What is the minimum requirement they need to comply with to support Android Enterprise?
By vmartinez
Your EMM, who uses a Custom DPC, doesn’t have a settings toggle that you notice has been available since 7.0 as per the developer documentation. What is the best next step to get access to that feature?