Android enterprise professional exam answers

Below you’ll find some selected questions from the latest real certification exam. You can get an idea about the exam format and prepare for it smarter.

Which of the following statements is correct in relation to Testing Tracks for private apps?

  • Internal Track: Quickly distribute your app for internal testing and quality assurance checks. This is applicable for Public and Private Apps.
  • Open Track: Surface your app’s test version on Google Play. This is applicable for Public and Private Apps.
  • All of these
  • Closed Track: Test pre-release versions of your app with a larger set of testers. You can assign this track to organization(s) for Google hosted private apps and publish it to managed Google Play. This is applicable for Public and Private Apps.

Phone Ltd. is building a new device with Android 11. Which of the following accurately describes the steps needed for them to obtain a GMS license from Google?

  • Download source code from android.com/security, adhere to AER requirements, pass GMS test, Deploy GMS apps.
  • Download source code from source.android.com, adhere to CDD, pass CTS, sideload GMS servers into the system.
  • Download source code from source.android.com, adhere to AER requirements, pass CTS, apply for GMS license.
  • Download the source code from source.android.com, adhere to CDD, pass CTS, apply for GMS license.

What are the steps to set up Managed Google Play? Select all correct responses.

  • Identity and User Mapping: During operation, EMM will automatically send commands to ESA to create Managed Google Play Accounts and map them to EMM user Accounts.
  • Binding Enterprise: An Organization ID is created automatically and bound with EMM and Enterprise Service Account.
  • SSO Integration: IT integrates the local infrastructure with Managed Google Play Account service.
  • Registration/Creation of Enterprise: IT creates a Gmail account (corp.it.admin@gmail) and uses it to register and create enterprise.

Which of the following is a network consideration when deploying Android Enterprise?

  • Traffic to Google endpoints should also bypass SSL inspection. SSL-intercepted traffic to Google services is often interpreted as a man-in-the-middle attack and is blocked.
  • Enable only port 443 to ensure all data transactions run through a secured connection.
  • As long as the device and EMM can go to google it should be enough to satisfy the network requirements.
  • Enable an inbound traffic connection to the EMM server, because Google needs to verify the EMM environment and its availability.

After an internal review of a potentially compromised BYOD device, it is determined that the user side-loaded a malicious app on the personal profile that harvested their contacts. Why was none of the data in the work profile accessible?

  • The user detected unusual activity before the app had time to infect the work profile and turned off the phone.
  • The IT admin noticed unusual activity in the personal profile and asked the user to bring IT the phone for review.
  • The device had a weak 4-digit device passcode policy so the app was able to access all information.
  • Work profile sandboxing and app isolation prevented any access to the work data.

What are the benefits of Google-Hosted applications as opposed to Self-Hosted Applications?

  • All of these
  • Supports sharing private apps up to 1000 domains/Enterprises and Silent push feature.
  • Global infrastructure with cached repository and Reduced Data consumption with delta update.
  • Enables managed security and infrastructure, including SSL/TLS implementation, prevent poor coding practice, no clear text password, Trademark infringement, and PHA detection.

Android devices with an implementation of the Keymaster HAL that resides in a hardware security module use true random number generators (TRNG). What is one of the advantages TRNG has over pseudo-random number generators (PRNG)?

  • TRNGs are more efficient and use less battery power. This can help extend battery life considerably.
  • TRNGs are better because they use external sources of information for entropy, such as electrical circuit noise.
  • TRNGs use strong mathematical functions to secure key generation.
  • Pseudo-random number generators are actually the best, but too expensive to put in mobile devices.

Who can use Managed Google Accounts?

  • Organizations that are on the allow list for Google Play
  • Organizations that use Cloud Identity or Google Workspace
  • Organizations that use Google Workspace
  • Organizations that use Cloud Identity

Which of the following could potentially be a Managed Google Account?

  • 807343127731897072334701702@android-for-workgserviceaccount
  • it.admin@company
  • it.admin@gmail
  • ‘it admin

Which of the following files do you upload to Managed Google Play while publishing a self-hosted application?

  • .csv file that contains application’s metadata
  • App’s JSON metadata file
  • .txt file that contains Application’s metadata
  • .apk file - Google will read application metadata, then will delete the actual .apk file



(MGP: Identity Management)

  • Auto account provisioning upon EMM enrollment
  • Only for Managed Google Play, and cannot be used for other Google services
  • Obfuscated
  • Easy to register and available immediately

What are the steps to set up Managed Google Play?

(MGP: Identity Management)

  • Registration/Creation of Enterprise: IT creates a Gmail account (corp.it.admin@gmail.com) and uses it to register and create enterprise.
  • Identity and User Mapping: During operation, EMM will automatically send commands to ESA to create Managed Google Play Accounts and map them to EMM user Accounts.
  • SSO Integration: IT integrates the local infrastructure with Managed Google Play Account service.
  • Binding Enterprise: An Organization ID is created automatically and bound with EMM and Enterprise Service Account.

Anthony is approaching Customs in a foreign country and is immediately asked for his Android phone. What can Mike do very quickly to help secure his phone?

(ASP: Android OS & Hardware Security)

  • Smash the phone on the floor
  • Hide his phone
  • Perform a factory reset
  • Enable Lockdown Mode

Mike, Head of Mobility Security at Bank Ltd, wants to disable all fingerprint authentication from devices. He believes that an image of the biometric data is extracted from the devices and stored in Google Cloud. Which of the following facts would you use to ease Mike’s concern?

(ASP: Android OS & Hardware Security)

  • Fingerprint images are stored in a database on the user’s filesystem. That makes them inaccessible to Google.
  • A biometric template cannot be copied to another device because it is signed with a device-specific key when stored in the TEE.
  • The device does not take an image of the print but a biometric model that then uses an algorithm to create a mathematical template.
  • You assure Mike that it’s a common practice for all cloud companies to store biometric data for compliance.

What type of keystore implementation would prevent complicated forensic data extractions and analysis of lost or stolen devices? For example: leaking information via power, timing, electromagnetic radiation, and thermal radiation examination?

(ASP: Android OS & Hardware Security)

  • StongBuilt
  • StrongBox
  • SQLite SB
  • HeavyChip

Verified Boot has been on Android devices since version 4.4. Mark, an attacker, installs a custom bootloader on a stolen device with Android version 8. When he turns on the device, Mark sees an error on the screen that the device cannot boot. What is preventing the device from booting up?

(ASP: Android OS & Hardware Security)

  • Mark needs to boot the device from safeboot by using hard buttons at boot time.
  • Rate limiting has prevented Mark from being able to enter a passcode.
  • The root of trust stored in hardware does not match the newly installed bootloader.
  • Mark simply just needs to restart the bootloader one more time after installing.

Android devices with an implementation of the Keymaster HAL that resides in a hardware security module use True Random Number Generators (TRNG). What is one of the advantages TRNG has over pseudo-random number generators (PRNG)?

(ASP: Android OS & Hardware Security)

  • TRNGs use strong mathematical functions to secure key generation.
  • Pseudo-random number generators are actually the best, but too expensive to put in mobile devices.
  • TRNGs are more efficient and use less battery power. This can help extend battery life considerably.
  • TRNGs are better because they use external sources of information for entropy, such as electrical circuit noise.

A new vulnerability has been reported and the IT admin of a company checks with his Mobile Operator to see if there is a security update. The Mobile Operator says they do not have one ready yet but it will be available soon. What other update mechanism can the Admin check?

(ASP: Android OS & Hardware Security)

  • Check for updates via Google Play System Updates
  • Search for an open source update on the web.
  • Download the patch right from the security bulletin on Google’s Website.
  • Deploy new devices that are not affected.

How can an organization ensure applications are only installed from known trusted sources?

(Deployment: Application Management & Identities)

  • Inform their employees not to install applications from locations other than the Google Play Store.
  • Enforce Google Play Protect.
  • Specify device unlock or work profile security challenge.
  • Disallow unknown sources via policy using an EMM.

Who can use Managed Google Accounts?

(Deployment: Application Management & Identities)

  • Organizations that use Cloud Identity or Google Workspace
  • Organizations that use Google Workspace
  • Organizations that are on the allow list for Google Play
  • Organizations that use Cloud Identity

What are some of the App management features of Managed Google Play?

(Deployment: Application Management & Identities)

  • Web app distribution
  • App permissions approval
  • App approval
  • App distribution

Which of the following best describes Managed Configuration, one of the features introduced in Managed Google Play?

(MGP: General)

  • Managed Configuration allows end-users to manage the approved applications’ configurations by themselves without asking for the IT Admin’s permission.
  • Managed Configuration is a set of configurations available in Managed Google Play for the IT Admin to control.
  • Managed Configuration is not a feature in Managed Google Play.
  • Managed Configuration allows the IT Admin to set (and enforce) specific parameters in certain applications automatically. The configurable parameters are defined by the app developers.

What is Managed Google Play?

(MGP: General)

  • It is an application distribution platform where the IT admin can manage and distribute public and private enterprise applications.
  • It is an online gaming platform, where you can blacklist people you don’t like to play with.
  • It is the largest application distribution platform, where you can download and install an application on your Android devices.
  • It is a generic application distribution platform that is available on any modern OS to distribute Enterprise Applications to any devices.

A customer has 5,000 Android 10 devices in warehouses that are not connected to the internet. How can the customer get an OTA update to the device if they are only on a closed network?

(ASP: Security Enforcement via Android Enterprise)

  • Since the devices are off the internet and safer, you do not need to keep the devices updated.
  • Use the manual update process combined with your EMM to push updates from a local server on the network.
  • Send the devices to the OEM for updating.
  • Use only devices that are flashed with AOSP versions of Android so that you can get updates directly from the OEM.

Jake has configured Simple Certificate Enrollment Protocol (SCEP) to deploy certificates during enrollment of all Android devices. He wants to use a public app called “SalesEng”. How can he check to see if the app supports managed configurations?

(ASP: Security Enforcement via Android Enterprise)

  • Call Google support to see if the app supports managed configurations.
  • Search Play.google.com/saleseng to see if the app supports managed configurations.
  • Public apps do not support managed configurations, so Jake will have to develop a private app.
  • Search play.google.com/work to see if the app supports managed configurations.

(ASP: Security Enforcement via Android Enterprise)

  • Yes, you can disallow the mic permission on the app via a policy from the EMM.
  • Yes, deploy the app into the work profile where it’s safe.
  • No, the admin will need to accept the risk or find another suitable application.
  • Yes, you can use a Terms of Service notice to inform users not to use the feature.

Jana, the IT manager for Bank Corp, informs you during a sales conversation that they will not allow any Google identities on their devices because they are concerned about Google collecting user information from the devices. They would rather side-load all required applications manually. How do you proceed in this conversation?

(ASP: Security Enforcement via Android Enterprise)

  • Advise Jana that they can simply disable Google Play services with an EMM policy to keep information on the device.
  • Search play.google.com/work to see if the app supports managed configurations.
  • Inform Jana that they simply do not have to use the BYOD model.
  • Inform Jana that managed Google Play accounts are obfuscated so Google is unaware of the user’s identity.

You have just completed a security presentation with Games Inc. The CIO appreciates your time but is asking for 3rd party validations that Android is, in fact, as secure as you are promoting it to be. What are some 3rd party validations and initiatives you can share with the Games Inc team to further boost their confidence around Android security?

(ASP: Industry Validations)

  • Share information about the vulnerability rewards programs and the metrics. Google has the confidence to offer payments that surpass those of other platforms, alluding to the fact that vulnerabilities are hard to find.
  • Instruct the customer to read the 2020 Omdia survey on how Android comes out on top for mobile security.
  • Share the Gartner Device Security Report that compare security features between Android and other mobile platforms.
  • Have the customer search the internet for “Android Malware” to see there are not many articles on the topic.

Which of the following is NOT a category of a Potentially Harmful App (PHA)?

(ASP: Application Security)

  • Hostile downloader
  • Denial of Service
  • Backdoor
  • Jailbreaking

How do you perform an Enterprise Binding?

(Deployment: Device Enrollment)

  • Log in to your Android Enterprise Supported EMM and bind your enterprise from the EMM console.
  • Contact your EMM provider or EMM reseller and ask them to open an Enterprise Account request with Google.
  • Send an email to the Google Technical Support team in your region and verify your company.
  • Call 1-800-google and verify your company ID.

Which of the following is a network consideration when deploying Android Enterprise?

(Deployment: Device Enrollment)

  • Enable only port 443 to ensure all data transactions run through a secured connection.
  • Traffic to Google endpoints should also bypass SSL inspection. SSL-intercepted traffic to Google services is often interpreted as a man-in-the-middle attack and is blocked.
  • Enable an inbound traffic connection to the EMM server, because Google needs to verify the EMM environment and its availability.
  • As long as the device and EMM can go to https://www.google.com it should be enough to satisfy the network requirements.

Which of the following are suitable for the QR code provisioning method?

(Deployment: Device Enrollment)

  • Scenarios where devices are distributed remotely and a programmer device is not available
  • Devices that don’t support NFC
  • Any device where users can log in using Gmail account information
  • All of these

Which deployment method for devices running Android 11+ is not supported for work profile on a company-owned device?

(Deployment: Device Enrollment)

  • QR Code
  • NFC
  • Zero Touch
  • DPC Identifier

The mobility admin is nervous about DNS queries allowing enumeration of host systems on his network. What feature does Android have that can help the admin?

(ASP: Network Security)

  • Certificate Pinning
  • DNS over TLS
  • Direct Boot
  • Chrome safe browsing

There are a few application types in Android, and Managed Google Play can publish almost all types of applications. What are the exceptions?

(MGP: Application Publishing & Distribution)

  • Public Applications
  • Web Applications
  • Debug Applications
  • Private Applications

Which of the following options list the default app updating conditions?

(MGP: Application Publishing & Distribution)

  • Apps are updated when the device is: a) Connected to a Wi-Fi network b) Charging c) Not actively used
  • Apps are updated when the device is: a) Connected to a Wi-Fi network b) Charging c) At night time
  • Apps are updated when the device is: a) At home based on GPS location b) Charging c) Not actively used
  • Apps are updated when the device is: a) Connected to a Wi-Fi network c) User manually presses update d) Not actively used

The source and distribution platforms are the important aspects in deploying trusted applications. What aspects should you consider while deploying apps?

(MGP: Application Publishing & Distribution)

  • Recognize the developers: Google Play identifies every single developer that publishes their apps through Google Play Store.
  • Test your Applications on a trusted Platform: Google Play provides comprehensive Testing Track feature to ensure the app is working properly before it goes into production.
  • Review the source-code: Reviewing the application source-code helps to check the details and identify what’s under the hood (what the application does).
  • Install/distribute your applications only from trusted sources like Google Play: Installing an application from unknown sources or sideloading leads to serious security issues, as such an application is vulnerable to compromise.

Which statement most accurately describes the CDD?

(ASP: General Android Security)

  • The CDD was developed by Google when Android was originally released and gets updated every 4 years.
  • The CDD provides guidance on how to add Google Apps to an Android device and defines an easy path for application management.
  • The CDD represents the ‘policy’ aspect of Android compatibility set by Google that outlines the requirements a device must meet to be considered compatible.
  • The CDD is an optional guide that contains best practices around building a device with Android.

Phone Ltd. is building a new device with Android 11. Which of the following accurately describes the steps needed for them to obtain a GMS license from Google?

(ASP: General Android Security)

  • Download source code from source.android.com, adhere to CDD, pass CTS, sideload GMS servers into the system.
  • Download the source code from source.android.com, adhere to CDD, pass CTS, apply for GMS license.
  • Download source code from android.com/security, adhere to AER requirements, pass GMS test, Deploy GMS apps.
  • Download source code from source.android.com, adhere to AER requirements, pass CTS, apply for GMS license.

What is the correct testing track to test private apps?

(MGP: Private/In-house Applications)

  • Internal Track: Quickly distribute your app for internal testing and quality assurance checks. This is applicable for Public and Private Apps.
  • Closed Track: Test pre-release versions of your app with a larger set of testers. You can assign this track to organization(s) for Google hosted private apps and publish it to managed Google Play. This is applicable for Public and Private Apps.
  • Open Track: Surface your app’s test version on Google Play. This is applicable for Public and Private Apps.
  • All of these

Which file type do you upload to Managed Google Play while publishing a self-hosted application?

(MGP: Private/In-house Applications)

  • .apk file - Google will read application metadata, then will delete the actual .apk file
  • .csv file that contains application’s metadata
  • .txt file that contains Application’s metadata
  • App’s JSON metadata file

Which of the following could potentially be a Managed Google Account?

(Deployment: Application Management & Identities)

Which of the following features is not supported by Managed Google Play?

(Deployment: Application Management & Identities)

  • All of these
  • Web Applications
  • Private Applications
  • Paid Applications

After an internal review of a potentially compromised BYOD device, it is determined that the user side-loaded a malicious app on the personal profile that harvested their contacts. Why was none of the data in the work profile accessible?

(ASP: Android OS & Hardware Security)

  • The IT admin noticed unusual activity in the personal profile and asked the user to bring IT the phone for review.
  • The user detected unusual activity before the app had time to infect the work profile and turned off the phone.
  • Work profile sandboxing and app isolation prevented any access to the work data.
  • The device had a weak 4-digit device passcode policy so the app was able to access all information.

What process provides strong proof that a certificate being presented to a server for authentication from an Android device was stored in hardware and has not been compromised or spoofed?

(ASP: Android OS & Hardware Security)

  • Verify Apps
  • Certificate Capacitive Filtering
  • Network Access Control services
  • Key Attestation

Which of the following enrollment methods are not considered secure when deploying Android Enterprise devices?

(ASP: Security Enforcement via Android Enterprise)

  • Zero Touch
  • SMS Enrollment Code
  • QR Code
  • NFC bump

A customer has a requirement to enroll Android tablets with no Carrier connectivity. Additionally, they do not want to use an open WiFi with a simple pre-shared password for the enrollment. Is there a solution to help the customer?

(ASP: Security Enforcement via Android Enterprise)

  • Tell the customer that they must set up an open WiFi due to restrictions on how enrollment works.
  • Tell the customer to upload their WiFi certificates to the Zero-Touch portal for automatic delivery during enrollment.
  • Provide SD cards with the certificate.
  • Tell the customer to use a QR code-based provisioning method that can pass WiFi EAP credentials, including certificates.

What are the identities that you can use for Managed Google Play?

(MGP: Identity Management)

  • Managed Google Account
  • Google Account
  • My Company Account
  • Managed Google Play Account

What are the three update modes available for Enterprise?

(MGP: Application Publishing & Distribution)

  • High Priority
  • Postponed
  • Partial
  • Default

A malicious application developer has decided to target Android users by creating a small puzzle app filled with malware. The goal is to get it on as many Android devices as possible using the Google Play Store. What are some of the reasons this developer will not be successful?

(ASP: Application Security)

  • Google Play Protect would scan the app and detect the malware.
  • The attacker will use known spyware to infect the devices.
  • All apps are reviewed by a Google security analyst.
  • All apps uploaded to Google Play are scanned for malware.

You deployed an app that transmits sensitive data and you require the app to use the VPN. In testing, you see that the app tries to connect without the VPN. How could you fix this?

(ASP: Network Security)

  • Educate the users to not use the app if they do not see the VPN is running.
  • Do not allow the user to connect to public WiFi.
  • You must configure the VPN policy to deny app access to the network if the VPN is unavailable.
  • Ask the developer to hard code a clear text token connection string in the app to use for authentication.

You have been in conversations with a U.S. federal agency around Android device security. The agency’s security team has just started to refer to a document called the STIG. What document are they referring to?

(ASP: Industry Validations)

  • It’s the Sample Template Instruction Guide used to deploy Android and iOS devices for government agencies
  • Standard Template of Information Guidance for agencies to use for deploying only Android devices
  • Simple Technical Instruction Guide that provides guidance on how to deploy devices
  • Security Technical Implementation Guide that provides guidance on how to deploy a mobile device

What are the two security services that come standard as part of GMS? Select 2 options.

(ASP: General Android Security)

  • Google One Active Enterprise (GOAT) protection
  • Google Play secure keyboard
  • Google Play Protect
  • SafetyNet

You are deploying Android devices into your retail stores to be shared amongst employees. You want to make sure no user data is on the devices when the users turn in their devices at the end of the day. How can you accomplish this?

(ASP: Security Enforcement via Android Enterprise)

  • Deploy the devices as dedicated devices to ensure each session and associated user’s data is deleted when the user logs out.
  • You will have to purchase additional devices and assign each employee their own device.
  • Use an automated script at midnight to send a device wipe and then to begin an automated enrollment so users will have fresh devices in the morning.
  • Simply ask the users to do a factory reset at the end of the day.