ChromeOS-Administrator Google Exam Questions and Free Practice Test

Question 31

Your customer is deploying ChromeOS devices in their environment and requires those ChromeOS devices to adhere to web filtering via TLS (or SSL) Inspection. What recommendations should you make to your customer in setting up the requirements for ChromeOS devices?

A. Configure a hostname allowlist, set up a TLS (or SSL) certificate, then verify TLS (or SSL) inspection is working

B. Reach out lo Google Workspace Security and Compliance for tailored configurations for your customer

C. Configure a transparent proxy, set up your allowlist to use * google co

D. then verify TLS (or SSL) inspection is working

E. ChromeOS devices are preconfigured to adhere to company TLS (or SSL) inspection by default and can therefore be deployed with no additional configuration

Correct Answer:A
To set up TLS (or SSL) inspection for web filtering on ChromeOS devices, you need to follow these steps:
✑ Configure Hostname Allowlist: Create an allowlist of hostnames
(e.g., *.google.com, *[invalid URL removed]) that should bypass TLS
inspection. This ensures that essential services like Google services and your own domain can function properly.
✑ Set up TLS Certificate: Obtain the required TLS/SSL certificate from your web filter
provider and install it on your web filter. ChromeOS devices need this certificate to establish a secure connection with the web filter for TLS inspection.
✑ Verify TLS Inspection: Once the configuration is in place, test and verify that TLS
inspection is working as expected. This involves checking if the web filter can correctly intercept and decrypt HTTPS traffic for websites not on the allowlist.
Why other options are not correct:
✑ Option B: While reaching out to Google Workspace Security and Compliance can be helpful, it's not the primary step in setting up TLS inspection. The configuration needs to be done on the web filter and ChromeOS devices.
✑ Option C: Transparent proxies are generally not recommended for ChromeOS devices as they can interfere with certain functionalities. While it might work with an allowlist for Google domains, it's not the best practice.
✑ Option D: ChromeOS devices do not come preconfigured to adhere to company TLS inspection. This configuration needs to be set up explicitly by the administrator.
References:
About TLS (or SSL) inspection on ChromeOS devices:
https://support.google.com/chrome/a/answer/3504942
Verify TLS (or SSL) inspection works:
https://support.google.com/chrome/a/answer/3504943

Question 32

A large marketing company hires interns in the IT department. The interns should see only info from ChromeOS devices but should not be able to manage or update any device.
How should an admin assign this role to Interns? How should an admin assign this role to interns?

A. Create a custom services admin role and enable 2FA

B. Create Custom role under Chrome management and assign Telemetry API role

C. Create Custom role under Chrome management and assign Settings rote

D. Create Custom role under Chrome management and assign Manage ChromeOS devices role K.

Correct Answer:B
To grant interns read-only access to ChromeOS device information without management or update capabilities, you should:
✑ Create Custom Role:In the Google Admin console, navigate to "Device
management" -> "Chrome management" -> "User settings" -> "Roles."
✑ Assign Telemetry API Role:Within the custom role, assign the "Telemetry API" role. This allows interns to view device information collected through the API but not make changes.
✑ Exclude Other Roles:Ensure no other roles are assigned that grant management or update permissions.
Option A is incorrectbecause it involves service admin roles, which typically have broader administrative access.
Option C is incorrectbecause the "Settings" role might grant more permissions than intended.
Option D is incorrectbecause the "Manage ChromeOS devices" role grants full management capabilities, which is not suitable for interns.
Chrome Browser Cloud Management API:https://developers.google.com/chrome/policy

Question 33

You want to enterprise-enroll a device that has previously been signed in to. What should you do first?

A. Delete all consumer accounts, and then follow the same steps for enrolling a brand new device

B. Follow the same steps for enrolling a brand new device

C. Contact Google support to convert the device into an enterprise device

D. Wipe the device

Correct Answer:D
If a ChromeOS device has previously been signed in to, you mustwipe the device (Powerwash)before enrolling it into the enterprise. This ensures that any existing user data and previous configurations are removed, allowing the device to start the enrollment process as new.
Verified Answer from Official Source:
The correct answer is verified from theGoogle ChromeOS Device Enrollment Guide, which specifies that devices must be wiped to remove any previous user associations before enterprise enrollment.
"To enroll a previously used device, perform a factory reset (Powerwash) to ensure it is in a clean state, ready for enterprise enrollment."
Wiping the device ensures that it is free from personal settings or residual user data, which might conflict with enterprise policies.
Objectives:
✑ Enroll ChromeOS devices in an enterprise environment.
✑ Maintain compliance with managed device policies.
References:
Google ChromeOS Device Enrollment Guide

Question 34

Due to security threats, your security team would like to immediately prevent any apps on a ChromeOS device from being able to use USB devices. How can you as the admin implement this security practice as quickly and efficiently as possible?

A. Create an allowlist and add apps that do not need USB permissions

B. Create a blocklist and add apps that use USB permissions

C. Create a blocklist, add apps that use USB permissions, and allow users to 'request' apps that are not approved

D. Block apps by using the "Block apps by permissions settings" which will allow you to select "USB" as permission type to block

Correct Answer:D
To quickly block apps from accessing USB devices on ChromeOS, use the"Block apps by permissions" settingsin the Admin console. Selecting"USB"as the permission type ensures that no application on the device can interact with USB peripherals, mitigating potential security threats.
Verified Answer from Official Source:
The correct answer is verified from theGoogle ChromeOS Application and Device Management Guide, which details using permission-based blocking for enhanced security.
"To block applications from using USB devices, configure the 'Block apps by permissions' setting in the Admin console and select 'USB' as the restricted permission."
This method provides a comprehensive and quick way to mitigate USB-based threats without individually managing each application.
Objectives:
✑ Strengthen ChromeOS device security.
✑ Manage app permissions effectively.
References:
Google ChromeOS Application and Device Management Guide

START ChromeOS-Administrator EXAM