Your customer is deploying ChromeOS devices in their environment and requires those ChromeOS devices to adhere to web filtering via TLS (or SSL) Inspection. What recommendations should you make to your customer in setting up the requirements for ChromeOS devices?

1. A. Configure a hostname allowlist, set up a TLS (or SSL) certificate, then verify TLS (or SSL) inspection is working
2. B. Reach out lo Google Workspace Security and Compliance for tailored configurations for your customer
3. C. Configure a transparent proxy, set up your allowlist to use * google co
4. D. then verify TLS (or SSL) inspection is working
5. E. ChromeOS devices are preconfigured to adhere to company TLS (or SSL) inspection by default and can therefore be deployed with no additional configuration

Correct Answer: A
To set up TLS (or SSL) inspection for web filtering on ChromeOS devices, you need to follow these steps:
✑ Configure Hostname Allowlist: Create an allowlist of hostnames
(e.g., *.google.com, *[invalid URL removed]) that should bypass TLS
inspection. This ensures that essential services like Google services and your own domain can function properly.
✑ Set up TLS Certificate: Obtain the required TLS/SSL certificate from your web filter
provider and install it on your web filter. ChromeOS devices need this certificate to establish a secure connection with the web filter for TLS inspection.
✑ Verify TLS Inspection: Once the configuration is in place, test and verify that TLS
inspection is working as expected. This involves checking if the web filter can correctly intercept and decrypt HTTPS traffic for websites not on the allowlist.
Why other options are not correct:
✑ Option B: While reaching out to Google Workspace Security and Compliance can be helpful, it's not the primary step in setting up TLS inspection. The configuration needs to be done on the web filter and ChromeOS devices.
✑ Option C: Transparent proxies are generally not recommended for ChromeOS devices as they can interfere with certain functionalities. While it might work with an allowlist for Google domains, it's not the best practice.
✑ Option D: ChromeOS devices do not come preconfigured to adhere to company TLS inspection. This configuration needs to be set up explicitly by the administrator.
References:
About TLS (or SSL) inspection on ChromeOS devices:
https://support.google.com/chrome/a/answer/3504942
Verify TLS (or SSL) inspection works:
https://support.google.com/chrome/a/answer/3504943

You have found a possible security issue with an app that your users are using. The severity of this issue requires you to quickly see who is using this app. You have enabled the Chrome Reporting setting. What is the most efficient way to see what users are using the app?

1. A. Under "Reports" -> "Token", download the entire results and place those results into a Google Shee
2. B. Search for the app and note who is using it.
3. C. Under "Security" -> "Access" and "Data Control" -> "API Controls", select "Manage third- party apps access". After the list of connected apps appears, you can now search for the app in question.
4. D. Under "Devices" -> "Chrome" -> "Reports", use the "Apps and Extension" report to show all used apps in your domai
5. E. Click the app in question to get the list of devices that are using the app.
6. F. Under "Devices" -> "Chrome" -> "Devices" you can manually check each devic
7. G. Select the device in question, click "Remote Desktop" and audit the device.

Correct Answer: C
The most efficient way to find users who are using a specific app is to navigate toDevices
> Chrome > Reportsand utilize the"Apps and Extension"report. This report lists all apps being used within the domain and allows you to filter the results to find the specific app and see associated devices.
Verified Answer from Official Source:
The correct answer is verified from theGoogle Admin Console Reporting Guide, which highlights using the Apps and Extensions report for tracking app usage.
"To identify users of a specific app, go to Devices > Chrome > Reports and select 'Apps and Extensions' to generate a list of devices using the specified application."
This method is the quickest and most organized way to gather usage data, especially when time-sensitive security issues arise.
Objectives:
✑ Track app usage efficiently.
✑ Identify devices using potentially compromised apps.
References:
Google Admin Console Reporting Guide

You want users to sign in to ChromeOS devices via SAML Single Sign-On and be able to access websites and cloud services that rely on the same identity provider without having to re-enter credentials. How should you configure SAML?

1. A. Enable SAML identity provider-initialed login for Google authentication
2. B. Enable SAML-based Single Sign-On for ChromeOS devices and set the Single Sign-On cookie behavior to enable transfer of SAML SSO cookies into user sessions during login
3. C. Enable SAML-based Single Sign-On for each application via Chrome App Management
4. D. Use Chrome App Builder to enable SSO for application and force-install the application using ChromeOS user policies

Correct Answer: B
To achieve seamless SSO between ChromeOS devices and other web services using the same identity provider, you need to configure SAML SSO in the Google Admin console:
✑ Enable SAML-based SSO for ChromeOS devices.
✑ In the SSO settings, find theSingle Sign-On cookie behaviorand set it to "Enable transfer of SAML SSO cookies into user sessions during login." This allows the SAML authentication cookie to be passed between the ChromeOS login and other web services, eliminating the need for re-authentication.
Option A is incorrect because it relates to the initial login method, not cookie transfer for subsequent SSO.
Options C and D are incorrect because they involve application-specific SSO configurations, not the general SAML SSO setup for the device.

Due to security threats, your security team would like to immediately prevent any apps on a ChromeOS device from being able to use USB devices. How can you as the admin implement this security practice as quickly and efficiently as possible?

1. A. Create an allowlist and add apps that do not need USB permissions
2. B. Create a blocklist and add apps that use USB permissions
3. C. Create a blocklist, add apps that use USB permissions, and allow users to 'request' apps that are not approved
4. D. Block apps by using the "Block apps by permissions settings" which will allow you to select "USB" as permission type to block

Correct Answer: D
To quickly block apps from accessing USB devices on ChromeOS, use the"Block apps by permissions" settingsin the Admin console. Selecting"USB"as the permission type ensures that no application on the device can interact with USB peripherals, mitigating potential security threats.
Verified Answer from Official Source:
The correct answer is verified from theGoogle ChromeOS Application and Device Management Guide, which details using permission-based blocking for enhanced security.
"To block applications from using USB devices, configure the 'Block apps by permissions' setting in the Admin console and select 'USB' as the restricted permission."
This method provides a comprehensive and quick way to mitigate USB-based threats without individually managing each application.
Objectives:
✑ Strengthen ChromeOS device security.
✑ Manage app permissions effectively.
References:
Google ChromeOS Application and Device Management Guide

As a ChromeOS Administrator, you have been asked to enroll all of your devices into a specific device OU using Zero-Touch Enrollment (ZTE). What are the next steps?

1. A. Generate a ZTE pre-provision enrollment token for your specified device OU
2. B. Give the company domain name to your Chrome Partner to enable ZTF
3. C. Generate a ZTE pre-provision enrollment token directly for your domain root OU
4. D. Generate a ZTE pre-provision enrollment token for your specified user OU
5. E. Use a dedicated ZTE Admin account for device enrollment

Correct Answer: AB
✑ Generate a ZTE pre-provision enrollment token for your specified device OU:This token associates devices with the specific organizational unit (OU) during enrollment, allowing for easier management and policy application.
✑ Give the company domain name to your Chrome Partner to enable ZTF:This enables the Zero-Touch Framework, allowing devices to be automatically enrolled as soon as they connect to the internet.
Why other options are incorrect:
✑ C (Generate token for root OU):While possible, it's not ideal as it doesn't allow for granular control over different device groups.
✑ D (Generate token for user OU):Zero-Touch Enrollment is specifically for devices, not users.
✑ E (Use dedicated admin account):While recommended for security, it's not a mandatory step for ZTE.