A company is working on mobile device security after a report revealed that users granted non-verified software access to corporate data. Which of the following is the MOST effective security control to mitigate this risk?
A. Block access to application stores - in my opinion it is the most effective way to prevent standard users from installing unknown software if they are using corporate-owned mobile phones.
From my understanding and previous experience managing MDM, I believe the "non-verified" part of the question is referring to the company itself not verifying. For example, someone installs Facebook from the app store and allows it access to the photos app that contains company images. Facebook is a verified app in all app stores but would be considered a non-verified application to the company because they didn't approve of the install. Therefore, blocking access to the app store will keep them from installing applications they haven't approved.
Assuming the device is a personal device and user can go online and download applications outside of the app store is reading too much into the question. Look at what it asked specifically.
The most effective security control to mitigate the risk of users granting non-verified software access to corporate data is:
A. Block access to application stores.
By blocking access to application stores, the company can prevent users from downloading and installing unauthorized or non-verified software on their devices. This helps reduce the risk of malware, data breaches, and other security incidents associated with unapproved applications accessing corporate data.
These questions are so incredibly dumb. It doesn't mention ownership of the mobile device because it actually affects the answer. A, B, D make sense if it's company owned and C if it's user owned.
Use CompTIA leaving information out to your advantage. If an answer is specific to "Well, is it a personal device or a corporate device?" then it can't be that answer; otherwise, they would have specified.
C: Because blocking access to application stores would block all software from being installed (even signed corporate apps) and can be bypassed. You need a policy setting in the MDM system that can selectively allow only certain apps - regardless of whether they come from an app store or somewhere else.
C - key words "granted access" not downloaded. Also when using MDM, they are already on their own profile which would not allow this to occur. Logical answer is C, update the policy so they know not to do this.
Has to be A. On our devices we have two stores we can download applications from. A work "store" with approved applications and one that is the regular consumer store. It would be most effective to block the regular store while the "work" store still has access.
Agree, and no mention of it being BYOD. Besides, they have to figure out what apps are accessing the corporate data to correct that problem. Then unblock apps that pose no risk.
If the question doesn't explicitly say the users are using their own devices, we should assume they're the company's property. That's why I think it is A rather than C.
C. Update the BYOD Policy.
It is common for a BYOD policy to mandate that MDM software be installed on the device.
It is not only common, but it is a BYOD policy Best Practice.
Through the MDM policy you can segment, containerize and encrypt the Corporate data.
MDM software also has the ability to block or restrict applications from being installed.
This risk can be entirely resolved through updating the BYOD policy which would mandate the installation of MDM on mobile devices.
A seems like the best one, but it's a really poor question - most phones are Android, so you can easily install apps even without stores. In fact, when using stores, these apps are at least verified by the vendor, and disabling them will encourage users to download apps from the internet, which is much more risky.
I will choose Option B.
Blocking access to application stores may limit users' ability to download apps, but it's a highly restrictive approach that may not be practical or desirable in a Bring Your Own Device (BYOD) environment. It may also hinder legitimate software updates and app installations.
We're mitigating the risk, not correcting it. Blocking applications may not be feasible. Different people have different jobs. Updating the policy is good, but doesn't provide any technical controls. Uniform firmware updates may not prevent non-verified software.
OTA updates ensure that devices are running the latest and most secure software. This will mitigate the risks from older software versions.
Blocking access to application stores would be the most effective security control to mitigate the risk of users granting non-verified software access to corporate data. By preventing users from accessing application stores, the company can limit the installation of unapproved or potentially malicious applications on mobile devices. This measure helps reduce the risk of sensitive corporate data being exposed to unauthorized or insecure software.
I would go with A. I think non-verified is referring to the IT department and not the app store. Also, the question made no mention that these devices were BYOD. Lastly, most people do not even read BYOD policies entirely.
Community vote distribution: A (35%), C (25%), B (20%), Other