Exam MD-101 topic 4 question 15 discussion

This Should be No, Yes, No Policy 1 - Priority 1 (Andriod, IOS, Windows) Applied to None Policy 2 - Priority 2 (Windows) Applied to Group 2 Policy 3 - Priority 3 (Android) Applied to Group 1 User 1 is in G1, so they cannot enroll Windows devices. User 2 is in both G1 & G2, G2 has P2 with a Pri.2 which means, even though they are in G1, G1 has a pri.3, so P3 will not apply User 3 Is not a member of any group so the Default will apply. Policy 1 is assigned to NONE, default is assigned to All users, therefore they can NOT enroll iOS as default is only Android & Win.

It is: User 1 - NO User 2 - YES User 3 - YES (DEM)

no, yes, no "DEM isn't compatible with Apple Automated Device Enrollment (ADE)."

N,Y,N.

Great success!

STATEMENT1: User1 can enroll a Windows device in Intune > NO User1 is part of Group1 which only allows enrollment of Android, iOS devices (NOT Windows devices) STATEMENT2: User2 can enroll a Windows device in Intune > YES User2 is part of 2x Groups (Group1 & Group2) but Group2 = Priority 2 which is higher priority than Group 1 = Priority 3, so only Priority 2 = Policy2 applies Policy2 allows enrollment of Windows devices (and also happens to have the highest priority) STATEMENT3: User3 can enroll an iOS device in Intune > NO User3 is not part of any created group and therefore ends up in "All users" The "All users" Device Restriction Types only allow Android, Windows (MDM) and not iOS I would make an assumption that if "All Users" has "No iOS Device Type" enrollments allowed, then even DEM accounts could not enroll them (would not make sense if thought as a security admin)

Priority is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group that they are in. For example, Joe is in group A assigned to priority 5 restrictions and also in group B assigned to priority 2 restrictions. Joe is subject only to the priority 2 restrictions.

No Yes No User 3 is DEM and cannot enroll IOS devices.

I think DEM just has a higher limit to the number of devices, here the defalult rule does not include IOS so No, Yes , No

Restrictions with a higher priority always overwrite the default restriction or the ones with a lower priority. Given answer is right. NO NO YES(DEM)

A device must comply with the highest priority enrollment restrictions assigned to its user. User2 is in two groups User2 can enroll Windows as is in Group 2 User2 can enroll Android and IOS as is in Group 1

User 1 - Group 1 - (Android & iOS) - Answer NO User 2 - Group 1 and group 2 - (Group 1 allow Android & iOS) + group 2 allow Windows OS)- Answer Yes User 3 - is a device enrollment manager (DEM) - Answer Yes - Can enrol up to 1000 devices, the only restrictions are: * DEM user accounts cannot use Apple Volume Purchase Program (VPP) apps with Apple VPP user licenses because of per-user Apple ID requirements for app management. * DEM accounts cannot be used when enrolling devices via Apple's Automated Device Enrollment (ADE). * Devices can install VPP apps if they have Apple VPP device licenses. * Enrolling Android Enterprise fully managed devices with DEM accounts isn't supported.

DEM just means the user can enroll large numbers of devices. You can also restrict who can enroll devices but that is not covered here. If each user can enroll devices, then: User1: member of Group 1 & All Users can enroll Android, iOS and Windows devices. Yes. User2/Group 1&2/All Users can enroll Windows, Android and iOS devices. Yes. User3 is the DEM, so group membership is irrelevant. Yes. The gotcha wasn't whether the other 2 could enroll devices. It was whether 3 could and the fact that all three users are members of All Users.

Change enrollment restriction priority Priority is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group that they are in. For example, Joe is in group A assigned to priority 5 restrictions and also in group B assigned to priority 2 restrictions. Joe is subject only to the priority 2 restrictions. When you create a restriction, it's added to the list just above the default. Device enrollment includes default restrictions for both device type and device limit restrictions. These two restrictions apply to all users unless they're overridden by higher-priority restrictions.

Ok, so it is NO, YES, NO. But what would be the correct answer in the real exam? Is it the once this site shows that are OK or is it something else? Looks like the answer on this site is very often wrong?

Was intrigued so I tested this in test lab environment by the all settings provided, finally result is as expected No Yes No

It is: User 1 - NO User 2 - YES User 3 - YES (DEM)