Exam MD-101 topic 3 question 7 discussion

Actual exam question from Microsoft's MD-101
Question #: 7
Topic #: 3

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

Contoso.com contains the devices shown in the following table.

In Intune, you create the app protection policies shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

Comments

petir
Highly Voted 3 years, 11 months ago
looks right, had to pay attention to enrollment state
upvoted 18 times
RodrigoT
3 years ago
App protection policies are assigned to users, not devices. For devices you just choose the platform (3 options: Windows, iOS, Android). If in the Windows policy you left the default "Enrollment state > Without enrollment" then the policy applies anyway by MAM, not MDM. Check point 3 of this link: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#create-a-wip-policy Using "Enrollment state > Without enrollment" is also the recommendation of Microsoft because it is the more restrictive. Check the source: https://docs.microsoft.com/en-us/mem/intune/apps/windows-information-protection-policy-create#to-add-a-wip-policy
upvoted 6 times
RodrigoT
3 years ago
The app is always protected by its policy. It doesn't matter if the device is not enrolled because the policy is for the app. Otherwise you are saying that the app is not protected just because the device is not enrolled. That doesn't make sense. If you say Y N Y then in Question #8 on this same page the second answer would be "Minimum 4 policies": Android, iOS, Windows with enrollment and Windows without enrollment. So, for me the answer is Y Y Y.
upvoted 9 times
RodrigoT
3 years ago
"because the device1 is enrolled" I meant.
upvoted 1 times
51007
2 years, 11 months ago
Ok I think I've got it. https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#create-a-wip-policy "If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD." So for the second item you are right in the sense that the app will not go policy-less just bc the device is enrolled. BUT the MDM device policy will take precedence over the MAM user policy. MAMPolicy2 is assigned to Group2/User2. MDMPolicy3 is assigned to Device1. The question asks will Policy2 apply when User2 signs into Device1 and my answer is NO. Policy3 would apply. Y-N-Y
upvoted 6 times
MitchF
2 years, 9 months ago
I agree Y, Y, Y -- It doesn't matter if the devices are enrolled or not. The app protection policy still protects your data anyways. This is the proof: "You can use Intune app protection policies independent of any mobile-device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution" Source (near the top of page): https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy
upvoted 2 times
Merma
Highly Voted 3 years, 11 months ago
Box 1: Yes - User1 is a member of Group1, Device1 is Intune managed, Policy1 is enrolled and assigned to Group1. Box 2: No - User2 is a member of Group2, Device1 is Intune managed, Policy2 is not enrolled & is assigned to Group2. Box 3: Yes - User2 is a member of Group2, Device2 is not Intune managed, Policy2 is assigned to Group2
upvoted 11 times
RodrigoT
2 years, 11 months ago
When an app protection policy is created for Windows 10 "without enrollment" it will be applied anyway by MAM.
upvoted 3 times
NoursBear
Most Recent 1 year, 3 months ago
Could it just be, why the second option is No, because "MAM policies don't support multiple users on the same device" ? So User 1 is the first user of this device, then the policy won't work when getting on Device 1 as well. Just a thought. Another one of those tricky questions
upvoted 1 times
AliNadheer
2 years, 1 month ago
Guys, reading the comments here, I feel things have been lost in translation. For user2 on device1 we all agree that apps will be protected regardless of enrollment, but the question has two policies for each scenario, so in my opinion policy1 won't take effect but perhaps policy3 will. That's why the answer is Y, N, Y. Appreciate your thoughts about this because I am confused.
upvoted 1 times
raduM
2 years, 5 months ago
no more without enrollment
upvoted 1 times
raduM
2 years, 5 months ago
Yes no yes. get your facts straight. without enrollment applies to devices that are not enrolled and with enrollment applies to the devices that are enrolled
upvoted 1 times
AK4U_111
2 years, 6 months ago
Are Policy3+4 there just to try and throw us off? It seems they don't have anything to do with the question/answer
upvoted 1 times
BRoald
2 years, 7 months ago
I would say Y Y Y " Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices" https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
upvoted 1 times
bensrayan
2 years, 7 months ago
We can apply app protection policies to Windows 10 devices (with or without enrollment), so the answer is YES YES YES
upvoted 1 times
Whatsamattr81
2 years, 10 months ago
Answer is Y Y Y
upvoted 3 times
Whatsamattr81
2 years, 10 months ago
App protection policies apply security at the app level and do not require device enrollment. You can use them with devices enrolled into Intune or not. Additionally, you can apply them to devices enrolled into a third-party MDM provider. They also only apply to users (not devices) so basically whatever group the user is in, they will get the policy applied to that group - regardless of device group or enrollment status.
upvoted 1 times
hawkens
3 years, 4 months ago
@nkg123, isn't that only for mobile devices? https://xenit.se/tech-blog/app-protection-policies-for-managed-and-unmanaged-devices-in-intune/
upvoted 1 times
NKG123
3 years, 3 months ago
You are wrong. When you create it you specify with or without enrollment.
upvoted 1 times
RodrigoT
3 years ago
But "with" or "without enrollment" is available just for Windows (tested in lab). If you choose the default "without enrollment" the policy is more restrictive and applies anyway by MAM, independently of whether the device is enrolled or not. But if you choose "with enrollment" then it doesn't apply if the device is not enrolled. I don't know why these 2 options even exist if it's just for Windows.
upvoted 3 times
tf444
3 years, 6 months ago
Yes, No, No. Box 1: Yes - User1 is a member of Group1, Device1 is Intune managed, Policy1 is enrolled and assigned to Group1. Box 2: No - User2 is a member of Group2, Device1 is Intune managed, Policy2 is not enrolled & is assigned to Group2. Box 3: Yes - User2 is a member of Group2, Device2 is not Intune managed, Policy2 is not enrolled assigned to Group2.
upvoted 2 times
rajpatel007
3 years ago
so Yes No No or Yes No Yes
upvoted 3 times
Layer8
3 years, 11 months ago
App protection policies should take effect regardless of Intune enrollment then?
upvoted 1 times
NKG123
3 years, 4 months ago
You are wrong. You can choose to apply on an unmanaged device!
upvoted 1 times
Pleebb
3 years, 9 months ago
correct
upvoted 1 times