Chrome-Enterprise-Administrator Professional Chrome Enterprise Administrator Certification Exam Question and Answers

Among the Safe Browsing options, **Enhanced Protection** offers the most robust security. It proactively checks URLs, downloads, and extensions against Google's Safe Browsing database in real time, and it can also share more data with Google to improve detection and provide personalized warnings. This level of protection is best suited for environments with high security requirements. The other options might represent different levels of Safe Browsing with varying degrees of protection.

===========

When both Group Policy (local machine policy) and Chrome Enterprise Core (cloud policy) are configured on a Windows device, the effective policy is determined by a defined order of precedence. Generally, cloud policies for managed browsers will override conflicting local policies. The specific precedence order is configurable, but it follows a hierarchical structure where certain policy sources take priority over others. Options C and D present a simplified view that might not always be the case depending on the configuration. Option B is a general principle of conflict resolution but doesn't describe the specific order in Chrome policy application.

===========

To ensure timely patching, the engineering team should adjust the "Auto-update check period" policy. By shortening this period, Chrome browsers will check for updates more frequently, increasing the likelihood of applying security patches sooner and improving compliance with patching SLAs. "Chrome browser updates" is a general category, "Relaunch notification" affects when users are prompted to restart, and "Google updater policy precedence" deals with the order of policy application, not the frequency of checks.

===========

To combat cookie theft from infostealer malware, requiring "Enhanced Safe Browsing" provides proactive protection against malicious websites and downloads that might distribute such malware. Enabling "Application Bound Encryption" adds an extra layer of security to cookies and other sensitive data stored by Chrome, making them harder for malware to use even if stolen. Blocking third-party cookies (option A) can improve privacy but doesn't directly prevent malware from stealing first-party session cookies. Invalidating existing cookies (option C) is a reactive measure and doesn't prevent future theft. Disallowing Chrome Sync and requiring Incognito mode (option D) changes user behavior but doesn't inherently protect against malware on the local machine.

===========

To prevent extensions from modifying the internal homepage, the administrator should add `*.acme.com` to the "Runtime blocked hosts" list. The wildcard `*` ensures that any attempt to access or modify this domain by an extension will be blocked at runtime. Additionally, to disable access to storage and history, the administrator needs to explicitly disable the "Storage" and "History" permissions within the extension management settings. Therefore, the correct combination is to block the host and disable the permissions.

===========

The study guide emphasizes using enrollment tokens generated in the Google Admin console for enrolling browsers. When using an MDM solution, the most efficient and recommended method is to generate a single enrollment token and then deploy it to the devices through the MDM software. This allows for automated and scalable enrollment. Bulk enrollment features in the Admin console are typically for direct enrollment, not through MDM. Individual tokens or keys would be inefficient for a large deployment.

===========

To pin Chrome to a specific working version and prevent upgrades beyond it while still allowing updates within that major version for security patches, the "Target version and rollback" policy is the appropriate choice. This allows administrators to specify a target version and potentially roll back if issues arise, while still receiving critical security updates within that targeted version.

===========

The "Managed browsers detail" page in the Google Admin console provides specific information about individual managed Chrome browser instances. This includes details about the profiles associated with that browser, such as the signed-in users and their management status. Chrome log events might contain some profile-related information but are more focused on actions. The"Managed devices" section primarily focuses on ChromeOS devices. The "Chrome Insights report" provides a high-level overview rather than detailed profile information for a specific browser instance.

===========

Given that the MV2 extensions are not critical, and the requirement is to either block or upgrade, the most direct and efficient approach is to configure the "Manifest V2 availability" policy. This policy allows administrators to control the usage of Manifest V2 extensions, including blocking them entirely or allowing them until a specified date. Option A involves manually collecting and blocking each extension, which is less efficient. Option C ("removed") is not a standard installation mode policy. Option D is not a policy that an administrator can directly configure; the upgrade to MV3 is a developer-driven process.

===========

When Chrome's Safe Browsing feature identifies a website as potentially risky and displays a warning page that the user might bypass to visit the site, this interaction is typically logged in the Audit and Investigation Report as a "Site Warning Unsafe Site Visit" event. This allows administrators to track instances where users might be exposed to potentially malicious content despite browser warnings. SSL errors relate to certificate issues, untrusted site visit is a more general term, and site isolation violation refers to a different security mechanism.

===========

For macOS devices without MDM, the enrollment token can be embedded in the base image. The correct path for placing the cloud management enrollment token on macOS is `/Library/Google/Chrome/CloudManagementEnrollmentToken`. The other paths listed are for Windows Registry (A), a non-standard Linux path (C), and a potentially incorrect macOS path (D).

===========

The Chrome Insights Report in the Google Admin console provides visibility into the managed Chrome browser environment. Key report types available here include "Browsers pending updates" to identify devices needing patching, "Browsers without activity in the past 28 days" to understand browser usage, and "Browsers that have been recently enrolled" for monitoring onboarding. The other options list reports that are either not specific to Chrome Insights or related to device hardware rather than browser status.

===========