Chrome-Enterprise-Administrator Professional Chrome Enterprise Administrator Certification Exam Questions and Answers

The **Enrollment Token** is the key to associating a Chrome browser instance with a specific organizational unit (OU) in the Google Admin console during the enrollment process. By applying the correct enrollment token during setup, the browser will be placed in the designated OU and inherit the policies configured for that OU. Device Management Tokens are more relevant for ChromeOS devices. Browser Policy Tokens are not a standard term for OU assignment during enrollment. Cloud Management Token is a general term encompassing the enrollment process.

===========

The Google Admin console allows administrators to control extension permissions. By configuring the "Permissions and URL access" policy, the administrator can block extensions that request specific permissions, such as the ability to set a proxy. This is a centralized and effective way toenforce the security policy. Remotely connecting to each device (option B) is not scalable. Blocking all extensions (option C) might be too restrictive. Relying on users to uninstall (option D) is not enforceable.

===========

A "warning conflict" in `chrome://policy` indicates that multiple policy sources are trying to control the same setting. Since the browsers were previously managed by Group Policy, there's likely a conflict between the cloud policy and the local Group Policy. The best way to resolve this is to **check and configure the precedence order** of policy sources. Ensure that Cloud Policy is set to have the desired precedence over Group Policy if that's the intention. Restarting the computer might apply existing policies but won't resolve the conflict in precedence. Adjusting a "policy merge list setting" is not a standard term for resolving this type of conflict. Re-enrolling might give a fresh start but doesn't address the underlying conflict in policy sources.

===========

When a managed browser is deleted from the Google Admin console, it needs to be re-enrolled to receive policies again. The process for re-enrollment typically involves deleting the **device management token** from the local machine. Upon relaunching Chrome, the browser will detect the absence of the token and attempt to re-enroll with the cloud management service, at which point it will receive a new token and the latest policies. Deleting the enrollment token (option B) might disrupt the initial enrollment if it still existed. Deleting Chrome policies (option C) might not trigger re-enrollment. Clearing the cache and signing back in (option D) addresses user profile data, not device enrollment.

===========

To prevent a child OU from inheriting a policy set at a parent OU, the administrator needs to configure the policy within the child OU itself and set its inheritance status to "Locally applied." This explicitly overrides the inherited policy from the parent with a specific setting for the child OU. Setting it to locally applied at the parent would not prevent inheritance. Turning off inheritance entirely might not be desired for other policies, and "Child > Parent" is the default precedence when inheritance is enabled.

===========

For machines with no internet connectivity, automatic updates will not work. The only way to update Chrome in this scenario is to manually run the Chrome installer with an updated version obtained through an alternative method (e.g., downloaded on a connected machine and transferred). Auto-update requires internet access, setting a target version only dictates the desired version for automatic updates, and force relaunch requires an update to be downloaded first.

===========

Chrome's Safe Browsing feature actively scans web pages, downloads, and extensions for known malware. When malware is detected, it is reported as a security event. While unauthorized file downloads could be a consequence of a security issue, Chrome's direct detection focuses on the malware itself. Password complexity is a setting for password management, and user inactivity is a system or application-level event, not a direct security event captured by Chrome in the same way as malware detection.

===========

The Chrome Insights Report in the Google Admin console provides visibility into the managed Chrome browser environment. Key report types available here include "Browsers pending updates" to identify devices needing patching, "Browsers without activity in the past 28 days" to understand browser usage, and "Browsers that have been recently enrolled" for monitoring onboarding. The other options list reports that are either not specific to Chrome Insights or related to device hardware rather than browser status.

===========

To prevent extensions from modifying the internal homepage, the administrator should add `*.acme.com` to the "Runtime blocked hosts" list. The wildcard `*` ensures that any attempt to access or modify this domain by an extension will be blocked at runtime. Additionally, to disable access to storage and history, the administrator needs to explicitly disable the "Storage" and "History" permissions within the extension management settings. Therefore, the correct combination is to block the host and disable the permissions.

===========

For macOS devices without MDM, the enrollment token can be embedded in the base image. The correct path for placing the cloud management enrollment token on macOS is `/Library/Google/Chrome/CloudManagementEnrollmentToken`. The other paths listed are for Windows Registry (A), a non-standard Linux path (C), and a potentially incorrect macOS path (D).

===========

Policy conflicts can arise if the same policy is configured at multiple levels with different values. User group policies have a higher precedence than OU policies. Therefore, if a user within the Finance OU is also a member of a group with a conflicting policy setting, the group policy will override the OU policy. Policies at the same hierarchical level do not typically conflict in this way.If the Finance OU has "Locally applied," it would mean it's not inheriting, but it wouldn't explain a *discrepancy* within the OU itself unless multiple local settings were applied. A sub-OU inheriting from Finance wouldn't cause a discrepancy at the Finance OU level.

===========

Setting the **Safe Browsing policy to Enhanced mode** provides the most direct and comprehensive protection against malicious websites by leveraging Google's real-time threat intelligence. Allowing users to bypass warnings (option A) defeats the purpose of Safe Browsing. While site isolation (options C and D) protects against cross-site data leakage, it doesn't directly prevent users from accessing malicious sites in the first place. Enhanced Safe Browsing actively warns and blocks access to dangerous websites.

===========