Your company has numerous locations throughout the world. Each of these locations has multiple office managers that field questions from employees through an email alias. Some questions have not been answered by an office manager.
How can you create a system to assign conversations to different receptionists using Workspace?
- A . Create a Google Groups Collaborative Inbox.
- B . Use Apps Script to design a ticketing system that marks conversation ownership.
- C . Contract with a third-party solution, such as ServiceNow.
- D . Create Google Tasks and assign them to receptionists to address unanswered questions.
The company’s ten most senior executives are to have their offices outfitted with dedicated, standardized video conference cameras, microphones, and screens. The goal is to reduce the amount of technical support they require due to frequent, habitual switching between various mobile and PC devices throughout their busy days. You must ensure that it is easier for the executives to join Meet video conferences with the dedicated equipment instead of whatever device they happen to have available.
What should you do?
- A . Set up unmanaged Chromeboxes and set the executives’ homepage to meet.google.com via Chrome settings.
- B . Set up the executive offices as reservable Calendar Resources, deploy Hangouts Meet Hardware Kits, and associate the Meet hardware with the room calendars.
- C . Deploy Hangouts Meet Hardware Kits to each executive office, and associate the Meet hardware with the executives’ calendars.
- D . Provision managed Chromeboxes and set the executives’ Chrome homepage to meet.google.com via device policy.
B
Explanation:
Option B is the most suitable answer because it allows for the integration of hardware specifically designed for Google Meet with the room resources in the calendar. This will enable executives to easily book and use their office space for meetings, with the Meet hardware automatically integrated into the room’s calendar resource, streamlining the process of setting up and joining video conferences.
Let’s look at the other options:
You have configured SSO using a third-party IDP with your Google Workspace domain. An end user has reported that they cannot sign in to Google Workspace after their username was changed in the third-party SSO product. They can sign in to their other internal applications that use SSO, and no other users are experiencing issues signing in.
What could be causing the sign-in issue?
- A . The SAML assertion provided by the third-party IDP is presenting a username that conflicts with the current username configured in Google Workspace.
- B . The user’s Google password was changed administratively, which is causing a sign-in failure.
- C . The issued certificate for that user has been revoked and must be updated before the user can have another successful sign in.
- D . The SAML assertion is providing the user’s previous password attached to their old username.
You recently started an engagement with an organization that is also using Google Workspace. The engagement will involve highly sensitive data, and the data needs to be protected from being shared with unauthorized parties both internally and externally. You need to ensure that this data is properly secured.
Which configuration should you implement?
- A . Turn on external sharing with whitelisted domains, and add the external organization to the whitelist.
- B . Provision accounts within your domain for the external users, and turn off external sharing for that Org.
- C . Configure the Drive DLP rules to prevent the sharing of PII and PHI outside of your domain.
- D . Create a Team Drive for this engagement, and limit the memberships and sharing settings.
D
Explanation:
https://support.google.com/a/users/answer/9310352#1.1
Your cyber security team has requested that all email destined for external domains be scanned for credit card numbers, and if found, the email must be encrypted using your cloud-based third-party encryption provider. You are responsible for configuring to meet this request.
What should you do?
- A . Create a content compliance rule on outbound mail and internal-sending mail using the predefined rule for credit card numbers, and add a custom header that your third-party encryption provider can scan for and encrypt.
- B . Create a content compliance rule on outbound mail using the predefined rule for credit card numbers, and check “Encrypt message if not encrypted”.
- C . Create a content compliance rule on outbound mail using the predefined rule for credit card numbers, and add a custom header that your third-party encryption provider can scan for and encrypt.
- D . Create a content compliance rule on outbound mail using the predefined rule for credit card numbers, and check “Change route” to send to your third-party encryption provider to encrypt.
A
Explanation:
In this scenario, the goal is to ensure that all email, both sent externally and internally, which contains credit card numbers, is encrypted using a third-party encryption provider.
Option A allows you to create a content compliance rule that scans both outbound and internal-sending mails for credit card numbers. When a credit card number is detected, a custom header is added to the email which the third-party encryption provider can identify and encrypt the email accordingly.
Let’s analyze other options:
B. This option only encrypts the message if it is not encrypted already, but it doesn’t necessarily interface with the specific third-party encryption provider that has been mentioned in the question.
C. This option is similar to A but only focuses on outbound mail and not on internal-sending mail. It misses the part about scanning internal emails, which may still contain sensitive data like credit card numbers.
D. Changing the route to send to the third-party encryption provider seems like a viable option but would be more about rerouting the entire email to the provider rather than adding a specific header that the provider can scan for, which might not align perfectly with the encryption process required by the third-party provider.
Therefore, option A provides a more comprehensive solution that complies with the requirements set by the cybersecurity team. It allows for scanning of both outbound and internal emails, adding a custom header for the third-party provider to encrypt the mail, ensuring better security and compliance with the request.
A user joined your organization and is reporting that every time they start their computer they are asked to sign in. This behavior differs from what other users within the organization experience. Others are prompted to sign in biweekly.
What is the first step you should take to troubleshoot this issue for the individual user?
- A . Reset the user’s sign-in cookies
- B . Confirm that this user has their employee ID populated as a sign-in challenge.
- C . Check the session length duration for the organizational unit the user is provisioned in.
- D . Verify that 2-Step Verification is enforced for this user.
After making a recent migration to Google Workspace, you updated your Google Cloud Directory Sync configuration to synchronize the global address list. Users are now seeing duplicate contacts in their global directory in Google Workspace. You need to resolve this issue.
What should you do?
- A . Train users to use Google Workspace’s merge contacts feature.
- B . Enable directory contact deduplication in the Google Workspace Admin panel.
- C . Update shared contact search rules to exclude internal users.
- D . Create a new global directory, and delete the original.
C
Explanation:
https://support.google.com/a/answer/3075991#duplicatecontacts
"To resolve this issue, correct your shared contact search rules to exclude users in your own domain. On the next sync, GCDS attempts to delete the redundant contacts. You might need to adjust the shared contact deletion limit for that first sync."
All Human Resources employees at your company are members of the “HR Department” Team Drive. The HR Director wants to enact a new policy to restrict access to the “Employee Compensation” subfolder stored on that Team Drive to a small subset of the team.
What should you do?
- A . Use the Drive API to modify the permissions of the Employee Compensation subfolder.
- B . Use the Drive API to modify the permissions of the individual files contained within the subfolder.
- C . Move the contents of the subfolder to a new Team Drive with only the relevant team members.
- D . Move the subfolder to the HR Director’s MyDrive and share it with the relevant team members.
C
Explanation:
"Inherited permissions can’t be removed from a file or folder in a shared drive".
ref: https://developers.google.com/drive/api/v3/manage-sharing
Your company frequently hires from five to ten interns for short contract engagements and makes use of the same generically named Google Workspace accounts (e.g., user1@your-company.com, user2@your-company.com, user3@your-company.com). The manager of this program wants all email to these accounts routed to the manager’s mailbox account also.
What should you do?
- A . Set up address forwarding in each account’s Gmail setting menu.
- B . Set up recipient address mapping in Gmail Advanced Settings.
- C . Configure an Inbound Gateway route.
- D . Give the manager delegated access to the mailboxes.
B
Explanation:
https://support.google.com/a/answer/6297084#address
Your corporate LDAP contains the email addresses of several hundred non-employee business partners. You want to sync these contacts to Google Workspace so they appear in Gmail’s address autocomplete for all users in the domain.
What are two options to meet this requirement? (Choose two.)
- A . Use the Directory API to upload a .csv file containing the contacts.
- B . Configure GCDS to populate a Group with external members.
- C . Use the People API to upload a .csv file containing the contacts.
- D . Develop a custom application to call the Domain Shared Contacts API.
- E . Configure GCDS to synchronize shared contacts.
D,E
Explanation:
https://support.google.com/a/answer/9281635?hl=en&ref_topic=20016
Your organization’s information security team has asked you to determine and remediate if a user (user1@example.com) has shared any sensitive documents outside of your organization.
How would you audit access to documents that the user shared inappropriately?
- A . Open Security Investigation Tool -> Drive Log Events. Add two conditions: Visibility Is External, and Actor Is user1@example.com.
- B . Have the super administrator use the Security API to audit Drive access.
- C . As a super administrator, change the access on externally shared Drive files manually under user1@example.com.
- D . Open Security Dashboard -> File Exposure Report -> Export to Sheet, and filter for user1@example.com.
A
Explanation:
https://support.google.com/a/answer/11480192?hl=en&ref_topic=11479095#:~:text=View%20files%20shared,Click%20Search.
Your company has a broad, granular IT administration team, and you are in charge of ensuring proper administrative control. One of those teams, the security team, requires access to the Security Investigation Tool.
What should you do?
- A . Assign the pre-built security admin role to the security team members.
- B . Create a Custom Admin Role with the Security Center privileges, and then assign the role to each of the security team members.
- C . Assign the Super Admin Role to the security team members.
- D . Create a Custom Admin Role with the security settings privilege, and then assign the role to each of the security team members.
B
Explanation:
https://support.google.com/a/answer/9043255#:~:text=To%20give%20access%20only%20to%20the%20investigation%20tool%2C%20check%20the%20individual%20boxes%20for%C2%A0Investigation%20Tool%20privileges.%20You%20can%20add%20specific%20privileges%20for%20access%20to%20different%20types%20of%20data%20(for%20example%2C%20Gmail%2C%20Drive%2C%20Device%2C%20and%20User)%3A
A disgruntled employee has left your company and deleted all their email messages and files in Google Drive. The security team is aware that some intellectual property may have surfaced on a public social media site.
What is the first step to start an investigation into this leak?
- A . Delete the user’s account in the Admin Console.
- B . Transfer data between end user Workspace accounts.
- C . Instruct a Google Vault admin to create a matter, and place all the user data on ‘hold.’
- D . Use Google Vault to export all the user data and share among the security team.
Your organization has just completed migrating users to Workspace. Many employees are concerned about their legacy Microsoft Office documents, including issues of access, editing, and viewing.
Which two practices should you use to alleviate user concerns without limiting Workspace collaboration features? (Choose two.)
- A . Configure Context-Aware Access policies to block access to Microsoft Office applications.
- B . Demonstrate the ability to convert Office documents to native Google file format from Drive.
- C . Demonstrate and train users to use the Workspace Migrate tool.
- D . Deliver training sessions that show the methods to access and edit native Office files in Drive, the Workspace file editors, and Drive for Desktop.
- E . Continue to use installed Office applications along with Google Drive for Desktop.
Your organization is preparing to deploy Workspace and will continue using your company’s existing identity provider for authentication and single sign-on (SSO). In order to migrate data from an external system, you were required to provision each user’s account in advance. Your IT team and select users (~5% of the organization) have been using Workspace for configuration and testing purposes. The remainder of the organization can technically access their accounts now, but the IT team wants to block their access until the migrations are complete.
What should your organization do?
- A . Remove Google Workspace license to prevent users from accessing their accounts now.
- B . Suspend users that the organization does not wish to have access.
- C . Add the users to the OU with all services disabled.
- D . Use Context-Aware Access to simultaneously block access to all services for all users and allow access to all services for the allowed users.
D
Explanation:
Context-Aware Access allows you to enforce granular access controls based on a variety of conditions like user identity, device security status, and more. In this scenario, Context-Aware Access can be configured to block access to Google Workspace services for all users except the IT team and those select users involved in configuration and testing. This way, you can ensure that only authorized personnel have access to Google Workspace while the migrations are in progress.
Let’s examine the other options:
A user is reporting that after they sign in to Gmail, their labels are not loading and buttons are not responsive.
What action should you take to troubleshoot this issue with the user?
- A . Collect full message headers for examination.
- B . Check whether the issue occurs when the user authenticates on a different device or a new incognito window.
- C . Check whether a ping test to service.gmail.com (pop.gmail.com or imap.gmail.com) is successful.
- D . Check whether traceroute to service.gmail.com (pop.gmail.com or imap.gmail.com) is successful.
Your CISO is concerned about third party applications becoming compromised and exposing Google Workspace data you have made available to them.
How could you provide granular insight into what data third party applications are accessing?
What should you do?
- A . Create a report using the OAuth Token Audit Activity logs.
- B . Create a report using the Calendar Audit Activity logs.
- C . Create a report using the Drive Audit Activity logs.
- D . Create a report using the API Permissions logs for Installed Apps.
A
Explanation:
https://support.google.com/a/answer/6124308?hl=en
Your company uses a whitelisting approach to manage third-party apps and add-ons. The Senior VP of Sales & Marketing has urgently requested access to a new Marketplace app that has not previously been vetted.
The company’s Information Security policy empowers you, as a Google Workspace admin, to grant provisional access immediately if all of the following conditions are met:
- Access to the app is restricted to specific individuals by request only.
- The app does not have the ability to read or manage emails.
- Immediate notice is given to the Infosec team, followed by the submission of a security risk analysis report within 14 days.
Which actions should you take first to ensure that you are compliant with Infosec policy?
- A . Move the Senior VP to a sub-OU before enabling Marketplace Settings > “Allow Users to Install Any App from Google Workspace Marketplace.”
- B . Confirm that the Senior VP’s OU has the following Gmail setting disabled before whitelisting the app: “Let users delegate access to their mailbox.”
- C . Add the Marketplace app, then review the authorized scopes in Security > Manage API client access.
- D . Search the Google Workspace support forum for feedback about the app to include in the risk analysis report.
C
Explanation:
https://support.google.com/a/answer/7281227?hl=en
A company using Google Workspace has reports of cyber criminals trying to steal usernames and passwords to access critical business data. You need to protect the highly sensitive user accounts from unauthorized access.
What should you do?
- A . Turn on password expiration.
- B . Enforce 2FA with a physical security key.
- C . Use a third-party identity provider.
- D . Enforce 2FA with Google Authenticator app.
B
Explanation:
https://support.google.com/a/answer/175197?hl=en#keys&prompt&authentic&codes&phone&2sv&security
Reference: https://support.google.com/a/answer/175197?hl=en
Your organization wants to grant Google Vault access to an external regulatory authority. In an effort to comply with an investigation, the external group needs the ability to view reports in Google Vault.
What should you do?
- A . Create accounts for external users and assign Vault privileges.
- B . Share Vault access with external users.
- C . Assign an Archived User license to the external users.
- D . Temporarily assign the super admin role to the users
Your organization has decided to enforce 2-Step Verification for a subset of users. Some of these users are now locked out of their accounts because they did not set up 2-Step Verification by the enforcement date.
What corrective action should you take to allow the users to sign in again?
- A . Disable 2-Step Verification per organizational unit so the affected users can sign in.
- B . Move the affected users into the exception group temporarily so they can set up 2-Step Verification, and then remove them from the exception group after successful sign-in is confirmed.
- C . Disable 2-Step Verification organization-wide so all users can successfully sign in.
- D . Move the affected users into the exception group permanently so they do not have to use 2-Step Verification going forward.
The Director of your Finance department has asked to be alerted if two financial auditors share any files outside the domain. You need to set an Admin Alert on Drive Sharing.
What should you do?
- A . Create a Google Group that has the two auditors as members, and then create a Drive DLP Rule that is assigned to that Group.
- B . Create a Content Compliance rule that looks for outbound share notifications from those two users, and Bcc the Director on those emails.
- C . Create two Drive Audit Alerts, one for each user, where the Visibility is “Shared Externally,” and email them to the Director.
- D . Check the Admin Console Dashboard Insights page periodically for external shares, and notify the Director of any changes.
C
Explanation:
https://support.google.com/a/answer/4579696?hl=en https://support.google.com/a/answer/9725685
Your company has an OU that contains your sales team and an OU that contains your market research team. The sales team is often a target of mass email from legitimate senders, which is distracting to their job duties. The market research team also receives that email content, but they want it because it often contains interesting market analysis or competitive intelligence. Constant Contact is often used as the source of these messages. Your company also uses Constant Contact for your own mass email marketing. You need to set email controls at the Sales OU without affecting your own outgoing email or the market research OU.
What should you do?
- A . Create a blocked senders list at the Sales OU that contains the mass email sender addresses, but bypass this setting for Constant Contact emails.
- B . Create a blocked senders list at the root level, and then an approved senders list at the Market Research OU, both containing the mass email sender addresses.
- C . Create a blocked senders list at the Sales OU that contains the mass email sender addresses.
- D . Create an approved senders list at the Market Research OU that contains the mass email sender addresses.
C
Explanation:
"The sales team is often a target of mass email from legitimate senders, which is distracting to their job duties" and "Constant Contact is often used as the source of these messages". Nowhere in the question did it specify that emails received via Constant Contact should be allowed for the sales OU. It only mentioned that the company uses Constant Contact for its own outgoing emails, which in this case does not affect the answer at all.
The nature of your organization’s business makes your users susceptible to malicious email attachments.
How should you implement a scan of all incoming email attachments?
- A . Configure a safety rule to protect against encrypted attachments from untrusted senders
- B . Configure a safety rule to protect against attachments with scripts from untrusted senders.
- C . In the security sandbox section, enable virtual execution of attachments for the targeted OU.
- D . In the security sandbox section, enable virtual execution of attachments for the entire organization.
A retail company has high employee turnover due to the cyclical nature in the consumer space. The increase in leaked confidential content has created the need for a specific administrative role to monitor ongoing employee security investigations.
What step should you take to increase the visibility of such investigations?
- A . Assign the ‘Services Admin’ role to an administrator with ‘Super Admin’ privileges.
- B . Create a ‘Custom Role’ and add all the Google Vault privileges for a new administrator.
- C . Validate that the new administrator has access to Google Vault.
- D . Create a ‘Custom Role’ and add the ability to manage Google Vault matters, holds, searches, and exports.
Your organization has recently gone Google, but you are not syncing Groups yet. You plan to sync all of your Active Directory group objects to Google Groups with a single GCDS configuration.
Which scenario could require an alternative deployment strategy?
- A . Some of your Active Directory groups have sensitive group membership.
- B . Some of the Active Directory groups do not have owners.
- C . Some of the Active Directory groups have members external to the organization.
- D . Some of the Active Directory groups do not have email addresses.
A
Explanation:
As the Workspace Administrator, you have been asked to delete a temporary Google Workspace user account in the marketing department. This user has created Drive documents in My Documents that the marketing manager wants to keep after the user is gone and removed from Workspace. The data should be visible only to the marketing manager. As the Workspace Administrator, what should you do to preserve this user’s Drive data?
- A . In the user deletion process, select “Transfer” in the data in other apps section and add the manager’s email address.
- B . Use Google Vault to set a retention period on the OU where the users reside.
- C . Before deleting the user, add the user to the marketing shared drive as a contributor and move the documents into the new location.
- D . Ask the user to create a folder under MyDrive, move the documents to be shared, and then share that folder with the marketing team manager.
A
Explanation:
https://support.google.com/a/answer/6223444?hl=en#zippy=%2Ctransfer-user-drive-or-google-data:~:text=You%20can%20transfer,Tap%20Transfer.
A subset of users from the finance and human resources (HR) teams need to share documents with an external vendor. However, external content sharing is prohibited for the entire finance team.
What would be the most secure method to enable external sharing for this set of users?
- A . Download and attach the documents to a Gmail message, and send them to the external vendor.
- B . Move all users from the finance org unit to the HR org unit.
- C . Enable ‘Visitor Sharing’ for the entire finance org unit.
- D . Create a group with the finance and HR users who need to share externally.
As the newly hired Admin in charge of Google Workspace, you learn that the organization has been using Google Workspace for months and has configured several security rules for accessing Google Drive. A week after you start your role, users start to complain that they cannot access Google Drive anymore from one satellite office and that they receive an error message that “a company policy is blocking access to this app.” The users have no issue with Gmail or Google Calendar. While investigating, you learn that both this office’s Internet Service Provider (ISP) and the global IP address when accessing the internet were changed over the weekend.
What is the most logical reason for this issue?
- A . An access level was defined based on the IP range and applied to Google Drive via Context-Aware Access.
- B . Under Drive and Docs > Sharing Settings, the “Whitelisted domains” list needs to be updated to add the new ISP domain.
- C . The Network Mask defined in Security > Settings > SSO with 3rd Party IdPs should be updated to reflect the new IP range.
- D . You need to raise a ticket to Google Cloud Support to have your new IP ranges registered for Drive API access.
Your organization is on Google Workspace Enterprise and allows for external sharing of Google Drive files to facilitate collaboration with other Google Workspace customers. Recently you have had several incidents of files and folders being broadly shared with external users and groups. Your chief security officer needs data on the scope of external sharing and ongoing alerting so that external access does not have to be disabled.
What two actions should you take to support the chief security officer’s request? (Choose two.)
- A . Review who has viewed files using the Google Drive Activity Dashboard.
- B . Create an alert from Drive Audit reports to notify of external file sharing.
- C . Review total external sharing in the Aggregate Reports section.
- D . Create a custom Dashboard for external sharing in the Security Investigation Tool.
- E . Automatically block external sharing using DLP rules.
B,D
Explanation:
https://support.google.com/a/answer/7584076?hl=en&ref_topic=7563358
After a recent transition to Google Workspace, helpdesk has received a high volume of password reset requests and cannot respond in a timely manner. Your manager has asked you to determine how to resolve these requests without relying on additional staff.
What should you do?
- A . Create a custom Apps Script to reset passwords.
- B . Use a third-party tool for password recovery.
- C . Enable non-admin password recovery.
- D . Create a Google form to submit reset requests.
C
Explanation:
Reference: https://support.google.com/a/answer/33382?hl=en
You have enabled Automatic Room Replacement for your calendar resources, but it is not working for any instances of a conflict booking.
What could be the issue?
- A . Automatic Room Replacement does not work on recurring events.
- B . This feature requires calendar event owners to have the Buildings and resources administrator privilege
- C . The calendar resources do not have the Resource Category configured as CONFERENCE_ROOM
- D . The events have more than 20 attendees.
Your Accounts Payable department is auditing software license contracts companywide and has asked you to provide a report that shows the number of active and suspended users by organization unit, which has been set up to match the Regions and Departments within your company. You need to produce a Google Sheet that shows a count of all active user accounts and suspended user accounts by Org unit.
What should you do?
- A . From the Admin Console Billing Menu, turn off auto-assign, and then click into Assigned Users and export the data to Sheets.
- B . From the Admin Console Users Menu, download a list of all Users to Google Sheets, and join that with a list of ORGIDs pulled from the Reports API.
- C . From the Google Workspace Reports Menu, run and download the Accounts Aggregate report, and export the data to Google Sheets.
- D . From the Admin Console Users Menu, download a list of all user info columns and currently selected columns.
D
Explanation:
https://support.google.com/a/answer/7348070?hl=it
Reference: https://support.google.com/a/answer/7348070?hl=en
Your company is deploying Chrome devices. You want to make sure the machine assigned to the employee can only be signed in to by that employee and no one else.
What two things should you do? (Choose two.)
- A . Disable Guest Mode and Public Sessions.
- B . Enable a Device Policy of Sign In Screen and add the employee email address.
- C . Enroll a 2-Factor hardware key on the device using the employee email address.
- D . Enable a User Policy of Multiple Sign In Access and add just the employee email address.
- E . Enable a Device Policy of Restrict Sign In to List of Users, and add the employee email address.
A,E
Explanation:
https://support.google.com/chrome/a/answer/1375678?hl=en
An end user informs you that they are having issues receiving mail from a specific sender that is external to your organization. You believe the issue may be caused by the external entity’s SPF record being incorrectly configured.
Which troubleshooting step allows you to examine the full message headers for the offending message to determine why the messages are not being delivered?
- A . Use the Postmaster Tools API to pull the message headers.
- B . Use the Email Log Search to directly review the message headers.
- C . Use the Security Investigation Tool to review the message headers.
- D . Perform an SPF record check on the domain to determine whether their SPF record is valid.
B
Explanation:
The Email Log Search in the Google Workspace Admin Console allows administrators to search email logs for specific messages based on various criteria, including sender, recipient, and time frame. Once you find the specific email in question, you can view its message headers to analyze the SPF and other authentication results. This feature is designed for troubleshooting email delivery issues, making it the most suitable tool for this situation.
Let’s consider the other options:
The human resources (HR) team needs a centralized place to share key documents with the entire organization while protecting confidential documents and mitigating the risk of losing documents when someone leaves. These documents must be editable by the HR team members.
What is the best way to set this up?
- A . Have the HR lead create a folder in their MyDrive for the non-confidential files, give edit access to the HR team, and give view access to the organization.
- B . Create a shared drive for the non-confidential files, give the HR team manager access, and give contributor access to the entire organization.
- C . Create a shared drive for non-confidential files, give the HR team content manager access, and give view access to the organization.
- D . Create a shared drive for all files, give the HR team content manager access, and give view access to the organization.
Your company is using Google Workspace Business Plus edition, and the security team has reported several unsuccessful attempts to sign in to your Google Workspace domain from countries where you have no local employees. The affected accounts are from several executives in the main office.
You are asked to take measures to mitigate this security risk. Although budget is not a concern, your company prefers a minimal financial outlay to fix the issue, which you are tasked with managing.
Which two solutions would help you mitigate the risk at minimal cost? Choose 2 answers
- A . Deploy 2-Step Verification for all users who have security keys.
- B . Deploy Google Cloud Armor on a dedicated project, and create a rule to allow access to Google Workspace only from specific locations.
- C . Upgrade to Google Workspace Enterprise Plus for all accounts, and define Context-Aware Access levels to only a list of countries where the company has employees.
- D . Subscribe to Cloud Identity Premium for all accounts, and define Context-Aware Access levels to only a list of countries where the company has employees.
- E . For all executives, create new accounts with random characters to match Google best practices, migrate data from the former accounts, and then delete them.
Your-company.com recently started using Google Workspace. The CIO is happy with the deployment, but received notifications that some employees have issues with consumer Google accounts (conflict accounts). You want to put a plan in place to address this concern.
What should you do?
- A . Use the conflict account remove tool to remove the accounts from Google Workspace.
- B . Rename the accounts to temp@your-company.com, and recreate the accounts.
- C . Ask users to request a new Google Workspace account from your local admin.
- D . Use the Transfer tool for unmanaged users to find the conflict accounts.
D
Explanation:
https://gsuiteupdates.googleblog.com/2017/02/resolve-conflicting-accounts-with-new.html#:~:text=Using%20the%20new%20Transfer%20tool,accounts%20to%20G%20Suite%20accounts.
https://support.google.com/a/answer/6178640?hl=en
Your organization has a new security requirement around data exfiltration on iOS devices. You have a requirement to prevent users from copying content from a Google app (Gmail, Drive, Docs, Sheets, and Slides) in their work account to a Google app in their personal account or a third-party app.
What steps should you take from the admin panel to prevent users from copying data from work to non-work apps on iOS devices?
- A . Navigate to “Data Protection” setting in Google Admin Console’s Device management section and disable the “Allow users to copy data to personal apps” checkbox.
- B . Disable “Open Docs in Unmanaged Apps” setting in Google Admin Console’s Device management section.
- C . Navigate to Devices > Mobile and endpoints > Universal Settings > General and turn on Basic Mobile Management.
- D . Clear the “Allow items created with managed apps to open in unmanaged apps” checkbox.
A
Explanation:
https://support.google.com/a/answer/6328700?hl=en&ref_topic=6079327#managed_apps&zippy=%2Cdata-actions
Allow users to copy Google Workspace items to personal apps
Allows users to copy content from a Google app (such as Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet) to a Google app in their personal account or a third-party app. Also allows users to drag content between Google apps, for any account.
To prevent users from copying or dragging information from their work account, or using the All inboxes feature (which combines messages from multiple Gmail accounts into one inbox), uncheck the box.
Your organization’s Sales Department uses a generic user account (sales@company.com) to manage requests. With only one employee responsible for managing the departmental account, you are tasked with providing the department with the most efficient means to allow multiple employees various levels of access and manage requests from a common email address.
What should you do?
- A . Configure a Google Group as an email list.
- B . Delegate email access to department employees.
- C . Configure a Google Group as a collaborative inbox.
- D . Configure a Google Group, and set the Access Level to Announcement Only.
C
Explanation:
https://support.google.com/a/answer/167430?hl=en
Your company is using Google Workspace Enterprise Plus, and the Human Resources (HR) department is asking for access to Work Insights to analyze adoption of Google Workspace for all company employees. You assigned a custom role with the Work Insights permission set as “view data for all teams” to the HR group, but it is reporting an error when accessing the application.
What should you do?
- A . Allocate the “view data for all teams” permission to all employees of the company.
- B . Confirm that the Work Insights app is turned ON for all employees.
- C . Confirm in Security > API controls > App Access Controls that Work Insights API is set to “unrestricted.”
- D . Confirm in Reports > BigQuery Export that the job is enabled.
Your Security Officer ran the Security Health Check and found the alert that “Installation of mobile applications from unknown sources” was occurring. They have asked you to find a way to prevent that from happening.
Using Mobile Device Management (MDM), you need to configure a policy that will not allow mobile applications to be installed from unknown sources.
What MDM configuration is needed to meet this requirement?
- A . In the Application Management menu, configure the whitelist of apps that Android and iOS devices are allowed to install.
- B . In the Application Management menu, configure the whitelist of apps that Android, iOS devices, and Active Sync devices are allowed to install.
- C . In Android Settings, ensure that “Allow non-Play Store apps from unknown sources installation” is unchecked.
- D . In Device Management > Setup > Device Approvals menu, configure the “Requires Admin approval” option.
C
Explanation:
Reference: https://support.google.com/a/answer/7491893?hl=en
HR informs you that a user has been terminated and their account has been suspended. The user is part of a current legal investigation, and HR requires the user’s email data to remain on hold. The terminated user’s team is actively working on a critical project with files owned by the user. You need to ensure that the terminated user’s content is appropriately kept before provisioning their license to a new user.
What two actions should you take? (Choose two.)
- A . Extend the legal hold on the user’s email data.
- B . Move project files to a Team Drive or transfer ownership.
- C . Rename the account to the new user starting next week.
- D . Delete the account, freeing up a Google Workspace License.
- E . Assign the terminated user account an Archive User license.
A,B
Explanation:
Your company has decided to change SSO providers. Instead of authenticating into Google Workspace and other cloud services with an external SSO system, you will now be using Google as the Identity Provider (IDP) and SSO provider to your other third-party cloud services.
What two features are essential to reconfigure in Google Workspace? (Choose two.)
- A . Apps > add SAML apps to your domain.
- B . Reconfigure user provisioning via Google Cloud Directory Sync.
- C . Replace the third-party IDP verification certificate.
- D . Disable SSO with third party IDP.
- E . Enable API Permissions for Google Cloud Platform.
A,D
Explanation:
Reference: https://support.google.com/a/answer/60224?hl=en
You are a Workspace Administrator with a mix of Business Starter and Standard Licenses for your users. A Business Starter User in your domain mentions that they are running out of Drive Storage Quota. Without deleting data from Drive, what two actions can you take to alleviate the quota concerns for this user? (Choose two.)
- A . Add other users as “Editors” on the Drive object, thus spreading the storage quota debt between all of them.
- B . Manually export and back up the data locally, and delete the affected files from Drive to alleviate the debt.
- C . Make another user the “Owner” of the Drive objects, thus transferring the storage quota debt to them.
- D . Perform an API query for large storage drive objects, and delete them, thus alleviating the quota debt.
- E . Move the affected items to a Shared Drive. Shared Drives transfer ownership of the drive item to the domain itself, which alleviates the quota debt from that user.
Your organization implemented Single Sign-On (SSO) for the multiple cloud-based services it uses. During authentication, one service indicates that access to the SSO provider is not possible due to invalid information.
What should you do?
- A . Update the validation certificate.
- B . Verify that the Audience element in the SAML Response matches the assertion consumer service (ACS) URL.
- C . Run nslookup to confirm that the service exists.
- D . Ensure that Microsoft’s Active Directory Federation Services 2.0 sends encrypted SAML Responses in default configurations.
Your organization deployed Google Workspace Enterprise within the last year, with the support of a partner. The deployment was conducted in three stages: Core IT, Google Guides, and full organization. You have been tasked with developing a targeted ongoing adoption plan for your Google Workspace organization.
What should you do?
- A . Use Google Guides to deliver ad-hoc training to all of their co-workers and reports.
- B . Use Work Insights to gather adoption metrics and target your training exercises.
- C . Use Reports APIs to gather adoption metrics and Gmail APIs to deliver training content directly.
- D . Use a script to monitor Email attachment types and target users that aren’t using Drive sharing.
B
Explanation:
Work Insights is a tool designed to measure how Google Workspace is being adopted across an organization. With it, you can get detailed insights into how different teams are using the various Google Workspace apps. This information is invaluable for developing a targeted ongoing adoption plan. You can see which teams are fully utilizing the suite and which ones are lagging, allowing you to target your training and support resources more effectively.
Let’s examine the other options:
Your company has just received a shipment of ten Chromebooks to be deployed across the company, four of which will be used by remote employees. In order to prepare them for use, you need to register them in Google Workspace.
What should you do?
- A . Turn on the Chromebook and press Ctrl+Alt+E at the login screen to begin enterprise enrollment.
- B . In Chrome Management | Device Settings, enable Forced Re-enrollment for all devices.
- C . Turn on the Chromebook and log in as a Chrome Device admin. Press Ctrl+Alt+E to begin enterprise enrollment.
- D . Instruct the employees to log in to the Chromebook. Upon login, the auto enrollment process will begin.
A
Explanation:
Reference: https://support.google.com/chrome/a/answer/4600997?hl=en
Your organization recently bought 1,000 licenses for Cloud Identity Premium. The company’s development team created an application in the enterprise service bus (ESB) that will read user data in the human resources information system (HRIS) and create accounts via the Google Directory REST API.
While doing the original test before production use, the team observes a 503 error in the Google API response after a few users are created. The team believes the ESB is not the cause, because it can perform 100 requests per second without any problems.
What advice would you give the development team in order to avoid the issue?
- A . Use the domain-wide delegation API to avoid the limitation per account.
- B . Use an exponential back-off algorithm to retry failed requests.
- C . Switch from REST API to gRPC protocol for performance improvement.
- D . Use the batch request architecture, because it can pack 1,000 API calls in one HTTP request.
Security and Compliance has identified secure third-party applications that should have access to Google Workspace data. You need to restrict third-party access to only approved applications.
What two actions should you take? (Choose two.)
- A . Whitelist Trusted Apps
- B . Disable the Drive SDK
- C . Restrict API scopes
- D . Disable add-ons for Gmail
- E . Whitelist Google Workspace Marketplace apps
Your company recently decided to use a cloud-based ticketing system for your customer care needs. You are tasked with rerouting email coming into your customer care address, customercare@your-company.com to the cloud platform’s email address, your-company@cloudprovider.com. As a security measure, you have mail forwarding disabled at the domain level.
What should you do?
- A . Create a mail contact in the Google Workspace directory that has an email address of your-company@cloudprovider.com
- B . Create a rule to forward mail in the customercare@your-company.com mailbox to your-company@cloudprovider.com
- C . Create a recipient map in the Google Workspace Admin console that maps customercare@your-company.com to your-company@cloudprovider.com
- D . Create a content compliance rule in the Google Workspace Admin console to change route to your-company@cloudprovider.com
C
Explanation:
Disable automatic forwarding: https://support.google.com/a/answer/2491924?hl=en
Redirect incoming messages to another email address: https://support.google.com/a/answer/4524505?hl=en
(Optional) To send the message to the original recipient as well as the new address, under Routing options, check the Also route to original destination box.
You need to protect your users from untrusted senders sending encrypted attachments via email. You must ensure that these messages are not delivered to users’ mailboxes.
What step should be taken?
- A . Use the security center to remove the messages from users’ mailboxes
- B . Use Google Vault to remove these messages from users’ mailboxes.
- C . Enable a safety rule to send these types of messages to spam.
- D . Enable a safety rule to send these types of messages to a quarantine.
Your admin quarantine is becoming a burden to manage due to a consistently high influx of messages that match the content compliance rule. Your security team will not allow you to remove or relax this rule, and as a result, you need assistance processing the messages in the quarantine.
What is the first step you should take to enable others to help manage the quarantine, while maintaining security?
- A . Give the users super admin rights to view the admin quarantine.
- B . Give the users Services > Gmail > Access Admin Quarantine admin privileges.
- C . Configure the admin quarantine to allow end users to release messages.
- D . Give the users Services > Security Center admin privileges.
Your organization is concerned with the increasing threat of phishing attacks that may impact users. Leadership has declined to force-enable 2-Step verification. You need to apply a security measure to prevent unauthorized access to user accounts.
What should you do?
- A . Enable Enforce Strong Password policy.
- B . Enable Employee ID Login Challenge.
- C . Decrease the Maximum User Session Length.
- D . Revoke token authorizations to external applications.
A
Explanation:
If leadership has declined to force-enable 2-Step Verification, the next best step for enhancing account security against unauthorized access would be to enforce a strong password policy. This would require users to create complex passwords, making it more challenging for attackers to compromise accounts through techniques like brute-force attacks or password guessing.
Other options:
B. Enable Employee ID Login Challenge: While this could add an additional layer of security, it would also create a user experience barrier that might be comparable to 2-Step Verification, which leadership has already declined to implement.
C. Decrease the Maximum User Session Length: This would require users to sign in more frequently, which could add a minimal layer of security but could also lead to user frustration without significantly enhancing security against unauthorized access.
D. Revoke token authorizations to external applications: While revoking tokens can improve security, it doesn’t directly address the concern of unauthorized account access due to phishing attacks. It’s more about limiting what external applications can do once they have access and doesn’t improve the security of the login process itself.
Therefore, enforcing a strong password policy (Option A) is the most straightforward method to increase account security without implementing 2-Step Verification.
Your company (your-company.com) just acquired a new business (new-company.com) that is running their email on-premises. It is close to their peak season, so any major changes need to be postponed. However, you need to ensure that the users at the new business can receive email addressed to them using your-company.com into their on-premises email server. You need to set up an email routing policy to accomplish this.
What steps should you take?
- A . Set up an Outbound Mail Gateway to route all outbound email to the on-premises server.
- B . Set up accounts for the new employees, and use mail forwarding rules to send to the on-premises server.
- C . Set up an Inbound Mail Gateway to reroute all inbound email to the on-premises server.
- D . Set up a Default route with split delivery to route email to the on-premises server.
D
Explanation:
https://support.google.com/a/answer/2685650?hl=en
"…If you’re migrating to Gmail from a legacy server, use split delivery to test Gmail with a subset of users. During the testing, the MX records for your domain point to Gmail. Users who have been added in the Admin console get messages in their Gmail inboxes. Set up a catch-all routing rule for unregistered users who need to get messages from the legacy mail server."
As a Google Workspace administrator for your organization, you are tasked with identifying how users are reporting their messages―whether spam, not spam, or phishing―for a specific time period.
How do you find this information?
- A . Open Admin Console > Security > Dashboard > User Reports.
- B . Open Admin Console > Security > Dashboard > Spam Filter - Phishing.
- C . Use Reports API to query user Gmail activity.
- D . Open Admin Console > Reporting > Email Log Search.
Your company is using Google Workspace Enterprise Standard. They have 200 meeting rooms defined for the main building and used daily by the 12,000 employees. Users are complaining they have difficulties finding a room available when searching within Google Calendar, even if several rooms are available (no one attending meetings in these rooms at that time). You have been asked to find a solution while minimizing the operational effort and avoiding any new expenses due to budget constraints.
What should you do?
- A . Implement a third-party solution that will detect presence in the room and release it if nobody appears after a few minutes.
- B . Create a Google App Script that will inspect each room calendar for the next 12 hours, check attendees status, and send the room administrator an alert email for releasing the room if all attendees have declined but the room has not.
- C . Set the option "Allow calendar-based room release" for all targeted rooms.
- D . Upgrade to Google Workspace Enterprise Plus edition to benefit from additional features for automated machine learning (ML) based resources management.
Your organization is using Password Sync to sync passwords from Active Directory to Google Workspace. A user changed their network password and cannot log in to Google Workspace with the new password.
What steps should you take to troubleshoot this issue?
- A . Reinstall Password Sync on all domain controllers.
- B . Reauthorize the Password Sync tool in the Google Workspace Admin Console.
- C . Confirm that the Password Sync service is running on all domain controllers.
- D . Reset the user’s password in Active Directory.
C
Explanation:
https://support.google.com/a/answer/11237847?hl=en&ref_topic=4498019
The network password is held in AD. In this case, you must verify that Password Sync is installed on all domain controllers. This is the initial troubleshooting step. After it, the logs of these connectors are collected.
https://www.youtube.com/watch?v=P-r8bvivZuM
Multiple users across the organization are experiencing video degradation in Meet video calls.
As an administrator, what steps should you take to start troubleshooting?
- A . Troubleshoot network bandwidth for the organizer of the meeting.
- B . Push the Meet quality tool to end user devices and run local reports to determine connectivity issues.
- C . Locate the Meet quality tool, and review the output for issues with quality.
- D . Update the Admin Console Meet settings to disable streaming.
As a Google Workspace administrator for your organization, you are tasked with controlling which third-party apps can access Google Workspace data. Before implementing controls, as a first step in this process, you want to review all the third-party apps that have been authorized to access Workspace data.
What should you do?
- A . Open Admin Console > Security > API Controls > App Access Control > Manage Third Party App Access.
- B . Open Admin Console > Security > API Controls > App Access Control > Manage Google Services.
- C . Open Admin Console > Security > Less Secure Apps.
- D . Open Admin Console > Security > API Controls > App Access Control > Settings.
A
Explanation:
https://support.google.com/a/answer/7281227?hl=en#zippy=%2Cstep-manage-third-party-app-access-to-google-services-add-apps:~:text=In%20the%20Admin,App%20Access.
After migrating to Google Workspace, your legal team requests access to search all email and create litigation holds for employees who are involved with active litigation. You need to help the legal team meet this request.
What should you do?
- A . Add the legal team to the User Management Admin system role.
- B . Add the legal team to the Google Vault Google Group.
- C . Create a custom role with Google Vault access, and add the legal team.
- D . Create a matter in Google Vault, and share with the legal team.
C
Explanation:
Reference: https://gsuite.google.com/products/vault/
Your Finance team has to share quarterly financial reports in Sheets with an external auditor. The external company is not a Workspace customer and allows employees to access public sites such as Gmail and Facebook.
How can you provide the ability to securely share content to collaborators that do not have a Google Workspace or consumer (Gmail) account?
- A . Allow external sharing with the auditor using the ‘Trusted Domains’ feature.
- B . Enable the ‘Visitor Sharing’ feature, and demonstrate it to the Finance team.
- C . Use the ‘Publish’ feature in the Sheets editor to share the contents externally.
- D . Attach the Sheet file to an email message, and send to the external auditor.
B
Explanation:
https://support.google.com/drive/answer/9195194?hl=en#:~:text=Share%20with%20visitors,with%20one%20visitor.
You are in the middle of migrating email from on-premises Microsoft Exchange to Google Workspace. Users that you have already migrated are complaining of messages from internal users going into spam folders.
What should you do to ensure that internal messages do not go into Gmail spam while blocking spoofing attempts?
- A . Train users to click on Not Spam button for emails.
- B . Add all users of your domain to an approved sender list.
- C . Force TLS for your domain.
- D . Ensure that your inbound gateway is configured with all of your Exchange server IP addresses.
D
Explanation:
When you are in the process of migrating from an on-premises Exchange server to Google Workspace, it’s essential to configure your inbound gateway settings correctly to ensure that emails from internal users do not get marked as spam. By adding the IP addresses of your Exchange servers to the inbound gateway configuration in Google Workspace, you help Gmail recognize those emails as legitimate and internal to the organization.
Other options:
You are configuring a shared drive for the financial department of your organization. The financial team wants to allow members of the shared drive to add, edit, and move documents into the shared drive. It’s important that the same users cannot remove or delete files.
How can you configure access for these users to match the team’s request?
- A . Set up the shared drive, and add the users as Content Managers of the drive.
- B . Set up the shared drive, and add the users as editors of the drive.
- C . Set up the shared drive, and add the users as Contributors of the drive.
- D . Set up the shared drive, and add the users as Managers of the drive.
The credentials of several individuals within your organization have recently been stolen. Using the Google Workspace login logs, you have determined that in several cases, the stolen credentials have been used in countries other than the ones your organization works in.
What else can you do to increase your organization’s defense-in-depth strategy?
- A . Implement an IP block on the malicious user’s IPs under Security Settings in the Admin Console.
- B . Use Context-Aware Access to deny access to Google services from geo locations other than the ones your organization operates in.
- C . Enforce higher complexity passwords by rolling it out to the affected users.
- D . Use Mobile device management geo-fencing to prevent malicious actors from using these stolen credentials.
B
Explanation:
https://support.google.com/a/answer/9262032?hl=en#zippy=%2Cdefine-access-levelsbasic-mode:~:text=This%20example%20shows%20an%20access%20level%20called%20%E2%80%9Ccorp_access.%E2%80%9D%20If%20%E2%80%9Ccorp_access%E2%80%9D%20is%20applied%20to%20Gmail%2C%20users%20can%20access%20Gmail%20only%20from%20an%20encrypted%20and%20company%2Downed%20device%2C%20and%20only%20from%20the%20US%20or%20Canada.
Madeupcorp.com is in the process of migrating from a third-party email system to Google Workspace. The VP of Marketing is concerned that her team already administers the corporate AdSense, AdWords, and YouTube channels using their @madeupcorp.com email addresses, but has not tracked which users have access to which service. You need to ensure that there is no disruption.
What should you do?
- A . Run the Transfer Tool for Unmanaged users.
- B . Use a Google Form to survey the Marketing department users.
- C . Assure the VP that there is no action required to configure Google Workspace.
- D . Contact Google Enterprise Support to identify affected users.
A
Explanation:
https://support.google.com/a/answer/7062710
Reference: https://support.google.com/a/answer/6178640?hl=en
The CFO just informed you that one of their team members wire-transferred money to the wrong account because they received an email that appeared to be from the CFO. The CFO has provided a list of all users that may be responsible for sending wire transfers. The CFO also provided a list of banks the company sends wire transfers to. There are no external users that should be requesting wire transfers. The CFO is working with the bank to resolve the issue and needs your help to ensure that this does not happen again.
What two actions should you take? (Choose two.)
- A . Configure objectionable content to reject messages with the words “wire transfer.”
- B . Verify that DMARC, DKIM, and SPF records are configured correctly for your domain.
- C . Create a rule requiring secure transport for all messages regarding wire transfers.
- D . Add the sender of the wire transfer email to the blocked senders list.
- E . Enable all admin settings in Gmail’s safety > spoofing and authentication.
You are the Workspace administrator for an international organization with Enterprise Plus Workspace licensing. A third of your employees are located in the United States, another third in Europe, and the other third geographically dispersed around the world. European employees are required to have their data stored in Europe. The current OU structure for your organization is organized by business unit, with no attention to user location.
How do you configure Workspace for the fastest end user experience while also ensuring that European user data is contained in Europe?
- A . Configure a data region at the top level OU of your organization, and set the value to “Europe”.
- B . Add three additional OU structures to designate location within the current OU structure. Assign the corresponding data region to each.
- C . Configure a configuration group for European users, and set the data region to “Europe”.
- D . Configure three configuration groups within your domain. Assign the appropriate data regions to each corresponding group, but assign no preference to the users outside of the United States and Europe.
C
Explanation:
https://support.google.com/a/answer/7630496?hl=en#zippy=%2Cstep-set-the-organizational-structure "put them in a configuration group (to set for users across or within departments)".
Your company has just acquired a new group of users. They have been provisioned into the Google Workspace environment with your primary domain as their primary email address. These new users still need to receive emails from their previous domain.
What is the best way to achieve this for these new users, without updating the information of pre-existing users?
- A . Add the acquired domain as an alias to the primary Google Workspace domain.
- B . Add the acquired domain as a secondary domain to the primary Google Workspace domain, and then update the email information of all new users with alias emails.
- C . Update the Google-provided test domain to be the domain of the acquired company, and then update the email information of all new users with alias emails.
- D . Without adding a domain, update each user’s email information with the previous domain.
Your organization has been on Google Workspace Enterprise for one year. Recently, an admin turned on public link sharing for Drive files without permission from security. Your CTO wants to get better insight into changes that are made to the Google Workspace environment. The chief security officer wants that data brought into your existing SIEM system.
What are two ways you should accomplish this? (Choose two.)
- A . Use the Data Export Tool to export admin audit data to your existing SIEM system.
- B . Use Apps Script and the Reports API to export admin audit data to your existing SIEM system.
- C . Use Apps Script and the Reports API to export drive audit data to the existing SIEM system.
- D . Use the BigQuery export to send admin audit data to the existing SIEM system via custom code.
- E . Use the BigQuery export to send drive audit data to the existing SIEM system via custom code.