300-715 Question #236: Real Exam Question with Answer & Explanation
The correct answer is A: Endpoint Identity Group is Blocklist, and the BYOD state is Registered. To block access for stolen BYOD endpoints onboarded without a certificate, an authorization policy should check if the Endpoint Identity Group is 'Blocklist' and the BYOD state is 'Registered'.
Question
An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?
Options
- A. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.
- B. Endpoint Identity Group is Blocklist, and the BYOD state is Pending.
- C. Endpoint Identity Group is Blocklist, and the BYOD state is Lost.
- D. Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.
Explanation
To block access for stolen BYOD endpoints onboarded without a certificate, an authorization policy should check if the Endpoint Identity Group is 'Blocklist' and the BYOD state is 'Registered'.
Common mistakes.
- B. A 'Pending' BYOD state indicates a device is still in the process of registration, not yet fully onboarded and then reported stolen.
- C. 'Lost' is not a standard BYOD state attribute used in authorization policies for devices marked as stolen; 'Blocklist' is the primary identity group assignment for such cases.
- D. 'Reinstate' is a state indicating a device is being brought back into compliance or re-onboarded, not a state for a stolen device requiring denial of access.
Concept tested. Cisco ISE BYOD authorization policy for stolen devices