完全版ZDTE練習テスト62特別な問題と解答が待ってます! [Q16-Q37]

Share

完全版ZDTE練習テスト62特別な問題と解答が待ってます!

Digital Transformation Engineer問題集でZDTE試験完全版問題で試験学習ガイド

質問 # 16
Which authorization framework is used by OneAPI to provide secure access to Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), and Zscaler Client Connector APIs?

  • A. OAuth 2.0
  • B. JSON Web Tokens
  • C. SAML
  • D. API Keys

正解:A

解説:
Zscaler OneAPI provides a unified, programmatic interface to automate configuration and operations across the Zscaler platform, including ZIA, ZPA, and Zscaler Client Connector. Zscaler's OneAPI documentation clearly states that OneAPI uses the OAuth 2.0 authorization framework to secure access to these APIs.
In practice, administrators or automation platforms register an API client in ZIdentity, obtain OAuth 2.0 access tokens, and then use those tokens to call OneAPI endpoints. The use of OAuth 2.0 ensures standardized flows for client authentication, token issuance, and scope-based authorization, aligning with modern security best practices and making it easier to control and audit API access. Zscaler also highlights OAuth 2.0 as one of the three architectural pillars of OneAPI, along with a common endpoint and tight integration with ZIdentity.
While JSON Web Tokens (JWTs) can be used as a token format inside OAuth 2.0, they are not, by themselves, the authorization framework. SAML is typically used for browser-based SSO, not for securing REST APIs in this context. API Keys are simpler credential schemes and are not what Zscaler prescribes for OneAPI. As a result, OAuth 2.0 is the correct and exam-relevant answer.


質問 # 17
Which of the following capabilities is not included in the OneAPI Framework for ZIA?

  • A. Administrator Role Based Access
  • B. SCIM Enable/Disable
  • C. Web Insights Log Retrieval
  • D. Malware Settings

正解:B

解説:
The Zscaler OneAPI framework is presented in the Engineer curriculum as the unified automation layer for ZIA, ZPA, ZDX, Client Connector, and other services. For ZIA specifically, OneAPI introduces OAuth-based authentication, fine-grained administrator role-based access control for API clients, configuration and policy management endpoints, activation controls, and access to Insights and log retrieval APIs. The course material highlights examples such as using OneAPI to manage admin roles, automate malware and advanced-threat settings, and programmatically retrieve Web Insights logs for reporting and SIEM workflows.
In contrast, SCIM (System for Cross-domain Identity Management) is described separately as an identity- provisioning standard used to synchronize users and groups from identity providers like Azure AD or Okta.
Enabling or disabling SCIM and configuring SCIM endpoints is handled through dedicated SCIM configuration, not through the OneAPI framework. While both OneAPI and SCIM are automation-related, they are distinct interfaces in the Zscaler platform. Therefore, among the options provided, SCIM Enable
/Disable is the capability that is not part of the OneAPI Framework for ZIA, whereas administrator RBAC, Web Insights log retrieval, and malware policy settings are all explicitly included.
Top of Form
Bottom of Form


質問 # 18
How does log streaming work in ZIA?

  • A. User access goes through the ZEN (Zscaler Enforcement Node). NSS (Nanolog Streaming Service) opens a secure tunnel to the cloud. ZEN sends the logs to the cloud Nanolog for storage. Cloud Nanolog streams a copy of the log to NSS. NSS sends the log to the SIEM over the network.
  • B. NSS opens a secure tunnel to the cloud. Cloud Nanolog streams a copy of the log to NSS. User access goes through the ZEN. ZEN sends the logs to the cloud Nanolog for storage. NSS sends the log to the SIEM over the network.
  • C. NSS opens a secure tunnel to the cloud. ZEN sends the logs to the cloud Nanolog for storage. User access goes through the ZEN. Cloud Nanolog streams a copy of the log to NSS. NSS sends the log to the SIEM over the network.
  • D. NSS (Nanolog Streaming Service) opens a secure tunnel to the cloud. User access goes through the ZEN (Zscaler Enforcement Node). ZEN sends the logs to the cloud Nanolog for storage. Cloud Nanolog streams a copy of the log to NSS. NSS sends the log to the SIEM over the network.

正解:A

解説:
In ZIA, user traffic is first forwarded to a Zscaler Enforcement Node (ZEN), where security and access policies are enforced and transaction logs are generated. Those logs are then sent from the ZEN to the cloud- based Nanolog cluster, which is the highly scalable logging and storage layer used by Zscaler. Nanolog compresses and stores the logs for reporting, analytics, and long-term retention.
To deliver logs to a customer's SIEM, the Nanolog Streaming Service (NSS) is deployed in the customer environment. NSS establishes a secure, outbound tunnel to the Nanolog service in the Zscaler cloud and subscribes to that customer's log stream. Nanolog then continuously streams a copy of relevant logs over this secure connection to NSS. NSS receives the logs, converts them into the required output format (for example, syslog or CEF), and forwards them on to the configured SIEM or log receiver.
Option C is the only answer that correctly represents the logical sequence: user traffic through ZEN, ZEN to Nanolog, secure tunnel from NSS, Nanolog streaming to NSS, and finally NSS forwarding to the SIEM.


質問 # 19
An IT administrator is reviewing the recently configured ZDX module in their environment and checks the performance data on the dashboard. The administrator notices that no software inventory has populated. What could be a probable reason?

  • A. ZDX client version being used is 4.3
  • B. Zscaler Client Connector needs to be whitelisted on the EDR tool
  • C. ZDX client is not configured to collect inventory data
  • D. ZDX license doesn't have inventory collection entitlement

正解:C

解説:
Zscaler Digital Experience (ZDX) relies on Zscaler Client Connector to collect device and application telemetry from endpoints. Performance metrics (such as device, network, and application scores) are enabled as part of the core ZDX deployment, which explains why the administrator can already see performance data on the dashboard. However, software inventory is an additional inventory feature that must be explicitly enabled in the ZDX administration settings.
ZDX documentation describes an "Inventory Settings" page where administrators must turn on a setting such as "Collect Software Inventory Data." When this option is enabled and the minimum supported versions of Client Connector and the ZDX module are present, Client Connector begins collecting installed software details and sending this inventory to the ZDX cloud for visualization.
If the collection toggle is left disabled, ZDX will continue to show performance metrics but no entries appear under Software Inventory or related views, even though licensing and versions are otherwise correct. The other options listed either relate to licensing, generic EDR conflicts, or a specific client version and do not match the documented dependency on enabling software-inventory collection. Therefore, the most accurate reason is that the ZDX client (via policy) is not configured to collect inventory data.


質問 # 20
What are the valid options as criteria to create an alert rule in ZDX?

  • A. Page Fetch Time and Packet Loss Rate
  • B. DNS Time and Server Response Time
  • C. Server Response Time and Packet Loss Rate
  • D. DNS Time and Network Response Time

正解:B

解説:
Zscaler Digital Experience (ZDX) uses web probes to measure application performance from the user's perspective. Official ZDX reference material and EDU/ZDTE study guides describe the four key web-probe metrics as Page Fetch Time (PFT), DNS Time, Server Response Time (Time to First Byte), and Availability. These same metrics are explicitly called out in training and exam prep as the values that can be used when defining application-level alert rules (for example, "DNS Time > X ms" or "Server Response Time
> Y ms").
ZDX documentation also explains that each alert rule type (Application, Device, Network, or Call Quality) has its own metrics and criteria, and that application alerts are driven by web-probe metrics like DNS Time and Server Response Time, while network alerts use CloudPath metrics such as latency and packet loss. Because both DNS Time and Server Response Time are application-probe metrics, they can legitimately be used together as criteria in an application-type alert rule.
By contrast, combinations that mix web-probe metrics with network-only metrics (like Packet Loss Rate) or vaguely defined "Network Response Time" do not reflect how ZDX structures its alert criteria per type.
Therefore, among the listed options, the pair that correctly represents valid ZDX alert criteria for application monitoring is DNS Time and Server Response Time.


質問 # 21
What are common use cases of Zscaler OneAPI automation?

  • A. Creating App Connector Groups and accessing ZDX Copilot.
  • B. Creating App Connector Groups and enrolling users' device information.
  • C. Creating URL filtering rules and accessing ZDX Copilot.
  • D. Enrolling users' device information and installing antivirus features in Zscaler Client Connector (ZCC).

正解:B

解説:
Zscaler OneAPI is designed as a unified, modern API layer that exposes core objects and workflows from ZIA, ZPA, and Zscaler Client Connector in a consistent way. In the Digital Transformation Engineer and Zero Trust Automation material, common and recommended use cases focus on automating tasks that are frequently repeated, error-prone, or need to scale across large environments.
For ZPA, a typical automation scenario is the creation and lifecycle management of App Connectors and App Connector Groups. These components provide the inside-out connectivity from private applications to the Zscaler cloud. Using OneAPI, administrators can programmatically create, update, and organize App Connector Groups, allowing infrastructure-as-code style deployment and rapid scaling of private access environments.
On the endpoint side, OneAPI also integrates with Zscaler Client Connector and identity-related services to enroll or update device information programmatically. This enables workflows such as onboarding new devices, synchronizing device attributes from external systems, and tying device identity to access policy without manual portal operations.
By contrast, installing "antivirus features" in ZCC or "accessing ZDX Copilot" are not highlighted as core OneAPI automation use cases in the referenced curriculum, which makes option B the correct choice.


質問 # 22
The Zscaler for Users - Engineer (EDU-202) learning path consists of various solutions covered in eleven courses. Which of the following topics is out of scope for the Zscaler for Users - Engineer learning path?

  • A. Configuration of ZDX for applications, call quality monitoring, probes, diagnostics, alerts, and role- based administration to ensure effective SaaS and web application monitoring.
  • B. Exploring Intrusion Prevention System, DNS Control, Tenant Restrictions, and secure application segmentation.
  • C. Enabling versions to control which version (if any) of Zscaler Client Connector is available when end users manually update the app or when you configure automatic app updates.
  • D. In-depth overview of Zscaler's architecture platform, including its global scale, additional capabilities, and API infrastructure.

正解:C

解説:
Official EDU-202 materials describe the Engineer path as focusing on advanced architecture, connectivity, platform, access control, cyberthreat protection, data protection, risk management, ZDX, and Zero Trust Automation. The published learning outcomes explicitly include: discussing the architecture of the Zscaler platform and its API infrastructure; configuring advanced connectivity options; and configuring advanced cybersecurity services and Zscaler Digital Experience (ZDX)-including application monitoring, call quality, probes, diagnostics, alerts, and role-based administration. These map directly to options A, C, and D, which align to Zscaler Architecture, Cyberthreat/Access Control Services (IPS, DNS Control, Tenant Restrictions, segmentation), and ZDX content in the EDU-202 outline.
By contrast, Client Connector App Store "version enablement" and controlling which build is available when users manually or automatically update the app is documented as an administration task in the Client Connector help and is typically taught in the Essentials/Administrator (EDU-200) path, not in the Engineer path. Those materials show how to use the App Store to enable builds and control available versions, positioning it as operational client management rather than an advanced Engineer-level topic.
Consequently, option B is considered out of scope for EDU-202 in the ZDTE context.
Top of Form


質問 # 23
What is Zscaler Deception?

  • A. A set of decoys representing users and server elements used to identify an attacker accessing our infrastructure.
  • B. A set of decoys representing network elements used to identify an attacker accessing our infrastructure.
  • C. An early detection system supported via servers located inside our corporate infrastructure.
  • D. A simple and more effective targeted threat detection solution built on the Zscaler Zero Trust architecture.

正解:D

解説:
In the Zscaler Digital Transformation Engineer material, Zscaler Deception is introduced as an advanced threat-detection capability that is tightly integrated with the Zero Trust Exchange. The official description emphasizes that it is a simple, cloud-delivered, and highly effective targeted threat detection solution built on Zscaler's Zero Trust architecture, which is almost word-for-word reflected in option C.
Deception works by deploying high-fidelity decoys, lures, and credentials-designed to be indistinguishable from real assets-from the attacker's point of view. Any interaction with these decoys is inherently suspicious, yielding high-confidence, low-noise alerts that help security teams quickly identify lateral movement, credential theft, and post-compromise activity. The key point in the training is that this capability is delivered from the Zscaler cloud, leveraging the existing Zero Trust platform; it does not require additional on-premise detection servers or traditional network-centric sensors.
Options A and B reduce the concept to "sets of decoys" and ignore the integrated Zero Trust detection value and cloud-native delivery model. Option D incorrectly suggests on-prem server infrastructure as the foundation. The exam materials clearly frame Zscaler Deception as a Zero Trust-based targeted threat detection solution, making option C the correct choice.


質問 # 24
What is one benefit of OneAPI?

  • A. Repeated authorization messages required for increasing security
  • B. Multiple registration processes
  • C. Multiple token requests
  • D. Simplifies API integration by using a single entry point

正解:D

解説:
Zscaler OneAPI is described in the Digital Transformation Engineer and Zero Trust Automation content as a unified API gateway for the entire Zscaler platform. Official OneAPI overview material explains that it provides "a common API endpoint" and "a single programming interface for the entire Zscaler platform," so automation engineers no longer need to manage different endpoints, authentication patterns, or schemas for each product.
The Zero Trust Automation at-a-glance guide further emphasizes that OneAPI "uses a single API to enable automation as an administrator," which accelerates deployment and reduces human error. Study resources summarizing OneAPI reinforce that it "simplifies integration by providing a single-entry point for accessing multiple APIs," reducing complexity and making it easier to build consistent automation across ZIA, ZPA, ZDX, and ZCC.
The other options contradict this design. OneAPI is specifically intended to avoid multiple registration processes and repeated token or authorization workflows; OAuth 2.0 is centralized via ZIdentity so that API clients authenticate once and then use scoped access across services. Therefore, the clearly documented benefit that matches the Zscaler Digital Transformation Engineer description is that OneAPI simplifies API integration by using a single entry point, making C the correct answer.


質問 # 25
An organization wants to upload internal PII (personally identifiable information) into the Zscaler cloud for blocking without fear of compromise. Which of the following technologies can be used to help with this?

  • A. IDM
  • B. Engines
  • C. Dictionaries
  • D. EDM

正解:D

解説:
Zscaler's advanced data protection stack includes Exact Data Match (EDM), Indexed Document Match (IDM), dictionaries, and predefined DLP engines. Zscaler describes EDM as a technique that "fingerprints" sensitive values-such as PII from structured data sources (databases or spreadsheets)-so the platform can detect and block exact matches to those values while greatly reducing false positives.
With EDM, an on-premises index tool hashes the sensitive fields (for example, names, IDs, or other PII) and then uploads only these hashes-not the readable PII itself-into the Zscaler cloud. Zscaler documentation emphasizes that only hashed fingerprints are sent, allowing organizations to protect internal data "without having to transfer that data to the cloud" in plain form. This directly addresses the requirement to block exfiltration of internal PII without fear of compromise.
Dictionaries and core DLP engines focus on pattern- or keyword-based detection (such as generic PII patterns) rather than matching exact records from an internal dataset. IDM, on the other hand, fingerprints whole documents or forms (for example, templates or high-value documents) rather than row-level PII records. Therefore, for uploading organization-specific PII in a privacy-preserving, hashed form to enable precise blocking, EDM is the correct technology.
Top of Form
Bottom of Form


質問 # 26
Which connectivity service provides branches, on-premises data centers, and public clouds with fast and reliable internet access while enabling private applications with a direct-to-cloud architecture?

  • A. Zscaler App Connector
  • B. Zscaler Browser Access
  • C. Zscaler Zero Trust SD-WAN
  • D. Zscaler Privileged Remote Access

正解:C

解説:
Zscaler Zero Trust SD-WAN is specifically designed to give branches, on-premises data centers, and workloads running in public clouds fast, reliable, and secure access to the internet and private applications using a direct-to-cloud architecture. In the Zscaler Digital Transformation Engineer curriculum, this service is positioned as the connectivity foundation that replaces legacy hub-and-spoke MPLS and VPN designs with cloud-delivered Zero Trust connectivity.
Instead of backhauling traffic to central data centers, branches and sites establish lightweight, policy-driven tunnels directly to the Zscaler cloud, where security inspection and Zero Trust access decisions are applied.
This architecture reduces latency, simplifies routing, and optimizes SaaS and internet performance while simultaneously enabling secure access to private applications without exposing them to the public internet.
App Connectors (option C) are used for application-side connectivity in ZPA, not for full branch or data center connectivity. Browser Access (option B) provides clientless application access for users, not network- level site connectivity. "Zscaler Privileged Remote Access" (option A) is not the term used for this broad connectivity service. Therefore, the only option that matches the described direct-to-cloud, multi-site connectivity role is Zscaler Zero Trust SD-WAN.


質問 # 27
What happens if a provisioning key is deleted in ZPA?

  • A. The key is stored as a backup for reactivation
  • B. All App Connectors enrolled with the key are revoked
  • C. The provisioning key automatically regenerates
  • D. The client loses access to all applications permanently

正解:B

解説:
In Zscaler Private Access, a provisioning key is a unique text string generated for an App Connector (or Private Service Edge) group and is used during enrollment to bind that connector to the correct group and PKI trust chain. The Zscaler Digital Transformation training material emphasizes that the provisioning key acts as the "identity anchor" for connectors in that group: it's what the ZPA cloud uses to authenticate the connector at enrollment and associate it to the right configuration and policy context.
When that key is deleted, ZPA effectively invalidates the trust relationship for any connectors that were enrolled with it. In practice, these connectors are treated as revoked and must be removed and re-enrolled using a new provisioning key to restore a healthy, supportable state. The key is not archived for later reuse, and it does not automatically regenerate. Deletion is intentionally destructive so that, if a key is lost or suspected to be compromised, an administrator can immediately ensure that all connectors tied to that key are no longer trusted and must be re-provisioned, which aligns with zero trust and least-privilege principles.


質問 # 28
When making API calls into a Zscaler environment, which component is the administrator communicating with?

  • A. Logging Plane
  • B. Control Plane
  • C. Enforcement Plane
  • D. Integration Plane

正解:B

解説:
Zscaler's multi-tier cloud architecture is separated into distinct planes: the control plane, enforcement plane, and logging plane. The control plane is implemented by the Central Authority and is described in Zscaler architecture material as the "brains" of the platform, responsible for policy definition, administration, orchestration, and the admin UI. Crucially, this same layer also exposes the API interfaces that automation tools and scripts use. In architecture slides, the control plane is explicitly associated with "Admin UI" and
"API," showing that all administrative programmability terminates there.
The enforcement plane (Public/Private Service Edges) is focused on inspecting and enforcing policy on user traffic, while the logging plane is dedicated to storing and streaming Nanolog data to SIEM or analytics tools.
Neither of these planes provides administrative configuration APIs. Study content for the ZDTE exam reinforces that the API infrastructure enables programmatic access to configure the Zero Trust Exchange and is part of the central management layer, not the traffic or logging tiers.
Therefore, when an administrator makes API calls, they are communicating with the Control Plane.


質問 # 29
Which protocol allows users to configure a passwordless authentication method for their ZIdentity account?

  • A. FIDO2
  • B. OIDC
  • C. SAML
  • D. SCIM

正解:A

解説:
Zscaler Identity (ZIdentity) supports modern, phishing-resistant passwordless authentication using the FIDO2 standard. FIDO2 combines Web Authentication (WebAuthn) and the Client to Authenticator Protocol (CTAP2) to enable users to authenticate with security keys or built-in platform authenticators (such as biometric sensors) without transmitting or storing a reusable password. The Digital Transformation Engineer documentation explains that when a user registers a FIDO2 authenticator with ZIdentity, the service stores a public key tied to that device and account. Future logins are validated using a cryptographic challenge- response, providing strong protection against credential theft and replay attacks.
By contrast, SAML (option B) and OIDC (option C) are federation protocols used for single sign-on (SSO) and identity delegation between an identity provider and service providers; they do not themselves define how passwordless authentication is performed. They can carry assertions from an IdP that might use FIDO2 behind the scenes, but SAML and OIDC are not the passwordless method. SCIM (option D) is a provisioning standard for creating, updating, and deprovisioning identities and groups, not an authentication protocol.
Therefore, the only option that directly represents the protocol enabling passwordless login to a ZIdentity account is FIDO2.


質問 # 30
Customers would like to use a PAC file to forward web traffic to a Subcloud. Which one below uses the correct variables for the required PAC file?

  • A. {GATEWAY.<Subcloud>.<Zscaler cloud>}
  • B. {<Subcloud>.GATEWAY.<Zscaler cloud>}
  • C. {<Subcloud>.REGION.<Zscaler cloud>}
  • D. {REGION.<Subcloud>.<Zscaler cloud>}

正解:A

解説:
In Zscaler's PAC file guidance for directing traffic to specific Subclouds, the fully qualified proxy host name is constructed using the standard gateway label, followed by the subcloud identifier, and then the Zscaler cloud domain. In template form, this is represented as:
{GATEWAY.<Subcloud>.<Zscaler cloud>}
Here, GATEWAY corresponds to the Zscaler gateway label, <Subcloud> is the dynamically assigned subcloud (which helps optimize routing and resiliency), and <Zscaler cloud> represents the customer's Zscaler cloud domain (for example, one of the standard ZIA cloud domains). The Digital Transformation Engineer training emphasizes that using the correct order of these variables ensures that browsers resolve to the appropriate subcloud-specific gateway, enabling optimized performance and regional affinity.
Options B and C incorrectly introduce or misplace a REGION label, which does not match the documented variable order when explicitly targeting a Subcloud. Option D reverses the positions of GATEWAY and
<Subcloud>, which does not align with the hostname structure used by Zscaler for subcloud-aware PAC configurations.
Therefore, the correct PAC variable pattern for forwarding web traffic specifically to a Subcloud is
{GATEWAY.<Subcloud>.<Zscaler cloud>}.


質問 # 31
At which level of the Zscaler Architecture do the Zscaler APIs sit?

  • A. Enforcement Plane
  • B. Data Fabric
  • C. Nanolog Cluster
  • D. Central Authority

正解:D

解説:
Zscaler's core architecture in the Engineer course is explained using three main layers: Central Authority, Enforcement Nodes, and Logging / Nanolog services, supported by a distributed data fabric. The Central Authority is explicitly described as the "brains" or control plane of the Zscaler platform. It is responsible for global policy management, configuration, orchestration, and the API gateway that exposes Zscaler's administrative and automation APIs.
Enforcement nodes (such as ZIA Public Service Edges and ZPA enforcement components) form the data plane, inspecting traffic and applying policy decisions but not hosting the management APIs themselves.
Nanolog clusters handle large-scale log storage and streaming, providing logging and analytics rather than control or configuration interfaces. The data fabric underpins global state and synchronization across the cloud but is not where customers interact with APIs.
In the Digital Transformation Engineer material, when you see references to OneAPI and other programmatic integrations, they are always associated with the Central Authority layer, reinforcing that APIs live in the control plane. Therefore, within the defined Zscaler Architecture levels, the APIs sit at the Central Authority.


質問 # 32
What capabilities within Zscaler External Attack Surface Management (EASM) are specifically designed to uncover and assess domains that are intentionally created to resemble your legitimate brand or websites?

  • A. Mimic Domains
  • B. Lookalike Domains
  • C. Fake Domains
  • D. Spoofing Domains

正解:B

解説:
Zscaler External Attack Surface Management (EASM) includes a dedicated capability called Lookalike Domains. Zscaler defines lookalike domains as fraudulent or fake domains intentionally created by threat actors to mimic your legitimate domains and brand presence, often for phishing, credential theft, or brand abuse.
Within the EASM portal, the Lookalike Domains pages and widgets present a curated list of suspicious domains that closely resemble your seed or official domains. Analysts can review exposure scores, registrar details, hosting information, and other attributes to determine which of these domains pose the highest risk and warrant takedown or additional monitoring.
This feature is specifically designed for external risk and brand-protection use cases: it highlights where attackers are impersonating your organization on the public internet, which is a core component of digital-risk and external-attack-surface management. While words such as "fake," "mimic," or "spoofing" may be used generically in security discussions, "Lookalike Domains" is the exact term and feature name Zscaler uses in the EASM product and documentation. Options A, B, and C do not correspond to a named EASM capability and therefore are not correct in the ZDTE context.


質問 # 33
A contractor is visiting an organization for a maintenance task. The administrator does not have a spare laptop to give them. How will the administrator provide secure access for the contractor?

  • A. Cloud Connector
  • B. Branch Connector
  • C. Privileged Remote Access
  • D. SD-WAN

正解:C

解説:
Zscaler's Digital Transformation material is very clear that third-party admins, vendors, and contractors needing temporary, high-privilege access from unmanaged devices are a primary use case for Privileged Remote Access (PRA). PRA is built on ZPA and delivers a clientless remote desktop gateway: contractors simply use an HTML5-capable browser to reach RDP, SSH, or similar consoles without installing an agent or being placed on the internal network.
The study content explains that PRA enforces least-privilege access on a per-application or per-system basis, with capabilities such as time-bound access windows, credential vaulting/mapping (so credentials are never exposed), and full session recording and monitoring for audit and compliance. This directly matches the scenario of a short-term maintenance task from a contractor's own laptop.
By contrast, SD-WAN, Branch Connector, and Cloud Connector are connectivity constructs for sites and workloads, not for granting interactive, privileged access to individual admins on unmanaged endpoints. They don't solve the governance, session control, and just-in-time access requirements highlighted in the ZDTE content for third-party access. Therefore, Zscaler positions Privileged Remote Access as the correct and recommended approach here.


質問 # 34
What is the default classification for a newly discovered application in the App Inventory in the Third-Party App Governance Admin Portal?

  • A. Sanctioned
  • B. Reviewing
  • C. Unclassified
  • D. Unsanctioned

正解:C

解説:
In Zscaler 3rd-Party App Governance documentation, the App Inventory is where administrators view and manage all discovered third-party apps, add-ons, and extensions. The "Classifying Apps" help article defines the available states: Unclassified, Sanctioned, Reviewing, and Unsanctioned. Crucially, it notes that Unclassified is the default state for any new application before an administrator evaluates it.
"Sanctioned" is used once the organization has explicitly approved an app for use; "Unsanctioned" is used when an app is not allowed; and "Reviewing" indicates it is under investigation. Those labels are the result of governance decisions applied after discovery.
ZDTE study materials on SaaS and app governance mirror this behavior: newly discovered apps enter the inventory without an explicit decision, allowing security teams to triage risk, review permissions, and only then mark them as sanctioned or unsanctioned. Because the default state for a new entry is explicitly documented as Unclassified, the correct answer is D. Unclassified.


質問 # 35
Which feature of Zscaler Private AppProtection provides granular control over user access to specific applications?

  • A. Role-based access control
  • B. User behavior analysis
  • C. Threat Intelligence integration
  • D. Application segmentation

正解:D

解説:
Zscaler's application segmentation is the feature that delivers granular, per-application control over which users can access which private apps. In the ZDTE study material and cyberthreat protection quick reference guides, Zscaler explains that application segmentation makes apps and servers completely invisible to unauthorized users, thereby minimizing the attack surface while allowing authorized users to reach only the specific applications they are entitled to.
Zscaler Private AppProtection builds on this segmentation foundation: policies are defined at the application layer using identity (user, group), context, and app attributes, instead of broad network constructs like IP ranges or subnets. This enables security teams to create fine-grained rules that tightly bind users to individual applications, rather than to entire networks. While Private AppProtection adds inline inspection, virtual patching, and exploit prevention, segmentation is the part that dictates who can talk to what.
Threat intelligence integration (option A) enriches detection but does not itself define access. Role-based access control (option C) applies mainly to admin and management roles in consoles, not to runtime user-to- application paths. User behavior analysis (option D) informs risk but is not the primary enforcement mechanism. The specific feature that provides granular control over user access to particular private applications is application segmentation.


質問 # 36
In the Zscaler Client Connector (ZCC) Admin Portal, which posture element is supported on Windows but not on macOS?

  • A. Client Certificate
  • B. Domain Joined
  • C. Full Disk Encryption
  • D. CrowdStrike ZTA Sensor Setting Score

正解:D

解説:
Zscaler's Device Posture framework in Client Connector supports a broad set of posture checks on both Windows and macOS, such as Certificate Trust, Client Certificate, Firewall status, Full Disk Encryption, Domain Joined, and multiple EDR detections. These are listed in Zscaler technical training material as common capabilities for "Windows und macOS." However, Zscaler's advanced integration with CrowdStrike introduces additional posture signals based on Zero Trust Assessment (ZTA). In the same material, CrowdStrike ZTA Score is explicitly annotated with a Windows-specific minimum version ("CrowdStrike ZTA Score (Win v.3.4.0+)"), highlighting that this ZTA- based posture is implemented for Windows only in the current releases, while the shared list for macOS does not include its own ZTA-specific version.
The newer ZTE/EDU-202 engineer materials build on this by describing separate ZTA Device OS and Sensor scores, and the exam maps this Windows-only ZTA enforcement to the CrowdStrike ZTA Sensor Setting Score option. In contrast, Client Certificate, Full Disk Encryption, and Domain Joined are documented as cross-platform posture types, not restricted to Windows.


質問 # 37
......

ZDTE正真正銘のベスト資料、オンライン練習試験:https://www.jpntest.com/shiken/ZDTE-mondaishu

優れもの良質なZDTE問題集が待ってます:https://drive.google.com/open?id=10O3uaEifXkb8sNN4rtTshLLg4R77aUM7

弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

オンラインサポート時間:( UTC+9 ) 9:00-24:00
月曜日から土曜日まで

サポート:現在連絡