ACCESS-DEF Free Sample Questions

CyberArk Defender Access Practice Test
10/229 questions
Q1

A financial services firm is implementing a stringent access policy for its traders. The policy requires that any login attempt to the trading platform from outside the corporate network (defined by a specific IP range) must be challenged with a FIDO2 hardware key. However, logins from within the corporate network should only require a password. Which CyberArk Identity feature should be used to configure this conditional logic?

Q2

A healthcare organization has deployed the CyberArk Identity Windows Device Trust agent to all corporate laptops to enforce certificate-based access to applications handling patient data. A clinician reports they are unable to access a critical application from their domain-joined laptop, receiving an access denied error. The administrator has confirmed the user is in the correct role and the laptop has a valid certificate. What is the most likely misconfiguration preventing access?

Q3 (Multiple answers)

A company's security policy mandates that all administrative access to cloud infrastructure management consoles (like AWS, Azure) requires Multi-Factor Authentication. Which TWO of the following mechanisms in CyberArk Identity can be used to enforce this policy specifically for users in the 'Cloud Admins' role? (Select TWO)

Q4

True or False: When using the 'MFA Unlock' command for a user in the CyberArk Identity Admin Portal, the suspension of MFA challenges is permanent until the administrator manually re-enables it.

Q5

A manufacturing company is setting up a SAML-based SSO integration for a new cloud-based inventory management system. During testing, users receive a SAML error indicating an 'Invalid NameID Format'. The application vendor has specified that they require the user's UPN (User Principal Name) in the NameID field. Where in the CyberArk Identity application configuration would an administrator modify the SAML response to send the UPN as the NameID?

Q6

An administrator is configuring a new Authentication Profile to be used for high-risk applications. The requirement is to challenge the user with any TWO of the following: a push notification, a security question, or an OATH OTP code. How should the 'Challenge Pass-Through Rules' be configured in the profile to achieve this?

Q7

A new CyberArk Identity administrator is reviewing the corporate directory structure. They need to synchronize users from a specific Organizational Unit (OU) in Active Directory called 'Salesforce_Users' to a CyberArk role with the same name. What is the first component that must be deployed and configured in the on-premises environment to enable this synchronization?

Q8

During a security audit, an organization is required to produce a report of all users who have successfully authenticated to any application via CyberArk Identity over the last 90 days, including the source IP address for each login. Where in the Admin Portal can this report be generated?

Q9

A company is using the CyberArk App Gateway to provide secure remote access to an internal legacy web application that does not support SAML. The security team wants to ensure that access to this application is logged and audited. Which component is primarily responsible for generating the audit logs for access events through the App Gateway?

Q10

An administrator needs to configure automated user provisioning for Salesforce. The goal is to assign different Salesforce license types (e.g., 'Salesforce Platform', 'Chatter Free') to users based on their department attribute in Active Directory. Which CyberArk Identity feature allows for this conditional license assignment during provisioning?