

Question 60 Discussion

An administrator needs to enforce access to all applications via Prisma Access Browser (PAB) for unmanaged or non-compliant devices. Configuration of which two enforcement actions will ensure all access to applications only happens through PAB? (Choose two answers)

  • A. Use Account Protection for non SSO-enabled applications.
  • B. Use Device Posture to allow or block traffic.
  • C. Use the PAB Extension to redirect traffic through Prisma Access.
  • D. For SSO-enabled applications, configure Enforce SSO.
Correct Answer: A,D

Brave-Dump Clients Votes

AD 100%

Comments



Anonymous User 2026-03-01 14:23:12

Selected Answers: A, D


The correct two answers are
A. Use Account Protection for non-SSO-enabled applications
and
D. For SSO-enabled applications, Configure Enforce SSO.

Why A and D Are Correct
Option D — For SSO-enabled applications, Configure Enforce SSO
This is the primary enforcement mechanism for applications integrated with an Identity Provider (IdP). When Enforce SSO is enabled in Prisma Access Browser (Step 4: Enforce SSO Applications in SCM), the browser's Authentication Gateway acts as a forward proxy with dedicated egress IP addresses. The IdP (Okta, Entra ID, OneLogin, etc.) is configured with conditional access rules that deny authentication from any IP except the Prisma Access Browser Authentication Gateway — meaning users cannot access SSO-protected apps from any other browser. This effectively locks SSO-enabled application access exclusively to Prisma Access Browser.

Option A — Use Account Protection for non-SSO-enabled applications
Not all applications support SSO or SAML-based IdP enforcement. Account Protection is the Prisma Access Browser feature that handles these non-SSO apps, detecting and controlling login activity directly within the browser session. Together with Option D, this ensures complete coverage — SSO apps are enforced via IdP conditional access, and non-SSO apps are enforced via Account Protection.

The two options are deliberately complementary — D covers the modern SSO/SAML app landscape and A fills the gap for legacy or non-federated applications, ensuring no access pathway bypasses the Prisma Access Browser.


Ayesha 2026-03-06 23:53:27

Selected Answers: A, D


To ensure all access to applications only happens through Prisma Access Browser (PAB) for unmanaged or non-compliant devices, the following two enforcement actions are applicable:

Use Account Protection for non SSO-enabled applications. Prisma Access Browser offers an "Account Protection" feature specifically designed for non-SSO enabled applications. This feature adds a secret element to user passwords stored within Prisma Access Browser, which prevents access to the account from any other browser or user. This ensures that users can only log into these applications via the Prisma Access Browser (Source: 10, "4.7. Unknown Password Enforcement").

For SSO-enabled applications, configure Enforce SSO. For applications that are integrated with Single Sign-On (SSO), administrators can configure Identity Provider (IdP) authorization using IP-based conditional access policies. This method routes all SSO authentication traffic through the Prisma Access Browser Gateway. By configuring conditional access rules in the IdP, login attempts to SSO applications from any browser other than Prisma Access Browser will fail, thereby requiring users to access these applications exclusively through PAB (Source: 10, "4.1. IdP Authorization (Conditional Access) Enforcement"; Source: 14, "Step 4 - Enforce SSO Applications").
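Both comments describe Enforce SSO as IdP conditional access keyed on the browser gateway's egress IPs. The following added example (not part of either comment, and not Palo Alto Networks or IdP code) audits sign-in records for successful logins to enforced apps that arrived from outside those ranges. The egress ranges, app names and log schema are constructed assumptions.

```python
import ipaddress
import json

# Constructed values: documentation ranges stand in for the gateway egress IPs.
GATEWAY_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "2001:db8:a::/48")]
ENFORCED_APPS = {"crm", "payroll"}  # hypothetical SSO apps under Enforce SSO

# Constructed sign-in records in a simplified, hypothetical JSON-lines schema.
SAMPLE_LOG = """\
{"user": "alice", "app": "crm", "ip": "203.0.113.5", "result": "success"}
{"user": "bob", "app": "crm", "ip": "198.51.100.20", "result": "failure"}
{"user": "carol", "app": "payroll", "ip": "198.51.100.77", "result": "success"}
{"user": "dave", "app": "payroll", "ip": "::ffff:203.0.113.9", "result": "success"}
{"user": "erin", "app": "wiki", "ip": "198.51.100.3", "result": "success"}
{"user": "frank", "app": "crm", "ip": "not-an-ip", "result": "success"}
"""

def from_gateway(ip_text):
    """True if the address falls in an egress range; None if it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    # Normalise IPv4-mapped IPv6 so "::ffff:203.0.113.9" matches the IPv4 range.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in GATEWAY_EGRESS)

def classify(event):
    """Label one sign-in record against the IP-based conditional access intent."""
    if event["app"] not in ENFORCED_APPS:
        return "out_of_scope"
    inside = from_gateway(event["ip"])
    if inside is None:
        return "unparsed_ip"  # review by hand, do not assume compliant
    if inside:
        return "via_gateway"
    # Outside the gateway: the IdP should have denied this authentication.
    return "bypass" if event["result"] == "success" else "denied_as_expected"

def audit(log_text):
    """Return (user, app, ip, label) for every non-empty JSON line."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            rows.append((e["user"], e["app"], e["ip"], classify(e)))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row, sep="\t")
```

A `bypass` row means the conditional access rule does not cover that app or user, which is the gap the comments say Enforce SSO is meant to close.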