Apply custom security policies
Exception groups augment your organizational structure by allowing you to create custom sets of users that have Google Apps security services configured differently. Exception groups augment the ability to turn on or off services by organizational unit. This additional layer allows you to apply special security settings to select subsets of existing organizations. The rest of the users in your organization are unaffected by these changes.
For instance, you might have an organizational structure resembling:
- Front end
- Back end
To apply a setting change to the entire organization:
- In the Admin console, click Security > Advanced security settings.
- Select the top-level organizational unit (your-domain.com) and make your changes.
- (Optional) To isolate the exception to all of Engineering or Marketing, select that organizational unit instead.
All settings are inherited down through sub-organizations unless otherwise overridden.
To make a custom setting change, (for example, enforce 2-step verification for all of your contractors):
- Create a group that contains all of your contractors.
- Select the top-level organization and also select the group to apply the change to all contractors in the domain.
The settings are applied to the intersection of the organization and group (members of both).
- (Optional) You can further refine this filtering by selecting lower-level organizations (for example, all of Engineering > Production or all of Marketing > Corporate) before selecting the desired group.
This setting would apply to all contractors in those organizations only. Similarly, you can make a custom setting change at a higher-level organization and then override it by navigating to the lower-level organization and altering the settings.
To create and use an exception group:
- Follow the instructions to Create a group in the admin console.
This generates an administrator-managed group. Groups created through Google Groups cannot have exceptions applied to them.
- After saving the group, add the desired users to it.
- Click Security
- Click Basic Settings > Two-step verification. For details, see 2-step verification enforcement.
- Check the Allow users to turn on 2-step verification box.
- Click Save changes.
- Click the Go to advanced settings to enforce 2-step verification link.
- Select the organization to which you want to apply custom 2-step verification enforcement settings.
- Select either Turn on enforcement now, Turn on enforcement from date, or Turn off enforcement.
- As you scroll over the enforcement options, select Use inherited to map the policy from the parent group or domain onto your selected group.
- Click Save changes.
All enforcement changes are prompted for confirmation or cancellation before being executed.
To create and use an Exempt from 2-Step enforcement exception group:
- Follow the instructions in Create a group in the admin console to create an Exempt from 2-Step enforcement group on your domain.
Note: If you use Google Apps Directory Sync (GADS) to synchronize your Active Directory groups, create the group in Active Directory first then add your users to this group, run GADS to sync the group, and skip the next step.
- Add users to the group who will not be required to use 2-step verification to sign in to their Gmail account.
- Click Security > Show more > Advanced Settings.
- Select the domain.
- In the Group filters section, click Select and find the group you created (Exempt from 2-Step enforcement).
- Select Turn off enforcement and click Save.
- In the Group filters section, click No admin groups selected.
- Select Turn on enforcement now and click Save.
- Once each member of this group enables 2-step verification, they can be removed from the Exempt from 2-Step enforcement exception group.