Guard against targeted attacks

Manage Advanced Protection Program user enrollment

This feature is available in all G Suite and Cloud Identity editions.

Use these tasks to track Advanced Protection Program user enrollment and provide support for your users.

For enrolled users, Advanced Protection policies override policies you configure manually. For example, if you haven't enforced 2-Step Verification across your organization, and some users enroll in Advanced Protection, then the 2-Step Verification policy included in Advanced Protection overrides the manually configured 2-Step Verification policy.

Go to Protect Users with the Advanced Protection Program, for a list of included policies.

Verify that users enroll in the Advanced Protection Program

See which users have enrolled in Advanced Protection.

Sign in with the privilege Users > Read.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Users.
  3. Select a user and go to Security.
  4. Verify that Advanced Protection displays, and the setting for Advanced Protection is On.

Disable user enrollment

Sign in with the privilege Security > Security Settings.

Tip: If you disable enrollment after previously enabling it, users who are already enrolled in the Advanced Protection Program are still enrolled. To unenroll users, change the user’s individual enrollment in the user profile. See the next section, Unenroll user from Advanced Protection Program.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console home page, go to Security > Advanced Protection Program.
  3. Select Disable user enrollment.
  4. Click Save.

Unenroll user from Advanced Protection Program

You can unenroll users at the user level. When you unenroll users, you prevent them from re-enrolling after they leave the program.

Sign in with the privilege Security > User Security Management.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Users.
  3. Select a user, and go to Security. Click the Security card.
  4. For Advanced Protection, select Off.
  5. Click Save.

View user enrollment reports

View user enrollment in reports.

Sign in with the privilege Reports.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. Go to Audit > Users Accounts.
  4. Filter reports by organizational unit.
  5. Look for entries like Fred Bates has disabled Advanced Protection, or Ellen Yang has enrolled for Advanced Protection.

View admin activity reports

View admin activity in the audit log.

Sign in with the privilege Reports.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. Go to Audit > Admin.
  4. Filter reports by organizational unit.
  5. Look for entries under Event Name like Application Setting Creation, or Application Setting Change. The Event Description shows Advanced Protection Program for these entries.

Allow enrolled users to generate security codes

Users can generate security codes for use with applications and platforms that do not support security keys.

Before allowing users to generate security codes, carefully evaluate if your organization needs them. Using security keys with security codes increases the risk of phishing. However, if your organization has important workflows where security keys can’t be used directly, enabling security codes for those situations may help improve your security posture overall.

Go to Enable user enrollment in the Advanced Protection Program for details.

How do users unenroll?

Users navigate to their Google account and click Security. Under Advanced Protection Program, they select Unenroll.

Was this helpful?
How can we improve it?