Guard against targeted attacks

Beta: Enable user enrollment in the Advanced Protection Program

This feature is available in all G Suite and Cloud Identity editions.

Enable users so they can self-enroll in the Advanced Protection Program.

Step 1: Identify users who are vulnerable to attack and select them for enrollment

Survey your organization for vulnerable users
  1. Identify the vulnerable users that you want to be in scope for the Advanced Protection Program. Think about the users in your organization, and consider who might be the most vulnerable to attack.
    • Super admins are often targets due to their wide privileges.
    • Users who work in billing or production can have many privileges and be at risk.
    • Executives and other senior company officials can be targets.
    • Groups of users who might have been targeted in the past, including those who were subjected to state-sponsored attacks. You may also have received notifications about users who could be vulnerable to attacks. Consider your entire organization.
  2. Group users in organizational units.
  3. Get two security keys for each user in scope for the Advanced Protection Program. These keys can be shared across services (for example, consumer Gmail and G Suite accounts) without a loss of privacy.
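Added example, not part of this Google help page: a small Python script that applies the survey criteria above (super admins, users in billing or production, executives) to user records shaped like the Admin SDK Directory API users.list response and produces the users.update bodies that would move each selected account into a dedicated organizational unit. The OU path, the department names and the sample accounts are assumptions constructed for the example.

```python
"""Select high-risk accounts for Advanced Protection and plan their OU move.

Works on user records in the shape returned by the Directory API users.list
(fields primaryEmail, isAdmin, orgUnitPath, organizations[].department) and
returns the users.update bodies that would group them in one OU.
"""
from typing import List, Tuple

TARGET_OU = "/Advanced Protection"            # assumed OU created for enrolled users
HIGH_RISK_DEPARTMENTS = {"billing", "production", "executive"}  # assumed names


def risk_reasons(user: dict) -> List[str]:
    """Return why a user is in scope; an empty list means out of scope."""
    reasons = []
    if user.get("isAdmin"):
        reasons.append("super admin")
    for org in user.get("organizations", []):
        dept = (org.get("department") or "").lower()
        if dept in HIGH_RISK_DEPARTMENTS:
            reasons.append(f"department={dept}")
    return reasons


def plan_ou_moves(users: List[dict], target_ou: str = TARGET_OU) -> List[Tuple[str, dict, List[str]]]:
    """Produce (userKey, update body, reasons) for in-scope users not yet in target_ou."""
    plan = []
    for user in users:
        reasons = risk_reasons(user)
        if not reasons or user.get("orgUnitPath") == target_ou:
            continue  # out of scope, or already grouped (safe to re-run)
        plan.append((user["primaryEmail"], {"orgUnitPath": target_ou}, reasons))
    return plan


# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"primaryEmail": "admin@example.com", "isAdmin": True, "orgUnitPath": "/"},
    {"primaryEmail": "ap@example.com", "isAdmin": False, "orgUnitPath": "/",
     "organizations": [{"department": "Billing"}]},
    {"primaryEmail": "ceo@example.com", "isAdmin": False, "orgUnitPath": "/Advanced Protection",
     "organizations": [{"department": "Executive"}]},
    {"primaryEmail": "dev@example.com", "isAdmin": False, "orgUnitPath": "/",
     "organizations": [{"department": "Engineering"}]},
]

if __name__ == "__main__":
    for user_key, body, reasons in plan_ou_moves(SAMPLE_USERS):
        # Each line corresponds to one users.update(userKey=user_key, body=body) call.
        print(f"{user_key}: {body} ({', '.join(reasons)})")
```

Review the printed plan before issuing the update calls; the executive account is skipped because it already sits in the target OU.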

Step 2: Whitelist third-party apps trusted for Advanced Protection

Whitelist trusted apps

Set up an apps whitelist to specify which apps you trust with your organization’s data, including the data of your users in the Advanced Protection Program. The whitelist applies to your entire organization. By default, Google native apps, Apple Native iOS apps, and Mozilla Thunderbird are whitelisted for Advanced Protection users. You must explicitly whitelist other apps required for your business.

  1. Sign in to your super administrator account or as a delegated admin with the privilege Security > Security Settings.
  2. From the Admin console home page, go to Security > API Permissions.
  3. Go to Whitelist connected apps for details on whitelisting.

Step 3: Set up top-level organization access for 2-Step Verification

Access 2-Step Verification

The Advanced Protection Program uses 2-Step Verification. You must select a setting in the Google Admin console that allows users to turn on 2SV. This setting applies to your entire top-level organization, which might consist of multiple domains.

  1. Go to Deploy 2-Step Verification, Step 2: Set up basic 2-Step Verification (required).
  2. Follow the steps to enable 2-Step Verification for your entire organization (all domains).

Step 4: Enable user enrollment

Enable users to enroll

You must enable users to enroll in the Advanced Protection Program.

  1. Sign in to your super administrator account or as a delegated admin with the privilege Security > Security Settings.
  2. From the Admin console home page, go to Security > Advanced Protection Program.
  3. Select the organizational unit that contains the users you need to enable for enrollment.
  4. Select Enable user enrollment.
  5. Click the Allow users with Advanced Protection to generate security codes checkbox only if your users must use security codes. This option reduces security, so enable it only if needed. See Protect users with the Advanced Protection Program for security policies.

Step 5: Notify identified high-risk users that they can enroll in Advanced Protection

Notify users to enroll

After you enable Advanced Protection enrollment, users can self-enroll. Users visit a web page to set up security keys. They also get information regarding changes that occur when they enable Advanced Protection.

Communicate your company’s plans to your users, including:

  • Describe Advanced Protection and why your company is using it.
  • Indicate whether Advanced Protection is optional or required.
  • If required, provide the date by which users must self-enroll in Advanced Protection.
  • Mention that after they enroll, users are signed out of all devices and third-party apps and must sign in.
  • Distribute security keys to users.
  • Indicate the link to the web page for self-enrollment: Advanced Protection Program.
