Guard against targeted attacks

Enable user enrollment in the Advanced Protection Program

Enable users so they can self-enroll in the Advanced Protection Program.

Step 1: Identify users who are vulnerable to attack and select them for enrollment

Survey your organization for vulnerable users
  1. Identify vulnerable users that you want to be in scope for the Advanced Protection Program.
    Many attacks start by compromising what might be considered low value targets within an organization and spread from there. We recommend you plan to include more roles and people to include over time. Listed below are some high value targets you will want to protect. However keep in mind that attacks can start with other targets and spread. You may want to expand this list over time:
    • Super admins are often targets due to their wide privileges.
    • Users who work in billing or production can have many privileges and be at risk.
    • Executives and other senior company officials can be targets.
    • Groups of users who might have been targeted in the past, or who were even subjected to state-sponsored attacks. Also, you may have received notifications regarding users who could be vulnerable to attacks. Consider your entire organization. 
  2. Group users in organizational units.

Step 2: Order security keys

Get two security keys for each user

Your users need security keys to enroll in the Advanced Protection Program. They may be able to use a security key built into their phone, with a physical key for backup, or two physical security keys if their phone does not have a built-in security key.

Go to Order your security keys for details on security keys.

Step 3: Control which third-party apps are trusted for Advanced Protection

Control access to trusted apps

Set up a list of trusted apps to specify which apps you trust with your organization’s data, including the data of your users in the Advanced Protection Program. The trusted apps list applies to your entire organization. By default, Google native apps, Apple Native iOS apps, and Mozilla Thunderbird are trusted for Advanced Protection users. You must explicitly add any other apps to the list of trusted apps required for your business.

  1. Sign in to your super administrator account or as a delegated admin with the privilege Security > Security Settings.
  2. From the Admin console home page, go to Security > API Permissions.
  3. Go to Control which third-party and internal apps access Google Workspace data for details.

Step 4: Set up top-level organization access for 2-Step Verification

Access 2-Step Verification

The Advanced Protection Program uses 2-Step Verification. You must select a setting in the Google Admin console that allows users to turn on 2SV. This setting applies to your entire top-level organization, which might consist of multiple domains.

  1. Go to Deploy 2-Step Verification, Step 2: Set up basic 2-Step Verification (required).
  2. Follow the steps to enable 2-Step Verification for your entire organization (all domains).

Step 5: Enable user enrollment

Enable users to enroll

By default users can enroll themselves in Advanced Protection. If needed, you can disable this user capability.

Sign in with the privilege Security > Security Settings.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenAdvanced Protection Program.

    To see Security, you might have to click More controls at the bottom.

  3. Select the organization unit containing users you need to enable for enrollment.
  4. Enable user enrollment is the default setting. Select it if it is not selected.
  5. Specify the type of security code your users can generate.  Use of security codes reduces security, so allow users to generate security codes only if your users must use them. Go to Protect users with the Advanced Protection Program for security policies.

    Choose one of these security code options for your users:

    • Don’t allow users to generate security codes—Users can’t generate security codes. This option provides the strongest security. Use this option if all users are using Google Chrome and have modern applications.
    • Allow security codes without remote access—Users can generate security codes and use them on the same device or local network (NAT or LAN). This is the default. This option provides less security than having no security code, but more security than security codes with remote access, described below. This option works for:
      • iOS apps
      • Macs
      • Internet Explorer
      • Safari
      • Legacy desktop applications and mobile apps that use WebViews for authentication instead of using Chrome
    • Allow security codes with remote access—Users can generate security codes and use them on other devices or networks, such as when accessing a remote server or a virtual machine.

Go to the Google Workspace Updates Blog for details.

Step 6: Notify identified high-risk users that they can enroll in Advanced Protection

Notify users to enroll

After you enable Advanced Protection enrollment, users can self-enroll. Users visit a web page to set up security keys. They also get information regarding changes that occur when they enable Advanced Protection.

Communicate your company’s plans to your users, including:

  • Describe Advanced Protection and why your company is using it.
  • Indicate whether Advanced Protection is optional or required.
  • If required, provide the date by which users must self-enroll in Advanced Protection.
  • Mention that after they enroll, users are signed out of all devices and third-party apps and must sign in.
  • Distribute security keys to users.
  • Indicate the link to the web page for self-enrollment:  Advanced Protection Program.

Related information

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue