Guard against targeted attacks

Enable user enrollment in the Advanced Protection Program

This feature is available in all G Suite and Cloud Identity editions.

Enable users so they can self-enroll in the Advanced Protection Program.

Step 1: Identify users who are vulnerable to attack and select them for enrollment

Survey your organization for vulnerable users
  1. Identify vulnerable users that you want to be in scope for the Advanced Protection Program. Think about users in your organization, and consider who might be the most vulnerable to attack.
    • Super admins are often targets due to their wide privileges.
    • Users who work in billing or production can have many privileges and be at risk.
    • Executives and other senior company officials can be targets.
    • Groups of users who might have been targeted in the past, or who were even subjected to state-sponsored attacks. Also, you may have received notifications regarding users who could be vulnerable to attacks. Consider your entire organization.
  2. Group users in organizational units.
  3. Get two security keys for each user in scope for the Advanced Protection Program. These keys can be shared across services (for example consumer Gmail and G Suite accounts) without a loss of privacy.

Step 2: Obtain security keys

Get keys for each user

Get two security keys for each user in scope for the Advanced Protection Program. These keys can be shared across services (for example consumer Gmail and G Suite accounts) without a loss of privacy.

Step 3: Whitelist third-party apps trusted for Advanced Protection

Whitelist trusted apps

Set up an apps whitelist to specify which apps you trust with your organization’s data, including the data of your users in the Advanced Protection Program. The whitelist applies to your entire organization. By default, Google native apps, Apple Native iOS apps, and Mozilla Thunderbird are whitelisted for Advanced Protection users. You must explicitly whitelist other apps required for your business.

  1. Sign in to your super administrator account or as a delegated admin with the privilege Security > Security Settings.
  2. From the Admin console home page, go to Security > API Permissions.
  3. Go to Whitelist connected apps for details on whitelisting.

Step 4: Set up top-level organization access for 2-Step Verification

Access 2-Step Verification

The Advanced Protection Program uses 2-Step Verification. You must select a setting in the Google Admin console that allows users to turn on 2SV. This setting applies to your entire top-level organization, which might consist of multiple domains.

  1. Go to Deploy 2-Step Verification, Step 2: Set up basic 2-Step Verification (required).
  2. Follow the steps to enable 2-Step Verification for your entire organization (all domains).

Step 5: Enable user enrollment

Enable users to enroll

You must enable users to enroll in the Advanced Protection Program.

Sign in with the privilege Security > Security Settings.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Advanced Protection Program.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Select the organization unit containing users you need to enable for enrollment.
  4. Enable user enrollment is the default setting. Select it if it is not selected.
  5. Specify the type of security code your users can generate.  Use of security codes reduces security, so allow users to generate security codes only if your users must use them. Go to Protect users with the Advanced Protection Program for security policies.

    Choose one of these security code options for your users:

    • Don’t allow users to generate security codes—Users can’t generate security codes. This option provides the strongest security. Use this option if all users are using Google Chrome and have modern applications.
    • Allow security codes without remote access—Users can generate security codes and use them on the same device or local network (NAT or LAN). This is the default. This option provides less security than having no security code, but more security than security codes with remote access, described below. This option works for:
      • iOS apps
      • Macs
      • Internet Explorer
      • Safari
      • Legacy desktop applications and mobile apps that use WebViews for authentication instead of using Chrome
    • Allow security codes with remote access—Users can generate security codes and use them on other devices or networks, such as when accessing a remote server or a virtual machine.

Go to the G Suite Updates Blog for details.

Step 6: Notify identified high-risk users that they can enroll in Advanced Protection

Notify users to enroll

After you enable Advanced Protection enrollment, users can self-enroll. Users visit a web page to set up security keys. They also get information regarding changes that occur when they enable Advanced Protection.

Communicate your company’s plans to your users, including:

  • Describe Advanced Protection and why your company is using it.
  • Indicate whether Advanced Protection is optional or required.
  • If required, provide the date by which users must self-enroll in Advanced Protection.
  • Mention that after they enroll, users are signed out of all devices and third-party apps and must sign in.
  • Distribute security keys to users.
  • Indicate the link to the web page for self-enrollment:  Advanced Protection Program.

Related information

Was this helpful?
How can we improve it?