Enable user enrollment in the Advanced Protection Program

1. Identify vulnerable users that you want to be in scope for the Advanced Protection Program.
   Many attacks start by compromising what might be considered low value targets within an organization and spread from there. We recommend that you plan to include more roles and people to include over time. The following list contains some high value targets you will want to protect. However keep in mind that attacks can start with other targets and spread. You may want to expand this list over time:
   • Super admins are often targets due to their wide privileges.
   • Users who work in billing or production can have many privileges and be at risk.
   • Executives and other senior company officials can be targets.
   • Groups of users who might have been targeted in the past, or who were even subjected to state-sponsored attacks can be targets. Also, you may have received notifications regarding users who could be vulnerable to attacks. Consider your entire organization. 
2. Group users in organizational units.

Your users need security keys or passkeys to enroll in the Advanced Protection Program. To ensure account access, a backup recovery factor is also necessary to enroll. Users have to either add a recovery phone number and email address or a backup passkey or a physical security key to store in a safe place.

Go to Order your security keys for details on security keys.

For details on passkeys, go to Sign in with a passkey instead of a password?

Set up a list of trusted apps to specify which apps you trust with your organization’s data, including the data of your users in the Advanced Protection Program. The trusted apps list applies to your entire organization. By default, Google native apps, Apple Native iOS apps, and Mozilla Thunderbird are trusted for Advanced Protection users. You must explicitly add any other apps to the list of trusted apps required for your business.

1. Sign in with a super administrator account to the Google Admin console.

   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to Menu  Security > Access and data control > API controls > Manage Third-Party App Access.

   You must be signed in as a super administrator for this task.

3. For detailed instructions on managing third-party app access, see Control which third-party and internal apps access Google Workspace data.

The Advanced Protection Program uses 2-Step Verification. You must select a setting in the Google Admin console that allows users to turn on 2SV. This setting applies to your entire top-level organization, which might consist of multiple domains.

1. Go to Deploy 2-Step Verification, Step 2: Set up basic 2-Step Verification (required).
2. Follow the steps to enable 2-Step Verification for your entire organization (all domains).

By default users can enroll themselves in Advanced Protection. If needed, you can disable this user capability.

1. Sign in with a super administrator account to the Google Admin console.

   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to Menu   Security > Authentication > Advanced Protection Program.
3. Select the organizational unit containing users you need to enable for enrollment.
4. Enable user enrollment is the default setting. Select it if it is not selected.
5. Specify the type of security code your users can generate.  Use of security codes reduces security, so allow users to generate security codes only if your users must use them. Go to Protect users with the Advanced Protection Program for security policies.

   Choose one of these security code options for your users:

   • Don’t allow users to generate security codes—Users can’t generate security codes. This option provides the strongest security. Use this option if all users are using Google Chrome and have modern applications.
   • Allow security codes without remote access—Users can generate security codes and use them on the same device or local network (NAT or LAN). This is the default. This option provides less security than having no security code, but more security than security codes with remote access, described below. This option works for:
     • iOS apps
     • Macs
     • Internet Explorer
     • Safari
     • Legacy desktop applications and mobile apps that use WebViews for authentication instead of using Chrome
   • Allow security codes with remote access—Users can generate security codes and use them on other devices or networks, such as when accessing a remote server or a virtual machine.

Go to the Google Workspace Updates Blog for details.

After you enable Advanced Protection enrollment, users can self-enroll. Users visit a web page to set up security keys or passkeys. They also get information regarding changes that occur when they enable Advanced Protection.

Communicate your company’s plans to your users, including:

• Describe Advanced Protection and why your company is using it.
• Indicate whether Advanced Protection is optional or required.
• If required, provide the date by which users must self-enroll in Advanced Protection.
• Mention that after they enroll, users are signed out of all devices and third-party apps and must sign in.
• Distribute security keys to users or advise them to set up passkeys on their devices.
• Indicate the link to the web page for self-enrollment:  Advanced Protection Program.