Advanced Protection Program for the enterprise generally available to help protect high-risk users

This announcement was made at Google Cloud Next ‘19 UK. Check out Next OnAir to tune into the livestream or watch session recordings following the event.



What’s changing 

The Advanced Protection Program for the enterprise is now generally available. It was previously available in beta.

Who’s impacted 

Admins and end users

Why you’d use it 

The Advanced Protection Program for the enterprise enforces a specific set of high-security policies for the employees in your organization who are most at risk of targeted attacks. Targeted attacks are sophisticated, low-volume, handcrafted attacks that are often carried out by highly motivated professional or government-backed groups. Employees at risk of targeted attacks who may benefit from the program include, for example, IT admins, executives, and employees in regulated industries such as finance or government.

The individual policies currently included in the Advanced Protection Program are also available to G Suite admins and users outside of the program. However, the Advanced Protection Program for the enterprise offers a simple bundle of our strongest account security settings for your organization’s high-risk users, and the program is constantly evolving to ensure these users continue to have Google’s strongest account security in place.

How to get started 


  • Admins: 
    • By default, all users will be able to enroll in the program. Admins can turn it off for users on a per-OU basis at Admin Console > Security > Advanced Protection Program. 
    • For beta users: During the beta, the feature was off by default unless admins specifically turned it on. Now, it will be on by default for all users. If you turned it on and then off again for some users during the beta, the setting will remain off for those users and they will not be able to enroll unless you turn it on. 
    • Use our Help Center to find out more about the Advanced Protection Program for the enterprise.
  • End users: Once enabled, users can complete their self-enrollment by visiting g.co/advancedprotection and clicking on ‘Get Started’. 


Additional details 

Policies enforced for users in the Advanced Protection Program 

Policies enforced for users in the program include:

  • Requiring the use of security keys (such as the Titan Security Key) for maximum protection against phishing. 
  • Automatically blocking most third-party apps from accessing Drive and Gmail data unless those apps are explicitly trusted by the admin. 
  • Enhanced email scanning for threats. 
  • Download protections from Google Safe Browsing for certain file types when signed in to Google Chrome with the same identity. 


Use our Help Center to find out more details about these policies.

Requirements for users in the Advanced Protection Program 

The Advanced Protection Program is available for all users in all G Suite and Cloud Identity organizations unless admins turn it off for some or all users. When users enroll in the Advanced Protection Program, they will need:

  • To register two security keys (one as a backup) 
  • To re-sign in on all their devices using a password and security key. They’ll be signed out of all devices when they enroll. 


Details and requirements will be explained to users as they enroll themselves in the program at g.co/advancedprotection.

New default: Allow security codes without remote access 

In the beta, you could either allow or disallow the use of security codes for your users who sign up for the Advanced Protection Program. Now, we’re adding a third option alongside the previous two. The new option, “allow security codes without remote access”, means users can only use security codes they generate on the same device or local network.

This new option will be the default for new and existing users. So any users who were not allowed to use security codes during the beta will be allowed to use security codes without remote access when general availability rolls out to your domain. Note that if you chose ‘allow security codes’ in the beta, that choice will persist when the GA version rolls out to your domain.

If you want to change this for all or some users, go to Admin Console > Security > Advanced Protection Program and choose between:

  • Don't allow users to generate security codes. 
  • Allow security codes without remote access (default). 
  • Allow security codes with remote access. 


See our Help Center for more information on the new Security Code options.


Admins can allow or prevent their users from opting in to Advanced Protection 

Helpful links 

Advanced Protection Program overview and sign up: g.co/advancedprotection 
Help Center: Protect users with the Advanced Protection Program

Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on November 20, 2019 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on November 20, 2019 
  • Note: If you see “Beta” when you go to Admin Console > Security > Advanced Protection Program, then the rollout has not yet reached your domain. 

G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default and can be controlled at the OU level