Advanced Protection Program for the Enterprise Generally Available to Help Protect High-risk Users

What’s Changing

The Advanced Protection Program for the enterprise is now generally available. It was previously available in beta.

Who’s impacted

Admins and end users

Why you’d use it

The Advanced Protection Program for the enterprise enforces a specific set of high security policies for employees in your organization that are most at risk for targeted attacks. Targeted attacks describe sophisticated, low volume handcrafted attacks that are often carried out by highly motivated professional or government backed groups. Employees at risk of targeted attacks that may benefit from the program include, for example, IT admins, executives, and employees in regulated industries such as finance or government.

The individual policies currently included in the Advanced Protection Program are also available to G Suite admins and users outside of the program. However, the Advanced Protection Program for the enterprise offers a simple bundle of Google’s strongest account security settings for your organization’s high-risk users, and the program is constantly evolving to ensure these users continue to have Google’s strongest account security in place.

How to get started

• Admins: 
  • By default, all users will be able to enroll in the program. Admins can turn it off for users on a per-OU basis at Admin Console > Security > Advanced Protection Program.
  • For beta users: During the beta, the feature was off by default unless admins specifically turned it on. Now, it will be on by default for all users. If you turned it on and then off again for some users during the beta, the setting will remain off for those users and they will not be able to enroll unless you turn it on.
  • Use Google’s Help Center to find out more about the Advanced Protection Program for enterprise.
• End users: Once enabled, users can complete their self-enrollment by visiting g.co/advancedprotection and clicking on ‘Get Started’.

Additional details

Policies enforced for users in the Advanced Protection Program 

Policies enforced for users in the program include:

• Requiring the use of security keys (such as the Titan Security Key) for maximum protection against phishing.
• Automatically blocking access of most third party apps to Drive and Gmail data if those apps are not explicitly trusted by the admin.
• Enhanced email scanning for threats.
• Download protections from Google Safe Browsing for certain file types when signed into Google Chrome with the same identity.

Requirements for users in the Advanced Protection Program 

The Advanced Protection Program is available for all users in all G Suite and Cloud Identity organizations unless admins turn it off for some or all users. When users enroll in the Advanced Protection program, they will need:

• To register two security keys (one as a backup)
• To re-sign in on all their devices using a password and security key. They’ll be signed out of all devices when they enroll.

Details and requirements will be explained to users as they enroll themselves in the program at g.co/advancedprotection.

New default: Allow security codes without remote access 

In the beta, you had an option to allow or not allow the use of security codes for your users who sign up for the Advanced Protection Program. Now, Google is adding a new option in addition to the previous two. The new option, allow security codes without remote access, will mean users can only use security codes they generate on the same device or local network.This new option, allow security codes without remote access, will be the default for new and existing users. So any users who were not allowed to use security codes during the beta will be allowed to use security codes without remote access when general availability rolls out to your domain. Note that if you chose ‘allow security codes’ in the beta, that choice will persist when the GA version rolls out to your domain.

If you want to change this for all or some users, go to Admin Console > Security > Advanced Protection Program and choose between:

• Don’t allow users to generate security codes.
• Allow security codes without remote access (default).
• Allow security codes with remote access.

See Google’s Help Center for more information on the new Security Code options.

Availability

Rollout details 

• Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on November 20, 2019
• Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility)] starting on November 20, 2019
• Note: If you see “Beta” when you go to Admin Console > Security > Advanced Protection Program, then the rollout has not yet reached your domain.

G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default and can be controlled at the OU level