Featured launch: Advanced Protection Program for the enterprise generally available to help protect high-risk users
The Advanced Protection Program for the enterprise is now generally available. It was previously available in beta.
Admins and end users
Why you’d use it
The Advanced Protection Program for the enterprise enforces a specific set of high security policies for employees in your organization that are most at risk for targeted attacks. Targeted attacks describe sophisticated, low volume handcrafted attacks that are often carried out by highly motivated professional or government backed groups. Employees at risk of targeted attacks that may benefit from the program include, for example, IT admins, executives, and employees in regulated industries such as finance or government.
The individual policies currently included in the Advanced Protection Program are also available to G Suite admins and users outside of the program. However, the Advanced Protection Program for the enterprise offers an easy-to-use bundle of our strongest account security settings for your organization’s high-risk users, and the program is constantly evolving to ensure these users continue to have Google’s strongest account security in place.
How to get started
- By default, all users will be able to enroll in the program. Admins can turn it off for users on a per-OU basis at Admin console > Security > Advanced Protection Program.
- For beta users: During the beta, the feature was off by default unless admins specifically turned it on. Now, it will be on by default for all users. If you turned it on and then off again for some users during the beta, the setting will remain off for those users and they will not be able to enroll unless you turn it on.
- Use our Help Center to find out more about the Advanced Protection Program for enterprise.
- End users: Once enabled, users can complete their self-enrollment by visiting g.co/advancedprotection and clicking on ‘Get Started’.
Policies enforced for users in the Advanced Protection Program
Policies enforced for users in the program include:
- Requiring the use of security keys (such as the Titan Security Key) for maximum protection against phishing.
- Automatically blocking access of most third party apps to Drive and Gmail data if those apps are not explicitly trusted by the admin.
- Enhanced email scanning for threats.
- Download protections from Google Safe Browsing for certain file types when signed into Google Chrome with the same identity.
Use Google’s Help Center to find out more details about these policies.
Requirements for users in the Advanced Protection Program
The Advanced Protection Program is available for all users in all G Suite and Cloud Identity organizations unless admins turn it off for some or all users. When users enroll in the Advanced Protection Program, they will need:
- To register two security keys (one as a backup)
- To re-sign in on all their devices using a password and security key. They’ll be signed out of all devices when they enroll.
Details and requirements will be explained to users as they enroll themselves in the program at g.co/advancedprotection.
New default: Allow security codes without remote access
In the beta, you had an option to allow or not allow the use of security codes for your users who sign up for the Advanced Protection Program. Now, we’re adding a new option in addition to the previous two. The new option, allow security codes without remote access, will mean users can only use security codes they generate on the same device or local network.
This new option, allow security codes without remote access, will be the default for new and existing users. So any users who were not allowed to use security codes during the beta will be allowed to use security codes without remote access when general availability rolls out to your domain. Note that if you chose ‘allow security codes’ in the beta, that choice will persist when the GA version rolls out to your domain.
If you want to change this for all or some users, go to Admin console > Security > Advanced Protection Program and choose between:
- Don’t allow users to generate security codes.
- Allow security codes without remote access (default).
- Allow security codes with remote access.
See Google’s Help Center for more information on the new security code options.
Admins can allow or prevent their users from being able to opt-in to Advanced Protection
You may interested:
- Greater protection and control with three Gmail security tools
- Built in protections and controls for Team Drives
- Helping G Suite customers stay secure with new proactive phishing protections and management controls
- Manage apps accessing G Suite data with new app access control
- Web application vulnerability scans for GKE and Compute Engine are generally available
- With new security and intelligent features, the new Gmail means business