Additional details Policies enforced for users in the Advanced Protection Program
Policies currently enforced for users in the program include:
- Requiring the use of security keys (such as the Titan Security Key) for maximum protection against phishing.
- Automatically blocking access of most third party apps to Drive and Gmail data if those apps are not explicitly trusted by the admin.
- Enhanced email scanning for threats.
- Download protections from Google Safe Browsing for certain file types when signed into Google Chrome with the same identity.
Use our Help Center to find out more details about these policies.
Requirements for users in the Advanced Protection Program
The Advanced Protection Program is available for all users in all G Suite and Cloud Identity organizations unless admins turn it off for some or all users. When users enroll in the Advanced Protection Program, they will need:
- To register two security keys (one as a backup)
- To re-sign in on all their devices using a password and security key. They’ll be signed out of all devices when they enroll.
Details and requirements will be explained to users as they enroll themselves in the program at g.co/advancedprotection.
New default: Allow security codes without remote access
In the beta, you had an option to allow or not allow the use of security codes for your users who sign up for the Advanced Protection Program. Now, we’re adding a new option in addition to the previous two. The new option, allow security codes without remote access, will mean users can only use security codes they generate on the same device or local network.
This new option, allow security codes without remote access, will be the default for new and existing users. So any users who were not allowed to use security codes during the beta will be allowed to use security codes without remote access when general availability rolls out to your domain. Note that if you chose ‘allow security codes’ in the beta, that choice will persist when the GA version rolls out to your domain.
If you want to change this for all or some users, go to Admin console > Security > Advanced Protection Program and choose between:
- Don't allow users to generate security codes.
- Allow security codes without remote access (default).
- Allow security codes with remote access.
See our Help Center for more information on the new security code options.
Admins can allow or prevent their users from being able to opt-in to Advanced Protection
Helpful links Advanced Protection Program overview and sign up: g.co/advancedprotection
Help Center: Protect users with the Advanced Protection Program
Availability Rollout details
- Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on November 20, 2019
- Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility)] starting on November 20, 2019
- Note: If you see “Beta” when you go to Admin console > Security > Advanced Protection Program, then the rollout has not yet reached your domain.
G Suite editions
Available to all G Suite editions
On/off by default?
This feature will be ON by default and can be controlled at the OU level
Stay up to date with G Suite launches 
