Use these tasks to track Advanced Protection Program user enrollment and provide support for your users.
For enrolled users, Advanced Protection policies override policies you configure manually. For example, if you haven't enforced 2-Step Verification across your organization, and some users enroll in Advanced Protection, then the 2-Step Verification policy included in Advanced Protection overrides the manually configured 2-Step Verification policy.
Go to Protect Users with the Advanced Protection Program , for a list of included policies.
Verify that users enroll in the Advanced Protection Program
See which users have enrolled in Advanced Protection.
Sign in with the privilege Users > Read.
- Sign in to your Google Admin console .
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu Directory Users.
- Select a user and go to Security.
- Verify that Advanced Protectiondisplays, and the setting for Advanced Protection is On.
Disable user enrollment
If you disable enrollment after previously enabling it, users who are already enrolled in the Advanced Protection Program are still enrolled. To unenroll users, change the user’s individual enrollment in the user profile. See the next section, Unenroll user from Advanced Protection Program.
- Sign in to your Google Admin console .
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu Security Authentication Advanced Protection Program.
- Select Disable user enrollment.
- Click Save.
Unenroll user from Advanced Protection Program
You can unenroll users at the user level. When you unenroll users, you prevent them from re-enrolling after they leave the program.
Sign in with the privilege Security > User Security Management.
- Sign in to your Google Admin console .
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu Directory Users.
- Select a user, and go to Security. Click the Security card.
- For Advanced Protection, select Off.
- Click Save.
View user enrollment reports
View user enrollment in reports.
Sign in with the privilege Reports.
- Sign in to your Google Admin console .
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu Reporting Reports Apps reports User activity .
- Filter reports by organizational unit.
- Look for entries like Fred Bates has disabled Advanced Protection , or Ellen Yang has enrolled for Advanced Protection .
View admin activity reports
View admin activity in the audit log.
Sign in with the privilege Reports.
- Sign in to your Google Admin console .
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu Reporting Audit and investigation Admin log events .
- Filter reports by organizational unit.
- Look for entries under Event Namelike Application Setting Creation , or Application Setting Change . The Event Descriptionshows Advanced Protection Program for these entries.
Allow enrolled users to generate security codes
Users can generate security codes for use with applications and platforms that do not support security keys.
Before allowing users to generate security codes, carefully evaluate if your organization needs them. Using security keys with security codes increases the risk of phishing. However, if your organization has important workflows where security keys can’t be used directly, enabling security codes for those situations may help improve your security posture overall.
Go to Enable user enrollment in the Advanced Protection Program for details.
How do users unenroll?
Users navigate to their Google account and click Security. Under Advanced Protection Program, they select Unenroll.
