# 21 Advanced Protection Program (high-risk users)

> v0.1.4 · role: Prevent · [policy: #17 · #30](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Google's Advanced Protection Program is the strictest posture Google offers an account: security keys or passkeys only with no weaker fallback, harder download and app-install checks, and third-party apps with high-risk OAuth scopes shut out unless explicitly trusted. The admin toggle only permits enrollment for an OU or group — each user completes the flow themselves at landing.google.com/advancedprotection, and the user's Security panel is where you confirm it took. It is meant for the cohort an attacker will actually spend money on: executives, admins, journalists and other at-risk staff.

Documentation: [Protect users with the Advanced Protection Program](https://knowledge.workspace.google.com/admin/security/protect-users-with-the-advanced-protection-program)

## Caveats

- Enabling enrollment is not enrollment — the toggle only permits it, and until each user completes the flow with two keys, nothing about their account has changed.
- APP will not complete without a phishing-resistant factor plus a backup — order the keys before you flip the toggle, or the rollout stalls at the first user.
- APP blocks most non-Google apps with high-risk scopes — enrolling a user who depends on a third-party mail client breaks them unless that app is trusted in API controls (№8) first.
- 2-Step Verification (№1) must be on at the tenant's top level for APP enrollment to be available at all.

## Setup steps

1. Enable user enrollment is Google's default tenant-wide. Confirm it is enabled for the organizational unit or group holding the high-risk cohort (executives, admins, journalists/at-risk staff), and explicitly disable it for OUs that should not enroll. — `Security › Authentication › Advanced Protection Program`

   Advanced Protection Program enrollment = Enable user enrollment (the default) for the high-risk OU; set Disable user enrollment for OUs outside the cohort

   docs: [Enable user enrollment in the Advanced Protection Program](https://knowledge.workspace.google.com/admin/security/enable-user-enrollment-in-the-advanced-protection-program)

2. Pre-trust the third-party apps the cohort actually needs: APP blocks apps with high-risk OAuth scopes for enrolled users, and the lever is marking each required app Trusted in the API-controls app-access list ([№8](oauth-app-control.md)). Do it before enrollment, or the cohort's mail clients and integrations stop working the day they enrol. — `Security › Access and data control › API controls › App access control`

   App access control (№8): each app the cohort requires = Trusted

   docs: [Control which apps access Google Workspace data](https://knowledge.workspace.google.com/admin/apps/control-which-apps-access-google-workspace-data)

3. Open a user in the target cohort and confirm the Security panel reports Advanced Protection as On after they complete enrollment at landing.google.com/advancedprotection. — `Directory › Users`

   - **User > Security > Advanced Protection** = On

   docs: [Manage a user's security settings](https://knowledge.workspace.google.com/admin/security/manage-a-users-security-settings)

## Ongoing maintenance

- **[requires a human]** On role changes: enrol newly high-risk staff and note leavers.

## How to verify

1. Ask an enrolled user to open their Google account security page — it should show "Advanced Protection: On". Enrolment is user-visible; no admin access needed.

## Settings screens

- Security > Authentication > Advanced Protection Program
  - console: https://admin.google.com/ac/managedsettings/352555445522/titanium
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/352555445522/titanium.png
- Directory > Users
  - console: https://admin.google.com/ac/users
  - screenshot: ../screenshots/admin.google.com/ac/users.png
