Update docs for ip allow list user level enforcement (#59695)

erikaxu · pndemo · sophietheking · web-flow · commit c2b6f1bb4b79 · 2026-02-23T17:25:27.000Z
Co-authored-by: Paul Ndemo &lt;ndemopaul1@gmail.com&gt;
Co-authored-by: Sophie &lt;29382425+sophietheking@users.noreply.github.com&gt;
Co-authored-by: Joe Clark &lt;31087804+jc-clark@users.noreply.github.com&gt;
diff --git a/content/admin/configuring-settings/hardening-security-for-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md b/content/admin/configuring-settings/hardening-security-for-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md
@@ -126,6 +126,33 @@ To ensure seamless use of the OIDC CAP while still applying the policy to OAuth
 1. Optionally, to allow installed {% data variables.product.company_short %} and {% data variables.product.prodname_oauth_apps %} to access your enterprise from any IP address, select **Skip IdP check for applications**.
 1. Click **Save**.
 
+## Restricting access to user-owned resources with the IP allow list
+
+> [!NOTE]
+> User-level IP allow list enforcement is only available for enterprises that use {% data variables.product.prodname_emus %}.
+
+By default, your enterprise's IP allow list does not restrict access to repositories and other resources owned by {% data variables.enterprise.prodname_managed_users %}. You can enable user-level enforcement to extend IP allow list restrictions to user-owned resources, including:
+
+* User-owned repositories and their forks
+* User profile pages
+
+This ensures that all locations where enterprise code may reside—not just organization-owned repositories—are only accessible from allowed IP addresses.
+
+### Enabling user-level enforcement
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "IP allow list", select **Enable IP allow list user-level enforcement**.
+1. Click **Save**.
+
+> [!IMPORTANT]
+> Before enabling user-level enforcement, add all IP addresses that your {% data variables.enterprise.prodname_managed_users %} use to connect to the enterprise IP allow list. If a user connects from an IP address that isn’t on the allow list, they won’t be able to access their user-owned resources.
+
+### Disabling user-level enforcement
+
+To stop enforcing the IP allow list on user-owned resources, follow the same steps above and deselect **Enable IP allow list user-level enforcement**, then click **Save**. Access to user-owned resources will no longer be restricted by the IP allow list.
+
 ## Using {% data variables.product.prodname_actions %} with an IP allow list
 
 {% data reusables.actions.ip-allow-list-self-hosted-runners %}
diff --git a/data/reusables/identity-and-permissions/ip-allow-lists-which-resources-are-protected.md b/data/reusables/identity-and-permissions/ip-allow-lists-which-resources-are-protected.md
@@ -12,10 +12,10 @@ IP allow lists **do** restrict access to:
     > [!NOTE]
     > Excluding installation tokens used by a {% data variables.product.prodname_github_app %} which is installed on a user account.
 * Raw URLs for files in repositories, such as `https://raw.githubusercontent.com/octo-org/octo-repo/main/README.md?token=ABC10001`
+* Repositories, including forks, owned by {% data variables.enterprise.prodname_managed_users %}, when enabled
 
 IP allow lists do **not** restrict access to:
 
-* Repositories, including forks, owned by {% data variables.enterprise.prodname_managed_users %}
 * Public resources, when accessed anonymously
 * A {% data variables.product.prodname_github_app %} (server-to-server) installation token when the {% data variables.product.prodname_github_app %} is installed on a user account.
 * {% data variables.product.prodname_copilot %} features that do not require directly fetching private or organizational data from {% data variables.product.prodname_dotcom %}
