As a Google Workspace admin, you can integrate third-party security and EMM providers with your Google endpoint management. For each device, these providers report a device state.
Under certain conditions, the device state can be unavailable for iOS devices. If you defined Context-Aware Access (CAA) levels that block access to web apps based on that state and the state is unavailable, the CAA levels might inadvertently block devices that should have access. CAA levels don't block access to built-in mobile apps.
Conditions that create an inaccurate device state
When a user on an iOS device signs in to a web app in Safari or Chrome Browser, Google endpoint management assigns the device a unique resource ID. When the device user regularly accesses a Google website with the Safari app while signed in with the Google Account they use for work or school, the sign-in from Safari maintains the single resource ID for the device.
If the user hasn't signed in to a Google app or website for a while, Google endpoint management might assign the device another resource ID. When a third-party provider reports the state attached to the second resource ID, Google endpoint management doesn't recognize the state as belonging to the device and keeps the state as unspecified.
If a user can't access web apps on their iOS device, they can force a refresh of the server-side state of the device:
- Open a Google app other than Chrome Browser and sign out of the work or school account.
- Sign in to the Google app again.
- Open an app not created by Google that you use for work or school and sign out of your Google Account.
- Sign in to the third-party app again.
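To find which users are likely affected by the duplicate resource ID condition described above, an admin can group a device inventory by physical device and look for iOS devices that carry more than one resource ID with an unspecified state on at least one of them. The following is an added example, not Google's code or export format. The field names (`user`, `serial`, `os`, `resource_id`, `partner_state`), the state strings, and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory. Field names and values are assumptions for this
# example, not a Google export schema. "serial" stands in for any identifier
# that stays the same for one physical device.
INVENTORY = [
    {"user": "ana@example.com", "serial": "C39X0001", "os": "iOS",
     "resource_id": "res-a1", "partner_state": "COMPLIANT"},
    {"user": "ana@example.com", "serial": "C39X0001", "os": "iOS",
     "resource_id": "res-a2", "partner_state": "UNSPECIFIED"},
    {"user": "ben@example.com", "serial": "C39X0002", "os": "iOS",
     "resource_id": "res-b1", "partner_state": "UNSPECIFIED"},
    {"user": "cho@example.com", "serial": "R58M0003", "os": "Android",
     "resource_id": "res-c1", "partner_state": "UNSPECIFIED"},
    {"user": "cho@example.com", "serial": "R58M0003", "os": "Android",
     "resource_id": "res-c2", "partner_state": "COMPLIANT"},
    {"user": "dee@example.com", "serial": "C39X0004", "os": "iOS",
     "resource_id": "res-d1", "partner_state": "COMPLIANT"},
    {"user": "dee@example.com", "serial": "C39X0004", "os": "iOS",
     "resource_id": "res-d2", "partner_state": "COMPLIANT"},
]


def find_split_devices(inventory):
    """Return iOS devices that have several resource IDs and an unspecified state."""
    by_device = defaultdict(list)
    for row in inventory:
        if row["os"].lower() != "ios":
            continue  # the condition on this page applies to iOS devices only
        by_device[(row["user"].lower(), row["serial"].upper())].append(row)

    findings = []
    for (user, serial), rows in sorted(by_device.items()):
        ids = sorted({r["resource_id"] for r in rows})
        unspecified = sorted({r["resource_id"] for r in rows
                              if r["partner_state"].upper() == "UNSPECIFIED"})
        # One resource ID with an unspecified state has some other cause;
        # several IDs with one of them unspecified matches the condition above.
        if len(ids) > 1 and unspecified:
            findings.append({"user": user, "serial": serial,
                             "resource_ids": ids, "unspecified_ids": unspecified})
    return findings


if __name__ == "__main__":
    for f in find_split_devices(INVENTORY):
        print(f"{f['user']} {f['serial']}: unspecified on {f['unspecified_ids']}")
```

Users returned by `find_split_devices` are candidates for the sign-out and sign-in refresh steps listed above.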