Overview
When enabling the Device Profile Restriction condition in Android Device Assurance to ensure users are accessing protected apps from within their Android Work Profile (WP), you may encounter access issues with certain applications. Specifically, enforcing this restriction on applications that utilize a WebView for their authentication user experience will result in access being blocked.
What is WebView?
WebView is an embeddable component that allows native mobile applications to display web content directly inside the app, rather than opening a dedicated web browser (like Google Chrome). Some application developers use WebView to render custom login screens for authentication.
What Will Happen?
If you enable the Device Profile Restriction condition for an app that uses WebView, access will be completely blocked, even if the user is correctly attempting to log in from inside the managed Work Profile.
This occurs because WebView does not support App Links. Okta relies on App Links to determine if the calling application is securely located within the managed Work Profile. Without this verification, the system cannot confirm the app's location and therefore blocks access to secure the environment.
Known Affected Applications
The following commonly used Android applications are known to use WebView for authentication and will be impacted by this restriction:
- Microsoft Office 365 (M365 / O365) clients
- Gmail
- Workday
Workarounds and Best Practices
To prevent disruptions to your end users, we recommend taking the following actions:
1. Specific Workaround for Gmail
Logging into Gmail is governed by the Google Workspace app in the Okta Integration Network (OIN). If a user needs to sign into Gmail but access is blocked because we cannot detect the Work Profile due to the App Links and WebView limitation, the user can bypass this issue by establishing the session elsewhere.
Users can simply create the Workspace session by logging into their Workspace account through any other Workspace app that does not suffer from this limitation, such as Google Drive or Google Keep. Once the session is established, they can access Gmail.
2. Test This Setting for All Apps
Before rolling out the Device Profile Restriction policy to your broader organization, administrators should thoroughly test the setting on all target applications. This will help identify any critical apps that rely on WebView for authentication and fail the Work Profile check.
3. Request Developer Updates (Chrome Custom Tabs)
For internal or third-party apps where access is blocked due to WebView, customers should reach out to the respective application developers or vendors.
- Recommendation: Ask developers to update their authentication flows to use Chrome Custom Tabs instead of WebView. Chrome Custom Tabs securely support App Links, which will allow the authentication flow to properly pass the Work Profile check and grant access.
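For developers acting on this recommendation, the change looks roughly like the Kotlin sketch below. It is an added example, not code from Okta or from any of the affected apps. The endpoint, client ID, redirect URI and function names are placeholders, and the app is assumed to use the androidx.browser library and to declare an intent filter for the redirect URI.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import android.util.Base64
import androidx.browser.customtabs.CustomTabsIntent
import java.security.MessageDigest
import java.security.SecureRandom

// Placeholders (assumptions): use the values registered for your own app.
private const val AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
private const val CLIENT_ID = "example-client-id"
private const val REDIRECT_URI = "com.example.app:/callback"

// Before: the sign-in page was rendered inside the app, e.g. webView.loadUrl(authorizeUrl).
// After: the same URL is opened in a Custom Tab, which runs in the browser rather than
// in an embedded WebView.

// Random value that ties the redirect back to the request this app started.
fun newState(): String {
    val bytes = ByteArray(16)
    SecureRandom().nextBytes(bytes)
    return Base64.encodeToString(bytes, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING)
}

// Pass an Activity context so the tab opens on top of the calling screen.
fun startLogin(context: Context, state: String) {
    val uri = Uri.parse(AUTHORIZE_ENDPOINT).buildUpon()
        .appendQueryParameter("response_type", "code")
        .appendQueryParameter("client_id", CLIENT_ID)
        .appendQueryParameter("redirect_uri", REDIRECT_URI)
        .appendQueryParameter("state", state)
        .build()
    CustomTabsIntent.Builder().build().launchUrl(context, uri)
}

// Call from the activity that receives REDIRECT_URI (onCreate/onNewIntent).
// Returns the authorization code, or null if the intent is not a valid redirect.
fun authorizationCodeFrom(intent: Intent, expectedState: String): String? {
    val data = intent.data ?: return null
    if (!data.toString().startsWith(REDIRECT_URI)) return null
    val returned = data.getQueryParameter("state") ?: return null
    // Constant-time comparison; reject redirects this app did not initiate.
    if (!MessageDigest.isEqual(returned.toByteArray(), expectedState.toByteArray())) return null
    return data.getQueryParameter("code")
}
```

A production flow would also send a PKCE challenge with the request and keep the state value across process restarts.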
