If users logon through Citrix Gateway and pass EPA but cannot see the client, which policy group governs visibility?

Visibility of an endpoint in Citrix Gateway is controlled by the policy group that handles quarantine behavior. Quarantine Groups are used to isolate devices that require remediation or pose a risk, limiting what the user can see and access. Even when a device passes Endpoint Posture Assessment, the gateway can still assign it to a quarantine group based on policy, which prevents the client from being visible in the usual view until remediation is completed or the device is moved out of quarantine. Endpoints simply represent the device, Compliance Groups track whether posture rules are met, and Access Groups determine which resources the user can reach; but the specific control over whether the client is visible lies with Quarantine Groups.