APM to restrict specific user account from successfully authenticating based on source ip?

in VPE, create an empty box with a branch expression:

expr { [mcget {session.logon.last.username} ] contains "myuser" &&  [IP::addr [mcget {session.user.clientip}] equals "172.20.0.0/16"]}