They have asked me to be able to control Android devices in APM, and I am thinking of doing it in the APM policy using something like this, validating these 2 variables:
expr {[mcget {session.client.unique_id}] contains "57bb1c0b45c96dad" and [mcget {session.client.model}] contains "motorola edge" or [mcget {session.client.unique_id}] contains "fe35849f39188ffa" and [mcget {session.client.model}] contains "SM-A235M"}
How can I automate it for APM with an irule? Does anyone have any ideas?
Deployments using unique IDs on phones are typically done with some kind of mobile device management (MDM) solution such as Microsoft Intune or IBM's maas360. These solutions allow admins to place apps on users' phones along with unique IDs, then APM can grab that unique ID and make an HTTP call to the MDM vendor to make sure they are compliant with your company security policies. Phone vendors typically don't provide unique IDs by themselves because they want to limit information disclosure.
However, if you already have unique IDs that ARE being sent successfully from your mobile devices, you can just add the logic into your access policy flow using an "Empty" policy item and name it something like "check unique id". No irules needed because all of the logic is written directly into branch rules.
If you already have something like this and are looking for a solution where you're not hard-coding these fixed-string UIDs into your config, you could write an irule to check the APM session variables against a data group you set up. As you can imagine this can get complicated, so it's better if you can use some built-in mechanism of an MDM.