Unfortunately, AFAIK in iApps we have no way of telling which firewall mode BIG-IP is running. If we could, the iApp could check for the action on the default rule and not create the dropPackets rule.
Even that would be a problem because that would only check at iApp runtime. If someone went in and changed from firewall to ADC mode outside of the iApp, then we have left you with an insecure config.
That said, you could either edit the iApp, removing this text from the firewall_arr array:
dropPackets \{ \
action drop \
log yes \
ip-protocol tcp \
status enabled \
source \{ addresses replace-all-with \{ any/any \}\} \
\}
You could also just create your own firewall policy outside of the iApp and assign it when you answer the "Do you want to use BIG-IP AFM to protect Lync edge and external web services?" question. Or you could leave it as-is, since there shouldn't be any problem with passing traffic through this config that I can think of.