You want to be able to control iOS and Android Devices according to your AUP (Acceptance Usage Policy) based on group-AD-Policy. 

iOS devices do not support NTLM authentication and thus cannot be authenticated against an IWA realm for group policy-based network access rules.

Android runs on a Linux OS and thus has the same limitation. To work around this issue you can use Form-Based Authentication to authenticate users for network access. 

You must have configured an existing IWA authentication realm before configuring Form Based Authentication. WIth Form-Based Authentication, a user is presented with a form that they must complete so that the ProxySG appliance has the user credentials to authenticate against the AD. iOS and Android devices based on RFC rules do not pass these credentials; thus, with Form-Based Authentication, the ProxySG appliance can request that they be passed, providing adminstrators  with the ability to authenticate users with these types of devices. 

1. Create your IWA realm and ensure that it is able to authenticate users: refer to KB5746 to configure the IWA authentication realm. 
   
   
   In Form Based Authentication, there are already predefined forms which can be used.  You can custom configure this later, but in this article the example uses  the out-of-the-box authentication form:
    
2. Configure your Authentication Layer with a rule which has a source of the iOS and Android devices you are wanting to authenticate.
    
    
3. Create your Authentication action specifying your IWA realm to use the Authentication Form.
   
    
4. Install the policy.
5. Once this is created you are prompted with the authentication form created for these devices. 

 You can now create user group policy for network access rules in your Access Layer.