Following are the rules for onboarding android devices on IAP:
Please note the ".*"
wlan access-rule ONBOARD-PREAUTH
index 10
captive-portal external profile ONBOARD_CP
rule alias gw.symcb.com match any any any permit
rule alias android.clients.google.com match any any any permit
rule alias .*ggpht.com match any any any permit
rule alias .*googleapis.com match any any any permit
rule alias .*gvt1.com match any any any permit
rule alias .*googleusercontent.com match any any any permit
rule any any match any any any deny