The answer to that is an Untangle app for iPhone/Droid/Blackberry, not a manipulation of MAC addresses.
Where am I saying that one should manipulate MAC addresses?
Okay, English isn't my native language so I'll try again.
The Untangle internal interface and the clients are on the same network. In other words, they use layer 2 (MAC addresses) to communicate. A MAC address is a unique 12 byte identifier (12 hex digits) where the first 6 are the OUI (Organizationally Unique Identifier), which is unique to one manufacturer (one manufacturer usually has more than one OUI).
The Linux OS holds an ARP table with MAC addresses and IP addresses, so there is a "database" to look up MAC vs IP. If I were to exclude hosts based on IP, I could (as far as I've read) say 10.0.0.* to exclude all IPs starting with 10.0.0. With MAC addresses I could exclude 00-00-00* and allow all Xerox MAC addresses starting with 00-00-00.
As I've hopefully tried to explain, I'm not trying to manipulate MAC addresses. I'm just trying to use them as a way to group similar equipment.
Right, and Untangle is a layer 7 device with minimal layer 3 features and almost no layer 2 features.
Translation: Untangle's layer 3 features are weak, and by extension its layer 2 features are all but non-existent.
When you add to that the fact that MAC-level control is usually a management nightmare... well, the drive to add those features isn't on the front burner.
This means you have to use IP addressing to control your devices. And in all likelihood will be forced to do so for the foreseeable future.
The best solution would be a login app that replaced the Windows script and integrated with the CP / Directory Connector. That is, once the Directory Connector is appropriately enhanced to automatically bypass users that are already logged in. An app that ran on the phones/desktops/laptops to do all that would be simple, but it isn't going to be built overnight.
With the features we have now, you have no choice but to do things via IP address. If you have an entire family of devices, I suggest you look into how to configure your DHCP server to pass out a special DHCP scope to a MAC range. It's possible using many DHCP services, including the DNSMasq service built into Untangle. It's a technique commonly used by VoIP phone provisioning systems to hand out boot server directives to specific devices.
Instead you're using that to hand out a subset of your DHCP scope to a list of specific hardware devices, then you're free to exempt that scope.
Or you add an interface to Untangle and configure a separate wireless network to be used by only the phones and move on. Personally I don't see your users really using the wireless much; my users all jump over to the cellular connection at the first block page.
Yeah, I'm not even sure where to start on MS's DHCP. Untangle's DNSMasq service is just easier in these regards... but I assume it can be done. I know you can have multiple scopes on a single segment with MS DHCP, and obviously it has to be MAC-level filtered or it won't know what address to give out where...
A scope per phone mfg doesn't sound too bad to deal with, it's just the learning curve of getting the service to do it.
Of course, we all know what happens when you assume.
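
An added example, not part of any post in this thread: the OUI-prefix grouping over the Linux ARP table discussed above, sketched in Python. The sample table is constructed in the layout of `/proc/net/arp`, the function names are hypothetical, and the second prefix is a made-up value. It also shows why incomplete ARP entries must be skipped when the prefix of interest is `00-00-00`.

```python
import re

# Constructed sample in the layout of Linux /proc/net/arp (not from a real host).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.21        0x1         0x2         00:00:00:4a:11:9c     *        eth1
10.0.0.22        0x1         0x2         00:00:00:4A:20:03     *        eth1
10.0.0.40        0x1         0x2         f0:de:f1:01:02:03     *        eth1
10.0.0.77        0x1         0x0         00:00:00:00:00:00     *        eth1
"""

ATF_COM = 0x2  # kernel flag bit: entry is complete (a MAC was actually resolved)


def normalize(mac):
    """Drop separators and wildcards, lower-case: '00-00-00*' -> '000000'."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).lower()


def parse_arp(text):
    """Yield (ip, mac_hex) for complete ARP entries only."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        if not int(flags, 16) & ATF_COM:
            # Unresolved entries are listed as 00:00:00:00:00:00 and would
            # otherwise be grouped with every real 00-00-00 device.
            continue
        yield ip, normalize(mac)


def ips_for_prefix(text, prefix):
    """Return the IPs whose MAC starts with a prefix such as '00-00-00*'."""
    want = normalize(prefix)
    if not 1 <= len(want) <= 12:
        raise ValueError("prefix must contain 1 to 12 hex digits")
    return sorted(ip for ip, mac in parse_arp(text) if mac.startswith(want))


if __name__ == "__main__":
    print(ips_for_prefix(SAMPLE_ARP, "00-00-00*"))
```
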