In ASDM, go to Configuration, Clientless SSL VPN, Dynamic Acess Policy, Add New.
Choose your AAA method and add new endpoint attributes. Enter the MAC addresses in the list as multiple endpoint IDs of type device, attribute MAC = . After you have them all in, make the logical operation Device "match any".
You will need AnyConnect Premium and Advanced Endpoint Assessment licenses installed and activated to use this feature.
More information on DAP in general can be found in this Cisco white paper.
Int the CLI, what I just described ends up as a simple couple of commands:
dynamic-access-policy-record CiscoSupportcommunity
description "Example showing use of MAC addresses in DAP"
...which rely on the underlying dap.xml file which is modified by the above procedure. If you wanted to put it in more programmatically you could write the dap.xml file directly or script it if you're handy with that sort of thing.
For this example, the relevant dap.xml file section would include a dap.record as follows:
CiscoSupportcommunity
and
match-any
aaa.ldap.memberOf
Domain Users
EQ
caseless
match-any
match-all
endpoint.device.MAC["1234.5678.90ab"]
true
caseless
EQ
match-all
endpoint.device.MAC["2345.6789.0abc"]
true
caseless
EQ