OK, I will try to keep it simple and use an OS as the example.
What we are trying to achieve is to allow all Win10 devices access via the policies.
But we do not want to add this to all of the policies, as there are hundreds of them.
So...
objects/hip object add name win10-check general/host info/OS contains msoft windows 10.
Then...
objects/hip profiles add name not-win10 match add NOT win10-check
Then...
policy add from sslvpn to private hip not-win10 any any any deny
I hope I got that correct, as I am popping out...
So... if you only allow a certain level in, AV etc., then block those that do not meet the requirement with a NOT HIP profile.
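
The approach in the post above, as an added Python model (not part of the original post and not PAN-OS code): one deny rule keyed on a negated HIP profile sits in front of many unchanged allow rules, and evaluation is top-down with first match winning, so the deny rule only takes effect when it is placed above the allow rules. The rule names, the sample host reports and the handling of a report with no OS value are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model of the post's approach; this is not PAN-OS code.
def win10_check(report: dict) -> bool:
    """HIP object: host info OS contains 'Windows 10'."""
    return "windows 10" in report.get("os", "").lower()

def not_win10(report: dict) -> bool:
    """HIP profile: NOT win10-check. Assumption: a report with no OS
    value fails the object, so the negated profile matches it."""
    return not win10_check(report)

def any_hip(report: dict) -> bool:
    """Stands in for 'any' in the HIP column of the existing rules."""
    return True

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    hip: Callable[[dict], bool]
    action: str

def rulebase(deny_first: bool = True, n_allow: int = 300) -> list:
    """One deny rule plus many untouched allow rules (names are hypothetical)."""
    deny = Rule("block-not-win10", "sslvpn", "private", not_win10, "deny")
    allows = [Rule(f"allow-{i}", "sslvpn", "private", any_hip, "allow")
              for i in range(n_allow)]
    return [deny] + allows if deny_first else allows + [deny]

def evaluate(rules: list, src: str, dst: str, report: dict) -> tuple:
    """Top-down, first match wins; nothing matched means deny in this model."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.hip(report):
            return r.name, r.action
    return "no-match", "deny"

# Constructed sample host reports.
WIN10 = {"os": "Microsoft Windows 10 Pro"}
MACOS = {"os": "Apple Mac OS X 13.4"}
NO_OS = {}

if __name__ == "__main__":
    for label, rep in (("win10", WIN10), ("macos", MACOS), ("no-os", NO_OS)):
        print(label, evaluate(rulebase(), "sslvpn", "private", rep),
              evaluate(rulebase(deny_first=False), "sslvpn", "private", rep))
```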