OK I will try to keep it simple and us an OS as the example.

what we are trying to achieve is to allow all win10  devices access via the policies.

But we do not want to add this to all of the policies as there is hundreds of them.

so...   

objects/hip object   add name win10-check     general/host info/OS contains msoft windows 10.

then..

objects/hip profiles  add  name not-win10    match add NOT  win10-check

then..

policy add from sslvpn   to private   hip not-win10  any any any deny

i hope i got that correct as popping out...

so...   if you only allow a certain level in, AV etc. then block those that do not meet the requirement with a NOT hip profile.