You would like to control all web traffic from a specific operating system (OS).

To control the traffic from specific operating systems, the ProxySG appliance must be able to detect it. This process depends on the client sending the request. Most browsers include OS in the user-agent field in the HTTP request header.  For example:

https://msdn.microsoft.com/en-us/library/ms537503(v=vs.85).aspx
 

GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: microsoft.com

Windows NT 6.3

The Platform token identifies the operating system and version. The example token indicates Windows 8.1.

To deny all requests from Windows 8.1: 

1. Launch the Visual Policy Manager (VPM) from Configuration > Policy > Visual Policy Manager.
2. Create a new rule in a web access layer.
3. Set the source object as a new Request Header.
4. In the Set Request Header object, set the drop-down menu type to User-agent.
5. Enter Windows NT 6.3 in the regex field.  
6. Set the action to Deny.
7. Install policy.

Once the above steps are complete, all web requests from Windows 8.1 workstations are denied, provided the HTTP header is viewable by the ProxySG appliance, and it contain Windows NT 6.3 in the User-agent field of the request.

Note: This policy will stop most traffic from Windows 8.1 workstations, but any client application that obfuscates or does not send the user-agent string will not trigger the rule in this article.