If you are using the Check OS action you could add a new rule that will check for the session.browser.user_agent variable. Please remember that order does matter when defining rules. (i.e. if the rule session.os.platform is set to allow and the session.browser.user_agent is created below this rule and set to deny, an iPad will be presented with the FirePass logon screen. However if you put the session.browser.user_agent rule above the iPad will be denied)
Yeah, the problem with that is that you have to update the UAS everytime an update occurs. I would recommend placing a wildcard in the new browsers section to get set it to a specific OS and do allow/deny on that.