You can try blocking specific User Agents in the Role options - 

Users -> User Roles -> General -> Restrictions -> Browser 

A list of Browser Agent types for Android can be found at the following locations - 

https://developer.chrome.com/multidevice/user-agent

http://www.useragentstring.com/pages/Mobile%20Browserlist/

This is more of a workaround, as some browsers do allow users to change the UserAgent, thereby bypassing this check, but it should catch most users. 

You should be able to look for *JunosPulseAndroid* to block.

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB24614

Note:  This may change in the future with the migration of SA/MAG to Pulse Secure, LLC.

A Host Checker policy with no rules for Android would effectively block Android if the policy is enforced, would it not?

I tried this on my lab device and it is not possible.  It states you must have one version that is allowed.

One more option is to have a OS Hostchecker policy that allows only Android version 1.6 and lower. 

that will effectively rule out any Android device from connecting ever. 

I guess i'll use that as a temp solution until I can figure out how to configure using the browser names and such.

Is there a doc on how to use custom checks?

What custom checks are you referring to?

In order to use "looks" for  *JunosPulseAndroid* won't I need to make a custom HC check?

Kita, is this something that can be suggested for future versions?  I.e. being able to deny by OS?