Endpoint Security -> Host Checker
Policies -> New
Give it a name: "Windows Version Check" -> Continue
Select rule type -> Predefined: OS CHecks -> Add
And fill in the rest as needed.
Then in User Realms, select the desired login realm. Click on Authentication Policy and then click on the Host Checker tab and set it as desired. Make sure the box at the bottom that allows a login if any of the policies pass is un-checked.
Ok. So the Linux and Mac tabs of the HC policy are empty, but a Linux/Mac machine still evaluates the Windows tab of the HC policy, and it would fail under not being Windows XP or 200, etc?
What about letting in only Windows or Linux, but not Mac, for example?
The the user will never know about a particular Realm. This is because both Relams are set at the sign-in URL, but there is only 1 URL.
The host checks run at the Realm so as soon as you browse to the sign-in URL, the user will be simply left with a login prompt, not knowing that there are two realms and thruogh restrictions, they are only allowed to see 1 of them.
Also, there are HC checks for operating systems that can be utilized here.
I did it by establishing a separate login realm for Macs, which uses the same URL but with a /mac appended. That realm does not enforce any host checks.
The other option is to have the list of realms displayed on the login page, but I prefer a bit of security by obscurity sometimes. :-)