Remove/change user-agent of a client?

I got some idea in my head, and wish to know if this is somewhat possible with today’s uTIK devices:

Let’s say we have hundreds of clients on our subnet, and we wish to hide their browsers’ identities when they access internet.

For example a client happens to use a Firefox browser, and we wish to
a.) remove the user-agent header, or
b.) change it

This can give an extra layer of protection.

(How) is this possible?

This is entirely L7 operation. And ROS can not rewrite L7 information. With encrypted traffic (httpS) ROS even doesn’t see this information, let alone can it manipulate encrypted information.

A decent proxy server (browsers would have to be configured to use one) could rewrite this information … but again only for unencrypted connections.

Thank you @mkx! That was my deep feeling but I needed some confirmation.