Yes, that's the primary use of Smart Groups actually. To automate installs and uninstalls. All you should need to do is set up individual policies for each function, (uninstall/reinstall VPN, and uninstall/reinstall AV) then use the Smart Group "Sierra Computers" as you mentioned as the scope in both of the above policies to specify what computers these policies will run on.
What you'd need to decide on is the trigger. I would suggest the normal check in trigger here since as soon as the Macs run an inventory collection after updating, they will land in the Smart Group and on next check (say 15 minutes later), these same Macs will then run the 2 above policies that should remove and re-install the software in question.
Keep in mind that its possible there could be a lag between when a Mac upgrades the OS and they get the new/updated software titles. For example, a Mac may get upgraded, but unless it runs an inventory collection right after, it could be hours before its next inventory collection cycle. The above policies will never run on those Macs until they land in the Smart Group, which can only happen when inventory is collected.
You can try doing something like having a policy that collects inventory and nothing else scoped to all Managed computers that runs on Login or on Startup.
In the latter, you could run into a login delay in some circumstances, so you'd need to test that out to see how it works for you. Also, unless the Macs are connected to the network at login, its possible they won't be able to connect to your JSS to get the instructions to run the inventory collection (there is always setting it to run in offline mode though)
Same issue is true for Startup triggered policies. In the case of laptops connecting to wireless, they may not have a network connection at startup. So just a few things to consider.
There are more considerations and possible setups than the above.
Hope the above helps a bit.
