Originally Posted by ekrengel
I think setting the BES application loader to false, and using Group Policy "hash rules" should do the trick
For the hash rules, I'm blocking:
There is no way around it now, even if you take yourself off the BES or try to use the web upgrade
They would have to take themselves off the domain, or hack the local admin password, which isn't going to happen.
... or they could remove the IT policy from the device, and then perform the upgrade....
Of course then they would need to re-enterprise activate.