I think setting the BES application loader to false, and using Group Policy "hash rules" should do the trick
For the hash rules, I'm blocking:
loader.exe
application_loader.dll
BBWebSLLauncher.dll
ApploaderWebSL-Upgrade.msi
DesktopMgr.exe
There is no way around it now, even if you take yourself off the BES or try to use the web upgrade
They would have to take themselves off the domain, or hack the local admin password, which isn't going to happen.