On the technical aspect of the request it should be easy to enforce in an Microsoft AD Enviroment as below:
The challenge is on Mac with FireVault. I will look into what I have with Sophos as I use them for this. However you policy should be enough.
While i agree that a policy SHOULD be enough - they specifically said - technical.
FYI - No AD in this environment.
You can still enforce via local group policy for Windows.
yep... though I would/should use something like Salt or some other agent based solution to push out changes for this if for no other reason than consistency.