Never tried it, but it could work this way:
1) Create a query: list managed systems that do not match e.g. VSE 8.8 installed AND DAT not older than 5 versions AND last communication was e.g. today (AND AP enabled e.g., AND...) and save it.
2) Create a HIPS Firewall policy (not sure with v7) to allow only communication to ePO (and maybe DNS or so).
3) Create a server task to run the query from (1) as 1st action and as 2nd action push the policy from (2) to the clients that were listed by the report (maybe by tagging, or moving to a different OU/group etc). 3rd action: send a wakeup call to the clients.
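Added example, not part of the original post: the selection logic from step (1) in plain Python over a constructed inventory, returning the reason each system would be tagged for the restrictive policy. It is not ePO query syntax and calls no ePO API; the names `ManagedSystem`, `noncompliance_reasons` and `systems_to_restrict`, the thresholds and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REQUIRED_VSE = ["8", "8"]  # major/minor from the post's "VSE 8.8" example
MAX_DAT_LAG = 5            # "DAT not older than 5 versions"

@dataclass
class ManagedSystem:
    name: str
    vse_version: Optional[str]          # None = product not installed
    dat_version: Optional[int]
    last_communication: Optional[date]  # None = agent never checked in

def noncompliance_reasons(s, current_dat, today):
    """Return every criterion the system fails; an empty list means compliant."""
    reasons = []
    if s.vse_version is None or s.vse_version.split(".")[:2] != REQUIRED_VSE:
        reasons.append("VSE 8.8 not installed")
    if s.dat_version is None or current_dat - s.dat_version > MAX_DAT_LAG:
        reasons.append("DAT older than 5 versions")
    if s.last_communication != today:
        reasons.append("no agent communication today")
    return reasons

def systems_to_restrict(inventory, current_dat, today):
    """Systems failing at least one criterion, i.e. NOT (A AND B AND C)."""
    flagged = {}
    for s in inventory:
        reasons = noncompliance_reasons(s, current_dat, today)
        if reasons:
            flagged[s.name] = reasons
    return flagged

# Constructed sample data (host names, versions and dates are made up).
TODAY = date(2024, 1, 15)
CURRENT_DAT = 9000
INVENTORY = [
    ManagedSystem("WS-01", "8.8.0.1804", 8998, TODAY),
    ManagedSystem("WS-02", "8.7.0.570", 8999, TODAY),
    ManagedSystem("WS-03", "8.8.0.1804", 8990, TODAY),
    ManagedSystem("WS-04", "8.8.0.1804", 8995, date(2024, 1, 10)),
    ManagedSystem("WS-05", None, None, None),
]

if __name__ == "__main__":
    for name, why in systems_to_restrict(INVENTORY, CURRENT_DAT, TODAY).items():
        print(f"{name}: tag for restricted policy ({'; '.join(why)})")
```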