you can lock the Mac Device from JAMF and provide a message to be displayed. Navigate to the device to be locked from the Management tab Select Lock computer and provide the passcode and the message to be displayed. 

The simplest (short of locking the computer) will be a policy configured to trigger on login, scoped to a static group (where you identify these Macs), that uses jamfHelper to throw up something that would take over the screen(s). There are other options to jamfHelper, swiftDialog is one.

To make the login trigger more reliable, you could install outset (also on GitHub) and trigger jamfHelper, swiftDialog, or other tool, from a script within outset's login-every folder.

As @Shyamsundar said, deploy a remote lock command or better yet a remote wipe command. If the device ever comes online, it will be locked or wiped within a few seconds. I prefer wipe as we have authentication required to enroll devices, and the users AD account would be long disabled leaving the device a DEP brick. (Assuming you are open internet or cloud based)

One thing to be aware of, keeping a device in Jamf for this purpose does burn a license. I suggest getting your security folks involved, and possibly even issuing warrants if former employees refuse to return devices and their managers refuse or are unable to collect devices.

How do I deploy that lock command to a static group of computers? I do not see that option under policies.

Thanks