An MDM Lock command would do it, and it should happen just about immediately. There's absolutely nothing you can do to prevent someone from logging in past FileVault (short of physically removing the machine from them) since the OS isn't really booted at that point and there's no network connection. As @sshort mentioned you would have to address it after they log in.
