It seems it would be easy to add http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml to a mobile PAC file and redirect it to a local file I host on one of our servers, to block the newest updates but still allow devices to get an update.
I know it's a shot in the dark, but it would be nice if we could still allow devices to update to the second-to-latest version.