Using Santa to block Mojave upgrades

In the past, I'd used the fake installer approach to stop users from upgrading to the newest macOS version.

But with macOS 10.14 (Mojave), you can block the installer using Santa (see Using Santa to block an .app for more details on general Santa use). It's possible this Santa-blocking approach may have worked for High Sierra and Sierra as well—I haven't tested it on those.

Just download Mojave to your Mac, and then run

santactl fileinfo /Applications/Install\ macOS\ Mojave.app --key SHA-256
to get the hash to block.

For 10.14 (this will change for 10.14.1 and later versions), this command should add it to the Santa blacklist:

/usr/local/bin/santactl rule --blacklist --sha256 "590a8fda56798b456ccc4225ef62aea010c945d17bb4a452bf3f544fdba241d6"

We were able to test this on two Mojave installers downloaded using two separate Apple IDs, so the binary seems to be the same regardless of which Apple ID is used to download it.

If a user then tries to run the Mojave installer, she or he will see a message like this:

Again, since the rule is based on the binary's hash (all Apple certificates are whitelisted, so you have to block by binary), you would have to create a new rule for every new Mojave installer that comes out (10.14.1, 10.14.2, 10.14.3, etc.).
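
Because each installer version needs its own rule, the two commands above can be chained so the hash is read from whichever installer is on disk instead of being hardcoded. This is an added example, not part of the original post; the function names and the SANTACTL override are assumptions made for illustration, and it only uses the two santactl invocations shown above.

```sh
#!/bin/sh
# Added example: read the installer's SHA-256 from Santa and blacklist it.
# SANTACTL can be overridden (assumption, for illustration and testing).
SANTACTL="${SANTACTL:-/usr/local/bin/santactl}"

# Print the SHA-256 that santactl reports for a path.
# Accepts a bare hash or "SHA-256 : <hash>" style output.
installer_sha256() {
    out=$("$SANTACTL" fileinfo "$1" --key SHA-256 2>/dev/null) || return 1
    sha=$(printf '%s\n' "$out" | grep -oE '[0-9a-f]{64}' | head -n 1)
    [ -n "$sha" ] || return 1
    printf '%s\n' "$sha"
}

# Add a blacklist rule for the installer at $1 (santactl rule needs root).
# Returns 2 if the app is missing, 3 if no valid hash, 4 if the rule fails.
block_installer() {
    app="$1"
    if [ ! -d "$app" ]; then
        echo "installer not found: $app" >&2
        return 2
    fi
    if ! sha=$(installer_sha256 "$app"); then
        echo "no SHA-256 returned for: $app" >&2
        return 3
    fi
    # Send santactl's own message to stderr so stdout carries only the hash.
    "$SANTACTL" rule --blacklist --sha256 "$sha" >&2 || return 4
    printf '%s\n' "$sha"
}

# Run only when an installer path is given on the command line.
if [ "$#" -gt 0 ]; then
    block_installer "$1"
fi
```

Run it as root with the installer path as the only argument; it prints the hash it blacklisted, which is worth logging so you can tell which installer build each rule covers.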