On PCs, the best you could really do is restrict access to certain websites on certain boxes with TPMs the users can't disable. Remote attestation can lock people out of your stuff, but not out of their own stuff. For that you need control of the device. Of course, most mobile phones aren't easy for the user to have control of, but most PCs still are, so long as you scrub the rootkits (e.g. windows) off 'em