One possibility, depending on the size of your environment this may or may not be feasible to deploy or use:
Go to the Access Levels Management view in the client, and drag the "People in my company" and "People in domains connected with my company" down under the Blocked grouping. Then have the managers add all of their subordinates to their client contact list and drag them up into Team or Company.
This configuration will block IM, presence, and all aspects of OCS for users not specifically in the higher access levels. I'm not sure this is a recommended approach though, as you'd be crippling a lot of the product features in the process.