We have a maintenance mode in our application. In all the home pages of our app we check if maintenance mode is active. If so, the user is logged out with a Java action. When a maintenance window comes up, the user is presented with a notification of when the maintenance will take place, so he gets a heads-up about when the system will not be available to him. After he clicks it he can use the app normally, unless the timeframe for the maintenance is already there. Then he will be logged out. Works perfectly for us.
An idea of what you can do is make a setting like 'blocked', default false. Now, in the homeflow (you can find this in your navigation) you can do a check on this setting (except for the admin). When true, do a show page of the login page. Now the admin can configure if the App is available. To make sure everybody is out, I think you have to restart the app.
AFAIK it isn't possible to change the 5-minute window in which users get unblocked again. What I would suggest is to use the active boolean from System.User. Even though it might not be that logical, it's a lot less complicated than trying to make the blocked boolean fit for purpose.
In the security settings (tab Anonymous if I am right) you can specify which microflow to run when a user logs in. You can check the in-maintenance-mode flag and take appropriate action (reroute to a specific page, show a message and log out, etc.).
And do not forget to include webservices and other interfaces (scheduled import of emails for example) to make sure that all such automated processes adhere to the in-maintenance-mode flag.