We implemented a custom check in policy, and selected it for one of our TFS project. If a TFS client does not have the policy installed, TFS will show an error message with the installation instructions. This is all good.
However we have a problem when there is a new version of the check in policy.
It seems like TFS only enforces the policy name and not its version.
So even if I remove the old policy reference and add the new, all clients who already has the old version installed are still allowed to use it.
I would have expect that TFS would not allow to use the old version of the check in policy.

How could we enforce this?

One possible workaround could be to checkin the latest version number as a file to a project which can be accessed by anyone. The check in policy itself would read that file, compare the version with it's own version and generate a PolicyFailure if the version does not match.

Maybe there is an easier/better way?

Finally I decided to use the workaround originally suggested:

"One possible workaround could be to checkin the latest version number as a file to a project which can be accessed by anyone. The check in policy itself would read that file, compare the version with it's own version and generate a PolicyFailure if the version does not match."

Works well.

You could add policy version number to the end of policy name and introduce the updated version as a new policy.
This solution comes with a little management overhead but makes sure the you get the error with every new policy version.