Ship the device with a non-free bootloader. When the order is placed supply the person doing the ordering with a token. The token must be used by the purchaser to confirm delivery, and the device won't work until delivery has been confirmed (and payment received, if not paid in advance).
If all goes well the purchaser confirms delivery and the delivered device's serial number is OK'ed for re-loading. It goes online, sends its serial number, and is then able to download the code to re-flash itself to contain a freeware boot loader that can in turn load the free software it runs. This is a one-shot. There is no remote disable once it has been remotely enabled.
If the device is not delivered it is never authorised to re-flash itself so it forever remains a brick.
My credit card is delivered in a similar manner. It turns up in the post as a "brick". I have to phone the bank and authorize myself to confirm delivery, they then enable the card. If it's intercepted in the post, it's useless.