We did this by adding a microflow which retrieves all users except the ones with a admin role and set the active boolean on false.
We created another one that activates all inactive users. Before a deployment we deactive the users and do the the deployment. After deployment the admin logs in and do his stuff and after that activate all users again. Simple is that.
You could add a check to the home microflow for all roles, except MxAdmin, that inspects some instance maintenance mode variable/setting that can be altered by the Admin. If enabled, just show a default home page, probably with a customized redirect to a maintenance page.
If you absolutely must shut down the entire system to regular users, you could implement your own login mechanism. For an example on how to do this, check out the License Pool Manager module in the appstore. This will involve java coding though, and you can't show a maintenance page. Michel's idea is probably acceptable too and much easier to implement.