Anton, FYI, v9.5 will reach its end of life next summer; that’s something you can leverage internally for the upgrade.
It’s recommended to upgrade Relays as well, but old clients will continue to report. Also, if you have only 9.5 or newer clients, you don’t need to worry about Enhanced Security or minimumSupportedClient.
BigFix 11, instead, introduced support for TLS 1.3 and SHA-384, which is not backward compatible. You can enforce it only when all your infrastructure is v11; if you don’t enforce it, your v10 clients can continue reporting to the server (using TLS 1.2 and SHA-256). V11 Overview