You said it won’t work in your case, but the best bet is definitely to not have admin rights for most users.
Another thing to consider is to lessen the impact of BigFix on laptop battery life using something like: Automatically adjust BESClient settings when on battery power
I also think it might be possible to use ACLs to only allow modification of BigFix stuff with SYSTEM privs, which would make it a tad harder to tamper with.