By default, only fixlets and tasks from the “BES Support” site will execute on a Locked endpoint (so the “Unlock” fixlet can be run from that site only).
There’s an option to use the BESAdminTool to enable one additional custom site to run fixlets/tasks on Locked endpoints. If you don’t want to give operators rights to the BES Support site, you could define a custom site to host a copy of the lock/unlock fixlets in this way.
:edit: a bit of detail at “Multiple Locked Client Site Exemptions?”
I don’t use WebUI though, so I’m not sure how that affects things.