So, I thought that the answer to this question was “/Library/Preferences/com.bigfix.BESAgent.plist” in the __LockState key. However, after locking a macOS client, I’ve made that file read-only and immutable and can still unlock the client. The plist still shows -r--r--r-- and schg,uchg with a modified date of 30 minutes before my last unlock, so it can’t be stored there, can it?
Just changed the custom “Department” setting on this client at my desk to “ITSO” through the console. The client logs show “Command succeeded setting “Department”=“ITSO” on “Tue, 24 Oct 2017 19:21:16 +0000” for client (action:85290112)”. Both the Full Console and Web Console show “Department”=“ITSO”.
BUT
The com.bigfix.BESAgent.plist contains no such setting and QnA on the client returns the following:
Q: setting "Department" of client
E: Singular expression refers to nonexistent object.
What’s going on here?
Try stopping the client and see if it writes the settings to disk.
It wrote data to a temp file (com.bigfix.BESAgent.plist.[random string]) that appeared and disappeared pretty quickly, then created a new computer entry in the database upon service restart. I’m calling this effort a failure. No read-only locks on macOS.
Yeah, the plist needs to be writable always by the agent, so changing it to RRR caused wondrous things to happen, including the reset. The __LockState setting is in a dictionary inside 2 other dictionaries inside the plist and can be read by the setting command (as it's in one of the readable locations by relevance). The layout is the same as on a Windows registry. The following is done on a Mac running QnA:
Q: setting "__LockState" of client
A: __LockState=false
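
An added example, not part of the original thread and not BigFix code: a Python sketch that walks a plist recursively and reports where a named setting sits, however many dictionaries wrap it, and returns nothing when the setting is absent from the file. The sample plist and its key names (`OuterDict`, `InnerDict`, `Value`) are constructed placeholders, not the real layout of com.bigfix.BESAgent.plist.

```python
import plistlib

# Constructed sample, NOT the real BESAgent plist: the outer key names
# are hypothetical placeholders for "a dictionary inside 2 other dictionaries".
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>OuterDict</key>
  <dict>
    <key>InnerDict</key>
    <dict>
      <key>__LockState</key>
      <dict>
        <key>Value</key>
        <string>false</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def find_key(node, wanted, path=()):
    """Yield (path, value) for every occurrence of `wanted` at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + (key,)
            if key == wanted:
                yield here, value
            yield from find_key(value, wanted, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_key(item, wanted, path + (index,))


def locate_setting(plist_bytes, name):
    """Parse XML or binary plist bytes and return all hits for `name`."""
    return list(find_key(plistlib.loads(plist_bytes), name))


if __name__ == "__main__":
    # On a real client, read the file instead:
    #   locate_setting(open(path, "rb").read(), "__LockState")
    for hit_path, hit_value in locate_setting(SAMPLE_PLIST, "__LockState"):
        print("/".join(map(str, hit_path)), "=>", hit_value)
    print(locate_setting(SAMPLE_PLIST, "Department"))  # absent setting
```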