I could have sworn there was a built-in fixlet that did something around making sure the BES Client service was always running, but I can’t seem to dig it up. In any case, check out the solution in this thread: Client Self Health Check
You can push out a PowerShell script via GPO or other method. You could use a similar approach, or maybe a policy action that would run on the machine before a user disabled BigFix, that would create a local task to run a script to make sure the service is started on some interval.