We have our Console locked and have our tech's type in the password to unlock the console. Then they can disable whatever they wish. Only issue is the policy enforcement interval (Default is 5 minutes), it will turn everything back on.
If you want to give your tech's the ability to have it off longer, then you could either change the policy enforcement to longer or change the access protection policy to allow the framework service to be turned off. (Prevent McAfee services from being stopped.) Then the tech's could stop the framework service resulting in no policy enforcement. Then disable any options in the console....
I think those are your options.