It is possible to lock the SaaS agent in such a way that the users cannot be making changes on it. You would need to create a SecurityCenter (www.mcafeeasap.com) policy to configure restrictions. The policy need to be applied to the computers and endpoint agent should be manually updated to effect the changes on the endpoint system.
Please follow the instruction in the below KB to create a policy,
To assign the policy to the endpoint system, follow the below steps,
1, Navigate to the computers list
2, Select the computer that you wish to apply the policy by checking the box just before the computer name
3, Click on the dropdown, Assign Policy and select the policy that you have created.
To update SaaS agent manually, please follow the instruction in the below KB article,