is there a way for the end user to lock his device with a pin/pattern?
A PIN can be set in the Authentication rule. You can set the type of security lock-screen and how each is managed on the device.
To answer your second question, if the device is enrolled onto an instance 13 and below, you can right click on the device and select "unlock". This function can be found on 14+ by selecting the radial button on the device in question and then in the additional actions menu bar at the bottom find the "unlock" function.
If the device is not connected, it may be possible to reset the device assuming the Factory Reset restriction has not been put in place. Furthermore, if the device is ruggedised (Zebra, Honeywell etc.) it is likely there is a Factory Reset file present on the support website of the manufacturer.
The solution depends on your device Android versions and various settings used. It will be more tricky if you allow your end-users to access Settings to make modifications.
If your devices are configured in such a way that the Android system and MobiControl device agent cannot boot up and run without an unlock mechanism, then using Mobicontrol web console to unlock is not possible because the device agent is not yet ready to receive the unlock request if the device is not unlocked.
Factory Reset Protection (FRP) will not be automatically turned on if a PIN/pattern screenlock is used or when there is no Google account added with Devices' Settings. You can do a test on your devices to confirm that. If so, you can safely allow the end-user to use PIN/pattern screenlock without having FRP enabled. Then, as long as your MobiControl agent can get running after boot-up, sending an unlock request from MobiControl server is possible and is the easiest solution.
If end-users are disallowed from making modifications in device Settings, then a corporate-controlled Google account associated with FRP can be enforced and a forced factory reset without any risk of bricking a device is guaranteed. [N.B. your device can be bricked if you don't know the FRP Google account credential AND you cannot show any official proof of device ownership at the service centre of the OEM device vendor]. In this case, you can impose maximum number of failed unlock attempt in the authentication configuration profile, and when required, force a device factory reset by exceeding this failed unlock attempt limit. Then, use the corporate-controlled Google account credential to pass the FRP and reconfigure the device for re-deployment to another user.
It should be noted that for the latest MobiControl v14.3, there is a new "Factory Reset Protection" configuration payload introduced to ease deployment of this corporate-controlled "Google account" on Android Enterprise (but NOT for Android-Plus) devices. I have to test this new feature to see how well it helps with any real FRP deployment in the field.