You may need to re-enroll the Mobile Encryption device because it received a bad policy setting or it is not updating policy settings properly.
The following text was taken from the Symantec Mobile Encryption for iOS Users's Guide, Chapter 2:
Enrollment Guidelines for Symantec Encryption Management Servers running in DMZ Mode, not hosting Private Keys:
Hosting Private Keys is a requirement for Enrollment to succeed, as well as update policies. If users are allowed to enroll to Symantec Encryption Management Server, running in DMZ mode, unexpected consequences can take place. For more information on this behavior, and guidelines for this scenario, see article 165197.
Although Enrollment and Policy updates must not be initiated to/from cluster nodes not hosting private keys, these nodes can still be used to lookup keys with the keyserver service. There is also a preference which can be configured on Symantec Encryption Management Server, which will allow multiple keyservers to be used to do key lookups should one of the nodes not be available.
As per the Symantec Encryption Management Server 3.4.2 Admin Guide, an XML configuration file can be used to add this additional keyserver.
To do so:
Caveat: Currently, this secondaryKeyserver option only works when a specific Encryption Server is always accessed and only fails over to the secondary if the primary node is unavailable. If node 2 is unavailable, there is no option to failover to node 1.