SEPM enrolled to SES cloud.

This is caused by the option "Manage devices from the Cloud" checked in SES Integrations - Enrollment page. 

This option enabled lets the cloud console fully control the organization (groups, moving devices, etc.). 

After you disabling the option, then Symantec Endpoint Protection Manager, or a third-party directory service such as Active Directory, can manage and organize your devices.

Note:

This option enabled or disabled does not have effect on control policy management. The cloud console always manages the policies that are configurable in the cloud.

Disable "Manage devices from the Cloud" in SES or implement different authentication for SEPM users.