iOS or iPadOS devices running SEP Mobile, and enrolled in an Integrated Cloud Defense Manager (ICDm) domain where a Web and Cloud Access Protection (WCAP) policy is being used for full VPN tunneling, show an expired SEP Mobile certificate in the following area of the OS Settings: 

Settings > General > VPN & Device Management > Web Security Service CA > More Details > Signing Certificates

The certificate in question is:

profile.sepmobile.securitycloud.symantec.com 

All functions of the SEP Mobile app appear normal, however the presence of this expired cert may raise a question for administrators or device users.  

iOS or iPadOS devices running SEP Mobile and enrolled into a WCAP-integrated ICDM domain.  

This is expected and does not require any action.  

The profile.sepmobile.securitycloud.symantec.com certificate is a code-signing certificate which is only used during initial enrollment.  This certificate is renewed on a yearly basis, however there is no need for this certificate to be updated on devices post-enrollment.  The presence of this expired cert has no impact on the functionality of the SEP Mobile app.  

Note that the Cloud Services Root CA certificates which are used for the actual WCAP VPN tunneling functionality do not expire until 2036.