The machine's user where SEP is installed can uninstall SEP using the clean wipe tool in case if there is no password protection against uninstall using cleanwipe tool configured in SEPM client group.

SEPM, SEP 14.3 RU5 and later

Supported only on Windows devices that run 14.3 RU5 or later.
The user can download the CleanWipe tool on the client computer but must enter the password to run it.

In order to be able to configure the password for "Require a password to run Cleanwipe on the client" follow below steps:

1. Open SEPM and go to Clients tab.
2. Select the group of clients you want to configure a password for requiring a password to run Cleanwipe 
3. Select Policies tab
4. Click on Password under Settings
5. Configure the password
6. Check the box for "Require a password to run Cleanwip on the client"

Requiring password protection for Symantec Endpoint Protection client modifications