If "Always Allow for This Site" is selected, only new enrollments will trigger the invalid certificate warning.
Aside from clicking on "Always allow" during the certificate alert, there are several other options available so that end users are not presented with the invalid certificate alert:

Option 1 - Import the SSL certificate of Symantec Encryption Management Server to the "Trusted Root Authorities" of the Microsoft Certificate Store.
Mac OS X System Behavior with Self-Signed Certificate Suppression and Symantec Encryption Management Server:

Historically, the functionality from Item four listed above has never been part of the SED client for the Mac operating system. Even after importing the self-signed certificate and re-downloading the client, the certificate warning would continue to display.
Starting with Symantec Encryption Desktop 10.3 for Mac OS X, this certificate warning for self-signed certificates will now be suppressed after following option four above.
Ensure that both the Root and Intermediate CA certificates are imported into the list of Trusted Keys on Symantec Encryption Management Server before assigning the certificate to the network interface.
This ensures that the complete certificate chain is generated, which is then presented to the client.
Once the CSR process is completed, the certificate can then be assigned to the network interface in order to prevent the invalid cert alert from displaying.
Due to the certificate chain model, the client will then transitively trust Symantec Encryption Management Server, as the Internal Root CA is already trusted locally or through GPO.
See article TECH200530 for more information on this method.
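The chain behavior described above can be reproduced in a lab. This is an added example, not taken from the Symantec article or product: it assumes the `openssl` command-line tool is installed, and every name in it (the CA names, `keys.example.test`) is a constructed placeholder. The client trusts only the root, so verification succeeds only when the server also presents the intermediate.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: root CA -> intermediate CA -> server certificate.
# Every name below is a placeholder, not a value from the product.

new_csr() {   # $1 = dir, $2 = file stem, $3 = CN: fresh key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {   # $1 = empty working directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:keys.example.test\n' > "$1/leaf.ext"
  # Self-signed root (what the client trusts locally or through GPO)
  new_csr "$1" root "Example Internal Root CA" &&
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
    -extfile "$1/ca.ext" -days 30 -out "$1/root.pem" 2>/dev/null &&
  # Intermediate CA, signed by the root
  new_csr "$1" int "Example Intermediate CA" &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -days 30 -out "$1/int.pem" 2>/dev/null &&
  # Server certificate, signed by the intermediate (the completed CSR)
  new_csr "$1" server "keys.example.test" &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -extfile "$1/leaf.ext" -days 30 -out "$1/server.pem" 2>/dev/null
}

# The client trust store holds only the root. $2 selects what the server
# presents: "leaf" (server certificate alone) or "chain" (plus intermediate).
client_trusts() {   # $1 = dir, $2 = leaf | chain
  if [ "$2" = chain ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
  fi
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  build_chain "$demo_dir" || { echo "openssl failed to build the lab chain"; return 1; }
  for mode in leaf chain; do
    if client_trusts "$demo_dir" "$mode"; then echo "$mode: trusted"
    else echo "$mode: certificate warning"; fi
  done
  rm -rf "$demo_dir"
}
demo
```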