With Symantec Endpoint Protection (SEP) 14, the option 'disable Symantec Endpoint Protection' on Clients is automatically available.
14.x versions.
Generic Exploit Mitigation is introduced in intrusion prevention. There is a lock symbol next to Enable Generic Exploit Mitigation, which is unlocked by default, as shown below:
Follow the instructions in the links below to block the user's ability to disable SEP:
How to block a user's ability to disable Symantec Endpoint Protection on Clients
Click the lock symbol next to Enable Generic Exploit Mitigation to lock this feature, as shown below:
For 14.2 versions, follow the steps below to lock Memory Exploit Mitigation (also known as GEM).
Repeat the steps above for each MEM policy assigned to the SEPM groups and locations.
After the policy is updated on the SEP clients, the 'disable Symantec Endpoint Protection' option on clients becomes unavailable and turns gray, as shown below: