Ok. Just to clarify, the SEMS does not have any push functionality whatsoever. It does generate installers which can then be pushed via GPO or other third-party endpoint management software.
Basically, the SEMS manages policies per user group, which can be defined manually or by synchronizing with Active Directory. These policies control what features are activated, what features a user has access to, whether or not they have permissions to access/control the features, and whether or not the drive is encrypted automatically when the end user enrolls with the server. It also handles key management and recovery options.
In its simplest (for the end user) form, the user would just enter their AD credentials at an enrollment popup, and the software would handle the rest without any additional user interaction.