Just to confirm, when the issue occurs, this affects new installs only. Is that correct? An existing, working client continues to be in full communications with the SEPM and you can move it between groups and see the existing client reflect the change, yeah?
The reason I ask is that I have seen a similar issue, but it affects all clients and requires a restart of the "Symantec Endpoint Protection Manager WebServer" service (the apache/httpd bit) to resolve.
I've not encountered the selective loss of comms myself, and would look towards the client sylink logs as Brian suggests ("Thumbs Up" as always!) as well as the apache logs on the SEPM to see if the SEPM is actually getting anything from those clients:
http://www.symantec.com/docs/TECH94290