Password of the day for SEP disable or uninstall
The SEP manager could, based on date as a criteria seeded with the encryption key from the site, offer up a limited use password for disable or uninstall. The idea is that the master uninstall password which is also used for stoping the SMC service may not be something you want to propogate, changing it publishes new policy to all clients in that group, also something you may not want to do frequently. In the SEPM in the details for the group would be 1 or two daily generated vaues which could be given to support personel with no concerns that down the road they will use these without authorization. The client would have this criteria when the package was built, so it could calculate this daily password as long as its clock is somewhat correct.