Hello,
SMLatCST is correct, you may use the "AV requirement" template but at the least the SNAC agent should be already installed otherwise the check can't be done.
If a system does not have SEP, it is unlikely there's SNAC (but it is possible, one may have a non-Symantec AV and just SNAC w/o SEP); in such case, you need to use SNAC on-demand, i.e., if an unknown system is plugged in your network, it will get a temporary SNAC agent to perform the host integrity.
"Take the symantec client out of the network." is not that banal task, it can be properly done if you have a complete SNAC solution (LAN enforcers, RADIUS servers, 802.1x switches, etc.), proper expertise is required to design and implement it.
Finally, having the SEP 12.1 clients to use Symantec LU servers after X days w/o defs can be already set in the LiveUpdate policies, within the SEPM console, regardless of SNAC and HI policies.