I don't think there is anyway around it, the users are going to have to re-provision. Having them do just a simple Update Configuration on their device should do the trick.
Can you verify your MDM and Push apple certs are not expired? Certs can just be readded, no recovery needed.
Also does, querying the phone bring it back into compliance?
I updated 10.1 or 10.2 to 10.2.4 and have not had that same experience.