Actually that's not what these devices "are for". They're tools for enforcing company policy. That's it. They are not evil in and of themselves. Do clueless organizations try to use them for "nannying" their employees to death? Every day. And they're so busy making sure Joan in Accounting doesn't spend 15 extra minutes on Facebook that they miss all the PII and company IP going out one of the many other open transports out of the company network. Any company that is serious about security either doesn't allow this information on the untrusted network (where the users live) in the first place or they lock down internet access to the point that most employees don't even know the company has a connection to the internet. Everyone else is a breach in progress.
And no, you don't need a certificate from a trusted CA to do SSL MITM on a Bluecoat (but it would come in handy for a government entity spying on its citizens). All you need is a trusted wildcard cert. The Active Directory CA cert would work just as well in a corporate environment.