CLI is in Lockdown by default. It is not controlled via policy, but by a task. Create and assign a run once task to permit CLI access. You can also Recover the CLI locally if you know the password.
NEVER leave CLI in recover mode for extended periods of time, Recover state breaks connection to/from ePO. Check the McAfee KB for the product guide.