The container this client is under has a firewall policy in place. Also, the client itself has the SEP firewall turned on. Why would it continue to say "Disabled by policy?"
Exact version of SEP? Could be a bug if running an older version.
Does the policy on the SEP client match the policy number in SEPM? Has the client checked in recently? Has SEPM reflected the client checking in?
Right-click on the client, select run command -> Enable network threat protection.
Update policy