Why Are My Apple Devices Are Allowed to Update iOS?
Because they're Apple devices ;). Great for personal devices, not ideal for enterprise devices. Have you tried also blocking the update server url(s) in addition to the update delay policy?
What are the version and build numbers of your server?
From the device information tab of each of the 3 devices, have you checked if they all are DEP devices in supervision mode?
From the device configuration/profile tab of each of the 3 devices, have you checked that the status of the profile with the delaying OS updates restriction is "installed"?
For the problematic device, are there more than one profiles with CONFLICTING restrictions payload deployed?
We are on version 18.104.22.16894.
Yes, they are all DEP-supervised devices.
The configuration tab shows that the profile is installed (there aren't any other profiles that could be conflicting). What is strange is that if I administratively remove the profile and then re-install the profile, it will block the update properly. It seems like we have several devices that show the profile is installed when it isn't actually working properly.
If I remember correctly based on my previous tests, this "delay Firmware Update" restriction is guaranteed to be effective only after a soft reset. Probably buggy iOS firmware implementation (by arrogant but incompetent Apple programmers) that cache this restriction setting, and does not update immediately after each modified profile received, and there is nothing Soti agent software can do. Just remember to force a soft reset after deploying such restriction.