Hi @PMH,
As mentioned in the documentation you linked, the access point will use the User-Agent string field of an HTTP GET request packet to determine the operating system of the client when it first associates, and allow or deny access accordingly.
Some clients may misidentify themselves when specifying the User-Agent string field of an HTTP GET request.
Did you try to take a packet capture while one of those devices/clients is trying to connect to the Wi-Fi?
Can you see if the devices are misidentifying themselves?
You can check what sort of device has been misidentified by looking at the packet capture and filtering by http to check the HTTP GET request.
If this device is misidentifying itself as another operating system, not iOS, then the device type policy enforcement is done on a best-effort basis, dependent upon the information that the client provides.
When needing to enforce security-focused policies based on device type, please leverage solutions such as Meraki Systems Manager, or Cisco ISE.
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
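The capture check described in the reply above, as an added example that is not part of the original post and is not Meraki's code: it pulls the User-Agent out of HTTP GET requests and lists the clients that were not consistently seen as the expected OS. The substring rules, function names, MAC addresses and sample requests are assumptions constructed for illustration; the access point's real classification logic is not on this page.

```python
from collections import defaultdict

# Heuristic substring rules (an assumption for illustration, not the access point's logic).
# Order matters: the iOS tokens are checked before the generic "Mac OS X" token.
RULES = [("iPhone", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
         ("Windows NT", "Windows"), ("Mac OS X", "macOS")]

def get_user_agent(raw: bytes):
    """Return the User-Agent of an HTTP GET request, '' if absent, None if not a GET."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("GET "):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # header names are case-insensitive
            return value.strip()
    return ""

def classify(ua: str) -> str:
    for token, os_name in RULES:
        if token in ua:
            return os_name
    return "unknown"

def clients_not_seen_as(records, expected):
    """Map client MAC -> sorted OS labels for clients with any GET not classified as `expected`."""
    seen = defaultdict(set)
    for mac, raw in records:
        ua = get_user_agent(raw)
        if ua is not None:
            seen[mac].add(classify(ua))
    return {mac: sorted(labels) for mac, labels in seen.items() if labels != {expected}}

# Constructed sample: (client MAC, raw HTTP request) pairs as exported from a capture.
SAMPLE = [
    ("02:00:00:00:00:01", b"GET / HTTP/1.1\r\nHost: example.com\r\n"
     b"User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)\r\n\r\n"),
    ("02:00:00:00:00:02", b"GET / HTTP/1.1\r\nHost: example.com\r\n"
     b"user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)\r\n\r\n"),
    ("02:00:00:00:00:03", b"GET /hotspot-detect.html HTTP/1.0\r\nHost: captive.apple.com\r\n"
     b"User-Agent: CaptiveNetworkSupport-407 wispr\r\n\r\n"),
    ("02:00:00:00:00:03", b"GET / HTTP/1.1\r\nHost: example.com\r\n"
     b"User-Agent: Mozilla/5.0 (iPad; CPU OS 17_0 like Mac OS X)\r\n\r\n"),
]

if __name__ == "__main__":
    for mac, labels in clients_not_seen_as(SAMPLE, "iOS").items():
        print(mac, labels)
```

A client that shows more than one label, or a label other than the expected one, is a candidate for the misidentification the reply describes.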