If you want to enforce SEPM firewall rules, you have to switch to Server Control:
Clients > Group > Policies > Location-specific settings > Client User Interface Control Settings > Server Control
In Server Control mode, SEPM firewall rules will be enforced on the clients. Users cannot create their own rules.
In Client Control mode, SEPM firewall rules will be ignored, only users can create rules.
In Mixed Control mode, rules on SEPM and clients will be, well, mixed. That's the order:
- SEPM rules above the blue line in the rules table
- Client rules
- SEPM rules below the blue line.
In most cases, Server Control is the way to go.