What brand/model is your device?  And the Android version?

Are you using Android+, Generic Android or Android Enterprise device agent?

Hi. Sorry for the late response.

This is a device a client choose.

Symbol TC55, Android 4.1.2. Can't upgrade OS, this is the max. Using Android+.

Did you include any feature control policy or device-side out-of-contact policy with script to disable cellular data under certain condition(s)?

Did you add Settings in a blacklist of an Application-Run-Control payload on top of disabling setting in the kiosk menu?

Is it possible that the device user get to device administrator mode with a leaked device administrator password and change the "Data enabled" status in Settings?  Have you checked the device log to see if it has entered administrator mode unexpectedly?

Is it possible to boot the device into safe-mode and change the Settings there?  (Unfortunately, I don't have this device and cannot verify if it is possible to block booting into safe-made on this Android+ device. )

Sorry for the delayed answers, here you go -

Did you include any feature control policy or device-side out-of-contact policy with script to disable cellular data under certain condition(s)?

 >>No, we only checked off boxes that are used to create lockdown<<

Did you add Settings in a blacklist of an Application-Run-Control payload on top of disabling setting in the kiosk menu?

  >>No, we do not have a blacklist

Is it possible that the device user get to device administrator mode with a leaked device administrator password and change the "Data enabled" status in Settings?  Have you checked the device log to see if it has entered administrator mode unexpectedly?

   >>No, the problems existed before any administrator mode was used.

Is it possible to boot the device into safe-mode and change the Settings there?  (Unfortunately, I don't have this device and cannot verify if it is possible to block booting into safe-made on this Android+ device. )

>>Not that I can see. The lockdown is set up to prevent that behavior.

Based on your second to fourth answers, which does not make much sense,  I think there is some misunderstandings on how and what to configure to provide the required security.   I advise you to open another support ticket with Soti support team to further investigate with real expert.

Firstly, the UI design (hardware/software keys, notification/status bar & shortcut, etc.) of your device and item(s) defined in your lockdown profile can create new loophole(s), which might need to be covered with application run control payload. 

Secondly, device Administrator mode must be configured and enabled before any other payload can function properly in all Android devices.  Set a stronger password and change it regularly, and use alert rule or other means to monitor device log to check for any unexpected change to this mode. 

Thirdly, safe mode of each Android device cannot be blocked by Lockdown menu policy.  Feature control policy is needed.  However, your have to check if your device firmware support such feature control option.