You upgraded the Advanced Threat Protection appliance to ATP 3.0, but it takes an hour or more for the SEP 14 RU1 clients to get enrolled in EDR2. You also notice a long delay for Isolate and Rejoin commands if the clients are configured for Push mode.
The ATP does not immediately begin to enroll clients upon upgrade, the ATP software waits for the next SEPM gatherer job which runs every 60 minutes.
The ATP still relies on the SEP client's heartbeat for the Isolate and Rejoin commands, so depending on that value it can take longer than expected for the commands to complete.
This will be addressed in a future release of ATP. Until then, this is expected behavior.