Can you skip network connection in Android Enterprise Edition?

Arifn
Level 2.0: Eclair

Hello community,

We have Samsung XCover6 Pro Enterprise Edition phones that were sent to a customer in May this year (Android v.12).

They started the phone but didn't enroll it. They just started the phone and put it on the shelf, the battery died, and now they have started the phone. There are two problems:
1. They can skip connecting to the Wi-Fi

2. Even if they connect to Wi-Fi the phone doesn't get enrolled; the enrollment phase never comes up, and you can just continue the setup normally

If we remove the phone from the Zero Touch Portal, hard wipe the device by connecting it to a PC, then upload it to ZTP and connect it to Wi-Fi, then it starts with enrollment.

So I wanted to test this myself. I took the exact same model of the phone Samsung XCover6 Pro Enterprise Edition from our shelf and started it and to my surprise I COULD NOT skip network connection. 
Now the only difference between the phone that I tested and the phone that we sent to the customer is that we sent the phone to the customer like 6 months ago, but my test phone was purchased recently, like a month ago.
I tested this with several different Enterprise phone models and got the exact same result! COULD NOT skip network connection. I had to connect to a network before continuing with the setup.

This is exactly what I want because of the obvious reasons.

 

So my questions:
Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version? 


Sean
Level 1.6: Donut

To my knowledge and based on actual testing, because Zero Touch relies on the device connecting to Google's servers over the internet for verification, even if the setup wizard initially opts for an offline configuration, once the device connects to the internet, the system, through Google Play Services, detects Zero Touch settings and will mandate a forced reset of the device.

Moombas
Level 4.0: Ice Cream Sandwich

Totally true.

If devices are enrolled without an internet connection as a normal consumer device, as soon as the device goes online and gets detected by ZTP it will get a notification that the device will force a wipe in ~2 hours.

It could be that this won't happen if the device is connected to a restricted network where no access to Google services is given (just an assumption) but access to the rest of the internet is, but I never tested that.

Arifn
Level 2.0: Eclair

Yes I have come to understand how ZTP and the device talk and work with each other.

Though, my question remains:
Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version? 

Arifn
Level 2.0: Eclair

We have over 40 devices uploaded to ZTP six months ago but when started and connected to internet nothing happens. And still my question remains about the mandatory internet connection at the initial startup and set-up of the device.

Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version? 

Moombas
Level 4.0: Ice Cream Sandwich

No, as you can use them as a COPE or BYOD if you want. Especially the BYOD won't need a network connection during enrollment.

Sean
Level 1.6: Donut

I believe the issue arises from a mismatch between the data uploaded to the ZT portal and the information present on the device end. For instance, the data uploaded to the ZT portal might be IMEI1, whereas the data retrieved on the device end is IMEI2, which typically indicates an OEM image problem.

Regarding your question, I agree, you can refer to https://support.google.com/work/android/answer/10513641?hl=en

Arifn
Level 2.0: Eclair

Okay, but after we wipe the device completely, remove it from ZTP and re-upload it, it works. I mean the image doesn't change, it's still the same image even after the wipe.
Also I can't explain why I can skip the network connection on these devices specifically and I couldn't do it with my other test devices. They have the same Android version.

Logically, if it's the enterprise version you shouldn't be able to skip the network connection during the first-time setup.

Moombas
Level 4.0: Ice Cream Sandwich

Interesting, I can enroll all our AER devices the first time and after that without any network connection as far as I know, but they then behave as you described: enrolling like a consumer device (or more likely unconfigured devices without any Google account etc.).

Arifn
Level 2.0: Eclair

Yes, so on the enterprise model of the device, it should not be possible to skip network connection for the initial device setup. I confirmed this by taking in 4 different models of Android enterprise phones from Samsung and none of them gave me the option to skip network connection at the initial setup.
I had to connect it to Wi-Fi or use cellular data.

But then we have these that are sent to the customer, the exact same model that I test, AND they can skip network connection at the initial setup.
As @Sean mentioned, maybe a misconfigured OEM image from Samsung? I don't know, I don't have any answer and I have been working with the issue for over a week now. Done like a 100 tests!

Moombas
Level 4.0: Ice Cream Sandwich

Tested and you are right (again learned something, thanks!).

But I'm not sure what Google is checking it can connect to in that step, because reachability of the ZTP won't be part of it, as companies may not use it and so don't want to grant access to it.

If the Wi-Fi network you connect to provides internet access but blocks the relevant Google services it could be possible to enroll without ZTP detection.

Also sometimes because of a somehow strange issue it could happen that devices are not detected by the ZTP correctly (enrolling as consumer device even if listed in ZTP correctly).

We have seen this on very few devices where it helped to reassign the correct configuration and after a wipe they were detected correctly. Is this maybe the case here as well?

jasonbayton
Level 4.0: Ice Cream Sandwich

@Arifn

Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version?

No, this would be configured at the OEM for their build of Android. Most devices don't even know they're for enterprise until after they first connect to the internet where ZT is concerned. Samsung gains the benefit of OEM solutions storing locally a config after first setup to force devices to connect to the internet, though this wouldn't normally apply for ZT, rather KME.

Are you ZT exclusively or have you used other Samsung solutions to date? KME or Configure?

Arifn
Level 2.0: Eclair

Hello @jasonbayton and @Moombas, thank you for the reply 🙂
We are using only ZT for this customer but I am familiar with Samsung's KME too and have used it with other customers.
But here is another thing that I discovered. I tested four different enterprise models of Samsung phones: A53, A33, XCover6 Pro and S22, without even uploading them to Knox or ZTP. They behaved exactly the way I want them to. Out of the box, I couldn't skip network connection in first setup. This was set to true for all the models above that I tested.

So this could be very much as you say, there could be another build of the OEM image on these phones that were sent to our customer.
But then these phones, we uploaded them to ZTP before we sent them to the customer, this is what gives me a headache! They don't talk to ZTP; after they are turned on and connected to the network, nothing happens. And no, there are no network restrictions that could prevent them from talking to Google APIs and services.

And of course we could solve the problem by hard wiping the devices, reimporting them into ZTP and enrolling them, because this works. But we are talking about more than 100 phones here....

I have double checked and they have a config profile in ZTP and were imported correctly.

I just want to know the root cause of the problem (why they aren't talking to ZTP and why we have to hard wipe every device) so I can present it to our customer.

jasonbayton
Level 4.0: Ice Cream Sandwich

I think you'll need to speak to Samsung on this.

If the devices are showing correctly registered in ZT either via IMEI1 or SN & hardware details, and the config is assigned, it sounds to me like a bug in the build missing a step.

Are you buying enterprise edition models or anything outside of standard off-shelf devices from a normal retailer?

Are you able to flash/update with e-FOTA or OTA these devices to their latest builds and verify the behaviour still happens?

Arifn
Level 2.0: Eclair

@jasonbayton 

Are you buying enterprise edition models or anything outside of standard off-shelf devices from a normal retailer?
We are buying enterprise edition only.

I haven't tried to update them to the latest build because the customers are using the phones on a daily basis, but I will definitely give it a shot.

I have now opened a ticket with Samsung and they think (not sure) that these phones are missing a GSM update.

Thank you for all the help, replies and info!