So I'm sort of new to PM, but I thought I would offer my advice so far.
First, I don't *think* this could have anything to do with internet/network connection or not having a first communication. Assuming that your device isn't present in Profile Manager at all, when you enroll it - that's something happening from the client side. The server doesn't know you are applying an Enrollment Profile until the enrolled device reaches out to the server and says "hey, enroll me with this!"
Therefore, the fact that even a Placeholder is getting created seems to be evidence that communication is happening between client/server.
I am going to assume that in your 3 scenarios above all else is equal. For instance, all machines are on the same subnet/network, etc., and that can't be playing a factor. What I would be interested in seeing is for you to do one of two things:
1) Manually run the Trust Profile and Enrollment Profile .mobileconfig that you download from MyDevices. This isn't exactly the same as just clicking on "Enroll" in MyDevices.
2) Log in to the MyDevices portal as an admin user and you should see all the Enrollment Profiles listed there - enroll from there and see how it goes.
If they are working by manually running, but not via your deployment task, that might be somewhat telling.
I suppose there is a slight possibility that different ports are used when you just click "Enroll" vs. use the .mobileconfig files, and that somehow there is enough communication to create the Placeholder, but not to fully register it? I think that's a long shot though.
On this same topic, I'm also going to throw a related question in the mix:
When you go to delete a device from within your list it has the options "Unenroll" or "Revert to Placeholder."
If you choose Unenroll, it reaches out to the device and removes the profile and ALSO reverts it to Placeholder.
If you choose "Revert to Placeholder" it seems to leave it in a state where the server thinks it's just a Placeholder, but the client still has the policies applied and from the client end all looks well. I can't see a great reason to use this option?
Update:
So I read a couple other things that may be germane to your situation.
1) I might not be wrong with my suspicion of only some firewall ports being open... so confirm that all the required ones are.
2) I read about a similar problem and the solution was making sure the device was registered to a user. This might make sense because when you log in to MyDevices you are doing it as a user account, but when you just Deploy Enroll it is "user-less." I'm not fully sure of the full ramifications of this yet, but it is something to try (?)