@rapropos and @Sujan12,
Problem solved now.
The problem was not the plugin… It was the package-lock.json! 
This small patch is the solution.
Then the plugin will be installed directly from package.json and not via package-lock.json.
I don’t know if the integrity hash is wrong or the resolved path. Maybe the version or the name is wrong. I don’t know.
I only know that it is fixed without this line.
package.json
"dependencies": {
"cordova-plugin-device": "^1.1.6"
}
Thank you for your help and ideas!