Encrypting Galaxy Nexus

[mitch1764]

I encrypted my Galaxy Nexus because I thought it would be a good idea but now I can not get access to either the CDMA or LTE networks. I'm still able to access WiFi. Is anyone else having this problem does anyone know how to fix it?

 

[jlongjr27]

I was forced to encrypt my phone because of exchange policies. I don't have any problems, other than longer boot times.

Interestingly, I am the exchange admin here and I never set that policy and I don't see where to change it in exchange. Though honestly I haven't looked into it very deeply. I like the fact it forces encryption and I wonder why exchange doesn't force encryption on 2.X devices or I devices.

 

[tk-093]

I was forced to encrypt my phone because of exchange policies. I don't have any problems, other than longer boot times.

Interestingly, I am the exchange admin here and I never set that policy and I don't see where to change it in exchange. Though honestly I haven't looked into it very deeply. I like the fact it forces encryption and I wonder why exchange doesn't force encryption on 2.X devices or I devices.

The phone actually has to support the exchange encryption policy for it to work. I don't think 2.x versions of Android support that policy. (Now Motorola added encryption themselves to the Droid Pro I think, which can be a curse or a blessing in Android as it's a crap shoot sometimes as what Exchange policies will work on what device.)

As for iDevices, they should be getting encrypted as well. The cool thing about iDevices is that they have a hardware chip that does the encrypting so it is instant and has no impact on the device as opposed to software based encryption which adds overhead. I think the Xoom manual said it could take a few hours to encrypt initially... ick.. no thanks.

We have not moved to the version of Exchange that supports encryption yet so I can't tell you where that policy is, but I think it is called: Require Device Encryption

 

[jlongjr27]

My phone took an hour and a half to encrypt and during the encryption process it was unusable. I like the fact that phones connected to exchange would be encrypted. I'm going to have to look into this further now and try to find that policy setting. I'm also going to verify that Idevices connected to my exhcange server are encrypted automatically. I wonder if all android 4.X devices will have the ability to encrypt via policies?

I honestly can't tell if there was any overhead put on my phone because of encryption other than the longer boot time because as soon as I got my phone I updated to 4.0.2 and connected it to exchange and encrypted it. Now I am curious to see what the overhead might possibly be. Maybe there isn't any because of the more powerful processor.

 

[tk-093]

My phone took an hour and a half to encrypt and during the encryption process it was unusable. I like the fact that phones connected to exchange would be encrypted. I'm going to have to look into this further now and try to find that policy setting. I'm also going to verify that Idevices connected to my exhcange server are encrypted automatically. I wonder if all android 4.X devices will have the ability to encrypt via policies?

I honestly can't tell if there was any overhead put on my phone because of encryption other than the longer boot time because as soon as I got my phone I updated to 4.0.2 and connected it to exchange and encrypted it. Now I am curious to see what the overhead might possibly be. Maybe there isn't any because of the more powerful processor.

Yeah, with modern phones you probably won't notice any overhead. It damn near killed old WinMo phones... ick.. If your Android devices are getting encrypted, I almost gaurentee your iDevices are, but since they use hardware based encryption, you wouldn't even notice it as it is pretty instant.

Now that I think about it, there are two policies you want to look for: (1) Require Device Encryption and (2) Device encryption enabled

The first policy makes it so your device HAS to support the encryption policy or Exchange will not let it sync. The 2nd one will just encrypt a device if it happens to support that policy. If 1 is off, and 2 is on, then a device will sync even if it doesn't support encryption. If you have 1 on, then only encryptable devices will sync. (Again, I'm just basing this off research I've done over the years.)

To complicate it further, when companies like Google, Apple, Motorola, etc, license ActiveSync from Microsoft, (and MS is making a boatload of $$ from those guys for that..) Those companies can support whatever subset of policies they want to. That's why some devices will just do password, while some will do encryption, etc....

They can also "lie" to Exchange. The perfect example is the old iPhone and iPhone 3G. They do not support encryption because they do not have the hardware chip to do it. Originally Apple set it up so when they would sync, those devices would lie to Exchange and say they were encrypted when they were not. Once Apple "fixed" that, they had a whole mess of devices that were working with Exchange that now were reporting correctly and were denied syncing... Exchange support on mobile devices can be "fun" expierence.

And this concludes today's history lesson.

 

[jlongjr27]

Yeah, I forgot about the ability to spoof device settings so you can connect to exchange. I personally haven't done it but I have came across posts where people talk about it.

I guess that's why blackberry is still far superior even today when it comes to corporate email and device security.

I found the settings for encryption and they are greyed out on my server because Require password is not checked. Strange...

 

[tk-093]

Yeah, I forgot about the ability to spoof device settings so you can connect to exchange. I personally haven't done it but I have came across posts where people talk about it.

I guess that's why blackberry is still far superior even today when it comes to corporate email and device security.

I found the settings for encryption and they are greyed out on my server because Require password is not checked. Strange...

Wow, that is weird. Encryption requires a password so if you are not enforcing a password then there is no way encryption should be turning on.

Did you accidently turn it on yourself possibly? In the security settings it is there to manually enable.. Maybe you accidently turned it on?

 

[jlongjr27]

No, I got a popup message when initially adding my exchange account that would not let email sync unless I encrypted my phone. There was a button on the message to start the encryption process.

 

[tk-093]

No, I got a popup message when initially adding my exchange account that would not let email sync unless I encrypted my phone. There was a button on the message to start the encryption process.

I think on 2010 (not sure about 2007) you can have multiple ActiveSync policies. Maybe because you are an Admin your account is in a differnet policy then the one you checked?

 

[jlongjr27]

I'm using exchange 2007. You can create multiple policies and apply them at the user level. I only have 1 exchange server and the default policy. I created another policy and will play with it.