Exchange Did Not Think My Nexus 9 Was Encrypted

Google recently upgraded Gmail for Android so that it now not only works with Gmail but also with POP/IMAP and Exchange. Last night I configured Gmail on my Nexus 9 to work with an Exchange server that enforces a security policy requiring device encryption. I didn't expect the encryption policy to be an issue because the Nexus 9 is encrypted by default, as shipped from the factory. Gmail, or the Exchange server, didn't believe the tablet was encrypted and therefore it refused to synchronize.

When I tap Settings, Security, the Encryption section is as shown below, indicating that the tablet is Encrypted. Clearly there was a disagreement between Exchange and Android on the tablet.

After searching via Google, I found others who have had the same problem. The key piece of information is posted in this issue thread on Google's Android forum.

If you have configured devices running versions of Android earlier than Android 5.0 (Lollipop) to be encrypted, and you have a Nexus 9, you should notice a difference in how the Nexus 9 boots up versus those devices. In prior versions you had to enter your device PIN or password once during the initial startup and then the device boots a second time to decrypt and startup. After the device boots, you have to enter that PIN or password a second time in order to access the device.

The default boot up process of the Nexus 9, with encryption enabled as indicated in the screen shot above, does not have the initial PIN or password prompt. Instead, it starts up just like any other, non-encrypted Android device, although you will have to enter the PIN or password in order to unlock it. Apparently, the Exchange policy that confirms whether the device is encrypted is checking to see whether that startup PIN or password is assigned, but it doesn't provide this specific information.

The encryption policy requirement causes Gmail to force you down the path of encrypting the device, in other words, it acts as if it thinks the device is not encrypted. If the battery has at least an 80% charge, and is plugged into power, you can elect to encrypt the tablet. The encryption process will reboot the device, determine that it is encrypted, and leave you at the screen lock, and you will keep cycling though this process.

To make Exchange, and presumably any other application or process that requires it, recognize that the device is encrypted you need to configure Android to require a PIN or password at device startup. Tap Settings, Security, Screen lock, then enter your PIN or Password. Tap the option you prefer on the screen lock screen, in my case Password, to display the page below and select the option Require Password (or PIN) To Start Device and tap continue. You will be prompted to enter either a Password or PIN and specify how notifications display on the screen lock page.

After configuring my Nexus 9 to require a password at device startup, Gmail and Exchange recognized that the tablet was encrypted and data synchronization began. Assuming that the Nexus 9 is in fact encrypted by default as the settings indicate, Android should be reporting that a device startup Password or PIN is required rather than acting as if the tablet is not encrypted. As it exists right now, the user is sent down an infinite loop of executing the process for encrypting an already encrypted device and returning back to the Gmail Exchange account settings to encounter the Encryption Security policy requirement over and over.


Last built: Wed, Feb 17, 2016 at 3:26 PM

By Frank McPherson, Wednesday, January 7, 2015 at 3:18 PM. Yeah well, that's just, you know, like, your opinion, man.