This one goes out to my IT pals.

Ice Cream Sandwich (ICS), a.k.a. Android 4.0, makes it even easier for people to bring their personal Android devices to work. In ICS, we’ve remained focused on delivering best-in-class security and encryption, Exchange support, VPN access, and powerful productivity features. Here’s a complete rundown:

Security and encryption
Ice Cream Sandwich provides full internal storage encryption on both phones and tablets. We openly share how we implemented encryption within Android using Linux dm-crypt (see more details at http://source.android.com/tech/encryption/android_crypto_implementation.html), and we will soon open-source our implementation for further review within the Android community. ICS adds ASLR to Android to protect the system and apps from memory exploits. ICS also has a new public keychain framework to make it easier for applications to manage authentication and secure sessions. And, as with every release, ICS fixes bugs, cleans up permissions, and improves end user insight into security issues. For more information, please check out our recently released Android security overview at http://source.android.com/tech/security/index.html.

Device management and Exchange ActiveSync
Ice Cream Sandwich updates Exchange support to use the EAS v14.1 protocol. ICS adds EAS policy support for limiting attachment sizes, disabling attachment downloads, enforcing manual sync while roaming, and disabling the camera. That brings the total number of supported EAS policies to 16. ICS additionally enables client certificate authentication to Exchange servers. Many of these device management capabilities, such as remote wipe and password strength enforcement, are also available in Android’s open Device Management APIs for other device management solutions.

VPN support
Ice Cream Sandwich adds out-of-box support for pure IPSec VPNs to support many commonly deployed VPN routers. This complements the pre-existing support for L2TP, L2TP/IPSec PSK, L2TP/IPSec RSA, and PPTP VPNs. ICS also creates a new platform for SSL VPN clients which can be downloaded from the Android Market.

Productivity
Android continues to make Google Apps and Microsoft Exchange customers more productive with the built-in suite of contacts, calendar, and email apps. ICS brings Honeycomb’s improvements to global address list support and email widgets onto phones for the first time. ICS also adds a number of improvements to the email app including server-side search for Exchange and IMAP, nested sub-folder navigation and sync controls, reply/forward indicators, quick responses, and better app navigation.

So with all that, we sincerely hope you get to enjoy Ice Cream Sandwich for work and for pleasure.
17 comments
 
Hi Gabe, reading up on the Android + Encryption bits, I'm curious if eCryptfs was considered as an alternative to dmcrypt, and if so, why dmcrypt was chosen? Thanks.
 
Nope, to google apps account support yet :(
 
I can hardly wait for the update for my Google Nexus S, especially for the VPN feature. I hope to see the ICS update pop up on my phone next morning :)
 
These are some great features! Especially the additional active sync support. Was a method to install an exchange account using device administration added?
 
Is the LEAP wireless authentication method already available on ICS? I can't connect to the network at my job because of this limitation =/
J. roto
 
I am drooling over when this drops for my Samsung Galaxy IIS -- any news on the "when"?
 
You are right Steve, that's really a need for us, IT guys, and I thought they already implemented that on ICS...but looks like they didn't...
 
How about face recognition? Does anybody have a link as to what degree developers can implement the face recognition features of ICS? That's some powerful stuff.
 
Thanks,

How about application management by the administrator for the end users?
 
Maybe off topic, but what about memory bloat? I have an HTC Desire and it is out of memory because it syncs Gmail "Other contacts" that is stuffed with G+ circle contacts. ICS will probably not fit on my phone and I doubt it will fix the memory problem anyhow. You guys are killing me.
 
The exchange functionality is definitely improved. One thing that bugs me is that they've gone to the effort of enabling sync for sub folders so mail is pushed but there are no notifications. My server side rules put the majority of my mail in sub folders so I never get notified. Yet I can navigate to the folder and the mail is already there. It seems crazy. Is this going to be fixed?
 
Here are some thoughts about ICS encryption and suggestions about how it could be improved:

1. Keychain API is actually a secure storage and API (with UI) for PKCS12 and public trusted X.509 certificates, which is not very flexible and doesn't cover many use cases.
Desired Functionality:
a. Make it UI-less, so I could get parameters through custom dialogs.
b. Make it usable for other secrets, e.g. I want to store passwords, access tokens and other sensitive info.

2. Partition encryption - I didn't find a way to encrypt files. Encrypting the whole partition might not be very practical and I think iOS has file level encryption.

I could use PBE and implement a secure vault for any type of secret, of course, but since I don't have access to the device PIN in my applications, I would need to introduce yet another application-level password ... and it will completely piss off a user who would need to enter passwords two times: the first time to unlock the device and the second time to unlock an application's vault.
 
I still have a problem with Exchange support and accessing the internet with proxy config!
I have a Galaxy Nexus.
 
What is the complete list of the 16 EAS policies... it is very difficult to find THE definitive list.
 
... and please don't point me to Wikipedia. :-)
 
How about the EAS Policy for Password Recovery? Is this compatible with Exchange 2010 EAS?