Properly handle unsupported encryption policy

* This fixes the case of:
  * a device that does *not* support device encryption
  * connecting to an account that *does* require device encryption
  * but also supports "non-provisioned devices" (making the encryption
    requirement optional.)
* Added unit test

Bug: 3367191
Change-Id: I894e68c4119a102dad02d2e0815fccdae1e87189
2 files changed