Configure Survey123 Properties in your MDM with AppConfig

Anonymous User · ‎08-06-2020

Starting with ArcGIS Survey123 version 3.10, you can now configure properties via Managed App Configuration (AppConfig) in your Mobile Device Management (MDM) solution or by configuring application property defaults when creating a custom build of Survey123 using ArcGIS AppStudio. By configuring Survey123 properties you can manage how the Survey123 field app is installed on mobile devices and ensure that the properties are standardized and configured according to your company policies in your enterprise environment.

What are EMMs and MDMs?

Enterprise Mobility Management (EMM) is a set of people, processes and technology focused on securely and efficiently managing systems and devices (desktop, server, and mobile). This includes setting policies, pre-configuring settings, applying restrictions, deploying apps, and setting profiles and assignment policies to deliver apps to your managed devices. The management of mobile devices is one of the many components available as part of an EMM solution.

There are a number of Mobile Device Management (MDM) solutions that can help you implement your EMM solution for managing your enterprise mobile devices, and these MDM solutions include support for what is known as Mobile Application Management (MAM). Here are just a few of the available MDM solutions that many of the Esri mobile apps have already been tested and successfully deployed with: VMware Airwatch, Microsoft Intune, MobileIron Cloud, Samsung Knox, Citrix XenMobile, IBM MaaS360, and Cisco Meraki.

What is Managed App Configuration?

Managed app configuration allows apps to be remotely configured through an EMM solution. In order to use managed app configuration, the app must be installed on the device and managed via an MDM solution. While managed app configuration is a feature supported by most of the popular MDM providers, it's best to check with your provider if this feature is supported.

In general, MDM providers support AppConfig using key-value pairs. In Survey123 we follow the guidelines found within the AppConfig community's XML standard specification for iOS, Windows, MacOS and Linux. On Android, we support Android's Restriction Manager XML spec.

Currently, managed app configuration in Survey123 via an MDM is only supported on iOS and Android.

Supported AppConfig Properties

The following properties can be configured for the Survey123 field app via AppConfig key-value pairs set in your MDM provider. These properties can also be configured as application property defaults in a custom build of Survey123 by modifying the application properties found in the settings menu of your custom application in ArcGIS AppStudio.

Property	Description	Type	Default
portalURL	The default portal URL.	String	https://www.arcgis.com
portalName	The default portal display name. If portalURL is configured then this property should also be configured.	String	ArcGIS Online
portalAuthentication	The default portal authentication parameters in a comma-separated string. Accepted values are IWA (Integrated Windows Authentication), and IWA,SSO (single sign-on for Windows clients when using IWA).	String
portalResourceKey	The resource name used for organization-level properties.	String	Survey123Properties
requireSignIn	Require users to sign in to use the field app.	Boolean	false
enablePortalManagement	Allow users to manage ArcGIS connections in Settings > Connections.	Boolean	true
enableDiagnostics	Allow users to log diagnostics information in Settings > Diagnostics.	Boolean	true
enableDataRecovery	Allow users to recover data using the Send Database option in Settings > Storage.	Boolean	false

If your portal uses IWA authentication and you are configuring the default portal connection in your MDM or in an AppStudio custom app using the portalURL property, the following three properties must be set:

portalURL
portalName
portalAuthentication (set as IWA)

Failure to set the portalAuthentication type on an IWA portal will cause an issue in deploying the AppConfig settings when adding the portal to the list of ArcGIS connections in the Survey123 field app.

Adding managed app configuration settings in your MDM provider

Below is an example of how to set the key-value pairs when creating an app assignment for your Survey123 application, in this case using the VMware AirWatch MDM console. Note that the UI and available options will differ in each MDM solution so please check with your MDM provider and relevant documentation about how to set AppConfig properties.

Setting application property defaults via ArcGIS AppStudio

Below is an example of how to set application property defaults via ArcGIS AppStudio for your custom Survey123 application:

For more information on configuring Survey123 properties, please refer to the ArcGIS Survey123 online documentation.

If you would like to know more about Esri's approach to Mobile Application Management, please read the ArcGIS Secure Mobile Implementation Patterns document available from the ArcGIS Trust website.

BirkS · ‎09-14-2020

Hi Philip Wilson,

We are experiencing a problem regarding the new Survey123 update (3.10) that came in August.

We are trying to configure properties in our MDM with AppConfig, as described in this article, to enable single-sign-on (SSO):

When setting the 'portalAuthentication' to 'SSO' authentication is failing. The two other options, ‘Blank’ and ‘IWA’, work perfectly fine. IWA is still a massive improvement in the authentication, this is very good!

Have you had any feedback from other customers that have utilized the ‘SSO’ choice? I would add that if we had been able to add username in AppConfig, ‘IWA’ would be just fine (like ${user.samaccountname}, as Collector and Explorer fetch with SSO Account).

Thanks!

Anonymous User · ‎09-14-2020

Hi Birk,

Are you able to use SSO successfully on Windows when using the field app when you manually add the IWA Portal? If so, if it should work the same when you have configured via the MDM. We have not had any other customers report any issues so far with IWA and SSO properties.

Did you configure the IWA and SSO properties together for portalAuthentication, both must be used together to work correctly. ie enter both values as comma separated: IWA,SSO

Regards,

Phil.

BirkS · ‎09-14-2020

Hi Philip Wilson‌,

To answer the first question: Yes, when adding the portal to the field app on windows it logs you on automatically. After putting in the Portal URL you don’t have to do it again.
We tried to configure AppConfig like you described with "IWA,SSO". We still got the same behavior: You add the Portal URL, then log on with credentials (but the Ipad will remember until it is turned off again).

Kind regards,

Birk

Anonymous User · ‎09-15-2020

Hi Birk,

From you reply, what I understand is that IWA and SSO login is working on Windows as expected?

However on iOS you are having to log in again after you restart the app? Note that SSO only applies to Windows, as it uses the local Windows domain credentials to do the sign in. On iOS and Android, the users credentials will be remembered and auto sign in will occur when you restart the app.

Can you explain further and give detailed steps of exactly where you are not seeing the auto sign in occur?

Regards,

Phil.

BirkS · ‎09-15-2020

Hi Phil,

Thank you for your response.

To answer your first question: on my laptop (Windows) IWA and SSO login is working as expected when using the Survey123 Field App, which also has been the case before this 3.10 update.

We are using iOS devices in field, and this is where the SSO at Survey123 does not work. It can be noted that in our setup iOS devices are using Kerberos (Negotiate) to authenticate to the web server. Meaning that the device is equivalent to a Windows machine that is using domain credentials.

We are now using IWA for PortalAuthentication in the AppConfig, which works as expected (we have to authenticate and write the Portal Url once after turning on iPad and opening the Survey123 Field App). It is implemented like this:

NTLM GET /portal/sharing/rest/info?f=json HTTP/1.1

Negotiate GET /portal/sharing/rest/oauth2/authorize?client_id=survey123&grant_type=code&response_type=code&expiration=-1&locale=en&redirect_uri=urn:ietf:wg:oauth:2.0:oob&hidecancel=true HTTP/1.1

When trying to implement IWA and SSO, it fails. Using only IWA, as described above, is a massive improvement as to before the 3.10 update, still we would like the SSO to work to avoid any authentication at all (as we are able to with Collector and Explorer). We implemented it like this:

SSO = GET /portal/sharing/rest/oauth2/authorize?client_id=survey123&grant_type=code&response_type=code&expiration=-1&locale=en&redirect_uri=urn:ietf:wg:oauth:2.0:oob&hidecancel=true HTTP/1.1

The SSO does not work in this case. It can be noted that SSO works fine at iOS for Collector and Explorer implemented in the same way.

Kind regards,

Birk

Anonymous User · ‎09-15-2020

Hi Birk,

Thanks for the additional information, that all makes sense now. We will look into this further and get back to you with any updates.

In the meantime, can you please log a bug with Esri Support and ensure you provide all the relevant details above and your setup and workflows, including which MDM solution you are using, app versions, device and OS versions etc. This will help us prioritize and continue work on this issue with development team.

Regards,

Phil.

HéctorMeléndez · ‎09-30-2020

Philip Wilson The latest AppStudio and Survey123 Template don't respect the portalURL enablePortalManagement properties when I run the application from AppStudio. Have I set this correctly?

Anonymous User · ‎09-30-2020

Hi Hector,

What version of AppStudio are you using, and what version of the Survey123 template?

With AppStudio 4.3 just being released, the 3.11 template will be the correct one to use with AppStudio 4.3. The 3.10 template was not made available as AppStudio 4.3 was not available at the time Survey123 3.10 was released. The 3.10 template will not work with AppStudio 4.2 either. As we are only a few weeks away from releasing Survey123 3.11, we will make the 3.11 template available for AppStudio 4.3.

Regards,

Phil.

HéctorMeléndez · ‎10-01-2020

I'm using AppStudio 4.3 and the Survey123 3.9 template. If I run the application from AppStudio none of the parameters are enforce but if I build the application the portalURL and portalName parameters are enforced but not the enablePortalManagement=false. I will test against the 3.11 template when it's release.

Anonymous User · ‎10-04-2020

Hi Hector,

Yes, the Survey123 3.9 template will not work with AppStudio 4.3, there are many changes, not just AppConfig that will cause the app to have issues if you build it with the wrong version. I will let you know as soon as the 3.11 template is available.

Regards,

Phil.

DavinWalker2 · ‎11-08-2020

Hi Philip,

Are there any plans to expand the Supported AppConfig Properties that are available in Survey123 to any other ESRI Mobile Applications?

Regards

Davin

Anonymous User · ‎11-08-2020

Hi Davin,

Can you provide more details about which properties you would like to see added to other Esri mobile apps, and which specific apps you are referring to, and what OS you are mostly using? For example do you mean QuickCapture, or the new Field Maps app, or are you referring to Collector, Explorer and other native apps?

There are different development teams and release cycles for all the different mobile apps, so getting an understanding about which properties and apps are important to you and and on which platforms, helps the design, development and prioritization of these types of enhancements.

Regards,

Phil.

DavinWalker2 · ‎11-08-2020

Hi Phil,

Operating System: iOS

I was specifically look at the portalName and enablePortalManagement keys to other apps including:

Collector, Earth, Explorer, Navigator, QuickCapture, Tracker, Workforce.

However having this in the new Field Maps app would also be beneficial as people move to Field Maps.

Regards

Davin

Anonymous User · ‎11-08-2020

Thanks Davin,

I will discuss with the other mobile app dev teams and get back to you if we have any updates or progress.

Regards,

Phil.

Sunil26 · ‎03-12-2021

We are using survey123 on both Windows and IOS with IWA authentication.

On IOS survey123 start fine and user is able to do couple of surveys. After couple of surveys it start showing "error 204 host requires authentication". This happens pretty frequently when user use linked web map with survey to look for a point.

Anonymous User · ‎03-14-2021

Hi @Sunil26,

Can you please raise this issue with Esri Support, so more information can be gathered regarding your MDM and AppConfig set with your Enterprise, and therefore the exact configuration detailed, from which we can follow up for further investigation.

Regards,

Phil.

vpramm · ‎03-08-2022

Hi,

I have used "portalURL" and "portalName" properties for configuring Survey123 to use my ArcGIS Enterprise. I'm using MS Intune to push these application configurations. These settings successfully gets pushed into Survey123 app.

The problem is, it takes away the default connection to ArcGIS Online. I want my end-users to have both, ability to connect to ArcGIS Enterprise and ArcGIS Online. I'm using the latest version of Survey123 (3.14.237) for iOS

Is there a way to configure both ArcGIS Enterprise as well as ArcGIS Online for Survey123? Could someone share details on how to accomplish that or if it is possible?

Thanks,

VJ

Anonymous User · ‎03-08-2022

Hi @vpramm,

No, this is currently not possible with the Survey123 field app. Currently only one portal can be set via the portalURL appconfig property and this replaces the "default" portal connection in the field app. The default is ArcGIS Online, so this is the one that gets replaced by the appconfig property.

You can manually go into Connection settings in the field app and add a new connection back to ArcGIS Online if needed.

Many of our customers have requested that when a portal is configured by appconfig and a MDM, they do not want to see ArcGIS Online, they want the users only to use the configured internal portal. This is why it was designed this way to meet this expectation.

The best approach in future would be to support adding multiple portals via appconfig. I would suggest raising an ArcGIS Idea or enhancement via Esri Support to enhance this in the future.

Regards,

Phil.

Aneel_Kumar_M · ‎07-26-2022

Dear Philip,

We are using ArcGIS Portal, DMZ server, MS Intunes and then using mobile application "Survey123" Please see below work flow diagram.

In this case, do I need to modify application properties in MS Intune ? and also in App Studio?

One more thing, when we change Azure proxy other than "pass-through", survey123 is not able to connect the portal site from the mobile application. it is connecting only with "pass-through" option.

Please advise, thanks in advance.