Configure Survey123 Properties in your MDM with AppConfig

1586
14
08-06-2020 06:37 PM
Philip-Wilson
Esri Frequent Contributor
5 14 1,586

Starting with ArcGIS Survey123 version 3.10, you can now configure properties via Managed App Configuration (AppConfig) in your Mobile Device Management (MDM) solution or by configuring application property defaults when creating a custom build of Survey123 using ArcGIS AppStudio. By configuring Survey123 properties you can manage how the Survey123 field app is installed on mobile devices and ensure that the properties are standardized and configured according to your company policies in your enterprise environment.

What are EMMs and MDMs?

 

Enterprise Mobility Management (EMM) is a set of people, processes and technology focused on securely and efficiently managing systems and devices (desktop, server, and mobile). This includes setting policies, pre-configuring settings, applying restrictions, deploying apps, and setting profiles and assignment policies to deliver apps to your managed devices. The management of mobile devices is one of the many components available as part of an EMM solution.

 

There are a number of Mobile Device Management (MDM) solutions that can help you implement your EMM solution for managing your enterprise mobile devices, and these MDM solutions include support for what is known as Mobile Application Management (MAM). Here are just a few of the available MDM solutions that many of the Esri mobile apps have already been tested and successfully deployed with: VMware Airwatch, Microsoft Intune, MobileIron Cloud, Samsung Knox, Citrix XenMobile, IBM MaaS360, and Cisco Meraki.

 

What is Managed App Configuration?

 

Managed app configuration allows apps to be remotely configured through an EMM solution. In order to use managed app configuration, the app must be installed on the device and managed via an MDM solution. While managed app configuration is a feature supported by most of the popular MDM providers, it's best to check with your provider if this feature is supported.

 

In general, MDM providers support AppConfig using key-value pairs. In Survey123 we follow the guidelines found within the AppConfig community's XML standard specification for iOS, Windows, MacOS and Linux. On Android, we support Android's Restriction Manager XML spec.

 

Currently, managed app configuration in Survey123 via an MDM is only supported on iOS and Android.

 

Supported AppConfig Properties

 

The following properties can be configured for the Survey123 field app via AppConfig key-value pairs set in your MDM provider. These properties can also be configured as application property defaults in a custom build of Survey123 by modifying the application properties found in the settings menu of your custom application in ArcGIS AppStudio.

 

Key Name Type Default Description

portalURLstringhttps://www.arcgis.comDefault portal URL.
portalNamestringArcGIS OnlineDefault portal display name. If portalURL is configured then this property should also be configured.
portalAuthenticationstringN/ADefault portal authentication parameters. Comma separated, case insensitive.
  • Blank for default authentication configuration
  • IWA - Integrated Windows Authentication
  • SSO - Enables single sign on for Windows clients when combined with IWA.
portalResourceKeystringSurvey123PropertiesResource name used for organization level properties.
requireSignInbooleanfalseUsers are required to sign in to continue to gallery page.
enablePortalManagementbooleantrueUser can manage ArcGIS Connections (add or remove portal configurations).
enableDiagnosticsbooleantrueEnable diagnostics options in Settings menu.
enableDataRecoverybooleanfalseEnable data recovery to send survey database and attachments.

 

If your portal uses IWA authentication and you are configuring the default portal connection in your MDM or in an AppStudio custom app using the portalURL property, the following three properties must be set:

 

  • portalURL
  • portalName
  • portalAuthentication (set as IWA)


Failure to set the portalAuthentication type on an IWA portal will cause an issue in deploying the AppConfig settings when adding the portal to the list of ArcGIS connections in the Survey123 field app.

 

Adding managed app configuration settings in your MDM provider

 

Below is an example of how to set the key-value pairs when creating an app assignment for your Survey123 application, in this case using the VMware AirWatch MDM console. Note that the UI and available options will differ in each MDM solution so please check with your MDM provider and relevant documentation about how to set AppConfig properties.

 

VMware AirWatch MDM AppConfig

 

Setting application property defaults via ArcGIS AppStudio

 

Below is an example of how to set application property defaults via ArcGIS AppStudio for your custom Survey123 application:

AppStudio Survey123 Properties

AppStudio Survey123 Properties

 

For more information on configuring Survey123 properties, please refer to the ArcGIS Survey123 online documentation.

 

If you would like to know more about Esri's approach to Mobile Application Management, please read the ArcGIS Secure Mobile Implementation Patterns document available from the ArcGIS Trust website.

14 Comments
BirkSlipersæter
Esri Contributor

Hi Philip Wilson,

We are experiencing a problem regarding the new Survey123 update (3.10) that came in August.

We are trying to configure properties in our MDM with AppConfig, as described in this article, to enable single-sign-on (SSO):

When setting the 'portalAuthentication' to 'SSO' authentication is failing. The two other options, ‘Blank’ and ‘IWA’, work perfectly fine. IWA is still a massive improvement in the authentication, this is very good!

Have you had any feedback from other customers that have utilized the ‘SSO’ choice? I would add that if we had been able to add username in AppConfig, ‘IWA’ would be just fine (like ${user.samaccountname}, as Collector and Explorer fetch with SSO Account).

Thanks! 

Philip-Wilson
Esri Frequent Contributor

Hi Birk,

Are you able to use SSO successfully on Windows when using the field app when you manually add the IWA Portal? If so, if it should work the same when you have configured via the MDM. We have not had any other customers report any issues so far with IWA and SSO properties.

Did you configure the IWA and SSO properties together for portalAuthentication, both must be used together to work correctly. ie enter both values as comma separated: IWA,SSO

Regards,

Phil.

BirkSlipersæter
Esri Contributor

Hi Philip Wilson‌, 

To answer the first question: Yes, when adding the portal to the field app on windows it logs you on automatically. After putting in the Portal URL you don’t have to do it again.
We tried to configure AppConfig like you described with "IWA,SSO". We still got the same behavior: You add the Portal URL, then log on with credentials (but the Ipad will remember until it is turned off again).

Kind regards,

Birk

Philip-Wilson
Esri Frequent Contributor

Hi Birk,

From you reply, what I understand is that IWA and SSO login is working on Windows as expected?

However on iOS you are having to log in again after you restart the app? Note that SSO only applies to Windows, as it uses the local Windows domain credentials to do the sign in. On iOS and Android, the users credentials will be remembered and auto sign in will occur when you restart the app.

Can you explain further and give detailed steps of exactly where you are not seeing the auto sign in occur?

Regards,

Phil.

BirkSlipersæter
Esri Contributor

Hi Phil,

Thank you for your response.
 
To answer your first question: on my laptop (Windows) IWA and SSO login is working as expected when using the Survey123 Field App, which also has been the case before this 3.10 update.
 
We are using iOS devices in field, and this is where the SSO at Survey123 does not work.  It can be noted that in our setup iOS devices are using Kerberos (Negotiate) to authenticate to the web server. Meaning that the device is equivalent to a Windows machine that is using domain credentials.
 
We are now using IWA for PortalAuthentication in the AppConfig, which works as expected (we have to authenticate and write the Portal Url once after turning on iPad and opening the Survey123 Field App). It is implemented like this: 
 
NTLM GET /portal/sharing/rest/info?f=json HTTP/1.1
Negotiate GET /portal/sharing/rest/oauth2/authorize?client_id=survey123&grant_type=code&response_type=code&expiration=-1&locale=en&redirect_uri=urn:ietf:wg:oauth:2.0:oob&hidecancel=true HTTP/1.1
 
When trying to implement IWA and SSO, it fails. Using only IWA, as described above, is a massive improvement as to before the 3.10 update, still we would like the SSO to work to avoid any authentication at all (as we are able to with Collector and Explorer). We implemented it like this:
 
SSO = GET /portal/sharing/rest/oauth2/authorize?client_id=survey123&grant_type=code&response_type=code&expiration=-1&locale=en&redirect_uri=urn:ietf:wg:oauth:2.0:oob&hidecancel=true HTTP/1.1
 
The SSO does not work in this case. It can be noted that SSO works fine at iOS  for Collector and Explorer implemented in the same way. 
Kind regards,
Birk
Philip-Wilson
Esri Frequent Contributor

Hi Birk,

Thanks for the additional information, that all makes sense now. We will look into this further and get back to you with any updates.

In the meantime, can you please log a bug with Esri Support and ensure you provide all the relevant details above and your setup and workflows, including which MDM solution you are using, app versions, device and OS versions etc. This will help us prioritize and continue work on this issue with development team.

Regards,

Phil.

HéctorMeléndez
Esri Contributor

Philip Wilson The latest AppStudio and Survey123 Template don't respect the portalURL enablePortalManagement properties when I run the application from AppStudio. Have I set this correctly?

Philip-Wilson
Esri Frequent Contributor

Hi Hector,

What version of AppStudio are you using, and what version of the Survey123 template?

With AppStudio 4.3 just being released, the 3.11 template will be the correct one to use with AppStudio 4.3. The 3.10 template was not made available as AppStudio 4.3 was not available at the time Survey123 3.10 was released. The 3.10 template will not work with AppStudio 4.2 either. As we are only a few weeks away from releasing Survey123 3.11, we will make the 3.11 template available for AppStudio 4.3.

Regards,

Phil.

HéctorMeléndez
Esri Contributor

I'm using AppStudio 4.3 and the Survey123 3.9 template. If I run the application from AppStudio none of the parameters are enforce but if I build the application the portalURL and portalName parameters are enforced but not the enablePortalManagement=false. I will test against the 3.11 template when it's release.

Philip-Wilson
Esri Frequent Contributor

Hi Hector,

Yes, the Survey123 3.9 template will not work with AppStudio 4.3, there are many changes, not just AppConfig that will cause the app to have issues if you build it with the wrong version. I will let you know as soon as the 3.11 template is available.

Regards,

Phil.

DavinWalker2
Esri Contributor

Hi Philip,

Are there any plans to expand the Supported AppConfig Properties that are available in Survey123 to any other ESRI Mobile Applications?

Regards

Davin

Philip-Wilson
Esri Frequent Contributor

Hi Davin,

Can you provide more details about which properties you would like to see added to other Esri mobile apps, and which specific apps you are referring to, and what OS you are mostly using? For example do you mean QuickCapture, or the new Field Maps app, or are you referring to Collector, Explorer and other native apps?

There are different development teams and release cycles for all the different mobile apps, so getting an understanding about which properties and apps are important to you and and on which platforms, helps the design, development and prioritization of these types of enhancements.

Regards,

Phil.

DavinWalker2
Esri Contributor

Hi Phil,

Operating System: iOS

I was specifically look at the portalName and enablePortalManagement keys to other apps including:

Collector, Earth, Explorer, Navigator, QuickCapture, Tracker, Workforce.

However having this in the new Field Maps app would also be beneficial as people move to Field Maps. 

Regards

Davin

Philip-Wilson
Esri Frequent Contributor

Thanks Davin,

I will discuss with the other mobile app dev teams and get back to you if we have any updates or progress.

Regards,

Phil.