Best practices for configuring and securing enumerator devices

This article expands on the product documentation on this subject.

Thanks to some recent SurveyCTO Collect improvements, it is now possible to set up Android and iOS devices for data collection even faster and more securely than before. These improvements are made possible through a matching server console update, which you can see on the Collect tab (see the new Mobile data collection section). Use the new quick setup and default device configuration features to easily configure any number of devices with identical and far more secure settings. This is useful whether your team is using project-issued or personal devices. 

The Send Settings to Server option you'll see in the embedded presentation below is currently Android-only, so you will have to generate default device configurations on Android for the time being. 

Quickly setting up a number of devices

If you're setting up a single device that's right in front of you, it is simple to open General Settings in SurveyCTO Collect, and fill out the Server name, Username, and Password. However, what if you have 100 devices to set up? What if those devices aren't in front of you? SurveyCTO Collect is also highly customizable - do you want enumerators to have access to every option available?

Thanks to the new quick setup option (discussed one section down), and default device configurations, you can take care of all of these concerns.

Default device configurations

On the main menu of SurveyCTO Collect, tap on the three-dot icon in the upper-right to get into either General Settings or Admin Settings. While General Settings allows you to configure various useful settings which could be useful (or not) depending on the project, Admin Settings governs the visibility of individual General Settings, the options users have while filling out forms, and the main menu options. If you invest any time thinking about what settings work best for your project, you'll want to ensure that every enumerator uses those same settings. 

You can save a SurveyCTO Collect configuration in a default device configuration which is a new feature attached to user roles. Every device configured using quick setup will have their device automatically configured with the default device configuration that you attach to the user's role. If you prefer following bullet points to learn how this is done, see the Managing device settings help topic, under the Default device configurations and quick setup heading. Or for a more visual and user-friendly guide, page through these slides:

Consider clicking on the frame icon for a full screen experience. If you would like to share these slides, click here and make a copy of this file (File > Make a copy) to your Google Drive.

Note that every project can have as many custom user roles as you'd like (even on a server without teams), each with their own default device configuration. Custom user roles can even have identical server permissions, but have different device configurations and default forms that the enumerator starts with.

Quick setup

Device settings via a default device configuration can be distributed through the new quick setup feature. However, you will need to set up a default device configuration first, as above.

The quick setup option provides a URL that can be distributed via email, SMS, WhatsApp, or by scannable QR code. That code redirects users to 1.) install SurveyCTO Collect, and 2.) launch the quick setup process. The URL contains the server name, so once Collect is installed, all that needs to be done is going into General Settings to enter a username and password. Once logged in, the default device configuration will be installed, making the device ready for the enumerator to begin work (or remote training)!

You can also make the quick setup link even more helpful, by including a username as well as the server name. Click on the Customize... button on the right of the QR code, add a username and click Generate guide URL.

With a username included in the quick setup link, users only need a password along with the quick setup link. This can work well for data collection settings where enumerators pick their names in a select_one field in the form to label their work. However, projects using workflows that depend on unique username metadata (for example, for use with case management) won't benefit from this feature.

Maximizing on security

Not only is setting up SurveyCTO Collect now much easier, it is significantly more secure. One of the features of SurveyCTO Collect for Android 2.70.6+ is that it moves forms and data into app-specific storage (this is a big change, follow the link to read more). App-specific storage stores all data inside the app, which is more secure and far safer.

App-specific storage and some other useful security features can also be enforced globally. On the Collect tab, under Mobile data collection, click on Settings. From here you can enforce the use of a.) app-specific storage, and b.) device lock screen security (PIN, pattern, fingerprint).

Admin password

The ability to lock users out of Admin Settings is an old setting, but something to consider for the sake of limiting the need for troubleshooting (e.g., if you enable the Auto install downloaded form update option and your workflow depends on it, turn it on and hide it). As above, if you invested in a specific configuration, think about locking it down.

App passcode

New to SurveyCTO Collect 2.70.2+ for Android, is an App passcode option to be found under Admin Settings. SurveyCTO Collect will require this passcode when it opens in order to provide access, adding another layer of security. Seeing as the App passcode can be reset from Admin Settings, it makes sense to create an admin password if you're using the App passcode feature.

Think about how to distribute app passcodes! If the passcode is discoverable in an email or instant message on the data collection device, it may not be that secure. You might provide instructions to delete an email or SMS once the code is memorized or recorded elsewhere.

Lastly, you can allow for App passcodes to be reset for a brief time under Settings, under the new Mobile data collection section of the Collect tab on the server console.

Both admin passwords and app passcodes can be distributed inside default device configurations.

Recommended settings

As above, SurveyCTO Collect has a lot of settings. To summarize and help guide you, we'll highlight some recommendations:

In General Settings

In SurveyCTO Collect, tap on the three-dot icon and open General Settings.

  1. Enable the auto-send features (this will help prevent data loss; it is better to automatically send data ASAP so that it is available on the server and able to be reviewed and backed up).
  2. Enable all of the auto-download and auto-install features (to ensure that enumerators are always using the latest forms, with any new fixes or data updates; extended in Collect 2.70.1).
  3. Enable Display send/receive status (provides a convenient server synchronisation button, and tells enumerators when they have a network connection or not).
  4. Keep auto-backup set to at least 30 days (to protect against accidental data deletion).

In Admin Settings

In SurveyCTO Collect, tap on the three-dot icon and open Admin Settings.

  1. Secure Admin Settings with an Admin Password only known to trusted supervisors.
  2. Secure the app with an App passcode that all enumerators know (new in Collect 2.70.2).
  3. Set the App storage location to Private app storage (new in Collect 2.70.2, also the new default).
  4. Disable any main-menu items that are unnecessary for enumerators (you could disable Get Blank Form if the right forms are already included in their default device configuration; this would be best-paired with the auto-download and install options enabled).
  5. Disable any settings that enumerators should not be able to edit.

Server settings

On the server console, go to the Collect tab, and under Mobile data collection, click on Settings.

  1. Require all enumerator devices to have a lock screen configured (new in server software 2.70.5+).
  2. Require all enumerator devices to be configured for private storage (new in server software 2.70.5+) and Collect 2.70.2+).

If you have any questions about default device configurations, quick setup options, and deploying SurveyCTO Collect securely, start a support ticket or create a user forum post.

Do you have thoughts on this article? We'd love to hear them! Feel free to fill out this feedback form.


Please sign in to leave a comment.