Managing device security
Whether you collect data using a fleet of your own carefully configured devices, or your enumerators each use their own device, you want to make sure the forms and data that end up on those devices stay secure. SurveyCTO has several features designed to help keep your data safe, no matter where your devices end up.
Server settings for enforcing device security
New Collect security features
Your server has the capability to set certain security requirements for devices. To find and configure these requirements, go to your server console's Collect tab, and click on Settings in the Mobile data collection section. If those requirements are not met, your server will refuse to interact with the device, which will prevent the user from getting forms or submitting data. When this occurs, the Collect user will be presented with an error message that explains why they cannot connect to your server, and instructs them on how to update their own settings to comply with the security restrictions.
Require lock screen
Require users of SurveyCTO Collect to secure their device with a lock screen (PIN, pattern, or fingerprint). Enabling this setting prevents a device from interacting with your server unless a lock screen is currently enabled on it.
Require private workspace storage
Require users of SurveyCTO Collect to use the private storage option for their workspace storage location. Enable this setting to make sure your forms never end up in a location on the device that can be accessed via a file browser. For more information about private storage, and how data is stored on devices, see the topic on finding and safeguarding local device data. Since the public storage option is only available on Android, this setting will have no effect on Collect for iOS (which always stores data privately).
Please note: private workspace storage is a feature that was first introduced in SurveyCTO Collect v2.70.2 for Android (released on May 15, 2020). Enabling this setting will require devices to be running Collect 2.70.2 or newer. If a device is running an older version, the user will be prompted to update the app before they are allowed to connect to your server.
Require device encryption
Most modern devices have full-disk encryption enabled by default, so on those devices this setting will have no effect. Enabling this setting will ensure that every device that connects to your server encrypts its entire filesystem when the device is locked or off. This will prevent someone from being able to, for example, remove a device's SD card and read your data from it.
Please note: enabling this setting will also require iOS devices to have a device passcode lock.
Don't allow jailbroken or rooted devices
Jailbroken iOS devices and rooted Android devices are much less secure, since the device user is able to alter the device's software to remove all of the security restrictions set by the original operating system (iOS or Android, respectively). Enable this setting to ensure that all devices are running genuine software that has not been tampered with.
Require dedicated workspaces
In SurveyCTO Collect, a "dedicated" workspace is one that contains forms and data for only a single server (rather than, potentially, a mix of forms and data for multiple servers). Once a workspace has been dedicated to a server, that server has more control over the workspace's settings – including the ability to control whether or not the user can "un-dedicate" the workspace later (see option below). It is generally best to keep your server's forms, data, and settings cleanly separated from work for other servers, so you will likely want to require dedicated workspaces.
Don't allow any outside access
When enabled, this setting automatically enables the "require private workspace storage" setting as well. It also requires the "require dedicated workspaces" setting to be enabled.
Enabling this setting ensures that the only way to access forms and data stored within a workspace is via the Collect app itself, or by submitting that data to your server. Specifically, it will prevent the following features from being used for that workspace and all forms within that workspace: public storage, local WiFi, and manually copying forms and/or settings. Since all of these features are only available on Collect for Android, this setting will have no effect for iOS users.
Don't allow un-dedicating
This setting requires the "require dedicated workspaces" setting to be enabled.
Enable this setting to prevent Collect users from un-dedicating a workspace once it has been dedicated to this server. If you require dedicated workspaces but allow un-dedicating, users will be told that they can't change the server name associated with the workspace – but nothing stops them from un-dedicating the workspace first and then changing the server name. If there are cases where you need people to be able to start work with one server and then continue with another, you might need to allow un-dedicating; but generally, if you require a dedicated workspace, you should not allow device users to later un-dedicate it.
Set a workspace passcode to protect your entire workspace from unauthorized access, or simply to make switching workspaces a more deliberate act. Locking down access to a workspace is particularly important when your case list or your forms themselves contain sensitive information. It can also be important if a device is shared between different users; each user can have their own workspaces with their own workspace passcodes. And when workspaces might contain similar-looking forms, you can set different workspace passcodes so that switching requires a conscious step, reducing the chance of using the wrong workspace by accident. See the topic on device settings for more information about workspace passcodes.
Another important tool for controlling device security is an optional password that you can set on the workspace's Admin Settings. While General Settings contain basic settings that control how the app functions, Admin Settings contain more advanced settings designed to control what the Collect user is able to access within the app. Once an admin password is set, Admin Settings cannot be opened without entering the correct password. You can set an admin password either from within Admin Settings (if you have physical access to the device), or by setting one in a default device configuration and then asking your Collect user to run quick setup. See the topic on managing device settings for more information.
Enabling end-to-end encryption on all your forms is the best way to ensure that your form data cannot be accessed by the wrong people. As long as a form is set up to use encryption, its data is encrypted as soon as the form is finalized, and is not readable by anyone who does not hold the private key. See the topic on encrypting form data for more information.
See the topic on keeping your data secure for a broader discussion of SurveyCTO data security, including a list of best practices.