Secure Print Settings

Release Methods

Secure Print provides different ways of releasing print jobs:

Setting Description

Mobile Release

Users can release their documents from any Secure Print-enabled printer using their mobile devices and QR codes.

Printer Screen

This option allows users to release documents using the following options:

  • Proximity Card - Users can release their documents after authenticating with their proximity card.
  • Keyboard Login - Users can release their documents by entering their registered email address and PIN code.

External Card Reader

Note: This option is available only if you have an SR25 or Ethernet 241 Hardware license.

Users release documents using a proximity card. Secure Print is enabled by a hardware device called the "SR25" or "Ethernet 241" attached to the back of the printer.

Note: Some printers may not support all three methods. For example, a printer may support Mobile Release only, but not Printer Screen release.

Cloud Connector

Understanding what Cloud Connector is and how it differs from Local Connector is crucial to configuring Secure Print. The following section outlines the differences between the Local Connector and the Cloud Connector.

Secure Print supports the following network structure:

  • Local Connector – The Local Connector, also known as the “HP Secure Print Service”, is a Windows service that runs within an organization's local environment. It is installed with the Device Scout component and communicates with HP Insights. It provides the functionality needed to secure devices and enables these devices to perform secure printing.

    This is ideal for organizations that prefer to secure their devices without using a cloud-based service.

  • Cloud Connector - The Cloud Connector is a software component hosted in HP Insights. It hosts the web services behind the Secure Print app displayed on the integrated printer. These web services manage essential operations such as user authentication, displaying job lists, and receiving job accounting data.

    In this setup, the Device Discovery and Deployment Utility (DDU) is used to secure printers against the Cloud Connector, effectively making those printers "cloud-connected devices". Cloud-connected devices provide a true cloud experience, removing the need for a Local Connector and eliminating the requirement to operate within a local network or have direct line-of-sight access to print devices. Cloud-connected devices support internet-only environments (sometimes referred to as zero-trust networks). This means that organizations can eliminate their print infrastructure, including print servers, print drivers, or queue management.

    This option is suitable for organizations that do not want to run an on-premises Local Connector.

The Cloud Connector setting allows administrators to enable or disable the Cloud Connector. Previously, the Cloud Connector option was hidden in the background and required the Operations team to enable it, but it is now being made visible in the web console.

  • When Cloud Connector is turned ON, devices can be secured against the Cloud Connector. Administrators will need to use the Device Deployment Utility (DDU) to secure printers against the Cloud Connector and make those printers "cloud-connected".

  • When Cloud Connector is turned OFF, devices cannot be secured against the Cloud Connector. Devices can be secured with the Local Connector instead.

Note: For information on how to configure Cloud Connected Devices, refer to the Configuring Cloud Connected Devices document.

Proximity Card Options

Select a card reader

You can select a card reader from the drop-down menu. The VID:PID values are automatically set for each card reader. Choosing Other allows you to enter the decimal values for the VID and PID of the card reader of your choice.

Card Reader                          VID     PID
Rf IDEAS Proximity Keystroke         3111    15354
HP Universal Card Reader (MFP 24)    1008    69
HP Legic Card Reader (4QL32A)        1008    69
Omnikey 5427 (Keystroke)             1899    21544
Elatec TWN4                          2520    1040

Note: When connecting a Legic card reader to the printer, it's crucial to select the HP Legic Card Reader option from the web console first. Failure to do so can result in the card reader malfunctioning. It's also important to note that Legic card readers currently only support the values 6F03 and 7901. If any other value is added, the card reader will not function properly. Therefore, it's essential to ensure that Supported proximity card type is set to have only the values 6F03 and/or 7901.

Note: HP offers limited support for card authentication via magstripe card readers. HP discourages the use of magstripe card readers since they are prone to bad reads and errors. HP recommends using a supported proximity card reader instead.

Supported MFP24 Proximity Card types (HP only)

Specify the MFP 24 card types that your organization supports. You can enter up to four MFP 24 proximity card read types. The setting includes two of the most common MFP 24 proximity card types: 6F01 and EF04.

Supported Card Types

Card Type Card Value
6F01 HID iClass CSN, ISO 14443A CSN, ISO 15693A CSN
7C02 Felica
7D01 HID iClass CSN
7E01 ISO 15693A CSN, I-Code CSN, my-d CSN, SecuraKey Etag CSN, Texas Instruments Tag-It
7F01 ISO 14443A CSN, DESFire CSN, I-tag CSN, Legic Advant CSN, Mifare CSN, MiFare Ultralight CSN
E902 Paradox
EA01 Keri NXT UID, Pyramid UID, Farpointe Data NXT UID
EA02 Keri NXT 26 Bit, Pyramid 26 Bit, Farpointe Data 26 Bit
EB02 SecuraKey -02
EC01 SecuraKey -01
ED02 Indala ASP + UID (Motorola)
ED04 Indala ASP+ Custom (Motorola)
EF04 HID Prox
F004 ReadyKey Pro UID
F201 HiTag 2 Primary
F204 HiTag 2 Alternate
F302 HiTag 1 and S Primary
F304 HiTag 1 and S Alternate
F401 Deister UID
F503 GProx-II UID
F602 Cardax UID, Russwin UID
F702 2SmartKey (Honeywell), NexKey, Nexwatch, KeyMate, QuadraKey
F801 Keri UID
F802 Keri 26 Bits
F902 ioProx (Kantech)
FA02 Awid
FB01 Em/Marin ME410x/Rosslaire Primary, DIGITAG
FB02 Em/Marin ME410x/Rosslaire Alternate
FC02 Casi-Rusco
FD01 Indala ASP UID (Motorola)
FD02 Indala ASP 26 Bit (Motorola)

Enable or disable user card registration

Enable Proximity Card Registration: When this setting is turned on, users can register their proximity cards at the secure printers using their email and PIN (for email-based auth), network ID (for Active Directory auth), or passcode (for OpenID auth). Once a proximity card is registered, users can release documents to any secure printer in the organization.

The proximity card registration setting is turned on by default. If you prefer importing users’ cards into the system, you may want to disable card registration. If card registration is disabled, users with unregistered cards will see a friendly message informing them of the appropriate action to take.

Note: If you have an OpenID implementation, card registration is supported only on printers that support passcode authentication only.

Device Logon Experience

Secure Print

This is the default setting. When selected, the user will see the Secure Print screen on authentication. The display may vary depending on the authentication provider configured.

Touchless Printing

Secure Print already offers touchless printing with Mobile Release (employees release their documents by using the HP Secure Print mobile app to scan a QR code attached to the printer).

HP Secure Print provides additional touchless print release methods for businesses that prefer their employees to use proximity cards to authenticate at a printer.

With Touchless Printing enabled, employees simply tap their proximity card at a preferred printer. All documents in their personal queue will begin printing after 5 seconds. An employee can cancel printing before the 5-second timer elapses by simply pressing Cancel.

  • Note: The system supports touchless printing with proximity cards no matter which authentication method or provider the customer is configured for: email authentication, Active Directory, and OpenID.

Authenticate to Device Home

If enabled, when a user logs onto a secure printer, the device shows its Home Screen instead of the Secure Print screen. From the Home Screen, the user has access to such functions as copy/scan.

Note: Authenticate to Device Home applies to Canon, HP, Lexmark, Konica Minolta, Ricoh, Toshiba, and Xerox devices.

Printer Options

Require authentication for all device functions

When set to ON, all device functions (print, copy, fax, scan) require users to authenticate. When set to OFF, authentication is required only for the Secure Print application. Users can use other device functions without having to authenticate.

Note: The Require authentication for all device functions setting is applicable for HP devices only.

Note: You'll need to re-secure all the devices in your print environment for the setting to take effect.

Number of documents displayed on the device

The Number of documents displayed on the device controls the number of documents displayed on a secure printer. The default value is 50 documents and the maximum value is 150 documents.

Network Timeout

The Network Timeout setting controls the time before requests to the Site Service from the secure printers time out. The default is 10 seconds. If a request takes more than 10 seconds to complete, the secure printer shows an error message “Error Releasing Print Jobs. Unable to complete the request due to network issues. Please try again later”. You can change the default in situations where network connectivity is slower than normal, for example.

Document Handling

Setting Description

Cloud Storage

This setting determines whether to enable or disable Cloud Storage. Select from these options:

  • When Cloud Storage is disabled, documents are stored and encrypted in the user's local workstation only. User workstations (with Print Scouts) must be online to allow release of documents. This is the default setting.
  • When Cloud Storage is enabled, documents are stored both in the cloud and user workstations. This allows users to release print jobs when their local workstation is not available and it improves print release convenience for mobile users. This option requires a Cloud: Backup license.

Note: The Cloud Storage setting affects how documents are released with mobile submission. See Mobile Submission setting below for more details.

These settings affect delivery of secure print jobs to printers:

  • Force delivery via print servers
  • Restrict Print Scout Release
  • Cloud Release

Force delivery via print servers

This option forces delivery of jobs to Print Servers instead of local workstations.

When Force delivery via print servers is enabled, all job release activities will be handled by Print Scouts that are in Print Server mode (also known as virtual print server mode). The user's originating Print Scout will never be used for job release. All jobs will be stored in cloud storage and all job releases will require the job to be retrieved from cloud storage.

This option is designed for customers who have printers that operate on a different VLAN than workstations. In this case, the user's workstation will not have access to the printers, therefore a "special" Print Scout is needed within the printer's VLAN to handle all job delivery requests.

For this feature to work, the following are required:

  • Cloud Storage is enabled.
  • Print Scout is installed on Print Servers.

Restrict Print Scout Release

When Restrict Print Scout Release is enabled, the user’s Print Scout will be the primary point to handle job release. If the user’s Print Scout is not available, a Print Scout in Print Server mode will be used to download the backup copy of the print job from the cloud storage and send it to the printer. This has the benefit of using local data when it is available and using cloud backup when the user’s Print Scout is not online.

When the user’s Print Scout is not online, the job release will be restricted to Print Scouts in Print Server mode, which prevents one user’s data from being handled by another user’s Print Scout. This enhances security and provides a better known and far more controllable workflow for cloud backup release.

Notes:

  • You’ll need to install a Print Scout in Print Server mode to ensure that jobs are delivered when the user Print Scout is offline.
  • Enable Cloud Storage.

Note: The Force delivery via Print Servers and the Restrict Print Scout Release options should not be enabled at the same time. They are mutually exclusive operations.

Cloud Release

Cloud Release is also known as Pull Print. When Cloud Release is enabled, print jobs are pulled by the printer directly from the cloud storage. For this feature to work, the following are required:

  • Cloud Connector (i.e., Cloud Site Service)
  • Cloud Storage is enabled.

Refer to the Cloud Release topics for more information about Cloud Release.

Note: Cloud Release is supported on HP and Ricoh printers only.

Note: With Cloud Release enabled, the IPP print driver may not function optimally in that setup. It's advisable to use the HP Universal Print Driver (UPD) instead. In this scenario, the Print Scout has no interaction at all during job release. The IPP print driver requires the Print Scout to establish an IPP connection to the printer, which isn't feasible with Cloud Release.

Mobile Submission

When Mobile Submission is enabled, print users can submit documents using a mobile device (via the HP Secure Print mobile app). Users can download the app from the App Store (iOS) or the Google Play Store (Android). Mobile Submission is disabled by default.

The Cloud Storage setting affects how documents are released with mobile submission.

  • When Cloud Storage is enabled, documents submitted from mobile devices will always be available for release.
  • When Cloud Storage is disabled, documents will be released through an online Print Scout (which is installed on user workstations or Print Servers). Documents will be unavailable if no Print Scouts are online.

Note: With Mobile Submission, all documents are stored encrypted in the cloud.

Advanced Encryption

The Advanced Encryption section allows administrators to decide whether to apply Zero Knowledge Encryption (ZKE) for print job names, providing the flexibility to adjust the setting according to their organization's needs. For example, when the Cloud Connector is disabled, print jobs submitted through Print Scout display encrypted job names in HP Insights, making it hard for users to identify their jobs in the User Portal, Mobile App, or cloud-connected devices. In this scenario, administrators can choose to disable job name encryption. Additionally, the Advanced Encryption section includes a setting that shows how the content of the print jobs is encrypted. This encryption is based on a combination of settings, which are outlined in the "Print Job Content" section of the document.

Apply Zero Knowledge Encryption (ZKE) to:

  • Print Job Name – This setting allows you to choose whether to encrypt job names (document names) or leave them visible on the User Portal or Mobile App in plain text.

    • When enabled, job names will be encrypted, meaning they will be shown in an encrypted format on the User Portal and Mobile App for Print Scout submitted jobs.

    • When disabled, the job names will not be encrypted, meaning they will appear in clear, readable text on both the User Portal and Mobile App for Print Scout submitted jobs.

Note: This setting applies to print jobs submitted via Print Scout only.

  • Print Job Content – This read-only setting controls whether the content of a print job (the actual document) will receive advanced encryption.

    • When Print Job Content encryption is enabled, the document content is encrypted using the ZKE within the Print Scout before being uploaded to cloud storage, if enabled. The document will also be encrypted with an AWS managed S3 KMS key while at rest within cloud storage.

    • When Print Job Content encryption is disabled, the document content will not be encrypted using the ZKE within the Print Scout before being uploaded to cloud storage. The document will, however, be encrypted with an AWS managed S3 KMS key while at rest within cloud storage.

The Print Job Content setting is read-only and cannot be modified. The status of this setting, whether it is enabled or disabled, depends on the following conditions related to the Cloud Connector and Cloud Release.

  • When the Cloud Connector is OFF (for on-premises setup) or when the Cloud Connector is ON, but Cloud Release is OFF, print job content encryption is automatically enabled and cannot be disabled in either case.

  • When Cloud Release is ON (indicating that Cloud Connector is also ON), the print job content encryption is automatically disabled. This means that job data sent to the cloud by Print Scouts will not use ZKE (Zero-Knowledge Encryption). However, these jobs will still be encrypted at rest with S3 KMS (Key Management Service).

Note: Cloud Release requires the Cloud Connector to be ON, so you cannot enable Cloud Release without first enabling Cloud Connector.
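
The dependencies between the Document Handling and Advanced Encryption settings described above can be checked before a change is saved. The following is an added example, not HP code or a product API; the field names are hypothetical stand-ins for the console toggles, and the sample configurations are constructed.

```python
from dataclasses import dataclass


@dataclass
class SecurePrintSettings:
    # Hypothetical field names mirroring the console toggles; not a product API.
    cloud_connector: bool = False
    cloud_storage: bool = False
    cloud_release: bool = False
    force_delivery_via_print_servers: bool = False
    restrict_print_scout_release: bool = False


def job_content_zke_enabled(s):
    # Read-only state: ZKE is off only when Cloud Connector and Cloud Release are both ON.
    return not (s.cloud_connector and s.cloud_release)


def audit(s):
    """Return findings for the setting combinations described above."""
    findings = []
    if s.cloud_release and not s.cloud_connector:
        findings.append("ERROR: Cloud Release requires Cloud Connector to be ON")
    if s.force_delivery_via_print_servers and s.restrict_print_scout_release:
        findings.append("ERROR: Force delivery via print servers and "
                        "Restrict Print Scout Release are mutually exclusive")
    needs_storage = {
        "Cloud Release": s.cloud_release,
        "Force delivery via print servers": s.force_delivery_via_print_servers,
        "Restrict Print Scout Release": s.restrict_print_scout_release,
    }
    for name, enabled in needs_storage.items():
        if enabled and not s.cloud_storage:
            findings.append(f"ERROR: {name} requires Cloud Storage to be enabled")
    if not job_content_zke_enabled(s):
        findings.append("REVIEW: Cloud Release is ON, so job content is uploaded "
                        "without ZKE; only S3 KMS at-rest encryption applies")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations, not exported from a real tenant.
    samples = {
        "on-prem with cloud backup": SecurePrintSettings(
            cloud_storage=True, restrict_print_scout_release=True),
        "pull print": SecurePrintSettings(
            cloud_connector=True, cloud_storage=True, cloud_release=True),
        "conflicting": SecurePrintSettings(
            cloud_release=True, force_delivery_via_print_servers=True,
            restrict_print_scout_release=True),
    }
    for label, cfg in samples.items():
        print(label, "| content ZKE:", job_content_zke_enabled(cfg))
        for finding in audit(cfg):
            print("   ", finding)
```

The REVIEW finding is the one to surface to data owners: turning on Cloud Release changes the read-only Print Job Content state as a side effect.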

Mobile Deployment

The Allow manual profile installation option enables IT admins to control whether employees can manually set up the iOS configuration profile. When turned on, employees will have to manually install the configuration profile on their iOS devices. This setting is ON by default for customers without Mobile Device Management (MDM) solutions.

If your organization prefers IT admins to automatically push the configuration profile to users’ devices via MDM, you can turn this setting OFF. IT administrators can download the configuration profile to deploy to users’ iOS devices using their preferred MDM solution.

Note: The Allow manual profile installation setting affects iOS users only.

Note: The download button appears only after clicking the Save button.

Purge jobs after

The Purge jobs after setting controls how long a print job is stored before it is automatically deleted. Unreleased print jobs will automatically be deleted after 48 hours.