HP Insights & Secure Print - July 2020 - V2

HP JetAdvantage
Secure Print & Insights

June 2020 Update
1
What’s the buzz?
Mobile Submission
Cloud Connector Zero Trust Network
Zero Server Infrastructure
Cloud Storage
Driverless IPP Printing
OpenID ConnectCloud Aware Printers
2
Session agenda
Solution options and customer fit
HP JetAdvantage Insights
Readiness guides
Deployment best practices
Troubleshooting tips
3
Solution options and customer fit
4
“I want the works.
I want the whole works.
Don’t care how, I want it now.”
Veruca Salt, Golden ticket holder, Willy Wonka’s Chocolate Factory
5
I want the whole works!
• Zero server infrastructure
• Highly available, elastic & scalable
• Documents are always available
• Cloud connected printers
• Driverless IPP printing
• Mobile printing from iOS and Android
• Easy support for BYOD printing
• Mobile app
• Support for Internet-only sites
• Off-site printing
• True pull printing
• Easy user enrollment
• Proximity badge authentication
6
Will I get the whole works?
Each customer we encounter may have a

different set of requirements.
– Network topology
– Identity providers
– Document storage
HP JetAdvantage Secure Print contains

several configuration options to suit a
variety of environments and use cases.
The choice of these settings will either

expand or contract the feature set
available.
7
Traditional network
• Provides workstations and printers
access to Internet-based resources
• Provides some level of trust and access
(line-of-sight) to peers on the network
• The cloud provides a storage location
from which data will always be
available
• Print data stored in the cloud may be
pulled (downloaded) from the cloud to
the printer
• Print data stored in the cloud or on-
premises may be pushed to the printer
This is a Traditional Network with a

True Cloud implementation.
8
Traditional network with data stored only on-premises
• Provides some level of trust and access
(line-of-sight) to peers on the network
• Print data stored on-premises must be
pushed to the printer
This is a Traditional Network with a

Hybrid Cloud implementation.
9
Internet-only network
• Does not provide trust nor access (line-
of-sight) to peers on the network
• The cloud becomes the “broker” which
handles the movement of data from
workstation to printer
• Print data stored in the cloud must be
pulled (downloaded) from the cloud to
the printer
This is an extreme example of a Zero

Trust Network.
10
Document handling options
1 Cloud storage enabled
2 Cloud storage disabled
11
Document handling: key benefits
Cloud storage enabled Cloud storage disabled
• Documents stored in the cloud are always • Documents will be stored on the user’s
available workstation, never leaving the customer’s
• Provides support for true pull printing environment
• Provides support for Internet-only networks • Reduces reliance on bandwidth to transfer
document data into the cloud
12
Document handling: feature support matrix
Traditional Network  
Internet-only Network  ✗
Documents are Always Available  ✗
Cloud Release (True Pull Printing)  ✗
Scout Release (Push Printing)  
iOS and Android Print Submission Cloud Cloud
Driverless IPP Printing (Cloud Print Queue) Cloud ✗
Driver-based PCL Printing (Local Print Queue)  
13
Document handling
A few more items to remember
• Cloud storage is the keystone component enabling support for true pull printing, Zero Trust and
Internet-only networks.
• Disabling cloud storage will require the user’s Print Scout to be online, with line-of-sight, to send
print document data to the printer
• Documents printed via driverless IPP print clients must be stored in the cloud
• Documents printed from iOS and Android mobile devices must be stored in the cloud
• Documents printed via driver-based PCL clients will be stored on-premises, with an option to send
a backup copy to the cloud
• Driverless IPP printing will leverage server-side encryption (AWS S3 KMS)

• Driver-based PCL printing will leverage client-side encryption (Print Scout)
14
Document handling: customer fit
• Customers who want to take full advantage • Customers who cannot allow document data
of a highly available, elastic and scalable to be stored in the cloud due to export
printing solution restrictions
• Customers with Internet-only work sites • Customers with low bandwidth to the
(Zero Trust) internet
15
Authentication provider options
1 OpenID
2 Email
3 Active Directory
16
Authentication provider: key benefits
OpenID Email Active Directory
• Separates the user’s print identity • Separates the user’s print identity • User print identity is bound to
from the workstation’s login from the workstation’s login directory service identity
identity identity • No user enrollment
• Supports non-AD users • Supports non-AD users
• Supports BYOD • Supports BYOD
• Users are federated through a • Email domains may be open or
chosen 3rd party identity provider restricted
17
Authentication provider: feature support matrix
OpenID Email AD
Local Connector   
Internet-only Network with Cloud Connector   ✗
Traditional Network with Cloud Connector   ✗
Badge Authentication at MFP   
Badge Self-Registration at MFP   
Badge Import within Insights Portal and via API   
Authentication via Keypad at MFP   
18
Authentication provider: customer fit
OpenID Email Active Directory
• Customers with an existing, • A great choice for virtually any • Customers with a single domain,
supported OpenID provider customer who desire to align user identity to
• Customers who are looking for a • Customers who are looking for an an on-premises active directory
user enrollment experience that easy-to-use user enrollment
falls in line with their cloud experience
migration strategy • Customers who are be looking to
extend printing capability to outside
users, i.e. “guest” printing
19
Multiple language support
Secure Print support translations to the
following languages:
• French
• Italian
• German
• Spanish
• English
• Simplified Chinese
• Portuguese (Portugal)
• Portuguese (Brazil)
• Swedish
• Dutch
• Norwegian
20
Touchless printing option
Secure Print’s Mobile Release (QR Code)
feature has long provided a touchless
method of releasing print jobs.
Secure Print now also provides a

touchless print release method for
businesses that prefer their employees to
use proximity cards to authenticate at a
printer.
With Touchless Printing enabled,

employees simply tap their proximity card
to log in to a printer. All documents in
their personal queue will begin printing
after 5 seconds. An employee can cancel
printing before the 5-second timer elapses
by simply pressing Cancel.
21
Mobile submission
Using the HP JetAdvantage Secure Print
mobile app, employees can now submit
documents from their mobile devices.
Previously, the app allowed employees to
only release documents (if using Mobile
Release).
Employees must first download or update

the HP JetAdvantage Secure Print app
from the App Store (iOS) or Google Play
(for Android). The app installs a secure
printer profile that enables driverless
printing using IPP-Everywhere
technology.
iOS Android
22
Secure Print APIs
Integration APIs are available to better
help customers integrate Secure Print into
their ecosystem.
• The Secure Print Card Import API

allows IT administrators to
programmatically import a batch of
card IDs and associate them to user
email addresses via a CSV file.
• The Secure Print User Removal API

allows IT administrators to
programmatically remove a batch of
registered users via a CSV file.
23
Available settings
User
Passcode Proximity Secure Print
Authentication
Settings Card Settings Settings
Providers
24
Available settings
User
Authentication
Providers
25
Available settings
User
Authentication
Providers
26
Available settings
User
Authentication
Providers
* Available only when OpenID has been selected as the identity provider
27
Available settings
User
Authentication
Providers
28
Available settings
User
Authentication
Providers
29
Customer scenario #1  Email enrollment
Professional Services Firm  Restrict email to one trusted domain
We are a professional services firm, employing consultants all

around the US. Our core business is graphic design, with  Internet-only network
virtually all our consultants using macOS and iOS devices. Our
employee’s workspaces, like those in Gotham City and
Metropolis, are located within WeWork locations. Each
employee entering a shared office is issued a facility access
badge from the landlord. We don’t have dedicated IT staff and
are finding it very difficult to provide printing services to our  Driverless IPP print
consultants. How can HP help?
No dedicated IT staff

 Cloud storage enabled
Shared office spaces
Facility access badges provided by landlords
Non-Windows printing
 Badge registration enabled
No directory service
 Email + Pin authentication
30
Customer scenario #2  OpenID Connect
Global Manufacturing Company  Azure AD
We are a global engineering and manufacturing company

headquartered in Gotham City. The safeguarding of our  Traditional Network
intellectual property is highly governed. Each employee is
issued a standardized company badge for access and identity.
We’ve fully integrated Office 365 into our business as our first
step into reducing servers in our infrastructure. We are actively
decommissioning data centers and need to eliminate all print  Cloud connected MFPs
servers hosting our fleet of enterprise class HP multi- and single-
function printers. How can HP help?  Mobile release (QR code) to SFPs
Sensitive data that is likely export controlled

Well governed access and identity badges  Cloud storage disabled
Office 365 likely implies that they’re integrated into Azure AD

Immediate need to remove servers from the infrastructure
 Badge registration disabled
Need support for single function printers
 Import badge data for all users
31
Customer scenario #3  Email enrollment
Construction Company  No restriction on email domains
We are Gotham City’s premiere construction company. We’ve

numerous project sites operating around the clock, with foremen,  Internet-only network
contractors, and partners moving from site to site. Our project
planners and sales force rely heavily on mobile iOS and Android
devices. We need to be able to rapidly deploy print services
within worksites and nearby rally points using ad hoc Wi-Fi
networks based on 5G internet connectivity. How can HP help?
 Driverless iOS and Android printing
No rigid network infrastructure

Highly transient employees  Cloud storage enabled
Heavy use of mobile devices

Print needs to be available to non-employees
 Email + pin authentication
No fixed facilities likely implies no facility access badges
 No badge readers required
32
Customer scenario: recap
True Cloud True Cloud
Internet-only Network Traditional Network
Customers who do not have a traditional Customers with a traditional / corporate

network infrastructure and would like to network who also want to take full advantage
extend printing capability to employees who of all the features and benefits of a true cloud
operate within a Zero Trust environment. solution.
Hybrid cloud
Traditional network
Customers with a traditional / corporate

network who have restrictions regarding
handling and storage of data.
33
HP JetAdvantage Insights
34
You can’t manage what you can’t see
Gain powerful insights into print costs,
printing behaviors and printer utilization
to drive efficiencies with this innovative
cloud-based analytics solution.
HP JetAdvantage Secure Print integrates

seamlessly with HP JetAdvantage
Insights.
This comprehensive print analytics

solution allows you to accurately track
and gather print user data, analyze the
results, and create reports to continually
optimize your print environment and
improve efficiency.
35
Print Analytics - dashboard
Print analytics provides visibility to the
key metrics in the print environment,
including:
• Who is printing and to which devices

• What is being printed and from which
applications
• How printing behaviors compare to
targets
The data behind Print Analytics is

gathered by Print Scout, a required client-
side component of Secure Print.
This means that a customer who invests in

the deployment of Secure Print gets Print
Analytics with no extra effort!
36
Print Analytics - explorer
Explore data by regions, departments, buildings, Fast access to key print metrics for employees,
employees, devices, applications and page size. documents and devices, including job-level detail, all on
demand.
37
Fleet Analytics – dashboard
The Fleet dashboard provides visibility to
the key metrics in the print environment,
including:
• Total operating cost

• Device utilization
• Sustainability information
• Page volume
The data behind Fleet Analytics is

gathered by a client-side component
known as Device Scout.
While Device Scout is no longer required

for Secure Print, it will need to be
installed if the customer wishes to collect
and view Fleet Analytics data.
38
Fleet Analytics – status views
Meter reads are automated and brought to you in a Monitor all device toner levels at once and see exactly
central location. which colors are running low on specific devices.
39
Data export APIs
Data export APIs are available to
customers who wish to utilize 3rd party
reporting tools to build custom
dashboards or billing systems.
• The Device Meter Data API may be

used to export the previous day’s
device meter data.
• The Print Transactions Data API

may be used to export up to the past
365 days of transactional data.
• The Monthly Print Data API may be

used to export up to past 60 months of
aggregated monthly data.
40
Customer readiness
41
Print Scout
Purpose Requirements Network
• Determines / assigns user identity • Supported operating systems are: Outbound (Print Scout connecting to
– Windows: 7 SP1, 8, 8.1, and 10 the cloud API endpoint)
• Collects print and user metadata and
uploads to HP JetAdvantage Insights – macOS: 10.13, 10.14, and 10.15 • 443 TCP (TLSv1.2) connections to
for Print Analytics – RedHat: RHEL 8
https://*.insights.hpondemand.com
• Encrypts & stores secure print jobs – Ubuntu: 18.04 LTS and higher
• Uploads a copy to the cloud – Windows Server: 2008 R2 SP1, 2012,

2012 R2, 2016, and 2019 Outbound (Print Scout connecting to
– when cloud storage is enabled the network printer)
• Email security software must trust:
• Decrypts & delivers secure print jobs • 161 UDP (SNMP v1/v2 or SNMP v3)
to network printers JetAdvantage Insights <no-
– when true pull print is not enabled reply@insights.hpondemand.com> • 631 TCP (IPPS or IPP)
– when using QR code release • Print Scout can communicate with the • 443 TCP (IPPS)
OpenID Connect identity provider
• 9100 TCP (RAW)
42
Print Scout
Three important tips
Print Scouts must be installed onto each users’ workstation
Make sure the web proxy configuration is well known when required to gain access to
the public internet
End point protection (antivirus) applications must trust the Print Scout executable and
dynamic link library files
43
Device Scout
Fleet Analytics • Supported operating systems are: Outbound (Device Scout connecting to
– Windows: 7 SP1, 8, 8.1, and 10 the cloud API endpoint)
• Discovers printers by scanning defined
IP addresses or ranges – Windows Server: 2008 R2 SP1, 2012, • 443 TCP (TLSv1.2) connections to
2012 R2, 2016, and 2019
• Collects device meter, toner and status https://*.insights.hpondemand.com
data • Microsoft .NET Framework 4.6.1 or
newer
• Uploads collected data to HP
JetAdvantage Insights for Fleet Outbound (Device Scout discovery and
Analytics collection)
• 161 UDP (SNMP v1/v2 or SNMP v3)
44
Device Scout
Three important tips
Device Scout is an optional component that gathers data for Fleet Analytics
Device Scout may be installed onto a Windows workstation or server class OS
Device Scout is not required for Secure Print when utilizing the Cloud Connector
45
Secure Print mobile app
• Determines / assigns user identity • Supported operating systems are: Outbound (Secure Print mobile app
– Android 7, 8, 9, and 10 connecting to the cloud API endpoint)
• Scan QR code for mobile release
– iOS 11, 12, and 13 • 443 TCP (TLSv1.2) connections to
• Creates driverless IPP printer profile
• HP JetAdvantage Secure Print app is https://*.insights.hpondemand.com
• Authenticates user for driverless IPP free and must be downloaded using a
printing supported mobile device from: Outbound (iOS and Adroid native
– Google Play Store print connecting to the cloud IPP
endpoint)
– Apple App Store
• 443 TCP (TLSv1.2) connections to
• HP JetAdvantage Secure Print app
can communicate with the cloud API https://*.insights.hpondemand.com
endpoints to release a
print user’s secure print jobs
46
MFP Deployment Tool
• Command line utility to secure and • Must be run from a command prompt Outbound (Deployment Tool
unsecure an HP integrated printer to the from with a Windows OS connecting to the cloud API endpoint)
Cloud Connector
• Must have line-of-sight to the printers • 443 TCP (TLSv1.2) connections to
• The MFP Deployment Tool is an that will be secured / unsecured
interim solution. It will be retired as https://*.insights.hpondemand.com
soon as a cloud native enrollment
solution is available.
Outbound (Deployment Tool
connecting to the HP Integrated
Printer)
• 443 TCP (TLSv1.2)
• 7627 TCP (TLSv1.2)
47
Secured HP printer
• Provides the ability to securely retrieve • Printer is a supported model as Outbound (HP integrated printer
an authenticated user’s print jobs certified by HP connecting to the cloud API endpoint)
• Secures user access to the device • Printer firmware is Futuresmart 4.8 or • 443 TCP (TLSv1.2) connections to
better
• Reports copy and scan transactions to https://*.insights.hpondemand.com
Insights for detailed analytics • Printer readiness requirements have
been completed
– Further detail will be provided in an Inbound (Deployment Tool connecting
upcoming slide
to the HP Integrated Printer)
• QR code label has been printed and
• 443 TCP (TLSv1.2)
attached to the corresponding printer
– When using mobile release • 7627 TCP (TLSv1.2)
48
Network printer with QR code
• Printer that is accessible by network • SNMP v1/v2 and/or SNMP v3 is Inbound (Device Scout connecting to
connection, making it “visible” to other enabled the network printer)
computers connected to the network – SNMP v1/v2 - Read access is enabled • 161 UDP (SNMP v1/v2 or SNMP v3)
and the Get Community Name string is
• An Affixed QR code provides the
known
ability to utilize Mobile Release
– SNMP v3 – Username, Authentication
Protocol & Passphrase, Privacy Protocol Inbound (Print Scout connecting to the
& Passphrase, and Context Name are network printer)
known
• Passphrase – 8-255 characters
• 161 UDP (SNMP v1/v2 or SNMP v3)
• Authentication Protocol – MD5 or SHA1 • 631 TCP (IPPS or IPP)
• Privacy Protocol – DES or AES-128
• 443 TCP (IPPS)
• QR code label has been printed and
attached to the corresponding printer • 9100 TCP (RAW)
– When using mobile print release
49
Network diagrams: true cloud within a traditional network
• All communication from Print Scout to
HP JetAdvantage Secure Print is TLS
over TCP 443
• All communication from an HP
integrated printer to HP JetAdvantage
Secure Print is TLS over TCP 443
• Documents will be pulled from the
cloud by the HP integrated printer using
TLS over TCP 443
Note:
• This is same operation as an Internet
only, zero trust network, but operating
within a traditional customer network
environment
50
Network diagrams: hybrid cloud within a traditional network
over TCP 443
• Documents are pushed to printer using
TLS over TCP 443, or unencrypted over
TCP 631 or 9100
Note:
• Supports on-premises storage
51
Network diagrams: mobile release (QR code) within a traditional network
over TCP 443
• All communication from mobile
devices to HP JetAdvantage Secure
Print is TLS over TCP 443
• Documents are pushed to printer using
TLS over TCP 443, or unencrypted over
TCP 631 or 9100
Note:
• Supported by on-premises and cloud
storage
• Supported on HP and non-HP printers
52
Network diagrams: true cloud within an Internet only network
over TCP 443
• Documents will be pulled from the
cloud by the HP integrated printer using
TLS over TCP 443
Note:
• Requires cloud storage
• Does not support mobile release (QR
code)
53
Network diagrams: Device Scout (Fleet Analytics)
• All communication from Device Scout
to HP JetAdvantage Insights is TLS
over TCP 443
• All communication from Device Scout
to network printers is over UDP 161
• SNMP v1/v2 and SNMP v3
configurations are supported
Note:
• Device Scout is an optional component
that may be installed by customers who
wish to gather Fleet Analytics data
54
Deployment best practices
55
Best practices
Printer readiness and user experience
Proximity badges and choosing the correct reader
Print Scout deployment
56
Properly preparing printers is the key to
assuring successful deployment and
creating a good user experience.
During this section, we will detail the

settings required for successful
deployment, as well as the best practices
that provide a consistent user experience.
57
Firmware
Each printer must be verified to be at a

minimum firmware version.
• Futuresmart 4.8 or greater
58
Administrator Password
Each printer must have an administrator

password set.
The administrator password must be

known to properly secure the printer.
59
Date and Time
Each printer must have accurate date,

time and time zone.
Why?
Each printer will be communicating to

cloud resources over secure TLS
connections. The client and server’s date
and time are an important component in
creating trust. If the times deviate too
greatly, a trust will not be established, and
the TLS connection will fail.
60
Helpful tip!
Synchronize each printer to a network

time server to assure proper date and time.
For internet only sites, use an SNTP

server that is publicly accessible via the
internet.
• nist.time.gov
• pool.ntp.org
61
Energy Settings
Disable sleep after inactivity timers.
Why?
A printer that is in sleep mode creates a

negative user experience each time it is
awakened.
Helpful tip!
Add a wake / sleep schedule. This allows

the printer to enter lower power mode
while not in use and be readily available
for users through the business day.
62
CORS
Cross-Origin Resource Sharing (CORS)

must be enabled.
Helpful tip!
If the list of trusted sites is empty, the

printer will trust all sites.
If the customer would like tighter

security, add
*.insights.hpondemand.com to
the list of trusted sites.
63
DNS
Each printer must be configured with a

valid domain name server.
Helpful tip!
For internet only sites, use a DNS server

that is publicly available via the internet.
Google’s public DNS IP addresses (IPv4)

are:
• 8.8.8.8
• 8.8.4.4
64
Proxy (if required)
Not every environment will require a

proxy server to gain access to the internet.
But when required, a proxy server
address and port will need to be provided
to each printer so that they may connect
to the cloud services.
Helpful tip!
HP firmware only supports basic proxy

authentication. This will be problematic
if a client’s proxy enforces Digest or
NTLM authentication.
65
Enable color
Select the option to Enable Color.
Why?
Custom Color Access, which will restrict

color output for users or applications
without color permissions. This will force
black and white output for documents
printed via driverless IPP and / or Mac
OS.
66
26-bit Weigand, 35-bit Corporate 1000,
37-bit HID Proximity, HID iClass SE /
SEOS, Indala, Keri, Awid, Casi-Rusco…..
Badges, cards, fobs, stickers…..
On and on and on! The technologies,

types and formats of contactless badges
can be overwhelming.
Understanding the client’s situation and

choosing the correct reader will help
prevent confusion and provide better
security.
67
Three questions to discuss with the client
Is there an established process for access and identity management?
Who governs or provides the employee's facility access badge?
Are there other means of facility access?
68
Why is this important?
• Customers leveraging more than one

type or provider of access badge is
opening the door for potential security
risks
• Customers with established access
and identify management, with well
governed RFID badges, will enjoy
high security when leveraging those
same badges with Secure Print
An access badge conveniently gets you An identity badge clearly identifies its Note:
into a door. It does not provide a true owner. It may also contain RFID
identity of the badge holder. elements to provide access, otherwise A cloud-based secure print solution will
known as Access and Identity not mitigate the security implications of
Management. ungoverned access badges.
69
Which card reader to choose?
MFP24 (X3D03A)
• Good for common use formats like 26-
bit HID proximity
• Can be programmed to read multiple
card types while securing the printer
Keystroking (Y7C05A)
• Broader card type support
• Complete control over the format to
decode badge data
• Can be programmed to read and
decode multiple card types or formats
• Must be pre-programmed before
attaching to the printer
70
When choosing the MFP24:
• Use the HP Card Reader Configuration
Utility to evaluate a client’s badge(s)
• Stick to the standard card types and
card data formats
• Card reader data is decoded cloud-
side, without the ability to customize
• The decoded card data shown in the
card reader configuration tool will
match the data decoded within Secure
Print
Note:
Pay attention to the card value (48237)
shown on the left. The same badge will
be used on the next slide.
71
When choosing the keystroking reader:
• Use the RFIdeas pcProx Config utility
as the basis for evaluating a client’s
badge(s)
• Every card type and format supported
by the reader is viable for Secure Print
• Card reader data is decoded within the
reader and sent to the cloud as-is,
meaning any possible data format is
supported
Note:
The card value (0014390375917) shown
on the left is very different than that
decoded by the MFP24 reader. This
customer’s badge required a custom
format to properly decode.
72
The HP Print Scout is a required
component of the HP JetAdvantage
Secure Print solution.
Each user of Secure Print will need to

have the Print Scout installed on his or her
workstation.
Each customer will need to understand

how to distribute the Print Scout
efficiently to all users.
73
The process starts by downloading a Print
Scout from the customer’s Insights portal.
The customer’s site encryption key must

be entered to create a customer-specific
Print Scout installation bundle.
This installation bundle will become the

bases from which a deployable package
may be created.
Helpful tip!
The bundle downloaded from Insights is

not ready for mass deployment. Do not
try to use that “raw” bundle as the
deployment package.
74
The Print Scout that was initially downloaded must be Enter proxy information, if required to connect to the
registered to the customer’s instance of Insights before internet. These settings will be written into the
creating the deployment package. deployment package.
75
After setting configuration settings and verifying that the Click on the hyperlink in the popup message to be taken
Print Scout has been registered, the process of creating a to the location of the deployment files.
deployment settings file may be initiated.
76
These two files are the foundation of a
deployable Print Scout package.
The InstallConfig.ini contains all

the secret sauce for a customer-specific
installation. It will have the client’s ID,
registration ID, encryption key and
configuration settings.
The InstallConfig.ini must reside

in the same folder as the
PrintScoutInstaller.exe.
The client will want to copy these two

files to a safe place from which to build
their deployment package.
77
There are many ways to deploy the Print Scout. Customers with proficient IT deployments will generally be able to
quickly create a deployment package using the SMS tool of their choosing. All they would need are the deployment
files and the command line parameters to invoke the installation. They also need to assure that the installer is invoked
using elevated privilege.
Deployment files:
• InstallConfig.ini
• PrintScoutIntaller.exe
Silent installation command arguments:

PrintScoutIntaller.exe /silent
78
The deployment team may also want to know how to verify installation after deployment. They also may want to know
how to uninstall the Print Scout.
To check installed version:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PharosSystems\InstalledComponents\
Tracker
Version REG_SZ 7.18.3240
(The version shown above is an example and should be expected to change as new scouts are released.)
Silent uninstall and clean-up command arguments:

PrintScoutIntaller.exe /uninstall /clean /silent
79
Indicators that the deployment package has not been built properly:
• The Print Scout Configuration application appears after installation.

– This generally indicates that the deployment package was created using the “raw” Print Scout bundle that was downloaded from
the Insights portal.
• The HP JetAdvantage Secure Printer does not appear shortly after installation.
– This generally indicates that the deployment package includes an InstallConfig.ini file that was generated before the initial Print
Scout was properly registered.
– It could also indicate that the client is unable to access the internet to validate the registration, potentially due to missing proxy
settings.
– If also could indicate that the “raw” package downloaded from the Insights portal was not unblocked before installing.
80
81
PC Load Letter? Well… you know the
rest.
For this next section, we’ll secure a

printer for HP Secure Print without doing
any of the prerequisite steps.
This exercise will allow us to encounter

several real-world issues so that we can
explore how they manifest themselves
and what corrective action to take.
Well start by trying to secure a printer that

has been freshly reset to factory
conditions.
82
This is an important message to fully
understand.
The USB error will appear when a reader

is attached to a printer that does not have
an OXPd Accessories record with a
matching VID : PID.
If the printer has not been secured for

Secure Print, you will certainly see this
message.
If the printer has been secured for Secure

Print and the message persists, it indicates
that the attached reader’s VID : PID does
not match the values used within the MFP
Deployment Tool.
83
Be mindful that one may easily dismiss
the USB Error message from the Message
Center, but it will not “correct” the
condition.
The red error indicator will remain on the

LCD panel’s notification bar and the
status will remain when looking at the
EWS.
Rebooting the printer will cause the USB

Error message to reappear shortly after
bootup.
This message is a very useful tool because

it is an absolute indicator that the printer
does not have a valid OXPd Accessory
record that matches the attached reader.
84
VID PID
HP Common Card Reader (X3D03A) 1008 69

RFIdeas PcProx Plus SP Reader (Y7C05A) 3111 15354
Actual VID : PID values are read in hexadecimal. The values above are converted to decimal, which is the format in which they should be entered into the MFP Deployment tool.
85
When trying to secure a printer, we may
encounter an error, as depicted on the left.
Failed to secure device 192.168.10.162
To determine the nature of the failure, we

will need to look a little deeper.
86
The deployment logs are located within
the MFP deployment tool.
\MfpDeploymentTool\Deployment.log
The HTTP request was

forbidden with client
authentication scheme
“Basic”.
The somewhat cryptic message indicates

that the printer’s admin password has not
been set.
87
Here is another example of an error.
Failed to secure device 10.1.1.153
Once again, to determine the true nature

of the failure, we will need to look a little
deeper.
88
The deployment logs are located within
the MFP deployment tool.
\MfpDeploymentTool\Deployment.log
Unable to install Secure

Print because the firmware
is too old.
That message is self explanatory. The

printer must be upgraded to Futuresmart
firmware 4.8 or better.
89
This SSL certificate error indicates that
the printer is unable to establish a trusted
connection to the server.
There are two primary causes of this

message:
• The date and time of the printer is not
correct.
• The printer is missing root CAs to
complete the full certificate trust.
90
The required root CAs will be installed on
the printer when it is secured.
• DigiCert Global Root CA

• Starfield Class 2 Certification
Authority
If the certificates are removed from the

printer via the EWS, WJA template, or
other means, the printer will produce the
OXPd error as illustrated in the previous
slide.
91
Cross-Origin Resource Sharing is
required for proper operation of Secure
Print.
If it is disabled, the badge reader attached

to a printer will appear as if it does not
work. Any badge swipe will result in no
apparent activity occurring on the printer.
c t
or re
Inc
92
A URL not permitted error is another
manifestation of incorrect CORS settings.
In this case, CORS has been enabled but

the URL is not present in the list of
trusted web sites.
93
The illustration on the left shows the
correct URL added to the list of trusted
web sites.
*.insights.hpondemand.com
94
This error states that the given host was
not resolved.
This is caused by bad or missing DNS

setting within the printer’s Networking
tab.
95
Failed to connect to host or proxy is
another potential manifestation of bad or
missing DNS settings.
96
The illustration on the left shows a printer
with known good public DNS server
addresses that are hosted by Google.
97
At first glance, this looks like it might be
a bad or missing DNS setting, however,
the printer was verified to have good
settings.
In this case, the error was created because

the host entered in the proxy settings was
incorrect.
98
The illustration on the left shows the
printer’s proxy settings. Verify that the
host, port and credentials (if required)
have been entered properly.
99
“I know I printed this in color! Why is it
black and white?”
Before you ask, “are you sure it was a

color printer?,” be sure to verify that the
printer has color printing enabled.
HP printers have the Set Custom Color

Access setting enabled by default. This
will restrict color printing from any user
ID that appears to be a guest, i.e. non-
domain user.
Jobs printed via driverless IPP or Macs

will carry an ID that the printer will
interpret as a guest.
100
101

HP Insights & Secure Print - July 2020 - V2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HP Insights & Secure Print - July 2020 - V2

Uploaded by

Copyright:

Available Formats

HP JetAdvantage

Secure Print & Insights

Deployment best practices

Veruca Salt, Golden ticket holder, Willy Wonka’s Chocolate Factory

Each customer we encounter may have a

HP JetAdvantage Secure Print contains

The choice of these settings will either

This is a Traditional Network with a

This is a Traditional Network with a

This is an extreme example of a Zero

1 Cloud storage enabled

2 Cloud storage disabled

Cloud storage enabled Cloud storage disabled

Cloud storage enabled Cloud storage disabled

• Driverless IPP printing will leverage server-side encryption (AWS S3 KMS)

Cloud storage enabled Cloud storage disabled

OpenID Email Active Directory

OpenID Email Active Directory

Secure Print now also provides a

With Touchless Printing enabled,

Employees must first download or update

• The Secure Print Card Import API

• The Secure Print User Removal API

We are a professional services firm, employing consultants all

No dedicated IT staff

We are a global engineering and manufacturing company

Sensitive data that is likely export controlled

Office 365 likely implies that they’re integrated into Azure AD

We are Gotham City’s premiere construction company. We’ve

No rigid network infrastructure

Heavy use of mobile devices

Customers who do not have a traditional Customers with a traditional / corporate

Customers with a traditional / corporate

HP JetAdvantage Secure Print integrates

This comprehensive print analytics

• Who is printing and to which devices

The data behind Print Analytics is

This means that a customer who invests in

• Total operating cost

The data behind Fleet Analytics is

While Device Scout is no longer required

• The Device Meter Data API may be

• The Print Transactions Data API

• The Monthly Print Data API may be

• Uploads a copy to the cloud – Windows Server: 2008 R2 SP1, 2012,

Print Scouts must be installed onto each users’ workstation

Device Scout may be installed onto a Windows workstation or server class OS

Printer readiness and user experience

Proximity badges and choosing the correct reader

Print Scout deployment

During this section, we will detail the

Each printer must be verified to be at a

Each printer must have an administrator

The administrator password must be

Each printer must have accurate date,

Each printer will be communicating to

Synchronize each printer to a network

For internet only sites, use an SNTP

Disable sleep after inactivity timers.

A printer that is in sleep mode creates a

Add a wake / sleep schedule. This allows

Cross-Origin Resource Sharing (CORS)

If the list of trusted sites is empty, the