HP Insights & Secure Print - July 2020 - V2
1
What’s the buzz?
Mobile Submission
Cloud Connector
Zero Trust Network
Zero Server Infrastructure
Cloud Storage
Driverless IPP Printing
OpenID Connect
Cloud Aware Printers
2
Session agenda
Solution options and customer fit
HP JetAdvantage Insights
Readiness guides
Troubleshooting tips
3
Solution options and customer fit
4
“I want the works.
I want the whole works.
Don’t care how, I want it now.”
5
I want the whole works!
• Zero server infrastructure
• Highly available, elastic & scalable
• Documents are always available
• Cloud connected printers
• Driverless IPP printing
• Mobile printing from iOS and Android
• Easy support for BYOD printing
• Mobile app
• Support for Internet-only sites
• Off-site printing
• True pull printing
• Easy user enrollment
• Proximity badge authentication
6
Will I get the whole works?
7
Traditional network
• Provides workstations and printers
access to Internet-based resources
• Provides some level of trust and access
(line-of-sight) to peers on the network
• The cloud provides a storage location
from which data will always be
available
• Print data stored in the cloud may be
pulled (downloaded) from the cloud to
the printer
• Print data stored in the cloud or on-
premises may be pushed to the printer
8
Traditional network with data stored only on-premises
• Provides workstations and printers
access to Internet-based resources
• Provides some level of trust and access
(line-of-sight) to peers on the network
• Print data stored on-premises must be
pushed to the printer
9
Internet-only network
• Provides workstations and printers
access to Internet-based resources
• Does not provide trust nor access (line-
of-sight) to peers on the network
• The cloud becomes the “broker” which
handles the movement of data from
workstation to printer
• Print data stored in the cloud must be
pulled (downloaded) from the cloud to
the printer
10
Document handling options
11
Document handling: key benefits
• Documents stored in the cloud are always available
• Provides support for true pull printing
• Provides support for Internet-only networks

• Documents will be stored on the user’s workstation, never leaving the customer’s environment
• Reduces reliance on bandwidth to transfer document data into the cloud
12
Document handling: feature support matrix
Traditional Network
Internet-only Network ✗
Documents are Always Available ✗
Cloud Release (True Pull Printing) ✗
Scout Release (Push Printing)
iOS and Android Print Submission Cloud Cloud
Driverless IPP Printing (Cloud Print Queue) Cloud ✗
Driver-based PCL Printing (Local Print Queue)
13
Document handling
A few more items to remember
• Cloud storage is the keystone component enabling support for true pull printing, Zero Trust and
Internet-only networks.
• Disabling cloud storage will require the user’s Print Scout to be online, with line-of-sight, to send
print document data to the printer
• Documents printed via driverless IPP print clients must be stored in the cloud
• Documents printed from iOS and Android mobile devices must be stored in the cloud
• Documents printed via driver-based PCL clients will be stored on-premises, with an option to send
a backup copy to the cloud
14
Document handling: customer fit
• Customers who want to take full advantage of a highly available, elastic and scalable printing solution
• Customers with Internet-only work sites (Zero Trust)

• Customers who cannot allow document data to be stored in the cloud due to export restrictions
• Customers with low bandwidth to the internet
15
Authentication provider options
1 OpenID
2 Email
3 Active Directory
16
Authentication provider: key benefits
OpenID
• Separates the user’s print identity from the workstation’s login identity
• Supports non-AD users
• Supports BYOD
• Users are federated through a chosen 3rd party identity provider
Email
• Separates the user’s print identity from the workstation’s login identity
• Supports non-AD users
• Supports BYOD
• Email domains may be open or restricted
Active Directory
• User print identity is bound to directory service identity
• No user enrollment
17
Authentication provider: feature support matrix
OpenID Email AD
Local Connector
Internet-only Network with Cloud Connector ✗
Traditional Network with Cloud Connector ✗
Badge Authentication at MFP
Badge Self-Registration at MFP
Badge Import within Insights Portal and via API
Authentication via Keypad at MFP
18
Authentication provider: customer fit
OpenID
• Customers with an existing, supported OpenID provider
• Customers who are looking for a user enrollment experience that falls in line with their cloud migration strategy
Email
• A great choice for virtually any customer
• Customers who are looking for an easy-to-use user enrollment experience
• Customers who are looking to extend printing capability to outside users, i.e. “guest” printing
Active Directory
• Customers with a single domain, who desire to align user identity to an on-premises active directory
19
Multiple language support
Secure Print supports translations into the
following languages:
• French
• Italian
• German
• Spanish
• English
• Simplified Chinese
• Portuguese (Portugal)
• Portuguese (Brazil)
• Swedish
• Dutch
• Norwegian
20
Touchless printing option
Secure Print’s Mobile Release (QR Code)
feature has long provided a touchless
method of releasing print jobs.
21
Mobile submission
Using the HP JetAdvantage Secure Print
mobile app, employees can now submit
documents from their mobile devices.
Previously, the app allowed employees to
only release documents (if using Mobile
Release).
iOS Android
22
Secure Print APIs
Integration APIs are available to better
help customers integrate Secure Print into
their ecosystem.
23
Available settings
• User Authentication Providers
• Passcode Settings
• Proximity Card Settings
• Secure Print Settings
24
* Available only when OpenID has been selected as the identity provider
27
29
Customer scenario #1: Professional Services Firm
• Email enrollment
• Restrict email to one trusted domain
30
Customer scenario #2: Global Manufacturing Company
• OpenID Connect
• Azure AD
31
Customer scenario #3: Construction Company
• Email enrollment
• No restriction on email domains
32
Customer scenario: recap
• True Cloud, Internet-only Network
• True Cloud, Traditional Network
• Hybrid cloud, Traditional network
33
HP JetAdvantage Insights
34
You can’t manage what you can’t see
Gain powerful insights into print costs,
printing behaviors and printer utilization
to drive efficiencies with this innovative
cloud-based analytics solution.
35
Print Analytics - dashboard
Print analytics provides visibility to the
key metrics in the print environment,
including:
36
Print Analytics - explorer
• Explore data by regions, departments, buildings, employees, devices, applications and page size.
• Fast access to key print metrics for employees, documents and devices, including job-level detail, all on demand.
37
Fleet Analytics – dashboard
The Fleet dashboard provides visibility to
the key metrics in the print environment,
including:
38
Fleet Analytics – status views
• Meter reads are automated and brought to you in a central location.
• Monitor all device toner levels at once and see exactly which colors are running low on specific devices.
39
Data export APIs
Data export APIs are available to
customers who wish to utilize 3rd party
reporting tools to build custom
dashboards or billing systems.
40
Customer readiness
41
Print Scout
Purpose
• Determines / assigns user identity
• Collects print and user metadata and uploads to HP JetAdvantage Insights for Print Analytics
• Encrypts & stores secure print jobs
Requirements
• Supported operating systems are:
– Windows: 7 SP1, 8, 8.1, and 10
– macOS: 10.13, 10.14, and 10.15
– RedHat: RHEL 8
– Ubuntu: 18.04 LTS and higher
Network
Outbound (Print Scout connecting to the cloud API endpoint)
• 443 TCP (TLSv1.2) connections to https://*.insights.hpondemand.com
42
Print Scout
Three important tips
Make sure the web proxy configuration is well known when required to gain access to
the public internet
End point protection (antivirus) applications must trust the Print Scout executable and
dynamic link library files
43
Device Scout
Purpose
Fleet Analytics
• Discovers printers by scanning defined IP addresses or ranges
• Collects device meter, toner and status data
• Uploads collected data to HP JetAdvantage Insights for Fleet Analytics
Requirements
• Supported operating systems are:
– Windows: 7 SP1, 8, 8.1, and 10
– Windows Server: 2008 R2 SP1, 2012, 2012 R2, 2016, and 2019
• Microsoft .NET Framework 4.6.1 or newer
Network
Outbound (Device Scout connecting to the cloud API endpoint)
• 443 TCP (TLSv1.2) connections to https://*.insights.hpondemand.com
Outbound (Device Scout discovery and collection)
• 161 UDP (SNMP v1/v2 or SNMP v3)
44
Device Scout
Three important tips
Device Scout is an optional component that gathers data for Fleet Analytics
Device Scout is not required for Secure Print when utilizing the Cloud Connector
45
Secure Print mobile app
Purpose
• Determines / assigns user identity
• Scan QR code for mobile release
• Creates driverless IPP printer profile
• Authenticates user for driverless IPP printing
Requirements
• Supported operating systems are:
– Android 7, 8, 9, and 10
– iOS 11, 12, and 13
• HP JetAdvantage Secure Print app is free and must be downloaded using a supported mobile device from:
– Google Play Store
– Apple App Store
• HP JetAdvantage Secure Print app can communicate with the cloud API endpoints to release a print user’s secure print jobs
Network
Outbound (Secure Print mobile app connecting to the cloud API endpoint)
• 443 TCP (TLSv1.2) connections to https://*.insights.hpondemand.com
Outbound (iOS and Android native print connecting to the cloud IPP endpoint)
• 443 TCP (TLSv1.2) connections to https://*.insights.hpondemand.com
46
MFP Deployment Tool
Purpose
• Command line utility to secure and unsecure an HP integrated printer to the Cloud Connector
• The MFP Deployment Tool is an interim solution. It will be retired as soon as a cloud native enrollment solution is available.
Requirements
• Must be run from a command prompt from within a Windows OS
• Must have line-of-sight to the printers that will be secured / unsecured
Network
Outbound (Deployment Tool connecting to the cloud API endpoint)
• 443 TCP (TLSv1.2) connections to https://*.insights.hpondemand.com
Outbound (Deployment Tool connecting to the HP Integrated Printer)
• 443 TCP (TLSv1.2)
• 7627 TCP (TLSv1.2)
47
Secured HP printer
Purpose
• Provides the ability to securely retrieve an authenticated user’s print jobs
• Secures user access to the device
• Reports copy and scan transactions to Insights for detailed analytics
Requirements
• Printer is a supported model as certified by HP
• Printer firmware is Futuresmart 4.8 or better
• Printer readiness requirements have been completed
– Further detail will be provided in an upcoming slide
• QR code label has been printed and attached to the corresponding printer
– When using mobile release
Network
Outbound (HP integrated printer connecting to the cloud API endpoint)
• 443 TCP (TLSv1.2) connections to https://*.insights.hpondemand.com
Inbound (Deployment Tool connecting to the HP Integrated Printer)
• 443 TCP (TLSv1.2)
• 7627 TCP (TLSv1.2)
48
Network printer with QR code
Purpose
• Printer that is accessible by network connection, making it “visible” to other computers connected to the network
• An affixed QR code provides the ability to utilize Mobile Release
Requirements
• SNMP v1/v2 and/or SNMP v3 is enabled
– SNMP v1/v2 – Read access is enabled and the Get Community Name string is known
– SNMP v3 – Username, Authentication Protocol & Passphrase, Privacy Protocol & Passphrase, and Context Name are known
  • Passphrase – 8-255 characters
  • Authentication Protocol – MD5 or SHA1
  • Privacy Protocol – DES or AES-128
• QR code label has been printed and attached to the corresponding printer
– When using mobile print release
Network
Inbound (Device Scout connecting to the network printer)
• 161 UDP (SNMP v1/v2 or SNMP v3)
Inbound (Print Scout connecting to the network printer)
• 161 UDP (SNMP v1/v2 or SNMP v3)
• 631 TCP (IPPS or IPP)
• 443 TCP (IPPS)
• 9100 TCP (RAW)
49
Network diagrams: true cloud within a traditional network
• All communication from Print Scout to
HP JetAdvantage Secure Print is TLS
over TCP 443
• All communication from an HP
integrated printer to HP JetAdvantage
Secure Print is TLS over TCP 443
• Documents will be pulled from the
cloud by the HP integrated printer using
TLS over TCP 443
Note:
• This is the same operation as an
Internet-only, zero trust network, but
operating within a traditional customer
network environment
50
Network diagrams: hybrid cloud within a traditional network
• All communication from Print Scout to
HP JetAdvantage Secure Print is TLS
over TCP 443
• All communication from an HP
integrated printer to HP JetAdvantage
Secure Print is TLS over TCP 443
• Documents are pushed to printer using
TLS over TCP 443, or unencrypted over
TCP 631 or 9100
Note:
• Supports on-premises storage
51
Network diagrams: mobile release (QR code) within a traditional network
• All communication from Print Scout to
HP JetAdvantage Secure Print is TLS
over TCP 443
• All communication from mobile
devices to HP JetAdvantage Secure
Print is TLS over TCP 443
• Documents are pushed to printer using
TLS over TCP 443, or unencrypted over
TCP 631 or 9100
Note:
• Supported by on-premises and cloud
storage
• Supported on HP and non-HP printers
52
Network diagrams: true cloud within an Internet only network
• All communication from Print Scout to
HP JetAdvantage Secure Print is TLS
over TCP 443
• All communication from an HP
integrated printer to HP JetAdvantage
Secure Print is TLS over TCP 443
• Documents will be pulled from the
cloud by the HP integrated printer using
TLS over TCP 443
Note:
• Requires cloud storage
• Does not support mobile release (QR
code)
53
Network diagrams: Device Scout (Fleet Analytics)
• All communication from Device Scout
to HP JetAdvantage Insights is TLS
over TCP 443
• All communication from Device Scout
to network printers is over UDP 161
• SNMP v1/v2 and SNMP v3
configurations are supported
Note:
• Device Scout is an optional component
that may be installed by customers who
wish to gather Fleet Analytics data
54
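One way to check a site against the port requirements and network diagrams above is to compare observed flows with the documented matrix and flag the document push paths that the hybrid cloud slide describes as possibly unencrypted (TCP 631 and 9100). This is an added example, not HP code; the inventory subnets, the flow-line format and the hostname api.insights.hpondemand.com (a stand-in for the *.insights.hpondemand.com wildcard) are constructed assumptions.

```python
import ipaddress

CLOUD_SUFFIX = ".insights.hpondemand.com"  # cloud endpoint wildcard from the slides

# (source role, destination role, protocol, port) as listed on the readiness slides.
DOCUMENTED = {
    ("print_scout", "cloud", "tcp", 443), ("device_scout", "cloud", "tcp", 443),
    ("printer", "cloud", "tcp", 443), ("deploy_tool", "cloud", "tcp", 443),
    ("deploy_tool", "printer", "tcp", 443), ("deploy_tool", "printer", "tcp", 7627),
    ("device_scout", "printer", "udp", 161), ("print_scout", "printer", "udp", 161),
    ("print_scout", "printer", "tcp", 443), ("print_scout", "printer", "tcp", 631),
    ("print_scout", "printer", "tcp", 9100),
}
# Push paths the hybrid cloud slide says may carry documents unencrypted.
CLEARTEXT_PUSH = {("tcp", 631), ("tcp", 9100)}

# Constructed inventory (assumption): which subnets or hosts hold which role.
INVENTORY = {
    "print_scout": ["10.20.0.0/24"],
    "device_scout": ["10.30.0.5/32"],
    "deploy_tool": ["10.30.0.9/32"],
    "printer": ["10.40.0.0/24"],
}

def role_of(host):
    """Map a hostname or IP address to a role from the slides."""
    if host.endswith(CLOUD_SUFFIX):
        return "cloud"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    for role, nets in INVENTORY.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return role
    return "unknown"

def audit(flow_lines):
    """Classify 'src,dst,proto,port' lines against the documented matrix."""
    findings = []
    for line in flow_lines:
        src, dst, proto, port = line.split(",")
        key = (role_of(src), role_of(dst), proto.lower(), int(port))
        if key not in DOCUMENTED:
            verdict = "unexpected"
        elif key[2:] in CLEARTEXT_PUSH:
            verdict = "review-cleartext-push"
        else:
            verdict = "documented"
        findings.append((line, verdict))
    return findings

# Constructed flow records for the example (not captured traffic).
SAMPLE_FLOWS = [
    "10.20.0.17,api.insights.hpondemand.com,tcp,443",
    "10.20.0.17,10.40.0.12,tcp,9100",
    "10.40.0.12,api.insights.hpondemand.com,tcp,443",
    "10.30.0.5,10.40.0.12,udp,161",
    "10.40.0.12,203.0.113.50,tcp,443",
    "10.20.0.17,10.40.0.12,tcp,23",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:24} {line}")
```

Mobile devices are left out of the inventory because they typically reach the cloud endpoint from outside the site network.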
Deployment best practices
55
Best practices
56
Printer readiness and user experience
Properly preparing printers is the key to
assuring successful deployment and
creating a good user experience.
57
Printer readiness and user experience
Firmware
58
Printer readiness and user experience
Administrator Password
59
Printer readiness and user experience
Date and Time
Why?
60
Printer readiness and user experience
Helpful tip!
• nist.time.gov
• pool.ntp.org
61
Printer readiness and user experience
Energy Settings
Why?
Helpful tip!
62
Printer readiness and user experience
CORS
Helpful tip!
63
Printer readiness and user experience
DNS
Helpful tip!
64
Printer readiness and user experience
Proxy (if required)
Helpful tip!
65
Printer readiness and user experience
Enable color
Why?
66
Proximity badges and choosing the correct reader
26-bit Wiegand, 35-bit Corporate 1000,
37-bit HID Proximity, HID iClass SE /
SEOS, Indala, Keri, Awid, Casi-Rusco…
67
Proximity badges and choosing the correct reader
Three questions to discuss with the client
68
Proximity badges and choosing the correct reader
Why is this important?
• An access badge conveniently gets you into a door. It does not provide a true identity of the badge holder.
• An identity badge clearly identifies its owner. It may also contain RFID elements to provide access, otherwise known as Access and Identity Management.
Note:
A cloud-based secure print solution will not mitigate the security implications of ungoverned access badges.
69
Proximity badges and choosing the correct reader
Which card reader to choose?
MFP24 (X3D03A)
• Good for common use formats like 26-
bit HID proximity
• Can be programmed to read multiple
card types while securing the printer
Keystroking (Y7C05A)
• Broader card type support
• Complete control over the format to
decode badge data
• Can be programmed to read and
decode multiple card types or formats
• Must be pre-programmed before
attaching to the printer
70
Proximity badges and choosing the correct reader
When choosing the MFP24:
• Use the HP Card Reader Configuration
Utility to evaluate a client’s badge(s)
• Stick to the standard card types and
card data formats
• Card reader data is decoded cloud-
side, without the ability to customize
• The decoded card data shown in the
card reader configuration tool will
match the data decoded within Secure
Print
Note:
Pay attention to the card value (48237)
shown on the left. The same badge will
be used on the next slide.
71
Proximity badges and choosing the correct reader
When choosing the keystroking reader:
• Use the RFIdeas pcProx Config utility
as the basis for evaluating a client’s
badge(s)
• Every card type and format supported
by the reader is viable for Secure Print
• Card reader data is decoded within the
reader and sent to the cloud as-is,
meaning any possible data format is
supported
Note:
The card value (0014390375917) shown
on the left is very different than that
decoded by the MFP24 reader. This
customer’s badge required a custom
format to properly decode.
72
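The two reader slides show the same badge producing different card values depending on where and how the bits are decoded. The added example below (not HP or RF IDeas code) decodes the standard 26-bit Wiegand layout with its parity checks and lists several identifiers that the same frame can yield; the facility code 12 is constructed, and the alternative renderings are illustrative assumptions that do not reproduce the custom format mentioned on the slide.

```python
def encode_wiegand26(facility, card):
    """Build a 26-bit frame: parity, 8-bit facility, 16-bit card, parity."""
    data = f"{facility:08b}{card:016b}"
    lead = str(data[:12].count("1") % 2)          # first 13 bits end up even
    trail = str((data[12:].count("1") + 1) % 2)   # last 13 bits end up odd
    return lead + data + trail

def decode_wiegand26(bits):
    """Decode a 26-bit frame given as a string of '0'/'1' characters."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    ones = [int(c) for c in bits]
    even_ok = sum(ones[:13]) % 2 == 0   # leading parity covers bits 1-13
    odd_ok = sum(ones[13:]) % 2 == 1    # trailing parity covers bits 14-26
    return {
        "parity_ok": even_ok and odd_ok,
        "facility": int(bits[1:9], 2),
        "card": int(bits[9:25], 2),
    }

def candidate_ids(bits):
    """Identifiers a reader could emit for one frame, by output format."""
    d = decode_wiegand26(bits)
    return {
        "card_only": str(d["card"]),
        "facility_card": f'{d["facility"]:03d}{d["card"]:05d}',
        "data_bits_int": str(int(bits[1:25], 2)),   # parity bits stripped
        "whole_frame_int": str(int(bits, 2)),       # parity bits included
    }

# Constructed frame: card number 48237 as on the MFP24 slide, facility 12 assumed.
FRAME = encode_wiegand26(12, 48237)

if __name__ == "__main__":
    print(FRAME, decode_wiegand26(FRAME))
    for name, value in candidate_ids(FRAME).items():
        print(f"{name:16} {value}")
```

Whichever rendering the deployed reader produces is the value that has to match the badge ID registered or imported for the user, which is why the badge evaluation step precedes reader selection.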
Print Scout deployment
The HP Print Scout is a required
component of the HP JetAdvantage
Secure Print solution.
73
Print Scout deployment
The process starts by downloading a Print
Scout from the customer’s Insights portal.
Helpful tip!
74
Print Scout deployment
• The Print Scout that was initially downloaded must be registered to the customer’s instance of Insights before creating the deployment package.
• Enter proxy information, if required to connect to the internet. These settings will be written into the deployment package.
75
Print Scout deployment
• After setting configuration settings and verifying that the Print Scout has been registered, the process of creating a deployment settings file may be initiated.
• Click on the hyperlink in the popup message to be taken to the location of the deployment files.
76
Print Scout deployment
These two files are the foundation of a
deployable Print Scout package.
77
Print Scout deployment
There are many ways to deploy the Print Scout. Customers with proficient IT deployments will generally be able to
quickly create a deployment package using the SMS tool of their choosing. All they need are the deployment
files and the command line parameters to invoke the installation. They also need to ensure that the installer is invoked
with elevated privileges.
Deployment files:
• InstallConfig.ini
• PrintScoutIntaller.exe
78
Print Scout deployment
The deployment team may also want to know how to verify installation after deployment. They also may want to know
how to uninstall the Print Scout.
(The version shown above is an example and should be expected to change as new scouts are released.)
79
Print Scout deployment
Indicators that the deployment package has not been built properly:
80
Troubleshooting tips
81
Troubleshooting tips
PC Load Letter? Well… you know the
rest.
82
Troubleshooting tips
This is an important message to fully
understand.
83
Troubleshooting tips
Be mindful that one may easily dismiss
the USB Error message from the Message
Center, but it will not “correct” the
condition.
84
Troubleshooting tips
VID PID
Actual VID : PID values are read in hexadecimal. The values above are converted to decimal, which is the format in which they should be entered into the MFP Deployment tool.
85
Troubleshooting tips
When trying to secure a printer, we may
encounter an error, as depicted on the left.
86
Troubleshooting tips
The deployment logs are located within
the MFP deployment tool.
\MfpDeploymentTool\Deployment.log
87
Troubleshooting tips
Here is another example of an error.
88
Troubleshooting tips
The deployment logs are located within
the MFP deployment tool.
\MfpDeploymentTool\Deployment.log
89
Troubleshooting tips
This SSL certificate error indicates that
the printer is unable to establish a trusted
connection to the server.
90
Troubleshooting tips
The required root CAs will be installed on
the printer when it is secured.
91
Troubleshooting tips
Cross-Origin Resource Sharing is
required for proper operation of Secure
Print.
92
Troubleshooting tips
A URL not permitted error is another
manifestation of incorrect CORS settings.
93
Troubleshooting tips
The illustration on the left shows the
correct URL added to the list of trusted
web sites.
*.insights.hpondemand.com
94
Troubleshooting tips
This error states that the given host was
not resolved.
95
Troubleshooting tips
Failed to connect to host or proxy is
another potential manifestation of bad or
missing DNS settings.
96
Troubleshooting tips
The illustration on the left shows a printer
with known good public DNS server
addresses that are hosted by Google.
97
Troubleshooting tips
At first glance, this looks like it might be
a bad or missing DNS setting, however,
the printer was verified to have good
settings.
98
Troubleshooting tips
The illustration on the left shows the
printer’s proxy settings. Verify that the
host, port and credentials (if required)
have been entered properly.
99
Troubleshooting tips
“I know I printed this in color! Why is it
black and white?”
100
101