A common query we receive is what measures can be taken to prevent users from bypassing PaperCut NG and PaperCut MF. In such situations, users allow themselves to print for free by connecting to printers directly from their workstation or laptop. The following steps can be taken to limit or prevent this from happening.
Most modern print devices will allow an administrator to block or allow a certain range of IP addresses under the web interface, usually in the Security section. You should be able to “white-list” the Print Server IP address, authorizing printing to the device from just those addresses. All other IPs would be blocked, and this ensures users cannot print to this device directly and will be required to connect through the authorized and PaperCut-managed print server in order to print.
VLAN / MPLS / Subnet / Layer 3
If the above is not possible, a Network Administrator with the use of appropriate VLAN, MPLS, Subnetting or Layer 3 network configuration can set a routing rule to block all IPs from seeing the printer except for the Print Server. This will ensure that all direct connections to the printer are blocked, but users will still be able to print via the PaperCut Print Server.
Disable Physical Printing
This step is essential along with one or both of the above approaches to ensure users cannot print directly. You will need to disable functionality such as support for USB, Infrared, Bluetooth, onboard direct-WiFi printing, and any other direct connection that the device may support. You can either disable these modules within the printer’s configuration interface, or talk with your device vendor to discuss possibilities on how to control these.
Disable protocols which are not used by the print server
WSD and Bonjour are protocols designed to make printer discovery easy on local subnets. Disable these protocols within the device administrative Network configuration setting.
With WSD disabled, Windows cannot discovery and automatically add the printer. With Bonjour disabled, Mac and iOS devices cannot locate the device broadcast.
Categories: Security, Administration
Keywords: direct, restricting, restriction, printer, MFD, MFP, Access, ip, block, layer3, subnets, bypass, mapping, map