Comprehensive guide to end-to-end print security


It doesn’t take much to convince organizations nowadays of the importance of security and of protecting sensitive information, whether it is stored digitally, in transit, or being printed. Just take a moment and think about all the security measures you’ve put in place in the last 10 years, and then compare that to how much you know about the security of your print jobs.

This article specifically focuses on securing print jobs in transit, and how they can be protected from snooping eyes. In other words, end-to-end encryption of print jobs on the network. For additional information about securing your print environment in general, refer to our security whitepaper.


Security is not a set-and-forget activity. To ensure protection for today and for the future, we’ll guide you through how to:

  • Apply,
  • Validate, and
  • Maintain encryption of print jobs on your network.

Apply

This article promised to be a “comprehensive guide” so let’s get into the detail and get your print jobs secure. Here is a quick summary of areas that we’ll be covering, so you can jump to a specific one if you wish to:

Client to print server

Print server to printers

Client to print server

Windows clients

Out of the box, the Windows printing system uses Server Message Block (SMB) to print spool files to the server, which is the same protocol used for file sharing. Traffic is encrypted since SMB2, which was improved upon in SMB3.

Recommended practice: If you need to continue using Server Message Block, consider switching off SMB1 on your server, as it may still be in use on older Windows clients. You can switch off SMB1 with this command: Set-SmbServerConfiguration -EnableSMB1Protocol $false

Unfortunately, due to the PrintNightmare mitigations included in every Windows release since mid-2021, SMB printing is no longer as simple to implement, because end-users will be prompted for local admin rights to install Type-3 print drivers.

Because of those changes, our recommendation is to consider using PaperCut Mobility Print instead.

Using Mobility Print for Windows clients

One way to get around the challenges posed by PrintNightmare is to use our BYOD print-enablement solution, PaperCut Mobility Print.

To ensure print jobs are sent securely by Windows clients using PaperCut Mobility Print, there are a few different options:

  • Use Mobility Cloud Print: You can share the printer via the Mobility Print cloud connection so all jobs travel through a secure tunnel established via WebRTC. No trusted certificate required. You can read more about Mobility Print’s cloud print in Cloud Print Security in Mobility Print.
  • Install a certificate on the Mobility Print server: Follow the specific steps outlined in our article Configure Mobility Print to use a trusted TLS/SSL Certificate. This ensures that, when the Known Host discovery option is used to share printers, Windows Mobility Print clients automatically set up secure connections using the new certificate. (When using the DNS discovery method, some additional steps are required, documented in that article.)
  • Use Print Deploy to deploy the Mobility Print queue: This allows you to use either the standard generic driver or a manufacturer-specific driver if you need one. All Mobility Print jobs submitted to queues deployed with Print Deploy will be encrypted. You can find out how to set this up in our Print Deploy manual.

MacOS clients

MacOS computers print to Windows print servers on one of the following protocols:

  • LPR/LPD
  • SMB
  • IPPS (recommended)

LPR/LPD
LPR/LPD is not encrypted, and if you’ve made it this far through this article, it would appear that security is important to you so let’s just skip this one and not use it.

SMB
In all honesty, managing SMB printers on a Mac, whether it is BYOD or a managed device, is often not worth it. I recommend you go straight for IPPS. But if you do go for SMB, at least your print jobs will be encrypted over the network.

IPPS
IPPS is IPP over an HTTPS connection. Inherently, it uses the same level of encryption you would get on an HTTPS web page. MacOS computers do accept self-signed certificates; read more about the considerations under iOS clients.

You have two options to deploy IPPS:

  1. Deploy Mobility Print. Mobility Print works extremely well in a mixed environment where some devices are managed, and others are BYOD or even mobile devices. Both are able to connect to the Mobility Print server and authenticate securely.

    Mobility Print can be deployed on a Windows server, so an additional MacOS server is not required. Mobility Print will use HTTPS for client connections.

  2. Deploy a MacOS server. With a MacOS server, you can deploy additional tools such as Kerberos if you want your users to avoid entering their credentials when printing. The additional overhead and cost required to configure and manage the additional server and clients often prompts organizations to use Mobility Print instead.

iOS clients

Mobility Print is the answer to encryption for both iOS and MacOS, as IPPS is used as the printing protocol.

Note however, that both iOS and MacOS devices accept self-signed certificates. On the open internet, where there are many hops between you and the server, a self-signed certificate is not secure because any of these hops can introduce a man-in-the-middle attack. On a local network however, the risk is considerably less, especially in a switched network environment.

Best practice: If you want to minimize the risk of man-in-the-middle attacks, make sure you use secure Wi-Fi protocols, and consider using security tools that actively monitor for address spoofing attempts.

Android clients

PaperCut’s Android Mobility Print app uses encrypted printing for Android devices out of the box. Print jobs are sent to the Mobility Print server over HTTPS. Similar to iOS and MacOS, self-signed certificates are accepted.

ChromeOS clients

When using Mobility Print, 256-bit level AES encryption is applied to all print jobs.

Print server to printers

First, check whether your printer supports IPPS by consulting its specification.

If your printers support IPPS, you are in luck, as you can set up an encrypted connection between your print server and the printer. If your printers only support LPD, then there are still a few things you can do to avoid someone snooping and capturing the print jobs, which will be explained below.

IPPS between the server and printers

PaperCut MF and NG can securely forward print jobs to printers over IPPS. Follow this guide on how to configure IPPS printers and PaperCut MF and NG.

How to secure printers that do not support IPPS

As print jobs won’t be encrypted, your only defence is to separate network traffic between your server and printers from the rest of the network.

Firstly, configure your printers on a different VLAN. Secondly, to ensure someone can’t access the private VLAN by pulling out a network cable from a printer, follow the user manual of your switch to configure port security to only accept your printer’s MAC address.

Validate

Checking whether encryption to a website is configured is pretty easy. Simply open a browser and see whether it complains about the security.

Checking the encryption of print jobs is slightly more involved, and a little bit more fun. You’ll need Wireshark to analyse network protocols. For instructions on how to use Wireshark to validate that your jobs are secure, follow this guide.
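As an added example (not PaperCut's code and not part of the original guide), the Python below shows what to look for in the first bytes of each captured TCP payload when checking a print stream: a TLS record or an SMB3 transform header means the data is travelling encrypted, while an LPD command, plain HTTP, or SMB without the transform header does not. The sample payloads are constructed, and the names classify and stream_is_encrypted are assumptions of this example.

```python
# Byte patterns: TLS record header, SMB protocol ids, HTTP request line,
# LPD "receive a printer job" command (RFC 1179).
from __future__ import annotations

SMB_IDS = {
    b"\xffSMB": ("SMB1 message", False),
    b"\xfeSMB": ("SMB2/3 message, no transform header", False),
    b"\xfdSMB": ("SMB3 transform header (encrypted message)", True),
}
HTTP_METHODS = (b"POST ", b"GET ", b"PUT ", b"HEAD ", b"OPTIONS ")
TLS_TYPES = {0x14, 0x15, 0x16, 0x17}  # change-cipher-spec, alert, handshake, data

# Constructed sample payloads (assumptions, not taken from a real capture).
TLS_HELLO = b"\x16\x03\x01\x00\x05hello"
SMB_PLAIN = b"\x00\x00\x00\x40\xfeSMB" + b"\x00" * 60
SMB_ENC = b"\x00\x00\x00\x4c\xfdSMB" + b"\x00" * 72
LPD_JOB = b"\x02accounts-queue\n"
IPP_HTTP = b"POST /ipp/print HTTP/1.1\r\nContent-Type: application/ipp\r\n\r\n"


def classify(payload: bytes) -> tuple[str, bool]:
    """Return (label, protected); protected means an encrypted transport."""
    # TLS record header: content type, version 3.x, two length bytes.
    if (len(payload) >= 5 and payload[0] in TLS_TYPES
            and payload[1] == 3 and payload[2] <= 4):
        return ("TLS record (IPPS/HTTPS)", True)
    # SMB over TCP: 4-byte length prefix starting 0x00, then protocol id.
    if len(payload) >= 8 and payload[0] == 0 and payload[4:8] in SMB_IDS:
        return SMB_IDS[payload[4:8]]
    if payload.startswith(HTTP_METHODS):
        kind = "IPP over plain HTTP" if b"application/ipp" in payload else "plain HTTP"
        return (kind, False)
    # LPD: command byte 0x02, queue name, line feed.
    if len(payload) > 2 and payload[0] == 2 and payload.endswith(b"\n"):
        return ("LPD receive-job command", False)
    return ("unrecognised", False)


def stream_is_encrypted(payloads: list[bytes]) -> bool:
    """True if the stream reaches a protected transport and stays on it."""
    flags = []
    for p in payloads:
        label, protected = classify(p)
        # SMB negotiate/session setup use plain SMB2/3 headers even when
        # encryption is on; anything else in cleartext fails at once.
        if not protected and not label.startswith("SMB2/3"):
            return False
        flags.append(protected)
    first = flags.index(True) if True in flags else len(flags)
    return first < len(flags) and all(flags[first:])
```

Feed it the client-to-server payloads of one TCP stream in capture order; an SMB stream that never switches to the transform header is reported as not encrypted.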

Maintain

As mentioned earlier, an important part of security is maintenance. All too often, vulnerabilities occur through lack of maintenance. This is often a forgotten step so here are our top tips on making your print environment more secure:

  1. Document your security policies and design. If you leave one day, someone should be able to pick up from where you left off.
  2. Keep your printers on a different VLAN or dedicated IP range, and disable all protocols except IPPS.
  3. Switch on auto updates to get the latest security updates for software and operating systems.
  4. Sign up for security notifications from Microsoft.
  5. Create Google Alerts for:
    • MacOS security alert
    • iOS security alert
    • ChromeOS security alert
    • Android security alert
    • IPPS security alert
  6. Share your practices and document within your organization. Don’t be surprised when your next pay review includes a nice raise.

Conclusion

Well done! You have not only secured your organisation for the present, but you’ve put in place practices that will keep your organisation secure far into the future. Through all of this, you might have picked up a salary raise. You can now feel good going on a weekend away, knowing that you’ve got your organisation’s back. Proceed to work towards an Apply, Validate and Maintain approach for the other areas of your IT infrastructure!


Categories: How-to Articles , Security and Privacy


Keywords: security , encryption , end-to-end encryption


Last updated January 30, 2025