11.1 iPrint Appliance Configuration

The iPrint Appliance Configuration page displays the following options:

11.1.1 Printers

The Printers page lists all printers currently managed by iPrint Appliance. You can enable a printer for AirPrint, Email printing, and IPP printing.

Advertising a Printer as AirPrint

  1. Select a printer or printers, click the AirPrint drop-down menu, then click Enable Advertising.

    Only Apple certified AirPrint printers are supported for AirPrint printing. On enabling the printer for AirPrint, the printer is advertized as an AirPrint-enabled printer.

Enabling Mobile Printing for a Printer

  1. Select a printer or printers, click the Mobile drop-down menu, then click Enable.

    On enabling the printer for mobile, you can print to that printer from your mobile devices.

Enabling Email Printing

Using email printing, you can print documents from any device capable of sending emails. You can print emails by specifying email printing commands in the subject line of the email. You can also print documents by emailing them to your printer as attachments. When configured for email printing, iPrint Appliance becomes a client to an email server.

To enable email printing, you must ensure to meet the following:

After configuring the global email settings, do the following:

  1. Select a printer or printers, click the Email drop-down menu, then click Enable.

    On enabling the printer for email, you can print to that printer by using the email printing feature.

Enabling Private Email Printing

You can configure a printer for private email printing by providing a specific email address to each printer.

To enable private email printing, you must ensure to meet the following:

To enable a private email address for the printer, do the following:

  1. Select a printer, click the Configure drop-down menu, then click Printer Email Settings.

  2. Specify the values as follows:

    Account

    • Email Address: Specify the full email address of the mailbox to be polled for the print jobs. When an email-based job arrives, the print job is processed to the printer. For example, print@example.com.

    • Username: Specify the user name to be used by iPrint Appliance to log in to the email server to access the private printer email account. For example, iprint.

    • Password: Specify the password for iPrint Appliance to log in to the email server to access the private printer email account.

    Server

    • Incoming Mail Server: Specify the address of the incoming email server for the email account. For example, imap.example.com.

    • Incoming Mail Server Port: Specify the port of the incoming email server for the email account.

    • Outgoing Mail Server: Specify the address of the outgoing email server for the email account. For example, smtp.example.com.

    • Outgoing Mail Server Port: Specify the port of the outgoing email server for the email account.

    • Access Method: iPrint Appliance supports two different protocols to poll for incoming print jobs. Select POP or IMAP depending on the protocol your email server supports.

Caveats For Email Printing

  • An email address used for a particular printer (per-printer email configuration) cannot be shared for any other printer or mobile service.

  • Secure printers cannot be configured for email printing.

Editing a Printer

  1. To view and modify the details of a printer, click the printer name.

  2. You can modify the details as follows:

    • AirPrint Advertising: An option is available to enable or disable AirPrint advertising. This option is displayed for only Apple certified AirPrint printers. For all other printers the message will be “Not Applicable”.

    • Bonjour Service Name: Displays the name with which the printer will be advertised as AirPrint printer.

    • Address: Displays the IP address or host name of the printer.

    • Geo-location: (Optional) Geographical location of the printer.

    • Device Location: (Optional) Local location of the printer.

    • Description: (Optional) Specific description related to the printer.

    • Web upload using iPrint Portal: This option enables the QuickPrint button in the iPrint Portal. Using any web browser, the user selects a file and prints. The user no longer requires client or driver installations.

    • Visible to all users in iPrint Portal: By default, all printers are listed in iPrint Portal when a user is not logged in. If you want to hide some printers from the user who is not-logged in, then you can deselect this option.

    • Printer Status: Displays the health monitoring GUI to monitor the printer status.

    • Manage Printer: Displays the iManager GUI to manage the print environment.

    • Manage Certificates: Displays the Certificates page. The certificates are managed from this location.

    • Tags: Specify a label for the printer. Multiple printers can be grouped under same label. In the iPrint Portal, it will be easier for the users to find a specific set of printers. For example, if you specify a tag as Color Printer. In the iPrint Portal, a user can easily locate specific printers by selecting the Color Printer tag.

  3. Click Save.

Printer Rename and Printer Refresh

You can rename a printer from the Printers page. Select a printer you want to rename, click the Configure menu, then click Rename Printer.

To refresh the printers list, click the Refresh button in the upper right of the Available Printers window.

Bulk Printer Creation Using a CSV File

You can create multiple printers using a csv file. You can create or use the sample csv file, then upload the csv file into iPrint Appliance by clicking the Bulk Printer Creation button in the upper-right corner of the Printers Configuration page.

The csv file contains the following fields:

PrinterName,PrinterIP,Location,Description,Win95_98_Driver,Winnt_Driver,Win2k_Driver,Winxp_Driver,Linux_Driver,Mac_Driver,Vista32_Driver,Vista64_Driver,Win732_Driver,Win764_Driver,Win832_Driver,Win864_Driver,Win1032_Driver,Win1064_Driver,Enable DirectPrinting,Secure Printing,Enable Auditing,LPR/RAW,Raw Port

Uploading the CSV File

  1. On a Web browser, specify either the host name or the IP address. For example, https://10.0.0.1:9443 or https://iprint.example.com:9443.

  2. Specify the Username and Password, then click Log in.

  3. Click Manage iPrint Appliance.

  4. Click Printers.

  5. Click the Bulk Printer Creation button in the upper-right corner of the window.

    1. To download the sample csv file, click Download Sample CSV.

  6. Navigate to the .csv file, select it, then click OK to begin the printer import process.

For more information on the parameters in the csv file, see Bulk Printer Import Using a CSV File.

11.1.2 WalkUp Printers

WalkUp printer is a virtual print queue that includes group of physical printers. The print jobs sent to the WalkUp printer are put on hold by the iPrint Appliance server and released to a desirable printer. The jobs can be released using identity cards or Release Portal.

You must associate drivers for printers when performing desktop printing.

Figure 11-1 WalkUp Flow

Prerequisites

  • Ensure that the physical printers are available before creating a WalkUp printer.

  • All the WalkUp jobs are stored on the secondary disk. Depending on the usage of the print service, decide the space required on the secondary disk.

  • The users releases the jobs by using a Release Portal or a mobile app. Ensure that the user is aware of the printer location and printer names.

  • By default, only the WalkUp administrator and the users created in the iPrintAppliance container will have access to the WalkUp printer. To provide access to all the imported users or users in other containers use iManager.

In the Management Console, WalkUp Printers page, you can create, edit, and delete a WalkUp printer. You can modify the job hold duration for a printer and also enable it for Mobile printing.

Creating a WalkUp Printer

  1. Under Configuration, click WalkUp Printers.

  2. Click New.

  3. Specify the name of the WalkUp (virtual) printer. This name will be exposed to the user when they install printers on their desktop or mobile devices.

  4. (Optional) Specify description for the printer.

  5. To enable mobile users to use this printer, select Mobile Printing.

  6. By default, the Web upload using iPrint Portal option is enabled. This enables the QuickPrint feature in the iPrint Portal and user can print files using any web browser. The user no longer requires client or driver installations.

  7. By default, the Visible to all users in iPrint Portal option is enabled. This option lists all the printers in iPrint Portal. If you want to hide some printers from the user who is not-logged in, then you can deselect this option.

  8. From the list of printers, select the printers to group under the WalkUp printer. The jobs sent to the WalkUp printer will be put on hold and the user will have control to release those jobs to one of the grouped printer.

    You must select at least one printer.

  9. Click Next.

  10. Assign platform-specific drivers for the WalkUp printer.

    If Windows drivers are selected, then bi-directional communication can be set for the WalkUp printer.

    1. Specify the IP Address or host name from the pool of the printer that you have selected for WalkUp.

  11. Click Finish.

    WalkUp printer object is created that includes group of printers. The jobs on hold can only be released to these printers.

Editing a WalkUp Printer

  1. Under Configuration, click WalkUp Printers.

  2. Click the printer name.

    Displays the details of the printer and its drivers.

  3. In the Printer Details tab, modify the details of the printer.

  4. Click the Drivers tab, then reassign the drivers for the selected printers. You can also modify the IP address or host name for bi-di communication.

  5. Click Save.

    The modified settings are applicable to all jobs sent to the selected WalkUp printer.

Deleting a WalkUp Printer

Ensure all the jobs are completed before deleting the printer. On deleting this printer, all the held jobs will be automatically cancelled.

  1. Under Configuration, click WalkUp Printers.

  2. Select a printer or printers, then click Delete.

Enabling Mobile Printing for a WalkUp Printer

  1. Under Configuration, click WalkUp Printers.

  2. Select a printer or printers, click the Mobile drop-down menu, then click Enable.

Modifying the Job Hold Time

By default, the job is put on hold for four hours, after which the job will be cancelled. You can modify the time duration to put the job on hold as follows:

  1. Under Configuration, click WalkUp Printers.

  2. Click Settings.

  3. Modify the duration to hold a job. This change is applicable only for the jobs put on hold after the setting is modified. The existing jobs will continue to be on hold as per the earlier set duration.

Caveats for Implementing WalkUp Printing

This section lists a few pointers for avoiding common WalkUp implementation problems.

  • Using iManager: The following management tasks for the WalkUp printer are only managed by iManager:

    • Enable auto driver or profile update

    • Assign driver profiles

    • Set Access Control

    • Enable auditing

    • Delete held jobs

  • Using iPrint status (iPrint Health Monitoring page): The following tasks of the WalkUp printers are monitored using the iPrint Health Monitoring tool:

    • Delete held jobs

    • Enable auditing

  • Job hold time: By default, the job is put on hold for four hours, after which the job is cancelled. If a job is cancelled it is no longer available in the Release Portal. The job hold time can be modified from the Management Console. For more information, see Modifying the Job Hold Time.

  • Insufficient balance when printing in PaperCut setup: If the user prints in spite of having insufficient balance in his account, the job is canceled even though the Release Portal displays a success message.

Release Portal for Users

The iPrint Release Portal displays the jobs that are put on hold, the time the job was submitted to the WalkUp printer, and the expiry time of the job. By default, the job is put on hold for four hours, after which the job will be cancelled. If a job is canceled it is no longer available in the Release Portal.

To launch the Release Portal in a web browser, specify the Appliance server’s address (<https://<Appliance_IPaddress or host_name>/user> or <https://<Appliance_IPaddress or host_name>:9443/release-portal).

Printing a WalkUp Job

  1. Using a web browser, specify the server address (https://<Appliance_IPaddress or host_name>/user) or (https://<Appliance_IPaddress or host_name>:9443/release-portal).

  2. Specify the user authentication details.

    On successful authentication, jobs are displayed.

  3. Select the document, then click Print.

  4. Select the printer, then click OK.

    The document is printed by the selected printer.

Deleting a WalkUp Job

  1. Using a web browser, specify the server address (https://<Appliance_IPaddress or host_name>/user) or (https://<Appliance_IPaddress or host_name>:9443/release-portal).

  2. Specify the user authentication details.

    On successful authentication, jobs are displayed.

  3. Select the document or multiple documents, then click Delete.

    The selected jobs are deleted and no longer available to print.

Identity Card Release for Users

A user can now print the WalkUp jobs by using their identity card. A card reader is placed adjacent to the printer and the user swipes his/her identity card to print the jobs.The held WalkUp jobs are printed using the user’s identity card as follows:

  1. The administrator configures the Ethernet 241 switch and card reader.

  2. The card reader is attached to the printer.

  3. The user prints to a WalkUp queue and job is put on hold.

  4. The user swipes his/her identity card on the card reader.

  5. The iPrint Appliance server validates the user credentials.

  6. All the jobs in the WalkUp queue submitted by the user for that printer are printed.

iPrint Appliance works with RF IDeas Ethernet 241 devices. For more information on supported card types, see the RF IDeas product page.

How to configure identity Cards for iPrint Appliance?

  1. Configure the Card (Ethernet 241) devices as per the instructions of the vendor.

  2. Launch the Ethernet 241 Web portal (http://<ethernet241 device’s IP)

    1. In Server’s tab, specify the Data Server IP as the iPrint Appliance IP

    2. The Data Server URl as the iPrint Appliance’s URL (http://hostname or IP of iPrint Appliance)

    3. In the Data Server Str, specify the exact value given below:

      /iprint/users/release?csn=$1&mac=$2&luid=$3&seq=$4&ip=$5&devmac=$6&devip=$7&rdr=$8&fwver=$9

    4. Click on Update to configure the device with the iPrint Appliance details.

  3. Launch the iPrint Appliance Management Console:

    1. In the Directory Servers page, select the directory server to use for Card Release.

    2. In the Server Information tab, select Use Card Release for printing jobs and provide the name of the attribute to which the value of the card is mapped. iPrint Appliance uses this attribute to authenticate the user when he/she swipes the card.

11.1.3 Manage Printers (iManager)

This page displays the iManager interface.

Using iManager, you can manage the print environment such as create printers, printer drivers, profiles, and users. You can also manage workstations. For more information, see iPrint Printer Configuration (iManager).

11.1.4 Printer Status

This page displays a global view of your print system. The tool displays the current status of Printer Agents, and lets you configure settings and generate reports about your print system.

For more information about the iPrint Printer Status tool, see the Micro Focus iPrint Appliance 3.2: Micro Focus iPrint Appliance Health Monitoring Guide.

11.1.5 Mobile

On the Mobile configuration page, you can configure default options for mobile printing and email printing.

Global Mobile Settings

Following are the default settings for all the printers when printing from the mobile app. When performing print, these settings can be modified for an individual printer.

Paper Size: Select Letter or A4.

Orientation: Select between Landscape or Portrait printing.

Enable Duplex Printing: Duplex printing allows printing on both the sides of a paper. Print devices without this capability can only print on a single side of paper (simplex printing).

Enable Color Printing: Color printing prints the documents in color, as opposed to monochrome (black and white) printing.

Global Email Settings

iPrint Appliance can be configured to accept print jobs through email messages and attachments. Using email printing, you can print documents from any device capable of sending emails. You can print emails by specifying email printing commands in the subject line of the email. You can also print documents by emailing them to your printer as attachments. When configured for email printing, iPrint Appliance becomes a client to an email server. Email account inbox is polled for incoming print jobs, which are routed to the intended printer.

Ensure email accounts are created and functional prior to their association with the iPrint Appliance.

Enable email-based printing: Select this option to enable email printing. A global email address is assigned for all the printers.

The following fields are used by iPrint Appliance to describe and access the global email account:

Email address: Specify the full email address for global print jobs. For example, print@example.com. Ensure to use an exclusive email account for iPrint Appliance. Do not use an existing email account.

iPrint Appliance polls the inbox of this email address looking for print jobs. When an email-based job arrives, the subject line is parsed to determine the printer to which the job is sent.

IMPORTANT:If an existing email account is used, the mails in that account might get deleted, auto-replied, and so on.

Account Username: Specify the user name for iPrint Appliance to log in to the email server to access the global email account. For example, iprint.

Account Password: Specify the password for iPrint Appliance to log in to the email server to access the global email account.

NOTE:When you are modifying any global email settings, ensure to provide the account password. An error occurs if password is not provided.

Incoming Mail Server: Specify the address of the incoming mail server for the email account. For example, imap.example.com.

Incoming Mail Server Port: Specify the port number of the incoming mail server for the email account. For more information, see Incoming Mail Server Parameters.

Incoming Server Type: iPrint Appliance supports POP and IMAP protocols to poll for incoming print jobs. Select POP or IMAP depending on the protocol that your email server supports.

Outgoing (SMTP) Mail Server: Specify the address of the outgoing mail server for the email account. For example, smtp.example.com. iPrint Appliance uses the SMTP protocol to send email back to users who submit email-based print jobs to report their job status. In order to support iPrint Appliance, the email server you select must support the SMTP protocol.

Outgoing (SMTP) Mail Server Port: Specify the port of the outgoing mail server for the email account. For more information, see Outgoing Mail Server Parameters.

Message body Printing: With email-based printing, attachments are always printed. This option allows the email message body to also be printed. It is enabled by default.

Polling Interval: Configures the interval (in seconds) at which emails are fetched from the mail servers.

IMPORTANT:When using email printing, the print command in the subject line might trigger spam filters. To avoid this issue, configure your email system to allow print-specific emails. Include the approved print users in the spam filter of your email system to prevent unwanted print requests.

You can also configure a printer for private email printing by providing a specific email address to each printer. For more information, see Enabling Private Email Printing.

11.1.6 Renderers

The Renderers Configuration page allows you to download the remote renderer and also manage all the renderers. For more information about installing and configuring a remote renderer, see Installing and Configuring a Remote Renderer.

On the Renderers page, you can perform the following actions:

Add a Renderer

  1. Under Configuration, click Renderers.

  2. Click New.

  3. In the Renderer Host/IP address box, specify the host name or IP address of the renderer system, then click Connect.

  4. Under Options, specify a name for the renderer in the Renderer Name box.

  5. Select the document formats you want the remote renderer to render.

    NOTE:The Build-in PDF renderer is selected by default. If you want to use Adobe Acrobat, you must ensure that Adobe Acrobat Pro is installed on the renderer machine before selecting the Adobe Acrobat option. Similarly, if you want to enable the remote renderer to render Microsoft Office formats, you must ensure that Microsoft Office is installed on the renderer machine before selecting the Office Support option.

  6. Choose the Default Printer Driver, then click Register.

Edit a Renderer

You can change a remote renderer’s name, the document rendering options, and the default printer driver using the Edit feature on the Renderers page.

  1. Under Configuration, click Renderers.

  2. Select a renderer which you want to edit, then click Edit.

  3. Modify the details, then click Commit.

Delete a Renderer

  1. Under Configuration, click Renderers.

  2. Select a renderer that you want to delete, then click Delete.

Deleting a renderer unregisters the renderer from the iPrint Appliance.

Activate or Deactivate a Renderer

  1. Under Configuration, click Renderers.

  2. Select a renderer that you want to activate, then click Activate.

    The renderer is now in an active state.

If the renderer is in an Inactive state, it will not render any jobs. Deactivating a renderer does not unregister the renderer from the iPrint Appliance.

11.1.7 Driver Store

You can change the Drive Store post the initial configuration.

Changing from local to remote driver store or vice versa: After initial configuration, if you change the local driver store to remote driver store or vice versa, you must again set the default driver for the local renderer.

The Driver Store Configuration page contains the following options:

Local: Select this option to use the Driver Store of the local machine.

Remote: Select this option to change the location of the Remote Driver Store. Specify the host name/Address, Username (FDN format - for example, cn=admin,o=companyname), and the Password of the new Remote Driver Store, then click Save.

11.1.8 AirPrint

AirPrint is a framework that facilitates driverless printing that allows users to send print jobs to AirPrint enabled printers. This page displays the status of the AirPrint service. You can start or stop the AirPrint service.

11.1.9 Directory Servers

To create an iPrint Appliance user account, you can synchronize initial user information from your network directory service (NetIQ eDirectory or Microsoft Active Directory service) after you have installed the iPrint Appliance software. Over time, you can continue to synchronize user information from the LDAP directory to your iPrint Appliance.

IMPORTANT:

  • iPrint Appliance performs one-way synchronization from the LDAP directory. If you change user information on iPrint Appliance, the changes are not synchronized back to your LDAP directory. It is recommended not to change the LDAP information for the synced user on iPrint Appliance.

  • iPrint Appliance does not support multi-value attributes. If your LDAP directory contains multi-value attributes, iPrint Appliance recognizes only the first attribute. For example, if your LDAP directory contains multiple email addresses for a given user, only the first email address is synchronized to iPrint Appliance.

  • LDAP import does not sync user passwords to iPrint Appliance. Authentication requests from the mobile app are redirected to the defined LDAP source. If a user password is changed on the LDAP source, you do not need to update the same password on iPrint Appliance.

  • The LDAP source IP or host name must be always active for iPrint Appliance to authenticate users.

Configuring an LDAP Server

You can configure multiple LDAP connections. You should never configure multiple LDAP connections to point to the same location on the same LDAP directory. If you need a failover solution, you should use a load balancer.

If your LDAP directory service requires a secure LDAP connection (LDAPS), see Securing LDAP Synchronization and then configure the LDAP server.

To configure an LDAP connection:

  1. On the Directory Servers Configuration page, click Add.

    or

    To modify an existing LDAP connection, click the URL of the connection in the table.

    IMPORTANT:When modifying an existing LDAP connection, do not modify the LDAP server URL. Doing so can lead to synchronized users being disabled or deleted.

  2. On the New Directory Server page, specify the required information.

    LDAP Server URL: In order to synchronize initial user information, iPrint Appliance must access an LDAP server where your directory service is running. You must provide the hostname of the server, using a URL with the following format:

    ldap://hostname

    If the LDAP server requires a secure SSL connection, use the following format:

    ldaps://hostname

    If the LDAP server is configured with a default port number (389 for non-secure connections or 636 for secure SSL connections), the port number is not required in the URL. If the LDAP server uses a different port number, use the following format for the LDAP URL:

    ldap://hostname:port_number
ldaps://hostname:port_number

    If the LDAP server requires a secure SSL connection, additional setup is required. You must import the root certificate for your LDAP directory into the Java KeyStore (JVM Certificates) from Directory Servers > Upload Certificate on the iPrint server, before you configure iPrint Appliance for LDAP synchronization. After importing the certificate, you must restart the iPrint Appliance.

    Alias Name for URL (Optional): You can specify an alternative name for the LDAP server instead of the IP or hostname.

    User DN (Proxy User for Synchronizing Users and Groups) To sync users into iPrint Appliance, you must provide the user name and password of a user who has sufficient rights to access the user information on the LDAP server.

    Directory Service

    Required Rights

    eDirectory

    • [All Attribute Rights] - Compare & Read

    • [Entry Rights] - Browse (on the container containing the users that need to be imported into iPrint)

    Active Directory

    Any authenticated user can be used as the proxy user as long as there are no read restrictions in place on the Organizational Unit (OU) that contains the users.

    Required rights if OU read restrictions are in place:

    • Read (on the Organizational Unit containing the users that need to be imported into iPrint)

      Ensure that This object & all descendant objects is selected in the Security tab under the advanced options

    In your LDAP directory tree, you must provide the fully qualified, comma-delimited user name, along with its context, in the format expected by your directory service.

    Directory Service

    Format for the User Name

    eDirectory

    cn=username,ou=organizational_unit,o=organization

    Active Directory

    cn=username,cn=organizational_unit,dc=domain_component

    Password: Password for the User DN.

    Directory Type: The directory type that you are connecting to. Select eDirectory, Active Directory, or Other.

    Unique Attribute for User or Group: The LDAP attribute that uniquely identifies a user or group helps facilitate renaming and moving iPrint users and groups in the LDAP directory. If this attribute is not set and you rename or move a user in the LDAP source directory, iPrint Appliance assumes that the new name (or the new location of the same name) represents a new user rather than a modified user, and creates a new iPrint Appliance user.

    For example, you have an iPrint user with a given name of William Jones. If William changes his name to Bill and you make that change in the LDAP directory, iPrint Appliance creates a new user named Bill Jones.

    To ensure that iPrint Appliance modifies the existing user instead of creating a new user when the user is renamed or moved in the LDAP directory, you must specify the name of the LDAP attribute that uniquely identifies the user. For eDirectory, this value is GUID. For Active Directory, this value is objectGUID. This attribute always has a unique value that does not change when you rename or move a user in the LDAP directory. If you want to map users to a different attribute, you must ensure that the attribute that you use is a binary attribute. For example, the cn attribute cannot be used because it is not a binary attribute.

    Account Name Attribute: This setting is used for two purposes:

    • The value is used as the iPrint Appliance user name when the user is first provisioned from LDAP. The value of this attribute must be unique.

    • During iPrint Appliance login, iPrint Appliance uses this attribute to locate the user in the LDAP directory, and then tries to authenticate as that user.

    LDAP directories differ in the LDAP attribute used to identify a User object. Both eDirectory and Active Directory might use the cn (common name) attribute. A more sure alternative for Active Directory is to use the sAMAccountName attribute. Other LDAP directories might use the uid (unique ID) attribute, depending on the structure and configuration of the directory tree.

    Consult with your directory administrator in order to determine the best attribute to use. In some cases where not all users are being imported successfully, you must set up two LDAP sources pointing to the same LDAP server and have each source use a different value for the Account Name Attribute. For example, set up one LDAP source and use cn as the Account Name Attribute, and then set up a separate source to the same LDAP server and use sAMAccountName as the Account Name Attribute.

    In addition to the attributes already mentioned in this section, other LDAP attributes can be used for the Account Name Attribute, as long as the attribute is unique for each User object. For example, the mail LDAP attribute on User objects can be used to enable iPrint Appliance users to log in by using their email addresses.

    Use Card Release for printing jobs: Select this option to release WalkUp jobs by using the identity cards.

    Specify the attribute that maps the user to their identity card. When releasing the WalkUp job, iPrint Appliance maps this attribute to the one specified in the eDirectory or Active directory database and on receiving the user details, authenticates the user. On successful authentication, the jobs are released.

  3. Click OK.

  4. In the Add Search Context, select Users or Groups.

    Base DN: iPrint Appliance can find and synchronize initial user information from user or group objects located in one or more containers in the LDAP directory tree. A container under which user or group objects are located is called a base DN (distinguished name). The format you use to specify a base DN depends on your directory service.

    When you synchronize user information into iPrint Appliance from a source LDAP directory service, the entire Base DN on the source is imported into iPrint Appliance. For example, if you sync the context o=users from an LDAP source, the same o=users context is created in iPrint Appliance.

    Directory Service

    Format for the User Container

    eDirectory

    ou=organizational_unit,o=organization

    Active Directory

    cn=organizational_unit,dc=domain_component

    Container names cannot exceed 128 characters. If the container name exceeds 128 characters, users are not provisioned.

    Filter: To import potential iPrint users, iPrint Appliance by default filters on the following LDAP directory object attributes:

    • Person

    • orgPerson

    • inetOrgPerson

    To import groups based on information in your LDAP directory, iPrint Appliance filters on the following LDAP directory object attributes:

    • group

    • groupOfNames

    • groupOfUniqueNames

    You can add attributes to the user or group filter list if necessary. You can use the following operators in the filter:

    • | OR (the default)

    • & AND

    • ! NOT

    You might find it convenient to create a group that consists of all the users that you want to set up in iPrint Appliance, regardless of where they are located in your LDAP directory. After you create the group, you can use the following filter to search for User objects that have the specified group membership attribute:

    (groupMembership=cn=group_name,ou=organizational_unit,o=organization)

    IMPORTANT:If you create a filter to search for a specific group to find users, users that are located in any sub-groups to that group are not synchronized.

    When synchronizing against Active Directory, you can create a filter that synchronizes users in sub-groups by using the following rule object identifier (OID):

    <attribute name>:<matching rule OID>:=<value>

    Ensure that you include parentheses in your filter.

    Directory Service

    Filter to search for User objects

    eDirectory

    (groupMembership=cn=group_name,ou=organizational_unit,o=organization)

    Active Directory

    (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)

    Search Subtree: Select whether you want iPrint Appliance to search for users or groups in containers below the base DN (that is, in subtrees).

  5. Click Add. This adds the user or group.

    1. To add another user or group, click Add Search Context, then select Users or Group.

    2. Specify the Base DN and other details, then click Add.

  6. Click OK to save the directory server configuration.

Deleting an LDAP Configuration

If you delete users that are synced from a particular LDAP source, you must delete the LDAP source connection then run an LDAP sync. When you delete an LDAP source, the users and groups from that context are deleted while the context itself is retained.

  1. On the Directory Servers Configuration page, select the LDAP configuration that you want to delete, then click Delete.

Configuring Synchronization Schedule

When planning the schedule, take into account how often your LDAP directory user (and, optionally, group) information changes and the server resources required to perform the synchronization for the number of users (and, optionally, groups) that you have.

NOTE:Because the synchronization options apply to all LDAP configurations for the iPrint Appliance, you cannot have customized synchronization settings for each LDAP configuration.

  1. On the Directory Servers Configuration page, click Synchronization.

  2. Click Schedule.

    1. Select whether to run the LDAP synchronization every day, or on specific days of the week. You can also perform a sync once a day at a specified time, or multiple times each day.

    2. Click Save.

To synchronize users and groups immediately, click Synchronize Now. The summary of users/groups that are synchronized is available in the Results section.

Securing LDAP Synchronization

If your LDAP directory service requires a secure LDAP connection (LDAPS), you must configure iPrint Appliance with a root certificate. The root certificate identifies the root certificate authority (CA) for your appliance, which enables you to export a self-signed root certificate based on your eDirectory or Active Directory tree.

Exporting a Root Certificate

Exporting a Root Certificate for eDirectory

  1. Launch and log in to iManager for your tree.

  2. Click Directory Administration.

  3. Click Modify Object.

  4. Click the magnifying glass icon to browse to and select the “Tree Name CA” object in the Security container of the eDirectory tree.

  5. Click OK.

  6. Click the Certificates tab.

  7. Select the check box for the root certificate (this is not the certificate titled Self Signed Certificate, but rather the root certificate), then click Validate.

  8. Select the check box for the root certificate, then click Export.

  9. Deselect Export private key, then click Next.

  10. Click Save the exported certificate, then select File in binary DER format.

  11. Save the file to a location where it can be accessed later and with a file name that you can remember, such as SelfSignCert.der.

  12. Click Close > OK.

  13. Continue with Importing the Root Certificate into the Java Keystore.

Exporting the Root Certificate for Active Directory

  1. On the Windows server, click Start > Run, then enter mmc.

  2. In MMC, type Ctrl+M.

  3. If the Internet Information Services (IIS) Manager snap-in is not installed on your Windows server, install it.

  4. With IIS selected, click Add, then click OK.

  5. In the left frame, click Internet Information Services, then click a Windows server that iPrint Appliance can connect to for synchronizing users.

  6. In the Filter list, scroll down to Server Certificates and double-click the icon.

  7. In the Actions list, click Create Self-Signed Certificate.

  8. Name the certificate with a name you can remember, such as the server name, then click OK.

  9. Type Ctrl+M, select the Certificates plug-in, then click Add.

  10. Select Computer account, then click Next.

  11. Click Finish.

  12. In the Snap-ins dialog, click OK.

  13. In MMC, expand the Certificates plug-in, expand Personal, then click Certificates.

  14. Right-click the certificate you created, select All Tasks, then click Export....

  15. In the Certificate Export wizard, click Next.

  16. Ensure that No, do not export the private key is selected, then click Next.

  17. Ensure that DER encoded binary is selected, then click Next.

  18. Name the certificate, then click Next.

  19. Click Finish > OK.

    The certificate is saved in C:\Users\Your-User-Name.

  20. Ensure that the certificate is accessible from your management browser.

  21. Continue with Importing the Root Certificate into the Java Keystore.

Importing the Root Certificate into the Java Keystore

  1. On a Web browser, use either the host name or the IP address to access the Management Console. For example, https://10.0.0.1:9443 or https://iprint.example.com:9443.

  2. Click Upload Certificate.

  3. Drag and drop the root certificate for your LDAP directory.

  4. Click Upload to import the root certificate into the Java KeyStore (JVM Certificates).

  5. Restart iPrint Appliance so that Tomcat rereads the updated Java keystore file.

    You can restart the iPrint Appliance service as described in System Services.

You are now ready to configure iPrint Appliance for secure LDAP synchronization, as described in Configuring an LDAP Server.

11.1.10 Advanced Authentication

iPrint Appliance supports Advanced Authentication for the users releasing the WalkUp jobs. iPrint Appliance uses only Card or combination of a Card and a Smartphone for multi-factor authentication. The Smartphone method is used for authentication through your Smartphone that uses an app to perform the out-of-band authentication. The authentication method must be in order of Card and Smartphone. We do not support only Smartphone or changing the order to Smarphone and Card.

For more information about using the Advanced Authentication Framework, see the Advanced Authentication - Administration documentation website.

The following steps describe the authentication flow for Card and a Smartphone authentication:

  1. To release a print job, when a user swipes the identity card, the authentication request is initiated and iPrint Appliance contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s card data.

  3. After validating the data, the Advanced Authentication server sends a push message to the user’s Smartphone to inform that an authentication request has been initiated.

  4. When the user opens the Smartphone app, the app reaches the Advanced Authentication server to validate if there is an authentication needed. The authentication is indicated by the Accept and Reject options. The user’s selection is then sent to the server.

  5. The server validates the authentication and iPrint Appliance releases all the print jobs of the user for that printer.

Prerequisites

  • Ensure that the iPrint Appliance users are available in the Advanced Authentication server. If the users are not available on both the servers, authentication will fail.

  • Configure the Advanced Authentication server with the following:

    • Authentication Chain with the authentication method as Card and Smartphone or only Card

    • Authentication Event with the event type as Generic

    • Endpoint with type as Other

      NOTE:Ensure that a Owner is not set for the Endpoint that is configured for the iPrint Appliance.

  • Endpoint ID and Endpoint Secret should be available before configuring Advanced Authentication in the iPrint Management Console

Configuring Advanced Authentication

Ensure all the prerequisites are met before configuring Advanced Authentication in the iPrint Management Console.

Enable Advanced Authentication: Select this to enable advanced authentication for iPrint users when releasing the WalkUp jobs by using their identity cards.

Option, Field, or Button

Information and/or Action

Advanced Authentication Server Address

The hostname or IP address of the Advanced Authentication server that you want to use for authentication.

Event Name

Specify the name that you created in the Advanced Authentication Administrative Portal. If inaccurate name is provided, the users will be unable to release their WalkUp jobs.

Endpoint Name

Specify the name that you created in the Advanced Authentication Administrative Portal.

Endpoint ID

Specify the value that is automatically generated when you use the Advanced Authentication Administrative Portal to create a Endpoint. You can copy the ID from the portal and paste it here.

Endpoint Secret

Specify the value that is automatically generated when you use the Advanced Authentication Administrative Portal to create a Endpoint. You can copy the secret key from the portal and paste it here.

Save

Click this to save your changes.

Reset

Click this to clear the changes you have made.

11.1.11 Certificate Management

The Certificates page displays details of self-signed certificates. You can also manage the third party certificate. A work flow is available for renewing the certificates on expiry. Certificate Management helps you to upload the CA signed certificates and apply them to all the relevant services used by iPrint Appliance.

Micro Focus iPrint Appliance ships with a self-signed server certificate. You can choose to use the self-signed certificate or use a trusted third party certificate. All the inbound and outbound communications to the iPrint Appliance uses server certificate. The server certificate works for both Micro Focus iPrint Appliance and the iPrint remote renderer (ports 9443 and 8443).

All certificates that are included with the IBM Java package that is bundled with the version of SLES that iPrint Appliance ships with, are installed when you install iPrint Appliance.

Terminology

Server Certificate: This is a certificate that is used for all secure communications with iPrint Appliance. You can either use the self-signed certificate or trusted CA signed certificate (or third party certificate). iPrint Appliance supports the certificates in.crt, .cer, .der, .pem, .p12, or .pfx format.

  • Self-signed Certificate: This is the default certificate (self-signed_cert) that is shipped with iPrint Appliance. The validity of the certificate is two years. To view details of the self-signed certificate, click .

  • Trusted CA Signed Certificate: You can use trusted server certificate that is signed by a trusted certificate authority (CA) such as VeriSign or Equifax, instead of the default self-signed certificate. Click Options to generate Certificate Signing Request (CSR) or Upload certificates that are received from CA.

Private Key: This key is generated when creating CSR.

Chain Certificate: The chain certificate is a list of SSL certificates, from the root certificate to the end-user certificate. Ensure all the chain certificates are available.

Generating a Certificate Signing Request

To request for a third party certificate, you must have a Certificate Signing Request (CSR). On generating a CSR, send it to a Certification Authority (CA). The CA authority provides a digital certificate that must be uploaded through the iPrint Appliance.

To generate a CSR, do the following:

  1. Click Options adjacent to Trusted CA Signed Certificate.

  2. Click Generate Certificate Signing request (CSR).

  3. Specify the following information:

    Common Name (CN): This is auto-populated with the appliance's hostname. If the appliance is configured with transferable DNS, the CN should match the Print Manager DNS name mentioned in Print Manager configuration file or the name specified during the initial configuration of appliance. Else the print service will be down.

    Organization (O): (Optional) Large organization name. For example, Micro Focus, Inc.

    Organizational Unit (OU): (Optional) Small organization name, such as a department or division. For example, Purchasing.

    Two-letter Country Code (C): (Optional) Two-letter country code. For example, US

    State or Province (ST): (Optional) State or province name. For example, Utah.

    City or Locality (L): (Optional) City name. For example, Provo.

    Key Size: Select the desired algorithm and key size.

  4. Click Generate.

    This generates the CSR file. You can delete the file, if you need a new CSR.

  5. To download the CSR, click Download.

    Send the CSR to a certificate authority (CA). The CA takes the CSR and generates an official certificate based on the information in the CSR. The CA then mails the new certificate and chain certificates back to you.

  6. Click Upload to import the CA reply to the iPrint Appliance.

    or

    1. If you have not generated the CSR from iPrint Appliance, then to import the certificates click Trusted CA Signed Certificate > Options > Upload Certificates.

    2. To apply the certificate, drag and drop all the files received from the CA. Specify the Passphrase and click Upload.

  7. Click OK to apply the certificates. The session expires due to restart of services, you must relogin to the appliance.

  8. The Certificates tab displays the active certificate.

  9. (Conditional) If you need to update the chain certificates for the active certificate, click Update Chain and upload the chain certificates.

  10. (Conditional) If you want to apply the certificate to another iPrint appliance, click Download. The downloaded file is in .p12 format. When you upload this certificate (.p12 format) to another appliance, you must specify the passphrase as changeit.

  11. (Conditional) If you delete the third party certificate, a new self-signed certificate is generated and applied to the appliance.

Additional Options

The Certificate Management screen displays options to repair the certificates, upload new certificates, and create a CSR.

  • Repair: Repairs any issues with the certificates.

    Click OK to repair the certificates. If certificates are repaired, then the session expires due to restart of services, you must relogin to the appliance.

  • Upload Certificates: The uploaded certificate will overwrite the existing active certificate.

  • Certificate request: Provides options to create a new CSR, download the CSR, or delete the CSR.

Certificate Expiry

When there are 30 days left for expiry of the self-signed or third party certificate, a warning message displays number of pending days for expiry.

IMPORTANT:On expiry of the certificate, iPrint server starts to display warnings and all the print functionality might not be available.

Click Regenerate the self-signed certificate to renew the self-signed certificate.

Click Manage third-party certificates using Certificates page to upload the third party certificate.

11.1.12 Printer Map (iPrint Map Designer Tool)

You can create a printer map using the iPrint Map Designer tool or HTML pages.

Use the iPrint Map Designer tool to create a map showing printer locations. The tool lets you import floor plans as background images that can be used to drag and drop printers onto actual locations. These maps are then published on a Web server, so users can install printers that are closest to their location.

The iPrint map pages now display browser-specific user instructions during printer installation. If you have upgraded to iPrint Client 6.0.0 or later for Windows, it is recommended that you recreate your map pages.

After the map is created, you must use the iPrint Map Designer to modify or update it. Changes to a map file that are made outside of the iPrint Map Designer are not supported. If you need to add links to a map, you should create a frameset file and then display the map file in one frame and display your links in a different frame.

Prerequisites

  • Windows 10/8.1/8/7/Vista operating systems

  • Microsoft Internet Explorer 6.0 or later (run as administrator)

  • Micro Focus iPrint Client installed on the workstation

  • All of the background images (maps) are copied to the /var/opt/novell/iprint/htdocs/images/maps folder on the iPrint Appliance server.

    You can use JPEG, GIF, and BMP images for backgrounds and printer icon images. These files are detected by iPrint Map Designer at startup. A default set of printer icons are included.

  • All of the custom printer icons are copied to the /var/opt/novell/iprint/htdocs/images/printers folder on the iPrint Appliance server.

Creating a Printer Map

  1. To launch the iPrint Map Designer tool, go to https://server_address/maptool.htm in Internet Explorer, where server_address is the server’s IP address or host name of the server where the iPrint Manager is running.

  2. Select a map from the Background > image drop-down list.

  3. Add a printer to the map:

    1. From the Printer image field, select the type of printer and icon size you want.

      Sizes range from 1 to 6, with 1 being the largest. Icons with a C indicate color printers.

    2. Click the Printer icon and drag the printer to the desired location on the map.

    3. Select a printer from the Printer list.

      Next to the Printer list field, click the Browse icon and specify the IP address or host name of the server where the Print Manager is running.

    4. From the Printer list, select the printer that you want to associate with the printer icon.

      On selection of the printer, the Printer agent and Print Manager information is populated. By default, Mouse over text displays the Printer Agent’s name.

      You can add printers from different Print Managers to the same map. Click the Browse icon adjacent to the Printer list field, specify the IP address or host name of the server where the Print Manager is running.

    5. (Optional) In the Printer Caption field, specify the title for the printer.

    6. (Optional) From the menu bar, click Edit > Font to change the base font, color, and size for text on the map.

  4. Click File > Save As to save the map in an HTML format. For example, filename.html. You can upload this HTML file to a Web server and use an HTML editor to customize the page.

    IMPORTANT:Do not click Refresh or exit Internet Explorer without saving the map.

To retrieve and modify an existing map file, click Open and browse to the directory where the map is located.

Copy Maps to the iPrint Appliance

On successful creation of maps, you must copy the maps to the location /var/opt/novell/iprint/htdocs on the iPrint Appliance.

Users can access the maps by specifying the URL http://server_DNS_or_IP_address/ippdocs/filename.html in their browsers.

Customizing HTML Interface for Installing Printers

You can edit the HTML files provided in var/opt/novell/iprint/htdocs/examples/ or create HTML files to customize iPrint printer list for your environment.

  1. Create a HTML file (sample1.html) to customize iPrint for your environment.

    You can associate a printer with the printers’s IPP URL.This URL is displayed when you enable IPP for a printer.

    1. In iManager, click iPrint > Manage Printer.

    2. Browse to and select the printer you want.

    3. Click Client Support > iPrint Support.

      The printer’s URL is displayed under Current iPrint URL.

  2. Copy the HTML file (sample1.html) to the var/opt/novell/iprint/htdocs folder.

  3. Use the web browser to view the map https://server_address/ippdocs/sample1.html

Web Page Samples

The iPrint Appliance includes some sample HTML files in the var/opt/novell/iprint/htdocs/examples/folder.

  • In the examples directory, Example 1 shows a fully graphical interface for locating and installing printers using standard HTML. This type of approach can also be created using the iPrint Map Designer.

    Use the web browser to view the sample map https://server_address/ippdocs/examples/example1/innerweb.html

  • In the examples directory, Example 2 shows a lower-maintenance approach for locating and installing printers using standard HTML.

    Use the web browser to view the sample map https://server_address/ippdocs/examples/example2/innerweb.htm

11.1.13 Backup

The backup process creates a password-protected zip file with the configuration settings of the appliance. From iPrint Appliance 2 onwards, an automatic backup is triggered every day at midnight. However, you can also trigger a manual backup and download the file. A single backup file is maintained and the existing file is overwritten with the latest backed up information.

You can download the file and use the configuration settings to create a new iPrint Appliance. The existing Appliance’s iManager administrator credentials (cn=admin,o=iPrintAppliance) are required when migrating to a new appliance.

The driver store setting is applicable for both automatic and manual backup.

  1. Under Configuration, click Backup.

  2. Disk Space Required: Displays the minimum space required on Primary and Secondary disk to store the backed up file.

  3. Include Local Driver Store: Selecting this option backs up drivers when performing automatic or manual backup. Because backing up drivers consumes more disk space ensure that enough space is available in the secondary disk (vastorage).

  4. To trigger a manual backup, click Backup Now.

  5. Click Download Backup File to download the backed up file.

  6. The Status field displays the status of automatic or manual backup along with the time stamp.

Any configuration change in the iPrint Appliance takes at least 20 minutes to get updated to the configuration file. We recommend that you wait at least 20 minutes after the last configuration change before you backup the configuration file.

11.1.14 Product Improvement

Telemetry enables Micro Focus to collect statistical data about your usage of iPrint service. This data will enable us to ensure that you have the best possible experience with Micro Focus iPrint. Weekly once the data is sent to the Micro Focus server.

Data That is Collected for Product Improvement

Statistical Data

Table 11-1 Telemetry Attributes

Telemetry Attribute

Description

Total Printers

Number of printers configured for iPrint

Mobile Enabled Printers

Number of printers that are enabled for mobile

AirPrint Enabled Printers

Number of printers that are enabled for AirPrint

AirPrint Capable Printers

Number of printers that have AirPrint capability

eDirectory Users

Number of eDirectory users migrated to iPrint Appliance

Secure Printers

Number of printers that are secure

WalkUp Printers

Number of iPrint printers configured for WalkUp functionality

Mobile Enabled WalkUp Printers

Number of WalkUp printers that are enabled for mobile

WalkUp Job Hold Duration (Minutes)

Job hold time for all WalkUp jobs

Remote Renderers

Number of Remote Renderers

Remote Driver Store

Displays whether the configured driver store is local or remote.

Secure Remote Renderers

Number of secure Remote Renderers

Non Secure Remote Renderers

Number of unsecure Remote Renderers

Secondary Disk Size (GB)

Size of the secondary disk in GB

Upgraded Appliance

Displays whether the iPrint Appliance is new or upgraded from an earlier version.

Global Email Configured

Displays if a global email was configured for printers.

Private Email Configured For Printers

Number of printers configured with private email

Direct Printers

Number of direct printers

Audit Enabled Printers

Number of printers enabled for auditing

Accounting Enabled Printers

Number of printers enabled for accounting

IPP Enabled Printers

Number of printers enabled for IPP protocol

LPR Enabled Printers

Number of printers enabled for LPR protocol

Feature Information

We are collecting the frequency of operations performed for the following features:

  • Download Backup File: Number of times this file was downloaded.

  • Bulk Printer Creation: Number of times the printers were created using this feature.

How Server Receives the Data

After the weekly collection, the data is sent to the iPrint server. If the transfer is unsuccessful, the system attempts to send it again during the next weekly cycle. No attempts to send the data is made outside of the weekly cycles.

The data is not encrypted because no sensitive or identifying information is included.

11.1.15 License

The License page displays information about your current iPrint license such as the product version, date it was issued, expiry details, and so on.

iPrint ships with a 90-day trial license. To continue usage of iPrint, you must update this license to an Enterprise license. The types of licenses available with iPrint are:

  • Trial License: This is a 90-day license to evaluate the Desktop, Mobile, Email, and so on features.

  • Enterprise License: This license provides printing from Desktop, Mobile devices, and any email-enabled devices.

    The major features offered are WalkUp, Identity Card release, and QuickPrint (Web printing). An iPrint extension is also available to print from Chromebook.

  • Desktop License: This license provides printing from Desktop and any email-enabled devices.

    The major features offered are WalkUp, Identity Card release, and QuickPrint (Web printing). An iPrint extension is also available to print from Chromebook.

    With the Desktop license, you can evaluate the Mobile-specific features for 90 days. After 90 days, the mobile-specific features will stop working.

  • Mobile License: This license provides printing from Mobile devices and any email-enabled devices. You can print and release jobs from Mobile apps.

    The major features offered are WalkUp, Identity Card release, QuickPrint (Web printing), and printing to Apple certified AirPrint printers. An iPrint extension is also available to print from Chromebook.

You can obtain a new license key from the Novell Customer Center (NCC).

Accessing the License Page

  1. Under Configuration, click License.

    The License page displays the license details of the iPrint Appliance.

Updating the iPrint Appliance License

To update your iPrint Appliance license:

  1. On the License page, browse and select a valid license (.xml) file to upload.

  2. Click Upload.

    IMPORTANT:If you are running multiple copies of iPrint Appliance, you must update the license for each copy of iPrint Appliance individually.

After copying the license file, iPrint Appliance is updated. Restarting of the services is not required.