Pharos Beacon Update: August 2021 Release Notes

This release represents the latest version of Beacon and Sentry Print. This update includes several important new features including:

• Direct Printing  (Preview) *

• Guest Printing  (Full Release)

• Beacon Web Console: Federated Identity Management (IdM) Authentication Support (Preview)*

• Improved administrator-level access to configuration settings

• MFP Improvements

  • Authenticate to Home Screen

  • FIPS support deploying Sentry Print to Konica Minolta

• Print Scout Improvements and New Features

  • Watermark support for IPP driver (Windows Direct Print only)

  • Finishing options support for the IPP drivers (staple, fold, punch). Available on Windows and macOS only

  • Shared Secure Printer

  • Secure Queue driver now users HP UPD PCL6 driver

* Direct Printing and Federated Identity Management (IdM) Authentication Support are in preview mode, let us know if you want to participate in our preview program. 

Direct Print (Preview)

In March 2021, we introduced the preview version of Direct Print, the cloud-based solution that allows employees in your organization to send their print jobs directly to a selected printer). In June 2021, a new Invite tab was added to Direct Print, and we’ve also added several improvements to Chrome Direct Print reporting.

This version adds support for Email Authentication and Active Directory Authentication for Microsoft Windows and macOS. In previous releases, Direct Print supported OpenID authentication only.

Note: Chrome Direct Print does not support Email Auth and Active Directory Auth.

More information:

• Beacon Direct Print Overview

• Beacon Direct Print Setup Guide

• Chrome Direct Print

• Windows Direct Print

• macOS Direct Print

Guest Printing (Full Release)

Guest Printing allows non-employees (visitors, contractors, etc.) to print documents without requiring a user account in your directory system. The first version of Guest Printing was introduced in the March 2021 release.

In this release, Guest Printing includes the following improvements and features:

• Guest Print has been optimized to work on mobile devices. Users can now easily use the Guest Printing portal on a mobile device with a minimum amount of resizing, panning, and scrolling.

• Guest Printing uses system-generated passcode to identify users at a secure printer. Passcode authentication is now available on  Lexmark devices in addition to HP and Konica Minolta (KM) printers.

• Added a new Job List tab. Guest users can now view a list of their submitted jobs. This gives guest users information about their print jobs such as the number of pages, document name, etc. They can also delete their print jobs from this view.

  

• The Guest Portal has been redesigned with a new sleek user interface. The portal also shows a simple set of instructions on uploading and releasing jobs from a printer.

More Information:

• Pharos Cloud Guest Print Overview

• Configuring Guest Print

• Inviting Guest Users

• How to print documents as a guest user

• Guest Print Settings

Pharos Cloud Web Console:  Federated Identity Management (IdM) Authentication Support (Preview)

Beacon adds Single Sign-on (SSO) support for logging into the Beacon Web Console.  With SSO, system users can log in to Beacon using their credentials from an identity provider(IdP). When a system user logs into the Beacon web console for the first time,  they are redirected to the identity provider’s login page. System users enter their credentials from their identity provider and once successfully authenticated with the IDP they are then redirected back to Beacon and logged on with their account.

Beacon supports the following authentication protocols:

• Security Assertion Markup Language (SAML)

• OpenID Connect

Key Benefits of SSO

• Integrates with well-known identity providers. Beacon supports any SAML-based and OpenID Connect identity providers like Google, Office 365,  AppleConnect, Auth0, and so on.

• Improves user experience. Users can log in using their existing company credentials. Users do not have to remember another set of credentials.

• Helps lower IT costs. Eliminates the responsibility of storing and managing user credentials.

Basic Workflow

A system user configures SSO and invites the external user

1. The Beacon Operations team provisions a customer for your organization,  creates a system user,  and invites this user.

2. The system user (created by the Operations team) logs into the Beacon web console using the credentials set by the Operations team.

3. The system user navigates to the Single Sign-on Configuration tab and configures SSO.

4. The system user creates an external user in the System User tab. The external user is created by adding the user’s email address as well as other required fields (e.g. Name, Role Name).

5. The system user sends an email invite to the external user.

External User logs in to the Beacon web console

1. The Invited external user receives an email and clicks the link in the email. Clicking the link opens the logon page.

   

2. The external user enters their primary email address. This must match the email address that the system user added to Beacon.

3. The external user is redirected to the Identity Provider’s login page and prompted to authenticate by providing their identity provider’s credentials (typically username and password).

4. Once the user has authenticated with their IdP, the user is redirected back to the Beacon web console and logged on with their account.

Changes to the Beacon Web Console for SSO

This section details the changes to the Beacon web console to support Single Sign-on.

New Single Sign-on Configuration Tab

To support SSO, a new Single Sign-on Configuration subtab has been added to the Profile tab of the Beacon web console. This tab is used to enable and configure SSO.

There are three options in the Provider Types:

• None – This is the default option. When selected, Beacon users use their internal user accounts to log into the Beacon web console.

• OpenID Connect – When selected and configured, Beacon uses OpenID Connect (Google, Office 365)  to authenticate users.

• SAML – When selected and configured, Beacon uses SAML based Identity provider (e.g. Auth0, AppleConnect) to authenticate users.

Note: The Single Sign-on feature is available upon request.

Internal and External Users

There are now two types of users in Beacon: internal and external.

• Internal users – Any user created when the Identity Provider is set to None is an internal user. Internal users log in to the Beacon web console using their username and password in Beacon. Both user authentication and management are handled by Beacon.

• External users – Any user created when OpenID Connect or SAML is selected is an external user. The identity provider manages user authentication.

To check whether a user is an internal or external user, navigate to Profile > System Users tab and look for the Internal User column. A value of No in this column indicates that the user is an external user.

For information on how to configure SSO for Beacon, refer to the Configuring Single Sign-on (SSO) login to the Web Console document.

Improved Administrator Level Access to Configuration Settings

VID/PID

When an organization is provisioned in Beacon, your settings are automatically generated and the default card reader VID/PID values are set. The default values are  vid:3111 pid:15354.

In this release, you can now set VID and PID values for your site. The Secure > Settings > Secure Print Settings has new VID and PID sections as shown below.

Beacon supports the following card readers:

• HP X3 (MFP24): vid:1008 pid:69

• HP Y7 (Keystroke): vid:3111 pid: 15354

• Pharos X3 (Keystroke): vid:3111 pid:15354

• Omnikey 5427 (Keystroke): vid:1899 pid:21544

Network Timeout

The new Network Timeout setting in the Secure > Settings screen controls the time before requests to the Site Service from the secure printers time out. The default is 10 seconds.

If a request takes more than 10 seconds to complete, the secure printer will show an error message “ Error Releasing Print Jobs. Unable to complete the request due to network issues. Please try again later”. You can change the default for situations where network connectivity is slower than normal, for example.

One of the methods Sentry Print delivers and releases print jobs to the secure printer is through Print Scout Release. In this method, print submission and print release could occur on different workstations.

The new Restrict Print Scout Release setting in the Secure > Settings screen provides you with the ability to deliver and release secure print jobs only from the originating workstation, but not from alternate workstations. This setting is off by default.

When Restrict Print Scout Release is enabled, the user’s Print Scout will be the primary point to handle job release. If the user’s Print Scout is not available, a Print Scout in Print server mode will be used to download the backup copy of the print job from the cloud storage and send it to the printer. This has the benefit of using local data when it is available and using cloud backup when the user’s Print Scout is not online. When the user’s Print Scout is not online, the job release will be restricted to Print Scouts in Print Server mode, which prevents one user’s data from being handled by another user’s Print Scout. This enhances security and provides a better known and far more controllable workflow for cloud backup release. 

Notes:

• You’ll need to install a Print Scout in print sever mode to ensure that jobs are delivered when the user Print Scout is offline.

• Enable Cloud Storage.

MFP New Features and Improvements

• Authenticate to Home Screen (Lexmark and Canon)

• Sentry Print support for Canon devices

Authenticate to Device Home (For  Ricoh, HP, Konica Minolta, and Lexmark devices)

A new setting called Authenticate to Device Home has been added to the Secure > Settings > Secure Print Settings screen.  This feature is available for  RIcoh, Konica Minolta, Lexmark, and HP devices.

This setting determines whether to display the Sentry Print screen or the Device Home screen on user authentication. This setting is off by default.  When turned off, the Sentry Print screen is displayed to users on authentication. When turned on,  the device’s home screen is displayed upon authentication.

FIPS Support Deploying Sentry Print for Konica Minolta 

Beacon now supports deploying Sentry Print to Konica Minolta when both the server hosting the Device Scout and the Konica Minolta printer are configured for FIPS 140-2.

Print Scout Improvements and New Features

New Watermark feature for the IPP Driver

Starting with Windows Print Scout version 7.25.14.100,  the watermark feature has been added to the IPP driver. This allows you to apply an overlay to printed pages to comply with either internal policy or external regulation. This feature comes with four stock watermarks:

• ​​​​​[username] – This adds the logged-on user’s name as a watermark.

• CONFIDENTIAL

• Draft

• SAMPLE

To add or edit a watermark:

1. Print documents as usual (e.g., File > Print from an application)

2. Select a direct printer to send the print job to.

3. Select Preferences.

4. Select the Watermark tab. Add or edit a watermark and then click OK.

5. Click Print to submit the print job.

Note:  Watermark is supported on Windows only, it is not yet supported on macOS or Linux. The IPP driver for Windows is available for Direct Print only.

More information:

Adding a watermark (IPPdriver)

Finishing options support for the IPP driver

The IPP driver installed with the Windows or macOS Print Scout adds support for the following finishing options:

• Staple

• Fold

• Punch

Note: Finishing options are supported on Windows and macOS only. It is not yet supported on Linux.

Shared Secure Printer

The Windows Print Scout has been updated to provide local print server-based job storage and delivery without the need for workstation Print Scouts. This solution requires a print server to host the secure queue and allows users to print to the queue via LPD/LPR protocol.

A new command line option /hostsecurequeue has been added to install a network shared secure queue on a print server. On a supported Windows Server OS, run the following command to install the secure queue on a print server.

PrintScoutInstaller.exe /printserver /hostsecurequeue

After installation, a secure queue called the PharosSecurePrinter is created on the print server. You will need to add this queue to users’ workstations using LPD/LPR protocol.

Notes:

• The shared secure printer feature is supported on Active Directory authentication only. Email authentication and OpenID are not supported.

• This feature requires the installation of the LDP Server features from Server Manager.

More information:

Shared Secure Printer

Beacon "Secure Queue" driver now uses HP UPD PCL6 driver

The Windows Print Scout installs a default printer queue called the Pharos Secure Printer. This queue used the HP Universal Print Driver PCL 5 by default. In this release, the Pharos Secure Printer now uses HP Universal Print Driver (UPD) for Windows PCL 6 to support newer devices.

Component Release Version

 This release is comprised of the following software components and release versions.