Pharos Sentry SE50 Deployment Guide
  • 04 Apr 2024

Pharos Sentry SE50 is our next-generation embedded platform for supported MFP models across many manufacturers. Sentry SE50 provides a common interface at the MFP for Pharos Cloud, Blueprint Enterprise, and Uniprint, with a similar securing process for administrators.

In the Sentry SE50 workflow, people print as they normally do, but each document is sent to a secure queue and held until the user is physically present at a device for authentication and document release. This secure workflow ensures that the document owner, or a chosen delegate, is the only person who can print the document. It also prevents documents from being forgotten in printer trays where anyone can access them, protecting confidentiality.  

Benefits of Sentry SE50

Security

Sentry SE50 secures output devices and protects information security. Devices can be accessed only by authorized users, either by network login, passcode, or ID card (magnetic or proximity). A print job can be released only by the person who submitted it, or a chosen delegate. This prevents potentially sensitive information from getting into the wrong hands. All of these actions occur over secured, encrypted connections. When using Pharos Cloud, this also occurs as a Zero Trust connection.

Convenience

Users can release their print jobs at any secured printer in the organization’s network, even if the printer is on a different floor, separate building, or across the globe. This allows a user to continue printing even if the most convenient printer is busy or not working.

Cost Savings and Waste Prevention

Print jobs will automatically expire if they are not released within a defined period of time. Users can also manually delete print jobs from their queue by using the printer interface. This reduces unnecessary output and reprints, which translates into significant cost savings.

Before You Begin

Supported Device List

Sentry SE50 currently supports many different models across manufacturers. Pharos maintains a dynamic list of supported devices on our website, at https://pharos.com/supported-printers-mfds/.  

Readiness Guides by Printer Manufacturer

Prior to securing a supported printer with Sentry SE50, the target printer(s) must be pre-configured, or readied, for deployment. There are similarities between makes (security settings, for example), but some differences exist, too. Refer to the Readiness Guides document in the Community. This walks you through the steps needed prior to securing the printer.

Platform Support

  • Blueprint v5.3.10436 (General Release) & 5.3.10546 (Update 1): Ricoh

  • Blueprint v5.3.10803 (Update 2): HP & Ricoh

  • Blueprint v5.3.10909 (Update 3) & 5.3.11082 (Update 4): HP, Konica Minolta, Ricoh, & Xerox

  • Blueprint v5.3.11240 (Update 5): Canon, HP, Konica Minolta, Lexmark, Ricoh, Toshiba, & Xerox 

  • Blueprint v5.3 11410 (Update 7): Canon, HP, Konica Minolta, Lexmark, Ricoh, Toshiba, & Xerox 

  • Blueprint v5.4: Canon, HP, Konica Minolta, Lexmark, Ricoh, Toshiba, & Xerox 

  • Blueprint v5.4 (Update 1): Canon, HP, Konica Minolta, Lexmark, Ricoh, Toshiba, & Xerox 

  • Uniprint 9.2 (Canon, HP, KM, Ricoh)

Securing a Device for Blueprint Enterprise or Pharos Uniprint

Pharos Sentry SE50 is deployed to an organization’s devices via Pharos Print Center for Blueprint or Uniprint. The Secure Printers console allows systems administrators the ability to manage several devices at once based on any number of criteria using filters. When securing a printer in Print Center, the following tasks are automatically performed:

  • Installs the Pharos Sentry app (Pharos firmware) on the device.

  • Configures the logon method that is allowed on the device (whether to use a proximity card, keyboard login, or both).

  • Configures communication with the servers.

  • Automatically adds and configures the associated Terminal (with type SE50) in the Administrator.

Accessing Pharos Print Center

The Pharos Print Center can be accessed anytime, and anywhere, by a compatible web browser (Microsoft Internet Explorer or Edge, Google Chrome, Firefox, Apple Safari). The standard URL is https://servername.company.domain/myprintcenter. Logging on with appropriate credentials (see Managing Logons in the Blueprint Configuration Guide) displays the Secure tab in Print Center. The contents of the Secure tab are shown below:

[Image: Pharos Blueprint Print Center]

[Image: Pharos Uniprint Print Center]

Using the Secure Tab Options

The most important aspect of the Secure tab’s Secure Printers screen is the ability to filter and sort. Filtering allows a specific subset of devices to display for quick deployments across several devices at once. Some attributes, like “Status”, allow either “Is equal to” or “Is not equal to” searches, while others, like Manufacturer or Model, provide “Contains” or “Starts with” options.

“Contains” is equivalent to wrapping the search term with wildcard placeholders. For example, filtering on “Contains” for the Model attribute with the search term 25 would search for *25* in the device list, resulting in only the MP 2554 in the list using the screenshot list above. However, if the search term were 30, the search would include both the Aficio MP 301SPF and MP C306 devices because the search would be against *30*.

“Starts with” is similar to “Contains” but the wildcard is only placed at the end of the search term. Filtering on “Starts with” for the Model attribute with the search term MP would result in a search for all items MP*, and only the MP 2554 and MP C306 would return.

The other available interface options on the Secure Printers screen are:

  • Refresh. This refreshes the returned list based on the current search options. Like the other screens in the Print Center, the Refresh button is a better choice than using the browser’s Refresh (F5) option. This button is always available.

  • Secure Printers. This button secures the selected printers, opening the Secure Printers dialog.

  • Update Credentials. This button updates the credentials required to access the printer. To update printer credentials in bulk, refer to Appendix E for more information. This is available on Blueprint only. 

  • Page Navigation. Shown at the bottom left corner of the interface, these buttons allow for quick page and device selection, as well as controlling how many items are displayed on a page.

Securing a Device

A working Blueprint Enterprise or Uniprint system must be present before securing a printer.

Before You Secure a Device in Blueprint Enterprise

To successfully secure a device, you must ensure that the following conditions are met:

  • The device exists in Blueprint Administrator (Device Management > Devices screen).

  • The device has the following details: Manufacturer, Model, and IP address.

  • The Model of the device is supported. 

  • The device has no associated Terminal, or if it does, it should be removed.

  • A suitable authentication script is being used. See the Pharos Print Center Guide for your version of Print Center to configure card registration and other Sentry SE50 settings.

Before You Secure a Device in Pharos Uniprint

  • Install or upgrade Uniprint to version 9.2. This installs the necessary services required to support Sentry Print SE50 Terminal.

  • The device exists in the Pharos Administrator (Output Management > Devices context).

  • The device has the following details: Manufacturer, Model, and IP address. 

Provided the selected device(s) correspond to those found in the Supported Device list, the Secure Printers button will activate.

With the necessary devices on screen, one or more can be selected and secured by clicking the Secure Printers button.

[Image: Blueprint Secure Tab]

[Image: Uniprint Secure Tab]

To secure a device with Sentry SE50:

  1. The dialog box that is presented offers options for securing the printer.
     

  • Available Logon Types. Initially, both the Proximity Card and Keyboard Login options will display here. To select one or both, click on the option and then click the right-facing arrow to move it over to the Enabled Logon Types box.

  • Enabled Logon Types. This box shows the logon types that will be enabled for the printer. Initially, this box will be blank since no logon types would have been defined.

  • Hosting Server. All available Blueprint servers (Analyst and Collector) or Uniprint Print Servers will display in this list. Select the server desired as the secure printer’s host.

  • Review Advanced Options. This option allows administrative credentials to be set for the printer. The “Default” option varies by manufacturer and represents the normal default configuration for the supported models. In most cases, the “Default” setting will fail, as most organizations change the “administrative” logon and password for security.

  2. The console includes some default settings for many manufacturers’ “out of the box” security settings. In most cases, deployed printers will have different credentials configured. Click the Review advanced options link and the resulting Set link to change credentials from the default.

  3. In the resulting dialog box, change the administrator name, administrator password, and installation password (for Ricoh only) as required. When changed, the label will read “Set.” Click “Save.”

     With the credentials set, the dialog box changes slightly to show Admin Credentials [Set] for the device. The hyperlink changes to read Update, and clicking this link will return to the Set device username and password dialog box.

  4. Click the Secure button to initiate provisioning. After a brief delay, the Status value of the printer will change to show progress (as a percent) with the tag “Processing…”.

     Note: If the hosting server for the printer(s) being secured is not the same server as the Print Center, progress notifications will not be automatically updated when securing a printer. Click Refresh for the progress notification to show.

Pharos Print Center has a session timer of five (5) minutes when sitting idle unless the “Keep me logged in” option is checked, so it is possible that a session may be logged out while a printer is being secured. All provisioning events continue, however, so returning to see progress is as simple as logging back into the Pharos Print Center with administrative credentials. After a brief moment, the progress percentage will refresh on the web page.

The length of time it takes to secure a printer is dependent upon the manufacturer, as some printers require other activities to set device-based options, install other components, and possibly reboot to initialize and launch the newly-installed software. Once the device is secured, the Status will change to Secured and it can be used by employees to release awaiting jobs.

After Securing a Printer in Blueprint

  • A terminal record (in Device Management > Terminals screen) is automatically created in Blueprint Administrator with the Terminal Type SE50 (1.0.0). The terminal name corresponds to the serial number of the device. If the device has no serial number, then it uses the hostname or IP address of the device as the Terminal Name.

  • Authentication Method is set to Standard Authentication Method. NOTE: If the authentication method should be something else, edit the Default Settings for the SE50 terminal type in the Secure Release Here group within Blueprint Administrator.

After Securing a Printer in Uniprint

  • A Sentry SE50 terminal record (in  Output Management > Release Stations context) is automatically created in Pharos Administrator with the Release Station type Sentry SE50 Terminal.  The terminal name corresponds to the name of the device prefixed with SE50 (e.g. SE50 Ricoh Printer Copy Room).

  • The Sentry SE50 Bank (for authentication and charging) is automatically associated with the Sentry SE50 terminal record.

Removing Sentry SE50

Occasionally it becomes necessary to remove Pharos Sentry SE50 from a printer. One reason to remove Pharos Sentry SE50 is to migrate the device to a different server or environment; others include decommissioning a device, replacing the existing device with another, or correcting a deployment error. When removed, the device will no longer be able to release secured print jobs. The process for both Pharos Cloud and Blueprint is very similar.

Removing Sentry SE50 in Blueprint/Uniprint

  1. Log in to the Pharos Print Center with administrative credentials and go to the Secure > Secure Printers page. From there, select the secured printer (filtering and sorting as necessary) and click the Secure Printers button.

  2. The following screen appears.

     [Image: Unsecure.png]

  3. Select the Unsecure button to remove the Sentry Print app installed on the device.

Reregister (Ricoh devices only)

Reregister is the act of changing the hosting server of a secured device. When you change the hosting server, the Secure button changes to Reregister. Clicking the Reregister button updates the hosting server of the device to the newly selected server.

Note: The Reregister option is not available for other device manufacturers. To change the hosting server for these devices, you will need to unsecure the device first and then resecure it with the new hosting server.   

Appendix A. Troubleshooting Sentry SE50

Issues can sometimes present themselves during the “securing printer” operation, or during use. Here are some common problems that you may experience and their resolution.

Securing a Printer

Error Status During Installation

  • If somebody has initiated an administrative session with the printer while it is being secured, log out of the remote session and attempt to secure the printer again. Another established remote administrative session can cause device problems accessing settings or the file system.

  • If the printer suddenly becomes unavailable (loss of power or network connectivity), correct the problem and secure the printer again.

  • If the provided credentials are incorrect, correct the error and secure the printer again.

The Secure Printers Button Is Not Available/Grayed Out

  • Verify that a device is selected.

  • Verify that the device has a defined Manufacturer and Model.

  • Verify that the Model is in the list of supported products.

The Printer Is Not Secured

Check if the device you are trying to secure has an IP address; an IP address is required to secure a printer.

The Printer Is In an Error State With the “Incorrect Password” Message

Incorrect Password: The Admin password does not match the printer at <IP address>. Ensure that the password used matches the Admin password on the printer and then secure the printer again. 

Using the Printer

For issues and errors that affect how Pharos Sentry SE50 responds to user input, please visit the Pharos Community and search for symptoms in the Knowledge Base, see the Secure Release Here Troubleshooting section within the Blueprint Operation Guide, or create a support incident.

Obtaining and Reviewing Log Files for Onsite Installations

The Pharos Systems Sentry Print Service maintains three log files:

  • Runtime.log

  • Deployment.log

  • Timing.log

Of these, the Timing.log file does not contain much useful information. The log files are stored in C:\ProgramData\PharosSystems\HP Secure Print Service, C:\ProgramData\PharosSystems\Sentry Print Service, or C:\ProgramData\HP\, depending on the version installed.

To control logging of the MPS Site Service, edit LoggingSettings.config found in C:\Program Files (x86)\PharosSystems\HP Secure Print Service\App_Data or C:\Program Files (x86)\PharosSystems\Sentry Print Service\App_Data. By default, trace logging is enabled, but the verbose mode is not. The maximum data size for the log file, by default, is 1MB; backup files are not retained. If changes are made to the LoggingSettings.config file, the “HP Secure Print Service” or “Pharos Systems Sentry Print Service” service must be restarted.

Note: For Uniprint, you can find log files in C:\ProgramData\PharosSystems\SiteService. Configuration files are in C:\Program Files (x86)\PharosSystems\Sentry

In Blueprint, there are three additional web services: Pharos Identity Service, Pharos MPS Proxy Service, and Pharos Provisioning Service. They store their log files in C:\ProgramData\PharosSystems\Blueprint\Logs. By default, logging is disabled for these web services to preserve disk space. Historical logs are kept indefinitely. Use the Blueprint Server Configuration utility on the server to control web service logging. Logs can either be captured or not.

Log File Collection

When retrieving log files for review, it is recommended to get the current copy of both the Sentry SE50 and the Blueprint service logs, noting failure/trial times to readily correlate the information.

Appendix B. Advanced Installation Tips

System Time Outs

There are two timeouts that may need to be adjusted, based on the network environment. These are:

  • networkTimeout. Found in \Program Files (x86)\PharosSystems\Sentry Print Service\App_Data\generalSettings.config (for Blueprint). For Uniprint, there is a Network Timeout setting in the Secure > Settings tab in the Print Center. 

  • sendTimeout for IMfpDeployment. Found in \Program Files (x86)\PharosSystems\Sentry Print Service\Mps.Client.Mfp.Service.exe.config

networkTimeout

This setting has a default of 10 seconds (expressed as 10000 milliseconds in the file) and affects many functions, including, but not limited to, keyboard-based authentication and job listing. Ten seconds may not be enough time to type on the screen’s keyboard, particularly if the password is long and/or complex. If users are complaining that this screen is occurring far too frequently:

then this setting should be changed. Once opened in Notepad, find the line highlighted below:

changing “10000” to something longer, like “20000” or “25000” – but never more than “30000”. Save the changes and then restart the “Pharos Sentry Print Service” service.

sendTimeout

The IMfpDeployment sendTimeout controls the time elapsed between the initiating of a Secure/Unsecure operation and its end. Generally, this timer is only endured if there is a problem encountered during the “secure” or “unsecure” operation. By default, this timer is for one hour. Within the file, the timer is expressed in the format HH:MM:SS, making the default value 01:00:00, as shown in the screen capture below:

In most cases, one hour is excessive. This can be safely changed to 00:30:00 or potentially less, as the average Ricoh deployment (accommodating the necessary reboots) is approximately 15 minutes long. By reducing the timer, faults during deployment will require less waiting time.

Appendix C: Additional Configuration for Sentry Print Device Login Workflow (Blueprint only)

Two new settings have been added to the Pharos Blueprint database.

  • PharosHomeIsReviewDocuments – When enabled, users are redirected to the Review Documents screen after they log on.

    [Image: ReviewDocumentsScreen.png]

  • BypassWalkupScreen – When enabled, users can immediately see the Keyboard Login screen (instead of the Secure Print walkup screen).

    [Image: KeyboardLoginScreen.png]

Note: These settings are not enabled by default. Administrators will need to modify the Pharos Print Center settings in the database.

To enable the settings in the Pharos Database:

  1. Using the SQL Server Management Studio, open the psbprint.dbo.Settings  table.

  2. Select SettingsId = 100.

  3. In the ApiSetings element, set the PharosHomeIsReviewDocuments and/or BypassWalkupScreen child element to true.

  4. Restart the Pharos Systems TaskMaster Service.

  5. Clear replicated data on Collectors.

  6. Restart the Pharos Sentry Print Service (or wait until the setting is refreshed).

Appendix D: Allow Card Swipe Login with Kiosk Mode off for supported HP Devices (Blueprint only)

Blueprint 5.4 allows card swipe login when kiosk mode is disabled. This is particularly useful for sites with printers using older firmware. A new setting called forceOnPremiseHpHomeDeviceAuthViaOxpd has been added to the generalSettings.config in Blueprint and defaults to false.

For this feature to work, you will need to disable kiosk mode and set forceOnPremiseHpHomeDeviceAuthViaOxpd to true. When a user is at the HP home screen, swiping a card will log them into the printer and the HP Secure Print app while leaving them on the HP Home screen. Additionally, a second swipe of the card will log the user off. 

Note: Kiosk mode is when the Home Screen App is set to HP Secure Print on the HP EWS page.

Disabling Kiosk Mode

  1. Log on to the device's web page. 

  2. Navigate to the General > Control Panel Customization > Home Screen Customization page. 

  3. Set the Home Screen App to HP

Setting forceOnPremiseHpHomeDeviceAuthViaOxpd to true

This must be set per Blueprint Collector, affecting all secure devices using that Collector.

  1. Add the entry <add key="forceOnPremiseHpHomeDeviceAuthViaOxpd" value="true" /> to the Sentry Print generalSettings.config, usually found here: C:\Program Files (x86)\PharosSystems\Sentry Print Service\App_Data\generalSettings.config

  2. Restart the Pharos Sentry Print Service.

  3. Click Reset on the touchscreen UI to reload the Sentry Print software.

Appendix E: How to Update Printer Credentials (Blueprint Only)

Many modern print devices require Blueprint to supply a device’s admin credentials to be able to install the Sentry Print software on the device or access protected parts of the device, like the card reader. In addition, organizations implement credential rotation, where the admin credentials for devices are changed on a regular basis.  There are two ways administrators can update printer credentials:

  • Via the Print Center through the Update Credentials button (designed for smaller sites)

  • Via the File Importer in Blueprint Administrator (suitable for larger sites)

Updating Printer Credentials via Print Center

The Update Credentials button in Print Center enables administrators to update printer credentials without the need to perform a file import. It simplifies the process of updating a small number of devices, and it enables updating printer credentials without the need to re-secure the printer.

  1. Go to the Secure > Secure Printers section of Print Center.

  2. Choose one or more printers that you want to update.    

    Notes: 

    • To update the credentials of multiple printers at the same time, it is necessary to choose printers from the same manufacturer.

    • You cannot update credentials of devices that are tagged as "Not Securable" (meaning not Sentry Supported devices).

  3. Click Update Credentials.

  4. In the Set device username and password dialog, enter the new credentials for the selected printer(s). Click Save. New credentials are automatically replicated to all Collectors.

Updating Printer Credentials via File Importer  (bulk import)

Blueprint administrators can update the admin credentials assigned to existing devices via the File Importer screen.  Admin credentials for a Device are imported from a CSV file using the Device Credentials file importer type. 

Note: The Device Credentials importer does not create new devices. Make sure that the device is already added and configured in the Device Management > Devices screen before importing device credentials.

To create the CSV file:

  1. Obtain a list of IP addresses for devices exported from the HP Web JetAdmin (or a similar tool) used to rotate credentials on devices.

  2. Use the EncryptDeviceCredentials tool to create an encrypted string holding the credentials. The same string can be used for every device using the same credentials.
    Note: You can get the EncryptDeviceCredentials tool from the Blueprint 5.4 Update 1 package file under the \Utilities\EncryptDeviceCredentials folder.

  3. Use Microsoft Excel (or similar) to build the CSV file by combining information from Steps 1 and 2.

To import a device's admin credentials:

  1. Prepare the CSV file to import. The importer expects a single header line as well - if a header is not included, the first line of data will be treated as the header and ignored. Each line must contain the following comma-separated fields:

    • IPAddress - IP address of the device.

    • AdminCredentials - The device's encrypted credential generated by the EncryptDeviceCredentials tool.

  2. Log in to Blueprint Administrator (either from “Blueprint Analyst” or “Administrator Only” installs).

  3. Navigate to the Integration > File Importer screen.

  4. Click the Import File button on the toolbar. This opens the Choose a file to import dialog.

  5. In the Type of Data drop-down box, select the Device Credentials data type.

  6. In the File Name field, enter the name of the file to import or click the … button to locate it.

    Note:  If you are reimporting data that already exists in the Blueprint database, and you want the new data to overwrite the old data, check the Force Reimport box. If this box is not checked, Blueprint will refuse to import any file that has already been imported.

  7. Click OK. The file is imported. The status of the import, including any errors that may occur, is displayed on the main File Importers screen.
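An added example (not part of the Pharos guide or its tooling): a Python helper that builds the Device Credentials CSV described above and checks an existing file before import, flagging the missing-header case in which the importer would skip the first device. The function names, sample IP addresses and the credential placeholder are constructed; the real string comes from the EncryptDeviceCredentials tool, and refusing values that would need CSV quoting is an assumption.

```python
import csv
import io
import ipaddress

HEADER = ["IPAddress", "AdminCredentials"]  # field names listed in this guide


def build_credentials_csv(ip_list, encrypted_credentials):
    """Return CSV text: one header line, then one row per unique device IP."""
    if not encrypted_credentials or any(c in encrypted_credentials for c in ',"\r\n'):
        # Assumption: the importer's handling of quoted fields is not described
        # in the guide, so refuse values that would need CSV quoting.
        raise ValueError("credential string is empty or would need CSV quoting")
    seen, rows = set(), []
    for raw in ip_list:
        ip = str(ipaddress.ip_address(raw.strip()))  # ValueError if malformed
        if ip not in seen:  # device exports can list the same address twice
            seen.add(ip)
            rows.append([ip, encrypted_credentials])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")
    writer.writerow(HEADER)  # always present, so no data row is taken as header
    writer.writerows(rows)
    return out.getvalue()


def check_credentials_csv(text):
    """Return a list of problems found in an import file (empty list = clean)."""
    problems, seen = [], set()
    rows = [(n, r) for n, r in enumerate(csv.reader(io.StringIO(text)), 1) if r]
    if not rows:
        return ["file has no rows"]
    first_no, first = rows[0]
    if [c.strip() for c in first] == HEADER:
        rows = rows[1:]
    else:
        # Per the guide, a first data line is treated as the header and ignored,
        # so this device would keep its old stored credentials.
        problems.append(
            f"line {first_no}: not the expected header, row would be skipped: {first[0]}"
        )
    for n, r in rows:
        if len(r) != 2:
            problems.append(f"line {n}: expected 2 fields, found {len(r)}")
            continue
        ip_text, cred = r[0].strip(), r[1].strip()
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            problems.append(f"line {n}: invalid IP address {ip_text!r}")
            continue
        if ip in seen:
            problems.append(f"line {n}: duplicate device {ip}")
        seen.add(ip)
        if not cred:
            problems.append(f"line {n}: empty AdminCredentials")
    return problems


if __name__ == "__main__":
    # Constructed sample input: addresses from a device export, one duplicated.
    sample_ips = ["10.20.30.11", " 10.20.30.12 ", "10.20.30.11"]
    placeholder = "ENCRYPTED-STRING-PLACEHOLDER"  # stands in for the tool output
    text = build_credentials_csv(sample_ips, placeholder)
    print(text, end="")
    print(check_credentials_csv(text))
    print(check_credentials_csv(text.split("\r\n", 1)[1]))  # header removed
```

Because the file carries admin credentials for every listed device, even in encrypted form, keep it only as long as the import needs it.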

