- 18 Jun 2024
- 11 Minutes to read
- Print
- DarkLight
- PDF
Pharos Blueprint 5.4 - Update 3.1 Release Notes
- Updated on 18 Jun 2024
- 11 Minutes to read
- Print
- DarkLight
- PDF
The update includes improvements for Blueprint components like Analyst, Collector, and Administrator. New features in 5.4 Update 3.1 address issues with device terminal records and app icons on HP devices. Update 3 Release introduces multi-language support for Sentry Print login labels. Bug fixes in Sentry Print 3.235.1 and 5.4 Update 2 resolve security vulnerabilities and improve Active Directory group support. The update process for Analyst, Collector, and Administrator installations is detailed, including steps for automated deployment. Integration updates for MobilePrint and other services are highlighted, with recommendations for updating to ensure compatibility. Additional information on Tracker updates and limitations is provided for a comprehensive understanding of the update process.
This update should be applied to all machines hosting Blueprint components, i.e. the Analyst, Collector, Administrator.
The components included in this update are:
Component | Version |
---|---|
Blueprint | 5.411884.0 |
PharosSystems.Blueprint.Services.BniService.dll | 5.4.11884.1 |
PharosSystems.SecureRelease.SecureReleaseService.exe | 4.23.12 |
Windows Print Scout | 7.34.1.100 |
macOS Print Scout | 1.01300 |
Pharos API/Print Center | 5.6.1.29 |
Pharos IPP Service | 8.4.1 |
Sentry Print Service | 4.85.4 |
Identity Service | 17.0.0-pre.2 |
Provisioning Service | 13.0.4 |
MPS Proxy Service | 1.9.3 |
Device Scout | 1.23.9.100 |
The Print Scout package should be distributed to all Workstations where Serverless Printing feature will be used.
What's new in 5.4 - Update 3.1 Release
Device terminal records are now created when provisioning multiple Sentry Print devices at the same time. This addresses an issue with user authentication failing when a device terminal record does not exist.
The Secure Print app icon has been fixed on Sentry Print enabled HP devices with a high-resolution display panel. The app icon previously appeared blurry.
The HP Sign-in button now enforces user authentication after restarting Sentry Print enabled HP devices. This addresses an issue when Open Access Mode is enabled where the preceding user session was not terminated under certain conditions when rebooting the device.
To enable, add <add key="enableUserAuthTtl" value="true" /> to C:\Program Files (x86)\PharosSystems\Sentry Print Service\App_Data\generalSettings.config, and restart the "Pharos Systems Sentry Print Service".
This fix should NOT be applied to Blueprint servers hosting non-HP devices, as it may prematurely terminate active user sessions.
The username is now captured in the HP security event log on a Sentry Print enabled HP device.
Print jobs in the "Global" print group are now suppressed in the Secure Print job list on devices in the "MICR" print group.
What's new in 5.4 - Update 3 Release
Show currently installed servers in the Blueprint Administrator
Sentry Print Updates
Multi-language support for Sentry Print login labels: Added the ability for administrators to edit the text for the login label displayed on Sentry Print printers in their preferred languages.
Resolved the intermittent 15-minute delay that occurred upon device restart before enabling login with a badge swipe again.
Fixed 45.xx timeout error when HP printers load Pharos Sentry Print.
Added a new Sentry Print setting hpAccessoriesLocalCardSwipeImprovement
Print Scout Updates
Added more IPP printing preferences for Windows Print Scout
Policy Print: Enforce policies on first print
Added unique Event ID for Print Scout Service "start" and "stop" events
Removed support for the /reinstall option
Installer Changes
The Blueprint Administrator Only MSI installer now supports upgrades of Blueprint Administrator.
Replaced SQL Native Client with Microsoft OLE DB Driver for SQL Server
Updated the Print Scout installer to show .NET Framework 4.7 is required for the Pharos IPP driver
Known Issues
The existing Delegate Printing function becomes unusable when the Email and PIN feature is configured.
Restarting or stopping the Pharos Systems Sentry Print Service causes it to crash. Workaround: Manually start service after stop.
What was new in Sentry Print 3.235.1
Bugfix - Able to access a secured Ricoh device's web image monitor with a user name that does not exist.
Bugfix - Cached copy of Device's Admin credentials is not immediately cleared when credentials are changed.
Bugfix - Logging for Xerox devices leaks username and password.
What was new in 5.4 - Update 2 Release
Support for users belonging to more than 100 Active Directory Groups.
Blueprint Enterprise now detects if a later version of the Sentry Service is installed, and customers will be promptly warned about it.
Analyst, Collector & Administrator Only are no longer supported on the following Windows versions:
Windows 8
Windows 8.1
Windows Server 2012 R2
"Require authentication for all device functions" setting has been added to Sentry Print.
Added the option to include a warning banner when logging in to the Blueprint Administrator.
The Blueprint health check has been updated to include a timestamp
Smart Queue Deploy for JPMC has been updated. Refer to the Blueprint Technote - Queue Deploy document. Contact Pharos Support to obtain this document.
The following bugs were fixed in 5.4 Update 2:
Addressed the problem of missing meter data in reports.
The issue where a user could access the Ricoh device's WIM (Web Image Monitor) using a non-existing username has been fixed.
This update resolves a security vulnerability in the Site Service for Xerox printers, specifically in version 3.89.1.0, where user passwords may be accessible to administrators under certain conditions.
BP 5.4 Update 2 Security Update - Mandatory
Blueprint 5.4 Update 2 includes a security update to address a known security issue and must be applied to the Analyst and all Collectors. Please note:
This update requires MobilePrint version 2.5.0 or later (if used). Refer to the MobilePrint section below for more information.
Site Security Utility. A new utility is available to use with 5.5.1.12 or later Print Center/Pharos API. This optional but recommended tool adds further protection to credentials used by the Pharos API for communication between Pharos API instances and for MobilePrint communication with Pharos API. The tool and instructions are in the “\Integrations\SiteSecurityUtility” folder of this update.
What was new in 5.4 - Update 1 Release
Device Admin Credential management has been improved to ensure rotation of credentials on a physical device is less likely to cause issues with existing secure devices. They can now be updated in the Print Center from the Secure Printers list as well as the dialog for securing a device. In addition they can be imported via the Administrator UI in bulk. Replication of these credentials to collectors has also been improved.
Customers can download and import the latest models database. Models information now includes whether they are supported by Sentry Print.
The Pharos API health test has been added to the System Monitor. The Pharos API is used by the Print Center and the Sentry Print Service to interface with the Blueprint services.
If sentry Print has been manually uninstalled, the Update 1 Patcher can be used to install and configure it again by setting the <InstallSentryPrint> element in the file "Patcher.xml" to "true".
Note, re-installing the Sentry Print Service will result in a new "Secure Print Trust Root" SSL certificate being created and installed for use by the Sentry Print Service.
This will not match the SSL certificate installed on the iMFPs by the previously installed Sentry Print Service. To get the devices to work with the newly installed Sentry Print Service, you need to either:
Use the Blueprint Server Configuration Tool to rebind the old certificate to the new Sentry Print Service. Or
Re-secure the iMFPs with the new Sentry Print Service.
Customers can specify the Active Directory attribute which holds the "display name" of a user. This is shown as the user's name in the Print Center.
The following bugs were fixed in 5.4 Update 1:
Server offline detection bugs resulted in servers being incorrectly marked as offline therefore preventing attempts to call those servers. This mainly affected calls from collectors.
Health tests results were not able to be updated when the Print Spooler was stopped, which prevented collection of Print Spooler performance counters.
When the "Tracker SSL Support" setting in the Server Configuration Tool was set to "Required" the Tracker Service health test would fail.
Calls to the Tracker Service would not work when IIS had multiple SSL certificates bound to the web port
The Authentication method tester when given bad credentials threw an unhandled exception and prompted to be closed.
Customized Sentry Print Theming on iMFPs revert to defaults when Collectors are unable to communicate with Analyst. Blueprint allows customers to customize the Sentry Print UI that appears on iMFPs. With Blueprint 5.4, the Theme settings for this customization were fetched from the Analyst when required. This meant that when a Collector was unable to contact the Analyst, the UI on iMFPs reverted to the default appearance. In 5.4 Update 1, the Sentry Print Theme settings are now replicated down to the Collectors. Now, when a Collector is unable to contact the Analyst, the iMFPs will continue to display the modified appearance. However, because the settings are replicated, it can take up to 12 hours for changes to be propagated from the Analyst to the Collector which means if you make a change to the Sentry Print Theme settings in the Print Center, it will take up to 12 hours for the changes to be automatically propagated to the Collectors. If you wish the changes to propagate more quickly, you will need to manually clear the "Sentry Print Theme Settings" on each Collector.
How to apply this Update
Warning: Blocked Files
Depending on how this update or its files were copied to the target machine, some of the files may have been 'blocked' by Windows. Trying to update a Blueprint component with a blocked file will most likely prevent that component from working correctly. To check whether a file is blocked and/or unblock it, right-click the file in Windows Explorer and select 'Properties'.
Warning: In use Files
Under some conditions, the upgrader may be unable to replace files because they are in use. If this happens,
Stop all the Application Pools in IIS.
Run the upgrade again.
Start all the Application Pools after the patcher succeeds.
Updating Analyst or Collector
Installation Steps
If updating Analyst, make sure you have an up to date backup of the psbprint database.
Close the Window's Printers window (if it is open). Close any Pharos applications (e.g. Troubleshooter, Blueprint Administrator) that are open.
Note: you do not need to stop the Pharos Services. The update installer will do this automatically.
Open an elevated Windows command prompt and run Patcher.exe from the command line. No additional parameters are necessary.
The update installer does not create a log file. It is recommended that you run DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647) to capture the output of the installer. This output will include error messages if the installer fails.
If the update installer fails, you can correct the cause of the error and run Patcher.exe again.
At completion, the Patcher may automatically force a restart. Follow the remaining instructions after the restart.
To log the installation of MSI files associated with the update, edit <MsiLogFileDirectory> in the Patcher.xml file with a folder path.
If Site Monitor with a lite license is installed and the logged on user does not have permissions to remove the Site Monitor database, the DbAdminUser and EncryptedDbAdminPassword elements can be populated in the patcher.xml to allow full uninstallation of Site Monitor.
Open an elevated command prompt and type in patcher /encrypt:MySecretPassword to retrieve the encrypted version of the Db Admin Password.
On Analyst, open the Blueprint Analyst, go to Reporting -> Publications and click on "Publish to Data Warehouse" on the toolbar.
Automated Server Deployment
Customers with a large number of Blueprint Servers may want to deploy this update using an automated software deployment tool (e.g. IBM's Tivoli).
To help with this process, the Patcher can be configured to send an e-mail at the end of the patching process indicating the patching attempt's success or failure. The configuration is held in the file Patcher.xml. Modify the file as follows:
Change the <automated> element from "false" to "true".
Set "to" to the e-mail address you want the notification sent to.
Set "from" to the e-mail address you want the notification to claim it was sent from.
Set smtpServerHost to the FQDN of the mail server.
Leave smtpServerPort alone, unless the mail server is using a non-standard port. Or you want the communication encrypted using SSL.
If the mail server and its Host are configured to support SSL, you can change useSSL to "true" and smtpServerPort to the SSL port (usually 465).
Set smtpUserName and smtpPassword to the user and password needed to use the mail server.
If you do not want to put an unencrypted password in the Patcher.xml file, you can put the password as encrypted text into smtpEncryptedPassword. You can encrypt the password by calling Patcher.exe from the command line with the flag "/encrypt:". e.g. Assume your mail server's password is "MySecretPassword".
Open an elevated command prompt and type in patcher /encrypt:MySecretPassword
Patcher.exe will return EncryptedPassword:L9EMZX9r1CkvI8rNybP/dikf09zwBPLMfl6OMk7/nXOCgZQpaePQDoGDULN3eAbe"
Set smtpEncryptedPassword="L9EMZX9r1CkvI8rNybP/dikf09zwBPLMfl6OMk7/nXOCgZQpaePQDoGDULN3eAbe"
If your deployment tool will run the patcher under an account that has permission to send e-mails, then you can set useDefaultCredentials to "true" and leave smtpUserName, smtpEncryptedPassword and smtpPassword blank.
Updating standalone installations of the Blueprint Administrator
If Workstation Tracker is installed along with the Blueprint Administrator, applying the update will NOT update the Tracker.
Close the Window's Printers window (if it is open).
Open an elevated Windows command prompt and run Patcher.exe from the command line. No additional parameters are necessary.
Note: The update installer does not create a log file. It is recommended that you run DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647) to capture the output of the installer. This output will include error messages if the installer fails.A reboot might be required after the update is run. This is done automatically so make sure you save any open files prior to applying the update.
If the update installer fails, you can correct the cause of the error and run Patcher.exe again. Alternatively, you can contact Pharos for manual upgrade instructions.
Updating Tracker on Print Servers
On all the Windows Print Servers where tracking is required, use the Blueprint Print Scout package contained in the Tracker directory to install or upgrade the Tracker.
Updating Tracker on Windows Workstations
Print Scout packages should be distributed to all workstations hosting the Blueprint Tracker, so you can take advantage of the new features and improvements.
Integrations
MobilePrint
MobilePrint version 2.5.0 was updated to work with the updated security measures implemented in the Print Center in Update 2. If you are using Mobile Print, ensure that your MobilePrint is at least version 2.5.0.
MobilePrint won't be able to retrieve changes to its configuration until it is updated because it won't be able to establish communication with the Pharos API. Failing to update to the latest version might also lead to a situation where multiple logon requests are generated by MobilePrint. These logon requests do not present a substantial risk. Standard MobilePrint operations, such as file uploads and print release will continue to work.
Other
VPSX, HP ePrint, and Apple UTF-8 Integration
Any previously installed version of these Integrations will stop working once the update is applied.
After applying this update, you will need to re-install the integration using the version included with this Update. i.e. replace the deployed DLLs with the new versions.
If TLS 1.2 is the ONLY cipher suite enabled the VPSX SRH integration will not work.
Limitations
If "Integrated Security" is used to connect to MS SQL, the Print Center won't work after applying this release. To fix, set the Pharos ASP.NET v4.0 App Pool in IIS to use an account that has MS SQL permissions. Refer to the "New Features" document in the Pharos Community for more information.