Lexmark v33714169 Common Criteria Installation Supplement and Guide User Guide

Lexmark v33714169 Common Criteria Installation Supplement and

Specifications

Supported Printers
The following LexmarkTM printers are supported

• Printer A
• Printer B
• Printer C

Operating Environment
The printer requires the following operating environment

• Temperature : 10°C to 32°C (50°F to 90°F)
• Humidity : 20% to 80% relative humidity
• Power : AC 100-240V, 50/60Hz

Product Usage Instructions

Overview and First Steps

• This guide provides instructions on how to configure a supported LexmarkTM printer to meet the Common Criteria certified target of evaluation. Please follow these instructions carefully to ensure that the printer meets the evaluation requirements.
• This guide is intended for service providers and network administrators responsible for managing security appliances and software in their network environment. It assumes a working knowledge of printers.
• Some settings can be configured using either the Embedded Web Server or the printer control panel. Instructions for both methods are provided where applicable.
• For information on setting up the printer or using printer features, refer to the printer User’s Guide.

Note: The printer User’s Guide and the Embedded Web Server Administrator’s Guide can be found at support.lexmark.com.

Physical Configuration
To physically configure the printer, follow these steps

1. Unpack the printer and remove all packaging materials.
2. Place the printer on a stable surface.
3. Connect the power cord to the printer and plug it into a power outlet.
4. Connect the printer to your computer or network using the appropriate cables.
5. Turn on the printer and wait for it to initialize.

Configuring the Printer
To configure the printer, follow these steps

1. Access the Embedded Web Server by entering the printer’s IP address in a web browser.
2. Log in using the administrator credentials.
3. Navigate to the configuration settings you want to modify.
4. Make the necessary changes and save the settings.

Troubleshooting

Login Issues
If you are experiencing login issues, try the following steps

1. Double-check the administrator credentials and ensure they are entered correctly.
2. Clear your browser cache and cookies.
3. Restart the printer and try logging in again.

LDAP Issues
If you are experiencing LDAP issues, consider the following troubleshooting steps

1. Verify that the LDAP server settings are correct.
2. Check network connectivity to the LDAP server.
3. Ensure that the printer has proper access rights to the LDAP server.

Secure Held Print Jobs Issues
If you are encountering issues with secure held print jobs, try these solutions

1. Check that the secure held print feature is enabled.
2. Ensure that the printer has enough memory to store the held print jobs.
3. Verify that the print jobs are correctly sent to the secure held print queue.

Audit Log
The audit log records important events and actions performed on the printer. To access the audit log, follow these steps

1. Access the Embedded Web Server.
2. Navigate to the audit log section.
3. View and analyze the recorded events and actions.

Erasing Keys in Flash Memory
To erase keys stored in flash memory, follow these steps

1. Access the Embedded Web Server.
2. Navigate to the flash memory settings.
3. Select the option to erase keys.
4. Confirm the action when prompted.

Notices
Refer to the notices section in the user manual for important information and warnings regarding the use of the printer.

Frequently Asked Questions (FAQ)

• Q: Where can I find the printer User’s Guide?
  A: The printer User’s Guide can be found at support.lexmark.com.

• Q: What printers are supported by this guide?
  A: The supported printers are Printer A, Printer B, and Printer C. Please note that not all features described in this guide may be available in all printers.

• Q: How can I troubleshoot login issues?
  A: To troubleshoot login issues, double-check the administrator credentials, clear your browser cache and cookies, and restart the printer before attempting to log in again.

• Q: What should I do if I encounter LDAP issues?
  A: If you encounter LDAP issues, verify the LDAP server settings, check network connectivity to the LDAP server, and ensure that the printer has proper access rights to the LDAP server.

• Q: How do I access the audit log?
  A: To access the audit log, access the Embedded Web Server, navigate to the audit log section, and view the recorded events and actions.

• Q: How can I erase keys stored in flash memory?
  A: To erase keys stored in flash memory, access the Embedded Web Server, navigate to the flash memory settings, select the option to erase keys, and confirm the action when prompted.

Change history

December 2022
Added information on erasing keys in flash memory.

November 2022

• Updated the list of supported printers.
• Added information on the Lexmark Trusted Platform Module (TPM).
• Updated the information on preshared keys.
• Updated the steps on checking physical interfaces and installed firmware.
• Deleted the information on configuring printer hard disk encryption because hard disk encryption is now automatic.
• Added information on disabling the Intelligent Storage Drive.

February 2018

• Added information on the following to conform to the Hard Copy Device Protection Profile
  • Updating firmware
  • Configuring the time source settings
  • Configuring the minimum password length
  • Configuring login restrictions
  • Password requirements for local accounts
  • Setting up Internet Protocol Security (IPSec)
  • Configuring the screen timeout
• Updated the list of supported printers.

October 2016

• Added information on the following
  • Disabling flash drive access
  • Configuring print permissions
  • Access controls and their required level of protection

May 2016
Initial document release for multifunction products with a tablet-like touch‑screen display.

Overview and first steps

Overview

• This guide describes how to configure a supported LexmarkTM printer to conform to the Common Criteria certified target of evaluation. Carefully follow the instructions in this guide to make sure that the printer meets the requirements of the evaluation.
• This guide is intended for use by service providers and network administrators responsible for the management of security appliances and software in their network environment. A working knowledge of printers is required for effective use of this guide.
• Some settings can be configured using either the Embedded Web Server or the printer control panel. Where applicable, instructions for both methods are included.
• For information on setting up the printer or using printer features, see the printer User’s Guide.

Note : The printer User’s Guide and the Embedded Web Server Administrator’s Guide are available at support.lexmark.com.

Supported printers

Multifunction products (MFPs)

• Lexmark CX622, without hard disk, with fax
• Lexmark CX622h, with hard disk and fax
• Lexmark CX625, without hard disk, with fax
• Lexmark CX625h, with hard disk and fax
• Lexmark CX730, without hard disk and fax
• Lexmark CX730, without hard disk, with fax
• Lexmark CX730, with hard disk, without fax
• Lexmark CX730, with hard disk and fax
• Lexmark CX735, without hard disk
• Lexmark CX735, with hard disk
• Lexmark CX820, with hard disk and fax
• Lexmark CX825, with hard disk and fax
• Lexmark CX860, with hard disk and fax
• Lexmark CX930, without hard disk and fax
• Lexmark CX930, without hard disk, with fax
• Lexmark CX930, with hard disk, without fax
• Lexmark CX930, with hard disk and fax
• Lexmark CX931, without hard disk and fax
• Lexmark CX931, without hard disk, with fax
• Lexmark CX931, with hard disk, without fax
• Lexmark CX931, with hard disk and fax
• Lexmark CX942, without hard disk, with fax
• Lexmark CX942, with hard disk and fax
• Lexmark CX943, without hard disk, with fax
• Lexmark CX943, with hard disk and fax
• Lexmark CX944, without hard disk, with fax
• Lexmark CX944, with hard disk and fax
• Lexmark MX421, without hard disk, with fax
• Lexmark MX432, with hard disk and fax
• Lexmark MX521, without hard disk, with fax
• Lexmark MX521, without hard disk and fax
• Lexmark MX522, with hard disk and fax
• Lexmark MX622, without hard disk, with fax
• Lexmark MX622h, with hard disk and fax
• Lexmark MX721, without hard disk, with fax
• Lexmark MX721h, with hard disk and fax
• Lexmark MX722, without hard disk, with fax
• Lexmark MX722h, with hard disk and fax
• Lexmark MX725, without hard disk, with fax
• Lexmark MX822, with hard disk and fax
• Lexmark MX826, with hard disk and fax
• Lexmark MX931, without hard disk and fax
• Lexmark MX931, without hard disk, with fax
• Lexmark MX931, with hard disk, without fax
• Lexmark MX931, with hard disk and fax

Single-function printers (SFPs)

• Lexmark CS820, without hard disk
• Lexmark CS730, without hard disk
• Lexmark CS735, without hard disk
• Lexmark CS943, without hard disk
• Lexmark MS622, without hard disk
• Lexmark MS822, without hard disk
• Lexmark MS826, without hard disk

Note: MFPs support copy, e‑mail, fax, and printing features. Printers with a hard disk support hard disk features. Some of the features described in this guide may not be available in all printers.

Operating environment
The instructions provided in this guide are based on the following assumptions and objectives

• The printer is installed in a cooperative, nonhostile environment that is physically secured or monitored and protected from unauthorized access to printer external interfaces.
• The administration platform and local area network are physically and logically secured.
• Authorized administrators are trained and capable of performing tasks related to the installation, configuration, operation, and maintenance of the network environment. This includes—but is not limited to—operating systems, network protocols, and security policies and procedures.
• Authorized administrators are trusted to use their access rights appropriately.
• Audit records exported from the printer to another trusted location are accessible to authorized personnel for periodic review and are secured from unauthorized access.
• The operating environment can identify and authenticate users whose accounts are defined externally (LDAP, Kerberos, and so on).
• When an administrator configures Network Time Protocol (NTP), the operating environment provides reliable time stamps.
• Users are aware of and are trained to follow the security policies and procedures of their organization. Users are authorized to use the printer according to these policies and procedures.

Understanding the home screen
The screen on the front of the printer is touch sensitive and can be used to access printer functions and navigate settings and configuration menus.

Touch Settings to access settings and configuration menus for the printer.

Notes

• Access to printer menus may be restricted to administrators only.
• By default, the secured applications or functions are hidden from the printer home screen.

Using the keyboard on the display
Some printer settings require one or more alphanumeric entries, such as server addresses, user names, and passwords. When an alphanumeric entry is needed, a keyboard appears.

As you touch the letters and numbers, your selections appear in a corresponding field at the top of the screen. The keyboard on the display may also contain other icons, such as Done, Next, or Submit.

• To type a single uppercase or shift character, touch , and then touch the letter or number.
• To turn on Caps Lock, double‑tap , and then continue typing. Caps Lock remains engaged until you touch it again.
• Touch to delete a single character, or press and hold it to delete everything that you have typed.

Accessing the Embedded Web Server

1. Obtain the printer IP address. Do either of the following
   • Locate the IP address on the top of the printer home screen.
   • From the printer home screen, touch Settings > Network/Ports > Network Overview.
2. Open a Web browser, and then type the printer IP address.

Physical configuration

Physical configuration checklist
Before beginning configuration tasks, do the following

1. Make sure that no optional interfaces are installed.
2. If the device does not have a Trusted Platform Module (TPM), then install the Lexmark TPM option.
3. Check the firmware version.
4. Attach a lock to the printer.

Checking physical interfaces and installed firmware

1. Make sure that only one network interface is installed in the printer. There must be no optional network, parallel, or serial interfaces.
2. If the device supports Wi-Fi, then disable it by connecting the device to a wired network.
3. Turn on the printer using the power switch.
4. From the home screen, touch Settings > Reports > Menu Settings Page. The printer prints several pages of device information.
5. In the Installed Features section, make sure that no Pluggable Firmware Option (PFO) cards are installed.
6. If you have not yet installed hard disk or fax options, then install them before proceeding.
7. If the device does not have a Trusted Platform Module (TPM), then install the Lexmark TPM option.
8. To check the firmware version, under the Device Information section, locate Base =.

Note: To make sure that the Base value is correct and up‑to‑date, contact your Lexmark representative.

Updating firmware

1. From the Embedded Web Server, click Settings > Device > Update Firmware.
2. Browse to the required flash file.
3. Click Upload.

Note: For more information on updating the device firmware, contact your Lexmark representative.

Attaching a lock

• Warning—Potential Damage: After a lock is attached, the metal plate and controller board cannot be removed. The security jumper cannot be accessed without causing visible damage to the device.
• Before you begin, make sure that the printer case is closed.
• Locate the security slot, and then attach a lock. It is the same type of security slot found on most laptop computers. You can typically find it at the back of the printer near an outside edge.

Configuring the printer
You can achieve an evaluated configuration on a non-network (standalone) printer in just a few steps.

Configuration checklist
This checklist outlines the steps required to configure the settings needed to achieve the evaluated configuration for a standalone printer.

• Disable the host USB interface.
• Disable ThinPrint.
• Disable flash drive access.
• Disable SNMP.
• Disable the home screen icons.
• Require all jobs to be held.
• Erase temporary data files.
• Create and modify digital certificates.
• Set up Internet Protocol Security (IPsec).
• Shut down the port access.
• Configure the time source settings.
• Configure the security audit logging settings.
• Configure the e‑mail settings.
• Set the fax storage location.
• Configure the fax settings.
• Configure the security reset jumper behavior.
• Configure the minimum password length.
• Configure the login restrictions.
• Configure the print permissions.
• Set up local accounts.
• Set up local groups and permissions.
• Set up network accounts.
• Set the default login methods.

Disabling the host USB

1. From the home screen, touch Settings > Network/Ports > USB.
2. Set Enable USB Port to Off.
3. From the Enable USB Port dialog box, touch Yes to reboot the printer.

Disabling ThinPrint

1. From the home screen, touch Settings > Network/Ports > ThinPrint.
2. Set Enable ThinPrint to Off.

Disabling flash drive access

1. From the home screen, touch Settings > Device > Preferences.
2. Set Flash Drive Access to Disabled.

Disabling the AirPrint software feature

1. From the home screen, touch Settings > Security > Mobile Services Management > AirPrint.
2. Set AirPrint Print, AirPrint Scan, and AirPrint Fax to Off. the home screen icons

The final step is to remove unnecessary icons from the printer home screen.

1. From the home screen, touch Settings > Device > Visible Home Screen Icons.
2. Turn off the following:
   • Held Jobs
   • FTP
   • USB
   • Job Queue
   • Shortcut Center
   • Bookmarks
   • App Profiles
   • Scan Profiles
   • Forms and Favorites
   • Card Copy

Holding all jobs

1. From the home screen, touch Settings > Security > Confidential Print Setup.
2. Set “Require All Jobs to be Held” to On.
3. Set the Confidential Job Expiration value.

Note: Off is not a recommended setting.

Erasing temporary data files

1. From the home screen, touch Settings > Security > Erase Temporary Data Files.
2. Set “Stored in onboard memory” to On.
3. From the “Stored on hard disk” menu, select 3 Pass Erase.

Creating and modifying digital certificates
Certificates are needed for domain controller verification and for SSL support in LDAP. Each certificate must be in a separate PEM (.cer) file.

Setting certificate defaults
These settings apply to new certificates generated in Certificate Management.

1. From the Embedded Web Server, click Settings > Security > Certificate Management.

2. Click Configure Certificate Defaults, and then specify the values for the following fields:

   • Common Name—Type a name for the printer. Leave this field blank if you want to use the printer host name as the common name.
   • Organization Name—Type the name of the company or organization issuing the certificate.
   • Unit Name—Type the name of the unit within the company or organization issuing the certificate.
   • Country/Region—Type the country or region where the company or organization issuing the certificate is located. You can type only up to two characters.
   • Province Name—Type the province where the company or organization issuing the certificate is located.
   • City Name—Type the city where the company or organization issuing the certificate is located.
   • Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example, IP:123.123.123.123. Leave this field blank if you want to use the IPv4 address.
     Note : You can type up to 128 characters in all fields, except in Country/Region.

3. Click Save.

Creating a certificate

1. From the Embedded Web Server, click Settings > Security > Certificate Management.
2. From the Device Certificates section, click Generate, and then specify the values for the following fields:
   • Friendly Name—Type a name for the certificate. You can type up to 64 characters.
   • Common Name—Type a name for the printer. Leave this field blank if you want to use the printer host name as the common name.
   • Organization Name—Type the name of the company or organization issuing the certificate.
   • Unit Name—Type the name of the unit within the company or organization issuing the certificate.
   • Country/Region—Type the country or region where the company or organization issuing the certificate is located. You can type only up to two characters.
   • Province Name—Type the province where the company or organization issuing the certificate is located.
   • City Name—Type the city where the company or organization issuing the certificate is located.
   • Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example, IP:123.123.123.123. Leave this field blank if you want to use the IPv4 address.

Note : You can type up to 128 characters in all fields, except in Country/Region and Friendly Name. 3 Click Generate.

Viewing, downloading, and deleting a certificate

1. From the Embedded Web Server, click Settings > Security > Certificate Management.
2. From the Device Certificates list, click a certificate.
3. From the View Certificate window, do one of the following:

• To remove a previously saved certificate, click Delete.
• To download or save the certificate as a PEM (.cer) file, click Download To File.
• To download or save the signing request as a CSR file, click Download Signing Request.
• To upload a previously signed certificate, click Install Signed Certificate, browse to the certificate source file, and then click Save.

Installing a Certificate Authority (CA) certificate

A CA certificate is required when using Smart Card Authentication.

1. From the Embedded Web Server, click Settings > Security > Certificate Management.

2. From the Manage CA Certificates section, click Upload CA, and then browse to the PEM (.cer) file.
   Sample certificate
   —–BEGIN CERTIFICATE—–MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs
   l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ== —–END CERTIFICATE—–

3. Reboot the printer.

Setting up Internet Protocol Security (IPSec)
IPSec encrypts IP packets as they are transmitted over the network between devices. It does not handle authentication or restrict access.

Note : An IPSec-trusted communications channel must be configured between the printer and all the network services that are used, including authentication, audit, e-mail, and NTP servers.

1. From the Embedded Web Server, click Settings > Network/Ports > IPSec.

2. Select Enable IPSec.

3. Set Base Configuration to Secure.

4. In the IKE SA Lifetime (Hours) menu, select a value from 1 to 24.

5. In the IPSec SA Lifetime (Hours) menu, select a value from 1 to 8.

6. Configure the authenticated connections.

   • From the Pre‑Shared Key Authenticated Connections section, type the IP address of the client device that you want to connect to the printer.
   • From the Certificate Authenticated Connections section, type the IP address of the client device that you want to connect to the printer.
     Note : If you are using preshared key (PSK) authentication, then type the corresponding key. Retain the key to use later when configuring client devices. Preshared keys may have up to 256 characters, composed of a combination of uppercase and lowercase letters, numbers, and special characters. For adequate security, preshared keys must have at least 22 characters.

7. Click Save.

Shutting down port access
Disabling virtual ports helps prevent intruders from accessing the printer using a network connection.

1. From the Embedded Web Server, click Settings > Network/Ports > TCP/IP > TCP/IP Port Access.
2. Clear the following check boxes:
   • TCP 21 (FTP)
   • UDP 69 (TFTP)
   • UDP 137 (WINS)
   • UDP 161 (SNMP)
   • UDP 162 (SNMP Traps)
   • TCP 631 (IPP)
   • TCP 5001 (IPDS)
   • UDP 5353 (mDNS)
   • UDP 9300/UDP 9301/UDP 9302 (NPAP)
   • TCP 9500/TCP 9501 (NPAP)
   • TCP 9600 (IPDS)
   • ThinPrint
   • UDP 3702/TCP 65001 (WS-Discovery)
   • TCP 65002 (WSD Print Service)
   • TCP 65003 (WSD-Eventing)
   • TCP 65004 (WSD Scan Service)
3. Click Save.

Configuring time source settings
An accurate system clock is necessary to make sure that the audit log time stamps are accurate. You can set the system clock manually, or automatically using Network Time Protocol (NTP). We recommend using the NTP method.

Configuring NTP settings
Use NTP to sync printer date and time settings automatically with a trusted clock.

Note : Before configuring the NTP settings, if your network uses Dynamic Host Configuration Protocol (DHCP), then make sure that the settings are not provided automatically.

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Device > Preferences > Date and Time > Network Time Protocol.
2. Select Enable NTP, and then type the IP address or host name of the NTP server.
3. If the NTP server requires authentication, then in the Enable Authentication menu, select MD5 key.
4. In the “Install MD5 key” field, browse to the file containing the NTP authentication credentials.
5. Click Save.

Using the control panel

1. From the home screen, touch Settings > Device > Preferences > Date and Time > Network Time Protocol.
2. Set Enable NTP to On.
3. Touch NTP Server, type the IP address or host name of the NTP server, and then touch OK.
4. If the NTP server requires authentication, then set Enable Authentication to MD5 key.

Configuring the system clock manually

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Device > Preferences > Date and Time > Configure.
2. In the “Manually Set Date and Time” field, configure the date and time.
3. Set the date format, time format, and time zone.
4. Click Save.

Using the control panel

1. From the home screen, touch Settings > Device > Preferences > Date and Time > Configure.
2. Touch Manually Set Date and Time, configure the date and time, and then touch Set.
3. Set the date format, time format, and time zone.

Configuring security audit logging

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Security > Security Audit Log.

2. Select Enable Audit and Enable Remote Syslog, and then configure the following:

   • Remote Syslog Server—Type the IP address or host name of the remote syslog server.
   • Remote Syslog Port—Enter the port number of the remote syslog server used on the destination server.
   • Remote Syslog Method—Select Normal UDP or Stunnel, depending on the configuration on the destination server.
   • Severity of Events to Log—Select 5 ‑ Notice. Events specified at this severity level and up are logged.
   • Remote Syslog Non‑Logged Events—Send all events to the remote server regardless of the specified severity level.
   • Admin’s E-mail Address—Type one or more e‑mail addresses to which the notifications about certain log events are sent automatically. Use commas to separate multiple e‑mail addresses.
   • E‑mail Log Cleared Alert—Send an e‑mail when you clear the log.
   • E‑mail Log Wrapped Alert—Send an e‑mail when the log is full and begins to overwrite the oldest entries.
   • Log Full Behavior—Select whether to overwrite the oldest entries or to delete all entries and send a notification through e‑mail when the log storage is full.
   • E‑mail % Full Alert— Send an e-mail when log storage space reaches a specified percentage of capacity.
   • Full Alert Level— Specify the percentage (1–99) of log storage space that must be used before an e-mail alert is triggered.
   • E‑mail Log Exported Alert—Send an e-mail when the log file is exported.
   • E‑mail Log Settings Changed Alert—Send an e-mail when log settings are changed.
   • Log Line Endings—Specify how line endings are handled in the log file, depending on the operating system in which the file is parsed or viewed.
   • Digitally Sign Exports—Add a digital signature to e-mail alerts.
     Note : To use e-mail alerts, configure the SMTP settings. For more information, see “Configuring e-mail” on page 17.

3. Click Save.

Using the control panel

1. From the home screen, touch Settings > Security > Security Audit Log.
2. Set Enable Audit and Enable Remote Syslog to On, and then configure the following:
   • Remote Syslog Server—Type the IP address or host name of the remote syslog server.
   • Remote Syslog Port—Enter the port number of the remote syslog server used on the destination server.
   • Remote Syslog Method—Select Normal UDP or Stunnel, depending on the configuration on the destination server.
   • Severity of Events to Log—Select 5 ‑ Notice. Events specified at this severity level and up are logged.
   • Remote Syslog Facility—Select a facility code for events logged to the destination server. All events sent from the device are tagged with the same code to support sorting and filtering by network monitor or intrusion detection software.
   • Admin’s E‑mail Address—Type one or more e‑mail addresses to which the notifications about certain log events are sent automatically, and then touch OK. Use commas to separate multiple e‑mail addresses.
   • Log Full Behavior—Select whether to overwrite the oldest entries or to delete all entries and send a notification through e‑mail when the log storage is full.
   •  % Full Alert Level— Specify the percentage (1–99) of log storage space that must be used before an e-mail alert is triggered.
   • Log Line Endings—Specify how line endings are handled in the log file, depending on the operating system in which the file is parsed or viewed.
3. Set the following to On:
   • Remote Syslog Non‑Logged Events—Send all events to the remote server regardless of the specified severity level.
   • E‑mail Log Cleared Alert—Send an e‑mail when you clear the log.
   • E‑mail Log Wrapped Alert—Send an e‑mail when the log is full and begins to overwrite the oldest entries.
   • E‑mail % Full Alert— Send an e-mail when log storage space reaches a specified percentage of capacity.
   • E‑mail Log Exported Alert—Send an e-mail when the log file is exported.
   • E‑mail Log Settings Changed Alert—Send an e-mail when log settings are changed.
   • Digitally Sign Exports—Add a digital signature to e-mail alerts.

Note : To use e-mail alerts, configure the SMTP settings. For more information, see “Configuring e-mail” on page 17.

Configuring e-mail
Note : Make sure that the printer is configured to send user data as an attachment to e‑mail.

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Device > Notifications > E‑mail Alerts Setup > E‑mail Setup.

2. Configure the SMTP settings, and then click Save.

   • Primary SMTP Gateway—Type the IP address or host name of the server used for sending e-mail.
   • Primary SMTP Gateway Port—Enter the port number of the primary SMTP server.
   • Secondary SMTP Gateway—Type the server IP address or host name of the secondary or backup SMTP server.
   • Secondary SMTP Gateway Port—Enter the port number of the secondary or backup SMTP server.
   • SMTP Timeout—Enter how long the printer waits for the server to respond before it times out.
   • Reply Address—Type the e-mail address where you want to receive responses.
   • Use SSL/TLS—Specify whether to send an e-mail using an encrypted link.
   • SMTP Server Authentication—Specify the type of authentication used to access the SMTP server.
   • Device-Initiated E-mail—Select Use Device SMTP Credentials.
     Note : If the printer requires user credentials to send e-mail, then specify the appropriate information for authentication credentials.

3. From the Embedded Web Server, click E‑mail > E-mail Defaults > Admin Controls.
   Note : This setting is applicable only in some printer models.

4. In the E-mail Images Sent As menu, select Attachment, and then click Save.

5. Click Web Link Setup, and then make sure that all fields are cleared.

6. Click Save.

Using the control panel

1. From the home screen, touch Settings > Device > Notifications > E‑mail Alerts Setup > E‑mail Setup.

2. Configure the SMTP settings.

   • Primary SMTP Gateway—Type the IP address or host name of the server used for sending e-mail.
   • Primary SMTP Gateway Port—Enter the port number of the primary SMTP server.
   • Secondary SMTP Gateway—Type the server IP address or host name of the secondary or backup SMTP server.
   • Secondary SMTP Gateway Port—Enter the port number of the secondary or backup SMTP server.
   • SMTP Timeout—Enter how long the printer waits for the server to respond before it times out.
   • Reply Address—Type the e-mail address where you want to receive responses.
   • Use SSL/TLS—Specify whether to send an e-mail using an encrypted link.
   • SMTP Server Authentication—Specify the type of authentication used to access the SMTP server.
   • Device-Initiated E-mail—Select Use Device SMTP Credentials.
     Note : If the printer requires user credentials to send e-mail, then specify the appropriate information for authentication credentials.

3. From the home screen, touch Settings > E‑mail > E-mail Defaults > Admin Controls.
   Note : This setting is applicable only in some printer models.

4. In the E‑mail Images Sent As menu, select Attachment, and then return to the previous menu.

5. Touch Web Link Setup, and then make sure that all fields are cleared.

Setting the fax storage location

1. From the home screen, touch Settings > Device > Maintenance > Configuration Menu > Fax Configuration.
2. From the Fax Storage Location menu, select Disk.

Configuring fax
If your printer includes fax capabilities and is attached to a phone line, then enable held faxes and disable fax forwarding and the driver to fax. The printer provides Group 3 digital fax capability in conformance with ITU-T Recommendations T.4 and T.30. This interface can be used to receive faxes to be printed, or to send faxes of scanned images.

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Fax > Analog Fax Setup.

2. Do the following
   Enable held faxes

   • Click Fax Receive Settings > Holding Faxes.

   • Set Held Fax Mode to Always On, and then click Save.
     Disable fax forwarding

   • Click Fax Receive Settings > Admin Controls.

   • Set Fax Forwarding to Print, and then click Save.
     Disable the driver to fax

   • Click Fax Send Settings > Admin Controls.

   • Clear Driver to Fax, and then click Save.

Using the control panel

1. From the home screen, touch Settings > Fax.

2. Do the following
   Enable held faxes

   • Touch Analog Fax Setup > Fax Receive Settings > Holding Faxes.

   • Set Held Fax Mode to Always On.
     Disable fax forwarding

   • Touch Analog Fax Setup > Fax Receive Settings > Admin Controls. b Set Fax Forwarding to Print.
     Disable the driver to fax

   • Touch Analog Fax Setup > Fax Send Settings > Admin Controls.

   • Turn off Driver to Fax.

Configuring security reset jumper behavior
The security reset jumper is a hardware jumper on the controller board that can be used to reset the security settings on the device.

Note : Using the security reset jumper can remove the printer from the evaluated configuration.

1. From the home screen, touch Settings > Security > Miscellaneous.
2. Touch Security Reset Jumper, and then select either of the following:
   • Enable “Guest” access—Grants access to all aspects of the printer to a guest user account. All login methods that were previously on the device still exists, but the guest user can access and delete them at will.
   • No Effect—Removes access to all security menus. Use this option with caution.
     Warning —Potential Damage: If No Effect is selected and the password (or other applicable credentials) is lost, then you are not able to access the security menus. To regain access to the security menus, contact your system administrator.

Configuring the minimum password length
For conformance, the minimum password length is eight characters. Lexmark recommends at least 15 characters. The maximum password length is 32 characters.

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Security > Miscellaneous.
2. Enter the minimum password length.
3. Click Save.

Using the control panel

1. From the home screen, touch Settings > Security > Miscellaneous.
2. Enter the minimum password length.

Configuring login restrictions

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Security > Login Restrictions.
2. Configure the login restrictions.
   • Login failures—The number of failed login attempts before the user gets locked out. Enter a value from 1 to 10. The default value is 3.
   • Failure time frame—The time frame between failed login attempts before the user gets locked out. Enter a value from 1 to 60. The default value is 5.
   • Lockout time—The lockout duration. Enter a value from 1 to 60. The default value is 5.
   • Web Login Timeout—The delay for a remote login to be inactive before the user is logged off automatically. Enter a value from 1 to 120. The default value is 10.
3. Click Save.
4. From the Embedded Web Server, click Settings > Device > Preferences.
5. In the Screen Timeout field, set the idle time in seconds before the display shows the home screen, or before the printer logs off a user account automatically. Enter a value from 5 to 300 seconds. The default value is 60 seconds.

Using the control panel

1. From the home screen, touch Settings > Security > Login Restrictions.
2. Configure the login restrictions. For more information, see step 2 of “Using the Embedded Web Server” on page 20.

Configuring print permissions

1. From the home screen, touch Settings > Security > Miscellaneous.
2. Set Print Permission to On.

Disabling the Intelligent Storage Drive
On devices with an Intelligent Storage Drive, you must not use the drive to store user data.

Using the Embedded Web Server

1. From the Embedded Web Server, click Settings > Security > Miscellaneous.
2. Set Use Intelligent Storage Drive for User Data to Off.
3. Click Save.

Using the control panel

1. From the home screen, touch Settings > Security > Miscellaneous.
2. Set Use Intelligent Storage Drive for User Data to Off.

Setting up local accounts
Local accounts are stored in the printer memory and are provided authentication‑level security.

Creating local accounts

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. From the Local Accounts section, click Add User.

3. Select User Name/Password.

4. From the User Information section, type the user information and authentication credentials.
   Notes

   • The password must contain at least one lowercase letter, one uppercase letter, and one nonalphabetic character.
   • The password must not contain dictionary words or variations of the user name.

5. From the Permission Groups section, select one or more groups.
   Note : To create a group for the user, click Add New Group. For more information, see “Creating local account groups” on page 22.

6. Click Save.

Editing and deleting local accounts

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the Local Accounts section, click the authentication method where the user account belongs to.
3. Click the user account that you want to edit or delete.
4. Do either of the following:
   • To edit the user account, update the user information, and then click Save.
   • To delete the user account, click Delete User.

Note : To delete multiple user accounts, select the account, and then click Delete.

Setting up local groups and permissions

Creating local account groups
Use groups to customize users’ access to applications and printer functions.

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. Do either of the following:
   Add a group when managing permissions

   • From the Local Accounts section, click Manage Groups/Permissions. b Click Add Group.
     Add a group when creating or editing a user account

   • Create or edit a user account.

   • From the Permission Groups section, select Add New Group.

3. Type a unique group name.

4. From the Access Controls section, select the functions, menus, and applications that the group can access. 5 Click Save.

Notes

• To import access controls from another group, click Import Access Controls, and then select a group.
• For more information on access controls, see “Understanding access controls” on page 27.

Editing or deleting local account groups

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the Local Accounts section, click Manage Groups/Permissions.
3. Click the group, and then do either of the following:
   • Configure the access controls, and then click Save.
   • Click Delete Group.

Notes

• To import access controls from another group, click Import Access Controls, and then select a group.
• To delete multiple groups, select the groups, and then click Delete.
• For more information on access controls, see “Understanding access controls” on page 27.

Setting up network accounts
Creating an LDAP or LDAP+GSSAPI login method

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. From the Network Accounts section, click Add Login Method > LDAP.

3. Select the authentication type.

   • LDAP
   • LDAP+GSSAPI

4. Configure the settings. General Information

   • Setup Name—Type a unique name for the LDAP network account.

   • Server Address—Type the IP address or the host name of the LDAP server.

   • Server Port—Enter the port where LDAP queries are sent.

   • Note : If you are using SSL, then use port 636. Otherwise, use port 389.

   • Required User Input—Select the required LDAP authentication credentials used when logging in to the printer. This setting is available only in the LDAP setup.

   • Use Integrated Windows Authentication—Select one of the following:

   • Do not use

   • Use if available—Use Windows operating system authentication credentials, if available.

   • Require—Use only Windows operating system authentication credentials.
     Note: This setting is available only in the LDAP+GSSAPI setup.
     Device Credentials

   • Anonymous LDAP Bind—Bind the printer with the LDAP server anonymously. This option is applicable only if your LDAP server allows anonymous binding. Enabling this option does not require you to provide authentication credentials. This option is available only in the LDAP setup.

   • Use Active Directory Device Credentials—Use user credentials and group designations that are pulled from the existing network comparable to other network services. This option is available only in the LDAP + GSSAPI setup.

   • If Anonymous LDAP Bind or Use Active Directory Device Credentials is disabled, then provide the authentication credentials used to bind the printer with the LDAP server.

   • Device Username

   • For LDAP setup, type the fully qualified distinguished name (DN) of a user registered to the LDAP server.

   • For LDAP+GSSAPI setup, type the DN of a user registered to the Kerberos server.

   • Device Realm—The realm used for the Kerberos server. This setting is available only in the LDAP + GSSAPI setup.

   • Device Password—Type the password for the user.
     Advanced Options

   • Use SSL/TLS—If the LDAP server requires SSL, then select SSL/TLS.

   • Require Certificate—If the LDAP server requires a certificate, then select Yes.

   • Userid Attribute—Type the LDAP attribute to search for when authenticating users’ credentials. The default value is sAMAccountName, which is common in a Windows operating system environment. For other directories, you can type uid, cn, or a user-defined attribute. For more information, contact your system administrator.

   • Mail Attribute—Type the LDAP attribute that contains the users’ e-mail addresses. The default value is mail.

   • Fax number Attribute—Type the LDAP attribute that contains the users’ fax number. The default value is facsimiletelephonenumber.

   • Full Name Attribute—Type the LDAP attribute that contains the users’ full names. The default value is cn.

   • Home Directory Attribute—Type the LDAP attribute that contains the users’ home directory. The default value is homeDirectory.

   • Group Membership Attribute—Type the LDAP attribute required for group search. The default value is memberOf.

   • Search Base—The node in the LDAP server where user accounts reside. You can type multiple search bases, separated by commas.
     Note : A search base consists of multiple attributes separated by commas, such as cn (common name), ou (organizational unit), o (organization), c (country), and dc (domain).

   • Search Timeout—Enter a value from 5 to 30 seconds or 5 to 300 seconds, depending on your printer model.

   • Follow LDAP Referrals—Search the different servers in the domain for the logged‑in user account.

   • Search Specific Object Classes

   • person—Search the “person” object class.

   • Custom Object Classes—Type the name of the custom object class to search.
     Note : A maximum of three custom object classes can be searched. Type the other object class in the other Custom Object Class field.

   • Address Book Setup
     The following settings are used to configure the address book used when scanning to an e‑mail address.

   • Displayed Name—Select the LDAP attribute that you want to show on the address book.

   • Max Search Results—Type the maximum search results shown on the address book.

   • Use user credentials—Use the logged‑in user credentials to connect to the LDAP server.

   • Search Attributes—Select LDAP attributes used as search filters.

   • Custom Attributes—Type LDAP custom attributes used as search filters.

5. Click Save and Verify.

Editing or deleting LDAP or LDAP+GSSAPI login methods

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the Network Accounts section, click the LDAP or LDAP+GSSAPI login method. 3 Do either of the following:
   • To edit the login method, update the LDAP or LDAP+GSSAPI settings, and then click Save and Verify.
   • To delete login method, click Delete LDAP.

Creating a Kerberos login method

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the Network Accounts section, click Add Login Method > Kerberos.
3. Do one of the following:
   • Create a simple Kerberos configuration file
   • From the Generate Simple Kerberos File section, configure the following:
   • KDC Address—Type the IP address or host name of the KDC IP.
   • KDC Port—Enter the port number used by the Kerberos server.
   • Realm—Type the realm used by the Kerberos server. The realm must be typed in uppercase.
   • Import a Kerberos configuration file
   • In the Import Kerberos File field, browse to the krb5.conf file.
4. If necessary, from the Miscellaneous Settings section, configure the following settings:
   • Character Encoding—Select the character encoding used for the configuration file.
   • Disable Reverse IP Lookups
5. Click Save and Verify.

Creating an Active Directory login method

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the Network Accounts section, click Add Login Method > Active Directory.
3. Configure the settings.
   • Domain—Type the realm or domain name of the Active Directory server.
   • User Name—Type the name of the user that can authenticate to the Active Directory.
   • Password—Type the password of the user.
   • Organizational Unit—Type the organizational unit attribute the user belongs to.
4. Click Join Domain.

Editing or deleting an Active Directory login method

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. From the Network Accounts section, click the Active Directory login method.

3. Do either of the following:

   • To delete the login method, click Unjoin Domain.

4. Configure the following settings, and then click Save and Verify.
   General Information

   • Setup Name—Type a unique name for the Active Directory login method.

   • Server Address—Type the IP address or the host name of the LDAP server.

   • Server Port—Enter the port where queries are sent.

   • Required User Input—Select the required authentication credentials when logging in to the printer.

   • Use Integrated Windows Authentication—Select one of the following:

   • Do not use

   • Use if available—Use Windows operating system authentication credentials, if available.

   • Require—Use only Windows operating system authentication credentials.

   • Device Credentials

   • Use Active Directory Device Credentials—Use user credentials and group designations that are pulled from the existing network comparable to other network services.

   • If Use Active Directory Device Credentials is disabled, then provide the authentication credentials used to bind the printer with the Active Directory server.

   • Device Username—Type the fully qualified DN of a user registered to the Active Directory server.

   • Device Realm—The Active Directory domain name.

   • Device Password—Type the password for the user.
     Advanced Options

   • Use SSL/TLS—If the LDAP server requires SSL, then select SSL/TLS.

   • Require Certificate—If the LDAP server requires a certificate, then select Yes.

   • Userid Attribute—Type the LDAP attribute to search for when authenticating users’ credentials. The default value is sAMAccountName, which is common in a Windows operating system environment. For other directories, you can type uid, cn, or a user-defined attribute. For more information, contact your system administrator.

   • Mail Attribute—Type the LDAP attribute that contains the users’ e-mail addresses. The default value is mail.

   • Fax number Attribute—Type the LDAP attribute that contains the users’ fax number. The default value is facsimiletelephonenumber.

   • Full Name Attribute—Type the LDAP attribute that contains the users’ full names. The default value is cn.

   • Home Directory Attribute—Type the LDAP attribute that contains the users’ home directory. The default value is homeDirectory.

   • Group Membership Attribute—Type the LDAP attribute required for group search. The default value is memberOf.

   • Search Base—The node in the LDAP server where user accounts reside. You can type multiple search bases, separated by commas.
     Note : A search base consists of multiple attributes separated by commas, such as cn (common name), ou (organizational unit), o (organization), c (country), and dc (domain).

   • Search Timeout—Enter a value from 5 to 30 seconds or 5 to 300 seconds, depending on your printer model.

   • Follow LDAP Referrals—Search the different servers in the domain for the logged‑in user account.
     Search Specific Object Classes

   • person—Search the “person” object class.

   • Custom Object Classes—Type the name of the custom object class to search.
     Note : A maximum of three custom object classes can be searched. Type the other object class in the other Custom Object Class field.
     Address Book Setup
     The following settings are used to configure the address book used when scanning to an e‑mail address.

   • Displayed Name—Select the LDAP attribute that you want to show on the address book.

   • Max Search Results—Type the maximum search results shown on the address book.

   • Use user credentials—Use the logged‑in user credentials to connect to the LDAP server.

   • Search Attributes—Select LDAP attributes used as search filters.

   • Custom Attributes—Type LDAP custom attributes used as search filters.

5. Click Save and Verify.

Editing or deleting LDAP or LDAP+GSSAPI login methods

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the Network Accounts section, click the LDAP or LDAP+GSSAPI login method.
3. Do either of the following:
   • To edit the login method, update the LDAP or LDAP+GSSAPI settings, and then click Save and Verify.
   • To delete login method, click Delete LDAP.

Creating a Kerberos login method

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. From the Network Accounts section, click Add Login Method > Kerberos.

3. Do one of the following:

   • Create a simple Kerberos configuration file
   • From the Generate Simple Kerberos File section, configure the following:
   • KDC Address—Type the IP address or host name of the KDC IP.
   • KDC Port—Enter the port number used by the Kerberos server.
   • Realm—Type the realm used by the Kerberos server. The realm must be typed in uppercase.
     Import a Kerberos configuration file
     In the Import Kerberos File field, browse to the krb5.conf file.

4. If necessary, from the Miscellaneous Settings section, configure the following settings:

   • Character Encoding—Select the character encoding used for the configuration file.
   • Disable Reverse IP Lookups

5. Click Save and Verify.

Creating an Active Directory login method

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the Network Accounts section, click Add Login Method > Active Directory.
3. Configure the settings.
   • Domain—Type the realm or domain name of the Active Directory server.
   • User Name—Type the name of the user that can authenticate to the Active Directory.
   • Password—Type the password of the user.
   • Organizational Unit—Type the organizational unit attribute the user belongs to.
4. Click Join Domain.

Editing or deleting an Active Directory login method

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. From the Network Accounts section, click the Active Directory login method.

3. Do either of the following:

   • To delete the login method, click Unjoin Domain.

   • Configure the following settings, and then click Save and Verify.
     General Information

   • Setup Name—Type a unique name for the Active Directory login method.

   • Server Address—Type the IP address or the host name of the LDAP server.

   • Server Port—Enter the port where queries are sent.

   • Required User Input—Select the required authentication credentials when logging in to the printer.

   • Use Integrated Windows Authentication—Select one of the following:

   • Do not use

   • Use if available—Use Windows operating system authentication credentials, if available.

   • Require—Use only Windows operating system authentication credentials.
     Device Credentials

   • Use Active Directory Device Credentials—Use user credentials and group designations that are pulled from the existing network comparable to other network services.

   • If Use Active Directory Device Credentials is disabled, then provide the authentication credentials used to bind the printer with the Active Directory server.

   • Device Username—Type the fully qualified DN of a user registered to the Active Directory server.

   • Device Realm—The Active Directory domain name.

   • Device Password—Type the password for the user.
     Advanced Options

   • Use SSL/TLS—If the LDAP server requires SSL, then select SSL/TLS.

   • Require Certificate—If the LDAP server requires a certificate, then select Yes.

   • Userid Attribute—Type the LDAP attribute to search for when authenticating users’ credentials. The default value is sAMAccountName, which is common in a Windows environment. For other directories, you can type uid, cn, or a user-defined attribute. For more information, contact your system administrator.

   • Mail Attribute—Type the LDAP attribute that contains the users’ e-mail addresses. The default value is mail.

   • Fax number Attribute—Type the LDAP attribute that contains the users’ fax number. The default value is facsimiletelephonenumber.

   • Full Name Attribute—Type the LDAP attribute that contains the users’ full names. The default value is cn.

   • Home Directory Attribute—Type the LDAP attribute that contains the users’ home directory. The default value is homeDirectory.

   • Group Membership Attribute—Type the LDAP attribute required for group search. The default value is memberOf.

   • Search Base—The node in the LDAP server where user accounts reside. You can type multiple search bases, separated by commas.
     Note : A search base consists of multiple attributes separated by commas, such as cn (common name), ou (organizational unit), o (organization), c (country), and dc (domain).

   • Search Timeout—Enter a value from 5 to 30 seconds or 5 to 300 seconds, depending on your printer model.

   • Follow LDAP Referrals—Search the different servers in the domain for the logged‑in user account.
     Search Specific Object Classes

   • person—Search the “person” object class.

   • Custom Object Classes—Type the name of the custom object class to search.
     Note : A maximum of three custom object classes can be searched. Type the other object class in the other Custom Object Class field.

Address Book Setup
The following settings are used to configure the address book used when scanning to an e‑mail address:

• Displayed Name—Select the LDAP attribute that you want to show on the address book.
• Max Search Results—Type the maximum search results shown on the address book.
• Use user credentials—Use the logged‑in user credentials to connect to the LDAP server.
• Search Attributes—Select LDAP attributes used as search filters.
• Custom Attributes—Type LDAP custom attributes used as search filters.

Understanding access controls
Access controls let you limit users’ access to functions, applications, and printer management. Depending on the login method that you are using, access controls are assigned to a group where a user belongs to.

Note : Some access controls are available only in some printer models.

1. From the Embedded Web Server, click Settings > Security > Login Methods.
2. From the login method that you are using, click Manage Permissions or Manage Groups/Permissions.
3. Select a group, and then configure the access controls.
   • Function Access—Allow users to access printer functions.
   • Administrative Menus—Allow users to access the menus in the Embedded Web Server that are used to manage functions, applications, and security.
   • Device Management—Allow users to use printer management options.
   • Apps—Allow users to use the application when the application access control is selected.
   • Note the following access controls and their required level of protection.
   • No Access—Disable access to a function for all users and administrators.

Remote Management Create Profiles

• Held Jobs Access
• Internal Printing Protocol (IPP) Manage Bookmarks
• Use Profiles
• Manage Shortcuts
• FTP Function
• Administrator access only—Use an authentication method that provides administrator‑only access.
• Security Menu
• Network/Ports Menu
• SE Menu
• Device Menu
• Release Held Faxes
• Access Address Book in Apps Modify Address Book Reports Menu
• Option Card Menu
• Import / Export Settings Apps Configuration Firmware Updates
• New Apps
• Out of Service Erase
• Authenticated Users—Use an authentication method that provides access to authenticated users.
• Cancel Jobs At Device
• Operator Panel Lock
• Administrator discretion—Use any valid setting acceptable at administrator discretion.
• Copy Function
• Color Dropout
• E‑mail Function
• Fax Function
• Change Language from Home Screen Paper Menu
• Screen Saver
• Secure Held Jobs
• Not applicable—USB ports are disabled.
• Flash Drive Print
• Flash Drive Scan
• Flash Drive Color Printing
• Required—Enable the following access controls so the printer can accept print jobs.
• B/W Print
• Color Print

Setting default login methods

1. From the Embedded Web Server, click Security > Login Methods.
2. Click Change beside Default Browser Login.
3. Select the login method that you want to use for Control Panel and Browser.

User access
Administrators and users are required to log in to the printer using a method that provides both authentication and authorization. Under the evaluated configuration, three options are available for allowing access to network‑connected devices: Local Accounts, LDAP, LDAP+GSSAPI, and Smart Card Authentication.

Configuring the Secure Held Print Jobs settings

1. From the Embedded Web Server, navigate to the configuration page for the application:
   Apps > Secure Held Print Jobs > Configure

2. From the Release Options section, configure the settings.

   • Release Method—Specify how users print their held jobs.
   • Display Print Jobs Sorted By—Specify how the print jobs are listed on the display.

3. Click Apply.

Configuring Smart Card Authentication Client

Configuring login screen settings
Use the login screen settings to set how you want users to log in to the printer.

1. From the Embedded Web Server, navigate to the configuration page for the application:
   Apps > Smart Card Authentication Client > Configure

2. From the Login Screen section, in the Login Type menu, select Smart Card Only.

3. Set User Validation Mode to Active Directory.

4. Click Apply.

Configuring advanced settings

1. From the Embedded Web Server, navigate to the configuration page for the application:
   Apps > Smart Card Authentication Client > Configure

2. From the Advanced Settings section, select a session user ID.
   Note : Some applications, such as Secure Held Print Jobs and Secure E-mail, require a value for the session user ID.

3. In the E-mail From Address menu, select where the printer retrieves the user e-mail address.

4. If necessary, select Wait for user information to retrieve all user information before the user is allowed to access the home screen or secure application.
   If the following settings are set to LDAP Lookup, then select this option.

   • Session User ID

   • E‑mail From Address
     If the following settings are not empty, then select this option.

   • Other User Attributes

   • Group Authorization List
     Note : If you are using manual login for Secure E-mail, then select this option to store the user e-mail address in the login session. To allow manual login users to send e-mail to themselves, enable “Send me a copy” in the printer e‑mail settings.

5. If necessary, select Use SSL for User Info to retrieve user information from the domain controller using an SSL connection.

6. If necessary, in the Other User Attributes field, type other LDAP attributes that must be added to the session. Use commas to separate multiple values.

7. In the Group Authorization List, type the Active Directory groups that can access applications or functions.
   Use commas to separate multiple values.
   Note : The groups must be in the LDAP server.

8. If DNS is not enabled in your network, then upload a hosts file.
   Type the mappings in the text file in the format of xy, where x is the IP address and y is the host name. You can assign multiple host names to an IP address. For example, 255.255.255.255 HostName1 HostName2 HostName3.
   You cannot assign multiple IP addresses to a host name. To assign IP addresses to groups of host names, type each IP address and its associated host names on a separate line of the text file.
   For example
   123.123.123.123 HostName1 HostName2 456.456.456.456 HostName3

9. Click Apply.

Controlling access to device functions

Securing access to the printer
Securing access to the home screen
Users are required to authenticate before accessing the printer home screen.

Note : Before you begin, make sure that the Display Customization application is enabled in your printer. For more information, see the Display Customization Administrator’s Guide.

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. From the Public section, click Manage Permissions.

3. Expand Apps, clear Slideshow, Change Wallpaper, and Screen Saver, and then click Save.

4. From the Additional Login Methods section, click Manage Permissions beside Smart Card.

5. Select a group whose permissions you want to manage.
   Note : The All Users group is created by default. More group names appear when you specify existing Active Directory groups in the Group Authorization List field. For more information, see “Configuring advanced settings” on page

7. Expand Apps, and then select Slideshow, Change Wallpaper, and Screen Saver.

8. Click Save.

Securing access to individual applications and functions
Users are required to authenticate before accessing an application or a built‑in printer function.

1. From the Embedded Web Server, click Settings > Security > Login Methods.

2. From the Public section, click Manage Permissions.

3. Restrict public access to the applications or functions that you want to secure. Do any of the following:

   • For Secure E‑mail, expand Function Access, clear E‑mail Function, and then click Save.
   • For Secure Held Print Jobs, expand Apps, clear Secure Held Print Jobs, and then click Save.
   • For other applications or functions, expand one or more categories, clear the application or function, and then click Save.

4. From the Additional Login Methods section, click Manage Permissions beside Smart Card.

5. Select a group whose permissions you want to manage.
   Note : The All Users group is created by default. More group names appear when you specify existing Active Directory groups in the Group Authorization List field. For more information, see “Configuring advanced settings” on page

7. Select the applications or functions that you want authenticated users to access. Do any of the following:

   • For Secure E‑mail, expand Function Access, and then select E‑mail Function.
   • For Secure Held Print Jobs, expand Apps, and then select Secure Held Print Jobs.
     For other applications or functions, expand one or more categories, and then select the application or function.

8. Click Save.

Disabling unused applications

1. From the Embedded Web Server, click Apps.
2. Select an unused application.
3. Click Stop.

Troubleshooting

Login issues

Cannot detect the card reader or the smart card
Try one or more of the following

• Make sure that the card reader is connected properly to the printer
• Make sure that the card reader and the smart card are compatible
• Make sure that the card reader is supported
• For a list of supported card readers, see the Readme file.
• Make sure that the card reader driver is installed on the printer
• Contact your Lexmark representative

Error reading the smart card
Try one or more of the following

• Make sure that the smart card is supported
• For a list of supported smart cards, see the Readme file.
• Make sure that the smart card driver is installed in the printer

User is locked out
Try one or more of the following

Update the allowed number of login failures and lockout time Note: This solution is applicable only in some printer models. The user may have reached the allowed number of login failures.

1. From the Embedded Web Server, click Settings > Security > Login Restrictions.
2. Update the allowed number of login failures and the lockout time.
3. Click Save.
   Note : Wait for the lockout time to pass before the new settings take effect.

Reset or replace the smart card
Check whether the type of smart card that you are using can be reset. If the card cannot be reset, then replace the card.

Printer home screen does not lock
Try one or more of the following

• Make sure that Display Customization is enabled
• For more information, see the Display Customization Administrator’s Guide.
• Secure access to the home screen
• For more information, see “Securing access to the home screen” on page 31.

Cannot generate or read certificate information from the smart card
Try one or more of the following

• Make sure that the certificate information on the smart card is correct Contact your Lexmark representative

Domain controller certificate is not installed

• Make sure that the correct certificate is installed on the printer
• For information on installing, viewing, or modifying certificates, see “Creating and modifying digital certificates” on page 12.

Cannot find realm in the Kerberos configuration file

Add or change the realm
If you are using simple Kerberos setup, then do the following:

1. From the Embedded Web Server, navigate to the configuration page for the application: Apps > Smart Card Authentication Client > Configure

2. From the Simple Kerberos Setup section, in the Realm field, add or change the realm. The realm must be typed in uppercase.
   Note : The simple Kerberos setup does not support multiple Kerberos realm entries. If multiple realms are needed, then install a Kerberos configuration file containing the necessary realms.

3. Click Apply.
   If you are using the device Kerberos setup file, then add or change the realm in the file. The realm must be typed in uppercase. When you are finished, reinstall the file on the printer.

Cannot access individual applications and functions on the printer
Try one or more of the following

• Allow secure access to applications or functions
• For more information, see “Securing access to individual applications and functions” on page 31.
• If the user belongs to an Active Directory group, then make sure that the group is authorized to access the applications and functions

LDAP issues

LDAP lookups fail
Try one or more of the following

Make sure that the server and firewall settings are configured to allow communication between the printer and the LDAP server on port 389 and port 636
The default ports are port 389 and port 636.
If reverse DNS lookup is not used in your network, then disable it in the Kerberos settings

1. From the Embedded Web Server, click Settings > Security.
2. From the Network Accounts section, click Kerberos.
3. From the Miscellaneous Settings section, select Disable Reverse IP Lookups. 4 Click Save and Verify.

If the LDAP server requires SSL, then enable SSL for LDAP lookups

1. From the Embedded Web Server, navigate to the configuration page for the application:
   Apps > Smart Card Authentication Client > Configure

2. From the Advanced Settings section, select Use SSL for User Info.

3. Click Apply.

Narrow the LDAP search base to the lowest possible scope that includes all necessary users Make sure that all LDAP attributes that are being searched for are correct

Secure Held Print Jobs issues

Cannot determine the user ID
This error indicates that the local account, network account, or authentication module login method is not setting the user ID for the session. Try one or more of the following:

• Make sure that the application is secured
• For more information, see “Configuring the Secure Held Print Jobs settings” on page 29.
• Make sure that the session user ID is set correctly
• From the Embedded Web Server, do one of the following:
• Using a local account login method

1. Click Settings > Security > Login Methods.
2. From the Local Accounts section, click the local account type, and then make sure that the account has  a user name.
3. Click Save.

Using a network account login method

1. Click Settings > Security > Login Methods.
2. From the Network Accounts section, click the network account, and then make sure that the account has the correct user ID. For more information, contact your system administrator.
3. Click Save.

Using an authentication module

1. Click Apps.
2. Select the authentication module, and then click Configure.
3. Specify the appropriate setting for the session user ID.
4. Click Save or Apply.

Contact your solution provider
If you still cannot resolve the problem, then contact your solution provider.

No print jobs are available for the user
Try one or more of the following

• Make sure that jobs are sent to the correct printer and have not expired
• The user may have sent the jobs to a different printer, or the jobs may have been automatically deleted because they were not printed in time.
• Make sure that the session user ID is set correctly
• From the Embedded Web Server, do one of the following:

Using a local account login method

1. Click Settings > Security > Login Methods.
2. From the Local Accounts section, click the local account type, and then make sure that the account has a user name.
3. Click Save.

Using a network account login method

1. Click Settings > Security > Login Methods.
2. From the Network Accounts section, click the network account, and then make sure that the account gets the correct user ID. For more information, contact your system administrator.
3. Click Save.

Using an authentication module

1. Click Apps.
2. Select the authentication module, and then click Configure.
3. Specify the appropriate setting for the session user ID.
4. Click Save or Apply.

Contact your solution provider
If you still cannot resolve the problem, then contact your solution provider.

Audit log
The security audit log is a record of security-related events. The log is stored locally in the device, and can be exported through e‑mail or browsed on request. Log records can be sent to an external Syslog server while they are generated.

The basic format of the log records is defined in RFC5424. The following is the generic log format: VERSION TIMESTAMP HOSTNAME APPNAME PROCID [SD-

ELEMENT] MSG
Where

• PRI is a priority value that is a two- or three-digit number that is defined in RFC5424. The value must be enclosed in < and >. The severity of the event is part of the input to the calculation of this number. VERSION is a value of 1 that is the version of the specification that is used for defining the log file. TIMESTAMP is the ISO 8601 time in ([YYYY-MM-
• DD]T[hh:mm:ss]) format.
• HOSTNAME is the host name or IP address of the device.
• APPNAME is the application name indicating the process that triggered the event log message.
• PROCID is the process ID that is generally specified as 0, but may be another valid process ID for some applications.
• MSGID is a text string that is defined within each event. The string must be enclosed in < and >. It provides more information about the event.
• [SD-ELEMENT] is a structured data element that consists of one EventNum value followed by zero or more name-value pairs that provide detailed log information.
• MSG contains the Event Name and Event Message fields described in the individual event definitions.

< job> [event17375@641 JobId=”105″ Job_Type=”InternalPrintWorkflow”] Job Completed:
Job started| < 53>1 2017-10-21T18:12:27Z CX725 jobmanager 0
< job> [event17327@641 JobId=”38″ Job_Type=”FaxSendWorkflow”] Job Started:
Successful user identification and authentication| < 53>1 2017-10-21T16:17:30Z CS820 auth 0 **[event11527@641 SessionId=”Fak4tZcHTBH0L6Cs” Auth_Method=”Username/Password” Username=”admin” UniqueUserId=”69901267-0520-460f- baf6-6bc56180e730″ Fullname=”Administrator”] Login successful: ‘admin’
Unsuccessful user authentication| **< 52>1 2017-11-13T19:31:37Z CX922 auth 0