IBM Security MaaS360

 View Only
  • 1.  Block Printing

    Posted Tue July 13, 2021 06:29 PM

    Hi All,  Has anyone found a way or is there a way to block printing to non-network printers on a Microsoft Surface or Apple device? My V.P. would like to prevent anyone from printing to a printer that we don't own or control.

     

    Thanks!

     

    Bob Yeager

    I.T. Project Manager

    Harborstone Credit Union

    Direct or Fax: (253) 583-8685

    Phone: (253) 584-2260 or 1-800-523-3641

    Visit us online at  harborstone.com

     




    CONFIDENTIALITY NOTICE: Harborstone Credit Union respects your Internet privacy and would like to remind you that the confidentiality of Internet e-mail cannot be guaranteed. Do not include private or confidential information such as passwords, account numbers, Social Security numbers, etc., in e-mails to Harborstone Credit Union. This communication is only for the person(s) named above and may contain information that is confidential, privileged or exempt from disclosure under applicable law. If you are not the person(s) named above be aware that disclosure, copying, distribution or use of this communication is strictly PROHIBITED. If you have received this communication in error please notify us by reply e-mail.


  • 2.  RE: Block Printing

    Posted Mon July 26, 2021 04:59 AM
    Edited by Eamonn O'Mahony Mon July 26, 2021 05:00 AM
    Hi Bob
    I just saw your post today so apologies for delay in replying.
    There are a number of ways users can print from these devices and therefore a number of ways you might consider configuring controls. Please note that where appropriate I am referring to the Windows computer OS policy settings as this is the type of Windows that Surface tablets has implemented. 

    1. Via native device printing capability. 
    - iOS devices have AirPrint meaning the AirPrint protocol is used to send documents to a compatible printer. This can be disabled in iOS policy: Device Settings > AirPrint. 
    - MacOS devices also use AirPrint and this can be disabled in MacOS policy: Configuration > AirPrint. 
    I haven't seen any equivalent settings on Windows computer policy. 
    2. Via app
    A number of printer manufacturers have their own apps on the App Store / Play Store which are capable of sending documents to printers. The way to block these apps would be to put them in the Blocklist in the App Compliance part of the device policy. You would need to locate the relevant apps, note their App ID's, and put these in the policy section to block installation. However if you allow BYOD, the personal devices may not be appropriate for configuring this sort of block. 
    3. Via Bluetooth
    Again a number of modern printer manufacturers support Bluetooth so you can send a document or image to a printer from a device. 
    - iOS policy: Supervised settings > Restrictions & Network > Restrictions > Allow Bluetooth Modification. 
    - MacOS policy: Restrictions > System Preferences > Configure Device Restrictions (enable) > System Preferences > Bluetooth
    I haven't seen any equivalent settings on Windows computer policy. 
    4. Via USB cable
    If a device supports direct connection to a printer via USB device, this might also be something to look into. 
    Some of the devices have USB cable connection controls on their policy meaning you could disable the options. 
    5. Restrict on Workplace policy
    The Workplace policy is where you configure the settings for MaaS360 apps (Mail, Browser, etc) if you have these in your contract and your users are using them. 
    The control can be found in WorkPlace > Security > Configure Data Protection Policies > Restrict Print. 
    This is potentially a more satisfying setting as it will apply specifically to corporate content consumed within the MaaS360 container space only meaning only corporate content is blocked from printing. 

    As a few general observations: 
    • For devices where personal usage is allowed - or if you permit BYOD connected devices - controls at device level may not be appropriate as they may be excessively restrictive and might even be counter-productive where you actually want users to be able to print corporate content from their devices. 
    • iOS devices use the concept of Supervised mode (implemented by enrolling via Apple Configurator or Apple Device Enrollment Program) meaning only specific device setup gives you this higher level of control. If you want to use for example the App Compliance feature, it is probably more efficient used on Supervised devices, as you have a 'hardened' setting which users cannot modify, and you can prevent them from removing the MaaS360 control. 
    • The use of the last option within the MaaS360 container - a data-level control rather than at device level - is probably the best approach, however it does require you to use the MaaS360 apps for corporate data. 

    Hope this helps!
    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------