Creating or editing a device password (advanced)

MarkVision Professional allows administrators to set up a combined total of up to 250 user-level and administrator-level passwords on each supported device. Each password must be between 8 and 128 UTF-8 characters, and it must be identified by a unique name (example: “IT Manager's Password”). The unique name should be between 1 to 128 UTF-8 characters.

1. From the MarkVision Professional Home screen, select Security - Password from the All Tasks list.

2. Select a device.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Add or edit a password for the device:

   • Click Add to create a new device password.

   • Select a password from the list and click Edit to edit an existing device password.

   Notes:

   • Select the Admin Password box to create an administrator-level password. If an activity is secured by an administrator-level password, then only that password will grant access to the activity. Administrator-level passwords also override any normal password. If an activity is protected by a normal password, then any administrator-level password will also grant access.
   • To delete a password, select a password from the list and then click Delete. Clicking Delete All will delete all passwords on the list, whether they are selected or not.

Creating a PIN

Typically, Personal Identification Numbers (PINs) are used to control access to specific device menus or to a device itself. On certain devices, however, MarkVision Professional allows administrators to create a combined total of 250 user-level and administrator-level PINs that control specific activities, such as scanning or copying. These PINs can later be used to create security templates that control specific function access.

1. From the MarkVision Professional Home screen, select Security - PIN from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Click Add.

4. Type the name of the PIN configuration in the Name box. Each PIN must have a unique name consisting of 1-128 UTF-8 characters (example: “Copy Lockout PIN”).

5. Type a four-digit PIN in the appropriate box, and then re-enter the PIN to confirm it.

   Note: The indicator light changes to green when the two PIN numbers are identical. When the PIN numbers do not match, the indicator light remains red.

6. Select Admin PIN if the PIN will be used as the Administrator PIN.

   Note: If an activity is secured by a specific Administrator PIN, then only that PIN will grant access to it.

7. Click OK.

Managing multiple PIN setups

1. From the MarkVision Professional Home screen, select Security - PIN from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Notes:

   • When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
   • To apply settings to multiple devices, use the Device Policies tasks in MVP. See the MVP User's Guide for more information about using Device Policies.

3. Select a PIN setup from the list and click Edit.

4. Edit the name or the PIN as necessary and click OK.

   Note: The indicator light changes to green when the two PIN numbers are identical. When the PIN numbers do not match, the indicator light remains red.

5. To delete a PIN setup, select it from the list and click Delete.

   Note: Clicking Delete All will delete all currently saved PIN setups.

Using internal accounts

MVP administrators can configure one internal account building block per supported device. Each internal account can include a maximum of 32 user groups and 250 user accounts. The internal accounts building block can be used in a security template only after each user's group membership has been defined.

Each security template that uses the internal accounts building block must define the user groups that can access the function(s) protected by the template. Any user who is a member of the groups included in the security template can access any function controlled by that security template.

Defining user groups

Before creating new internal accounts for a device in MVP, an administrator should first define at least one user group. To define user groups:

1. From the MarkVision Professional Home screen, select Security - Internal Accounts from the All Tasks list.

2. Select a device.

3. Click Setup Groups.

4. Enter names for up to 32 user groups.

   Note: Group names have a 128-character limit.

Creating internal accounts

To create an internal account:

1. From the MarkVision Professional Home screen, select Security - Internal Accounts from the All Tasks list.

2. Select a device.

3. Click Add.

   Enter information into the necessary fields (required fields are in italics):

   • Account Name—Type the user's account name (example: “Jack Smith”). You may use up to 128 UTF-8 characters.

   • User ID—Type an ID for the account (example: “jsmith”). You may use up to 128 UTF-8 characters.

   • Password—Type a password of between 8 and 128 characters.

   • Re-enter Password—Type the password entered in the field above. The indicator light changes to green when the two passwords are identical. When the passwords do not match, the indicator light remains red.

   • E-mail—Type the user's e-mail address (example: “jsmith@markvision.com”).

   • Groups—Select the groups to which the account belongs. Hold down the Ctrl key to select multiple groups for the account.

4. Click OK.

   Note: Clicking Reset will cancel all changes before applying them.

Specifying settings for internal accounts

Settings selected in the Internal Accounts Settings section will determine the information an administrator must submit when creating a new internal account, as well as the information a user must submit when authenticating.

• Require password—Select this box to make the password a required field when creating new internal accounts.

• Require e-mail address—Select this box to make the e-mail address a required field when creating new internal accounts.

• Required user credentials—Select either User ID or User ID and Password to specify the information a user must submit when authenticating.

Using Kerberos authentication (advanced)

MVP administrators can store only one Kerberos configuration file (krb5.conf) on a supported device. However, the krb5.conf file can apply to multiple realms and Kerberos Domain Controllers (KDCs). An administrator must thus anticipate all of the different types of authentication requests that the Kerberos server might receive, and then configure the krb5.conf file to handle all such requests.

Notes:

• Because only one krb5.conf file is used, uploading or re-submitting a simple Kerberos file will overwrite the configuration file.
• The krb5.conf file can specify a default realm. However, if a realm is not specified in the configuration file, then the first realm specified will be used as the default realm for authentication.

Creating a simple Kerberos configuration file

1. From the MarkVision Professional Home screen, select Security - Kerberos (Advanced) from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Type the KDC (Kerberos Domain Controller) address in the KDC Address field.

4. Type the number of the port used by the Kerberos server in the KDC Port field.

   Note: UDP 88 is the default Kerberos service port.

5. Type the realm used by the Kerberos server in the Realm field

6. Click Apply to save the information as a krb5.conf file on the selected device, or click Undo to reset the fields and start again.

Uploading a Kerberos configuration file

1. From the MarkVision Professional Home screen, select Security - Kerberos (Advanced) from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Click Browse to find the krb5.conf file, then click Add.

4. Click Apply to upload the krb5.conf file to the selected device, or click Undo to reset the field and search for a new configuration file.

   Notes:

   • Click Delete to remove the Kerberos configuration file from the selected device.
   • Click View to view the Kerberos configuration file for the selected device.
   • Click Test Setup to verify that the Kerberos configuration file for the selected device is functional.

Configuring LDAP settings (advanced)

Lightweight Directory Access Protocol (LDAP) is a standards-based, cross-platform, extensible protocol that runs directly on top of TCP/IP and is used to access specialized databases called directories. Its strength is that it can interact with many different kinds of databases, making it more flexible than many other authentication methods.

Notes:

• MVP allows administrators to store a maximum of five unique LDAP configurations on a supported device. Each configuration must have a unique name.
• Administrators can create up to 32 user-defined groups that apply to each unique LDAP configuration.
• An LDAP building block cannot be deleted if it is being used as part of a security template.

To add a new LDAP setup

1. From the MarkVision Professional Home screen, select Security - LDAP from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Click Add.

4. Enter the appropriate information in the LDAP Configuration dialog:

   • Setup Name—This name will be used to identify each particular LDAP Server Setup when creating security templates.

   • Server Address—Enter the IP Address or the Host Name of the LDAP Directory Server where the authentication will be performed.

   • Server Port—The port used by the local computer to communicate with the LDAP Directory Server. The default LDAP port is 389.

   • Use SSL/TLS—Select SSL (Secure Sockets Layer), TLS (Transport Layer Security), or None.

   • Userid Attribute—Enter the name of the attribute that uniquely identifies users. For example, type cn or userid, where cn stands for “common name.” A user-defined attribute name is also acceptable in this field.

   • Mail Attribute—Enter the attribute name of the user's e-mail address.

   • Full Name Attribute—Enter the attribute name of the user's full name.

     Note: The Mail Attribute and Full Name Attribute fields are available only on MFPs.

   • Search Base—The Search Base (sometimes called the Distinguished Name, or DN) is the node in the LDAP Directory Server where user accounts exist. Multiple search bases may be entered, separated by semi-colons.

     Notes:

     • A Search Base consists of multiple attributes—such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain)—separated by commas.
     • For LDAP v3 and later, the Search Base field can be left blank, although it will cause searches to take considerably longer.

   • Search Timeout—Enter a value of from 5 to 30 seconds.

   • Required User Input—Select either User ID or User ID and Password to specify which credentials a user must provide when attempting to access a function protected by the LDAP building block.

   • Anonymous LDAP Bind—If selected, MVP will bind with the LDAP server anonymously, and the MFP Distinguished Name and MFP Password fields will be grayed out.

   • MFP Distinguished Name—Enter the distinguished name of the print server(s).

   • MFP Password—Enter the password for the print server(s).

     Note: You should include values in the “MFP Distinguished Name” and “MFP Password” fields if the LDAP server does not allow anonymous binds. The device will bind to the LDAP server using these credentials so that it can search the LDAP directory.

   • Person—Click to select or clear. When selected, the “person” object class is used to search user accounts. If the server uses different object classes, specify them in the “Custom Object Class” field below.

   • Custom Object Class—Click to select or clear; the MVP administrator can define up to three custom search object classes.

     Note: If you are unsure about the object classes that the LDAP server uses, type an asterisk (*) in the field to conduct a wildcard search for all available object classes.

   • Configure Groups—MVP administrators can restrict access to specific groups by entering identifiers for those groups (such as the group's common name). Up to 32 groups may be specified.

     Notes:

     • The Group search base should be specified first (Example: ou=empgroup,dc=orange,dc=com).
     • The shortname for the group can be user-defined (Example: “staff”).
     • The Group Identifier is the group's Common Name (cn) (Example: cn=staff).

5. Click OK to save changes, or click Reset to return to previous values.

To edit an existing LDAP setup

1. From the MarkVision Professional Home screen, select Security - LDAP from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Select a setup from the list.

4. Click Edit.

5. Make any changes in the LDAP Configuration dialog.

6. Click OK to save changes, or click Reset to return to previous values.

To delete an existing LDAP setup

1. From the MarkVision Professional Home screen, select Security - LDAP from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Select a setup from the list.

4. Click Delete.

5. Click Yes.

Note: Click Delete All to delete all LDAP + GSSAPI setups in the list.

To validate an existing LDAP setup

1. From the MarkVision Professional Home screen, select Security - LDAP from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Select a setup from the list.

4. Click Test Setup.

Configuring LDAP + GSSAPI settings

Some MVP administrators may prefer authentication to an LDAP server using GSSAPI (Generic Security Services Application Programming Interface) instead of simple LDAP authentication because the transmission is always secure. Instead of authenticating directly with the LDAP server, the user will first authenticate with a Kerberos server to obtain a Kerberos “ticket.” This ticket is then presented to the LDAP server using the GSSAPI protocol for access.

Notes:

• MVP allows administrators to store a maximum of five unique LDAP + GSSAPI configurations on a supported device. Each configuration must have a unique name.
• Administrators can create up to 32 user-defined groups that apply to each unique LDAP + GSSAPI configuration.
• An LDAP + GSSAPI building block cannot be deleted if it is being used as part of a security template.

To add a new LDAP + GSSAPI setup

1. From the MarkVision Professional Home screen, select Security - LDAP + GSSAPI from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Click Add.

4. Enter the appropriate information in the LDAP Configuration dialog:

   • Setup Name—This name will be used to identify each particular LDAP Server Setup when creating security templates.

   • Server Address—Enter the IP Address or the Host Name of the LDAP Directory Server where the authentication will be performed.

   • Server Port—The port used by the local computer to communicate with the LDAP Directory Server. The default LDAP port is 389.

   • Use SSL/TLS—Select SSL (Secure Sockets Layer), TLS (Transport Layer Security), or None.

   • Userid Attribute—Enter the name of the attribute that uniquely identifies users. For example, type cn or userid, where cn stands for “common name.” A user-defined attribute name is also acceptable in this field.

   • Mail Attribute—Enter the attribute name of the user's e-mail address.

   • Full Name Attribute—Enter the attribute name of the user's full name.

     Note: The Mail Attribute and Full Name Attribute fields are available only on MFPs.

   • Search Base—The Search Base (sometimes called the Distinguished Name, or DN) is the node in the LDAP Directory Server where user accounts exist. Multiple search bases may be entered, separated by semi-colons.

     Note: A Search Base consists of multiple attributes—such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain)—separated by commas.

   • Search Timeout—Enter a value of from 5 to 30 seconds.

   • MFP Distinguished Name—Enter the distinguished name of the print server(s).

   • MFP Password—Enter the password for the print server(s).

   • Person—Click to select or clear. When selected, the “person” object class is used to search user accounts. If the server uses different object classes, specify them in the “Custom Object Class” field below.

   • Custom Object Class—Click to select or clear; the MVP administrator can define up to three custom search object classes.

     Note: If you are unsure about the object classes that the LDAP server uses, type an asterisk (*) in the field to conduct a wildcard search for all available object classes.

   • Configure Groups—MVP administrators can restrict access to specific groups by entering identifiers for those groups (such as the group's common name). Up to 32 groups may be specified.

     Notes:

     • The Group search base should be specified first (Example: ou=empgroup,dc=orange,dc=com).
     • The shortname for the group can be user-defined (Example: “staff”).
     • The Group Identifier is the group's Common Name (cn) (Example: cn=staff).

5. Click OK to save changes, or click Reset to return to previous values.

To edit an existing LDAP + GSSAPI setup

1. From the MarkVision Professional Home screen, select Security-LDAP + GSSAPI from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Select a setup from the list.

4. Click Edit.

5. Make any changes in the LDAP Configuration dialog.

6. Click OK to save changes, or click Reset to return to previous values.

To delete an existing LDAP + GSSAPI setup

1. From the MarkVision Professional Home screen, select Security-LDAP + GSSAPI from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Select a setup from the list.

4. Click Delete.

5. Click Yes.

Note: Click Delete All to delete all LDAP + GSSAPI setups in the list.

Using NTLM authentication

NTLM (Windows NT LAN Manager) is Microsoft's solution for enabling authentication without requiring the transmission of a user's password across a network in clear text. Instead of comparing the user's actual password, the NTLM server and the client generate and compare three encrypted strings based on the user's password.

An MVP administrator can store only one NTLM configuration on a supported device because each device can only be registered to a single NT domain.

Notes:

• Because the information in the NTLM configuration file is confidential, an MVP administrator must access, and make changes to, the full NTLM configuration from the Embedded Web Server (EWS) page for a supported device. MVP allows changes only to the address of the default user domain for the NTLM server.
• Open the Embedded Web Server home screen using the secure version of the page (by typing the IP address of the device into the address bar of the Web browser, beginning “https://”), rather than an unsecured browsing window. If you do not connect to the Embedded Web Server using HTTPS, you will not be able to register your device with an NT domain.
• The NTLM building block can be used in a security template only after a supported device has registered with the NTLM domain.
• The NTLM building block cannot be deleted or unregistered if it is being used as part of a security template.

Specifying the default user domain for the NTLM server

1. From the MarkVision Professional Home screen, select Security - NTLM from the All Tasks list.

2. Select devices using the Quick Find or Folders tabs.

   Use Ctrl + click and Shift + click to select multiple devices.

   Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.

3. Type the default user domain in the Default User Domain field. This is the default NT domain used when MVP attempts to authenticate users.

4. Click Apply to save the new default user domain.