How to Administer Security Settings to a Fleet of Devices Using MVP 11.2
Document ID: HO3491
This article presents:
- Prerequisites for implementing mass fleet security settings.
- The order of required and administered policies, to include:
  - Building Blocks
  - Security Templates
  - Access Control
- Example procedure
- Additional information
- The removal of the security templates
The following prerequisites and concepts help ensure successful security configuration:
- mDNS needs to be enabled on the MFP or printer for security configurations to work properly.
NOTE: You will have to reset access controls to "no security", restart the device, delete, and rediscover the device in MVP, if either of the following occurs:
- The MFP or printer's mDNS protocol is turned off and back on again, or
- There is a discrepancy from expected results.
Other concepts
- Dependent security settings and configurations must be the same among ALL the devices.
- Security settings must match from device to device.
Configuration order is critical to success
You must follow the configuration order: Building blocks > Template > Access Control.
Why?
- Security configuration (Building Blocks for authentication) on a device is a prerequisite to the creation and application of the security template.
- You will create one policy for any print server/device and create/configure its security configuration.
- A security template is a prerequisite to the creation and implementation of an access control policy.
- This policy security template will be available to all devices via access control.
- Security-related building blocks cannot be deleted if they are part of a security template.
This example should be referenced in concert with concepts covered in the MVP 11.2 User's Guide.
To emphasize the correct order, the policy names that are given in the example will be as follows:
- Step#1building blocks
- Step#2Template
- Step#3Access Control
NOTE: These names directly coincide with the order that should be followed. However, these naming conventions do not need to be followed in practice.
In this stage you will perform the following:
- Create the building block profiles. This example will produce an NTLM and Kerberos building block.
  NOTE: NTLM is not described in the Step/Action table below.
- Name the individual building blocks by function or other unique identifier.
- Edit or Add the building block security settings depending on whether you are performing this function for the first time, or whether you are changing existing security parameters.
- This will become your security configuration.
1. Under Configure/Setup Devices, click on Device Policies - Create/Manage.
2. There are two options to create the necessary Print Server* building block device policy:
   - Click on New if creating a new building block, or
   - Click on an already-created building block if you are editing parameters to create a new security building block.
   Security configuration = building blocks = security device policy.
   * "Print server" device policies need to be created for security authentication or authorization requirements.
3. Provide a Name to the building block policy as required for this procedure; e.g., Step#1 building blocks.
4. In the right-hand window pane, scroll down the list of Print Server policies, and click the plus sign (+) next to Security.
5. Next, click the (+) located next to Advanced Security, which is required for creation of Building Blocks that involve Kerberos.
6. Next, click the (+) located next to Building Blocks.
7. Select and configure (edit) the desired or necessary level of device authentication or authorization. These types include any of the following, and more than one may be required for different device functions:
   - Password
   - PIN
   - Internal Account
   - Kerberos (5)
   - NTLM
   - LDAP
   - LDAP + GSSAPI
8. LDAP + GSSAPI is configured in this example, so click the (+) next to Simple Kerberos Setup, and place a checkmark next to LDAP + GSSAPI.
9. Click EDIT or ADD to create a new building block, or update an existing policy to act as a building block. Fill in the required fields. See the User's Guide for a detailed explanation of these settings.
10. Click Ok after completion.
11. Click Apply. Observe the following messaging in the lower MVP pane:
   - Date/Time: Applying Policy Changes: Step#1 building blocks (building block name provided)
   - Date/Time: Finished Applying Policy Changes: Step#1 building blocks
12. Repeat this process for other required building blocks that will be needed in order to access certain functions on the MFP.
13. Building blocks configured in the above steps can now be used to configure the "Security Template".
You will create one policy for a Security Template.
1. The two options to create the necessary Print Server* security template device policy:
   - Click on New if creating a new security template, or
   - Click on an already-created security template policy in order to edit parameters.
   * Again, this should be a "print server" device policy to properly administer authentication or authorization requirements.
2. Provide a Name to the security template policy as required for this procedure; e.g., Step#2Template.
3. Again, in the right-hand window pane, scroll down the list of Print Server policies, and click the plus sign (+) located next to Security.
4. Next, click the (+) located next to Advanced Security.
5. Place a checkmark next to Security Template.
6. Click Edit.
7. Click Add to add new building block(s), or click on an existing template in order to highlight it, and then click on Edit to change parameters of an existing template.
8. The template must include the template name as well as ALL the included building blocks that were created in Stage 1 above. For this example, the configuration went as follows:

   | Security template fields | Kerberos | NTLM | |
   | Security Template Name | kerberos | NTLM | testtemplate |
   | Authentication Setup | kerberos_building_block | NTLM_building_block | DEMO |
   | Authorization Setup | not applicable | not applicable | not applicable |
   | Groups | not applicable | not applicable | not applicable |

   Click OK after filling out the Name, Authentication/Authorization Setup, and Groups fields.
9. Click Apply.
10. Observe the following messaging in the lower MVP pane:
   - Date/Time: Applying Policy Changes: Step#2Templates
   - Date/Time: Finished Applying Policy Changes: Step#2 Templates
You now have the required Security Template. This security template will be required to configure the Access Control policy.
Before you begin this step, please be aware of specific implementation rules regarding the Access Control "Security Menu at the Device" and "Security Menu Remotely" features, and dependency on Advanced Credentials.
1. To create the necessary Access Control policy:
   - Click on New if creating a new security template, or
   - Click on an already-created access control to edit function access parameters.
   * Again, this should be a "print server" device policy in order to properly administer authentication or authorization requirements.
2. Provide a Name to the access control policy as required for this procedure; e.g., Step#3Accesscontrol.
3. Again, in the right-hand window pane, scroll down the list of Print Server policies, and click the plus sign (+) located next to Security.
4. Next, click the (+) located next to Advanced Security.
5. Next, click the (+) located next to Access Control.
6. Place a checkmark next to the function that requires security.
7. In this example, the following was selected:
   Function Security Copy testtemplate NTLM Create Profile (e.g., the ability to create scan profiles or shortcuts) kerberos
8. Click Apply.
9. Click Yes to the confirmation.
10. Observe the following messaging in the lower MVP pane:
   - Date/Time: Applying Policy Changes: Step#3Accesscontrol.
Now apply the policies one after another in the same sequence used to create Building Blocks, Security Templates and Access Control.
1. From All Tasks, select Home, and then select Device Policies - Apply.
2. Select Step#1 building blocks, and make sure the printer(s) are selected in the far left-hand folder/printers contents pane.
3. Click on Apply Policy.
4. Click Yes to the confirmation.
5. Repeat this procedure for Step#2templates and access control.
6. Observe the following messaging in the lower MVP pane:
   - Started Applying Policy: Step#1 building blocks (building block name provided)
   - Applied Policy Step#1 building blocks - IP address(es)
   - Finished Applying Policy: Step#1 building blocks
This messaging will repeat for each of the applied policies.
Verification of success
1. Click on Settings > Security > Advanced Security > Building Blocks > LDAP + GSSAPI.
2. Verify the Name of the Building Block; e.g., DEMO.
3. Click on Settings > Security > Advanced Security > Security Templates.
4. Verify that all of the Security Template Names are present.
5. Click on Settings > Security > Advanced Security > Access Control.
6. Verify that all of the functions have the proper Security Template names assigned to them.
Create or Edit new policies:
1. Create/Edit Building Block (security configuration)
2. Create/Edit Security Template
3. Create/Edit Access Control
Apply policies in order of creation:
4. Apply Building Block (security configuration) policy
5. Apply Security Template Policy
6. Apply Access Control Policies
Deletion of security configuration:
To remove a security configuration, you must follow the exact reverse order from which they were configured and implemented.
To do this:
- Undo/Reset Access Control* settings, or
- Delete Access Control settings.
- Delete Security Templates.
- Delete Building Blocks.
*IMPORTANT! If you do not set Access Control back to No Security for each function, individual deletion of security templates and building blocks will not be allowed.
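The verification steps and the removal order above can be checked across a whole fleet with a short script. The following is an added example, not part of the Lexmark article or of MVP: the dict layout, the function names and the device addresses are assumptions, and the policy names are taken from the example in this article.

```python
# Added example. The dict layout is an assumption made for this sketch; it is
# not an MVP export format. Names are taken from the article's example.
BASELINE = {
    "building_blocks": {"kerberos_building_block", "NTLM_building_block", "DEMO"},
    "security_templates": {  # template name -> building block it authenticates with
        "kerberos": "kerberos_building_block",
        "NTLM": "NTLM_building_block",
        "testtemplate": "DEMO",
    },
    "access_control": {"Copy": "testtemplate", "Create Profile": "kerberos"},
}
LAYERS = ["building_blocks", "security_templates", "access_control"]  # apply order

def audit_device(cfg):
    """Return dependency violations found in one device's settings."""
    problems = []
    for name, block in cfg["security_templates"].items():
        if block not in cfg["building_blocks"]:
            problems.append(f"template {name!r} needs missing building block {block!r}")
    for function, template in cfg["access_control"].items():
        if template != "No Security" and template not in cfg["security_templates"]:
            problems.append(f"function {function!r} needs missing template {template!r}")
    return problems

def audit_fleet(baseline, fleet):
    """Map device address -> problems; devices that match the baseline are omitted."""
    report = {}
    for address, cfg in fleet.items():
        problems = audit_device(cfg)
        problems += [f"{layer} differs from baseline"
                     for layer in LAYERS if cfg[layer] != baseline[layer]]
        if problems:
            report[address] = problems
    return report

def removal_plan(cfg):
    """List removal steps in the reverse of the configuration order."""
    steps = [f"set {fn!r} to No Security"
             for fn, tpl in sorted(cfg["access_control"].items()) if tpl != "No Security"]
    steps += [f"delete security template {t!r}" for t in sorted(cfg["security_templates"])]
    steps += [f"delete building block {b!r}" for b in sorted(cfg["building_blocks"])]
    return steps

# Constructed fleet (documentation addresses): the second device lost a template.
drifted = {**BASELINE, "security_templates": {"kerberos": "kerberos_building_block",
                                              "NTLM": "NTLM_building_block"}}
FLEET = {"192.0.2.10": BASELINE, "192.0.2.11": drifted}

if __name__ == "__main__":
    print(audit_fleet(BASELINE, FLEET))
    print(removal_plan(BASELINE))
```

A device that appears in the report is a candidate for the reset, delete and rediscover procedure described in the prerequisites.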
If you need additional assistance, please contact Lexmark Technical Support. NOTE: When calling for support, you will be asked for your machine/model type and serial number (SN).
Please call from near the computer and printer in case the technician on the phone asks you to perform a task involving one or all of these devices.