Deny of Airprint wanted

peschapad

Joined: May 1, 2014

Hello!

We are using supervised iDevices managed by Datomo.
Users have the opportunity to install private apps in the unmanaged sector of the devices.
Our business apps are in the managed sector without opportunity for the user to move data between the sectors.
We are looking for an opportunity to deny the use of AirPrint on the iDevices because we don't want the user to redirect print jobs of business data to a private PC in WLAN with an AirPrint simulator like "Presto Collobos".

Any ideas? AirPrint is configurable but I can't deny the use.
Is there a possibility to deny the Bonjour protocol? Or to redirect it to /dev/null?
Maybe a proxy setting for Bonjour?
Is there an app that will catch the AirPrint traffic before leaving the iDevice?

Best regards
Peter

benhuckle

Joined: Oct 4, 2013

Could block the port? It's on port 5353.

Well known TCP and UDP ports used by Apple.

Ben Goulding-Huckle
Onefruit Charge & Sync Solutions
www.onefruit.co

peschapad

Joined: Apr 29, 2014

Hi Ben,

How can I do this? Do I have any firewall options on the devices?
The connection for AirPrint will be established in private WLAN at home,
so I think I can't use a proxy.

Best regards
Peter

jesselvella

Joined: Oct 23, 2013

AirPrint

I worked with AirPrint for some time now and the only way I could block it was inside our network and segment the AirPrint printers to a different subnet than the iPads. So for users at home with their own personal printer I don't know what you'll be able to do. Even if you enable a Global Proxy setting I don't believe you'll be able to block ports since it's sending a broadcast to the local subnet the iPad is on. If you could give us a bit more detail about your setup maybe we can find a solution for you.

Thank you
Jesse Vella

peschapad

Joined: Apr 29, 2014

Hi Jessel!
We will use iPads in supervised mode with an installed MDM from Datomo. We will have managed business apps, which are allowed to exchange data between themselves. This will be a SAP app and the native Mail app with our EAS account.
The user may install any private unmanaged app outside this managed area. We must make sure that there will be no data flow from a managed app to an unmanaged app. (To make a hardcopy will be tolerated, but we don't want an opportunity to export much data.) We deny AirDrop and iMessage and made some restrictions for the user. This works fine, moving a mail from managed account to unmanaged account is not possible, open managed attachment in unmanaged attachment is not possible and so on. But AirPrint generates a hole in this wall, user can install a software on private PC which emulates an AirPrint printer. Then the user can capture the print file in a PDF. This data flow is not allowed and tolerated. So I have to stop use of AirPrint or I have to redirect AirPrint to nirvana.

Best regards
Peter

Collobos

Joined: May 1, 2014

Solutions to post.

Hi Peter,

Lanny with Collobos here. I’m not sure I have the whole picture of what you are trying to do but I wanted to offer a solution based on my understanding of your requirements. You do want to “permit” printing otherwise you simply wouldn’t enable an Enterprise AirPrint solution in the environment. However, you also want to potentially control who can print to what printer, and there is a good solution for that. We think about this in terms of Authentication and Authorization.

Authentication - Presto Enterprise allows you to secure a printer. This requires users to Authenticate against their AD credentials. Once successfully entered, Presto will pass the print job to the printer.

Authorization - Go to the Security tab in the printer control panel for a specific printer. You can then set rules around what users/groups can print to a specific printer. If that user is not permitted to print, the print job will fail after Authentication.

Additional ways to potentially manage what printers show on a device also include leveraging DHCP option 119 Scopes and only allowing printers to be advertised on specific subnets. We regularly see environments where only certain users have access to certain network segments and printers can be advertised out only to those specific segments.

I hope these ideas land in the ballpark of what you were looking for and let me know if you feel you need additional clarification.

Best, Lanny
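
Added example, not part of any post in this thread and not code from Collobos or Datomo: a small Python parser for mDNS payloads (UDP port 5353) that reports which printer instances a message advertises as AirPrint, as one way to verify the subnet segmentation discussed in the replies above. It assumes AirPrint advertisements are identified by the `_universal` Bonjour subtype of `_ipp._tcp` / `_ipps._tcp`; the sample packet and printer names are constructed.

```python
import struct

# Bonjour service subtypes an AirPrint printer (or an emulator) advertises.
AIRPRINT_SUBTYPES = ("_universal._sub._ipp._tcp.local", "_universal._sub._ipps._tcp.local")
TYPE_PTR = 12

def read_name(msg, off):
    """Decode the DNS name at off; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                      # malformed packet: pointer loop
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length

def airprint_advertisements(msg):
    """Return the instance names one mDNS message advertises as AirPrint."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, found = 12, []
    for _ in range(qd):                        # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_PTR and owner.lower() in AIRPRINT_SUBTYPES:
            found.append(read_name(msg, off)[0])   # PTR target = instance name
        off += rdlen
    return found

def encode_name(name):                         # uncompressed DNS name encoding
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

def ptr_record(owner, target):                 # one PTR record, class IN, TTL 4500
    rdata = encode_name(target)
    return encode_name(owner) + struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(rdata)) + rdata

# Constructed sample response: one plain IPP printer, one AirPrint advertisement.
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
          + ptr_record("_ipp._tcp.local", "Office Laser._ipp._tcp.local")
          + ptr_record("_universal._sub._ipp._tcp.local", "Emulated PDF Printer._ipp._tcp.local"))
```

Run `airprint_advertisements()` over each UDP payload captured on port 5353 in the iPad subnet; an empty result for every packet means no AirPrint printer is being advertised on that segment.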
