Technical white paper

HP Insights

Learn about the architecture, policies, and safeguards that help keep
your information secure when using HP Insights

Table of contents
Introduction............................................................................................................................................................................2
Your network .........................................................................................................................................................................3
Device Scout ......................................................................................................................................................................3
Print Scout..........................................................................................................................................................................3
HP Insights deployment architecture .................................................................................................................................4
Security ...................................................................................................................................................................................5
A shared responsibility .....................................................................................................................................................5
Customer readiness ..............................................................................................................................................................5
Platform communication .................................................................................................................................................5
Cloud API endpoints ..........................................................................................................................................................5
Network ports and protocols...........................................................................................................................................6
Deployment requirements...............................................................................................................................................7
Network utilization ................................................................................................................................................................9
Device Scout ......................................................................................................................................................................9
Print Scout....................................................................................................................................................................... 10
Cloud architecture security ............................................................................................................................................... 11
Infrastructure security ................................................................................................................................................... 11
Privacy ............................................................................................................................................................................. 11
Technical white paper | HP Insights

Introduction
HP Insights 1 is a multivendor print management platform in the cloud that gives you a complete view of your organization’s
print environment, on demand. HP Insights gives you clarity and control. It reveals the true cost of your printing and provides
the decision support you need to reduce costs and improve end-user convenience.
HP Insights is a cloud service that encompasses two elements.
• Fleet Analytics—Provides a comprehensive, multivendor view of print from your network devices and reveals volume,
service, and operating cost information to help you build and maintain a more efficient fleet.
• Print Analytics—Reveals how print is created in your environment, including information about the user, the application,
the device, and comprehensive output parameters. It reveals opportunities to reduce costs and waste, and it helps you to
discover the fleet design that best supports your people.

To perform its intended functions, HP Insights will scan, collect, and store information about your print environment, your
users, and your print jobs. The solution also gives you control over what data is collected and who can see it.

Fleet Analytics Print Analytics

• Device status • Who is printing

• Device meters • What is being printed
• Device volume • Targets and trends
• Device toner levels • Outliers
• Cost of print • Cost of print

Encrypted communication
Device Scout Print Scout
Existing Print
and/or
non-dedicated server(s) Workstations
server

Company
network
Networked
printers Networked
printers
Local
printers

Figure 1: HP Insights overview

2
Technical white paper | HP Insights

Your network
To take full advantage of the HP Insights platform, you will need to install certain components in your local area network.
Depending on your requirements and licensing, these components may include:
• Device Scout
• Print Scout

NOTE: In some cases, multiple scouts of each type may be installed.

No device or print information can be transmitted to HP Insights until one or more scouts are installed and the scouts are
activated with a registration key. If your registration key is ever invalidated or deleted from HP Insights, no further device or
print information will be collected, even if the Print/Device Scouts remain installed.
At any time, you may stop any HP scout from collecting information by uninstalling each scout using the Add/Remove
Programs feature in the Windows® control panel. Instructions on how to uninstall the scouts can be found in the application
installation document.

Device Scout
The Device Scout finds all printers within your network and collects data on device status, meters, and consumables for use
in Fleet Analytics views. The Device Scout will attempt to collect the following information from network devices that report
themselves via SNMP as output devices:

• IP address • Display reading

• Device description • MAC address
• Maintenance kit levels • Device status
• Device serial number • Manufacturer
• Non-toner supply levels • Model number
• Meter reads • Error codes
• Asset number • Toner levels
• Monochrome or color identification • Firmware version/patch level
• Location

NOTE: Not all devices will report every attribute.

Print Scout
The Print Scout can be deployed to print servers and/or workstations (PC and Mac) to collect comprehensive information on
how print is being created within the organization.
Print Scouts on print servers collect information on network printers and MFPs while Print Scouts deployed to workstations
collect data on both network printing and any printing sent to locally attached devices. The Print Scout collects the following
types of data:
• Information about the user from Active Directory
• Information from the printing device via SNMP
• Information about the print job via print stream analysis

You can control what data is collected and who can see it. You can configure the Print Scout’s collection settings to disable
the collection of certain types of data and obfuscate certain data if you need to maintain individual privacy. You can also
apply role-based viewing restrictions, giving some users a limited view of the data.

3
Technical white paper | HP Insights

HP Insights deployment architecture

The Print Scout and the Device Scout may be deployed in the same environment. Depending on your network topology and
print environment, you may have multiple Print Scouts and Device Scouts. One of each is shown here for simplicity.

Company intranet
HP Insights cloud
Internet Proxy
Device Scout (if required) Insights firewalls/
load balancers
HTTPS (TLS) HTTPS (TLS)

SNMP HTTPS (TLS)

HTTPS (TLS)

Print Scout
(workstation)

Network printers
Print Scout USB
(server)

Print queue
Locally-attached
printer

Network printers

Figure 2: HP Insights deployment architecture

• The Device Scout registers itself via an HTTPS (TLS) connection to HP Insights. Once the Device Scout has registered and
obtained a copy of its configuration, it disconnects from HP Insights and operates autonomously until the next configured
check-in time.
• The Print Scout also registers itself via an HTTPS (TLS) connection to HP Insights. The Print Scout behaves slightly
differently than the Device Scout in that it will upload job data as it is captured.
• The security of customer data is critical. HP uses a combination of technological and procedural controls to restrict access
to customer data.

4
Technical white paper | HP Insights

Security
HP Insights addresses the following threat areas:
• Machine or technical failure: Such an event could include power loss, network connectivity loss, or data storage failure.
HP Insights uses a cloud-based infrastructure with a minimum of three geographic zones. The cloud infrastructure can
detect a variety of fault conditions and remove or fix defective components on the fly with no interruption of service.
• Malicious attack: Such an event could include an attempt to intercept data in transmission, denial of service, or the
attempted altering or disabling of established security measures such as logins or encrypted communication. HP Insights
encrypts all external connections using SSL or TLS at the highest level supported by the connecting browser. All
application components are isolated by function; only necessary traffic can pass between components.
• Passive data loss or corruption: These losses could be caused by software defects, incompatibilities between software
components, or data storage loss. The HP Insights cloud infrastructure mitigates these risks through a formal software
quality assurance methodology. In the event of a data corruption problem, HP maintains pre-state backups in order to
roll back any data-altering changes. HP also uses segregation of duties and least privilege principles to restrict the level
of access employees have, to include only that which is required to perform their job function. Access levels are
periodically reviewed and adjusted as business needs or job roles change.

A shared responsibility
As an HP Insights customer, you share the responsibility to protect your data. As your organization continually refines its
security strategy to stay current with evolving threats, make certain that securing your print environment is a priority. Add
these security items to your standard processes to help you address the diverse and ever-evolving threats out there.
1. Ensure that all scouts are accessible to authorized users only.
2. Ensure that servers and/or workstations hosting scouts are fully patched and meet all other security requirements of
your organization.
• Ensure that servers and/or workstations are regularly maintained according to the policies of your organization.
• Ensure that the minimum necessary credentials are granted to individuals within your organization.
3. If the Print/Device Scout will be installed on a shared server (i.e., a server that performs multiple functions or that will
be running software from another vendor), ensure that you have verified compatibility with HP Insights technical
support before installing.

Customer readiness
This section details the environmental requirements and recommendations necessary to successfully deploy HP Insights. It
also records the ports and protocols used for Fleet Analytics and Print Analytics.

Platform communication
Your email security software must be set to trust the following email address from HP Insights to help prevent your
organization from quarantining or blocking the message or sending the email communication to the Junk or Spam folder:
Insights <[email protected]>

Cloud API endpoints

HP Insights cloud API endpoints process collected data and push application updates and configuration settings.
If your organization restricts internet access, it is recommended to whitelist the domain *.insights.hpondemand.com to
ensure that communication with current and future cloud API endpoints is allowed. Below is a list of cloud API endpoints if
your organization requires the list of permitted URLs.

5
Technical white paper | HP Insights

EU instance
• https://api-eu.insights.hpondemand.com
• https://devicescout-eu.insights.hpondemand.com
• https://eu.insights.hpondemand.com
• https://login-eu.insights.hpondemand.com
• https://mfp-api-eu.insights.hpondemand.com
• https://printscout-eu.insights.hpondemand.com

US instance
• https://api.insights.hpondemand.com
• https://devicescout.insights.hpondemand.com
• https://files.insights.hpondemand.com
• https://login.insights.hpondemand.com
• https://mfp-api.insights.hpondemand.com
• https://printscout.insights.hpondemand.com
• https://www.insights.hpondemand.com

Network ports and protocols

The following diagrams show the ports and protocols used in HP Insights.

Fleet Analytics
The figure below shows the basic structure and ports required to deploy the Fleet Analytics tool.

HP Insights
https://*.insights.hpondemand.com

CLOUD

Firewall TCP 443

COMPANY UDP 161

NETWORK

Network printer Device Scout

Figure 3: Fleet Analytics structure and ports

6
Technical white paper | HP Insights

Print Analytics
The figure below shows the basic structure and ports required to deploy the Print Analytics tool.

HP Insights
https://*.insights.hpondemand.com
CLOUD

Firewall TCP 443

UDP 161

COMPANY
NETWORK Print Scout
USB
Network printer

Local printer

Figure 4: Print Analytics structure and ports

Deployment requirements
Device Scout
The Device Scout discovers network printers and collects device data (status, meters, consumables).

Requirements
1. Supported operating systems:
• Windows Server: 2012, 2012 R2, 2016, and 2019
• Windows: 8, 8.1, and 10
2. Microsoft .NET Framework 4.6.1 (or newer) must be installed.
3. The Device Scout must be able to communicate with network printers to collect device data.
4. The Device Scout must be able to communicate with the HP Cloud API endpoints to (1) upload collected device data
and (2) download application updates and configuration settings.
5. The Web proxy server configuration (server, port, user credentials) is known, if required to access the public internet
(cloud).
6. For Windows systems, end point protection (antivirus) software must trust the Device Scout and Local Connector
executable (.exe) files and dynamic link library (.dll) files within this directory path and all its subfolders:
• C:\Program Files (x86)\HP\DeviceScout
• C:\Program Files (x86)\HP\HP Secure Print Service

7. End point protection (antivirus) software must trust the Windows services for the Device Scout and Local Connector:
• HP Device Scout Service
• HP Secure Print 2 Service

7
Technical white paper | HP Insights

8. The following network ports must be open:

• Outbound (Device Scout connecting to the cloud API endpoint):
– 443 TCP (TLSv1.2)
• Outbound (Device Scout connecting to the network printer):
– 161 UDP (SNMP v1/v2 or SNMP v3)

Print Scout
The Print Scout tracks all print job activity and collects device, print, and user information for print analytics.

Requirements
1. Supported operating systems:
• Windows: 8, 8.1, and 10
• macOS: 10.14, 10.15, and 11
• Windows Server: 2012, 2012 R2, 2016, and 2019
2. For Windows systems, Microsoft .NET Framework 4.6.1 (or newer) must be installed.
3. The Print Scout can be installed on (1) an end-user workstation and (2) a Windows printer server.
4. The Print Scout must be able to communicate with network printers to collect device data.
5. The Print Scout must be able to communicate with the cloud APIs to (1) upload collected print job, device data, and
end-user information and (2) download application updates and configuration settings.
6. The Web proxy server configuration (server, port, user credentials) is known, if required to access the internet (cloud).
7. For Windows systems, end point protection (antivirus) software must trust the Print Scout executable (.exe) files and
dynamic link library (.dll) files within this directory path and all its subfolders:
• C:\Program Files (x86)\HP\PrintScout

8. For Windows systems, end point protection (antivirus) software must trust the Windows services for the Print Scout:
• HP Print Scout Service
• HP Print Scout Spooler Service

9. The following network ports must be open:

• Outbound (Print Scout connecting to the cloud API endpoint):
– 443 TCP (TLS v1.2)
• Outbound (Print Scout connecting to the network printer):
– 161 UDP (SNMP v1/v2 or SNMP v3)

Network printer
A printer that is accessible by network connection, making it usable by other computers connected to the network.

Requirements
1. SNMP v1/v2 and/or SNMP v3 must be enabled
• SNMP v1/v2: Read access is enabled and the Get Community Name string is known
• SNMP v3: Username, Authentication Protocol and Passphrase, Privacy Protocol and Passphrase, and Context Name
are known
– Passphrase: 8 to 255 characters
– Authentication Protocol: MD5 or SHA1
– Privacy Protocol: DES or AES-128
2. The following network ports must be open:
• Inbound (Device Scout connecting to the network printer):
– 161 UDP (SNMP v1/v2 or SNMP v3)
• Inbound (Print Scout connecting to the network printer):
– 161 UDP (SNMP v1/v2 or SNMP v3)

8
Technical white paper | HP Insights

Network utilization
Device Scout
The Device Scout requires access to your local area network to operate effectively.
The Device Scout will generate local network traffic when performing these operations:
• Scanning configured network ranges for printing devices
• Collecting meter data from discovered devices
• Collecting service alerts from discovered devices

The Device Scout uses SNMP to communicate with local network devices and supports SNMPv1/v2 and/or SNMP v3. In some
cases, the Device Scout will also try to connect to a device using HTTP port 80, if the device is a known model that cannot
report serial number or meter reads via SNMP.

NOTE: The Device Scout does not record or track SNMP-enabled devices within its scanning range that do not report
themselves as output devices.

The Device Scout will generate outgoing network traffic when performing these operations:
• Registering a new scout
• Polling the scout control server for new configuration or instructions
• Uploading discovered device data to HP Insights
• Uploading device meter data to HP Insights
• Uploading scout health check information to HP Insights

The Device Scout uses secure HTTPS communication when connecting to HP Insights. Additionally, all end-user access to
the application is encrypted using TLS. Unencrypted SNMP traffic is restricted to the local subnets that the Device Scout is
configured to monitor.

Device Scout network traffic

Here are the average payload sizes for the various Device Scout operations:

Task type Device type Network traffic

Discovery Device 15.9 KB

Usage Non-device 0.1 KB

Status Device 16.6 KB

Integration Device 2.0 KB

Excluding IP ranges
Non-printing SNMP-configured devices respond with a 126-byte payload, which tells the Device Scout that the device is not
a printing device. While not harmful, this overhead may add up over large IP ranges. Therefore, we recommend using
“Exclude Ranges” in the Device Scout configuration to skip over any IP ranges that are not likely to contain output devices.

Device Scout communication patterns

• Registering a scout: Customers create and configure a Device Scout record in the web application. To download the
installation package, you must enter the site encryption key. A unique installation package per Device Scout record is
created. During the installation of this package, the Device Scout will open a secure connection to HP Insights and identify
itself using the registration information contained in the package. Once a package has been installed and registered, it
cannot be used again.

9
Technical white paper | HP Insights

• Polling the scout control server: Upon initial registration, and periodically during normal operation, the Device Scout will
poll the control server for updates to its configuration state. Updates might include new IP ranges to scan, a new version
to download, or a new schedule for discovering or reading devices.
• Uploading discovered device data: The Device Scout will upload discovered devices once per period, configured within the
application. Discovery scans can be configured daily or weekly. More frequent uploads will result in more network traffic,
but newly discovered devices will be displayed in the application more quickly.
• Uploading device meter data: The Device Scout will upload meter reads to the scout control server on a scheduled basis.
Usage (meter) data can only be scheduled for a daily scan and upload. You configure this setting within the application.
• Uploading toner data: Toner information will be collected along with meter data by default. Or, you can configure it to be
collected as frequently as 15-minute intervals.
• Uploading scout health check information: The Device Scout Monitor runs as a scheduled Windows task to check the
health of the Device Scout and its ability to communicate with HP Insights. It tracks the successful completion of scout
activities such as discoveries, status collections, and configuration updates. It uploads this information on a configured
basis, once per day.
• SNMP device discovery: The Device Scout performs SNMP scans to discover new printing devices on a configured network
segment. Some network monitoring tools may treat SNMP scans as sources of network congestion. HP recommends
registering the Device Scout with your network security office so they know to expect this network traffic.
You can configure the Device Scout to exclude certain subnets or IP addresses, restrict the scout’s scans to certain times
of the day, and reduce network utilization to a specific level.
• Scout configuration data: The Device Scout retrieves its configuration data by initiating an outgoing secure HTTPS
connection to the scout control server. When the configuration has been received, the Device Scout terminates the
connection and operates without any outgoing connections until the next scheduled configuration check.
Additionally, the Device Scout will only communicate with output devices when configured to do so, and it does not hold
open continuous data connections.
• Automatic scout updates: From time to time, a new version of the Device Scout will be released with updated
functionality and any bug fixes. By default, the Device Scout will check for new versions of itself daily. If a new version is
available, the scout will automatically download and install the new version. Based on your organization’s preferences,
you can easily control this setting; you can set it to Notify, Off, or Automatic (the default).

Print Scout
The Print Scout uploads print job information as it occurs. The Print Scout does not perform network-wide discoveries; it will
only know about the printers connected to the local machine or printers having print queues on the local machine.

Print Scout network traffic summary

Task type Frequency Network traffic

Active Directory (AD) lookups Once per day, per user Depends on size of average AD record

Status 1 x 24 hours 2 KB

Print job uploads On print submission 3 KB

Device SNMP lookup On print release 2.5 KB

• Print Scout status checks: The Print Scout checks in with HP Insights once per day to upload its health report and check
for new settings. This check is under 2 KB and in most cases will return an empty response if there have been no
configuration changes. The Print Scout will also check for configuration changes when each job is uploaded.
• Active Directory (AD) lookups: When a user prints, the Print Scout will look up Active Directory information about that
user. The AD lookup will occur only once per day. AD traffic is difficult to estimate because the amount of data stored in
AD is highly variable. However, the maximum traffic AD lookups can generate would be the total number of unique AD
users times the average AD record size. The Mac Print Scout does not look up user information in Active Directory.
• Device SNMP lookup: The Print Scout will attempt to verify output device information via SNMP when a job is processed.
The SNMP lookup will occur only once per day. It is a small subset of data that the Device Scout collects, and it averages
2.5 KB per device.
10
Technical white paper | HP Insights

• Print job uploads: The bulk of network traffic will be job data sent to the HP Insights server. This data is highly variable
because of the strings involved (printer name, driver name, user details, SNMP details, etc.). A good approximation is
2.5 to 3 KB per job.

Cloud architecture security

HP Insights runs in the HP Cloud to deliver a safe and scalable application experience. The solution runs on a true cloud
(cloud-native) platform built on Amazon Web Services (AWS). HP exclusively uses Infrastructure-as-a-Service (IaaS)
providers that have achieved a SSAE 16 audit and ISO 27001 security certification covering all IaaS infrastructure and
facilities. Additionally, HP Insights uses a tiered application structure to isolate data within the cloud.

Infrastructure security
HP conducts periodic vulnerability assessments in all production environments. Access to production environments is
restricted based on business need. Access roles are configured using Segregation of Duties (SOD) principles. System access
levels are periodically reviewed and adjusted when necessary.
All production operating system and framework components are patched during predetermined maintenance windows.
HP uses generally accepted guidelines for deploying new operating system and framework updates in a test environment
before promoting to production.
HP monitors all vendor service bulletins for zero-day vulnerabilities and has processes in place for emergency patching
should the need arise.

Privacy
HP Insights does not collect, store, maintain, or transmit any information regarding the content of print jobs, and thus has
no way of accessing, housing, or transmitting information, even if this information is printed or otherwise sent to print
devices monitored by HP Insights.
For more information regarding HP’s privacy and data protection practices, please visit HP’s Privacy Statement at
hp.com/privacy.

Learn more
hp.com/go/jetadvantageinsights

1
HP Insights is a web-based application that requires internet access. It is bundled with HP Secure Print but can also be purchased separately. For more information,
see hp.com/go/jetadvantageinsights.

2
HP Secure Print works with most network-connected printers and MFPs. On-device authentication requires HP FutureSmart firmware 4.8 or newer. Supported card
readers include X3D03A (HP USB Universal Card Reader) and Y7C05A (HP HIP2 Keystroke Reader). Internet connection required for some functionality. For more
information, see hp.com/go/secureprint.

© Copyright 2016, 2020-2021 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for
HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Windows is a U.S. registered trademark of the Microsoft group of companies.

4AA6-2556ENW, June 2021, Rev. 2