Common Criteria

Installation Supplement and Administrator Guide

December 2022 www.lexmark.com

Contents 2

Contents
Change history.............................................................................................. 4
Overview and first steps.............................................................................. 5
Overview................................................................................................................................................................ 5
Physical configuration.........................................................................................................................................8

Configuring the printer...............................................................................10

Configuration checklist..................................................................................................................................... 10
Disabling the host USB...................................................................................................................................... 11
Disabling ThinPrint.............................................................................................................................................. 11
Disabling flash drive access............................................................................................................................. 11
Disabling the AirPrint software feature..........................................................................................................11
Disabling the home screen icons....................................................................................................................11
Holding all jobs................................................................................................................................................... 12
Erasing temporary data files............................................................................................................................12
Creating and modifying digital certificates..................................................................................................12
Setting up Internet Protocol Security (IPSec).............................................................................................. 14
Shutting down port access.............................................................................................................................. 14
Configuring time source settings................................................................................................................... 15
Configuring security audit logging................................................................................................................ 16
Configuring e-mail.............................................................................................................................................. 17
Setting the fax storage location......................................................................................................................18
Configuring fax....................................................................................................................................................19
Configuring security reset jumper behavior.............................................................................................. 20
Configuring the minimum password length............................................................................................... 20
Configuring login restrictions.........................................................................................................................20
Configuring print permissions.........................................................................................................................21
Disabling the Intelligent Storage Drive.........................................................................................................21
Setting up local accounts................................................................................................................................. 21
Setting up local groups and permissions....................................................................................................22
Setting up network accounts......................................................................................................................... 23
User access........................................................................................................................................................ 29
Controlling access to device functions.........................................................................................................31
Contents 3

Troubleshooting.......................................................................................... 33
Login issues........................................................................................................................................................ 33
LDAP issues........................................................................................................................................................ 35
Secure Held Print Jobs issues....................................................................................................................... 36

Audit log.......................................................................................................38
Erasing keys in flash memory................................................................... 40
Notices.......................................................................................................... 41
Index............................................................................................................. 42
Change history 4

Change history
December 2022
• Added information on erasing keys in flash memory.

November 2022
• Updated the list of supported printers.
• Added information on the Lexmark Trusted Platform Module (TPM).
• Updated the information on preshared keys.
• Updated the steps on checking physical interfaces and installed firmware.
• Deleted the information on configuring printer hard disk encryption because hard disk encryption is now
automatic.
• Added information on disabling the Intelligent Storage Drive.

February 2018
• Added information on the following to conform to the Hard Copy Device Protection Profile:
– Updating firmware
– Configuring the time source settings
– Configuring the minimum password length
– Configuring login restrictions
– Password requirements for local accounts
– Setting up Internet Protocol Security (IPSec)
– Configuring the screen timeout
• Updated the list of supported printers.

October 2016
• Added information on the following:
– Disabling flash drive access
– Configuring print permissions
– Access controls and their required level of protection

May 2016
• Initial document release for multifunction products with a tablet-like touch‑screen display.
Overview and first steps 5

Overview and first steps

Overview
This guide describes how to configure a supported LexmarkTM printer to conform to the Common Criteria
certified target of evaluation. Carefully follow the instructions in this guide to make sure that the printer meets
the requirements of the evaluation.
This guide is intended for use by service providers and network administrators responsible for the management
of security appliances and software in their network environment. A working knowledge of printers is required
for effective use of this guide.
Some settings can be configured using either the Embedded Web Server or the printer control panel. Where
applicable, instructions for both methods are included.
For information on setting up the printer or using printer features, see the printer User’s Guide.
Note: The printer User’s Guide and the Embedded Web Server Administrator’s Guide are available at
support.lexmark.com.

Supported printers
Multifunction products (MFPs)
• Lexmark CX622, without hard disk, with fax
• Lexmark CX622h, with hard disk and fax
• Lexmark CX625, without hard disk, with fax
• Lexmark CX625h, with hard disk and fax
• Lexmark CX730, without hard disk and fax
• Lexmark CX730, without hard disk, with fax
• Lexmark CX730, with hard disk, without fax
• Lexmark CX730, with hard disk and fax
• Lexmark CX735, without hard disk
• Lexmark CX735, with hard disk
• Lexmark CX820, with hard disk and fax
• Lexmark CX825, with hard disk and fax
• Lexmark CX860, with hard disk and fax
• Lexmark CX930, without hard disk and fax
• Lexmark CX930, without hard disk, with fax
• Lexmark CX930, with hard disk, without fax
• Lexmark CX930, with hard disk and fax
• Lexmark CX931, without hard disk and fax
• Lexmark CX931, without hard disk, with fax
• Lexmark CX931, with hard disk, without fax
• Lexmark CX931, with hard disk and fax
• Lexmark CX942, without hard disk, with fax
Overview and first steps 6

• Lexmark CX942, with hard disk and fax

• Lexmark CX943, without hard disk, with fax
• Lexmark CX943, with hard disk and fax
• Lexmark CX944, without hard disk, with fax
• Lexmark CX944, with hard disk and fax
• Lexmark MX421, without hard disk, with fax
• Lexmark MX432, with hard disk and fax
• Lexmark MX521, without hard disk, with fax
• Lexmark MX521, without hard disk and fax
• Lexmark MX522, with hard disk and fax
• Lexmark MX622, without hard disk, with fax
• Lexmark MX622h, with hard disk and fax
• Lexmark MX721, without hard disk, with fax
• Lexmark MX721h, with hard disk and fax
• Lexmark MX722, without hard disk, with fax
• Lexmark MX722h, with hard disk and fax
• Lexmark MX725, without hard disk, with fax
• Lexmark MX822, with hard disk and fax
• Lexmark MX826, with hard disk and fax
• Lexmark MX931, without hard disk and fax
• Lexmark MX931, without hard disk, with fax
• Lexmark MX931, with hard disk, without fax
• Lexmark MX931, with hard disk and fax

Single-function printers (SFPs)

• Lexmark CS820, without hard disk
• Lexmark CS730, without hard disk
• Lexmark CS735, without hard disk
• Lexmark CS943, without hard disk
• Lexmark MS622, without hard disk
• Lexmark MS822, without hard disk
• Lexmark MS826, without hard disk
Note: MFPs support copy, e‑mail, fax, and printing features. Printers with a hard disk support hard disk
features. Some of the features described in this guide may not be available in all printers.

Operating environment
The instructions provided in this guide are based on the following assumptions and objectives:
• The printer is installed in a cooperative, nonhostile environment that is physically secured or monitored and
protected from unauthorized access to printer external interfaces.
• The administration platform and local area network are physically and logically secured.
Overview and first steps 7

• Authorized administrators are trained and capable of performing tasks related to the installation,
configuration, operation, and maintenance of the network environment. This includes—but is not limited to
—operating systems, network protocols, and security policies and procedures.
• Authorized administrators are trusted to use their access rights appropriately.
• Audit records exported from the printer to another trusted location are accessible to authorized personnel
for periodic review and are secured from unauthorized access.
• The operating environment can identify and authenticate users whose accounts are defined externally
(LDAP, Kerberos, and so on).
• When an administrator configures Network Time Protocol (NTP), the operating environment provides
reliable time stamps.
• Users are aware of and are trained to follow the security policies and procedures of their organization. Users
are authorized to use the printer according to these policies and procedures.

Understanding the home screen

The screen on the front of the printer is touch sensitive and can be used to access printer functions and navigate
settings and configuration menus.

Touch Settings to access settings and configuration menus for the printer.

Notes:
• Access to printer menus may be restricted to administrators only.
• By default, the secured applications or functions are hidden from the printer home screen.
Overview and first steps 8

Using the keyboard on the display

Some printer settings require one or more alphanumeric entries, such as server addresses, user names, and
passwords. When an alphanumeric entry is needed, a keyboard appears.

As you touch the letters and numbers, your selections appear in a corresponding field at the top of the screen.
The keyboard on the display may also contain other icons, such as Done, Next, or Submit.

To type a single uppercase or shift character, touch , and then touch the letter or number. To turn on Caps
Lock, double‑tap , and then continue typing. Caps Lock remains engaged until you touch it again.

Touch to delete a single character, or press and hold it to delete everything that you have typed.

Accessing the Embedded Web Server

1 Obtain the printer IP address. Do either of the following:
• Locate the IP address on the top of the printer home screen.
• From the printer home screen, touch Settings > Network/Ports > Network Overview.
2 Open a Web browser, and then type the printer IP address.

Physical configuration

Physical configuration checklist

Before beginning configuration tasks, do the following:
1 Make sure that no optional interfaces are installed.
2 If the device does not have a Trusted Platform Module (TPM), then install the Lexmark TPM option.
3 Check the firmware version.
4 Attach a lock to the printer.
Overview and first steps 9

Checking physical interfaces and installed firmware

1 Make sure that only one network interface is installed in the printer. There must be no optional network,
parallel, or serial interfaces.
2 If the device supports Wi-Fi, then disable it by connecting the device to a wired network.
3 Turn on the printer using the power switch.
4 From the home screen, touch Settings > Reports > Menu Settings Page. The printer prints several pages
of device information.
5 In the Installed Features section, make sure that no Pluggable Firmware Option (PFO) cards are installed.
6 If you have not yet installed hard disk or fax options, then install them before proceeding.
7 If the device does not have a Trusted Platform Module (TPM), then install the Lexmark TPM option.
8 To check the firmware version, under the Device Information section, locate Base =.
Note: To make sure that the Base value is correct and up‑to‑date, contact your Lexmark representative.

Updating firmware
1 From the Embedded Web Server, click Settings > Device > Update Firmware.
2 Browse to the required flash file.
3 Click Upload.
Note: For more information on updating the device firmware, contact your Lexmark representative.

Attaching a lock
Warning—Potential Damage: After a lock is attached, the metal plate and controller board cannot be
removed. The security jumper cannot be accessed without causing visible damage to the device.
Before you begin, make sure that the printer case is closed.
Locate the security slot, and then attach a lock. It is the same type of security slot found on most laptop
computers. You can typically find it at the back of the printer near an outside edge.
Configuring the printer 10

Configuring the printer

You can achieve an evaluated configuration on a non-network (standalone) printer in just a few steps.

Configuration checklist
This checklist outlines the steps required to configure the settings needed to achieve the evaluated
configuration for a standalone printer.

Disable the host USB interface.

Disable ThinPrint.

Disable flash drive access.

Disable SNMP.

Disable the home screen icons.

Require all jobs to be held.

Erase temporary data files.

Create and modify digital certificates.

Set up Internet Protocol Security (IPsec).

Shut down the port access.

Configure the time source settings.

Configure the security audit logging settings.

Configure the e‑mail settings.

Set the fax storage location.

Configure the fax settings.

Configure the security reset jumper behavior.

Configure the minimum password length.

Configure the login restrictions.

Configure the print permissions.

Set up local accounts.

Configuring the printer 11

Set up local groups and permissions.

Set up network accounts.

Set the default login methods.

Disabling the host USB

1 From the home screen, touch Settings > Network/Ports > USB.
2 Set Enable USB Port to Off.
3 From the Enable USB Port dialog box, touch Yes to reboot the printer.

Disabling ThinPrint
1 From the home screen, touch Settings > Network/Ports > ThinPrint.
2 Set Enable ThinPrint to Off.

Disabling flash drive access

1 From the home screen, touch Settings > Device > Preferences.
2 Set Flash Drive Access to Disabled.

Disabling the AirPrint software feature

1 From the home screen, touch Settings > Security > Mobile Services Management > AirPrint.
2 Set AirPrint Print, AirPrint Scan, and AirPrint Fax to Off.

Disabling the home screen icons

The final step is to remove unnecessary icons from the printer home screen.
1 From the home screen, touch Settings > Device > Visible Home Screen Icons.
2 Turn off the following:
• Held Jobs
• FTP
• USB
• Job Queue
• Shortcut Center
• Bookmarks
• App Profiles
• Scan Profiles
Configuring the printer 12

• Forms and Favorites

• Card Copy

Holding all jobs

1 From the home screen, touch Settings > Security > Confidential Print Setup.
2 Set “Require All Jobs to be Held” to On.
3 Set the Confidential Job Expiration value.
Note: Off is not a recommended setting.

Erasing temporary data files

1 From the home screen, touch Settings > Security > Erase Temporary Data Files.
2 Set “Stored in onboard memory” to On.
3 From the “Stored on hard disk” menu, select 3 Pass Erase.

Creating and modifying digital certificates

Certificates are needed for domain controller verification and for SSL support in LDAP. Each certificate must be
in a separate PEM (.cer) file.

Setting certificate defaults

These settings apply to new certificates generated in Certificate Management.
1 From the Embedded Web Server, click Settings > Security > Certificate Management.
2 Click Configure Certificate Defaults, and then specify the values for the following fields:
• Common Name—Type a name for the printer. Leave this field blank if you want to use the printer host
name as the common name.
• Organization Name—Type the name of the company or organization issuing the certificate.
• Unit Name—Type the name of the unit within the company or organization issuing the certificate.
• Country/Region—Type the country or region where the company or organization issuing the certificate
is located. You can type only up to two characters.
• Province Name—Type the province where the company or organization issuing the certificate is located.
• City Name—Type the city where the company or organization issuing the certificate is located.
• Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example,
IP:123.123.123.123. Leave this field blank if you want to use the IPv4 address.
Note: You can type up to 128 characters in all fields, except in Country/Region.
3 Click Save.
Configuring the printer 13

Creating a certificate
1 From the Embedded Web Server, click Settings > Security > Certificate Management.
2 From the Device Certificates section, click Generate, and then specify the values for the following fields:
• Friendly Name—Type a name for the certificate. You can type up to 64 characters.
• Common Name—Type a name for the printer. Leave this field blank if you want to use the printer host
name as the common name.
• Organization Name—Type the name of the company or organization issuing the certificate.
• Unit Name—Type the name of the unit within the company or organization issuing the certificate.
• Country/Region—Type the country or region where the company or organization issuing the certificate
is located. You can type only up to two characters.
• Province Name—Type the province where the company or organization issuing the certificate is located.
• City Name—Type the city where the company or organization issuing the certificate is located.
• Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example,
IP:123.123.123.123. Leave this field blank if you want to use the IPv4 address.
Note: You can type up to 128 characters in all fields, except in Country/Region and Friendly Name.
3 Click Generate.

Viewing, downloading, and deleting a certificate

1 From the Embedded Web Server, click Settings > Security > Certificate Management.
2 From the Device Certificates list, click a certificate.
3 From the View Certificate window, do one of the following:
• To remove a previously saved certificate, click Delete.
• To download or save the certificate as a PEM (.cer) file, click Download To File.
• To download or save the signing request as a CSR file, click Download Signing Request.
• To upload a previously signed certificate, click Install Signed Certificate, browse to the certificate source
file, and then click Save.

Installing a Certificate Authority (CA) certificate

A CA certificate is required when using Smart Card Authentication.
1 From the Embedded Web Server, click Settings > Security > Certificate Management.
2 From the Manage CA Certificates section, click Upload CA, and then browse to the PEM (.cer) file.
Sample certificate:
-----BEGIN CERTIFICATE-----
MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs
…
l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ==
-----END CERTIFICATE-----

3 Reboot the printer.

Configuring the printer 14

Setting up Internet Protocol Security (IPSec)

IPSec encrypts IP packets as they are transmitted over the network between devices. It does not handle
authentication or restrict access.
Note: An IPSec-trusted communications channel must be configured between the printer and all the network
services that are used, including authentication, audit, e-mail, and NTP servers.
1 From the Embedded Web Server, click Settings > Network/Ports > IPSec.
2 Select Enable IPSec.
3 Set Base Configuration to Secure.
4 In the IKE SA Lifetime (Hours) menu, select a value from 1 to 24.
5 In the IPSec SA Lifetime (Hours) menu, select a value from 1 to 8.
6 Configure the authenticated connections.
• From the Pre‑Shared Key Authenticated Connections section, type the IP address of the client device
that you want to connect to the printer.
• From the Certificate Authenticated Connections section, type the IP address of the client device that
you want to connect to the printer.
Note: If you are using preshared key (PSK) authentication, then type the corresponding key. Retain the
key to use later when configuring client devices. Preshared keys may have up to 256 characters,
composed of a combination of uppercase and lowercase letters, numbers, and special characters. For
adequate security, preshared keys must have at least 22 characters.
7 Click Save.

Shutting down port access

Disabling virtual ports helps prevent intruders from accessing the printer using a network connection.
1 From the Embedded Web Server, click Settings > Network/Ports > TCP/IP > TCP/IP Port Access.
2 Clear the following check boxes:
• TCP 21 (FTP)
• UDP 69 (TFTP)
• UDP 137 (WINS)
• UDP 161 (SNMP)
• UDP 162 (SNMP Traps)
• TCP 631 (IPP)
• TCP 5001 (IPDS)
• UDP 5353 (mDNS)
• UDP 9300/UDP 9301/UDP 9302 (NPAP)
• TCP 9500/TCP 9501 (NPAP)
• TCP 9600 (IPDS)
• ThinPrint
• UDP 3702/TCP 65001 (WS-Discovery)
Configuring the printer 15

• TCP 65002 (WSD Print Service)

• TCP 65003 (WSD-Eventing)
• TCP 65004 (WSD Scan Service)
3 Click Save.

Configuring time source settings

An accurate system clock is necessary to make sure that the audit log time stamps are accurate. You can set
the system clock manually, or automatically using Network Time Protocol (NTP). We recommend using the NTP
method.

Configuring NTP settings

Use NTP to sync printer date and time settings automatically with a trusted clock.
Note: Before configuring the NTP settings, if your network uses Dynamic Host Configuration Protocol
(DHCP), then make sure that the settings are not provided automatically.

Using the Embedded Web Server

1 From the Embedded Web Server, click Settings > Device > Preferences > Date and Time > Network Time
Protocol.
2 Select Enable NTP, and then type the IP address or host name of the NTP server.
3 If the NTP server requires authentication, then in the Enable Authentication menu, select MD5 key.
4 In the “Install MD5 key” field, browse to the file containing the NTP authentication credentials.
5 Click Save.

Using the control panel

1 From the home screen, touch Settings > Device > Preferences > Date and Time > Network Time Protocol.
2 Set Enable NTP to On.
3 Touch NTP Server, type the IP address or host name of the NTP server, and then touch OK.
4 If the NTP server requires authentication, then set Enable Authentication to MD5 key.

Configuring the system clock manually

Using the Embedded Web Server
1 From the Embedded Web Server, click Settings > Device > Preferences > Date and Time > Configure.
2 In the “Manually Set Date and Time” field, configure the date and time.
3 Set the date format, time format, and time zone.
4 Click Save.
Configuring the printer 16

Using the control panel

1 From the home screen, touch Settings > Device > Preferences > Date and Time > Configure.
2 Touch Manually Set Date and Time, configure the date and time, and then touch Set.
3 Set the date format, time format, and time zone.

Configuring security audit logging

Using the Embedded Web Server
1 From the Embedded Web Server, click Settings > Security > Security Audit Log.
2 Select Enable Audit and Enable Remote Syslog, and then configure the following:
• Remote Syslog Server—Type the IP address or host name of the remote syslog server.
• Remote Syslog Port—Enter the port number of the remote syslog server used on the destination server.
• Remote Syslog Method—Select Normal UDP or Stunnel, depending on the configuration on the
destination server.
• Severity of Events to Log—Select 5 ‑ Notice. Events specified at this severity level and up are logged.
• Remote Syslog Non‑Logged Events—Send all events to the remote server regardless of the specified
severity level.
• Admin's E-mail Address—Type one or more e‑mail addresses to which the notifications about certain
log events are sent automatically. Use commas to separate multiple e‑mail addresses.
• E‑mail Log Cleared Alert—Send an e‑mail when you clear the log.
• E‑mail Log Wrapped Alert—Send an e‑mail when the log is full and begins to overwrite the oldest entries.
• Log Full Behavior—Select whether to overwrite the oldest entries or to delete all entries and send a
notification through e‑mail when the log storage is full.
• E‑mail % Full Alert— Send an e-mail when log storage space reaches a specified percentage of capacity.
• % Full Alert Level— Specify the percentage (1–99) of log storage space that must be used before an e-
mail alert is triggered.
• E‑mail Log Exported Alert—Send an e-mail when the log file is exported.
• E‑mail Log Settings Changed Alert—Send an e-mail when log settings are changed.
• Log Line Endings—Specify how line endings are handled in the log file, depending on the operating
system in which the file is parsed or viewed.
• Digitally Sign Exports—Add a digital signature to e-mail alerts.
Note: To use e-mail alerts, configure the SMTP settings. For more information, see “Configuring e-mail”
on page 17.
3 Click Save.

Using the control panel

1 From the home screen, touch Settings > Security > Security Audit Log.
2 Set Enable Audit and Enable Remote Syslog to On, and then configure the following:
• Remote Syslog Server—Type the IP address or host name of the remote syslog server.
• Remote Syslog Port—Enter the port number of the remote syslog server used on the destination server.
Configuring the printer 17

• Remote Syslog Method—Select Normal UDP or Stunnel, depending on the configuration on the
destination server.
• Severity of Events to Log—Select 5 ‑ Notice. Events specified at this severity level and up are logged.
• Remote Syslog Facility—Select a facility code for events logged to the destination server. All events
sent from the device are tagged with the same code to support sorting and filtering by network monitor
or intrusion detection software.
• Admin's E‑mail Address—Type one or more e‑mail addresses to which the notifications about certain
log events are sent automatically, and then touch OK. Use commas to separate multiple e‑mail
addresses.
• Log Full Behavior—Select whether to overwrite the oldest entries or to delete all entries and send a
notification through e‑mail when the log storage is full.
• % Full Alert Level— Specify the percentage (1–99) of log storage space that must be used before an e-
mail alert is triggered.
• Log Line Endings—Specify how line endings are handled in the log file, depending on the operating
system in which the file is parsed or viewed.
3 Set the following to On:
• Remote Syslog Non‑Logged Events—Send all events to the remote server regardless of the specified
severity level.
• E‑mail Log Cleared Alert—Send an e‑mail when you clear the log.
• E‑mail Log Wrapped Alert—Send an e‑mail when the log is full and begins to overwrite the oldest entries.
• E‑mail % Full Alert— Send an e-mail when log storage space reaches a specified percentage of capacity.
• E‑mail Log Exported Alert—Send an e-mail when the log file is exported.
• E‑mail Log Settings Changed Alert—Send an e-mail when log settings are changed.
• Digitally Sign Exports—Add a digital signature to e-mail alerts.
Note: To use e-mail alerts, configure the SMTP settings. For more information, see “Configuring e-mail”
on page 17.

Configuring e-mail
Note: Make sure that the printer is configured to send user data as an attachment to e‑mail.

Using the Embedded Web Server

1 From the Embedded Web Server, click Settings > Device > Notifications > E‑mail Alerts Setup > E‑mail
Setup.
2 Configure the SMTP settings, and then click Save.
• Primary SMTP Gateway—Type the IP address or host name of the server used for sending e-mail.
• Primary SMTP Gateway Port—Enter the port number of the primary SMTP server.
• Secondary SMTP Gateway—Type the server IP address or host name of the secondary or backup SMTP
server.
• Secondary SMTP Gateway Port—Enter the port number of the secondary or backup SMTP server.
• SMTP Timeout—Enter how long the printer waits for the server to respond before it times out.
• Reply Address—Type the e-mail address where you want to receive responses.
• Use SSL/TLS—Specify whether to send an e-mail using an encrypted link.
Configuring the printer 18

• SMTP Server Authentication—Specify the type of authentication used to access the SMTP server.
• Device-Initiated E-mail—Select Use Device SMTP Credentials.
Note: If the printer requires user credentials to send e-mail, then specify the appropriate information for
authentication credentials.
3 From the Embedded Web Server, click E‑mail > E-mail Defaults > Admin Controls.
Note: This setting is applicable only in some printer models.
4 In the E-mail Images Sent As menu, select Attachment, and then click Save.
5 Click Web Link Setup, and then make sure that all fields are cleared.
6 Click Save.

Using the control panel

1 From the home screen, touch Settings > Device > Notifications > E‑mail Alerts Setup > E‑mail Setup.
2 Configure the SMTP settings.
• Primary SMTP Gateway—Type the IP address or host name of the server used for sending e-mail.
• Primary SMTP Gateway Port—Enter the port number of the primary SMTP server.
• Secondary SMTP Gateway—Type the server IP address or host name of the secondary or backup SMTP
server.
• Secondary SMTP Gateway Port—Enter the port number of the secondary or backup SMTP server.
• SMTP Timeout—Enter how long the printer waits for the server to respond before it times out.
• Reply Address—Type the e-mail address where you want to receive responses.
• Use SSL/TLS—Specify whether to send an e-mail using an encrypted link.
• SMTP Server Authentication—Specify the type of authentication used to access the SMTP server.
• Device-Initiated E-mail—Select Use Device SMTP Credentials.
Note: If the printer requires user credentials to send e-mail, then specify the appropriate information for
authentication credentials.
3 From the home screen, touch Settings > E‑mail > E-mail Defaults > Admin Controls.
Note: This setting is applicable only in some printer models.
4 In the E‑mail Images Sent As menu, select Attachment, and then return to the previous menu.
5 Touch Web Link Setup, and then make sure that all fields are cleared.

Setting the fax storage location

1 From the home screen, touch Settings > Device > Maintenance > Configuration Menu > Fax Configuration.
2 From the Fax Storage Location menu, select Disk.
Configuring the printer 19

Configuring fax
If your printer includes fax capabilities and is attached to a phone line, then enable held faxes and disable fax
forwarding and the driver to fax. The printer provides Group 3 digital fax capability in conformance with ITU-T
Recommendations T.4 and T.30. This interface can be used to receive faxes to be printed, or to send faxes of
scanned images.

Using the Embedded Web Server

1 From the Embedded Web Server, click Settings > Fax > Analog Fax Setup.
2 Do the following:

Enable held faxes

a Click Fax Receive Settings > Holding Faxes.
b Set Held Fax Mode to Always On, and then click Save.

Disable fax forwarding

a Click Fax Receive Settings > Admin Controls.
b Set Fax Forwarding to Print, and then click Save.

Disable the driver to fax

a Click Fax Send Settings > Admin Controls.
b Clear Driver to Fax, and then click Save.

Using the control panel

1 From the home screen, touch Settings > Fax.
2 Do the following:

Enable held faxes

a Touch Analog Fax Setup > Fax Receive Settings > Holding Faxes.
b Set Held Fax Mode to Always On.

Disable fax forwarding

a Touch Analog Fax Setup > Fax Receive Settings > Admin Controls.
b Set Fax Forwarding to Print.

Disable the driver to fax

a Touch Analog Fax Setup > Fax Send Settings > Admin Controls.
b Turn off Driver to Fax.
Configuring the printer 20

Configuring security reset jumper behavior

The security reset jumper is a hardware jumper on the controller board that can be used to reset the security
settings on the device.
Note: Using the security reset jumper can remove the printer from the evaluated configuration.
1 From the home screen, touch Settings > Security > Miscellaneous.
2 Touch Security Reset Jumper, and then select either of the following:
• Enable "Guest" access—Grants access to all aspects of the printer to a guest user account. All login
methods that were previously on the device still exists, but the guest user can access and delete them
at will.
• No Effect—Removes access to all security menus. Use this option with caution.
Warning—Potential Damage: If No Effect is selected and the password (or other applicable credentials) is
lost, then you are not able to access the security menus. To regain access to the security menus, contact
your system administrator.

Configuring the minimum password length

For conformance, the minimum password length is eight characters. Lexmark recommends at least 15
characters. The maximum password length is 32 characters.

Using the Embedded Web Server

1 From the Embedded Web Server, click Settings > Security > Miscellaneous.
2 Enter the minimum password length.
3 Click Save.

Using the control panel

1 From the home screen, touch Settings > Security > Miscellaneous.
2 Enter the minimum password length.

Configuring login restrictions

Using the Embedded Web Server
1 From the Embedded Web Server, click Settings > Security > Login Restrictions.
2 Configure the login restrictions.
• Login failures—The number of failed login attempts before the user gets locked out. Enter a value from
1 to 10. The default value is 3.
• Failure time frame—The time frame between failed login attempts before the user gets locked out. Enter
a value from 1 to 60. The default value is 5.
• Lockout time—The lockout duration. Enter a value from 1 to 60. The default value is 5.
• Web Login Timeout—The delay for a remote login to be inactive before the user is logged off
automatically. Enter a value from 1 to 120. The default value is 10.
Configuring the printer 21

3 Click Save.
4 From the Embedded Web Server, click Settings > Device > Preferences.
5 In the Screen Timeout field, set the idle time in seconds before the display shows the home screen, or before
the printer logs off a user account automatically. Enter a value from 5 to 300 seconds. The default value is
60 seconds.

Using the control panel

1 From the home screen, touch Settings > Security > Login Restrictions.
2 Configure the login restrictions. For more information, see step 2 of “Using the Embedded Web Server” on
page 20.

Configuring print permissions

1 From the home screen, touch Settings > Security > Miscellaneous.
2 Set Print Permission to On.

Disabling the Intelligent Storage Drive

On devices with an Intelligent Storage Drive, you must not use the drive to store user data.

Using the Embedded Web Server

1 From the Embedded Web Server, click Settings > Security > Miscellaneous.
2 Set Use Intelligent Storage Drive for User Data to Off.
3 Click Save.

Using the control panel

1 From the home screen, touch Settings > Security > Miscellaneous.
2 Set Use Intelligent Storage Drive for User Data to Off.

Setting up local accounts

Local accounts are stored in the printer memory and are provided authentication‑level security.

Creating local accounts

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Local Accounts section, click Add User.
3 Select User Name/Password.
4 From the User Information section, type the user information and authentication credentials.
Configuring the printer 22

Notes:
• The password must contain at least one lowercase letter, one uppercase letter, and one
nonalphabetic character.
• The password must not contain dictionary words or variations of the user name.
5 From the Permission Groups section, select one or more groups.
Note: To create a group for the user, click Add New Group. For more information, see “Creating local
account groups” on page 22.
6 Click Save.

Editing and deleting local accounts

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Local Accounts section, click the authentication method where the user account belongs to.
3 Click the user account that you want to edit or delete.
4 Do either of the following:
• To edit the user account, update the user information, and then click Save.
• To delete the user account, click Delete User.
Note: To delete multiple user accounts, select the account, and then click Delete.

Setting up local groups and permissions

Creating local account groups

Use groups to customize users’ access to applications and printer functions.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 Do either of the following:

Add a group when managing permissions

a From the Local Accounts section, click Manage Groups/Permissions.
b Click Add Group.

Add a group when creating or editing a user account

a Create or edit a user account.
b From the Permission Groups section, select Add New Group.
3 Type a unique group name.
4 From the Access Controls section, select the functions, menus, and applications that the group can access.
5 Click Save.
Configuring the printer 23

Notes:
• To import access controls from another group, click Import Access Controls, and then select a group.
• For more information on access controls, see “Understanding access controls” on page 27.

Editing or deleting local account groups

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Local Accounts section, click Manage Groups/Permissions.
3 Click the group, and then do either of the following:
• Configure the access controls, and then click Save.
• Click Delete Group.
Notes:
• To import access controls from another group, click Import Access Controls, and then select a group.
• To delete multiple groups, select the groups, and then click Delete.
• For more information on access controls, see “Understanding access controls” on page 27.

Setting up network accounts

Creating an LDAP or LDAP+GSSAPI login method

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click Add Login Method > LDAP.
3 Select the authentication type.
• LDAP
• LDAP+GSSAPI
4 Configure the settings.

General Information
• Setup Name—Type a unique name for the LDAP network account.
• Server Address—Type the IP address or the host name of the LDAP server.
• Server Port—Enter the port where LDAP queries are sent.
Note: If you are using SSL, then use port 636. Otherwise, use port 389.
• Required User Input—Select the required LDAP authentication credentials used when logging in to the
printer. This setting is available only in the LDAP setup.
• Use Integrated Windows Authentication—Select one of the following:
– Do not use
– Use if available—Use Windows operating system authentication credentials, if available.
– Require—Use only Windows operating system authentication credentials.
Note: This setting is available only in the LDAP+GSSAPI setup.
Configuring the printer 24

Device Credentials
• Anonymous LDAP Bind—Bind the printer with the LDAP server anonymously. This option is applicable
only if your LDAP server allows anonymous binding. Enabling this option does not require you to provide
authentication credentials. This option is available only in the LDAP setup.
• Use Active Directory Device Credentials—Use user credentials and group designations that are pulled
from the existing network comparable to other network services. This option is available only in the LDAP
+GSSAPI setup.
• If Anonymous LDAP Bind or Use Active Directory Device Credentials is disabled, then provide the
authentication credentials used to bind the printer with the LDAP server.
– Device Username
• For LDAP setup, type the fully qualified distinguished name (DN) of a user registered to the LDAP
server.
• For LDAP+GSSAPI setup, type the DN of a user registered to the Kerberos server.
– Device Realm—The realm used for the Kerberos server. This setting is available only in the LDAP
+GSSAPI setup.
– Device Password—Type the password for the user.

Advanced Options
• Use SSL/TLS—If the LDAP server requires SSL, then select SSL/TLS.
• Require Certificate—If the LDAP server requires a certificate, then select Yes.
• Userid Attribute—Type the LDAP attribute to search for when authenticating users’ credentials. The
default value is sAMAccountName, which is common in a Windows operating system environment. For
other directories, you can type uid, cn, or a user-defined attribute. For more information, contact your
system administrator.
• Mail Attribute—Type the LDAP attribute that contains the users’ e-mail addresses. The default value is
mail.
• Fax number Attribute—Type the LDAP attribute that contains the users’ fax number. The default value
is facsimiletelephonenumber.
• Full Name Attribute—Type the LDAP attribute that contains the users’ full names. The default value is cn.
• Home Directory Attribute—Type the LDAP attribute that contains the users’ home directory. The default
value is homeDirectory.
• Group Membership Attribute—Type the LDAP attribute required for group search. The default value is
memberOf.
• Search Base—The node in the LDAP server where user accounts reside. You can type multiple search
bases, separated by commas.
Note: A search base consists of multiple attributes separated by commas, such as cn (common name),
ou (organizational unit), o (organization), c (country), and dc (domain).
• Search Timeout—Enter a value from 5 to 30 seconds or 5 to 300 seconds, depending on your printer
model.
• Follow LDAP Referrals—Search the different servers in the domain for the logged‑in user account.
Configuring the printer 25

Search Specific Object Classes

• person—Search the “person” object class.
• Custom Object Classes—Type the name of the custom object class to search.
Note: A maximum of three custom object classes can be searched. Type the other object class in the
other Custom Object Class field.

Address Book Setup

The following settings are used to configure the address book used when scanning to an e‑mail address.
• Displayed Name—Select the LDAP attribute that you want to show on the address book.
• Max Search Results—Type the maximum search results shown on the address book.
• Use user credentials—Use the logged‑in user credentials to connect to the LDAP server.
• Search Attributes—Select LDAP attributes used as search filters.
• Custom Attributes—Type LDAP custom attributes used as search filters.
5 Click Save and Verify.

Editing or deleting LDAP or LDAP+GSSAPI login methods

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click the LDAP or LDAP+GSSAPI login method.
3 Do either of the following:
• To edit the login method, update the LDAP or LDAP+GSSAPI settings, and then click Save and Verify.
• To delete login method, click Delete LDAP.

Creating a Kerberos login method

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click Add Login Method > Kerberos.
3 Do one of the following:

Create a simple Kerberos configuration file

From the Generate Simple Kerberos File section, configure the following:
• KDC Address—Type the IP address or host name of the KDC IP.
• KDC Port—Enter the port number used by the Kerberos server.
• Realm—Type the realm used by the Kerberos server. The realm must be typed in uppercase.

Import a Kerberos configuration file

In the Import Kerberos File field, browse to the krb5.conf file.
4 If necessary, from the Miscellaneous Settings section, configure the following settings:
• Character Encoding—Select the character encoding used for the configuration file.
• Disable Reverse IP Lookups
5 Click Save and Verify.
Configuring the printer 26

Creating an Active Directory login method

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click Add Login Method > Active Directory.
3 Configure the settings.
• Domain—Type the realm or domain name of the Active Directory server.
• User Name—Type the name of the user that can authenticate to the Active Directory.
• Password—Type the password of the user.
• Organizational Unit—Type the organizational unit attribute the user belongs to.
4 Click Join Domain.

Editing or deleting an Active Directory login method

1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click the Active Directory login method.
3 Do either of the following:
• To delete the login method, click Unjoin Domain.
• Configure the following settings, and then click Save and Verify.

General Information
– Setup Name—Type a unique name for the Active Directory login method.
– Server Address—Type the IP address or the host name of the LDAP server.
– Server Port—Enter the port where queries are sent.
– Required User Input—Select the required authentication credentials when logging in to the printer.
– Use Integrated Windows Authentication—Select one of the following:
• Do not use
• Use if available—Use Windows operating system authentication credentials, if available.
• Require—Use only Windows operating system authentication credentials.

Device Credentials
– Use Active Directory Device Credentials—Use user credentials and group designations that are
pulled from the existing network comparable to other network services.
– If Use Active Directory Device Credentials is disabled, then provide the authentication credentials
used to bind the printer with the Active Directory server.
• Device Username—Type the fully qualified DN of a user registered to the Active Directory server.
• Device Realm—The Active Directory domain name.
• Device Password—Type the password for the user.

Advanced Options
– Use SSL/TLS—If the LDAP server requires SSL, then select SSL/TLS.
– Require Certificate—If the LDAP server requires a certificate, then select Yes.
Configuring the printer 27

– Userid Attribute—Type the LDAP attribute to search for when authenticating users’ credentials. The
default value is sAMAccountName, which is common in a Windows environment. For other
directories, you can type uid, cn, or a user-defined attribute. For more information, contact your
system administrator.
– Mail Attribute—Type the LDAP attribute that contains the users’ e-mail addresses. The default value
is mail.
– Fax number Attribute—Type the LDAP attribute that contains the users’ fax number. The default
value is facsimiletelephonenumber.
– Full Name Attribute—Type the LDAP attribute that contains the users’ full names. The default value
is cn.
– Home Directory Attribute—Type the LDAP attribute that contains the users’ home directory. The
default value is homeDirectory.
– Group Membership Attribute—Type the LDAP attribute required for group search. The default value
is memberOf.
– Search Base—The node in the LDAP server where user accounts reside. You can type multiple search
bases, separated by commas.
Note: A search base consists of multiple attributes separated by commas, such as cn (common
name), ou (organizational unit), o (organization), c (country), and dc (domain).
– Search Timeout—Enter a value from 5 to 30 seconds or 5 to 300 seconds, depending on your printer
model.
– Follow LDAP Referrals—Search the different servers in the domain for the logged‑in user account.

Search Specific Object Classes

– person—Search the “person” object class.
– Custom Object Classes—Type the name of the custom object class to search.
Note: A maximum of three custom object classes can be searched. Type the other object class in
the other Custom Object Class field.

Address Book Setup

The following settings are used to configure the address book used when scanning to an e‑mail address:
– Displayed Name—Select the LDAP attribute that you want to show on the address book.
– Max Search Results—Type the maximum search results shown on the address book.
– Use user credentials—Use the logged‑in user credentials to connect to the LDAP server.
– Search Attributes—Select LDAP attributes used as search filters.
– Custom Attributes—Type LDAP custom attributes used as search filters.

Understanding access controls

Access controls let you limit users’ access to functions, applications, and printer management. Depending on
the login method that you are using, access controls are assigned to a group where a user belongs to.
Note: Some access controls are available only in some printer models.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the login method that you are using, click Manage Permissions or Manage Groups/Permissions.
Configuring the printer 28

3 Select a group, and then configure the access controls.

• Function Access—Allow users to access printer functions.
• Administrative Menus—Allow users to access the menus in the Embedded Web Server that are used
to manage functions, applications, and security.
• Device Management—Allow users to use printer management options.
• Apps—Allow users to use the application when the application access control is selected.
Note the following access controls and their required level of protection.
• No Access—Disable access to a function for all users and administrators.
Remote Management
Create Profiles
Held Jobs Access
Internal Printing Protocol (IPP)
Manage Bookmarks
Use Profiles
Manage Shortcuts
FTP Function
• Administrator access only—Use an authentication method that provides administrator‑only access.
Security Menu
Network/Ports Menu
SE Menu
Device Menu
Release Held Faxes
Access Address Book in Apps
Modify Address Book
Reports Menu
Option Card Menu
Import / Export Settings
Apps Configuration
Firmware Updates
New Apps
Out of Service Erase
• Authenticated Users—Use an authentication method that provides access to authenticated users.
Cancel Jobs At Device
Operator Panel Lock
• Administrator discretion—Use any valid setting acceptable at administrator discretion.
Copy Function
Color Dropout
E‑mail Function
Fax Function
Change Language from Home Screen
Paper Menu
Screen Saver
Secure Held Jobs
Configuring the printer 29

• Not applicable—USB ports are disabled.

Flash Drive Print
Flash Drive Scan
Flash Drive Color Printing
• Required—Enable the following access controls so the printer can accept print jobs.
B/W Print
Color Print

Setting default login methods

1 From the Embedded Web Server, click Security > Login Methods.
2 Click Change beside Default Browser Login.
3 Select the login method that you want to use for Control Panel and Browser.

User access
Administrators and users are required to log in to the printer using a method that provides both authentication
and authorization. Under the evaluated configuration, three options are available for allowing access to
network‑connected devices: Local Accounts, LDAP, LDAP+GSSAPI, and Smart Card Authentication.

Configuring the Secure Held Print Jobs settings

1 From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Secure Held Print Jobs > Configure
2 From the Release Options section, configure the settings.
• Release Method—Specify how users print their held jobs.
• Display Print Jobs Sorted By—Specify how the print jobs are listed on the display.
3 Click Apply.

Configuring Smart Card Authentication Client

Configuring login screen settings

Use the login screen settings to set how you want users to log in to the printer.
1 From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
2 From the Login Screen section, in the Login Type menu, select Smart Card Only.
3 Set User Validation Mode to Active Directory.
4 Click Apply.
Configuring the printer 30

Configuring advanced settings

1 From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
2 From the Advanced Settings section, select a session user ID.
Note: Some applications, such as Secure Held Print Jobs and Secure E-mail, require a value for the
session user ID.
3 In the E-mail From Address menu, select where the printer retrieves the user e-mail address.
4 If necessary, select Wait for user information to retrieve all user information before the user is allowed to
access the home screen or secure application.
If the following settings are set to LDAP Lookup, then select this option.
• Session User ID
• E‑mail From Address
If the following settings are not empty, then select this option.
• Other User Attributes
• Group Authorization List
Note: If you are using manual login for Secure E-mail, then select this option to store the user e-mail
address in the login session. To allow manual login users to send e-mail to themselves, enable “Send me
a copy” in the printer e‑mail settings.
5 If necessary, select Use SSL for User Info to retrieve user information from the domain controller using an
SSL connection.
6 If necessary, in the Other User Attributes field, type other LDAP attributes that must be added to the session.
Use commas to separate multiple values.
7 In the Group Authorization List, type the Active Directory groups that can access applications or functions.
Use commas to separate multiple values.
Note: The groups must be in the LDAP server.
8 If DNS is not enabled in your network, then upload a hosts file.
Type the mappings in the text file in the format of xy, where x is the IP address and y is the host name. You
can assign multiple host names to an IP address. For example, 255.255.255.255 HostName1
HostName2 HostName3.
You cannot assign multiple IP addresses to a host name. To assign IP addresses to groups of host names,
type each IP address and its associated host names on a separate line of the text file.
For example:
123.123.123.123 HostName1 HostName2
456.456.456.456 HostName3
9 Click Apply.
Configuring the printer 31

Controlling access to device functions

Securing access to the printer

Securing access to the home screen

Users are required to authenticate before accessing the printer home screen.
Note: Before you begin, make sure that the Display Customization application is enabled in your printer. For
more information, see the Display Customization Administrator’s Guide.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Public section, click Manage Permissions.
3 Expand Apps, clear Slideshow, Change Wallpaper, and Screen Saver, and then click Save.
4 From the Additional Login Methods section, click Manage Permissions beside Smart Card.
5 Select a group whose permissions you want to manage.
Note: The All Users group is created by default. More group names appear when you specify existing
Active Directory groups in the Group Authorization List field. For more information, see “Configuring
advanced settings” on page 30.
6 Expand Apps, and then select Slideshow, Change Wallpaper, and Screen Saver.
7 Click Save.

Securing access to individual applications and functions

Users are required to authenticate before accessing an application or a built‑in printer function.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Public section, click Manage Permissions.
3 Restrict public access to the applications or functions that you want to secure. Do any of the following:
• For Secure E‑mail, expand Function Access, clear E‑mail Function, and then click Save.
• For Secure Held Print Jobs, expand Apps, clear Secure Held Print Jobs, and then click Save.
• For other applications or functions, expand one or more categories, clear the application or function,
and then click Save.
4 From the Additional Login Methods section, click Manage Permissions beside Smart Card.
5 Select a group whose permissions you want to manage.
Note: The All Users group is created by default. More group names appear when you specify existing
Active Directory groups in the Group Authorization List field. For more information, see “Configuring
advanced settings” on page 30.
6 Select the applications or functions that you want authenticated users to access. Do any of the following:
• For Secure E‑mail, expand Function Access, and then select E‑mail Function.
• For Secure Held Print Jobs, expand Apps, and then select Secure Held Print Jobs.
Configuring the printer 32

• For other applications or functions, expand one or more categories, and then select the application or
function.
7 Click Save.

Disabling unused applications

1 From the Embedded Web Server, click Apps.
2 Select an unused application.
3 Click Stop.
Troubleshooting 33

Troubleshooting
Login issues

Cannot detect the card reader or the smart card

Try one or more of the following:

Make sure that the card reader is connected properly to the printer

Make sure that the card reader and the smart card are compatible

Make sure that the card reader is supported

For a list of supported card readers, see the Readme file.

Make sure that the card reader driver is installed on the printer

Contact your Lexmark representative

Error reading the smart card

Try one or more of the following:

Make sure that the smart card is supported

For a list of supported smart cards, see the Readme file.

Make sure that the smart card driver is installed in the printer

User is locked out

Try one or more of the following:

Update the allowed number of login failures and lockout time

Note: This solution is applicable only in some printer models.
The user may have reached the allowed number of login failures.
1 From the Embedded Web Server, click Settings > Security > Login Restrictions.
2 Update the allowed number of login failures and the lockout time.
3 Click Save.
Note: Wait for the lockout time to pass before the new settings take effect.
Troubleshooting 34

Reset or replace the smart card

Check whether the type of smart card that you are using can be reset. If the card cannot be reset, then
replace the card.

Printer home screen does not lock

Try one or more of the following:

Make sure that Display Customization is enabled

For more information, see the Display Customization Administrator’s Guide.

Secure access to the home screen

For more information, see “Securing access to the home screen” on page 31.

Cannot generate or read certificate information from the smart card

Try one or more of the following:

Make sure that the certificate information on the smart card is correct

Contact your Lexmark representative

Domain controller certificate is not installed

Make sure that the correct certificate is installed on the printer
For information on installing, viewing, or modifying certificates, see “Creating and modifying digital
certificates” on page 12.

Cannot find realm in the Kerberos configuration file

Add or change the realm
• If you are using simple Kerberos setup, then do the following:
1 From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
2 From the Simple Kerberos Setup section, in the Realm field, add or change the realm. The realm
must be typed in uppercase.
Note: The simple Kerberos setup does not support multiple Kerberos realm entries. If multiple
realms are needed, then install a Kerberos configuration file containing the necessary realms.
3 Click Apply.
• If you are using the device Kerberos setup file, then add or change the realm in the file. The realm must
be typed in uppercase. When you are finished, reinstall the file on the printer.
Troubleshooting 35

Cannot access individual applications and functions on the printer

Try one or more of the following:

Allow secure access to applications or functions

For more information, see “Securing access to individual applications and functions” on page 31.

If the user belongs to an Active Directory group, then make sure that the group is authorized to access the
applications and functions

LDAP issues

LDAP lookups fail

Try one or more of the following:

Make sure that the server and firewall settings are configured to allow communication between the
printer and the LDAP server on port 389 and port 636
The default ports are port 389 and port 636.

If reverse DNS lookup is not used in your network, then disable it in the Kerberos settings
1 From the Embedded Web Server, click Settings > Security.
2 From the Network Accounts section, click Kerberos.
3 From the Miscellaneous Settings section, select Disable Reverse IP Lookups.
4 Click Save and Verify.

If the LDAP server requires SSL, then enable SSL for LDAP lookups
1 From the Embedded Web Server, navigate to the configuration page for the application:
Apps > Smart Card Authentication Client > Configure
2 From the Advanced Settings section, select Use SSL for User Info.
3 Click Apply.

Narrow the LDAP search base to the lowest possible scope that includes all necessary users

Make sure that all LDAP attributes that are being searched for are correct
Troubleshooting 36

Secure Held Print Jobs issues

Cannot determine the user ID

This error indicates that the local account, network account, or authentication module login method is not setting
the user ID for the session. Try one or more of the following:

Make sure that the application is secured

For more information, see “Configuring the Secure Held Print Jobs settings” on page 29.

Make sure that the session user ID is set correctly

From the Embedded Web Server, do one of the following:

Using a local account login method

1 Click Settings > Security > Login Methods.
2 From the Local Accounts section, click the local account type, and then make sure that the account has
a user name.
3 Click Save.

Using a network account login method

1 Click Settings > Security > Login Methods.
2 From the Network Accounts section, click the network account, and then make sure that the account
has the correct user ID. For more information, contact your system administrator.
3 Click Save.

Using an authentication module

1 Click Apps.
2 Select the authentication module, and then click Configure.
3 Specify the appropriate setting for the session user ID.
4 Click Save or Apply.

Contact your solution provider

If you still cannot resolve the problem, then contact your solution provider.

No print jobs are available for the user

Try one or more of the following:

Make sure that jobs are sent to the correct printer and have not expired
The user may have sent the jobs to a different printer, or the jobs may have been automatically deleted
because they were not printed in time.
Troubleshooting 37

Make sure that the session user ID is set correctly

From the Embedded Web Server, do one of the following:

Using a local account login method

1 Click Settings > Security > Login Methods.
2 From the Local Accounts section, click the local account type, and then make sure that the account has
a user name.
3 Click Save.

Using a network account login method

1 Click Settings > Security > Login Methods.
2 From the Network Accounts section, click the network account, and then make sure that the account
gets the correct user ID. For more information, contact your system administrator.
3 Click Save.

Using an authentication module

1 Click Apps.
2 Select the authentication module, and then click Configure.
3 Specify the appropriate setting for the session user ID.
4 Click Save or Apply.

Contact your solution provider

If you still cannot resolve the problem, then contact your solution provider.
Audit log 38

Audit log
The security audit log is a record of security-related events. The log is stored locally in the device, and can be
exported through e‑mail or browsed on request. Log records can be sent to an external Syslog server while
they are generated.
The basic format of the log records is defined in RFC5424. The following is the generic log format:
<PRI>VERSION TIMESTAMP HOSTNAME APPNAME PROCID <MSGID> [SD-ELEMENT] MSG
Where:
PRI is a priority value that is a two- or three-digit number that is defined in RFC5424. The value must be
enclosed in < and >. The severity of the event is part of the input to the calculation of this number.
VERSION is a value of 1 that is the version of the specification that is used for defining the log file.
TIMESTAMP is the ISO 8601 time in ([YYYY-MM-DD]T[hh:mm:ss]) format.
HOSTNAME is the host name or IP address of the device.
APPNAME is the application name indicating the process that triggered the event log message.
PROCID is the process ID that is generally specified as 0, but may be another valid process ID for some
applications.
MSGID is a text string that is defined within each event. The string must be enclosed in < and >. It provides
more information about the event.
[SD-ELEMENT] is a structured data element that consists of one EventNum value followed by zero or more
name-value pairs that provide detailed log information.
MSG contains the Event Name and Event Message fields described in the individual event definitions.

Auditable event Sample audit message

Job completed
Job started
Successful user identification and
authentication
Unsuccessful user authentication
Unsuccessful user identification
Use of management functions
<53>1 2017-10-29T15:05:59Z CX725 jobmanager 0
<job> [event17375@641 JobId="105"
Job_Type="InternalPrintWorkflow"] Job Completed:
<53>1 2017-10-21T18:12:27Z CX725 jobmanager 0
<job> [event17327@641 JobId="38"
Job_Type="FaxSendWorkflow"] Job Started:
<53>1 2017-10-21T16:17:30Z CS820 auth 0 <login>
[event11527@641 SessionId="Fak4tZcHTBH0L6Cs"
Auth_Method="Username/Password" Username="admin"
UniqueUserId="69901267-0520-460f-
baf6-6bc56180e730" Fullname="Administrator"]
Login successful: 'admin'
<52>1 2017-11-13T19:31:37Z CX922 auth 0 <login>
[event47@641 Auth_Method="Username/Password"]
Login failed: 'admin'
<52>1 2017-11-30T14:45:22Z CX820 auth 0 <login>
[event2744@641 Auth_Method="Username/Password"]
Login failed: 'bogus'
<53>1 2017-11-14T19:07:52Z CX922 auth 0 <setting>
[event75@641 SessionId="h.8oL7lB3ZcK6Rbv"]
Permission 'fax' added for LDAP group: 'Users'
Audit log 39

Auditable event Sample audit message

Modification to the group of users that are
part of a role
Changes to the time
Failure to establish session
Audit log cleared by an authorized
administrator
<53>1 2017-10-21T16:07:20Z CX820 auth 0 <setting>
[event13960@641 SessionId="YTLGJH3SYqpyKZDQ"]
Permission 'email' added for group: 'Users'
<53>1 2017-10-01T00:31:00Z CX820 timemgr 0 <time>
[event14151@641] Time changed due to time source
change
<52>1 2017-11-15T05:34:25Z CX922 IPSec 0 <ipsec>
[event219@641] peer=10.197.46.31[4500] :
msg[6]=Retransmit Timeout :IKE message
retransmission timed out
<49>1 2017-11-22T21:10:02Z CX922 Audit 675 <audit>
[event1@641 SessionId="AMewwauzzBfbdjHH"] Audit
Log Cleared
Erasing keys in flash memory 40

Erasing keys in flash memory

The following types of keys are stored in the flash memory:
• RSA private keys—These keys are associated with device certificates and are overwritten when the device
certificate is deleted.
• IPSec preshared keys (PSKs)—These keys are overwritten when the PSK setting is modified or cleared.
• Disk encryption keys—These keys are overwritten when you perform the "Sanitize all information on hard
disk" function.
When the flash component performs wear leveling or garbage collection, physical copies of these keys may
continue to exist inside the flash component for some time.
When any of these keys are destroyed, they are first overwritten in the flash memory with zeroes. You can see
the changes in the visible storage locations for these items in the flash component.
The flash component supports the TRIM command and implements garbage collection to destroy persistent
copies of old storage locations when not actively engaged in other tasks. The file system that maps to the flash
component and location of the keys also supports the TRIM command. The file system is configured to use the
command.
Notices 41

Notices
Edition notice
December 2022
The following paragraph does not apply to any country where such provisions are inconsistent with local
law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This publication could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in later editions. Improvements or changes in the
products or the programs described may be made at any time.
References in this publication to products, programs, or services do not imply that the manufacturer intends to
make these available in all countries in which it operates. Any reference to a product, program, or service is
not intended to state or imply that only that product, program, or service may be used. Any functionally
equivalent product, program, or service that does not infringe any existing intellectual property right may be
used instead. Evaluation and verification of operation in conjunction with other products, programs, or services,
except those expressly designated by the manufacturer, are the user’s responsibility.
For Lexmark technical support, go to http://support.lexmark.com.
For information on Lexmark's privacy policy governing the use of this product, go to
www.lexmark.com/privacy.
For information on supplies and downloads, go to www.lexmark.com.
© 2016 Lexmark International, Inc.
All rights reserved.

GOVERNMENT END USERS

The Software Program and any related documentation are "Commercial Items," as that term is defined in 48
C.F.R. 2.101, "Computer Software" and "Commercial Computer Software Documentation," as such terms are
used in 48 C.F.R. 12.212 or 48 C.F.R. 227.7202, as applicable. Consistent with 48 C.F.R. 12.212 or 48 C.F.R.
227.7202-1 through 227.7207-4, as applicable, the Commercial Computer Software and Commercial Software
Documentation are licensed to the U.S. Government end users (a) only as Commercial Items and (b) with only
those rights as are granted to all other end users pursuant to the terms and conditions herein.

Trademarks
Lexmark and the Lexmark logo are trademarks or registered trademarks of Lexmark International, Inc. in the
United States and/or other countries.
Active Directory and Windows are trademarks of the Microsoft group of companies.
All other trademarks are the property of their respective owners.
Index 42

Index
A checking physical interfaces disabling the home screen
access controls 31 before 9 icons 11
understanding 27 configuration checklist 10 disabling the host USB 11
accessing the Embedded Web configuring login restrictions 20 disabling the Intelligent Storage
Server 8 configuring NTP settings 15 Drive 21
Active Directory configuring print permissions 21 disabling ThinPrint 11
creating login method 26 configuring the application 29 disabling unused applications 32
deleting login method 26 configuring the minimum Display Customization
editing login method 26 password length 20 enabling 31
advanced settings configuring the system clock domain certificate error 34
configuring 30 manually 15 domain controller certificate not
AirPrint configuring time source installed 34
disabling 11 settings 15
application creating an Active Directory login E
configuring 29 method 26 e-mail
applications creating groups configuring 17
securing 31 local accounts 22 editing an Active Directory login
assumptions 6 creating Kerberos login method 26
attaching a lock 9 method 25 editing local account groups 23
audit log 38 creating LDAP login method 23 editing local accounts
overview 38 creating LDAP+GSSAPI login password 22
audit logging method 23 PIN 22
configuring 16 creating local accounts 21 user name 22
authentication and authorization password 21 user name and password 22
options 29 user name 21 Embedded Web Server
accessing 8
C D encrypting network data 14
cannot access applications or data files encryption
functions on the printer 35 erasing 12 IPSec 14
cannot detect the card reader 33 date and time settings 15 environment
cannot determine the user ID 36 default login methods operating 6
cannot find realm in the Kerberos setting 29 erasing keys in flash memory 40
configuration file 34 deleting an Active Directory login erasing temporary data files 12
cannot generate or read method 26 error reading the smart card 33
certificate information from deleting LDAP login method 25 error while reading card 33
card 34 deleting LDAP+GSSAPI login e‑mail function
cannot read the smart card 33 method 25 securing 31
card is locked out 33 deleting local account groups 23
card reader not detected 33 deleting local accounts F
certificate error 34 password 22 fax forwarding 19
certificates PIN 22 fax settings
creating and modifying 12 user name 22 driver to fax 19
change history 4 user name and password 22 fax forwarding 19
checklist digital certificates held faxes 19
configuration 10 creating and modifying 12 fax storage location
configuration disabling AirPrint 11 setting 18
checking firmware before 9 disabling flash drive access 11 firmware
checking 9
Index 43

updating 9 local accounts P

flash drive access creating 21 physical configuration
disabling 11 creating groups 22 checklist 8
functions creating user name 22 physical interfaces
securing 31 deleting groups 23 checking during
deleting password 22 preconfiguration 9
H deleting PIN 22 port access
held faxes 19 deleting user name 22 shutting down 14
held jobs deleting user name and preconfiguration tasks
securing 31 password 22 checking firmware 9
holding all jobs 12 editing groups 23 checking physical interfaces 9
home screen 7 editing password 22 print permissions
securing access 31 editing PIN 22 configuring 21
home screen icons editing user name and printer home screen does not
disabling 11 password 22 lock 34
host USB lock printers
disabling 11 attaching 9 supported 5
hosts file logging
installing 30 configuring the security audit
log 16 R
login method realm not found 34
I creating Active Directory 26
Intelligent Storage Drive creating LDAP 23 S
disabling 21 creating LDAP+GSAAPI 23 securing
interfaces deleting Active Directory 26 applications 31
checking during deleting LDAP 25 e‑mail function 31
preconfiguration 9 deleting LDAP+GSSAPI 25 held jobs 31
IPSec editing Active Directory 26 home screen 31
setting up 14 login restrictions printer functions 31
configuring 20 security
J login screen settings reset jumper on the controller
jobs configuring 29 board 20
holding 12 security audit log 16
M security audit log
K minimum password length configuring 16
Kerberos configuring 20 security certificates
creating login method 25 missing Kerberos realm 34 creating and modifying 12
keyboard on the display multifunction products 5 security objectives 6
using 7 security reset jumper
keys enabling 20
N setting default login methods 29
erasing in flash memory 40 no print jobs available for setting the fax storage
user 36 location 18
L NTP settings shutting down port access 14
LDAP configuring 15 single‑function printers 5
creating login method 23 SMTP settings
deleting login method 25 O configuring 17
LDAP lookups fail 35 objectives 6 supported printers 5
LDAP+GSSAPI operating environment 6 syslog
creating login method 23 overview 5 configuring 16
deleting login method 25 system clock
configuring 15
Index 44

T
ThinPrint
disabling 11
time source settings
configuring 15
touch screen
using 7
troubleshooting
cannot access applications or
functions on the printer 35
cannot detect the card
reader 33
cannot determine the user
ID 36
cannot find realm in the
Kerberos configuration file 34
cannot generate or read
certificate information from
card 34
cannot read the smart card 33
card reader not detected 33
certificate error 34
domain certificate error 34
domain controller certificate not
installed 34
error reading the smart card 33
LDAP lookups fail 35
missing Kerberos realm 34
no print jobs available for
user 36
printer home screen does not
lock 34
realm not found 34
user is locked out 33

U
unauthorized user 35
understanding access
controls 27
unused applications
disabling 32
updating firmware 9
flash file 9
user is locked out 33