
Security Policy Setting Items

The following settings are related to the security policy of the printer. Place a check mark next to the items you want to apply in the Settings screen.

To allow sharing of security policies among Canon printers, regardless of the differences in functions between models, all Canon printers possess the same security policy setting items.

Therefore, depending on the security policy setting item, configuring it may not affect the operation of the printer.

In the case of items that do not affect the operation of the printer, even if configured, one of the following descriptions will be displayed on the security policy setting screen.

Note: This setting does not affect any functions on this printer. Restrictions will not be applied.

Note: The feature is restricted on this printer, regardless of the security policy.

Interface

  • Wireless policy

    Prohibiting wireless connections prevents access from unspecified devices.

    Policy name

    Overview

    Prohibit use of direct connection

    <Wireless Direct Enabled/Disabled> is <disabled>, and access from various devices using Wireless Direct is not possible.

    Prohibit use of wireless LAN (Wi-Fi)

    <Wireless LAN Enabled/Disabled> is <disabled>, and wireless connection via Wi-Fi router or access point is not possible.

  • USB connection policy

    Prohibiting USB connections prevents unauthorized connections and data from being taken out.

    Policy name

    Overview

    Prohibit use of USB device

    <Use as a USB device> is turned <OFF>. USB connection to a computer is not possible.

    Prohibit use of USB external storage devices

    <Use USB external storage devices> is turned <OFF>. USB external storage devices cannot be used.

Network

  • Communication operational policy

    Enforce signature and certificate validation to communicate more securely.

    Policy name

    Overview

    Always verify signatures when using SMB/WebDAV server functions

    <Require an SMB signature to connect> and <Use SMB authentication> in the <SMB server settings> are applied.

    <Use TLS> when <Setting WebDAV server> is applied.

    If the printer is used as an SMB server or WebDAV server, the electronic certificate signature is verified during communication.

    Always verify server certificate when using TLS

    Communication with mail servers that cannot be verified by a printer-embedded CA certificate is not possible.

    Prohibit cleartext authentication for server functions

    When using the printer as a server, cleartext authentication and functions that use cleartext authentication cannot be used.

    Prohibit use of SNMPv1

    The printer driver, management software, and other software may not be able to communicate with the printer.

    Note

    • Even if you check "Always verify server certificate when using TLS", it does not apply to communication with IEEE802.1X/EAP networks.

  • Port Usage Policy

    This prevents external intrusion by closing unused ports.

    Policy name

    Overview

    Restrict LPD port (Port: 515)

    The <LPD protocol setting> is <disabled>. LPD printing is not possible.

    Restrict RAW port (Port: 9100)

    The <RAW protocol setting> is <disabled>. RAW printing and JPEG printing from a smartphone are not possible.

    Restrict FTP port (Port: 21)

    FTP printing is not possible.

    Restrict WSD port (Port: 3702, 60000)

    <Enable/disable WSD> is <disabled>.

    <WSD scan from the printer> is <disabled>.

    The functionality of the WSD may not be available, and device information may not be retrieved from the driver.

    Restrict BMLinkS port (Port: 1900)

    Printing from a BMLinkS-compatible printer driver is not possible.

    Restrict IPP port (Port: 631)

    <IPP Enable/disable> of Wi-Fi and Wireless Direct is <disabled>.

    IPP printing is not possible. Printing with Mopria or AirPrint is also not possible.

    Restrict SMB port (Port: 139, 445)

    The printer cannot be used as an SMB server. The management software cannot communicate with various software.

    Restrict SMTP port (Port: 25)

    SMTP reception is not possible. The management software cannot communicate with various software.

    Restrict dedicated port (port number: 9002, 9006, 9007, 9011-9015, 9017-9019, 9022, 9023, 9025, 20317, 47545-47547)

    Dedicated ports cannot be used.

    Restrict port of remote operation (port number: 5900)

    Remote operation functionality cannot be used.

    Restrict mDNS port (Port: 5353)

    The <Bonjour setting> is <disabled>.

    Searching on the network by mDNS (for example, searching from a smartphone app on iOS) and automatic setting are not possible. Printing with Mopria or AirPrint is also not possible.

    Restrict SLP port (Port: 427)

    Searching on the network or setting automatically by SLP is not possible.

    Restrict SNMP port (Port: 161)

    <SNMPv1 settings> and <SNMPv3 settings> are <disabled>. It may not be possible to acquire or configure device information from your computer or smartphone using SNMP. Use of the printer driver, management software, management by Media Configuration Tool, or Easy Wireless (Easy WL) Connect is not possible.
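A way to confirm that checked Port Usage Policy items took effect, added here as an example and not part of the Canon documentation: it expands the port lists above and compares them with ports found open on the printer. The checked policies and observed ports are constructed sample data, and the comparison ignores TCP versus UDP because the page does not give the protocol.

```python
# Port numbers copied from the Port Usage Policy items on this page.
PORT_POLICIES = {
    "Restrict LPD port": "515",
    "Restrict RAW port": "9100",
    "Restrict FTP port": "21",
    "Restrict WSD port": "3702, 60000",
    "Restrict BMLinkS port": "1900",
    "Restrict IPP port": "631",
    "Restrict SMB port": "139, 445",
    "Restrict SMTP port": "25",
    "Restrict dedicated port": "9002, 9006, 9007, 9011-9015, 9017-9019, "
                               "9022, 9023, 9025, 20317, 47545-47547",
    "Restrict port of remote operation": "5900",
    "Restrict mDNS port": "5353",
    "Restrict SLP port": "427",
    "Restrict SNMP port": "161",
}

def parse_ports(spec):
    """Expand a spec such as '9002, 9011-9015' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range: {part}")
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports

def audit(checked_policies, observed_open):
    """Return {policy: sorted ports} for checked policies whose ports still answer."""
    drift = {}
    for name in checked_policies:
        still_open = parse_ports(PORT_POLICIES[name]) & set(observed_open)
        if still_open:
            drift[name] = sorted(still_open)
    return drift

# Constructed sample: items ticked in the Settings screen, and ports an
# inventory check of that printer reported open (protocol ignored; assumption).
CHECKED = ["Restrict RAW port", "Restrict dedicated port",
           "Restrict SNMP port", "Restrict FTP port"]
OBSERVED = [80, 443, 161, 9013, 9100, 47546]

if __name__ == "__main__":
    for policy, ports in audit(CHECKED, OBSERVED).items():
        print(f"{policy}: still open {ports}")
```

An item that shows the "Restrictions will not be applied" note on a given model is not expected to close its port, so exclude it from the checked list before comparing.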

Authentication

  • Authentication operational policy

    By thoroughly authenticating users, unauthorized operations by unregistered users can be avoided.

    Policy name

    Overview

    Prohibit users to use device

    Unregistered users will no longer be able to log in to the printer, and print jobs from the computer will be canceled.

    Force setting of auto logout

    User management settings: Auto logout time

    Screen lock function: Enable/disable screen lock setting and time to screen lock

    If you do not operate the printer for a certain period of time, you will be automatically logged out.

  • Password operational policy

    Restricts password operation strictly.

    Policy name

    Overview

    Prohibit cache saving of password for external servers

    Whenever accessing an external server, a password is required. In addition, the authentication information of logged in users is not retained.

    Display warning when default password is in use

    If you are using the password set at the time of purchase, a warning message is displayed.

    Prohibit use of default password for remote access

    When accessing the printer from your computer, the password set at the time of purchase cannot be used.

  • Password settings policy

    Set a certain complexity and validity period for passwords used for user authentication so that they are not easily guessed by third parties.

    A password that was set before the password settings policy was configured and does not match the policy remains valid after the policy is set. By resetting your password, you will be able to set a password that conforms to the password settings policy.

    Each item in the password settings policy can be configured, even if the setting appears to be partially inconsistent. Passwords can only be set with input characters and input length that meet the required conditions.

    Policy name

    Overview

    Minimum number of characters for password

    The <Minimum number of characters> is set to <ON>. Users cannot set a password that is less than the number of characters specified in Minimum number of characters on the settings screen.

    Set password validity period

    Set password validity period.

    Prohibit use of 3 or more identical consecutive characters

    Users cannot set a password that contains 3 or more consecutive identical characters.

    Force use of at least 1 uppercase character

    Users cannot set a password not containing uppercase characters.

    Force use of at least 1 lowercase character

    Users cannot set a password not containing lowercase characters.

    Force use of at least 1 digit

    Users cannot set a password not containing digits.

    Force use of at least 1 symbol

    Users cannot set a password not containing symbols.

  • Lockout Policy

    If the login operation using the entered password fails for a certain number of consecutive times, the user is prevented from logging in for a certain period.

    Policy name

    Overview

    Enable lockout

    A function to lock out specified users, including administrators, for a specified period of time when they enter the wrong password the specified number of times.

    [Target Function] Security administrator password/administrator password/standard user password
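The character and length items of the password settings policy above, written as a checker for pre-validating passwords before they are entered on the printer. This is an added example, not Canon code: the ASCII character classes, the case-sensitive run check, and the `min_chars=8` default are assumptions the page does not specify, and the validity period item is not covered.

```python
import string

# Policy item names as they appear on this page.
MIN_LEN = "Minimum number of characters for password"
NO_RUNS = "Prohibit use of 3 or more identical consecutive characters"
UPPER = "Force use of at least 1 uppercase character"
LOWER = "Force use of at least 1 lowercase character"
DIGIT = "Force use of at least 1 digit"
SYMBOL = "Force use of at least 1 symbol"

# Assumption: ASCII character classes; the page does not define them.
CLASS_TESTS = {
    UPPER: lambda c: c in string.ascii_uppercase,
    LOWER: lambda c: c in string.ascii_lowercase,
    DIGIT: lambda c: c in string.digits,
    SYMBOL: lambda c: c in string.punctuation,
}

def has_run_of_three(password):
    """True if any character appears 3 or more times in a row (case-sensitive)."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= 3:
            return True
    return False

def violations(password, checked, min_chars=8):
    """List the checked policy items that `password` fails, in page order."""
    failed = []
    if MIN_LEN in checked and len(password) < min_chars:
        failed.append(MIN_LEN)
    if NO_RUNS in checked and has_run_of_three(password):
        failed.append(NO_RUNS)
    for item, test in CLASS_TESTS.items():
        if item in checked and not any(test(c) for c in password):
            failed.append(item)
    return failed

ALL_ITEMS = {MIN_LEN, NO_RUNS, UPPER, LOWER, DIGIT, SYMBOL}

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Passs1!", "printer2024", "Aab1!aab"):
        print(repr(pw), violations(pw, ALL_ITEMS))
```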

Key/Certificate

Protect your valuable data by preventing the use of weak encryption or by encrypting user passwords and keys within specific hardware.

Policy name

Overview

Prohibit use of weak encryption

Weak encryption cannot be used. If checked, "Prohibit use of key/certificate with weak encryption" can be selected.

The configurable functions are IPsec, TLS, SNMPv3, and wireless LAN.

Prohibit use of key/certificate with weak encryption

Keys and certificates with weak encryption cannot be used. The target functions are IPsec and TLS.

Use TPM to store password and key

Passwords and keys are encrypted and stored in a specific piece of hardware.

Log

Allows periodic audits by requiring logging.

Policy name

Overview

Force recording of audit log

<Acquire operation log> is set to <ON>, <Display job history> is set to <ON>, <Acquire job history from management software> of <Display job history> is set to <Allow>, <Acquire audit log> is set to <ON>, <Acquire authentication log via network> is set to <ON>, and <Display print job username as login name> is set to <ON>. Audit logs are always logged.

Force SNTP settings

<Use SNTP> of <SNTP settings> is set to <ON>. SNTP time synchronization is required. Enter the [Server name] in the Remote UI settings screen.

Job

  • Printing Policy

    Prevents information leakage by printing.

    Policy name

    Overview

    Prohibit immediate printing of received jobs

    Manages the printing of received images by fax.

  • Sending/Receiving Policy

    Restricts the destination operation at the time of sending and the processing method of received data.

    Policy name

    Overview

    Allow sending only to registered addresses

    Faxes can only be sent to addresses registered in the address book.

    Restricted fax functions

    • Fax - Phonebook - Select List - Edit Destination/(Edit Destination, Delete Destination, Edit Group Dial, Delete Group Dial)
    • Fax - enter number
    • Fax - redial
    • Fax transfer menu - Specify transfer destination
    • Scan - Attach manuscript to email - Email direct from printer - Edit email address book
    • Scan - Attach manuscript to email - Email directly from printer - Select recipient address - Direct input
    • Scan - Attach manuscript to email - Email directly from printer - Select recipient address - Select from input history
    • Dial input in fax mode
    • When speed dial tool 2 is started, a dialog box will be displayed and it will not be available.
    • Destination Folder Settings in the Quick Utility Toolbox is not possible.

    Force confirmation of fax number

    <Security control> <Confirm fax number> is set to <ON>.

    A confirmation is required when entering a fax number.

    Prohibit auto forwarding

    Autosave is not possible.

Storage

Policy name

Overview

Force complete deletion of data

Remove removable media, such as HDDs, and forcibly make it impossible to salvage deleted data when analyzed.