How to prevent users from printing from their phones?
Posted by walks-beneath-treees@reddit | sysadmin | 113 comments
We don't have an AD here, and it's a mixed environment (Windows, MacBooks and Linux desktops).
Recently, some employees have been abusing the printers, and they've already printed half of what we printed last year in only 3 months.
The manager wanted me to restrict printing, but I ran into some troubles.
First of all, I thought about creating a printer server in a Debian VM via vagrant and funnel all printing through the server. It did work, and I managed to print from the VM, and from a workstation via the VM.
The printer that is giving us the most trouble, a Lexmark MX410de, has a built-in whitelist and it did work to restrict computers from printing, but it does nothing for the phones.
If I disable mDNS, the printer no longer advertises itself on the network, but then no one can scan and AirPrint doesn't work either, which means the lawyers can't print from their MacBooks.
Is there anything else I could try? I thought maybe CUPS / SAMBA could have some option to authenticate before printing, but I don't know if it will restrict phones from printing.
I know that we should probably solve this with something like Papercut, but it's the public sector we're talking about, and budgets are tight and bureaucracy is rampant.
TheRedstoneScout@reddit
Is everything on the same network?
Users shouldn't be able to connect their personal devices to the corporate network that would supposedly have your printers on it.
walks-beneath-treees@reddit (OP)
We're in the process of separating networks, guest and internal.
gmc_5303@reddit
Corp wired, corp WiFi, printers, and guest should all be separate vlans headed back to a firewall to control exactly what talks to what.
TruthSeekerWW@reddit
Why should Corp wired be separate from Corp wifi?
gmc_5303@reddit
I don't put them on the same subnet or security zone because for me: a: it's always a different subnet, and b: wifi being over the air, I always consider it less secure than a physical cable.
vertisnow@reddit
Until then, you should absolutely disable the 'guest' network immediately. You don't have a guest network.
thortgot@reddit
That's the right solution to the problem. Should be quick to do.
Rotate your corporate wifi and ideally only deploy the password through your rmm of choice.
Even better if you implement enterprise wifi with device certs but that can be a bunch of work.
TheRedstoneScout@reddit
This will solve your problem.
Papercut is an excellent way to secure things even further though if you get the chance
DiscipleOfYeshua@reddit
100% my first question: “how are user devices on your office network?”
Setup RADIUS. Buh-bye user devices.
dewatermeloan@reddit
I'm trying to use RADIUS for this (i have it deployed already). However, if the users just put in their credentials, they are still going to login on their mobile phones. This is against company policy obviously.
How can I block personal devices using radius? Any tips?
DiscipleOfYeshua@reddit
Im you’re sorted to create a cert per device. Knowing passwords becomes useless. No cert, no communications.
zatset@reddit
RADIUS is a good option, but comes with inconveniences. And requires you to use proper networking equipment. On one of my previous jobs the infrastructure was a mix of dumb and smart switches. And as we know RADIUS requires either MAC auth (dynamic MACs make that option hell and easy to spoof), username and password inconvenience, or using certificates (again inconveniences, even more serious than the first 2 options).
exedore6@reddit
Please don't tell me you're not having all your users use a PSK for wireless?
I understand that you run the network you have, but I'd strongly recommend going to at least EAP/MSCHAPv2 radius for wireless devices. Onboarding isn't terrible with a self-signed certificate for the radius server, or you can buy a commercial cert to avoid PKI.
There are also tools to help with onboarding like CAT, which usually use an onboarding SSID to help configure the profiles.
Yes, you're not going to get this with a bunch of routers from OfficeMax. Yes, you'll need to learn something about PKI (but not too much unless you want to go with a full EAP/TLS approach). There are even options where you don't need to manage your own radius server or pki (SecureW2 for example).
Darkhexical@reddit
There's also the option of ipsk which is more likely to work universally.
exedore6@reddit
That needs newer hardware than 802.1x, but it would be smoother, unless you had a ton of users.
bingblangblong@reddit
There's nothing particularly wrong with using PSK for guest wireless though.
exedore6@reddit
If the printers are on the network, it's not guest wireless.
zatset@reddit
I was just pointing out the advantages and disadvantages. I perfectly understand you. In practice sometimes things can become messy, though.
yrogerg123@reddit
Users aren't hardwiring their phones, they're just connecting to WIFI. Use WPA-3 enterprise for corp and offer guest WIFI. Done.
Bendo410@reddit
Then you document what the solutions are and bring them to management and every time somebody complains at that point you cc your manager in an email and remind them of the solution while also looking for a better and secure job.
Something will happen eventually and when it does , heads will roll and you don’t want your reputation ruined because of piss poor management .
slowclapcitizenkane@reddit
They have no AD, and I'm guessing no endpoint management whatsoever. That's how. This is basic infrastructure that's missing.
Fitz_2112b@reddit
OP doesn't even have AD, you think they're setting up RADIUS?
discosoc@reddit
They "don't have an AD" which means it's incredibly common for the network to be flat.
Mealerz6388@reddit
Omg, and lawyers there too, and a server and your WiFi is on the same LAN? That’s all I got from your question! Get a decent firewall, start zoning things off. Get separate printer for WiFi network if you want users to print with their byod’s.. personally I’d tell them to stock the ink and paper. You need to zone your networks, my goodness I hope you take backups of your server!
OccasionalRedditor99@reddit
Why are people printing so much? What are they printing? Is it for business or personal? Look at the business driver first!
publicdomainadmin@reddit
CUPS or VLANning is probably the best bet here. VLANs these days are a basic necessity imho these days.
Just a cursory read of this post tells me your network and setup probably isn't as good as it could be and some overall TLC might be needed. I wonder what else critical I can access over your wifi.
walks-beneath-treees@reddit (OP)
I'm talking to the network folks to see if they can create some VLANs to isolate these phones from the rest of the network. I've been trying to do this for a while now, but the previous management didn't care. Let's hope I can do it now.
Darkhexical@reddit
If you have a lot of IoT you may want to look into this: https://m.youtube.com/watch?v=gfNeCCurovs
walks-beneath-treees@reddit (OP)
Thanks, I'm gonna watch this.
pdp10@reddit
And the current management wants printer consumable costs halted. Looks like you're getting VLANs.
Proper_Individual578@reddit
This is your excuse to at least get personal devices off the corp network. Don't implement any other solution to this issue, you now have a cost that management can see for their insecure setup.
INSPECTOR99@reddit
HHhhhmmm, it sounds like the previous Mgt. was criminally negligent regarding NetSec in a Legal framework... :-(
Aur0nx@reddit
This is the way. Personal phones shouldn’t be on the same VLAN as the rest of the network.
FastFredNL@reddit
Simple. Don't have printers on the same network as smartphones, or any other personal user devices.
cloudsourced285@reddit
This is as much of a manager problem as it is a technical. Management should harden up and tell people they are not allowed to print like mad men.
Ferretau@reddit
turn off bonjour
Allokit@reddit
Disable WiFi Direct Printing by logging into the printers UI.
They are completely bypassing what you've put in place because they don't use the wifi, or a computer, to print.
They are using their phone and connecting directly to the printer.
Allokit@reddit
MacBooks do not NEED AirPrint. It's just an option. Install it on MBPs via the IP.
omasque@reddit
Keep an eye out for the finger patterns that denote something about to print (file > print kind of thing), sprint toward them and just slap the phone from their hand in time.
Public_Warthog3098@reddit
What the heck did I just read.
SiIverwolf@reddit
Yeah I think what was left of my processing power for the day just got fried.
OP you've got bigger issues than your printing. WTF are personal phones doing even being able to talk to printers in the first place?
hauntedfire@reddit
Might have to get PaperCut, print management software. Depends if printing cost is more than PaperCut cost.
Demonbarrage@reddit
Your cellphones aren't on a Guest VLAN, with the printer on the corporate VLAN or a printer VLAN? If you've got VLANs but the phone VLAN can talk to the printer VLAN, then all you need is a firewall rule.
GhostNode@reddit
Beat them.
mr_limpet112@reddit
How are they even connecting their personal phones to your network?
Awlson@reddit
Is your network not segmented at all? Why are their phones not connecting to a BYOD network that has no access to company resources (storage, printing, etc.)? Heck with printing, having their phones on your main network is a security risk.
Kahless_2K@reddit
Why are their phones even on your network?
zerassar@reddit
Is AirPrint really needed for Macs these days? Can't you deploy a normal printer to the Macs and then just turn off AirPrint completely?
knightress_oxhide@reddit
What is the cost of the paper and toner being used? What is your calculated hourly rate? How many hours will you spend on this issue instead of handling other issues?
If A*B < X then it is a waste of your time and should come out of another department's budget.
Moontoya@reddit
Why are you solving a wetware issue with technology?
HR / user policy and punishing violators is the wiser move
knightress_oxhide@reddit
Yep, you end up spending a quarter of your budget on people using a few sheets of paper and toner that costs nothing.
mcfedr@reddit
this is the real answer. talk to people!
thomasmitschke@reddit
You maybe should consider redesigning your network with an eye on security.
redstarduggan@reddit
This. How are phones able to talk to printers? This is how skynet takes over.
knightress_oxhide@reddit
Too late for that. But thank god my phone can talk to my printer because printers suck and sometimes I can't print from my computer.
thomasmitschke@reddit
Skynet will take over when everyone uses ai agents on their computers and thinks it’s a good idea…
CantPullOutRightNow@reddit
Only allow personal phones on a guest VLAN. Kind of bothersome that a public sector network isn’t already doing that. It’s like a zero cost security measure.
zer04ll@reddit
PIN codes to print so you know who prints what
Break2FixIT@reddit
You can turn off the mdns / bonjour / air print from the printer itself
zsrh@reddit
Disable AirPrint, Wi-Fi direct printing in the printer settings.
DualPrsn@reddit
this is the answer.
kona420@reddit
Separate guest and managed wifi my dude. Turn off wifi direct on the printers themselves.
For your first pass on this in a mostly unmanaged network, I would suggest MAC whitelisting for the managed wifi, or at least at the firewall. Doesn't stop the printer access per se, but with no internet people get the message they are on the wrong network. Ugly but functional is managing access through DHCP.
There are lots of things you really need well before resolving this printer issue, but I'm guessing you are getting heat on it so take advantage to get some control back.
rejectionhotlin3@reddit
WiFi VLAN + no mDNS relay.
TangoCharliePDX@reddit
Put the printer on an isolated subnet - an IP that the mobile devices cannot find, so it doesn't have to even be separate copper.
Then set up a print server of any kind, that requires a login.
Asleep_Spray274@reddit
This isn't a technical problem to solve. Dont use technology to fix problems with people. This is a management problem to solve
RhymenoserousRex@reddit
Uh, we don't allow cellular devices on the corporate network and we disable printers' WiFi features so they only print from on-net.
Guest wireless exists for devices but they have no route to the printer.
SlickAstley_@reddit
If I'm not mistaken, printing from phones can very often use different protocols/ports.
You might get lucky and find you can just turn off all Mopria and WSD shite from the printer's RUI.
jsand2@reddit
Why are you letting personal cell phones connect to your work network??
That's a big nope from me, dawg.
That's a much bigger issue than people printing from said phones!!
Eternal_Glizzy_777@reddit
We found the easiest solution was to just get rid of printers altogether.
walks-beneath-treees@reddit (OP)
My wildest dream is to throw away all the printers
Eternal_Glizzy_777@reddit
Keep the dream alive comrade! By hook or by crook we’ll get to a point in time where printers are considered to be relics of a distant, darker past.
exedore6@reddit
I'd not put the phones on the same subnet as the printers. Possibly actively block the phones from talking to the printers with an access list/firewall rule.
Disable any unnecessary services on the printers.
But,
Ask yourself why you care what they're using to print.
Are they printing things they shouldn't print regardless of the device?
Do the prints come out wrong somehow, so a waste?
Should the things they're printing not be accessible from their personal phones, like customer data?
A print release solution (like papercut) is a godsend for getting print accounting, and introducing just enough friction to keep the BS printing under control.
Making sure what amounts to guest devices can't access resources they shouldn't is a bigger problem than just printing. I'd be inclined to put phones on a guest vlan and make sure that there's no way they can talk to the printers (and other resources)
TheLionYeti@reddit
get a guest network yesterday, put all non company owned devices on it put the printers on the company network problem solved.
SVD_NL@reddit
Does the printer have any sort of authenticated printing? Looking at the docs this printer does have some sort of confidential/held printing solution. Accounting is also a term regularly used to track print jobs.
Otherwise I'd highly recommend Printix, which really isn't too expensive. Also promote it as a secure printing solution! Security and data loss prevention often magically conjure up a bag of cash.
Also, if you use CUPS you can use IPP, which MacBook and Linux users should be able to add. I'm pretty sure you can add authenticated printing to CUPS. I believe you can even link it to an AD if you have one.
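An added example, not from the thread or the CUPS project, of the authenticated CUPS setup discussed above: the Debian print server owns the only queue that can reach the Lexmark (driverless IPP), and submitting a job requires a valid local account. The addresses, the queue name and the `--apply` switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an authenticated CUPS queue on the
# Debian print server. Jobs are only accepted with valid user credentials;
# MacBooks and Linux desktops add ipp://SERVER_IP/printers/QUEUE (no AirPrint).
set -eu

PRINTER_IP="${PRINTER_IP:-192.0.2.10}"   # assumed placeholder: the MX410de on the printer VLAN
SERVER_IP="${SERVER_IP:-203.0.113.5}"    # assumed placeholder: this CUPS server
QUEUE="${QUEUE:-lexmark}"                # assumed queue name

# cupsd.conf that leaves browsing/lookups open on the LAN but demands a login
# for anything that creates or sends a print job. Each job is then tied to an
# account, which is what print accounting needs.
render_cupsd_conf() {
  cat <<EOF
LogLevel warn
Listen ${SERVER_IP}:631
Listen /run/cups/cups.sock
Browsing On
DefaultAuthType Basic

<Location />
  Order allow,deny
  Allow @LOCAL
</Location>

<Location /admin>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>

<Policy default>
  # Submitting a job requires a valid user account on this host.
  <Limit Create-Job Print-Job Print-URI Send-Document Send-URI>
    AuthType Default
    Require valid-user
    Order deny,allow
  </Limit>
  # Users may only cancel, hold or release their own jobs.
  <Limit Cancel-Job Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Driverless IPP queue (CUPS "everywhere" model) aimed at the printer, shared on the LAN.
install_queue() {
  lpadmin -p "$QUEUE" -E -v "ipp://${PRINTER_IP}/ipp/print" -m everywhere \
    -o printer-is-shared=true
  cupsctl --share-printers
}

apply_all() {
  render_cupsd_conf > /etc/cups/cupsd.conf
  systemctl restart cups
  install_queue
}

# Sourcing the file only defines the helpers; pass --apply as root to act.
if [ "${1:-}" = "--apply" ]; then apply_all; fi
```

Users authenticate with their local account on the server (or whatever PAM backend CUPS is configured with), so a phone that cannot reach the printer directly has no unauthenticated path left.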
walks-beneath-treees@reddit (OP)
Yes it does have authenticated printing. We're going to create a separate VLAN for the phones, and have the printers talk to the server only, and try to have users authenticate against it to print.
Educational_Boot315@reddit
While I do agree that corporate network and guest network should be different, seeing as your company isn't even doing the bare minimum now makes me suspect you really aren't in a position to roll out 802.1x, and getting the preshared key is trivial.
But also we don’t block AirPrint because we have company issued phones and tablets, and even if we didn’t, people printing from a BYOD device shouldn’t be that big of a deal.
This is an employee abusing company resources, which you most likely (or really should) have a policy around. It’s an HR issue.
walks-beneath-treees@reddit (OP)
They do the bare minimum because no one cared and my budget requests were all denied.
I know, it sounds like a bad place to work in indeed. This year's management seems to care a little bit more to allow me some budget to work with.
And I told the manager that this is an HR issue and we can't solve this kind of problem with technology. Said employee is doing some other bad stuff, but the public sector / government has this kind of problem when some people have ties to a politician etc.
Frothyleet@reddit
Sometimes you have to say, "here is the technical solution for your problem, it costs $X".
If they don't think solving the problem is worth $X, that's totally up to them. They could also try telling employees not to abuse their printer privileges.
walks-beneath-treees@reddit (OP)
Management we had until last year gave zero *** about anything regarding security, licensing etc. It kinda made me wary of saying: "we need to buy something to solve this problem". This year's management is taking things more seriously... I told her about the VLANs and the software we might need to purchase to solve the problem, and she told me to start looking for solutions..
stufforstuff@reddit
Get a real business printer that requires key codes to print. Bill usage to the users code. You're trying to fix a human problem with a tech solution - that NEVER works.
countsachot@reddit
Device isolation.
TerrificVixen5693@reddit
I just HAD to repost for r/shittysysadmin
jfernandezr76@reddit
Make the head of the lawyers talk to the employees and to set rules about that.
zatset@reddit
Lexmark printers can be set up to require a PIN to be entered before a copy is printed.
Phones should be on a separate network. The least you can do is set up another subnet for them and set up deny rules to the IPs of the printers on the router/firewall you use.
anonymousITCoward@reddit
I think they use wireless direct... see if you can disable it on the printer...
crystalbruise@reddit
The easy fix without full tools was network-level control, put printers on a separate VLAN and only allow print server IPs to talk to them. Then disable AirPrint/mDNS so phones can’t see them, but still allow scanning via the server. Not perfect, but it works.
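The network-level control described in this comment (and in the earlier "deny rules to the IPs of the printers" suggestion), as an added example rather than anything from the thread: an nftables ruleset for a Linux router sitting between the VLANs that lets only the CUPS server open connections to the printers and drops the phone VLAN's attempts with a log line. All subnets and addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): inter-VLAN firewall policy for the
# printers. Only the print server may initiate IPP/raw-port sessions to the
# printer VLAN; the BYOD/phone VLAN is logged and dropped; everything else to
# the printers is dropped. Printer-initiated scan uploads to the server still
# pass (forward policy is accept, and replies match ct state established).
set -eu

PRINTER_NET="${PRINTER_NET:-192.0.2.0/28}"    # assumed placeholder: printer VLAN
PHONE_NET="${PHONE_NET:-198.51.100.0/24}"     # assumed placeholder: BYOD / phone VLAN
PRINT_SERVER="${PRINT_SERVER:-203.0.113.5}"   # assumed placeholder: Debian CUPS server
RULE_FILE="${RULE_FILE:-/etc/nftables.d/printer_acl.nft}"  # assumed path

render_nft_ruleset() {
  cat <<EOF
#!/usr/sbin/nft -f
table inet printer_acl {
  chain forward {
    type filter hook forward priority filter; policy accept;

    # Replies to sessions already opened by the print server, or by the
    # printer's own scan-to-server upload.
    ct state established,related accept

    # The print server alone may speak IPP (631) and raw/JetDirect (9100)
    # to the printer VLAN.
    ip saddr ${PRINT_SERVER} ip daddr ${PRINTER_NET} tcp dport { 631, 9100 } accept

    # Phones: log the attempt so the abuse is visible in the journal, then drop.
    ip saddr ${PHONE_NET} ip daddr ${PRINTER_NET} log prefix "byod->printer " drop

    # Nothing else reaches the printers at all.
    ip daddr ${PRINTER_NET} drop
  }
}
EOF
}

# mDNS/Bonjour is link-local multicast and does not cross a router unless a
# reflector (e.g. avahi) is configured on it, so with separate VLANs the phones
# cannot even discover the printers, while the server's CUPS queue can still be
# advertised on the office VLAN.
apply_ruleset() {
  mkdir -p "$(dirname "$RULE_FILE")"
  render_nft_ruleset > "$RULE_FILE"
  nft delete table inet printer_acl 2>/dev/null || true
  nft -f "$RULE_FILE"
}

if [ "${1:-}" = "--apply" ]; then apply_ruleset; fi
```

Run with `--apply` as root on the router; `journalctl -k | grep byod` then shows which phone addresses are still trying.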
Waretaco@reddit
Having technical solutions in place is a good start, but it should be followed up with a corporate Acceptable Use Policy employees agree to so they know and can be held accountable for use of company resources.
Geek_Wandering@reddit
Block access to the printers' IPs from the WiFi.
BackseatGamers-Jake@reddit
Find a new job. That environment sounds like a nightmare.
Calm-Show-9606@reddit
Try having a senior manager, preferably the CEO, send an email to everyone announcing unauthorized use of printers will be a 3 day suspension without pay! Specifically use of printers by phones. I know places that ban personal phones while at work.
publicdomainadmin@reddit
What an annoying suggestion.
toebob@reddit
It’s no more annoying than management expecting IT to enforce limits on the use of office supplies. Management is more concerned about the volume of printing and the use of toner and paper than they are about security.
publicdomainadmin@reddit
Never should an issue so trivial result in messing with payroll. You need to screw your head on right if you think impacting people's payroll is EVER a right move. Progressive discipline exists for a reason: casual warning, verbal warning, written warning, then maybe we talk about consequences. Nuclear option straight out of the gate is an insane take.
Ztoffels@reddit
You know what's an insane take? Using a printer that's not yours to print personal shit, so much shit that in 3 months you already printed half of last year's prints….
publicdomainadmin@reddit
Then there is a process of discipline and review for that. You can't pre-suspend people without pay under a blanket warning like that.
Ztoffels@reddit
I understand that legally, its not viable.
But in my Tyranny world, that should happen.
shigdebig@reddit
These people are stealing from the workplace. They should be warned and fired. This isn't a technology problem.
BoltActionRifleman@reddit
Agreed, if they walked in and took the equivalent amount out of the cash drawer they’d likely be fired on the spot. It’s in no way excessive to tell employees they’ll be suspended without pay for stealing. If anything, it’s a bit lax.
SOMDH0ckey87@reddit
Just blacklist their phones' MACs from the network
Expensive_Plant_9530@reddit
Better to whitelist allowed devices, especially with MAC address randomization being a common feature of modern smartphones.
SOMDH0ckey87@reddit
That’s what I meant
Rubenel@reddit
Most mobile devices use private MAC addresses. This suggestion is useless.
jimboslice_007@reddit
Yeah, phones shouldn't be on the same network as anything else.
Expensive_Plant_9530@reddit
Note, you mentioned Papercut: If your org qualifies as non-profit, Papercut NG has insane pricing discounts. Highly recommended.
You can opt for a one time payment, or you can pay a yearly maintenance fee that covers support and upgrades.
Honestly the biggest issue here is you need to control access.
Why are personal devices allowed on the network at all?
If personal devices must be allowed for other reasons, you need to set up some VLANs and ACLs that disallow the network personal devices connect to from reaching the network that the printers live on.
Isolate them.
Also Macs don’t “need” AirPrint to print. You just need to install the proper drivers.
AlkalineGallery@reddit
We print to a central print server and can release a print on any printer with a badge swipe. Secure and easy to use. Win win.
deadnerd51@reddit
This seems very much like a network issue. Personal devices should not be on the corporate network. Separate Corporate + Staff / Guest networks would fix this.
bughunter47@reddit
What exactly are they printing, is the material company related or personal use?
You can isolate via virtual network your wireless internet network from your wired net, disable wireless print on the printers. This will force users to print only from physically network connected machines.
theoriginalzads@reddit
Honestly if they don’t decide to proceed with network segregation and don’t do some basic device management I’d suggest looking for a new job. They’re just waiting for a bigger problem to happen and you don’t wanna be there when it happens.
Secret_Account07@reddit
What?
How are users phones getting on the private network? Are your printers reachable from Guest/Public WiFi?
charlyAtWork2@reddit
We put the printer offline and users come with their laptop and connect with USB. It feels a bit like the 80s, and it works well.
LevarGotMeStoney@reddit
Add the printer from the print server to your user's macbooks and disable airprint on the printer itself.
ludlology@reddit
All the linux paths you mentioned are using a hammer to drive a screw
Just put the printer on its own network and use firewall rules to block what has access to it.
If all these phones are byod, they should also be on their own network.
Cold-Abrocoma-4972@reddit
Have to limit network connection from printer to CUPS box only.
Should be a way to get avahi on cups to act as airprint proxy