HP JetAdvantage Security Manager User Manual

Technical white paper
HP JetAdvantage Security Manager
Release Notes v3.5
Overview
Key Features
What's New in Security Manager 3.5?
  Features and Usability Improvements
  New Policy Items and policy changes
  New Devices Supported
  Fixes
Software Notes and Known Issues
Installation
  Installation Notes
Supported Operating Systems and Databases
  Operating Systems
Hardware Requirements
  Notes
VMware and Hypervisor Support
  Requirements
Solutions
Network Port Assignments
  Ports diagram
Appendix A
  Release History
Appendix B
  Links to HP Security Manager Whitepapers
Overview
Announcing HP JetAdvantage Security Manager 3.5, the latest release of the industry's first policy-based solution that helps you increase security, strengthen compliance, and reduce risk across your imaging and printing fleet. With Security Manager, you can gain control of your fleet by enabling an effective, policy-based approach to securing HP imaging and printing devices. Through the intuitive and intelligent security policy editor, you can easily create a custom and comprehensive device security policy that is suited for your specific environment.
A Security Manager Base Policy template is provided as a great place to begin creation of a custom security policy or to use as is, if appropriate, as a baseline security policy for your environment. You can schedule the Assess and Remediate task to execute on a daily, weekly or monthly basis to monitor the print environment for settings that do not comply with the chosen security policy, and then automatically return those settings to the policy-specific state. In addition, the Security Manager Instant-On Security feature can place your HP imaging and printing device into the desired security state, as soon as it is attached to the network. The Instant-On Security feature is also invoked when the device is cold-reset or changes IP addresses.
Security Manager also offers a Fleet Certificate Management solution. This feature eliminates the manually deployed, singular device, network certificate implementation process and replaces it with an automatic, fleet based, security policy centered method of certificate management. By using this feature, you can easily replace the default device self-signed certificate with an authorized Certificate Authority (CA) signed certificate and manage it for validity, expiration, and revocation. Implemented as an extension of the Security Manager policy editor, this solution handles network certificate management as a background task like any other Security Manager assessment and remediation.
Key Features
The Security Manager Instant-On Security feature allows supported devices to automatically locate the Security Manager server and receive your company-approved device security policy as soon as the device is attached to the network. Instant-On Security then maintains policy-based compliance through device resets and address changes.
The Security Manager Policy Editor allows print administrators with minimal security knowledge, as well as experienced security administrators, to build a valid, comprehensive security policy to deploy across the HP imaging and printing fleet. The Policy Editor provides security setting intelligence through basic definitions, recommendations, validations and constraints to ensure creation of a valid policy. A Security Manager Base Policy template is provided as a great place to begin creation of a custom policy or to use as is, if appropriate, as a baseline policy for your environment.
Security Manager can be scheduled to assess and remediate devices on a daily, weekly or monthly basis. When configured in this fashion, Security Manager automatically assesses your fleet for its current settings and returns non-compliant settings to the desired state of the security policy used in the assessment. Unlike other management tools, Security Manager only fixes what is out of compliance, then reports exactly which settings were out of compliance and had to be remediated. This is valuable in understanding where vulnerabilities exist in your environment.
The Security Manager Certificate Management solution replaces a manual, highly interactive network certificate deployment process with an automated policy-based solution that deploys and manages network certificates like any other assessed and remediated Security Manager device security setting. Automated fleet deployment of Certificate Authority (CA) signed certificates to accommodate encrypted printing, 802.1X protected network authentication and other print environment related encryption/authentication needs is now possible with this solution.
What’s New in Security Manager 3.5?
Features and Usability Improvements
110979/109115 Migration to .NET 4.8. .NET 3.5 is no longer needed
103558 Added account lockout after repeated invalid passwords. Account lockout is configurable in the web.config file (the already existing AutoLogOut option can be enabled in the same file)
109620 Added Malay and Spanish localization
109219 SMB2 and SMB3 can now be disabled via the expanded policy item SMB/CIFS (Shared Folder)
109711/110863 Additional ciphers have been added to the policy item Web Encryption Settings or Active Ciphers
109226/111922 Added support for Chromium-based Microsoft Edge 79 or higher
110094 Added support for using System Name in the From Address of the Outgoing E-mail (SMTP) policy item under Shared Items
110519 HPSM services can run as a local user
110991 Changed default timeouts and retries to EAPRetry = 1, snmpRequestTimeout = 5000 and timeBetweenEapRetry = 1000
108681 Added support for licenses with different end dates in the UI
10560/110010 Support for device-level assessment of remediation history and alerts, at device level and in the dashboard
109851 HPSM now uses the asset identifier from pfirmware.glf to find the corresponding firmware level for a device
109827 Added Advanced option for filter creation
107944 Added CA certificate support for Zebra devices
110675 Added ID certificate support for Zebra devices
109211 Installer now contains SQL Express 2019
109706 HPSM installer now asks for credentials before creating/updating the database
109461 Added option under Settings, General to automatically delete devices that have had the status "network connection error" for x number of days
109260 Added configuration options in hpsm_service.exe.config to either add a device with the same IP address or hostname, or to overwrite a device with the same IP address or hostname
111029 EST (Enrollment over Secure Transport, RFC 7030) certificate management added. This is currently in beta
108834 Qualys Service Integration (beta)
109615 The words "Use Default Credentials" have been changed to "Specify Credentials" for the Email Server Settings
109667 The InstallDBrmt.bat script has been renamed to InstallOrUpgradeRemoteDB.bat. The InstallSQLScripts.zip file now contains a Readme_InstallSqlScripts.txt
110580 The term Alerts has been renamed to Alert Subscriptions
New Policy Items and policy changes
1009779 E-mail domain restriction
109207 The configuration option Digital Send has been renamed to Job Behavior
109514 Descriptions on preventing email spoofing have been improved in the policy item Outgoing E-mail (SMTP)
110762 The configuration option System logging has been renamed to Syslog (System logging)
110802 Links to all existing whitepapers have been added to the HPSM built-in help
110781 The Group filter option has been renamed to Group membership and all the filter options now work
111467 DAT log files now use the same time settings as the other HPSM log files, i.e. local time instead of UTC
110826/109247 Added descriptive comments for configurable parameters in the HPSM configuration file and improved existing descriptions
109029 Renamed Jet Advantage Link to HP Workpath (HP JetAdvantage)
111342 The names of the Stored Data PIN Protection configuration options are now in sync with FutureSmart 4, and the word Temporary has been added to Retain Print Jobs After Reboot and Job Storage Limit
111502 IRM Authentication has been added to HPSM and the descriptions of the existing HPAC authentications have been updated
New Devices Supported
HP Color LaserJet Enterprise M554
HP Color LaserJet Enterprise M555
HP Color LaserJet Enterprise MFP M578
HP DesignJet T650 24-in
Managed devices:
HP Color LaserJet Managed MFP E77428
HP LaserJet Managed MFP E72535
HP LaserJet Managed MFP E72430
Fixes
109070 Performance issues and DB growth no longer occur when policy change notification is enabled
109917 Web mail can now be configured in the HPSM UI for Automated Report Settings, as it is no longer required to fill in a Domain
110353 The Application Event Log no longer shows "incorrect syntax near ')'" during nightly maintenance when Remove historic data is set to x number of days
109614 Email server settings can now be saved without specifying user credentials
109961 HPSM no longer hangs on the Export page (with CPU possibly at 100%) when a long or invalid email address is entered
109907 HPSM now accepts an email address that contains a plus sign (+)
110997 When SNMPv3 credentials are wrong, HPSM no longer attempts twice with the wrong credentials during verify
110998 When SNMPv3 credentials are wrong, HPSM no longer tries 6 times to set 3 OIDs
111369 Parent tasks are now marked as completed if an exception occurs while getting data from the DB
109860 The default Delete Rule has been changed from No Action to Cascade for foreign keys such as FK984CDE507E9133 on RecToReasonsTable, which prevents intermittent stale database errors
110549 Performance when remediating the EWS password while the device is set to SNMP read-only has been improved
111167 Instant-On now also uses the global credentials if the device-specific credentials are not valid for the device
112394 HP devices that have SNMPv3 configured and SNMPv1 disabled no longer end up in a credentials error during discovery/verify/remediation
110990 After manually importing devices into a group, the number of devices in the group now matches the discovery list
110918 HPSM can now install a certificate on Z9 when CSR Source is set to HPSM
109215 HPSM can now remediate SNMP settings on an LJM404 over a secure connection if SNMPv3 configuration is available in the policy
111591 When Hostname Resolution is disabled, manual discovery no longer performs a hostname resolution
111180 HPSM can now configure SNMPv3 settings (username remains empty) on HP LaserJet 400 MFP M425
109274 When applying an SNMPv3-only policy, HPSM no longer reports "unable to remediate" with an SNMPv1 credential error when the device is configured for SNMPv3 only
111738 ID certificate installation using the Venafi SCEP service now downloads the certificate from the Venafi SCEP server correctly
111368 The Syslog Server IP is now removed from a device during remediation of a policy with syslog disabled
Software Notes and Known Issues
111911 The groups pane on the left might show a different number of devices for a group than the main window/pane lists. This can happen even after pressing the Refresh button for the groups section (left pane) and for the devices screen (right pane). Workaround: run the following script on the HPSM database:
USE HPIPSC;
-- Delete unused DeviceNodeIdentity entries
DELETE FROM dbo.DeviceToDeviceNodeIdenityTable
WHERE Device_ID NOT IN (SELECT ID FROM dbo.DeviceTable WHERE state = 2);
113300 The manual maintenance script and nightly maintenance are not making the recommendations table smaller. This will be fixed in HPSM 3.6. Workaround: see 112833.
112833 The nightly maintenance task fails due to too many parameters (HPSM_Service.log shows: "The incoming request has too many parameters. The server supports a maximum of 2100 parameters"). This will be fixed in HPSM 3.6. Workaround for 113300 and 112833: run the following script regularly (weekly/biweekly) on the HPSM database. It permanently deletes recommendation history older than @DeleteOlderThan days in batches of 10,000 rows, so take a database backup first:
USE HPIPSC;  -- HPSM database name
DECLARE @X INT = 1;
DECLARE @DeleteOlderThan INT = 10;  -- Days. Records older than this will be deleted.
WAY:
SELECT TOP 10000 * INTO #NEWTABLE FROM (
    SELECT rec.ID AS recID, rToret.KEY_ID AS rToretID, rt.ID AS rtID, rvt.ID AS rvtID,
           rTorv.ID AS rTorvID, rTorat.KEY_ID AS rToratKEY_ID, rat.ID AS ratID,
           av.ID AS avID, raTop.ID AS raTopID
    FROM dbo.RecommendationTable rec
    LEFT OUTER JOIN dbo.RecToReasonsTable rToret ON rToret.KEY_ID = rec.ID
    LEFT OUTER JOIN dbo.ReasonTable rt ON rt.ID = rToret.Reason
    LEFT OUTER JOIN dbo.ReasonToReasonValuesTable rTorv ON rTorv.ID = rt.ID
    LEFT OUTER JOIN dbo.ReasonValueTable rvt ON rvt.ID = rTorv.ReasonValue_ID
    LEFT OUTER JOIN dbo.RecToRecommendationActionsTable rTorat ON rTorat.KEY_ID = rec.ID
    LEFT OUTER JOIN dbo.RecommendationActionTable rat ON rat.ID = rTorat.RecommendationAction
    LEFT OUTER JOIN dbo.AssessmentValueTable av ON av.ID = rat.ActionValue_REF
    LEFT OUTER JOIN dbo.RecActionsToParametersTable raTop ON raTop.ID = rat.ID
    WHERE rec.Date < GETDATE() - @DeleteOlderThan
       OR rec.AssessmentAndPolicyUniqueID NOT IN (
           SELECT DISTINCT dal.assessmentAndPolicyUniqueID
           FROM dbo.DeviceAssessmentLogTable dal
           WHERE dal.State = 2)
) AS Sub1;
-- SELECT COUNT(*) FROM #NEWTABLE;
DELETE a FROM dbo.RecToRecommendationActionsTable a INNER JOIN #NEWTABLE B ON a.KEY_ID = B.rToratKEY_ID;
DELETE a FROM dbo.RecToReasonsTable a INNER JOIN #NEWTABLE B ON a.KEY_ID = B.rToretID;
DELETE a FROM dbo.RecommendationTable a INNER JOIN #NEWTABLE B ON a.ID = B.recID;
DELETE a FROM dbo.ReasonToReasonValuesTable a INNER JOIN #NEWTABLE B ON a.ID = B.rTorvID;
DELETE a FROM dbo.ReasonTable a INNER JOIN #NEWTABLE B ON a.ID = B.rtID;
DELETE a FROM dbo.ReasonValueTable a INNER JOIN #NEWTABLE B ON a.ID = B.rvtID;
DELETE a FROM dbo.RecActionsToParametersTable a INNER JOIN #NEWTABLE B ON a.ID = B.raTopID;
DELETE a FROM dbo.RecommendationActionTable a INNER JOIN #NEWTABLE B ON a.ID = B.ratID;
DELETE a FROM dbo.AssessmentValueTable a INNER JOIN #NEWTABLE B ON a.ID = B.avID;
SET @X = (SELECT COUNT(*) FROM #NEWTABLE);
DROP TABLE #NEWTABLE;
IF @X = 10000 GOTO WAY;
107960 An assessment or assessment-and-remediation task for HP DesignJet Z3200ps 24in Photo, HP DesignJet Z2600 PostScript, HP DesignJet Z6600 and HP DesignJet T7100 devices will fail even though the device is supported by HPSM. This issue is under investigation by HP.
112215 HPSM shows status ERROR when remediating an HP FutureSmart printer with a policy that includes disk encryption status after performing a partial clean on the device with a USB drive inserted. This is under investigation.
112383 The HPSM built-in help for Admin (EWS) password does not mention that Admin (EWS) password is also supported for Zebra devices.
112029 Some HPSM configuration values are not updated after an upgrade. HPSM 3.5 has the following new default settings:
PolicyChangeNotification disabled
EAPRetry = 1
snmpRequestTimeout = 5000
timeBetweenEapRetry = 1000
During an upgrade, PolicyChangeNotification will always be disabled, regardless of its value in 3.4. If this does not match the desired behavior, change the settings in the hpsm_service.exe.config file and restart the HPSM service.
112349 Unable to remediate SNMPv3 settings with a policy that disables SNMPv1 and enables SNMPv3 with a non-complex passphrase, while the device was enforcing strong encryption for SNMPv3 before the policy was applied. After attempting this combination the device ends up in a credentials error with both SNMPv1 and SNMPv3 disabled, i.e. unmanageable over SNMP. Workaround: always use a complex passphrase in the policy for SNMPv3. This issue will be fixed in a future release of HPSM.
112301 When a user switches from one non-English language to a different non-English language, the fonts and styles do not load properly.
Resolution: Refresh the browser or open HPSM in a new browser tab.
109548 The HPSM installer uses PowerShell script files (CheckIISInstalled.ps1 and IISInstall.ps1) to install HPSM. These scripts are not signed, so installation fails if the local PowerShell execution policy does not allow unsigned scripts to run. Resolution: temporarily allow unsigned PowerShell scripts to run during HPSM installation, and restore the previous policy afterwards.
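One way to satisfy 109548 without leaving the execution policy permanently relaxed is to change it only for the console session that launches the installer. The script below is an added example, not part of the HP release notes or the HPSM installer; the installer path is made up, and it assumes the installer is started from this elevated console so that the powershell.exe it spawns for the two .ps1 files inherits the process-scope policy.

```powershell
# Added example, not part of the HP release notes or the HPSM installer.
# Assumption: the installer executable sits at $Installer (path made up for
# this example). Run from an elevated PowerShell console so the installer
# does not have to relaunch itself.
$Installer = 'C:\Temp\HPSM\HPSM_Installer.exe'   # assumed path

# 1. A policy enforced through Group Policy (MachinePolicy/UserPolicy scopes)
#    cannot be overridden by Set-ExecutionPolicy; detect that first.
$enforced = Get-ExecutionPolicy -List |
    Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined' }
if ($enforced) {
    throw "Execution policy is enforced by Group Policy ($($enforced.Scope -join ', ')); ask the GPO owner for an exemption"
}

# 2. Relax the policy for this process only. Process scope is carried in the
#    environment variable PSExecutionPolicyPreference, which child processes
#    (the installer and the powershell.exe it spawns for CheckIISInstalled.ps1
#    and IISInstall.ps1) inherit. Nothing is written to the registry, and the
#    change disappears when this console closes.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
"Effective policy for this process: $(Get-ExecutionPolicy)"

# 3. Run the installer as a child of this process and wait for it.
$proc = Start-Process -FilePath $Installer -Wait -PassThru
"Installer exit code: $($proc.ExitCode)"

# 4. Show that no persistent scope (CurrentUser, LocalMachine) was touched.
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

RemoteSigned allows unsigned scripts created locally; if the installer's scripts were extracted from a downloaded archive and carry the Mark of the Web, either run Unblock-File on them or use Bypass instead of RemoteSigned in step 2. Either way the change is confined to this process.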
110914 Unable to install an ID certificate on DesignJet T790 and Z6 when the device is set to a non-English language. The following error message is shown: "The certificate request returned from the printer was empty". This is caused by a firmware limitation. Resolution: change the language of the device to English before installing the ID certificate with HPSM.
112568 HPSM does not send an email after finishing a remediation task if one of the devices in the group has a network connection error. Instead the task details show: "Error while sending automated email. Invalid email address." This issue does not occur on new installations.
111092 HPSM cannot install an ID certificate on T790 and T1300 devices that have an HP JetDirect 640N. This issue is under investigation.
Older versions of Web Jetadmin may not have assigned rights for Network Service to use its self-signed certificate. If so, Instant-On Reflection will fail when attempting to add Instant-On discovered devices to that Web Jetadmin installation. Manually assign rights for Network Service to use the self-signed certificate to resolve this.
The Email Summary Remediation report sent via email claims devices were remediated successfully even when they are powered down and cannot have been remediated.
Upgrades from version 2.1.2 directly to version 3.1 or beyond are not supported and will result in
tasks being unable to run. Upgrade to version 2.1.4 or 2.1.5 first from version 2.1.2 before upgrading to version 3.1 or beyond.
A locked policy automatically becomes unlocked after 2 hours.
For better representation of pages, maximum recommended zoom is 150%.
For the Web Encryption Strength individual ciphers, a device status can display as Network Connection Error if the device is verified after applying a policy with the RC4-SHA and RC4-MD5 ciphers enabled. To communicate, server and client must share at least one supported cipher. If a device is set to use RC4-SHA/RC4-MD5 as its active ciphers after remediation, but the operating system of the Security Manager server does not support these ciphers, a Network Connection Error is displayed. RC4-SHA and RC4-MD5 are considered weak ciphers and are not supported by the operating system.
DesignJet devices do not allow the device guest permission to be configured from Security Manager under Role Based Access Control if the devices are not configured with an Admin password.
If a policy has Subject Alternative Names (SANs) enabled with a Domain name entered so that the User Principal Name (UPN) is included as a SAN, the UPN is sent as 'username@domainName' in a DNS entry. This is not accepted by an OpenTrust CA.
If the browser security level is set to High, Security Manager will not be able to perform any file-related operations in IE until the security level is set to any other level.
Installation
The Security Manager software is provided as a universal installation executable that is compatible with all supported operating systems. Installation options include a full local install or a full local install with a remote database option. For proper Security Manager installation and operation, specific Microsoft software must be present.
The requirements are listed below:
Microsoft .NET Framework 4.8.
Microsoft SQL Server Database
Microsoft Internet Information Services (IIS) - (part of installation script)
If these are not present on the system, the installation process installs some of the required software. This includes the option to install the Microsoft SQL Server Express 2019 database which is bundled with the product.
Note: SQL Express 2019 is not supported on all operating systems. When using an operating system on which SQL 2019 is not supported, you must manually install an older version of SQL Server (Express) before starting the HPSM installer.
Installation Notes
The browser-based interface requires Internet Information Services (IIS) in order to operate. The installer will verify that IIS is enabled with the proper settings and will offer to enable them if desired. The Installation Guide specifies the IIS settings to enable if you prefer to do this manually. If the installer fails to set some of the IIS settings, it may be necessary to configure them manually. Since the installer attempts to enable IIS, it may prompt for a machine restart.
The browser-based interface is set to use port 7637 by default during installation. Security Manager is launched in a browser as https://localhost:7637. If you want to change this port, edit the bindings for the HPSM web site in IIS Manager.
The browser-based interface offers the ability to use an existing server certificate or to create a self-signed certificate during installation. The self-signed certificate encrypts the data between client and server, while a certificate issued by a trusted CA not only encrypts data but also provides assurance that the server is who it says it is. IIS always looks up and binds the server certificate from the Personal store of the computer account. The identity certificate needs to carry the "Server Authentication" enhanced key usage in order to provide trust.
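The two checks above (the certificate must be in the computer account's Personal store and must carry the Server Authentication EKU) and the optional port change can be verified from PowerShell against the live IIS binding. The following is an added example, not part of the HP release notes; it assumes the IIS site is named "HPSM" and that the WebAdministration module (IIS Management Scripts and Tools) is installed.

```powershell
# Added example, not part of the HP release notes or the HPSM product.
# Assumptions: the IIS site is named "HPSM" and the WebAdministration module
# (IIS Management Scripts and Tools) is installed. Run in an elevated session.
Import-Module WebAdministration

$SiteName = 'HPSM'   # assumed IIS site name
$NewPort  = 7637     # set to another value to move the UI off the default port

$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) { throw "Site '$SiteName' has no HTTPS binding" }
$currentPort = [int]($binding.bindingInformation -split ':')[1]

# IIS resolves the certificate by thumbprint in the store named on the binding;
# for HPSM that should be the Personal (My) store of the computer account.
$thumb = $binding.certificateHash
$store = $binding.certificateStoreName
$cert  = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $thumb
if (-not $cert) { throw "Certificate $thumb not found in LocalMachine\$store" }

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). A certificate with no EKU
# extension at all is valid for any purpose, so only an EKU list that omits
# the OID is a problem.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ })
$hasServerAuth = ($ekus.Count -eq 0) -or ($ekus.ObjectId -contains $serverAuthOid)

[pscustomobject]@{
    Port          = $currentPort
    Store         = "LocalMachine\$store"
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
    ServerAuthEKU = $hasServerAuth
    HasPrivateKey = $cert.HasPrivateKey
    ChainTrusted  = $cert.Verify()      # false for the installer's self-signed cert
    DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
} | Format-List

if (-not $hasServerAuth)     { Write-Warning 'Certificate lacks the Server Authentication EKU; browsers will not trust it for HTTPS' }
if (-not $cert.HasPrivateKey) { Write-Warning 'No private key in the store; IIS cannot serve this certificate' }

# Optional: move the UI to another port. The IIS site binding and the http.sys
# SSL binding (IIS:\SslBindings) are separate objects, so both are updated.
if ($NewPort -ne $currentPort) {
    Set-WebBinding -Name $SiteName -BindingInformation $binding.bindingInformation -PropertyName Port -Value $NewPort
    $sslPath = "IIS:\SslBindings\0.0.0.0!$NewPort"
    if (-not (Test-Path $sslPath)) { New-Item $sslPath -Value $cert | Out-Null }
    "HPSM UI now listens on https://$($env:COMPUTERNAME):$NewPort; update firewall rules to match"
}
```

ChainTrusted reports false for the installer's self-signed certificate, which is expected; it becomes true once a CA-issued certificate whose chain the server trusts is bound, which is the "trust that the server is who it says it is" the notes describe.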
The browser-based interface supports Microsoft Internet Explorer, Google Chrome and Chromium-based Microsoft Edge. The following settings may need to be configured on certain machines or operating systems if Security Manager is having difficulty loading:
o Internet Explorer may require the "Display intranet sites in Compatibility View" box to be unchecked under Compatibility View Settings if the Security Manager login screen does not appear.
o Internet Explorer may require the "Bypass proxy server for local addresses" box to be checked under Internet Options, Connections, LAN Settings if the Security Manager login screen does not appear.
o Windows 10 may require HTTP/2 to be disabled if Security Manager continually logs out the user. This can be done either in the browser or on the server side.
Newer versions of Google Chrome: launch Chrome with HTTP/2 disabled from the Run prompt by typing "chrome.exe --disable-http2".
Server side (http.sys, which serves IIS and therefore the HPSM web site): open the registry and add two DWORD values with data 0:
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Cleartext DWORD 0
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Tls DWORD 0
The values are read when the HTTP service starts, so a restart is required for them to take effect.
Depending on the system state, installation/uninstallation may prompt for a system restart. This is caused by Windows Installer finding a particular value in the registry. A workaround, rather than rebooting, is to delete that registry value if it exists:
o HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
This value lists file operations queued by other installers or Windows Update to be completed at the next boot; deleting it discards those operations, so prefer a reboot when one is possible.
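Both registry changes in the notes above (the HTTP/2 values under HTTP\Parameters and the PendingFileRenameOperations value) are easy to apply and hard to undo blindly, so the added example below reads and records the existing state before touching anything. It is not part of the HP release notes; the $DiscardPendingRenames switch is an invented name for this example.

```powershell
# Added example, not part of the HP release notes. It performs the two registry
# changes described above while recording what was there before. Run elevated.
$DiscardPendingRenames = $false   # set to $true only after reviewing the list printed below

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# --- HTTP/2 in http.sys. This is the server side (IIS, hence the HPSM site),
#     not the browser. http.sys reads the values at start-up, so a reboot is
#     needed before they take effect. A missing value means "enabled".
foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
    $before = (Get-ItemProperty -Path $httpParams -Name $name -ErrorAction SilentlyContinue).$name
    Set-ItemProperty -Path $httpParams -Name $name -Value 0 -Type DWord
    '{0}: {1} -> 0' -f $name, $(if ($null -eq $before) { 'absent (enabled)' } else { $before })
}
# To re-enable later: Remove-ItemProperty -Path $httpParams -Name EnableHttp2Tls, EnableHttp2Cleartext

# --- PendingFileRenameOperations is a REG_MULTI_SZ of source/target pairs that
#     Windows applies at the next boot on behalf of other installers and
#     Windows Update. Deleting it silences the installer's reboot prompt at the
#     cost of losing those queued operations, so list them first.
$pending = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if (-not $pending) {
    'No PendingFileRenameOperations value present; a reboot prompt has another cause.'
} else {
    'Operations a reboot would complete:'
    $pending | Where-Object { $_ } | ForEach-Object { "  $_" }
    if ($DiscardPendingRenames) {
        Remove-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations
        'Value deleted; rerun the HPSM installer now.'
    } else {
        'Left in place. Reboot, or set $DiscardPendingRenames = $true and rerun to delete it.'
    }
}
```

Entries in the pending list that point at files belonging to a half-applied Windows update are the case where deleting the value is most likely to leave the machine in an inconsistent state; if any appear, reboot instead.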
Users need to be re-added to the HPIPSC group after software upgrade.
Licenses need to be re-loaded if the operating system is upgraded.
Licenses need to be re-added if the database is being restored from 2014 to 2016 SQL Express.
The Security Manager service must have the proper permissions to access the Security Manager database. If the service and database are installed on the same computer, the installation process manages the assignment of database permissions. If the service and the database are installed on separate computers, you must configure the correct permissions for the remote database. For complete Security Manager installation information, see the Security Manager Installation and Setup Guide at www.hp.com/go/securitymanager. Also see the whitepaper titled "HP JetAdvantage Security Manager - Using Microsoft® SQL Server" for more information.
If a firewall is installed on the computer on which the Security Manager service runs, and the service will be accessed from the user interface on a remote computer, the firewall must be set to allow access to the service. The older Security Manager service listens on port 8002, which must be opened in the firewall to allow remote access to the service. The new browser-based interface listens on port 7637 by default. If you do not want to allow remote access to the Security Manager web service for either version, block the respective ports with a firewall.
For complete uninstallation, all the HPSM installation files/folders should be closed before uninstalling.
Supported Operating Systems and Databases
Operating Systems
Client and Server
Windows 8
Windows 8.1
Windows 10
Microsoft Server 2008 R2
Microsoft Server 2012
Microsoft Server 2012 R2
Microsoft Server 2016
Microsoft Server 2019
Note: Windows 7 SP1 is no longer tested. Therefore, it is no longer officially supported but can be used at the customer's own risk. Also, only 64-bit operating systems are tested.
Tested Browsers
Microsoft Internet Explorer 11 and greater
Google Chrome v70.0 and greater
Microsoft Edge, Chromium based, version 79 and greater
.NET Versions
Recommended: .NET 4.8
IIS Versions
Recommended: 7.5 or newer.
Tested Databases
Microsoft SQL Server Express 2014
Microsoft SQL Server 2016
Microsoft SQL Server 2017
Microsoft SQL Server Express 2019 (bundled with HPSM 3.5 installer)
HP JetAdvantage Security Manager requires a Microsoft SQL database to store data. For customers who do not have their own full SQL Server or do not want to use a SQL license, Security Manager bundles a recent version of SQL Server Express that can be installed and used if desired. Since organizations usually upgrade SQL Server less often than operating systems, older versions may be used for quite some time, especially if the applications accessing SQL don't use the features added to the new SQL versions. While Security Manager only tests the two most recent SQL versions at the time of release, there should be no issues using older or newer SQL versions, as Security Manager uses basic calls into the SQL database that would be supported by virtually all SQL releases. Backward and forward compatibility should be present; there just isn't capacity to test the multitude of SQL versions offered over the years.
Hardware Requirements
Server minimum hardware
CPU: Dual-core processor or greater – 2.33 GHz or greater
RAM: 64-bit systems – Minimum 8 GB
STORAGE: Minimum of 4 GB
Client minimum hardware
CPU: PC with 1.8 GHz or greater processor
RAM: 64-bit systems – 4 GB or greater
The following hardware requirements are recommended, especially with the inclusion of IIS for the web-based interface. Microsoft recommends quad core processors and 10 GB RAM for IIS.
Recommended Server Hardware
CPU: 4 or more processor cores – 2.8GHz or higher processor speed
RAM: 64-bit systems – 12 GB or greater
STORAGE – 4 GB or greater
Notes
Connecting to a remote database is made possible through the install process. See the whitepaper titled "HP JetAdvantage Security Manager - Using Microsoft® SQL Server" for more information.
After upgrading to Security Manager 3.1 and beyond from earlier versions, existing policies must be opened in the policy editor and saved to be compatible with Security Manager 3.1.
Before any upgrade or machine restart, it is required that no tasks are in a running state. Otherwise, the tasks will remain in the database in a running state.
For better performance, it is recommended to start new tasks only after the completion of the current task. For example, launch the verification task only after the discovery task is complete.
VMware and Hypervisor Support
Security Manager is supported on VMware and Hyper-V with the Windows versions listed previously.
Requirements
The Supported Operating Systems and Databases listed above, are also supported in VMware and Hyper-V environments. Hyperthreading is optional for VMware and Hyper-V. Reserve memory is required for Hyper-V.
Note 1
If installing Security Manager on a VMware instance, you must use the hardware (MAC) address of that virtual adapter during the ordering of the license file. Be aware that VMware dynamically generates the virtual adapter MAC address and does not guarantee it will remain static during session restarts or power toggling. If the MAC address changes, the print license service will fail to operate properly. Refer to VMware help documentation for instructions on how to configure a static MAC address or how to change the modified MAC address back to original.
Note 2:
Importing a license file might fail on VMware VMs. Resolution: reboot the virtual machine.
Note 3:
SQL 2017 or 2019 is recommended on VMware as testing with older versions and partially disabled TLS settings did show random database connectivity issues.
Solutions
When used with third party solutions or any print or management solution requiring access to the device, the Security Manager Base Policy template, or any template defined to meet the security standards for a company, might require changes to the security settings. See the solution documentation to determine whether policy changes are required to accommodate specific functionality. Care should be taken when creating policies as to not disrupt the operation of any solutions that may be installed on devices.
NOTE: Testing a small number of devices in a sandbox or test environment when solutions are present on devices is highly recommended before applying settings to a fleet, as undesired behavior may occur with certain settings on certain solutions. Solutions may fail to install/operate, or potentially even worse behavior can occur on devices, when some settings are applied to devices with solutions present.
Security settings that have been known to affect either the installation or operation of solutions include:
DNS server configured
SNMP GET Community Name (Read Community Name) required for installation and configuration
EWS password required for installation and configuration
Command Load & Execute enabled
PJL Access Commands enabled
Remote Firmware Updates enabled
Allow PJL Access enabled
PJL Password not set
Legacy Firmware Upgrades enabled (Current versions of firmware are signed with the SHA-256 hashing algorithm. Enabling this option allows installation of legacy firmware signed with the less secure SHA-1 algorithm)
Control Panel Timeout
Please see the whitepaper titled “HP JetAdvantage Security Manager - Policy Editor Settings” for more detailed information regarding settings for solutions.
Network Port Assignments
This section lists the ports used by Security Manager.
Port | Protocol | Service | Notes
Client to Server
7637 (version 3.0+) | TCP | HTTPS | Set during installation; secures data between the browser client and the HPSM server. Can be changed by editing the bindings of the HPSM web site in IIS Manager. HPSM versions 3.0 and beyond.
When configuring firewalls, an administrator can either open up ports used by the application (above table) or allow certain program executables access through the firewall. For the latter, Security Manager includes three separate services represented by four executables:
C:\Program Files (x86)\HP JetAdvantage Security Manager\HPSM_Service.exe
C:\Program Files (x86)\HP JetAdvantage Security Manager\HP Print License Service\HP.Print.License.Host.WindowsService.exe
8002 (version 2.1.5 and prior) | TCP | WCF-NET.TCP | WCF with message encryption; used from a remote client interface to the Security Center service. HPSM versions 2.1.5 and prior.
Server to Devices
80 and 8080 | TCP | HTTP | HTTP communication to devices, used only when SSL/TLS is not supported on the device. Also used to fetch the latest firmware versions from the web if firmware assessments are enabled and configured to retrieve them dynamically.
443 | TCP | HTTPS | Secure HTTP (HTTP over SSL/TLS) communication to devices.
N/A | ICMP | PING | Internet Control Message Protocol; used to check whether a node is reachable.
161 | UDP | SNMP | Simple Network Management Protocol; used for many configuration items on devices as well as for device discovery.
7627 | TCP | SOAP-HTTP | Web service port used to manage communication with FutureSmart devices.
Devices to Server
3329 | TCP | HP Instant-On Security | Secure port (SSL/TLS) used from the device to the Security Manager service for Instant-On discovered devices.
Server to SQL database
1433 | TCP | MS SQL | Standard DB connection from the Security Manager service to a remote SQL database with a default instance. Can be customized in a configuration file.
1434 | UDP | MS SQL Browser service | Standard connection to the SQL Browser service to retrieve the TCP port of a named SQL instance.
dynamic | TCP | MS SQL | Standard DB connection to a named SQL instance using dynamic ports.
Server to Email
25 | TCP | SMTP | Simple Mail Transfer Protocol; typical port used to reach the mail server if the Automated Output feature is enabled. Can be customized under File, Settings, Automated Output.
Server to Certificate Authority
135 | TCP | DCOM/RPC | Certificate management; used between the Security Manager service and the CA server.
Randomly allocated high TCP ports above 1024 | TCP | DCOM/RPC | Certificate management; used between the Security Manager service and the CA server.
Licensing
7000 | TCP | HP Print License Service | Licensing heartbeat between the Security Manager service and the HP Print License service. Communication between two services on the same machine; must be open inbound and outbound.
8888 | TCP | HP Print License Service | Licensing; used between the Security Manager service and the HP Print License service. Communication between two services on the same machine; must be open inbound and outbound.
27000 | TCP | Flexera service
Licensing - port used by the Flexera service (lmgrd.exe). This port is used to communicate between the FlexeraLicensingService and the HP Print License Service. These two services reside on the same machine and therefore this port needs to be open for incoming and outgoing communication.
C:\Program Files (x86)\HP JetAdvantage Security Manager\HP Print License Service\HPQ.exe
C:\Program Files (x86)\HP JetAdvantage Security Manager\HP Print License Service\lmgrd.exe
The only time Security Manager could potentially traverse outside the company firewall is if “Check for Latest Firmware assessments” are enabled in a policy and Security Manager is instructed to dynamically pull the
latest firmware list from the web (Firmware Index File Source set to Web). The Firmware Index File Source can also be configured so that a firmware index file can be uploaded into Security Manager (Firmware Index File Source set to file) rather than having Security Manager dynamically download the latest file from the web, if desired. The latter requires a user occasionally downloading the firmware index file separately from the web outside of Security Manager then importing the file into Security Manager.
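As an added example (not HP's own tooling or part of these release notes), the following PowerShell script turns the port table above into a Windows Defender Firewall rule set on the HPSM server. The SQL Server and CA addresses, the rule group name and the Add-HpsmRule helper are assumptions of this example; the port numbers and executable paths are the ones listed above.

```powershell
# Added example, not part of HP's release notes: Windows Defender Firewall rules for an
# HP JetAdvantage Security Manager (HPSM) server, derived from the port table above.
# Assumptions (adjust for your environment):
#   - the server is domain-joined and only the Domain firewall profile is relevant
#   - a remote SQL Server default instance (TCP 1433) lives at $SqlServerIp (constructed value)
#   - the issuing CA lives at $CaServerIp (constructed value)
#   - HPSM is installed in its default folder (paths as listed in the release notes)
# Run in an elevated PowerShell session on the HPSM server.

$ErrorActionPreference = 'Stop'
$Group       = 'HP JetAdvantage Security Manager'
$FwProfile   = 'Domain'
$HpsmDir     = 'C:\Program Files (x86)\HP JetAdvantage Security Manager'
$LicDir      = "$HpsmDir\HP Print License Service"
$SqlServerIp = '10.0.10.20'   # constructed example address of the SQL Server host
$CaServerIp  = '10.0.10.30'   # constructed example address of the CA host
$SmtpPort    = 25             # default; change if customised under File, Settings, Automated Output

# The four executables the release notes list for the three HPSM services.
$HpsmExes = @(
    "$HpsmDir\HPSM_Service.exe",
    "$LicDir\HP.Print.License.Host.WindowsService.exe",
    "$LicDir\HPQ.exe",
    "$LicDir\lmgrd.exe"
)

# Start clean so the script can be re-run: drop any rules created by an earlier run.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

function Add-HpsmRule {
    # Hypothetical helper: every rule carries the same group and profile so the whole
    # set can be listed or removed together.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [Parameter(Mandatory)][string]$Protocol,
        [string[]]$LocalPort,
        [string[]]$RemotePort,
        [string[]]$RemoteAddress,
        [string]$Program
    )
    $p = @{
        DisplayName = $Name; Group = $Group; Profile = $FwProfile
        Direction = $Direction; Protocol = $Protocol; Action = 'Allow'
    }
    if ($LocalPort)     { $p.LocalPort     = $LocalPort }
    if ($RemotePort)    { $p.RemotePort    = $RemotePort }
    if ($RemoteAddress) { $p.RemoteAddress = $RemoteAddress }
    if ($Program)       { $p.Program       = $Program }
    New-NetFirewallRule @p | Out-Null
}

# Client to Server: browser to the HPSM web site (7637 unless the IIS binding was changed).
Add-HpsmRule -Name 'HPSM web UI (HTTPS 7637)' -Direction Inbound -Protocol TCP -LocalPort 7637

# Devices to Server: Instant-On Security announcements.
Add-HpsmRule -Name 'HPSM Instant-On Security (3329)' -Direction Inbound -Protocol TCP -LocalPort 3329

# Server to Devices. Leave out the HTTP rule if every device supports SSL and firmware
# index files are imported from a file rather than fetched from the web.
Add-HpsmRule -Name 'HPSM to devices HTTPS'     -Direction Outbound -Protocol TCP -RemotePort 443
Add-HpsmRule -Name 'HPSM to devices HTTP'      -Direction Outbound -Protocol TCP -RemotePort 80, 8080
Add-HpsmRule -Name 'HPSM to devices SNMP'      -Direction Outbound -Protocol UDP -RemotePort 161
Add-HpsmRule -Name 'HPSM to devices SOAP-HTTP' -Direction Outbound -Protocol TCP -RemotePort 7627
# ICMP echo request for the "is the node active" check.
New-NetFirewallRule -DisplayName 'HPSM ping devices' -Group $Group -Profile $FwProfile `
    -Direction Outbound -Protocol ICMPv4 -IcmpType 8 -Action Allow | Out-Null

# Server to SQL database, restricted to the SQL host: default instance plus SQL Browser.
Add-HpsmRule -Name 'HPSM to SQL (1433)'         -Direction Outbound -Protocol TCP -RemotePort 1433 -RemoteAddress $SqlServerIp
Add-HpsmRule -Name 'HPSM to SQL Browser (1434)' -Direction Outbound -Protocol UDP -RemotePort 1434 -RemoteAddress $SqlServerIp

# Server to Email (Automated Output).
Add-HpsmRule -Name 'HPSM to SMTP' -Direction Outbound -Protocol TCP -RemotePort $SmtpPort

# Server to Certificate Authority: RPC endpoint mapper plus the dynamically allocated high
# ports, restricted to the CA host so the wide port range is not open to every destination.
Add-HpsmRule -Name 'HPSM to CA DCOM/RPC' -Direction Outbound -Protocol TCP -RemotePort 135, '1024-65535' -RemoteAddress $CaServerIp

# Licensing: the heartbeat (7000), license (8888) and Flexera (27000) ports are used between
# services on the same machine; scope them to the HPSM executables in both directions.
foreach ($exe in $HpsmExes) {
    $leaf = Split-Path -Leaf $exe
    Add-HpsmRule -Name "HPSM licensing in ($leaf)"  -Direction Inbound  -Protocol TCP -LocalPort 7000, 8888, 27000 -Program $exe
    Add-HpsmRule -Name "HPSM licensing out ($leaf)" -Direction Outbound -Protocol TCP -RemotePort 7000, 8888, 27000 -Program $exe
}

# Review what was created and confirm the SQL path works before starting the services.
Get-NetFirewallRule -Group $Group | Sort-Object Direction, DisplayName |
    Format-Table DisplayName, Direction, Enabled -AutoSize
Test-NetConnection -ComputerName $SqlServerIp -Port 1433 -InformationLevel Quiet
```

The outbound rules only restrict anything if the profile's default outbound action has been set to Block; with the Windows default of Allow they serve as documentation of the expected traffic.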
Ports diagram
Appendix A
Release History
Version history of HP JetAdvantage Security Manager releases
Version | Release Date | Features
2.0.0 (Major Release) | Feb 2012
76 HP Device Models Supported (See Supported Devices)
Instant-On Security
Intelligent Security Policy Editor
Background Security Compliance Monitoring
2.0.5 | May 2012
Added support for HP LaserJet Enterprise 500 color MFP M575
Added support for HP LaserJet Enterprise 500 MFP M525
Added support for Microsoft SQL 2012 and Microsoft SQL 2012 Express
2.0.7 | Nov 2012
Implemented Password Management Functionality
Enhanced Instant-On Security
Added support for operating systems:
o Windows 8 & Windows Server 2012
Added support for devices & accessories:
o HP LaserJet 700 M712
o HP LaserJet color flow MFP M575
o HP LaserJet flow MFP M525
o HP LaserJet 700 color MFP M775
o HP Jetdirect 640n and 695nw
2.0.8 | April 2013
Device DNS alias resolve and discovery
Selectable SNMPv3/AES or SHA-1 credential/device communication
New support for HP Officejet Pro devices:
o 251dw printer
o 276dw MFP
o X451dw printer
o X476dw MFP
o X551dw printer
o X576dw MFP
New support for HP LaserJet Pro devices:
o P2055 printer
o 300 color MFP M375
o 400 printer M401
o 400 MFP M425
o 400 color printer M451
o 400 color MFP M475
o 500 MFP M521
o 500 color MFP M570
Additional HP LaserJet Enterprise support:
o 700 MFP M725
2.0.9 | Nov 2013
New policy settings - Jetdirect NFC & Wireless Direct Print, FIPS-140, PJL Access Control, Legacy Firmware Upgrade
Enhanced policy settings - SNMPv3 (AES/SHA-1), Web Encryption Strength (TLS 1.1 & 1.2)
Added Windows Authentication & LDAP support for Single Function FutureSmart devices
Added the display of service connections to the IPSC UI console.
New device support for:
o HP LaserJet flow MFP M830
o HP LaserJet M806
o HP Color LaserJet flow MFP M880
o HP Color LaserJet M855
o HP Color LaserJet M750
o HP LaserJet MFP M435
o HP Jetdirect 2800w NFC/Wireless Direct Accessory
2.0.10 | April 2014
Added FIPS-140 support for JetDirect Print Server cards
Added MS Server 2012 R2 and Windows 8.1 OS support
New device support for:
o HP Officejet Color MFP X585
o HP Officejet Color flow MFP X585
o HP Officejet Color X555
o HP Color LaserJet MFP M680
o HP Color LaserJet flow MFP M680
o HP Color LaserJet M651
o HP Color LaserJet MFP M476
o HP LaserJet M701/M706
2.1.0 (Major Release) | Nov 2014
New Fleet Certificate Management solution
Added/Updated Security Settings
Improved Reports
Data Export
TLS 1.1/1.2 Communication
New HP Device Support
o HP LaserJet M201
o HP LaserJet M202
o HP LaserJet MFP M225
o HP LaserJet MFP M226
o HP LaserJet MFP M630
o HP LaserJet MFP flow M630
o HP/TROY Device Support
2.1.1 | Mar 2015
Fixed mismatched region language settings issue
Unchecked SSL 3.0 by default in policy settings
Corrected error string for blank CSR
Adjusted timing reading certificate revocation list (CRL)
Solved mass SNMP Read/Write credential failures
New HP Device Support
o HP LaserJet Enterprise M604
o HP LaserJet Enterprise M605
o HP LaserJet Enterprise M606
o HP Color LaserJet Pro M252
o HP Color LaserJet Pro MFP M277
o HP Color LaserJet Enterprise M552
o HP Color LaserJet Enterprise M553
2.1.2 | Sep 2015
Complete rename to HP JetAdvantage Security Manager
Assessments on Limited Policy included by default
Automatic remediation summary output via email
Auto-Refresh of user interface during active tasks
Stored Data improvements
Group PINs - remediation
Enable Fax Receive policy item
Auto-discovery of devices
Multiple CA certificate management
Best Possible for CSR
Updated SQL Express to 2012
New HP Device Support
o HP LaserJet MFP M527
o HP LaserJet Flow MFP 527
o HP LaserJet M506
o HP Color LaserJet MFP M477
o HP Color LaserJet M452
o HP LaserJet MFP M426
o HP LaserJet M402
o HP Color LaserJet MFP M577
o HP Color LaserJet Flow MFP M577
2.1.4 | Feb 2016
Improved credential management including global credential store
Firmware assessments
Assessment on new security features (Secure Boot, Intrusion Detection, Whitelisting)
Ability to enter greater than 8 MB for Max Attach Size under E-mail settings
Upgrade improvements when using a remote SQL database
HP LaserJet M400 series devices now allow SNMPv3 remediation
Fixed cases where Instant On discovered devices are not remediating
Fixed cases where tasks are hanging and never completing
Max Attach Size under E-mail settings no longer reports failure on assess when values match
Security Manager no longer crashes when attempting to upload CA cert without a particular value present
HP Color LaserJet M476 no longer claims Not Supported
Auto-refresh is now turned off by default
Updated bundled SQL to Microsoft SQL Server Express 2014
New HP Device Support
o HP LaserJet Pro M501
o HP Color LaserJet Pro MFP M377
o HP PageWide Color 556
o HP PageWide Color MFP M586
o HP PageWide Color Flow MFP M586
o HP PageWide Pro 452
o HP PageWide Pro MFP 477
o HP PageWide Pro 552
o HP PageWide Pro MFP 577
o HP PageWide XL 4500
o HP PageWide XL 5000
o HP PageWide XL 8000
o HP DesignJet T1120 44In
o HP DesignJet T1500/Postscript
o HP DesignJet T2300/Postscript
o HP DesignJet T2500/Postscript
o HP DesignJet T770
o HP DesignJet T790 44In
o HP DesignJet T790PS 24In
o HP DesignJet T790PS 44In
o HP DesignJet T920/Postscript
o HP DesignJet T1300
o HP DesignJet T1300/Postscript
o HP DesignJet T3500
o HP DesignJet Z5400
2.1.5 | June 2016
New Policy Items
o Verify Certificate for IPP/IPPS Pull Printing
o Enable WINS Port
o WINS Registration
o Secure Disk Password
Changes to Policy Items
o Subject Alternate Names (SANs) added to Identity certificates.
o 802.1x remediation
o Bootloader Password remediation
o Ability to remediate SSL 3.0
o Maximum Attachment Size for SMTP E-mail settings can be remediated to any custom value in the range 0-999.
o EWS Password Account Lockout settings
Certificate Management of Pro devices
Installed solutions can now set "Local" for many of the Authentication Manager settings
Reports include Device Model column instead of Device Name for consistency across products
Assessment reports now include an Export Data tab to export fleet data to a .csv or .xml file
Serial number no longer has to be upper case for Instant On filtering
The checkbox to E-mail results for a remediation task now saves correctly in the UI when editing the task
dbo_DeviceTable now removes records during nightly cleanup when a device is deleted
Database is no longer locked to a specific Security Manager server, allowing for much easier failover techniques on the Security Manager server
New HP Device Support
o HP LaserJet Pro M203
o HP LaserJet Pro MFP M227
3.0 | April 2017
Browser-based user interface
Dashboard indicating status of fleet compliance
Ability to login as guest or admin role
Logging of user and service activity in syslog format for integration into SIEM tools
Support for Symantec Certificate Authority
Addition of User Principal Name (UPN) as Subject Alternate Name (SAN) in identity certificate to support Active Directory User accounts authentication onto 802.1x networks
New policy items:
o Service Access Code
o Wi-Fi Direct
Password Complexity joined the existing Account Lockout features for several credential types
Firmware Downgrade
Improvements to Authentication Manager policy configuration to support additional solutions as sign-in method
Fixes:
o PJL Password now supported for LJ 5200
o Fixed two very unique possible causes for task hangs
New HP Device Support
o HP Color LaserJet Enterprise M652
o HP Color LaserJet Enterprise M653
o HP Color LaserJet Enterprise MFP M681
o HP Color LaserJet Enterprise MFP M682
o HP Color LaserJet MFP E77822
o HP Color LaserJet Flow MFP E77822
o HP Color LaserJet MFP E77825
o HP Color LaserJet Flow MFP E77825
o HP Color LaserJet MFP E77830
o HP Color LaserJet Flow MFP E77830
o HP Color LaserJet MFP E87640
o HP Color LaserJet Flow MFP E87640
o HP Color LaserJet MFP E87650
o HP Color LaserJet Flow MFP E87650
o HP Color LaserJet MFP E87660
o HP Color LaserJet Flow MFP E87660
o HP LaserJet Enterprise M607
o HP LaserJet Enterprise M608
o HP LaserJet Enterprise M609
o HP LaserJet Enterprise MFP M631
o HP LaserJet Enterprise Flow MFP M631
o HP LaserJet Enterprise MFP M632
o HP LaserJet Enterprise Flow MFP M632
o HP LaserJet Enterprise MFP M633
o HP LaserJet Enterprise Flow MFP M633
o HP LaserJet MFP E72525
o HP LaserJet Flow MFP E72525
o HP LaserJet MFP E72530
o HP LaserJet Flow MFP E72530
o HP LaserJet MFP E72535
o HP LaserJet Flow MFP E72535
o HP LaserJet MFP E82540
o HP LaserJet Flow MFP E82540
o HP LaserJet MFP E82550
o HP LaserJet Flow MFP E82550
o HP LaserJet MFP E82560
o HP LaserJet Flow MFP E82560
o HP PageWide Pro 750
o HP PageWide Pro 755
o HP PageWide Pro MFP 772
o HP PageWide Pro MFP 777
o HP PageWide P75050
o HP PageWide P75060
o HP PageWide MFP P77740
o HP PageWide MFP P77750
o HP PageWide MFP P77760
o HP Designjet T930
o HP Designjet T930 Postscript
o HP Designjet T1530
o HP Designjet T1530 Postscript
o HP Designjet T2530
o HP Designjet T2530 Postscript
3.0.1 | July 2017
Addressed Cross Site Scripting and AngularJS vulnerabilities found during penetration testing with the new web user interface.
Switched to using a new library to perform HTTP operations on devices to eliminate potential task hangs on some servers that rejected the old MSHTML library.
3.1 | December 2017
Scheduled reports to file or email
Autogrouping
Support for OpenTrust Certificate Authority
Addition of System Name as Subject Alternate Name (SAN) in identity certificate
SQL database scripts included during install
Support for Secure by Default initiative on new 24.5 firmware
New policy items:
o Web Scan and Secure Web Scan
o Individual cipher suites under Web Encryption Settings
o Role Based Access Control
o Add Roles to User or Group
o EWS Roles under Authentication Manager
o HP Connection Inspector
o Cross Site Request Forgery (CSRF) Prevention
o IPSEC/Firewall
o 802.1x (wireless)
Fixes:
o Global credentials working properly
o Incorrect passwords stored in database remain in database if unsuccessful
o Time zone difference between client and server allows for running tasks immediately if desired
o Time zone displayed in proper 24-hour format if desired
o CA certificates are now deleted if checkbox is checked to remove certificates not in policy
o CA certificates are now successfully installed on devices set to non-English language
New HP Device Support
o HP Color LaserJet M254
o HP Color LaserJet MFP M281
o HP Color LaserJet E65050
o HP Color LaserJet E65060
o HP Color LaserJet E67550
o HP Color LaserJet E67560
o HP LaserJet E60055
o HP LaserJet E60065
o HP LaserJet E60075
o HP LaserJet MFP E62555
o HP LaserJet MFP E62565
o HP LaserJet MFP E62575
o HP LaserJet MFP E72545
o HP LaserJet Flow MFP E72545
o HP PageWide Enterprise Color 765dn
o HP PageWide Enterprise Color MFP 780
o HP PageWide Enterprise Color Flow MFP 785
o HP PageWide Color E55650
o HP PageWide Color MFP E58650
o HP PageWide Managed Color E75160
o HP PageWide Managed Color MFP E77650
o HP PageWide Managed Color MFP E77660
o HP PageWide P55250
o HP PageWide MFP P77740
o HP PageWide MFP P77750
o HP PageWide MFP P77760
o HP PageWide MFP P57750
o HP DesignJet T830 24-in MFP
o HP DesignJet T1700dr PostScript
o HP Digital Sender Flow 8500
o HP ScanJet Flow N9120 fn2
o Zebra ZTC ZT410-203dpi ZPL
3.1.1 | March 2018
Fixed issue with Admin (EWS) Password always remediating even if matching policy
Fixed SQL scripts included in HPSM folder
3.2 | July 2018
Features
o Instant on Reflection
o Mac Address as column
o Firmware assessment added to Essential policy
o Changed label of Limited policy to Essential policy
o Default licenses increased from quantity 20 to 50
New Policy Items:
o HTTPS
o CIFS (Shared Folder)
o FTP Client
o FTP Server
o JetAdvantage Link
o Extended Signature Verification
o Control Panel Logout Policy
Fixes:
o Order of operation causing Network Connection Error or Credentials Failed status
o Autogroups limited to 10
o Autogroup filter for Hostname cannot be blank
o Disk Encryption Status claims failed for SSD/eMMC
o File Erase Mode fails when no disk is present
o Incorrect hover help for Certificate Authority Name
o Can't install an intermediate CA cert on older devices
o Duplicate ID certificates installed
o Can't add IP Addresses to ACL
o Installer uses ODBC to connect to SQL on third option for Connect to Existing DB
o Device replacing another at same IP Address does not update all attributes
o Secure Boot Presence fails for devices that don't support feature
o SNMPv3 queries when v3 is disabled
New Device Support
o HP PageWide Managed Color P75250
o HP PageWide Managed Color MFP P77440
o HP LaserJet MFP E50045n
o HP LaserJet MFP E52545dn
o HP LaserJet Flow MFP E52545c
o HP Color LaserJet MFP E55040dn
o HP Color LaserJet MFP E57540dn
o HP Color LaserJet Flow MFP E57540c
o HP Designjet T3500
o HP Designjet Z5600
o Samsung Multifunction MultiXpress K7400, K7500, K7600, K7650, K703, K705, K706
o Samsung Multifunction MultiXpress X7400, X7500, X7600, X703, X704, X705, X706
o Samsung Multifunction ProXpress M4580, M4583
o Samsung Multifunction MultiXpress M4370, M5370, M5270
o Samsung Multifunction MultiXpress X4220, X4250, X4300, X400, X401, K4250, K4300, K4350, K401, K400
3.2.1 | December 2018
Features:
o Firmware version is now an autogrouping filter.
o Added option to display Error if an assessment could not be performed instead of remaining at Passed assessment status from the last successful assessment. The Email Summary Remediation report now indicates the device was not remediated.
o More than one range can be entered for a single IP Range discovery.
o Discoveries can now be scheduled to occur at some desired frequency.
o Added option to properly assess PJL Password if PJL Access is disabled by temporarily enabling PJL Access.
o Added support for Active Directory authentication to be used to remotely manage devices instead of Admin (EWS) Password.
o A new option is available to limit Assessment & Remediation history stored in the database to some desired number of days.
o New Repetitive Remediation report includes devices being remediated for the same items multiple times.
o Added support for Zebra devices with Link OS >=5.0
o HP SM support for CSRF with JEDI FS3 firmware
o Admin password policy item support for Zebra devices
o Added Fax Receive Owner option (drop-down values Guest, Administrator, Network User) under Fax Receive Policy Item.
New Policy Items:
o SIP Server Settings (FOIP Support)
o Postscript Security
o Wireless Radio State
o Information Hiding
Fixes:
o Vulnerabilities in Bootstrap library and AngularJS library resolved by patching code fixes from new versions.
o Installation no longer fails with Create a New or Upgrade Existing DB option while upgrading after database scripts have already been used to upgrade the database.
o Write verification failed is no longer displayed while remediating FTP Firmware Update policy on some devices.
o CA certificate now remediates on a CLJ CM4730mfp when server localization is non-English.
o Invalid Identity Certificate is no longer observed in device status on verifying a device after remediation of an identity certificate.
o SNMP Read/Write Community Name is now attempted in global credentials if public is enabled for SNMP Reads on the device.
o Duplicate identity certificates are no longer installed if an assessment finds a mismatch in the ID certificate. The certificate is replaced instead of appended.
o CA certificate displays Issued To name instead of Issued By name.
o Fixed CA certificates issue on older devices requiring checkbox to allow intermediate certs. Root and intermediate certificates now install successfully.
o Web Encryption Strength no longer fails on older devices that don't support individual ciphers if a Read Community Name is present on the device and public is disabled.
o Fixed ID certificates issue where SANs are assessed incorrectly, and a new certificate is always installed.
o Secure Boot Presence / Whitelisting / Intrusion Detection now correctly indicate Not Supported for models that do not support them and no longer fail in reports when Ignore is selected or unsupported devices.
o Fixed ID certificates issue where Common Name not Formed in CSR is displayed when the CA is set to manually approve requests instead of automatically generating certificates.
o Fixed issue where PJL Password was not being pulled from the Global Credential Store during assessments/remediations.
o HP Jetdirect XML Services now assesses properly on some older Jetdirect NICs.
o Added certificate management support for T1700 DesignJet device.
o Fixed the issue where secure by default in FS 4.5 was breaking Instant On remediation.
o Fixed model name sorting issue on older devices that display with lower case.
o Resolved the issue with downgrade for HPSM where a lower version was allowed to be installed on a higher version.
o Fixed the behavior with Send FAX Policy. Now this policy can be enabled/disabled in the Policy Editor UI.
o Fixed the SAN behavior for non-unified devices where FQDN was not displayed.
o Fixed the issue where Zebra devices were not getting discovered using the auto-discovery IP range option.
o Fixed the behavior where a not reachable device was showing as "credential failed".
o Fixed the behavior where PJL password was not remediating on multiple older devices.
o Fixed FTP Firmware update behavior on LJ M631.
o Fixed the issue with CLJ CP4520 where SNMPv3 was not remediating before.
o Fixed the certificate behavior on CLJ 3600 and LJ 300 M375 devices. Now CA and ID certificate show as not supported.
New Device Support
o HP PageWide Color MFP 779
o HP PageWide Color MFP 775
o HP PageWide Color MFP 751
o HP Color LaserJet M653
o HP Color LaserJet MFP M681
o HP LaserJet MFP M609
o HP LaserJet MFP M633
o Zebra ZQ320
o Zebra ZQ620
Note: With the 3.2.1 release, all Zebra devices with Link OS >=5.0 are supported, so any of the devices listed below with the required Link OS may work as expected.
o Zebra QLn220
o Zebra QLn320
o Zebra ZQ310
o Zebra ZQ510
o Zebra ZD410
o Zebra ZD420
o Zebra ZD500R
o Zebra ZT230 200dpi
o Zebra ZT610 203dpi
3.3 | Aug 2019
Features:
o Stop automatically allowing members of local admin group to launch HPSM-100122
o Security Manager should automatically remediate ID certificates which are revoked/deleted-103278
o HPSM shall preserve a few settings during upgrade-103973
o HPSM still referring to .NET 3.51 during installation-104487
o Security Manager compliance with FIPS 140 standards-103003
o Improve Syslog effectiveness - are we capturing the right events? -100923
o Support Analyst role in Security Manager-103256
o HPSM needs to compare asset name from firm service against glf entry for firmware upgrade-82285
o Support for Windows Server 2019-104924
o Advanced error handling on DB connectivity and update-101995
o Changes to Essential and Base policy items - review from PSAS team-104773
o Some of the RBAC menus in EWS are missing in Locksmith-104599
o Better refresh behavior for devices with new hostname-87705
o Accessibility: TAA Compliant RAM Disk-94288
o [Epic] Secure loading and access restriction in certificate management plugins-103991
o [EPIC] Security Shield Dashboard in HP SM-102887
o Localize newly added Chinese text in 3.2-104852
o Proper backup & restore of data during installation-104685
o French language for HPSM-104950
o SQL 2017 support with Level 140 support in Security Manager-105218
o Added UPN field to ID cert Policy (Based on the string value the UPN will be generated)-104689
o Fixed the behavior for Disk encryption policy when the device has the disk present but it can't be encrypted-105087
o Support for configurable alerts based on the security posture of devices over a period-103130/106168
o Policy for Email settings does not support device-individual from: addresses-104871
o [EPIC][Reports] Executive Fleet Assessment Report-103129
o [Localization] Add support for new German language-105983
o [Epic] FW Assessment against known vulnerabilities (Shell's)-94289
o Improving Auto Group filter deficiencies-106062
o 106281: [Installation][Usability] Provide option to enter custom name as database name during installation/upgrade
New Policy Items:
o RAM Disk Configuration
Fixes:
o Policy Items Assessed report has incorrect numbers-100976
o SNMPv3 credential store UI only supporting up to 23 characters-104690
o PDF report download not working in latest Chrome version-104883
o Count mismatch between policy items and assessed items-104085
o ID cert remediation on a few Pro devices fails with 409 conflict error-104593
o SNMPv1/v2 Read and Read/Write Community Names limited to 20 characters in UI-104879
o Remediating ID certificate every time on German OS server-104688
o 3.2.1 broke ability to enable GCM ciphers and TLS 1.0/1.1 in same policy-104884
o Upgrade issue with RBAC changes and RBAC Policy is not getting saved with latest release version Policy item selected-105366
o Network services policy state becomes invalid without any changes/validation-105209
o Installation is getting terminated if .NET 3.5 is not installed while installing HPSM with SQL 2014-105553
o SNMPv3 fails to set when best possible encryption algorithm is applied on the device-105483
o "Write verification failed...." error message observed when performing CA certificate A&R task on Pro devices-104661
o P3005 and J7979 JDI need to tag IPPS as Not Supported-105159
o Configuring FS4 Contacts using Security Manager results in an EWS error message-104874
o [HPSM 3.3][Installation]: Installation is getting terminated if .NET 3.5 is not installed & user tries to install SQL 2014 from HPSM-106007
o Web Encryption Strength not working for OfficeJet X476 and X576-106026
o CA certs fail to install on M401/402 in different language-106589
o LJ 4050 and LJ 4100 should be tagged as Not Supported for latest firmware policy item-106674
o Deleting a task should kill all open tasks-104451
o Can't remediate 802.1x on Pro and Oz devices-106510
o LJ P3015 should tag File Erase Mode as Not Supported-107250
o Remote Configuration Password broken for LJ M630-106821
o Not adding 802.1x name to SANs in ID certificate-106771
o Not installing CA certs intermittently on Oz devices-106282
o Not deleting CA certs on non-unified devices when checkbox to delete is checked-106118
New Device Support:
o HP LaserJet MFP M528
o HP LaserJet M507
o HP LaserJet MFP E82560
o HP Color LaserJet MFP E87640
o HP Color LaserJet Flow MFP M776
o HP Color LaserJet M856
o HP Color LaserJet MFP E77422
o HP LaserJet MFP E72425
o HP DesignJet XL 3600 MFP
o HP DesignJet T2600dr MFP
o HP Color LaserJet Pro MFP M479fdw
o HP Color LaserJet Pro M454dn
o HP LaserJet Pro M404dn/dw
o HP LaserJet Pro MFP M428fdn
3.4.0.16986 | Dec '19
Features:
o Support Edit of Discovery task in Security Manager
o Licensing Improvement
o HPSM Database Improvement
o Remediate LDAP and SMTP credentials
o Firmware Assessment Usability Improvements
o Autogrouping to automatically remediate policies assigned to group
o SCEP standard connector support in Certificate Management
o Firmware Assessment Improvement
o NTP server/Time Sync for the print fleet
o Security Manager should support Pull Print under RBAC
o Policy change notification feature in Security Manager
o Term SKUs support in HP Security Manager - license expiry warning
New Policy Items:
o Network Server Sync
Fixes:
o Incorrect response from HPSM to Instant On packets
o Device Announcement Agent shows error in recommendations when IP Address field is blank
o Device status is changed to error state when A & R task is executed with HTTPS enable policy item on Samsung device
o Unable to remediate 802.1x setting values when applied policy with no password with PEAP enabled settings
o Selected policy items are getting unselected post upgrade
o Bootloader Password broken in 3.3, can't remediate if device has existing password
o Unable to launch HPSM when installed on French OS
o Renewal Threshold in ID Cert policy doesn't allow value above 365
o Admin (EWS) Password minimum password length does not allow 0 value
o Unlicensed device reverts to licensed after discovery
o Auth Manager breaks Pull Print on device
o Jedi devices claim unexpected value or type when remediating job held timeout
o CA Certificates should replace the JD Certificate Store Certificate for Non-Unified Devices
o Disk Encryption Status reporting failed on non-encryptable disks on Oz devices
o PJL Password config entry to temporarily enable PJL Access needs to apply for remediations too
New Device Support:
o HP LaserJet M608
o HP LaserJet MFP M635
3.5.0.19036 | Dec '20
Features
o Added support for Microsoft Edge (Chromium) browser
o Bundled with SQL Express 2019
o Additional ciphers have been added to the policy item Web Encryption Settings
o Added configuration option for timeout of direct SQL commands
o Added support for licenses with different end-dates
o Added support for variable data for the Return E-mail address
o Added Zebra Certificate Management
o Enhanced Dashboard with support for device-level assessment and remediation history and alerts
o [Firmware Assessment-File/HPWeb] Use Asset Identifier to match firmware detail entries from glf file
o Several performance improvements
o HPSM installer now asks for credentials before creating/updating the database
o TLS 1.2 support in HPSM Installer
o Maintenance Task Improvements
o All HPSM services can now run as a local user
o Certificate Management Plug-in Improvements
o Added localization into Malay and Spanish
o Added option to disable SMBv1, v2, v3
o Added EST (Enrollment over Secure Transport) ID certificate support
o HPSM integration with Qualys
New Policy Items
o E-mail Domain Restriction
Updated Policy Names:
o JA Link -> HP Workpath
o Digital Send -> Job Behavior
o Web Encryption Settings -> Web Encryption Settings or Active Ciphers
o System Logging -> Syslog (System logging)
o CCC Logging -> Enhanced (security event) logging
o CIFS (Shared Folder) -> SMB/CIFS (Shared Folder)
Fixes
o Officejet X576 no longer fails in assessment for CP Lock when Moderate is selected
o LJ M404 (with latest firmware) can now remediate settings requiring SNMP in the same remediation as enabling v3
o When applying an SNMPv3-only policy, HPSM no longer indicates unable to remediate with an SNMPv1 credential error when the device is configured with SNMPv3 only
o HPSM now accepts an email address which contains a plus sign (+)
o HPSM no longer hangs on the Export page when you enter a long or invalid email address, and CPU no longer goes to 100%
o When running the installDBrmt.bat script for a remote database it no longer adds rights for network service
o The JetDServerCert (servcert.pfx) has been renewed
o Assessment of EWS password no longer takes ~10 minutes when SNMP access is set to read-only
o Credentials no longer fail with M401 over SNMPv3 with SNMPv1 read enabled
o The term Alerts has been changed to Alert Subscriptions
o M404-M405 Series and M454 Series expose 'Retain Print Job' also without Flash Drive and no longer cause invalid remediation results (when latest device firmware is used)
o Syslogging can now be disabled when enhanced security event logging is enabled on the device
o ID certificate on Z9 can now be installed when CSR Source is set to HPSM
o No longer hanging tasks
o Instant On is now also using global credentials
o No longer intermittent database Stale Errors with default setting for Delete Rule to No Action for foreign key FK984CDE507E9133 for RecToReasonsTable
o HPSM can now remediate the setting Retain Print Jobs after Reboot when set to disabled on policy and enabled on the device
o Manual discovery will not perform a hostname resolution when host-name resolution has been disabled
o ID certificate installation no longer fails with Venafi SCEP service
o Added missing Sign-In Methods for new HPAC versions in HPSM
New Device Support
o HP Color LaserJet Enterprise M554
o HP Color LaserJet Enterprise M555
o HP Color LaserJet Enterprise MFP M578
o HP DesignJet T650 24-in
Managed devices:
o HP Color LaserJet Managed MFP E77428
o HP LaserJet Managed MFP E72535
o HP LaserJet Managed MFP E72430
Appendix B
Links to HP Security Manager Whitepapers
Many whitepapers and manuals are available for HP JetAdvantage Security Manager.
The overview on the web can be found at: http://www.hp.com/go/securitymanager
There, click the link Whitepapers and Support Documents.
This shows the following list:
HP JetAdvantage Security Manager - Policy Editor Settings (white paper)
HP JetAdvantage Security Manager - Reporting, Email Alert Subscriptions & Remediation Summary, Auditing & Syslog Functionality (white paper)
HP JetAdvantage Security Manager - Using licenses and troubleshooting licensing issues (white paper)
HP JetAdvantage Security Manager - Securing the HP JetAdvantage Security Manager (white paper)
HP JetAdvantage Security Manager - User Guide
HP JetAdvantage Security Manager - Supported devices and features table
HP JetAdvantage Security Manager - Installation and Setup Guide
HP JetAdvantage Security Manager - Credential Management (white paper)
HP JetAdvantage Security Manager - Release Notes with Ports (white paper)
HP JetAdvantage Security Manager – Device Discovery, Determining Device Details and Exporting Devices (white paper)
HP JetAdvantage Security Manager - Instant-On Security and Auto-Group Remediation (white paper)
HP JetAdvantage Security Manager - Automatic Email notification for remediation tasks and policy changes (white paper)
HP JetAdvantage Security Manager - Sizing and Performance (white paper)
HP JetAdvantage Security Manager - Supported Devices (white paper)
HP JetAdvantage Security Manager - Certificate Management (white paper)
HP JetAdvantage Security Manager - Manage devices with FutureSmart 4.5 Firmware
HP JetAdvantage Security Manager - Using Microsoft® SQL Server (white paper)
HP JetAdvantage Security Manager - Troubleshooting Issues (white paper)
© Copyright 2020 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
c03601653ENW, Rev.32, Mar 2021