ASD's Blueprint for Secure Cloud

Printing

This section describes the design decisions associated with the management of Applications deployed to endpoints for system(s) built using ASD's Blueprint for Secure Cloud.


Printing is a legitimate method of data transfer out of an environment. Because printing enables users to physically export data from a network, it can also be leveraged by malicious actors for data exfiltration. To minimise the risks associated with printing, the allowed locations for printing should be controlled. Microsoft Intune can be leveraged to control the printers available for a device and whether a user is able to add additional local printers.

For a user to leverage an available printer, connectivity and a device driver are often required. The drivers can be delivered and updated using Microsoft Intune and/or Microsoft Endpoint Configuration Manager (MECM). Connectivity will depend on the connected network(s) of the device. Options include:

  • Corporate Network printing - In the workplace, domain-joined computers can connect to the print servers and send jobs to the queue.
  • External Network printing via Hybrid Cloud Print - Without network connectivity via Citrix, a VPN, or Microsoft Hybrid Cloud Print, direct print server connectivity is not available. Microsoft Hybrid Cloud Print utilises a reverse proxy to communicate with the print servers located within the work network.
  • External Network printing via VPN - When direct printer connectivity is not available from external networks, a VPN such as Windows 10 Always-On VPN can enable clients to function as if they were part of the corporate network.

When deploying a hybrid solution, the allocation of printers to users should be considered. Other management solutions such as Group Policy and MECM may be servicing the allocation of printers to devices.
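
One way to check the outcome on a device, whichever tool allocated its printers: the PowerShell below is an added example, not part of the Blueprint, that compares a printer inventory with an approved list. The function name, the approved lists and the sample inventory are assumptions constructed for illustration; `Get-Printer` is the built-in Windows cmdlet that supplies a real inventory.

```powershell
# Added example. Server, queue and driver names are constructed placeholders.
function Get-UnapprovedPrinter {
    param(
        [Parameter(Mandatory)] [object[]] $Printer,   # objects shaped like Get-Printer output
        [string[]] $ApprovedServer    = @(),          # print servers users may connect to
        [string[]] $ApprovedLocalName = @()           # local or virtual queues that are accepted
    )
    foreach ($p in $Printer) {
        if ($p.Name -match '^\\\\([^\\]+)\\') {
            # Shared queue in \\server\queue form: judge it by the server it points at.
            $server = $Matches[1]
            if ($server -notin $ApprovedServer) {
                [pscustomobject]@{ Name = $p.Name; Driver = $p.DriverName
                                   Reason = "print server '$server' is not approved" }
            }
        }
        elseif ($p.Name -notin $ApprovedLocalName) {
            # Anything else is a queue defined on the device itself.
            [pscustomobject]@{ Name = $p.Name; Driver = $p.DriverName
                               Reason = "local queue on port '$($p.PortName)' is not approved" }
        }
    }
}

# Constructed inventory; on a managed device replace it with: $inventory = Get-Printer
$inventory = @(
    [pscustomobject]@{ Name = '\\print01.corp.example\Level3-MFD'; DriverName = 'Example PCL6'; PortName = 'Level3-MFD' }
    [pscustomobject]@{ Name = '\\homepc\Inkjet'; DriverName = 'Example Inkjet'; PortName = 'Inkjet' }
    # Built-in virtual queues appear in the inventory too; list the ones the organisation accepts.
    [pscustomobject]@{ Name = 'Microsoft Print to PDF'; DriverName = 'Microsoft Print To PDF'; PortName = 'PORTPROMPT:' }
    [pscustomobject]@{ Name = 'USB Label Printer'; DriverName = 'Example Label'; PortName = 'USB001' }
)

# @() keeps the result an array even when there is a single finding.
$findings = @(Get-UnapprovedPrinter -Printer $inventory `
    -ApprovedServer 'print01.corp.example' -ApprovedLocalName 'Microsoft Print to PDF')

$findings | Format-Table -AutoSize -Wrap
Write-Output "$($findings.Count) unapproved printer(s) found"
```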

Cloud native deployments

Hybrid deployments

Universal Print

Universal Print enables organisations to manage print infrastructure for compatible printers through cloud services and, apart from the printer itself, does not require any additional on-premises infrastructure. The service integrates with Microsoft Entra ID and, where required, also supports single sign-on. By using the additional Universal Print connector software, organisations can also deploy the service for non-compatible printers.

Universal Print Architecture

Universal Print provides a limited pool of print jobs per month for organisations with applicable Microsoft 365 subscriptions. Organisations can also add additional print volume when required. Microsoft's Licensing Universal Print page provides additional information.

Organisations should undertake an assessment of the Universal Print service to determine its fit with the organisational risk appetite and requirements. For those organisations electing to implement Universal Print, Microsoft provides the following guidance: Set up Universal Print.

Security & Governance

  • None identified

Design

References


Authorised by the Australian Government, Canberra