Managing Security Policies

32 minute read Last updated on April 03, 2024

To create and maintain Shield Guard security policies for your tenant, click on Policies in the Navigation pane. The Policies page appears in the following illustration, showing three custom policies and the two sample security policies:

The Policies page provides access to the security policies in your tenant. Each individual policy is capable of monitoring security settings for supported Konica Minolta MFPs (multi-function peripheral devices) and SFPs (single-function peripheral devices), and each policy is fully customizable. In addition, most policy settings include an Automatic Remediation option to automatically bring the device’s corresponding setting into compliance with the policy setting.

Note: Shield Guard supports all bizhub Standard and Platinum device security settings, as well as select Ultimate settings.

About Security Policies

Shield Guard security policies enable you to remotely monitor and maintain the security settings for any device in a Shield Guard tenant. You access the tenant and its security policies via the Shield Guard Portal. Each tenant can contain an unlimited number of security policies and devices.

Each Shield Guard security policy contains the same list of settings - settings that correspond to the security switches available in Konica Minolta devices. You customize your policies via the Monitor column in the Security settings tables. You toggle on the policy settings you want Shield Guard to monitor, and toggle off the policy settings you want Shield Guard to ignore. In the following illustration, the Auto Document Deletion setting has been toggled on, and is awaiting the user to specify the frequency at which to delete documents.

For each policy setting you toggle on, Shield Guard compares the setting with the device’s corresponding setting. If the policy setting matches the device’s setting, Shield Guard assesses that setting as compliant. If Shield Guard assesses all device security settings as compliant with the policy, the device receives a security status of Secure.

If Shield Guard assesses one or more device settings as not compliant with the policy, the device receives a status of Not Secure. The Dashboard and Devices pages display a Not Secure status for the device, and the Logs page lists the individual settings assessed as Not Secure.

Once you assign a security policy to a device (or device group), Shield Guard can begin remote monitoring of the device(s). Once assigned, the policy runs continuously, communicating with the Shield Guard agent at user-defined intervals. The agent queries the portal for the current policy settings, then compares the device’s settings with the policy’s corresponding settings. If any issues are found, the portal updates with the information so you can take corrective action.

Notes:

For the Shield Guard agent to communicate with the Shield Guard Portal (and the portal to communicate back to the agent), the agent must be running. The agent launches automatically when the Shield Guard screensaver is active on a device.
Any changes you make to settings in a security policy are applied at the first server heartbeat sync that occurs after the Shield Guard screensaver launches.
To help you get started, Shield Guard includes two sample security policies. You can use these policies in any way that meets your needs.

Device Restrictions

Shield Guard supports all bizhub devices supported by MarketPlace. However, the functionality of some Shield Guard policy settings is restricted to newer devices. Note the following:

Platinum settings are supported only on i-Series devices, with the exception of User Authentication and Public Authentication, which are supported on all MarketPlace devices.
Ultimate settings are supported only on i-Series devices on which the LK-116 Virus Scan i-Option has been installed.
Automatic Remediation is supported only on i-Series devices, with the exception of Admin Password Configuration, for which automatic remediation is supported on all MarketPlace devices.
Due to device limitations, devices using microSD cards do not support all Shield Guard policy settings.

Sample Security Policies

Shield Guard includes two sample security policies, the Standard Policy and the Advanced Policy. You can use these policies in any way that meets your needs. The following illustration shows the Policies page listing the sample policies:

For the sample security policies, all security settings are included, and you have the following options:

View a policy’s current configuration.
Assign the policy to one or more devices as-is, without modifications.
Modify the security settings and assign the policy to one or more devices.
Rename the policy and assign it to devices under the new name, with or without modifications to security settings.

Notes:

You can also create a new policy from scratch.
The Overview topic includes a description of a sample custom policy.

Policies Table

The Policies table lists all policies in the tenant. See the following illustration:

The Information bar at the top of the Policies page contains the following information, fields, and buttons:

Page Icon - The icon representing the current page.
Page Name - The name of the current page.
Total Policies - A running list of the total number of security policies in the current tenant.
Search - A search filter you can use to restrict the policies displayed in the Policies table to a string you specify.
Create New Policy - This button provides access to the Create a New Policy page.

The Policies table provides information on, and action options for, each device, including the following:

Name - The name of the policy.
Last Modified - The date and time at which the policy was last modified.
Rows per page - This option appears at the bottom of the Policies table display. Use it to specify the number of policy rows to display per page. For example, if your tenant contains many policies, you can specify a large number of policies per page, such as 25. The more policies per page, the less likely you will have to navigate to another page of policies.
Previous/Next buttons - If your tenant contains more policies than the number of rows specified at the Rows per page field, these buttons (next to the Rows per page field) activate. Use them to navigate to other pages of the policies table.

Action Options in the Policies Table

In addition to information on each policy, the Policies table provides access to action options you can use to modify a policy and/or apply it to a device. Click on the associated button to access the action. The following table lists the action options available for each policy.

Action Icon	Function
	Assign Policy - Accesses the Assign Policy to Devices window.
	Show Policy - Accesses the View Policy page.
	Edit Policy - Accesses the Edit Policy page.
	Clone Policy - Creates a copy of the policy and displays it in the Edit Policy page where you can give the policy a unique name and modify it to suit your needs.
	Delete Policy - Deletes the policy.

Assigning a Policy to Devices or Device Groups

To assign a security policy to devices or device groups, click on the Assign Policy button for a policy in the Policies table. The Assign Policy to Devices or Groups window appears. The following illustration shows the window when the Devices tab is selected:

Assign Policy to Devices or Groups window

In the Available panel, all devices from your MarketPlace account appear, restricted to devices that have not yet been assigned to a group (whether by you or another user). Do the following:

In the Available panel, click on the selection box next to each device to which you want to assign the security policy. To select all available devices, click on the box in the panel header.
Once you select a box, the > button between the panels activates. When you have selected all the devices you are interested in, click on the > button. The devices appear in the Selected panel.
To remove one or devices from the Selected panel, click on their associated boxes and then click on the < button. The devices return to the Available panel.

Note: To exit the Assign Policy to Devices or Groups window without selecting any devices, click outside the window at any time.
When the Selected panel contains all the devices you are interested in, click on the ASSIGN POLICY button. You return to the Policies page. If you now access the Devices page, you can see the policy you assigned is now listed in the Policy Name column for each device you selected for policy assignment.

To assign the policy to all devices in a device group, click on the Groups tab and use the same procedure as described for the Devices tab.

Note: You can also assign a policy to the devices in a group using the Modify Device Group window on the Devices page.

Viewing Security Policies

The View Policy page appears when you click on the Show button for a policy in the Policies table. It displays a read-only version of the selected policy. The following illustration shows the top portion of a security policy called “Second Floor East”, in which the Default Admin Password Check setting has been toggled on.

Creating Policies

To create a new, custom security policy, access the Policies page, where you have the following options when creating a policy:

Create a new policy from scratch - Click on the Create New Policy button to access the Create a New Policy page.
Rename an existing policy - On the Policies page, click on the Edit button associated with the policy you want to rename. The Edit Policy page appears where you can rename and otherwise modify the policy to suit your preferences. For example, you can modify and rename one of the sample policies.

Notes:

Not all devices support all Shield Guard security settings. For example, some older devices do not support some bizhub Platinum Security settings. If you toggle on a setting in Shield Guard that is not supported on a device, Shield Guard will assess the setting as Not Secure, causing the device to fail its security assessment. If you toggle off the setting, Shield Guard will ignore the setting during assessments.
For devices that do not support automatic remediation, activating automatic remediation on a setting has no effect.
The Overview topic includes a description of a sample custom policy.

Creating a New Policy

The Create a New Policy page accesses the policy template, which you use to create a new policy. The template includes Shield Guard policy settings corresponding with each of the security settings available in supported Konica Minolta MFPs (multi-functional peripheral devices) and SFPs (single-function peripheral devices). Each Shield Guard security setting can be toggled on or off.

Some settings include an Additional Options field. If you toggle on such a setting, the Additional Options field becomes a required field.

To create a new policy from scratch, access the Policies page and click on the Create New Policy button. The Create a New Policy page appears:

In the policy template, all settings are toggled off by default. The Create a New Policy page consists of the following sections:

Policy Settings
Standard Security Settings
Platinum Security Settings
Ultimate Security Settings

To create a new security policy, take the following steps:

Step 1 - Name your policy

Use the Name your policy field to specify a meaningful name for the policy. This is a required field.

Step 2 - Specify Policy Settings

Use this section to specify the frequency of communications between the Shield Guard Agent and the Shield Guard Portal for devices to which the current security policy is assigned. Specify the following:

Server heartbeat sync frequency - Specify the frequency by which you want the agent to communicate with the Shield Guard Portal to retrieve the latest changes (if any) to the security policy. The agent stores the latest settings until the next heartbeat sync.

Note: Once you apply this setting to a policy, if you later modify the setting, changes are applied at the completion of the previously scheduled sync. For example, if the current setting is 7 days and you change it to 15 minutes, the change will be applied at the next sync (7 days after the previous sync). Thereafter, syncs will occur every 15 minutes, until you change the setting again.
Check MFP local settings frequency - Specify the frequency by which you want the agent to run a “device check”. A device check records the current status of each of the device’s security settings for which the corresponding policy setting is toggled on (and ignores the toggled-off settings). If any of the following occurred since the last device check, the agent notifies the portal:
- One or more settings on the device were modified.
- One or more device settings do not match their corresponding policy setting.
If the agent reports any issues to the portal, the portal runs an assessment of the policy to determine if any device settings are not compliant with the policy.
Offline threshold - Specify the number of server heartbeats you want to elapse without a communication from the agent before Shield Guard reports a device in the policy as Offline. For example, if you set the heartbeat sync frequency to 5 minutes and the offline threshold tolerance to 3, then if the agent on a device has not pinged the portal in the last 15 minutes, the portal assumes the device is offline and assigns that status to the device.

Notes:

The Shield Guard Agent communicates with the portal only when the Shield screensaver is active on the device. That is, once the screensaver activates on a device, the agent then communicates based on your settings here until the screensaver deactivates. For example, if you set the Check MFP local settings frequency to 5 minutes, then after 5 minutes expires, the policy will run a check on each device as soon as the screensaver runs on the device. If the screensaver is running as the 5 minutes expires, the device check begins immediately.
The Overview topic includes a description of a sample custom policy with a typical communication frequency configuration between portal and device.

Step 3 - Specify Security Settings to Monitor

Shield Guard policies assess only settings for which monitoring is toggled on in Shield Guard. To toggle on the settings you want Shield Guard to monitor, use the Monitor column on the Policies page. Toggle off the settings you want Shield Guard to ignore.

Note: Some devices may not include all settings supported by Shield Guard, and/or not provide an API that Shield Guard can use to access and assess the setting. Thus, you may configure a policy to monitor a setting that Shield Guard cannot. When Shield Guard attempts to assess such a setting, a log is generated.

Shield Guard Assessments

If a Shield Guard security setting contains additional configuration options, then Shield Guard assesses each option to determine compliance with the policy. For example, the Auto Document Deletion setting, when toggled on, includes a requirement to specify a frequency at which to delete the documents (one hour, one day, etc.). For Shield Guard to assess this setting as Secure, the frequency specified on the device must match the frequency specified in the Shield Guard policy.

However, if a monitored Shield Guard setting contains no additional options (for example, the Password Rules setting), then Shield Guard assesses only whether or not the setting is enabled on the device. If the setting is enabled on the device, Shield Guard assesses it as Secure, and Not Secure otherwise.

Security Settings Tables

The following sections include the Security Settings tables (Standard, Platinum, and Ultimate). Each table includes the following columns of information:

Shield Guard Setting - The name of the Shield Guard setting.
Functionality at the Device - The functionality of the device setting (when enabled) that corresponds to the Shield Guard setting.
Shield Guard Assessment - Shield Guard’s assessment of the setting. Monitoring for the setting must be toggled on for Shield Guard to assess the device setting.
Automatic Remediation - Indicates if Shield Guard supports automatic remediation for the setting. If both the Shield Guard setting and the device setting support automatic remediation, then Shield Guard can remediate it.

Standard Security Settings

Use this section to configure the Shield Guard Standard Security settings for the current policy. The Standard Security settings correspond with the bizhub SECURE Service settings supported by the device. Toggle on all settings you want the policy to monitor. Be sure to configure the additional options (if any) for the settings you toggle on. Toggle off all other settings.

The following table lists the Standard Security settings as well as descriptions of the device’s corresponding bizhub SECURE Standard Security settings and how Shield Guard assesses those settings.

Shield Guard Setting	Functionality at the Device	Shield Guard Assessment	Automatic Remediation?
Admin Password Configuration	Devices have no corresponding setting. Instead, Shield Guard can update the device’s admin password based on user-defined settings in Shield Guard.	Monitors the admin password on the device. If due for an update, Shield Guard assesses the setting as Not Secure, generates a new password, sends it to the device, and assesses the setting as Secure after the next device assessment.	Y
Default Admin Password Check	Devices have no corresponding setting. Instead, each device’s Admin Password setting is initially set to a default. Admins can use this field to specify their own password for the device.	Monitors the admin password on the device. If the password has been changed from the device’s default, Shield Guard assesses the setting as Secure. Note: The Default Admin Password Remediation setting requires this setting (Default Admin Password Check) to be toggled on in order to remediate admin passwords. Thus, if you attempt to toggle off this setting while the Default Admin Password Remediation setting is toggled on, a warning message appears with two options. If you click on OK, both settings are toggled off. If you click on Cancel, both settings remain toggled on. No warning message appears if the Default Admin Password Remediation setting is not currently toggled on, or if you are attempting to toggle on this setting (Default Admin Password Check).	N
Password Rules	Imposes character requirements on device admin passwords, whether generated by Shield Guard or specified manually at the device. An example of a character requirement is a minimum password length.	Monitors the Password Rules setting on the device. If enabled, Shield Guard assesses the setting as Secure.	N
Auto Document Deletion	Deletes stored data after a user-defined period expires, including data stored in personal or public user boxes, and system boxes. Not supported on MicroSD storage devices.	Monitors the Document Delete Time setting on the device. If the time period specified at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
Encrypted PDF Deletion	Deletes stored, encrypted PDFs after a user-defined period expires. Not supported on MicroSD storage devices.	Monitors the Encrypted PDF Delete Time setting on the device. If the time period specified at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
ID + Print Deletion	Deletes stored, secure print data in the ID & Print user box after a user-defined period expires. Not supported on MicroSD storage devices.	Monitors the ID & Print Delete Time setting on the device. If the time period specified at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
Secure Document Deletion	Deletes documents stored in the Secure Print user box after a user-defined period expires. Not supported on MicroSD storage devices.	Monitors the Delete Secure Print File setting at the device. If the frequency interval specified at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
Temporary Data Overwrite	Overwrites stored temporary data after it expires, in addition to deleting it, providing added security. Not supported on i-Series devices.	Monitors the Overwrite HDD Data setting at the device. If enabled, Shield Guard assesses the setting as Secure.	N
Storage Encryption	Encrypts the MFP’s storage device.	Monitors the device’s storage device (hard drive (HDD), solid-state drive (SSD), or MicroSD). If encryption has been enabled on the device, Shield Guard assesses the setting as Secure.	N
Storage Lock Password	Imposes a password requirement to access the device’s storage device.	Monitors the storage device password requirement setting on the device. If enabled, Shield Guard assesses the setting as Secure. Hard drive (HDD) or solid-state drive (SSD) only. MicroSD not supported.	N

Platinum Security Settings

Use this section to configure the Shield Guard Platinum Security settings for a selected policy. These settings correspond with the bizhub SECURE Platinum settings on the device. Toggle on the settings you want Shield Guard to monitor, and toggle off the rest. Be sure to configure the additional options (if any) for the settings you toggle on.

Note: Platinum Security settings are supported only on i-Series devices, with the exception of User Authentication and Public Authentication, which are available for use on all devices supported by Shield Guard.

The following table lists the Platinum Security settings as well as descriptions of the device’s corresponding bizhub SECURE Platinum Security settings and how Shield Guard assesses those settings.

Shield Guard Setting	Functionality at the Device	Shield Guard Assessment	Automatic Remediation?
User Authentication	Activates the user authentication requirement at the device.	Monitors the User Authentication setting on the device. If enabled, Shield Guard assesses the setting as Secure. This Platinum Security setting is available for use on all devices supported by Shield Guard. Note: If you attempt to toggle off monitoring of this setting while the Public Authentication setting is toggled on, a warning message appears indicating the Public Authentication setting will be toggled off as well. That is, to monitor the Public Authentication setting, you must also monitor this setting.	N
Public Authentication	Applies a user-defined mode of restriction on public user’s access to the device. Configuration options are listed below: Restricted - Restricts public users from logging in to the device. To log in, users must have a personal account. On with login - Activates the Public User shared account, and requires public users to log in with the public user password. On without login - Activates the Public User shared account, and allows public users to log in without the public user password.	Monitors the Public Authentication setting at the device. If the mode specified at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure. This Platinum Security setting is available for use on all devices supported by Shield Guard. Note: If you attempt to toggle on monitoring of this setting while the user Authentication setting is toggled off, a warning message appears indicating the User Authentication setting will be toggled on as well. That is, to monitor this setting, you must also monitor the User Authentication setting.	N
Mode Using SSL/TLS	Enables a user-defined SSL/TLS login mode on the device.	Monitors the Mode Using SSL/TLS setting on the device. If the SSL/TLS mode on the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
SSL/TLS Version Setting	Enables a user-defined range of SSL/TLS versions to be available for use on the device.	Monitors the SSL/TLS Version setting on the device. If the range of SSL/TLS versions specified on the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
Admin Mode Logout Time	Applies an automatic admin-mode logout time for the device. When the device is in Admin mode, if no device activity occurs for the specified period, the device logs out. Not accessible at the device. Must be accessed via the Web Connection app.	Monitors the automatic admin-mode logout setting on the device. If the time period specified at the device for automatic admin-mode logout matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
User Mode Logout Time	Applies an automatic user-mode logout time for the device. When the device is in User (Public) mode, if no device activity occurs for the specified period, the device logs out. Not accessible at the device. Must be accessed via the Web Connection app.	Monitors the automatic user-mode logout setting on the device. If the time period specified at the device for automatic user-mode logout matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
FTP Server	Activates the FTP Server function on the device. Not supported on MicroSD storage devices.	Monitors the FTP Server setting on the device. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
FTP TX	Activates the FTP Transmission function on the device. Not supported on MicroSD storage devices.	Monitors the FTP TX setting on the device. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
Job Log	Transmits audit logs to a specified WebDAV server. MicroSD storage devices support only the Auto (syslog) transmission method.	Monitors the Job Log setting on the device. When you enable this setting, additional options appear. You must select at least one log type to obtain, and specify a transmission method for the logs. If you select the Manual (XML) method, you must also specify your preference for overwriting the log file in the event the log storage area reaches capacity. If you select Restrict, a warning message appears indicating that once log storage reaches capacity, the device will prevent users from running additional jobs until the log storage area is cleared. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
Service Location Protocol	Activates Service Location Protocol (SLP) on the device.	Monitors the SLP setting on the device. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
MFP Shared Folder Deletion	Deletes documents stored in the device’s Shared folder after a user-defined period expires. Not supported on MicroSD storage devices.	Monitors the “MFP Shared Folder Deletion” setting at the device. If the frequency interval specified at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
SNMP v1/v2c	Activates SNMP (Simple Network Management Protocol) v1/v2c on the device.	Monitors the SNMP v1/v2c setting on the device. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
SNMP v3	Activates SNMP (Simple Network Management Protocol) v3 on the device.	Monitors the SNMP v3 settings on the device. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y

SNMP v3 Settings

Shield Guard can monitor, and auto-remediate, SNMP v3 settings on supported devices. The Simple Network Management Protocol (SNMP) is designed to enable remote configuration and monitoring of device settings across a local network. Version 3 of SNMP includes improvements to the prior protocols (v1/v2c), providing additional security to prevent unauthorized access and manipulation of the settings within a device.

Note the following:

Shield Guard support for SNMP v3 is limited to Konica Minolta i-Series devices.
At this time, Shield Guard does not support password management for SNMP v3. Password management for SNMP v3, for example, changing a password, must be done at the device.
For information on SNMP v3 or how your devices interact with the protocol, refer to the product’s documentation.

The following illustration shows Shield Guard’s default SNMP v3 settings:

The following lists Shield Guard’s SNMP v3 settings and describes how Shield Guard assesses a device’s corresponding settings. For all Shield Guard settings, if the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.

Status - Monitors and reports the status of the SNMP v3.
Port Number - Monitors the UDP Port setting on the device. The default port for SNMP is 161, but you can edit this field. Note that SNMP v1/v2c also uses the SNMP port.
Context Name - Monitors the Context Name setting on the device. Accepts up to 63 characters.
Discovery User Permissions - Enables the Discovery User Name setting.
- Discovery User Name - Monitors the Discovery User Name setting on the device. Accepts 1 to 32 characters.
Read User Name - Monitors the Read User Name setting on the device. Accepts up to 32 characters.
- Read Security Level - Monitors the Read Security Level setting on the device.
Write User Name - Monitors the Write User Name setting on the device. Accepts up to 32 characters.
- Write Security Level - Monitors the Write Security Level setting on the device.
Encryption Algorithm - Monitors the Encryption Algorithm setting on the device.
Authentication Method - Monitors the Authentication Method setting on the device.

Notes:

All Shield Guard SNMP v3 settings support automatic remediation. However, the SNMP Settings feature must be enabled on the device. Due to device limitations, Shield Guard cannot monitor or enable this setting remotely. Thus, to auto-remediate SNMP v3 settings at a device, you must manually toggle on the SNMP Settings switch at the device.
If appears next to a field (for example, Read User Name), you can select it to auto-generate a random text string and insert it into the field.
Shield Guard provides default values for all SNMP v3 fields except the Context Name field, for which you must provide a value before you can save the policy.
Spaces are restricted from use in SNMP v3 settings, as well as the following characters:

Restricted Character Description

\ backslash

' single quote

" double quote

# pound sign

Restricted Character	Description
\	backslash
'	single quote
"	double quote
#	pound sign

Ultimate Security Settings

Use this section to configure the Shield Guard Ultimate Security settings for a selected policy. These settings correspond with the bizhub SECURE Ultimate settings on the device. Toggle on the settings you want Shield Guard to monitor, and toggle off the rest. Be sure to configure the additional options (if any) for the settings you toggle on.

Notes:

If you configure Shield Guard to monitor an Ultimate setting on a device that does not support the setting, Shield Guard will assess the setting as Not Secure.
Shield Guard Ultimate Security settings are supported only on i-Series devices on which:
- The LK-116 Virus Scan i-Option is supported.
- The LK-116 Virus Scan i-Option has been installed.

The following table lists the Ultimate Security settings as well as descriptions of the device’s corresponding bizhub SECURE Ultimate Security settings and how Shield Guard assesses those settings.

Shield Guard Setting	Functionality at the Device	Shield Guard Assessment	Automatic Remediation?
Virus Scan License	Devices have no corresponding setting. Instead, if the LK-116 Virus Scan i-Option is licensed on the device, then Ultimate Security settings are available on the device and Shield Guard can monitor the settings.	Monitors the LK-116 i-Option on the device. If the LK-116 i-Option has been licensed (installed and enabled) on the device, Shield Guard assesses the setting as Secure.	N
Log Pattern File Version	Devices have no corresponding setting. Instead, the LK-116 Virus Scan i-Option installs a pattern file (a database of virus information) onto the device to identify and eradicate viruses.	Polls the device for the version of the antivirus pattern file. If a change is detected, the Shield Guard agent sends the updated value to the log in the Shield Guard portal.	N
Pattern File Updates	Displays an alert on the MFP panel when the virus scan pattern file fails to update.	Monitors the “Update failure of pattern file” setting at the device. If enabled, Shield Guard assesses the setting as Secure.	Y
Real-Time Scanning	Enables admins to enable/disable the Real-Time Scanning option on the device. This option scans all files sent, scanned, or accessed by the device, as well as files located on USB drives.	Monitors the Real-Time Scanning setting on the device. If enabled, the Job Control Levels appear where you can specify how you want the device to respond when the LK-116 kit detects a virus. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure.	Y
Regular Scan	Enables admins to enable/disable the Regular Scan option on the device. This option performs a full virus scan of the device at a user-specified interval. Note: Enabling this option on the device can impact device performance, so we recommend you schedule the scan to occur at off-peak hours.	Monitors the Regular Scan setting on the device. If the configuration at the device matches the Shield Guard policy setting, Shield Guard assesses the setting as Secure. Note: When scheduling a regular scan to occur monthly, if the day of the month you select exceeds the number of days in a given month, the scan will occur on the final day of that month. For example, if you select 31, then in April, the scan will occur on April 30 (the last day in April). Note that, for scheduling purposes, devices always consider February to have 28 days.	Y

Note: If neither of the above scanning options are enabled on the device, then:

No virus scanning occurs.
No check of the pattern file version occurs.
No update of the pattern file occurs, so no log indicating a change to the pattern file will be generated.

The Antivirus Pattern File

The LK-116 Virus Scan i-Option includes an antivirus pattern file. This file is a database of virus information that is constantly updated to include the latest antivirus information from around the globe. As part of the installation of the LK-116 Virus Scan i-Option onto a device, the antivirus pattern file is installed onto the device.

In order for the LK-116 Virus Scan i-Option to maintain the latest version of the pattern file on a device, note the following:

The device must be connected to the internet.
Virus scanning must occur. That is, at least one of the scanning options (Real-Time Scanning or Regular Scan) must be enabled on the device.

A virus scan triggers a check of the pattern file. If an updated version is available, it is downloaded to the device and the scan proceeds using the new pattern file. If no new version is available, the scan proceeds using the existing pattern file.

Monitoring Changes to the Antivirus Pattern File

Shield Guard can monitor changes to the antivirus pattern file on each device assigned to a security policy. If the following is true, then Shield Guard will create a log for every change detected in the antivirus pattern file on a device:

The device supports the LK-116 Virus Scan i-Option.
The LK-116 kit has completed its initial installation. If Shield Guard assesses the device before the installation is complete, a log will be generated showing a device value of “Pending”.
The Log Pattern File Version setting is enabled in the policy.
At least one of the virus scanning options (Real-Time Scanning or Regular Scan) is enabled on the device.

The LK-116 kit should complete its installation automatically, within a few minutes. If not, consider the following remedies:

Reboot the device to trigger the pattern file update.
Confirm that your network settings are not preventing the update.
Configure the proxy server (if any) to allow the device to pull the pattern file update, as this is independent of the proxy settings used by MarketPlace and Shield Guard. In the Web Connection app, access the following:

Network/Machine Update Settings/HTTP Proxy Settings
Contact your authorized Konica Minolta service team to take action to resolve the problem, including potentially updating the device’s firmware.

Device Support for the LK-116 Virus Scan i-Option

Not all devices support the LK-116 Virus Scan i-Option, including some i-Series devices. If you configure a Shield Guard policy to monitor Ultimate settings (that is, you enable the Virus Scan License setting), note the following:

Device Supports LK-116?	Configuration of LK-116 at the Device	Shield Guard Assessment of the Virus Scan License Setting	Shield Guard Log
No	Not Applicable	Not Secure	Labels the device value as “Not supported”
Yes	LK-116 is installed, but none of its settings are enabled	Secure	None
Yes	LK-116 is not installed	Not Secure	Labels the device value as “Not installed”

Supported Ultimate Settings

Shield Guard’s support for bizhub SECURE Ultimate is contingent on your Shield Guard license plan. If a setting or control does not appear in Shield Guard, your license plan does not support it. See the following table:

Shield Guard Plan	Shield Guard Support
Enterprise	Full monitoring of Ultimate settings, and remediation of applicable settings.
Business	Full monitoring of Ultimate settings.
Starter	Monitoring of the LK-116 Virus Scan i-Option to determine if it is licensed on the device.

Note: Your license plan affects only Shield Guard functionality. It does not affect the functionality of Ultimate Security settings on the device.

Step 6 - Save

The Save button is inactive until all required fields contain valid responses. If you click on this button when it is active, your current configuration is preserved and you return to the Policies page where the policy appears in the Policies table. To exit the page without saving, you can either navigate to another page or click on the browser’s Back button.

A Note on Required Fields and Saving Security Policies

On the Edit Policy page (and the Create a New Policy page, as well), fields requiring a valid response display in red. The following fields are required on the Policies page:

Name your policy - Each policy requires a unique name.
Additional Options - If you toggle on a setting for which additional options exist, the Additional Options field for that setting activates and becomes a required field for the policy.

In the illustration below, the Edit Policy page appears. Note the following:

The Name your policy field displays in red, indicating it is a required field awaiting a valid response.
The Auto Document Deletion setting has been toggled on, and the dropdown field displays in red, indicating it is awaiting a response.

Auto-Remediating Non-Compliant Device Security Settings

Most Shield Guard security policy settings have an automatic remediation option to automatically bring non-compliant device security settings into compliance with the policy. If such a policy setting is toggled on and its Automatic Remediation box is checked, then Shield Guard will automatically remediate the setting as part of its device assessment. If automatic remediation is not active for a setting, or the setting does not support automatic remediation, the setting must be changed manually, at the device, to return it to a compliant state.

Note: Automatic Remediation is supported only on:

The Enterprise plan.
i-Series devices, with the exception of Admin Password Configuration, which is supported on all MarketPlace devices. For devices that do not support automatic remediation, activating automatic remediation on a setting has no effect.

In the following illustration, note the following:

The Auto Document Deletion setting is toggled on.
The deletion frequency is set to 1 day.
The Automatic Remediation box is selected.

With this configuration, each Shield Guard assessment will ensure all devices in the policy have their Auto Document Deletion setting enabled and the document deletion frequency set to 1 day. Shield Guard will automatically remediate any non-compliant settings to a compliant state.

Note: The Overview topic includes a description of a sample custom policy that lists the basic steps Shield Guard performs when monitoring and maintaining security for devices assigned to a security policy, including the step in which automatic remediation is applied to a setting.

Editing a Policy

To edit a security policy, click on the Edit button for the policy in the Policies table. The Edit Policy page appears.

You can change the policy name and/or toggle on (or off) one or more security settings. Many settings have additional options allowing you to fine-tune your preferences. For details on the individual fields on the Edit a Policy page, click here.

Note: Any changes you make to security settings in an existing security policy are applied at the next server heartbeat sync. This includes changing the server heartbeat sync frequency itself.

The following illustration of the Edit Policy page shows a security policy called “Second Floor East” where the policy name has been changed to “Second Floor West” and the Auto Document Deletion security setting has been toggled off.