Managing Security Policies
To create and maintain Shield Guard security policies for your license group, click on Policies in the Navigation pane. The Policies page appears, as shown in the following illustration, which lists three custom policies and the two sample security policies:
The Policies page provides access to the security policies in your license group. Each individual policy is capable of monitoring all security settings for supported Konica Minolta MFPs (multi-function peripheral devices) and SFPs (single-function peripheral devices), and each policy is fully customizable. In addition, most policy settings include an Automatic Remediation option to automatically bring the device’s corresponding setting into compliance with the policy setting.
About Security Policies
Shield Guard security policies enable you to remotely monitor and maintain the security settings for any device in a Shield Guard license group. You access the license group and its security policies via the Shield Guard Portal. Each license group can contain an unlimited number of security policies and devices.
Each Shield Guard security policy contains the same list of settings - settings that correspond to the security switches available in Konica Minolta devices. You customize your policies by enabling the policy settings you want Shield Guard to monitor and not enabling the policy settings you want Shield Guard to ignore. For each policy setting you enable, Shield Guard compares the setting with the device’s corresponding setting. If the policy setting matches the device’s setting, Shield Guard assesses that setting as compliant.
If Shield Guard assesses all device security settings as compliant with the policy, the device receives a security status of Secure.
If Shield Guard assesses one or more device settings as not compliant with the policy, the device receives a status of Not Secure. The Dashboard and Devices pages display a Not Secure status for the device, and the Logs page lists the individual settings assessed as Not Secure.
Once you assign a security policy to a device (or device group), Shield Guard can begin remote monitoring of the device(s). Once assigned, the policy runs continuously, communicating with the agent at user-defined intervals. The agent queries the portal for the current policy settings, then compares the device’s settings with the policy’s corresponding settings. If any issues are found, the portal updates with the information so you can take corrective action.
Notes:
- For the Shield Guard Agent to communicate with the Shield Guard Portal (and the portal to communicate back to the agent), the agent must be running. The agent launches automatically when the Shield Guard screensaver is active on a device.
- Any changes you make to settings in a security policy are applied at the first server heartbeat sync that occurs after the Shield Guard screensaver launches.
- For a Shield Guard policy to monitor a security setting on a device, the setting must be enabled both in the policy and on the device. For information on enabling settings at the device, refer to the device’s documentation.
- To help you get started, Shield Guard includes two sample security policies. You can use these policies in any way that meets your needs.
Device Restrictions
Shield Guard supports all bizhub devices supported by MarketPlace. However, the functionality of some Shield Guard policy settings is restricted to newer devices. Note the following:
- Platinum settings are supported only on i-Series devices, with the exception of User Authentication, which is supported on all MarketPlace devices.
- Automatic Remediation is supported only on i-Series devices, with the exception of Admin Password Configuration, for which automatic remediation is supported on all MarketPlace devices.
- Due to device limitations, devices using microSD cards do not support all Shield Guard policy settings.
Sample Security Policies
Shield Guard includes two sample security policies, the Standard Policy and the Advanced Policy. You can use these policies in any way that meets your needs. The following illustration shows the Policies page listing the sample policies:
For the sample security policies, all security settings are included, and you have the following options:
- View a policy’s current configuration.
- Assign the policy to one or more devices as-is, without modifications.
- Modify the security settings and assign the policy to one or more devices.
- Rename the policy and assign it to devices under the new name, with or without modifications to security settings.
Notes:
- You can also create a new policy from scratch.
- The Overview topic includes a description of a sample custom policy.
Policies Table
The Policies table lists all policies in the license group. See the following illustration:
The Information bar at the top of the Policies page contains the following information, fields, and buttons:
- Page Icon - The icon representing the current page.
- Page Name - The name of the current page.
- Total Policies - A running count of the security policies in the current license group.
- Search - A search filter you can use to restrict the policies displayed in the Policies table to those matching a string you specify.
- Create New Policy - This button provides access to the Create a New Policy page.
The Policies table provides information on, and action options for, each policy, including the following:
- Name - The name of the policy.
- Last Modified - The date and time at which the policy was last modified.
- Rows per page - This option appears at the bottom of the Policies table. Use it to specify the number of policy rows to display per page. For example, if your license group contains many policies, you can specify a large number of policies per page, such as 25. The more policies per page, the less likely you will have to navigate to another page of policies.
- Previous/Next buttons - If your license group contains more policies than the number of rows specified at the Rows per page field, these buttons (next to the Rows per page field) activate. Use them to navigate to other pages of the Policies table.
Action Options in the Policies Table
In addition to information on each policy, the Policies table provides access to action options you can use to modify a policy and/or apply it to a device. Click on the associated button to access the action. The following table lists the action options available for each policy.
Action Icon | Function |
---|---|
Assign Policy | Accesses the Assign Policy to Devices window. |
Show Policy | Accesses the View Policy page. |
Edit Policy | Accesses the Edit Policy page. |
Clone Policy | Creates a copy of the policy and displays it in the Edit Policy page, where you can give the policy a unique name and modify it to suit your needs. |
Delete Policy | Deletes the policy. |
Assigning a Policy to Devices or Device Groups
To assign a security policy to devices or device groups, click on the Assign Policy button for a policy in the Policies table. The Assign Policy to Devices or Groups window appears. The following illustration shows the window when the Devices tab is selected:
In the Available panel, all devices from your MarketPlace account appear, restricted to devices that have not yet been assigned to a group (whether by you or another user). Do the following:
- In the Available panel, click on the selection box next to each device to which you want to assign the security policy. To select all available devices, click on the box in the panel header.
- Once you select a box, the > button between the panels activates. When you have selected all the devices you are interested in, click on the > button. The devices appear in the Selected panel.
- To remove one or more devices from the Selected panel, click on their associated boxes and then click on the < button. The devices return to the Available panel.
  Note: To exit the Assign Policy to Devices or Groups window without selecting any devices, click outside the window at any time.
- When the Selected panel contains all the devices you are interested in, click on the ASSIGN POLICY button. You return to the Policies page. If you now access the Devices page, you can see that the policy you assigned is listed in the Policy Name column for each device you selected.
To assign the policy to all devices in a device group, click on the Groups tab and use the same procedure as described for the Devices tab.
Note: You can also assign a policy to the devices in a group using the Modify Device Group window on the Devices page.
Viewing Security Policies
The View Policy page appears when you click on the Show button for a policy in the Policies table. It displays a read-only version of the selected policy. The following illustration shows the top portion of a security policy called “Second Floor East”, in which the Default Admin Password Check setting has been enabled.
Creating Policies
To create a new, custom security policy, access the Policies page, where you have the following options when creating a policy:
- Create a new policy from scratch - Click on the Create New Policy button to access the Create a New Policy page.
- Rename an existing policy - On the Policies page, click on the Edit button associated with the policy you want to rename. The Edit Policy page appears, where you can rename and otherwise modify the policy to suit your preferences. For example, you can modify and rename one of the sample policies.
Notes:
- Not all devices support all Shield Guard security settings. For example, some older devices do not support some bizhub Platinum Security settings. If you enable a setting in Shield Guard that is not supported on a device, Shield Guard will assess the setting as Secure. That is, enabling the setting will not cause the device to fail its security assessment. For devices that do not support automatic remediation, activating automatic remediation on a setting has no effect.
- The Overview topic includes a description of a sample custom policy.
Creating a New Policy
The Create a New Policy page accesses the policy template, which you use to create a new policy. The template includes Shield Guard policy settings corresponding with each of the security settings available in supported Konica Minolta MFPs (multi-functional peripheral devices) and SFPs (single-function peripheral devices). Each Shield Guard security setting can be enabled or disabled. Some settings include an Additional Options field. If you enable such a setting, the Additional Options field becomes a required field.
To create a new policy from scratch, access the Policies page and click on the Create New Policy button. The Create a New Policy page appears:
In the policy template, all settings are disabled by default. The Create a New Policy page consists of the sections covered in the following steps. To create a new security policy, take these steps:
Step 1 - Name your policy
Use the Name your policy field to specify a meaningful name for the policy. This is a required field.
Step 2 - Specify Policy Settings
Use this section to specify the frequency of communications between the Shield Guard Agent and the Shield Guard Portal for devices to which the current security policy is assigned. Specify the following:
- Server heartbeat sync frequency - Specify how often you want the agent to communicate with the Shield Guard Portal to retrieve the latest changes (if any) to the security policy. The agent stores the latest settings until the next heartbeat sync.
  Note: Once you apply this setting to a policy, if you later modify the setting, the change is applied at the completion of the previously scheduled sync. For example, if the current setting is 7 days and you change it to 15 minutes, the change will be applied at the next sync (7 days after the previous sync). Thereafter, syncs will occur every 15 minutes, until you change the setting again.
- Check MFP local settings frequency - Specify how often you want the agent to run a “device check”. A device check records the current status of each of the device’s security settings for which the corresponding policy setting is enabled (and ignores the disabled settings). If either of the following occurred since the last device check, the agent notifies the portal:
  - One or more settings on the device were modified.
  - One or more device settings do not match their corresponding policy setting.
  If the agent reports any issues to the portal, the portal runs an assessment of the policy to determine if any device settings are not compliant with the policy.
Notes:
- The Shield Guard Agent communicates with the portal only when the Shield Guard screensaver is active on the device. That is, once the screensaver activates on a device, the agent communicates based on your settings here until the screensaver deactivates. For example, if you set the Check MFP local settings frequency to 5 minutes, then after the 5 minutes expires, the policy runs a check on each device as soon as the screensaver runs on the device. If the screensaver is already running when the 5 minutes expires, the device check begins immediately.
- The Overview topic includes a description of a sample custom policy with a typical communication frequency configuration between portal and device.
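The two timing rules in this step (a changed heartbeat frequency takes effect only when the previously scheduled sync completes, and a device check that falls due while the screensaver is inactive waits for the screensaver to launch) are easy to get wrong when planning a rollout. The following Python model is an added example written for this page; it is not Shield Guard code, and the function names, the list-of-windows representation of screensaver activity, and the sample timeline are all constructed for illustration.

```python
from datetime import datetime, timedelta

def frequency_at(t, initial, changes):
    """Return the heartbeat frequency in force at time t.

    `changes` is a list of (change_time, new_frequency) pairs saved in the portal.
    The agent only learns of a change at a sync, so callers evaluate this at sync
    times, never at the moment the administrator saved the policy.
    """
    freq = initial
    for change_time, new_freq in sorted(changes):
        if change_time <= t:
            freq = new_freq
    return freq

def heartbeat_syncs(first_sync, initial, changes, count):
    """Return the first `count` server heartbeat sync times.

    At each sync the agent retrieves the policy's current frequency and schedules
    the next sync from it, so a new frequency takes effect only when the previously
    scheduled sync completes (the 7-days-to-15-minutes case described in the text).
    """
    syncs = [first_sync]
    while len(syncs) < count:
        last = syncs[-1]
        syncs.append(last + frequency_at(last, initial, changes))
    return syncs

def next_device_check(last_check, frequency, screensaver_windows):
    """Return when the next device check runs, or None if the screensaver never returns.

    The agent talks to the portal only while the Shield Guard screensaver is active.
    `screensaver_windows` is a list of (start, end) intervals sorted by start: a check
    that falls due inside a window starts immediately; one that falls due between
    windows waits for the next window to open.
    """
    due = last_check + frequency
    for start, end in screensaver_windows:
        if start <= due < end:
            return due
        if start > due:
            return start
    return None

if __name__ == "__main__":
    # Constructed sample timeline, not taken from a real portal.
    t0 = datetime(2024, 1, 1, 0, 0)
    changes = [(t0 + timedelta(days=1), timedelta(minutes=15))]  # admin edits the policy on day 1
    for s in heartbeat_syncs(t0, timedelta(days=7), changes, 4):
        print("heartbeat sync:", s)  # day 0, day 7, day 7 + 15 min, day 7 + 30 min
    windows = [(datetime(2024, 1, 8, 8, 50), datetime(2024, 1, 8, 9, 2)),
               (datetime(2024, 1, 8, 9, 10), datetime(2024, 1, 8, 9, 30))]
    last = datetime(2024, 1, 8, 9, 0)
    print("next device check:", next_device_check(last, timedelta(minutes=5), windows))  # 09:10
```

The functions only use `+` and comparisons, so they work equally with `datetime`/`timedelta` values and with plain integer minute offsets, which is convenient for quick what-if checks.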
Step 3 - Specify Standard Security Settings
Use this section to configure the Standard Security settings for the current policy. The Standard Security settings correspond with the bizhub SECURE Service settings supported by the device. Enable all settings you want the policy to monitor. Be sure to configure the additional options (if any) for the settings you enable. Disable all other settings.
The following table lists the Standard Security settings as well as descriptions of the device’s corresponding bizhub SECURE Standard Security settings and how Shield Guard assesses the setting. The settings include:
Security Setting | Functionality at the Device | Shield Guard Assessment | Automatic Remediation? |
---|---|---|---|
Admin Password Configuration | Updates the device admin password based on user-defined settings in Shield Guard. | Checks if the device admin password is due for an update and, if so, generates a new password and sends it to the device. | Y |
Default Admin Password Check | Enables admins to change the device admin password. | Checks if the device admin password has been changed from the device default. Note: The Default Admin Password Remediation setting requires this setting (Default Admin Password Check) to be enabled in order to remediate admin passwords. Thus, if you attempt to disable this setting while the Default Admin Password Remediation setting is enabled, a warning message appears with two options: if you click on OK, both settings are disabled; if you click on Cancel, both settings remain enabled. No warning message appears if the Default Admin Password Remediation setting is not currently enabled, or if you are enabling this setting (Default Admin Password Check). | N |
Password Rules | Enables admins to apply password requirements for passwords configured on the device, for example, length and complexity requirements. | Checks if the Password Rules setting has been enabled on the device, requiring device admin passwords to meet length and/or complexity requirements. | N |
Auto Document Deletion * | Automatically deletes stored data after a user-defined period expires, including data stored in personal or public user boxes, and system boxes. | Checks that the time period specified at the Document Delete Time setting on the device matches the Shield Guard policy setting. | Y |
Encrypted PDF Deletion * | Automatically deletes stored encrypted PDFs after a user-defined period expires. | Checks that the time period specified at the Encrypted PDF Delete Time setting on the device matches the Shield Guard policy setting. | Y |
ID + Print Deletion * | Automatically deletes stored secure print data in the ID & Print user box after a user-defined period expires. | Checks that the time period specified at the ID & Print Delete Time setting on the device matches the Shield Guard policy setting. | Y |
Public Authentication | Enables admins to apply restrictions on public user access to the device. Options: Restricted - restricts public users from logging in to the device (to log in, users must have a personal account); On with login - activates the Public User shared account, enabling public users to log in with the public user password; On without login - activates the Public User shared account, enabling public users to log in without the public user password. | Checks if the Public Authentication setting at the device matches the Shield Guard policy setting. | N |
Secure Document Deletion * | Automatically deletes documents stored in the Secure Print user box after a user-defined period expires. | Checks that the time period specified at the Auto Delete Secure Document setting at the device matches the Shield Guard policy setting. | Y |
Temporary Data Overwrite ** | Overwrites stored temporary data after it expires, in addition to deleting it, providing added security. | Checks if the Overwrite HDD Data setting has been enabled at the device. | N |
Storage Encryption | Enables admins to encrypt the device’s storage device. | Checks if the device’s storage device (hard drive (HDD), solid-state drive (SSD), or microSD) has been encrypted. | N |
Storage Lock Password * | Enables admins to require a password for users to access the device’s storage device. | Checks if the password requirement to access the device’s storage device has been enabled. Hard drive (HDD) or solid-state drive (SSD) only; microSD not supported. | N |

* Not supported on microSD storage devices.
** Not supported on i-Series devices.
Step 4 - Specify Platinum Security Settings
Use this section to configure the Platinum Security settings for the current policy. Enable all settings you want the security policy to monitor. Be sure to configure the additional options (if any) for the settings you enable.
The following table lists the Platinum Security settings as well as descriptions of the device’s corresponding bizhub SECURE Platinum Security settings and how Shield Guard assesses the setting.
Note: With the exception of User Authentication, Platinum Security settings are supported only on i-Series devices. If you configure Shield Guard to monitor a setting on a device that does not support the setting, Shield Guard will assess the setting as Secure.
Security Setting | Functionality at the Device | Shield Guard Assessment | Automatic Remediation? |
---|---|---|---|
User Authentication | Enables admins to activate User Authentication at the device. | Checks if user authentication is enabled at the device. Note that this setting is available for use on all devices supported by Shield Guard. | N |
Mode Using SSL/TLS | Enables admins to select an SSL/TLS mode to use on the device. | Checks if the setting has been enabled at the device, and whether the SSL/TLS mode matches the Shield Guard policy setting. | Y |
SSL/TLS Version Setting | Enables admins to select the SSL/TLS versions to use on the device. | Checks if the range specified at the device for SSL/TLS versions matches the Shield Guard policy setting. | Y |
Admin Mode Logout Time *** | Enables admins to specify an automatic Admin-mode logout time for the device. When the device is in Admin mode, if no device activity occurs for the specified period, the device logs out. | Checks that the time period specified at the device for automatic Admin-mode logout matches the Shield Guard policy setting. | Y |
User Mode Logout Time *** | Enables admins to specify an automatic User-mode logout time for the device. When the device is in User (Public) mode, if no device activity occurs for the specified period, the device logs out. | Checks that the time period specified at the device for automatic User-mode logout matches the Shield Guard policy setting. | Y |
FTP Server * | Enables admins to enable/disable the FTP Server function on the device. | Monitors and reports the status of the FTP Server function on the device. | Y |
FTP TX * | Enables admins to enable/disable the FTP Transmission function on the device. | Monitors and reports the status of the FTP Transmission function on the device. | Y |
Job Log | Enables admins to automatically transmit audit logs to a specified WebDAV server. | Checks if the Job Log setting has been enabled at the device. | Y |
SNMP v1/v2c | Enables admins to enable/disable Simple Network Management Protocol (SNMP) v1/v2c on the device. | Monitors and reports the status of the SNMP v1/v2c setting on the device. | Y |
SNMP v3 | Enables admins to enable/disable Simple Network Management Protocol (SNMP) v3 on the device. | Monitors and reports the status of the SNMP v3 setting on the device. | Y |

* Not supported on microSD storage devices.
*** Not accessible at the device. Must be accessed via the Web Connection app.
Step 5 - Save
The Save button is inactive until all required fields contain valid responses. If you click on this button when it is active, your current configuration is preserved and you return to the Policies page where the policy appears in the Policies table. To exit the page without saving, you can either navigate to another page or click on the browser’s Back button.
A Note on Required Fields and Saving Security Policies
On the Edit Policy page (and the Create a New Policy page, as well), fields requiring a valid response display in red. The following fields are required on these pages:
- Name your policy - Each policy requires a unique name.
- Additional Options - If you enable a setting for which additional options exist, the Additional Options field for that setting activates and becomes a required field for the policy.
In the illustration below, the Edit Policy page appears. Note the following:
- The Name your policy field displays in red, indicating it is a required field awaiting a valid response.
- The Auto Document Deletion setting has been enabled, and its dropdown field displays in red, indicating it is awaiting a response.
Auto-Remediating Non-Compliant Device Security Settings
Most Shield Guard security policy settings have an automatic remediation option to automatically bring non-compliant device security settings into compliance with the policy. If such a policy setting is enabled and its Automatic Remediation box is checked, then Shield Guard will automatically remediate the setting as part of its device assessment. If automatic remediation is not active for a setting, or the setting does not support automatic remediation, the setting must be changed manually, at the device, to return it to a compliant state.
Note: Automatic Remediation is supported only on i-Series devices, with the exception of Admin Password Configuration, which is supported on all MarketPlace devices. For devices that do not support automatic remediation, activating automatic remediation on a setting has no effect.
In the following illustration, note the following:
- The Auto Document Deletion setting is enabled.
- The deletion frequency is set to 1 hour.
- The Automatic Remediation box is checked.
With this configuration, each Shield Guard assessment will ensure all devices in the policy have their Auto Document Deletion setting enabled and the document deletion frequency set to 1 hour. Shield Guard will automatically remediate any non-compliant settings to a compliant state.
Note: The Overview topic includes a description of a sample custom policy that lists the basic steps Shield Guard performs when monitoring and maintaining security for devices assigned to a security policy, including the step in which automatic remediation is applied to a setting.
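The assessment rules spread across this page (a disabled policy setting is ignored; a setting the device does not support is assessed Secure, as the note under Creating Policies states; a mismatch is remediated only when the box is checked and the device supports remediation; any remaining mismatch makes the device Not Secure) fit in a short model. The following Python is an added example written for this page, not Shield Guard code. The lookup tables summarise the page's footnotes and device-restriction notes, the setting names follow the Standard and Platinum tables, the two devices and the policy are constructed, and it assumes that a setting remediated during an assessment counts as compliant for that assessment.

```python
from dataclasses import dataclass, field

# Constructed lookup tables summarising the page's footnotes and notes; not a product API.
PLATINUM = {"User Authentication", "Mode Using SSL/TLS", "SSL/TLS Version Setting",
            "Admin Mode Logout Time", "User Mode Logout Time", "FTP Server", "FTP TX",
            "Job Log", "SNMP v1/v2c", "SNMP v3"}
I_SERIES_ONLY = PLATINUM - {"User Authentication"}          # Platinum note
NOT_ON_MICROSD = {"Auto Document Deletion", "Encrypted PDF Deletion", "ID + Print Deletion",
                  "Secure Document Deletion", "Storage Lock Password", "FTP Server", "FTP TX"}
NOT_ON_I_SERIES = {"Temporary Data Overwrite"}              # ** footnote
REMEDIATION_ON_ALL_DEVICES = {"Admin Password Configuration"}

@dataclass
class PolicySetting:
    enabled: bool
    value: object = True          # expected device value; True for plain on/off switches
    auto_remediate: bool = False  # the setting's Automatic Remediation box

@dataclass
class Device:
    name: str
    i_series: bool
    storage: str                  # "HDD", "SSD" or "microSD"
    settings: dict = field(default_factory=dict)

def device_supports(device, setting):
    if setting in I_SERIES_ONLY and not device.i_series:
        return False
    if setting in NOT_ON_MICROSD and device.storage == "microSD":
        return False
    if setting in NOT_ON_I_SERIES and device.i_series:
        return False
    return True

def remediation_supported(device, setting):
    return device.i_series or setting in REMEDIATION_ON_ALL_DEVICES

def assess(device, policy):
    """Assess one device against a policy. Returns (status, log); may update device.settings.

    Each log entry is (setting, result, detail), mirroring what the Logs page would list.
    """
    log = []
    for name, ps in policy.items():
        if not ps.enabled:
            continue                                   # disabled policy settings are ignored
        if not device_supports(device, name):
            log.append((name, "Secure", "setting not supported on this device"))
            continue
        actual = device.settings.get(name)
        if actual == ps.value:
            log.append((name, "Secure", "matches policy"))
        elif ps.auto_remediate and remediation_supported(device, name):
            device.settings[name] = ps.value           # bring the device into compliance
            log.append((name, "Remediated", f"{actual!r} -> {ps.value!r}"))
        else:
            log.append((name, "Not Secure", f"device {actual!r}, policy {ps.value!r}"))
    status = "Secure" if all(r != "Not Secure" for _, r, _ in log) else "Not Secure"
    return status, log

def sample_policy():
    """Constructed policy: Auto Document Deletion at 1 hour with Automatic Remediation
    checked (as in the illustration), two more enabled settings, one left disabled."""
    return {
        "Auto Document Deletion": PolicySetting(True, "1 hour", auto_remediate=True),
        "Default Admin Password Check": PolicySetting(True),
        "SNMP v1/v2c": PolicySetting(True, False, auto_remediate=True),  # policy wants it off
        "Storage Encryption": PolicySetting(False),                      # ignored by the policy
    }

def sample_devices():
    """Two constructed devices: an i-Series MFP on HDD and an older device on microSD."""
    return [
        Device("i-series-mfp", True, "HDD",
               {"Auto Document Deletion": "12 hours", "Default Admin Password Check": True,
                "SNMP v1/v2c": True, "Storage Encryption": False}),
        Device("legacy-sfp", False, "microSD",
               {"Default Admin Password Check": False, "SNMP v1/v2c": True}),
    ]

if __name__ == "__main__":
    for dev in sample_devices():
        status, log = assess(dev, sample_policy())
        print(f"{dev.name}: {status}")
        for entry in log:
            print("   ", *entry)
```

Running it shows the i-Series device ending Secure after two remediations, while the legacy device ends Not Secure solely because its default admin password check fails: its unsupported settings are reported Secure rather than counted against it, which is exactly the behaviour the notes on this page describe.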
Editing a Policy
To edit a security policy, click on the Edit button for the policy in the Policies table. The Edit Policy page appears.
You can change the policy name and/or enable or disable one or more security settings. Many settings have additional options allowing you to fine-tune your preferences. The individual fields on the Edit Policy page are the same as those described under Creating a New Policy.
Note: Any changes you make to security settings in an existing security policy are applied at the next server heartbeat sync. This includes changing the server heartbeat sync frequency itself.
The following illustration of the Edit Policy page shows a security policy called “South Wing Policy” where the policy name has been changed to “East Wing Policy” and the Default Admin Password Check security setting has been enabled.