Konica Minolta - CPA 2.0

Complete the requirements and follow the steps below to install the second-generation Control Panel Application (CPA) on Konica Minolta printers. For a list of supported devices, see PrinterLogic CPA.

Installation Requirements

Ensure all of the universal requirements are completed and functional prior to CPA setup. In addition, Konica Minolta also requires the following:

  • Konica Minolta has authorized the installation of the Virtual Appliance CPA on its devices in the North American, South American, and Caribbean regions. The installation fails when attempted in other regions.
  • To verify the firmware versions supported by Virtual Appliance, please consult the Virtual Appliance bEST Technology Suite, to ensure the correct functioning.
    • To see your local firmware version enter administrator mode and select Maintenance then ROM Version. The firmware version is the last 5 digits of the MFP Controller number.
  • Your printer be should be running a compatible function version.
    • To locate the function version go to the printer's control panel navigate to Menu then Utility then Device Info. The function version should be listed on the page.
  • Confirm the printer's region settings are correct.
  • Ensure the certificate has SHA256 encryption. See instructions in the Certificates section below.
  • Configure the network and WebDav settings as shown in the Network Settings section below.

Additional Port Information

CPA installation and uninstallation occur from the Service Client object to the printer over TCP 50003.

CPA operation requires two main communication paths:

  • From the printer to the Service Client object over TCP 31988.
  • From the printer to the Virtual Appliance instance (cpp-ui.FQDN_of_Virtual Appliance and cpa-api.FQDN_of_Virtual Appliance) over TCP 80/443.

Communication with WebDAV from the Service Client to the Virtual Appliance instance over TCP 443.

Everyday printing communication occurs from the workstation to the printer over TCP 9100 (or TCP 515 for LPR queues).

By default, Certificate Revocation List (CRL) checks occur over TCP 80 from the Service Client. The installation may fail if the CRL check cannot complete over Port 80.

Single Sign-On (SSO)

CPA installations in SSO Provider mode require the printer's Public User Access option set to Restricted.

Certificates

SHA1 certificates are no longer supported. A certificate with SHA256 encryption needs to be set as default.

  1. Log into the printers web interface as administrator.
  2. Go to Security then PKI Settings then Device Certificate Settings.
  3. Select New Registration.
  4. Select Create and install a self-signed Certificate and select OK.
  5. Fill in the certificate information.
  6. Under the Encryption Key Type dropdown select RSA-2048_SHA-256.
  7. Select OK.
  8. In the Device Certificate list select the radio button to set the new certificate as Default and select OK.

Network Settings

Multifunction Printer (MFP) devices may require a reboot after adjusting the settings below for them to take effect.

  • Under Network then WebDAV Settings then WebDAV Client Settings, enable the WebDAV TX setting, and set the SSL/Port Settings use SSL and not use a password.
  • Under Security then PKI Settings Enable SSL Version Mode Using SSL/TLS needs to be set to Admin Mode and User Mode, and enable TLS 1.2.
  • Under Network then TCP Socket Setting then Use SSL/TLS, select SSL Only or SSL/TLS.
  • Under Network then Open API Settings, OpenAPI must be Enabled, and SSL/TLS must be set to SSL Only or SSL/TLS.
  • Under Network then Web Browser Settings, enable Web browser.

Please note that Konica Minolta offers different web console user interfaces across various models. The information above is on the general locations where these settings are typically found. The actual location may vary depending on the model.

Multiple Queue Association

Some environments create multiple print queues for the same printer, attaching a black & white driver profile to one and a color profile to the other. This approach enforces printing restrictions tied to the profile but can limit printing on devices with the CPA installed.

With the CPA installed on the printer with the color driver profile, black & white secure release printing jobs sent to that printer would not show on the CPA because they do not align with the driver profile attached to the printer object. The same applies to color print jobs sent to a CPA-enabled printer with a black & white profile attached.

This behavior is essential to consider before installing the CPA on printers tied to multiple printer objects in the Admin Console.

General Authentication Options

What the CPA displays to the end user at the printer is determined by the authentication options on the TCP / IP printer. If you are using the same authentication options for all printers you can use the default settings. If you want to be able to set specific methods on a per-printer basis, you can choose which printer-specific options you want available to set up on individual printers.

Default Settings

Be aware that default authentication settings vary depending on the identity provider. The LDAP settings differ from settings available for an IdP such as Okta or Entra ID (Azure AD).

SSO Settings

If planning to use SSO, you must configure the following setting on the printer's web console:

  • Go to User Auth/Account Track then Account Track Settings then Print Without Authentication and set to Full Color/Black.

LDAP

  1. In the Identity Provider Settings section, ensure that LDAP is selected and that your LDAP credentials are configured correctly.

    Identity Provider Settings section of the Admin Console's General tab with the LDAP option selected.

  2. Scroll down to the CPA Specific Settings section and select the options that you want available on the Printer Apps tab.

    General tab's CPA Specific Settings section showing the different authentication methods that can be selected/enabled.

    Not all the options seen here may be available. The printer's Apps tab displays the manufacturer supported options.

  3. To set PIN Settings do the following:
    1. Set PINs to store in either the Virtual Appliance or Active Directory databases. Depending on your selection, enter the field names for the following:
    2. The field name containing User ID
    3. The field name containing PIN.

      If the Database option is selected, the end-user must set the PIN within the Self-service Portal. See User ID and Pin

  4. To set the Badge Settings do the following:
    1. Set badges to store in the Virtual Appliance or Active Directory databases.
    2. For Active Directory provide the field name that contains the badge ID attribute.

      The Database option makes badge registration mandatory. Administrators can manage badges individually through the badge management screen or in bulk by CSV. End-users also can set up their badge within the Self-service Portal. See Badge Self Registration Options.

  5. Scroll down to the Control Panel Application section. The configuration of these settings is optional.
    1. You can set a default Username and Password to access the printer's web interface on all printers where you're installing the CPA.

      General tab's Control Panel Application section showing the Default Single sign-on enable/disable setting.

      The credentials used MUST have administrative rights for the printer.

    2. Default Single Sign On settings — select from the following options:
      1. Enabled — the default option. This option requires users authenticate to gain access to the printer's control panel.

      2. Disabled — with this option selected, the users are only asked to authenticate when they select the PrinterLogic from the device's control panel.
  6. Scroll back to the top and select Save.

IdP

  1. In the Identity Provider Settings section, ensure that IdP is selected and that the credentials are configured correctly for your IdP.

    General tab's Identity Provider Settings section with the IdP option on the left enabled.

  2. Scroll down to the CPA Specific Settings section.

    General Tab's CPA specific settings section showing the IdP authentication methods, self-registration options, and badge management options.

    Not all the options seen here may be available. The printer's Apps tab displays the manufacturer supported options.

  3. Select the options you want available on the Printer Apps tab. 

    If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

    1. Enable PIN Authentication — use this option to enable the PIN authentication at the printer level. the PIN gets stored in the IdP database and mapping to a PIN attribute gets completed within the IdPs admin console. If you do not use your IdP to manage PINs, you can select the following option.

      1. Enable self registration of PIN for IdPs — enable this option to allow end users to register their PIN using the Self-service Portal. The PIN is stored in the Virtual Appliance database. See User ID and Pin for end user instructions.

        Do not enable Enable self registration of PIN for IdPs, if you have a PIN attribute mapped through your IdP.

    2. Enable Badge Scan Authentication — use this option to enable badge authentication at the printer level. The badge number and associated user ID get stored in the IdP database. In this case, mapping to a badge attribute and user ID attribute is completed within the IdPs admin console. If you do not use your IdP to manage PINs, you can select the following option.

      1. Enable managing of badges in Virtual Appliance instead of in IdP — enable this option to manage the badge numbers in the Virtual Appliance database. You can register each badge on the badge management page or in bulk by CSV. End users can also register their badge within the Self-service Portal. Reference Badge Self-Registration Options for steps.

        If you Enable managing of badges in PrinterLogic instead of in IdP,Virtual Appliance ignores any badge mapping configured in the IdP admin console.

  4. Scroll down to the Control Panel Application section. The configuration of these settings is optional.
    1. You can set a default Username and Password to access the printer's web interface on all printers where you're installing the CPA. Konica Minolta requires the Username to be admin.

      General tab's Control Panel Application section showing the Default Single sign-on enable/disable setting.

      The credentials used MUST have administrative rights for the printer.

  5. Default Single Sign On settings are used to lock down the printer so that users must authenticate themselves first before getting access to the printer's control panel. Enabled is selected by default, and displays the following options on the Printer's App tab.
    1. SSO Provider — this mode displays the Virtual ApplianceCPA screen on the printer until the user authenticates.
    2. SSO Listener — this mode runs behind the scenes and listens for when another application acting as the SSO provider authenticates a user and passes that user info to the CPA. The user can select the PrinterLogic option from the device's default control panel.
  6. Scroll back to the top and select Save.

Install the CPA

These steps are to install the CPA on a single printer using the printer's Apps tab. To install the CPA on multiple printers in bulk, reference CPA Manager for steps.

  1. In the Admin Console tree structure, select the printer where you want to install the CPA.
  2. Select the Apps tab.
  3. In the Manufacturer field, select the printer manufacturer.

  4. Select the Service Client you want to use to install the CPA.
  5. Check the box for Install Application.
  6. Check the boxes for any additional apps you wish to install.
    1. Copy/Scan Tracking.
    2. QR Code Display.

Printer object's Apps tab with the Manufacturer drop-down expanded to show the manufacturers that support the control panel application.

CPA Authentication Options

The options presented in this section are based on what was selected in the identity provider settings above. Please note that authentication features may vary depending on the printer manufacturer.

Installation Credentials

  1. For the Credentials to use when installing PrinterLogic applications on this printer options select from the following:
    1. Use default printer administration credentials — with this option you can use the default name and password to access the printer's web interface for all printers See the identity provider instructions above for more details.
    2. Use printer-specific administrator credentials — with this option you can use the administrator credentials set on each printer.

      The credentials used MUST have administrative rights for the printer.

Credentials to use when installing application on this printer section of the Apps tab showing the bubbles where you select to use the default credentials or printer specific credentials.

End User Credentials

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

  1. Single Sign On — use this option to lock down the printer so that end users must authenticate before accessing the device's control panel. Select from the following options:
    1. Disabled — the device does not require authentication.
    2. Enabled as a Provider — the device displays the default Virtual ApplianceCPA screen requiring users to authenticate to use the device.
    3. Enabled as a Listener — the CPA runs in the background and when users authenticate using another device application, they can select the PrinterLogic option from the devices application panel.
  2. In the CPA Authentication section, select from the following:

    1. Enable User ID with PIN Authentication — with this option enabled, users enter their User Id and PIN.

    2. Enable Badge Scan Authentication — with this option enabled, users must scan their badge, card, or dongle.

      Konica Minolta only supports Badge Scan Authentication in SSO Provider Mode.

      The user is prompted for their network credentials upon first scan to validate the badge.

      1. Require PIN (beta) — with this option enabled, end users are prompted to enter their PIN after scanning a badge.

        This feature is incompatible if the SSO option enabled.

  3. Extended debug — this is an optional setting. When enabled, the following options become available:
    1. Certificates — link to download the Virtual Appliance certificate for CA.
    2. PrinterLogic Control Panel Application manual install URL
  4. Select Save to start the installation.

CPA authentication section of the printer object's Apps tab with the Single Sign-on options, and the authentication options for user ID with pin and enable badge scan authentication showing.

On most Konica Minolta MFPs, you can configure the start and end dates for DST. Certain MFP models come with predefined DST dates already programmed.

Having the correct date, time, and time zone settings on your Konica Minolta Multifunction Printer (MFP), including Daylight Savings Time (DST) information, is crucial to ensure accurate reporting.

On specific models, time stamps in Virtual Appliance reports may display an incorrect hour during the transition periods at the start and end of Daylight Saving Time (DST). To address this issue you can adjust the MFP's time zone by one hour during those particular weeks to maintain accurate time stamps during DST transitions.

Uninstall the CPA

  1. Open the Apps tab for the printer where you want to uninstall the CPA.
  2. Uncheck the features you want to uninstall from the printer.

  3. Select Save.

Troubleshooting Help