Letting home workers have any printer - risks?

Linkex · 15 Mar 2012 at 13:29

Not sure where to put this, but it seems like this forum will have the right people to answer the question

My company has a strict hardware control policy in place - if its not on the approved list (Which is controlled by our parent company), you have to go through the rigmoral of trying to get an exception, which is a painful and long process, which usually end up with me dealing with JFDIs from senior management, so the process gets ignored anyway.

I have been tasked with trying to improve this process if I can, and I am wondering how much damage a user can do with a printer. One of the most common questions we get is "I went out and bought printer xyz on my company credit card, please can I install it"? As it stands the answer is "No - go and request an exception from parent companys slient standardisation team". I think this is one of those things thats done because its always been done and I'm wondering about creating a blanket approval for certain brands of printers.

So, my question is - if I allowed any user to have any major brand printer installed by desktop support (Drivers only, not additional software), what risks would this create?

Bry · 15 Mar 2012 at 17:31

wired only, no wifi or other form of wireless printing - including cloud printing.
Drivers only as you say no additional software.

To save money I would avoid printers with lcd screens and memory card slots.

Main reasons for no wifi/cloud printing is there was a case with HP web printers and they got hacked - queue anyone being able to print to the printers...

Deleted member 77746 · 15 Mar 2012 at 17:38

Allowing staff to buy printers or any other IT devices on the company card ! wow what a relaxed company I wish I had a company credit card! Just force them either this printer or nothing. Is the company going to fit the ink/toner bill aswell? .....

Risk? there is no risk involved.

sidethink · 15 Mar 2012 at 19:24

The issue is one of increased workload supporting these users with their random printers. Why not compromise and just put out a short list of printers you will support (and ones that can be bought easily) and restrict them to that.

kerrgreg · 15 Mar 2012 at 20:01

If you were to do this i would recommend a HP or similar range which uses a generic printer to improve compatibility.

Personally I wouldn't allow users to have printer's at home, more so if they have Vpn there is then access they are able print off company documents which could be used against the business if the employee went rouge. Depends on if this is a concern for you.

Deathwish · 15 Mar 2012 at 22:35

kerrgreg said:
If you were to do this i would recommend a HP or similar range which uses a generic printer to improve compatibility.

Personally I wouldn't allow users to have printer's at home, more so if they have Vpn there is then access they are able print off company documents which could be used against the business if the employee went rouge. Depends on if this is a concern for you.

We don't allow home workers to print due to this as well. Don't want to have employees printing confidential documents at home and leaving them lying around.

Yes, I know they can just print them at work and take them home, but lets not just give them another method of taking documents offsite.

Ev0 · 15 Mar 2012 at 23:27

mrbell1984 said:
Risk? there is no risk involved.

Risk is always there, just depends how much

Linkex · 16 Mar 2012 at 09:00

mrbell1984 said:
Allowing staff to buy printers or any other IT devices on the company card ! wow what a relaxed company I wish I had a company credit card! Just force them either this printer or nothing. Is the company going to fit the ink/toner bill aswell? .....

Risk? there is no risk involved.

We don't actually have company credit cards (Or at least very few). We do have a couple of approved IT suppliers that anyone can raise purchase orders against, and they stock printers other than our approved ones. Basically, if a user goes to order without checking with us, and supply chain don't catch it, then they can (and do) manage to get non-approved printers from time to time. Its rare, but it happens. I said company credit cards because it was simpler than explaining all that.

sidethink said:
The issue is one of increased workload supporting these users with their random printers. Why not compromise and just put out a short list of printers you will support (and ones that can be bought easily) and restrict them to that.

As mentioned in my first post, we do have a list of approved and supported printers. This is what to do when a user goes out and buys something that isn't on the list

kerrgreg said:
If you were to do this i would recommend a HP or similar range which uses a generic printer to improve compatibility.

Personally I wouldn't allow users to have printer's at home, more so if they have Vpn there is then access they are able print off company documents which could be used against the business if the employee went rouge. Depends on if this is a concern for you.

We are a large (8000+ employee) parented by a large multinational. Users with a valid requirement to print from home are allowed to do so, its not something I have control over, and frankly I wouldn't want the heat that would come down if I could and did stop it

Thanks for the recommendation, but as I mentioned, we have a catalogue of approved gear, this is about what to do when end users buy the wrong kit because they didn't check first. Bear in mind, I have to be pragmatic, I can't just say "No non-approved hardware". It would be nice, but in the real world it just gets escalated to senior managers who may not understand the implications, and then I get instructed to allow it anyway.

To clarify further, the situation is this - there is a process to allow these users to get use the printers installed, but it is an utter ballache for them, and adds workload onto various teams. My intention is to change the rules, to basically be:
"I bought this printer, can I use it"
"Yes, but other than installing the drivers for it, you will get no support. If you need a supported device, please go and procure one from the published list."

My question is - is there anything wrong with this approach? What risk am I putting the business at by allowing users to have any printers drivers installed?

Little_Crow · 16 Mar 2012 at 09:49

Linkex said:
My question is - is there anything wrong with this approach? What risk am I putting the business at by allowing users to have any printers drivers installed?

The most problematic scenario is a user buying a printer/fax/photocopier combo, and installing from the provided CD along with every single piece of free software provided on it.
I think Laserjets are mostly free from this, but inkjets certainly aren't.

Unless you have policys in place to prevent installation of software, which will then probably prompt a call asking why they can't "make their printer go now"?

Also, the drivers on the CD are rarely the latest - generally not a problem but I always prefer to grab the up to date files.

edscdk · 16 Mar 2012 at 09:57

Linkex said:
I have been tasked with trying to improve this process if I can, and I am wondering how much damage a user can do with a printer. One of the most common questions we get is "I went out and bought printer xyz on my company credit card, please can I install it"? As it stands the answer is "No - go and request an exception from parent companys slient standardisation team". I think this is one of those things thats done because its always been done and I'm wondering about creating a blanket approval for certain brands of printers.

So, my question is - if I allowed any user to have any major brand printer installed by desktop support (Drivers only, not additional software), what risks would this create?

you work for a big company?
you get a fairly steady flow of requests for printers?
the printers are small for single users / groups?

execute all the bean counters, buy 3 identical standard printers, every time a user wants a printer give them one of the "standard printers" and replace your stock.

(you have to execute all the bean counters because they will not understand why you are purchasing 3 printers when no one wants one).

My way is the right way but its not the corperate way we had 400 users and were not aloud to keep ANYTHING spare.. not a spare workstation, laptop or mouse it all had to be purchased when need meaning people were without laptops for weeks when they broke

anything I don't mind · 16 Mar 2012 at 11:54

With home users we have a strict policy on support. We don't support home users hardware that was not purchased through the corporation. We support remote access in to corporate offices of course. If home users purchase a laptop or other hardware through the corporation then we purchase it for them and set it up for them and will support it remotely, if that is within the contract. But it rarely is. Printers are so easy to set up these days that we generally just tell home users to buy what printer they want and set it up themselves, which usually involves putting in a cd and clicking next. It can become a total waste of time to get too involved with home hardware, so you think you are saving support time by mandating specific hardware, but in the end it actually back fires as you have to support it.

But often ill fix peoples home laptops as favor because it goes down well with clients and when you sort out someones personal laptop for them and then you mess up later on, you can get away with the small mistakes because you did that bit extra. But policy wise, we don't support home users laptops and printers, only remote access. But it doesn't stop them phoning up and asking for help with their printer. This is where I usually help them if its quick but if its going to take a while then it gets a low priority.

Sp00n · 16 Mar 2012 at 13:33

Terminal services drivers could possibly be an issue if indeed you use TS.

kerrgreg · 16 Mar 2012 at 16:17

If possible I would look to deploy as the OP suggests.

Failing that or if possible although it might not be, you should try and team up with the laptop deployment and preparation team and see if you can get them to stock a limited line of printers of which the drivers could be pre installed into your laptop image or sys-prep.

There fore avoiding most of your problems.

Deleted member 77746 · 16 Mar 2012 at 16:48

Ev0 said:
Risk is always there, just depends how much

Risks of what though, you buy a printer, you give it to them, it gets installed, they use it... then what?

Deleted member 77746 · 16 Mar 2012 at 16:53

Linkex said:
My question is - is there anything wrong with this approach? What risk am I putting the business at by allowing users to have any printers drivers installed?

Possibly, they will blame support of their laptop breaks... 'it was because you put the printer driver on' something along the lines of this.

So who purchases the toner then?....

ashrobbo · 17 Mar 2012 at 11:45

as edscdk said,

Carry stock of reccomended printers, users who require a printer come to you rather then ordering,

send printer = easy.

Essexraptor · 17 Mar 2012 at 12:54

I'll fess up straight away and say that I have NO knowledge of this corporate level stuff

.... but surely commonsense would say limit it the choice to say... 3 models of a single brand or provider which can be cleared in advance through your hardware approved listing. This in turn would streamline the driver issue and also limit the costing on the toner/replacement carts. side of things as well ?

As for buying a printer NOT on the approved list .... a straight " No .......sorry"

Stolly · 18 Mar 2012 at 13:48

ashrobbo said:
as edscdk said,

Carry stock of reccomended printers, users who require a printer come to you rather then ordering,

send printer = easy.

This.

Linkex · 19 Mar 2012 at 10:23

Damn it, I replied to this thread a couple of days ago, from my mobile, obviously didn't take.

I agree with everyone who is saying to stop the non-approved printers, but thats the problem, I can't. There are over 8000 employees in this business, all in departments with thier own budgets, ordering from various suppliers. This is not a case or just saying "Don't order anything we don't allow", because thats what we already do. The problem is that users are idiots and blindly order IT gear without thinking to check with anyone first. I am trying to solve the problem of what to do in this case - just saying "No - go order something correct" is not practical, as this means the business is out of pocket for a useless printer. As I mentioned in the first post, there is already a process, users can already get an exemption, its just a pain for them, and wastes the time of several teams.

In addition, I can't maintain a stock of the correct printers, as users don't come to IT for a printer, they purchase them out of thier departments budget.

Just to be clear on this, simply saying "No" is just not an option I have - these people WILL buy the wrong printers and they WILL be allowed to use them, I can't change that. The only thing I can do is simplify the process by saying - "Fine, you can use whatever printer, but its drivers only, and you have to wait until desktop support can install them and no support beyond driver installs". Hence, I need to know what risk I put the business at by doing this.

bigredshark · 19 Mar 2012 at 13:13

Linkex said:
Damn it, I replied to this thread a couple of days ago, from my mobile, obviously didn't take.

I agree with everyone who is saying to stop the non-approved printers, but thats the problem, I can't. There are over 8000 employees in this business, all in departments with thier own budgets, ordering from various suppliers. This is not a case or just saying "Don't order anything we don't allow", because thats what we already do. The problem is that users are idiots and blindly order IT gear without thinking to check with anyone first. I am trying to solve the problem of what to do in this case - just saying "No - go order something correct" is not practical, as this means the business is out of pocket for a useless printer. As I mentioned in the first post, there is already a process, users can already get an exemption, its just a pain for them, and wastes the time of several teams.

In addition, I can't maintain a stock of the correct printers, as users don't come to IT for a printer, they purchase them out of thier departments budget.

Just to be clear on this, simply saying "No" is just not an option I have - these people WILL buy the wrong printers and they WILL be allowed to use them, I can't change that. The only thing I can do is simplify the process by saying - "Fine, you can use whatever printer, but its drivers only, and you have to wait until desktop support can install them and no support beyond driver installs". Hence, I need to know what risk I put the business at by doing this.

Well if you feel that's where you are then that's where you are. You're buying a heap of support overhead though.

Just saying no and when they ignore you making their lives as hard as humanly possible tends to correct the behaviour with time if your management don't have the required ability (and this is a management problem - standardising hardware is about as simple and obviously beneficial an idea as exists, if they cannot explain this to the relevant people and have it implemented as policy they're rubbish at their jobs).

So basically, either say no and make it stick or make their lives sufficiently hard that it's easier to give up and do as they're told (That is - 'oh, you bought a non standard printer, the drivers aren't in our standard build so it will be a while before we can security test them and send somebody to roll them out' or 'we're rolling out remote printing from terminal services etc but I'm afraid we can only support approved printers'). Give people a reason to use approved hardware and make it easy for them to do so and they generally will.

When it comes to actual security risk, well not much but some exists with anything. Less permutations of hardware/software will always be statistically more secure than more....