Set up Control+ device management

Before you can manage devices, you’ll need to check your SI-agent is working. The SI-agent is responsible for collecting device information. The SI-agent starts when you’ve [registered a device to your tenant](LINK to device registration section).

SI-agent forwards information every 5 minutes back to RSI-cloud and is a SOP native application which retrieves the device information via Smart SDK API and Android SDK (SOP OS) API.

You cannot disable SI-Agent functionality from a connected device but when the device is disconnected, no more device information is collected or sent to RSI-cloud.

Access web user interface (web UI)

Before accessing device management, you’ll need to have:

Set up an SI-agent to enable collecting device information as outlined previously
A contract for RSI-Cloud

To access web UI for device management, you can do one of the following:

Access the device management URL.
Select the device-management icon on the Common Settings Site (you’ll need to enable Admin mode to see this)

View system information, error status and recent activities

Once you’ve accessed the web UI, you can select Device Management Top on the left hand navigation to view system information, error status and recent activities.

The dates will be listed in descending order. Dates within 1 year will display in the list.

Any planned system maintenance will also show here.

Access device overview and error alerts

Once you’ve accessed the web UI, you’ll see the Device Monitoring box underneath the Information box.

Here, you’ll be able to see an overview of the devices in the tenant (management unit).

Managed devices shows the number of registered devices in the tenant.
- Supported devices are multi-function printers (MFP), line printers (LP) and interactive whiteboards (IWB).
Error/alert devices shows the number of errors/alerts reported from MFP and LP devices.
- If there are no registered devices or only IWB are registered, a hyphen (“-”) will be displayed. When you click on the number, the devices with error or alert status will display. You can see more information on error or alert causes below.

View and edit device information

You may need to confirm device information. To do this:

Go to Device List on the left hand navigation.
Here you can search for devices – both multifunction printers and interactive whiteboards will be listed on this page.

Display Name is the model name + IP address, for example ‘MP C407(192.158.1.38)’. No character is prohibited. The IP address will be the one linked to Web Image Monitor.

Note:

Status will only display MFP, not IWB.
Firmware Version will display IWB controller information (no information is displayed for MFP)
Register Date format will change depending on your browser’s language setting:
- English (UK): DD/MM/YYYY HH:MM
- English (Others): MM/DD/YYYY HH:MM
- Other languages: DD/MM/YYYY HH:MM
- Japanese, Simplified Chinese: YYYY/MM/DD HH:MM
Edit Column on the right hand side of the screen will allow you to modify the columns visible.

You can also create a Custom field for any kind of labels or set any values you want. The character limit is 128 characters maximum. The custom property affects the set tenant. For example, even if multiple tenants are owned by one customer, the custom property cannot be shared.

Edit device information

You can edit some fields. To edit:

Go to Device List on the left hand navigation.
Double-click on the field you want to edit.
If it’s editable, a text field will open up and you can edit.
To save, select the tick icon.

Delete a device

Check you’re on the Device List tab on the left hand navigation.
Check the box(es) of the device(s) you want to delete.
Go to the icon to the right of the Search bar, labelled Delete Device (note, if you have not selected any boxes, this icon will remain greyed out).
When prompted, select Yes.

Group devices

You may want to group devices.

There are two layers to grouping:

A parent group (for distinguishing between the groups, we call the parent group “Category”)
Child groups

A device cannot belong to multiple groups within the same category.

If you move a device to another group, the information about the group to which the device originally belonged is automatically deleted.

One group (device-type) will automatically generate using the device properties. When you expand this device-type category, it will include these groups:

MFP/LP
Interactive White Board (IWB)

Create device groups

Before you can create groups, you’ll need to create a manual category. You can create one manual category.

Check you’re on the Device List tab on the left hand navigation.
Select Group Operation on the left hand navigation.
Select Add Manual Group.
Double-click the category name to edit the name of the manual category (maximum 128 characters).

Now you’ve created a category and also loaded the automatically-generated category device-type, you can create groups to add to these categories.

Check you’re on the Device List tab on the left hand navigation.
Navigate to the category you want to create a group for.
Select the ‘+’ button to add groups.

Delete categories and groups

To delete the category or groups, select one or more check boxes near the items
Press the delete (bin) icon.
A confirmation pop-up will show. Select OK.
If you select the parent group to delete, all the groups belonging to the parent group will be automatically selected too.

Set up an authentication server

You may want to configure an on-premise active directory (AD) or LDAP authentication server. This will allow SI-Auth to authenticate with the AD/LDAP server and register your users’ information to device address book.

The configuration of the authentication server is applied automatically to all registered multifunction printers.

This feature is only available with a reporting licence.

Enable AD/LDAP authentication

Log into the RSI portal.
Select Device Management.
Select Options from the left-hand navigation.
In the AD/LDAP Authentication Settings option, select Enable.
1. Once you have enabled AD/LDAP authentication, AD/LDAP Authentication Settings will be visible in the left-hand navigation menu.
Select AD/LDAP Authentication Settings from the left-hand navigation menu.
Select Change.
Choose whether you want an Active Directory (AD) or LDAP server as the authentication server.
Select Save.
Select Registration of Authentication Server Information.
1. The Authentication Server Registration wizard will appear.
2. Contents of the wizard will change depending on the type of authentication server selected.
Complete the registration details of the authentication server.
1. There’s further [guidance on completing registration details for AD (active directory)](LINK to below section).
2. There’s further [guidance on completing registration details for LDAP server](LINK to below section).
Select Next.
Finish inputting all required information on the wizard.
Select Save.
After completing registration of the AD or LDAP authentication server, you can view the registered server information in AD/LDAP Authentication Settings.

Complete the registration wizard for AD (active directory)

Only complete this section if you chose to register the authentication server using AD.

Item Name	Required	Description
Domain Name	Required	Enter domain name, for example http://mycompany.com. Must be 1 to 255 characters. Values must not contain spaces at the beginning or end of the domain name.
Domain Controller Name	Required	Enter domain controller name, for example http://mycompany.com. Must be 1 to 255 characters. You can use letters, numbers, hyphens and underscores.
Communication Protocol	Required	Choose a communication protocol from LDAP or LDAPS. The default is LDAP. If you choose LDAPS you’ll need to import a certificate store in the following step.
Port Number	Required	Enter the port number. Default if using LDAP: 389 Default if using LDAPS: 636 You can enter a port number between 1 and 65535. Make sure to not include spaces at the beginning or end of the port number.
Search Start Position	Required	Enter search base domain name (DN) which is the starting point in your LDAP tree after binding. (E.g. `ou=member,dc=mycompany,dc=com`) Must be 1 to 512 characters You need to escape the following characters by adding a backslash (\) before you input one of these characters: \, "",=, +,<,>,#,; Some LDAP clients show the already-escaped string. In this case, enter the string just displayed.

Proxy User Name	Required	Enter a proxy user name. The system needs to connect to the AD by using an administrative user ID and password, otherwise known as a ‘bind user’. The system will use this when logging in to the device without a password. The user must at least have permission to query. This must be 1 to 128 characters. Make sure to not include spaces at the beginning or end. When including the following characters, enter the user name in sAMAccountName. /, \, [, ], ;, :, +, *, ?, <, >, @, """
Proxy User Password	Required	Enter a proxy user password for a bind user to connect to the authentication server. Must be 1 to 128 characters. This is required during registration. When editing, the registered password is saved even if the value is empty.
Folder Access User Name	Not required	Enter a user name used for the Scan to My Folder function. When Folder Access User Password is entered, the value is required. The user must at least have permission to write to the folder. From 1 to 64 characters. (The spec is based on the one for device address book.) Make sure to not include spaces at the beginning or end.
Folder Access User Password	Not required	Enter password for a folder access user. The value must be entered when Folder Access User Name is entered. When editing, the registered password is saved even if the value is empty. Must be 1 to 64 characters.

Select Next.
Select the Authentication Method.
1. Simple Authentication (default): authenticate by LDAP bind.
2. Kerberos Authentication: obtain ticket using Kerberos Authentication and LDAP bind
Select Next and go to next page.
If you selected LDAPS for the Communication Protocol, you’ll need to upload a certificate store used for SSL/TLS communication between a device and the authentication server.
1. File format : BKS
2. File size : up to 100kbyte
Select Next and go to next page.
Select Back and go back to the previous page.
Select Cancel and close the wizard.

Set attribute names (Attribute Name Setting) for AD

Item Name	Required	Description
Login User Name	Required	By default, the Login User Name is sAMAccountName. This is not editable.
Card ID	Required	Enter the attribute name for Card ID. By default this will be sAMAccountName. This must be between 1 to 128 characters. You can use letters, numbers, hyphens and underscores. Make sure to not include spaces at the beginning or end.
Email Address	Not required	Enter the attribute name for the email address. By default this will be mail. This must be between 1 to 128 characters. Make sure to not include spaces at the beginning or end.
Fax Destination	Not required	Enter the attribute name for the Fax recipient. By default this will be facsimileTelephoneNumber. This must be between 1 to 128 characters. Make sure to not include spaces at the beginning or end.
Key Display Name	Not required	Enter the attribute name for the key display name. By default this will be displayName. This must be between 1 to 128 characters. Make sure to not include spaces at the beginning or end.

Item Name	Required	Description
Name	Not required	Enter the attribute name for Card ID. By default this is name. This must be between 1 to 128 characters. Make sure to not include spaces at the beginning or end.
Folder Path	Not required	Enter the attribute name for folder path. By default, this is empty. This must be between 1 to 128 characters. Make sure to not include spaces at the beginning or end. For example: homeDirectory. If homeDirectory is chosen, you’ll need to specify Connect drive.
Permissions	Not required	Enter the attribute name for permission. By default this is empty. If left empty, full permissions are granted. There’s further [guidance on how to permissions](LINK). This must be between 1 to 128 characters. Make sure to not include spaces at the beginning or end.

Fill in the required fields and select Next.
Select Back to go back to:
1. 2nd page if you chose LDAP as Communication Protocol
2. 3rd page if you chose LDAPS as Communication Protocol
Select Cancel and close the wizard.

Configure Sender Email Address to use Scan to E-mail for AD

For your users to be able to use Scan to E-mail, you’ll need to configure Sender Email Address.

Enter in the Sender Email Address details in the registration wizard.

Item Name

Required

Description

Sender Email Address

Not required

Enter the email address to use for the Scan to E-mail function when the login user’s mail address is not set.

This must be between 1 to 128 characters.

You can use letters, numbers and any combination of .!#$%&'*+/=?^_`{|}~- @

Select Next and finish the registration of the authentication server.
Select Back to go back to the previous page.
Select Cancel and close the wizard.

Complete the registration wizard for LDAP/LDAPS server

Only complete this section if you chose to register the authentication server using LDAP or LDAPS.

Item Name	Required	Description
Server Name	Required	Enter an authentication server name. By default, this is left empty. You can use letters, numbers, hyphens and underscores. Must be 1 to 255 characters. Values must not contain spaces at the beginning or end of the domain name. For example: 192.168.1.100
Communication Protocol	Required	Choose a communication protocol from LDAP or LDAPS. The default is LDAP. If you choose LDAPS you must import a certificate store in the following step.
Port Number	Required	Enter port number. The default is: 389 for LDAP 636 for LDAPS The value must be between 1 and 65535. Values must not contain spaces at the beginning or end of the domain name.
Search Start Position	Required	Enter search base DN which is the starting point in your LDAP tree after binding. (E.g. `ou=member,dc=mycompany,dc=com`) Must be 1 to 512 characters You need to escape the following characters by adding a backslash (\) before you input one of these characters: \, "",=, +,<,>,#,; Some LDAP clients show the already-escaped string. In this case, enter the string just displayed.
Search Query	Required	Enter a search query. For example (`&(objectClass=organizationalPerson)(cn=^`) By default, this is left empty. This must be between 1 to 256 characters. Values must not contain spaces at the beginning or end of the domain name.

Proxy User Name	Required	Enter a proxy user name. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name. You need to escape the following characters by adding a backslash (\) before you input one of these characters: \, "",=, +,<,>,#,; Some LDAP clients show the already-escaped string. In this case, enter the string displayed.
Proxy User Password	Required	Enter a proxy user password Must be between 1 to 128 characters. This is required during registration. When editing, the registered password is automatically saved even if the value is empty.
Folder Access User Name	Required if you've set Folder Access User Password	Enter a user name used to Scan to My Folder function. If you’ve entered a password for Folder Access User Password, this value is required. The user must at least have permission to write to the folder. From 1 to 64 characters. Values must not contain spaces at the beginning or end of the domain name.
Folder Access User Password	Required if you've set Folder Access User Name	Enter password for a folder access user. If you’ve entered a name for Folder Access User Name, this value is required. When editing, the registered password is saved even if the value is empty. From 1 to 64 characters.

Select Next.
If you selected LDAPS as Communication Protocol, you’ll need to fill in details for the Certificate Store (if you selected LDAP you this step will be automatically skipped).

Item Name

Required

Description

Certificate Store

Required if you chose LDAPS as the Communication Protocol

Upload a certificate store to use for SSL/TLS communication between a device and the authentication server.

File format : BKS
File size : up to 100kbyte

Upload the certificate store and Select Next.
Select Back to go back to the previous page.
Select Cancel and close the wizard.

Set attribute names (Attribute Name Setting) for LDAP/LDAPS

Item Name	Required	Description
Login User Name	Required	The attribute name for login user name is specified. By default, this is cn. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name.
Card ID	Required	Enter the attribute name for Card ID. By default this is description. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name. You can use letters, numbers, hyphens and underscores.
Email Address	Not required	Enter the attribute name for the email address. By default this is mail. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name.
Fax Destination	Not required	Enter the attribute name for the Fax recipient. By default this is facsimileTelephoneNumber. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name.
Key Display Name	Not required	Enter the attribute name for the key display name. By default this is displayName. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name.

Item Name	Required	Description
Name	Not required	Enter the attribute name for Card ID. By default, this is name. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name.
Folder Path	Not required	Enter the attribute name for folder path. By default this is empty. This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name. For example homeDirectory.
Permissions	Not required	Enter the attribute name for permission. By default this is empty. If left empty, full permissions are granted. There’s further [guidance on how to set permissions](LINK). This must be between 1 to 128 characters. Values must not contain spaces at the beginning or end of the domain name.

Fill in the required fields and select Next.
Select Back to go back to:

2nd page if you chose LDAP as Communication Protocol
3rd page if you chose LDAPS as Communication Protocol

Select

Cancel and close the wizard.

Configure Sender Email Address to use Scan to E-mail for LDAP

For your users to be able to use Scan to E-mail, you’ll need to configure Sender Email Address.

Enter in the Sender Email Address details in the registration wizard.

Item Name

Required

Description

Sender Email Address

Not required

Enter the email address to use for the Scan to E-mail function when the login user’s mail address is not set.

This must be between 1 to 128 characters.

You can use letters, numbers and any combination of .!#$%&'*+/=?^_`{|}~- @

Select Next and finish the registration of the authentication server.
Select Back to go back to the previous page.
Select Cancel and close the wizard.

Set permissions

When using AD and LDAP, the value in the Permissions attribute will decide the function usage restriction.

This function usage restriction is a five-digit number.

Digit placement	Function	Corresponding number
1	Copier	1: No permission 2: Black & White 3: Single Color / Black & White 4: Two Color / Single Color / Black & White 5: Color (auto select) / Two Color / Single Color / Black & White 6: Full Color / Color (auto select) / Two Color / Single Color / Black & White
2	Printer	1: No permission 2: Black & White 3: Color / Black & White
3	Document Server	1: No permission 2: All permission
4	Fax	1: No permission 2: All permission
5	Scan	1: No permission 2: All permission

For example 1: In the authentication server, 53212 is set in the Permissions attribute.

The user is allowed to use the following functions:

Copier: Color (auto select) / Two Color / Single Color / Black & White
Printer: Color / Black & White
Document Server: All permission
Fax: No permission
Scan: All permission

For example 2: In the authentication server, 63222 is set in the Permissions attribute. If the Permissions attribute is left empty, full permission is granted.

The user is allowed to use the following functions:

Copier : Full Color / Color (auto select) / Two Color / Single Color / Black & White
Printer : Color / Black & White
Document Server : All permission
Fax : All permission
Scan : All permission

Edit or switch AD/LDAP authentication

After completing registration of the AD or LDAP authentication server, you can view the registered server information in AD/LDAP Authentication Settings (visible in the left-hand navigation menu).

To edit:

Go to AD/LDAP Authentication Settings from the left hand navigation menu.
Select Edit in the right hand column of the table.
The registration wizard will appear again and you can edit the registered authentication server information.

To switch:

Go to AD/LDAP Authentication Settings from the left hand navigation menu.
Go to the sentence Set an AD/LDAP server as the authentication server of user information and select Change.