Arivia MFP Security Features

The Arivia platform addresses seven recognized security threats for office MFPs — covering data breach, data tampering, and unauthorized access. Each threat maps to a specific set of built-in countermeasures.

1. Unauthorized operations by other users — solved by user authentication and permissions
2. Eavesdropping and tampering of communication data — solved by encrypted communications
3. Unauthorized access to administration functions — solved by admin protections and account lockout
4. Software tampering and unauthorized rewriting — solved by secure boot and software integrity checks
5. Audit log tampering — solved by protected, immutable audit logs with SIEM integration
6. Breach of stored document data — solved by AES-256 encryption and secure erase
7. Data breach from careless mistakes — solved by fixed destinations, fax controls, and forced annotations

Authentication Features

Operations by unauthorized users are prevented with the built-in authentication system. The device identifies and manages individual users, accounts usage by user from job history, and supports multiple authentication methods.

Remote Server Authentication: By registering smart card information with Active Directory or the LDAP server, you can use user information managed by the server for user authentication when operating the device or printer.

Feature Access Permissions

Function Access Control restricts MFP functions at three levels — only the system administrator can configure these settings:

• Device Access Control: Controls panel operation — a login UI appears at startup
• Service Access Control: Controls individual services including Copy, Fax/Internet Fax, Scan to Folder, Scan to PC, Scan to Email, Folder Operation, Job Flow, Print by Media, External Access, and Print. Service icons can also be hidden.
• Per-User Access Control: Function access and print/copy quota control can be set per user. When volume exceeds the registered limit, the function is disabled.

Additional Authentication Features

• Password-Protected MFP Folders: Set passwords on folders where scanned/faxed documents are stored
• Automatic Logout: If the device is idle for a set period, it automatically logs out and returns to the initial state
• Secure Print: Holds print jobs in the device until you enter a password at the panel — prevents unauthorized access to printed documents

Encrypted Communication (SSL/TLS/IPSec)

All communication between the device and servers or client PCs can be encrypted. By default, only TLS 1.2 is enabled — TLS 1.3 can also be activated. Encrypted communication paths include:

• IPP Print Jobs: Encrypts Internet Printing Protocol communication to prevent eavesdropping on print data
• HTTP/HTTPS: Secure browser access to Internet Services on the MFP
• LDAP Server: Encrypts address book search and authentication communication
• SMTP Server: Encrypts email transmission to prevent eavesdropping
• POP Server: Encrypts email reception communication
• SFTP: Secure file transfer using the secure shell method
• SMBv3: Newly added communication encryption for secure file sending
• IPSec: Prevents tampering and eavesdropping at the IP packet level between devices
• IEEE 802.1X: Network device authentication that restricts which devices can connect to the network

Digital Certificate Validation

Certificate validation checks the certificate chain, revocation status, and validity period. Supports automatic certificate delivery via Windows Server NDES and SCEP (Simple Certificate Enrollment Protocol) for automated certificate updates.

Document Encryption

• Encrypted Scanned PDFs: Password-protect scanned documents with printing and editing restrictions
• Digital Signatures: Import certificates and private keys to detect data tampering by third parties
• Direct Print of Encrypted PDFs: Decrypt and print encrypted PDF files directly from USB memory
• S/MIME Email Encryption: Encrypt emails (including attachments) so only the intended user can open them
• S/MIME Email Signatures: Attach digital signatures to prove sender identity and detect tampering

Interface-Level Protection

• Fax Line: Only fax protocol communication is accepted — malware in fax data cannot affect MFP behavior
• Wireless LAN: Supports WPA3-SAE with KRACKs countermeasures. No routing between network interfaces
• USB Port: Data handled as PJL and image data only — non-conforming data causes a job error
• USB Memory: MFPs do not access files on USB memory during scan jobs; print jobs treat files as image data only. Malicious programs cannot auto-execute

• Default Password Warning: A warning message prompts the administrator to change the password when logging in with default credentials
• Account Lockout: After a predetermined number of consecutive login failures, login attempts are blocked until the device is restarted
• Customer Engineer Restrictions: Operations by customer engineers with special permissions can be restricted by the system administrator. A password is required to enter customer engineer mode.

Secure Software Updates

Digital signature verification prevents unauthorized firmware from being installed. If tampering is detected, the event is recorded in the audit log without starting the MFP. The software update function can also be disabled from the network as an additional security measure.

Secure Boot (Tampering Detection at Startup)

When booting, the MFP verifies the electronic signature of the controller software. If falsification is detected, it automatically recovers from the golden master (resilience). Uses Hardware Root of Trust with immutable hardware at the reliable starting point.

Runtime Integrity (White List Protection)

Monitors controller operation based on a White List to prevent suspicious applications from executing. Unexpected network access can be blocked using IP address restriction functions.

Comprehensive Audit Logging

Downloadable via Internet Services, the audit log records:

• Status Changes: Power on/off, start/end of user operations
• Login Status: User login, logout, administrator authentication lockout
• Job Status: Job completion events
• Setting Changes: Time settings, security settings, user information, folder access
• Data Changes: Certificate changes, Address Book changes
• Configuration Changes: Storage replacement, ROM version changes
• Communication Results: Communication errors

Audit Log Protection

• No interface exists to edit or delete audit logs
• Only administrators can access logs, and encrypted SSL/TLS communication is required to download them
• Audit log data is protected by storage encryption even if the drive is physically removed

SIEM Integration

MFP audit logs can be transferred externally using the Syslog protocol for collective management and analysis with SIEM (Security Information and Event Management) products — enabling early detection and analysis of security threats.

Additional Log Features

• Job Information Display Restrictions: Unauthenticated users cannot view job status; authenticated users see only their own jobs
• UUID Printing: Print a Universal Unique Identifier on every copy, print, or fax document to trace “when,” “by whom,” and “how” documents were handled

AES-256 Storage Encryption

All data written to the SSD is encrypted with AES-256. The cryptographic key is not stored in non-volatile memory — it is generated fresh every time the MFP boots. Even if the storage is physically removed, the data cannot be analyzed.

On supported models, the encryption key is further encrypted with a root encryption key inside the TPM (Trusted Platform Module) security chip. The root key is protected by TPM tamper resistance and cannot be read externally.

Batch Data Deletion (Secure Erase)

Administrators can delete all registered information and settings when disposing of or relocating the MFP. For SSD-equipped machines, data is erased via Secure Erase. When encrypted data is present, the encryption key is also deleted — making the encrypted data unreadable (Cryptographic Erase).

Global IP Address Warning

If a global IP address is assigned and no login is required, a warning message prompts the administrator to change the IP address or enable user authentication.

Scan to Fixed Destination

Automatically fixes the destination to the authenticated user’s own email address — preventing wrong email transmission. Documents can also be stored to a fixed folder on the user’s PC.

Fax Security Controls

Compliant with FASEC 1 guidelines for business fax security:

• Fax Number Re-entry: Requires entering the destination twice for verification
• Address Book Restriction: Prohibits sending faxes to numbers not in the address book
• Forced PC Fax Prohibition: Blocks fax transmission from PC
• Confirmation Window: Displays a confirmation screen before sending
• Broadcast Fax Controls: Delete or correct destinations for multi-recipient faxes
• Block Fax Reception: Reject junk faxes by number (up to 50) or block unknown senders

Print & Document Controls

• Print Prohibited Time Period: Disable printing during off-hours to prevent uncollected documents
• Annotations: Add stamps like “DO NOT COPY” to inform others of document significance
• Force Annotation: Automatically print user ID, date, and time on all copied, printed, or faxed documents
• Analog Watermark: Print control numbers or watermarks that appear when documents are copied — preventing unauthorized reproduction

• Arivia MFP Security Features Whitepaper (PDF)
• Full Line Brochure (PDF)
• Warranty Brochure (PDF)
• Drivers & Manuals (Katun Resources Portal)