Easy (and secure) Remote Printing
Andrew Ward
Digital Services Librarian
Troy Public Library
https://codeberg.org/Pribrariam/SandboxPrinting
Digital Services Librarian
Troy Public Library
https://codeberg.org/Pribrariam/SandboxPrinting
An old problem:
A patron walks in to the library and comes up to the service desk. They show their phone and say, "I need to print this."
What are our options?
An old problem:
What are our options?
We get them on a public computer.
An old problem:
What are our options?
We get them on a public computer.
- Do they have a library card?
- Will they be able to log in?
- Do they remember their email password?
- Can they pull up the document?
An old problem:
What are our options?
We say, "Email the reference account, reference@publiclibrary.org"
- We open the file, print it, and they're on their way.
What's the harm?
We've saved time, both on behalf of ourselves and the patron.
We've avoided potential frustration at library systems and infrastructure.
And library workers don't have to be drawn away troubleshooting technical problems.
What's the harm?
We've saved time, both on behalf of ourselves and the patron.
We've avoided potential frustration at library systems and infrastructure.
And library workers don't have to be drawn away troubleshooting technical problems.
But, of course, there are potential harms.
And we just exposed ourselves to a lot of them.
What's the harm?
But, of course, there are potential harms.
And we just exposed ourselves to a lot of them.
- We're opening who-knows-what on a staff machine.
- That machine is most likely mission-critical.
- It's also probably networked to other staff machines.
- The services that staff machine runs are exposed as well.
Windows Sandbox
A temporary lightweight desktop environment to safely run applications in isolation.
Assume breach
Building systems based on the assumption that a breach will happen.
Windows Sandbox
Overview
Part of Windows: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
Pristine: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
Disposable: Nothing persists on the device. Everything is discarded when the user closes the application.
Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
Efficient: Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
Windows Sandbox
Requirements
- 64-bit CPU with 2 cores (4 cores recommended)
- VT-x or AMD-V virtualization extensions
- 4 GB RAM (8 GB recommended)
- 1 GB disk space (SSD recommended)
- Windows 10 Professional/Enterprise/Education build 18305 or later or Windows 11
Windows Sandbox
Installation
- Settings → Apps → More Windows Features
- ☑ Windows Sandbox
Windows Sandbox
Configuration
Configuration is done through a .wsb file written in XML. The file is then also used to launch the sandbox either as a desktop shortcut or invoking it through the command line.
The parameters and their values are documented on the Microsoft Docs site.
Windows Sandbox
Configuration
Windows Sandbox
What about Microsoft Defender Application Guard?
An instance of Microsoft Edge running natively in a Hyper-V isolated container.
- Lightweight hardware isolation built on same technologies as Windows Sandbox.
- Runs as a single application, not a whole OS.
- Can be controlled through the Windows Security GUI.
Microsoft Defender Application Guard - Windows security | Microsoft Docs
Windows Sandbox
What about Microsoft Defender Application Guard?
MDAG is built for enterprise environments.
Microsoft envisions using it as part of a specific IT environment where a sysadmin defines trusted vs. untrusted sites.
- No simple way to launch it independently.
- Use in a mixed environment (trusted and untrusted) is more difficult.
- Container lifespan is tied to the user session.
Microsoft Defender Application Guard - Windows security | Microsoft Docs
Google Workspace
Gmail
We use a dedicated printing email through our Google Workspace account.
- Google's spam filters and automatic virus scanners.
- Scripting ability through Google Apps Script.
Google Workspace
Apps Script
A scripting platform based on Javascript that includes libraries for interacting with Google workspace applications.
Google Workspace
Apps Script
Two functions that run every night at 1am:
- autoDeletePrints()
- Finds all emails in the inbox, outbox, all mail, and spam
- Deletes them from the account
- autoDeleteDrive()
- Finds all files in Drive that aren't starred
- If the file is owned by the account, delete it.
- If the file is shared with the account, remove all permissions.
- If the file is publicly visible, do something so the account doesn't see it anymore.
Making it even easier
QR Code
The QR code is a mailto: link to our printing email, so when a patron scans the picture, their email client should open with the to: field already populated.
Making it even easier
Wordpress & Contact Form 7
Our website runs on Wordpress, so we use a free plugin called Contact Form 7 to allow patrons to submit their documents using a web form.
They fill out an ID, whether they want black & white or color, how many copies, and the file gets emailed right to the printing address with all the information populated in the subject line.
The process is more private because the document is not sent from the patron's email.
Back end (Form template)
Thank you!
Andrew Ward
warda@thetroylibrary.org
https://codeberg.org/Pribrariam/SandboxPrinting