Overview of the HP Workforce Experience Platform
The HP Workforce Experience Platform (WXP) is a cloud-based enterprise solution that helps IT teams reduce digital friction, enhance security, and proactively resolve device issues. It provides centralized visibility and management of an organization’s PC fleet, such as desktops, laptops, and other connected assets, through a secure, scalable platform.
WXP analyzes near real-time telemetry data from devices and applications to identify issues, monitor health, and recommend remediation. IT administrators can view device status, define policies, generate reports, and initiate remote actions to support operational and security needs.
This document outlines WXP’s security and privacy architecture, focusing on managed print devices. It explains how print data is collected, transmitted, stored, and protected. Other physical assets, such as PCs or peripheral devices, may have additional or differing security considerations that are not discussed here.
The intended audience includes IT administrators, service providers, and security reviewers assessing the platform’s data handling and security practices. It includes recommendations for securing the printer fleet inside a customer firewall as well as outside via the WXP portal.
HP WXP Architecture
WXP can onboard and connect eligible HP devices to the HP cloud in two ways:
Onboarding cloud-connected devices directly in the cloud.
Onboarding Web Jetadmin managed devices via one or more Print Fleet Proxies.

The connection from the printer to the cloud uses the following protocols for communication:
The printer periodically sends messages to the HP cloud to check whether any notifications are waiting for it. This traffic must be lightweight, so it uses the UDP and TCP protocols with authenticated confidentiality.
The printer uses HTTPS communication for bidirectional exchange of device information, meters, and supplies. HTTPS ensures data integrity and data confidentiality.
Role-based User Access Control
Roles in WXP are defined as sets of permissions. WXP defines several built-in roles; the ones listed below are some of those currently available that can be assigned to admins who manage aspects of the printer fleet.
Assigning more specific roles to users limits the exposure of data within the WXP portal. Users can only view data related to the scope of their assigned roles; all screens outside of that scope are hidden and not accessible.
IT Admin: Has full access to all features of the WXP portal, including inviting users to the platform, assigning roles, and all administrative and management tasks for PCs, printers, peripherals, and third-party configurations.
Printer Admin: Has the ability to perform all print administration tasks.
Report Admin: Has the ability to run reports.
HP Workforce Experience Platform
Currently, the Print Fleet Management service of WXP is hosted in Amazon Web Services (AWS) in the United States (AWS-OR), with other regions potentially being added in the future. IT administrators access WXP through a web browser, which provides interfaces for device enrollment, authentication, and communication.
In addition to the Core WXP platform security and privacy details around multi-tenancy, identity and session management, and authorization (as discussed in the WXP Core Security and Privacy Technical Document), WXP Print Fleet management also has the following printer-specific data and network security considerations.
Data at Rest
Data Collected
Data collection for printers is limited by the scope of the customer’s contract with HP. HP collects the telemetry required to support the services and solutions that it is contractually obliged to provide the customer with, and collects it under the lawful basis of the contract. In some cases, HP may, with the consent of the user, collect additional data for an explicitly stated purpose, such as the improvement of HP products and services.
Some of the data attributes collected by HP may include:
| Purpose of Data Collection | Data Collected | Description of Data Collected |
|---|---|---|
| Account management | Account data | Information related to customer purchases or sign-up for WXP services, support history with respect to incidents generated by WXP, and anything else relating to the WXP account to perform transaction services like account management. |
| Account setup, identity management, and entitlement validation | Contact data | Personal and/or business contact data, including first name, last name, mailing address, telephone number, email address, region, badge login, and other similar contact details used for WXP customer account setup and validation, and service entitlement. |
| Deliver proactive IT service maintenance and management, and customer-centric reports/dashboards | Device data | Basic device information, such as device name, model number, firmware version, region setting, language setting, account identifier, capabilities, and additional technical information that varies by model. Enterprise Manageability settings, as well as some Smart Device Service (SDS) telemetry, such as lifetime counters, supply data, and other print engine statistics. Settings for various feature categories that enable WXP to manage the functionality of the device and to assess and remediate setting values to ensure that each printer in the fleet is in compliance with the security and feature policies defined by the customer. Collected settings include Copier settings, Digital Sending settings, Fax settings, File System settings, Network settings, Security settings, Solutions settings, and Web Services settings, among others. |
Data Retention
HP’s data retention policy incorporates the following data retention best practices:
Maintaining data for shorter than necessary periods can violate contractual or legal requirements or affect security.
Maintaining data for longer than necessary periods can violate privacy regulations and is a priority concern for customers.
Once data is deleted, there is no obligation to provide it to the customer or law enforcement.
Since the WXP application’s analytics package is a singular shared package across many HP applications, the data in the U.S. Analytics data center may not be deleted permanently if a customer is inactivated from WXP because the same customer may be enrolled in other HP applications.
Note: Telemetry data transmitted to the U.S. Analytics data center is linked to device serial numbers and system-generated IDs. This data is encrypted at rest and handled in accordance with HP’s data protection and security standards.
Data Storage
Data storage for WXP is limited to the customer and device information of paying subscribers.
All databases in the U.S. regional datacenters that store personal data are encrypted.
All databases in the U.S. Identity management datacenters that store personal data are encrypted.
All databases and unstructured storage in the U.S. Analytics datacenter are encrypted.
Databases
WXP uses relational and non-relational databases to store onboarded user and printer information. Database storage is also encrypted on disk, and access is limited by isolating the database in a secure environment accessible only by the abstraction layer. WXP uses these databases to store information such as:
user profile data (first name, last name, locale, IDM identifier, and account identifier)
printer profile data (cloud identifier, model, name, email address, account identifier, and capabilities)
account information and account settings attributes (name, address, region, job accounting, and badge login)
Data in Transit -- Network communication
Cloud-connected printers
All communication between WXP and cloud-connected printers is secured in two ways:
Communication occurs using Transport Layer Security version 1.2 (TLS 1.2). TLS 1.2 uses 2048-bit level RSA encryption and certificate validation to establish a subsequent 256-bit secure channel.
TLS helps to secure data at several levels, providing server authentication, data encryption, and data integrity. Because TLS is implemented beneath the application layer, it is a passive security mechanism that does not rely on additional steps or procedures from the user.
Every payload is additionally wrapped in HP’s proprietary encryption layer.
Print Fleet Proxy Connected Printers
Communication between WXP and Web Jetadmin-managed printers is facilitated by the Print Fleet Proxy, which communicates with the entire fleet of printers over a Secure Web Socket connection.
Using Printer Policies to Configure and Enforce Printer Security
WXP supports the management of a wide range of printer policy settings designed to help administrators enforce the security of their printer fleets. These settings fall into two categories:
Certificates: Certificates help to ensure secure communication between the printer and other network resources. You can configure two types of certificates for use with your printers: a CA Certificate, which validates the identity of an entity; and an ID Certificate, which authenticates a claimed identity.
Secrets and Passwords: Every HP printer has several passwords, passphrases, or access codes that you can set to secure various features of the printer. These include the embedded web server (EWS) password, Printer Job Language (PJL) password, SNMP passphrases, LDAP Admin password for Sign in Setup, and others. HP strongly recommends securing each of these features with a password or disabling them if they are not required.
WXP lets IT administrators define or supply secrets and passwords within printer policies for certificates and settings that permit, limit, or block access to certain features or functionality on printers in their fleet. WXP uses these values to assess and remediate the compliance of printers across the fleet.
To achieve the level of security required in handling this sensitive data, HP has enhanced the architecture of the WXP Policy Engine, adding an extremely secure method of handling customer secrets and passwords, both in transit and at rest. Essentially, HP has added a level of encryption beyond TLS 1.2 (2048-bit RSA encryption and certificate validation) that is used to secure the communication channel.
With this multi-level encryption, WXP enables IT administrators to securely configure, assess, and remediate secrets and passwords on printers using printer policies, virtually eliminating the need for manually configuring these sensitive settings on a printer-by-printer basis.
Network Ports and Firewall Requirements
Firewall software can be configured to block both inbound and outbound internet traffic. HP printers ONLY require outbound communications with HP web services, also known as HP cloud connection. HP web services will never initiate communication with HP printers in a customer environment; therefore, there is no need to whitelist inbound HP URLs.
All HTTPS communication defaults to port 443. Port 631 will be used as a secondary option if 443 is not available.
Firewall Configuration: Cloud-connected printers
For cloud-connected printers, the following URLs must be configured in the firewall software for outbound (printer-initiated) internet communication:
HP Web Services URLs
https://*.avatar.ext.hp.com:443
http://*.avatar.ext.hp.com
udp://*.avatar.ext.hp.com:9930
wss://*.avatar.ext.hp.com:443 (web socket protocol)
https://*.id.hp.com:443
https://*.ipp.ext.hp.com:443
https://*.wpp.api.hp.com:443
https://*.api.hp.com:443
Device Onboarding URLs
https://*.api.ws-hp.com:443
Firmware Update URLs
http://h10141.www1.hp.com/pub/inkjet/updates
HP Cloud Sign In Once (SIO)
https://*.mymfpprogram.com:443
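The following is an added example, not HP code: it turns the URL lists above into egress rules and checks firewall flow records against them, including the outbound-only requirement and the 631 fallback. The flow-record tuple format and the hostnames under the wildcards are constructed for illustration, and applying the 631 fallback to every https entry is an assumption about how the port statement should be read.

```python
from fnmatch import fnmatchcase

# Outbound allowlist copied from the URL lists above.
ALLOWLIST = [
    "https://*.avatar.ext.hp.com:443", "http://*.avatar.ext.hp.com",
    "udp://*.avatar.ext.hp.com:9930", "wss://*.avatar.ext.hp.com:443",
    "https://*.id.hp.com:443", "https://*.ipp.ext.hp.com:443",
    "https://*.wpp.api.hp.com:443", "https://*.api.hp.com:443",
    "https://*.api.ws-hp.com:443", "https://*.mymfpprogram.com:443",
    "http://h10141.www1.hp.com/pub/inkjet/updates"]
DEFAULT_PORT = {"http": 80, "https": 443, "wss": 443}

def build_rules(entries):
    """Turn each URL into (transport, host_pattern, ports, scheme)."""
    rules = []
    for entry in entries:
        scheme, rest = entry.split("://", 1)
        host, _, port = rest.split("/", 1)[0].partition(":")
        ports = {int(port)} if port else {DEFAULT_PORT[scheme]}
        if scheme == "https":
            ports.add(631)  # assumption: fallback applies to every https entry
        rules.append(("udp" if scheme == "udp" else "tcp", host.lower(), ports, scheme))
    return rules

def verdict(flow, rules):
    """Classify one (direction, transport, host, port) flow record."""
    direction, transport, host, port = flow
    if direction != "outbound":
        return "block: inbound is never required"
    hits = [r for r in rules if r[0] == transport and port in r[2]
            and fnmatchcase(host.lower(), r[1])]
    if not hits:
        return "block: not on allowlist"
    if all(r[3] == "http" for r in hits):
        return "allow: cleartext HTTP"  # worth monitoring; not TLS-protected
    return "allow"

# Constructed flow records; hostnames under the wildcards are invented.
SAMPLE_FLOWS = [
    ("outbound", "tcp", "printer1.avatar.ext.hp.com", 443),
    ("outbound", "udp", "notify.avatar.ext.hp.com", 9930),
    ("outbound", "tcp", "x.ipp.ext.hp.com", 631),
    ("outbound", "tcp", "h10141.www1.hp.com", 80),
    ("outbound", "tcp", "avatar.ext.hp.com.example.net", 443),
    ("inbound", "tcp", "printer1.avatar.ext.hp.com", 443),
]
RULES = build_rules(ALLOWLIST)
for flow in SAMPLE_FLOWS:
    print(flow, "->", verdict(flow, RULES))
```

The wildcard match is anchored at the end of the hostname, so a lookalike such as avatar.ext.hp.com.example.net is rejected rather than allowed by a substring match.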
Firewall Configuration: Print Fleet Proxy Connected Printers
Printers connected via a Print Fleet Proxy require your firewall to allow outbound HTTPS requests over port 443 to the following endpoints:
WXP Print Fleet Management Privacy
Data Privacy
HP has a long-standing history of industry leadership in privacy and data protection. Together, with our robust portfolio of products and services, we support our customers' and partners' efforts in protecting personal data. With respect to WXP Personal Data processed in connection with WXP, HP acts as a Data Processor. Please refer to the Data Processor section on HP Privacy Central. As a global company, it is possible that any information you provide may be transferred to or accessed by HP entities worldwide in accordance with the HP Privacy Statement and based on the International Privacy Programs listed in the International Data Transfers section.
HP’s privacy practices and principles are set forth in the HP Privacy Statement. The Privacy Statement is updated periodically and covers the following topics:
Our Privacy Principles
International Data Transfers
How We Use Data
What Data We Collect
Children's Privacy
How We Retain and Keep Your Data Secure
How We Share Data
Non-discrimination and Loyalty Programs
HP Communications
Exercising Your Rights and Contacting Us
Changes to Our Privacy Statement
Contact Us
For any assistance, create a support case or email support@wxp.hp.com.