
Approved devices and IP restrictions, explained



SimplyPrint can restrict who is allowed to load a page, start a print, control a printer or watch a camera, based on two things: the network a person is on, and whether the computer they are using has been approved. This article is the deep-dive reference for those two building blocks - what they really are, how SimplyPrint checks them, and where each one works well or falls down. It is the technical companion to the step-by-step setup guides, so if you just want to switch the feature on, start with one of the workflow articles linked at the bottom and come back here when you want to understand exactly what is happening.


Access restrictions are part of the Print Farm (Hub only), School and Enterprise plans. This article explains the mechanics; the setup guides cover which surface to use on your plan.


On this page

  • The two building blocks
  • IP restrictions and ranges
  • What an IP address actually is
  • Public IP versus local IP
  • Finding your current IP
  • IPv4, IPv6 and dual-stack
  • CIDR ranges
  • The VPN caveat
  • What this means on a campus or large network
  • Approved devices
  • What "approved" is tied to
  • What breaks an approval
  • Why approval is bound to the browser and operating system
  • How the two combine
  • Block levels, in brief
  • Exemptions and why you cannot lock yourself out
  • Related articles


The two building blocks

Every access restriction in SimplyPrint is built from at most two requirements:


  • An IP allow-list - a list of networks that are allowed. A person qualifies if the address their connection appears to come from is on the list.
  • An approved-device requirement - a per-browser "this is a trusted machine" marker. A person qualifies if they are using a browser that has been approved.


You can use either one on its own, or both together. When you use both, you decide whether passing one is enough or whether a person must pass both. The same two blocks power the Hub and the full panel, so once you understand them here you understand them everywhere. The rest of this article takes each block apart in turn.


IP restrictions and ranges

An IP allow-list is the network-based half of access restrictions. You give SimplyPrint one or more addresses, and only connections coming from those addresses qualify. It is the right tool when you want to tie access to a place - a building, a lab, a printer room - rather than to specific computers, because it covers every device on that network at once without you touching each one.


To make good use of it, you need to understand what an IP address is, which IP SimplyPrint actually checks, and why "the network you are on" is not always as specific as you would like.


What an IP address actually is

An IP address is the number that identifies a device on a network, the way a postal address identifies a building. When your computer talks to SimplyPrint, every message it sends carries an address so the reply knows where to come back to. SimplyPrint reads that address on each request and compares it against your allow-list.


The complication - and the source of almost every "but it did not work" question - is that a device usually has more than one IP address, and they are not the same kind of thing.


Public IP versus local IP

Most networks have an inside and an outside, and each side has its own address.


  • A local (private) IP is the address a device uses inside its own network. A Raspberry Pi running your printer might be 192.168.1.50 on the office network. Your laptop might be 192.168.1.51. These numbers only mean anything inside that network, and many networks reuse the same private ranges (192.168.x.x, 10.x.x.x), so they are not unique to you.
  • A public IP is the single address your whole network shows to the outside world. When anything on your network reaches out to the internet, the router rewrites the message so it appears to come from this one public address. The reply comes back to the router, which passes it to the right device inside.


The key consequence: SimplyPrint sees your public IP, not your local one. It has no view of the private 192.168.x.x address of the machine in front of you - it only sees the address your network presents to the internet. And because everyone on the same network shares that one public address, two people on the same office or school Wi-Fi look identical to SimplyPrint. They come from the same place as far as the allow-list is concerned.


This is exactly what makes IP restrictions useful: if your printer room or building has its own public IP, you allow that one address and only people physically on that network qualify. It is also why you should never enter a printer's local IP (like 192.168.1.50) into the allow-list - SimplyPrint will never see that address, so it would match nobody.


Finding your current IP

You do not have to go hunting for your public IP. When you open the access-restriction settings, SimplyPrint detects the address your connection is coming from and shows it to you: "It looks like your current IP is ...", with an "Add it to the list" button next to it. One click adds the network you are sitting on right now. The settings screen also tells you live whether your current IP matches what is in the list, so you can see at a glance whether the address you typed is the one you are actually on.


If you want to check an address from a device that is not in the settings - for example to compare the printer room against somewhere off-site - open a "what is my IP" website (such as whatismyipaddress.com) on each device and compare the numbers. If they differ, the two locations have different public IPs and IP restrictions can tell them apart. If they are the same, IP restrictions cannot separate those two places.


IPv4, IPv6 and dual-stack

There are two formats of IP address in use today, and SimplyPrint accepts both.


  • IPv4 is the older, familiar four-number format, like 203.0.113.42.
  • IPv6 is the newer, longer format written with colons and hexadecimal, like 2001:db8:85a3::8a2e:370:7334. It exists because the world ran out of IPv4 addresses.


Many modern networks are dual-stack, meaning the same connection can present an IPv4 address one moment and an IPv6 address the next, depending on how it reaches a given website. This matters for allow-lists: if your network is dual-stack and you only add your IPv4 address, a person whose browser happens to connect over IPv6 will not match, and the other way around. On a dual-stack network, add both your IPv4 and IPv6 ranges so you are covered either way. If you are unsure whether your network is dual-stack, your IT team will know, or the "what is my IP" check above will often show both an IPv4 and an IPv6 address when it is.


CIDR ranges

You do not have to list every address one by one. SimplyPrint accepts CIDR ranges, a compact way to write a whole block of addresses at once. A CIDR range is an address followed by a slash and a number, like 10.0.0.0/24. The number after the slash says how many addresses the block covers - the smaller the number, the bigger the block.


  • 10.0.0.0/24 covers 256 addresses, from 10.0.0.0 to 10.0.0.255 - a typical single office subnet.
  • 10.0.0.0/16 covers 65,536 addresses - a whole large site.
  • A single address with no slash (like 203.0.113.42) means just that one address.


You enter addresses and ranges comma-separated, mixing IPv4, IPv6 and CIDR freely, for example: 203.0.113.42, 10.0.0.0/24, 2001:db8::/32. Use a range when your network hands out public addresses from a block rather than a single fixed one - your IT team can tell you the exact block to enter.
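A way to sanity-check an allow-list before saving it, as an added example that is not SimplyPrint's own code: it parses the comma-separated format described above, matches a connection's address against it, and flags the two mistakes this article warns about (a local address in the list, and a list that covers only one IP version). The function names and the sample list are constructed for illustration, and rejecting ranges with host bits set is this example's choice.

```python
import ipaddress

# RFC 1918 private IPv4 blocks: used inside a network, never seen by a remote service.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_allow_list(text):
    """Parse a comma-separated mix of IPv4, IPv6 and CIDR entries into networks."""
    nets = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # strict=True raises ValueError for ranges with host bits set, e.g. 10.0.0.5/24
        nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def matches(client_ip, nets):
    """True if the address the connection arrives from falls inside any entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in nets)


def lint(nets):
    """Return warnings for entries that cannot behave the way the admin expects."""
    warnings = []
    for n in nets:
        if n.version == 4 and any(n.subnet_of(p) for p in RFC1918):
            warnings.append(f"{n}: local (private) range, a remote service never sees it")
    versions = {n.version for n in nets}
    if versions == {4}:
        warnings.append("IPv4 only: IPv6 connections from a dual-stack network will not match")
    elif versions == {6}:
        warnings.append("IPv6 only: IPv4 connections from a dual-stack network will not match")
    return warnings


# Constructed sample list; 192.168.1.50 is the article's example of a local printer address.
SAMPLE = "203.0.113.42, 198.51.100.0/24, 192.168.1.50"

if __name__ == "__main__":
    nets = parse_allow_list(SAMPLE)
    print(matches("198.51.100.200", nets), matches("2001:db8::1", nets))
    print("\n".join(lint(nets)))
```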


The VPN caveat

A VPN (virtual private network) changes the address a device appears to come from. Instead of presenting your network's public IP, traffic goes out through the VPN provider's servers and arrives at SimplyPrint carrying their address. So a person connected to a VPN will not match your allow-list, even if they are physically sitting in your lab. The reverse is also true: someone at home on a corporate VPN that exits through the office could match the office IP from miles away. If your users run VPNs, IP restrictions become unreliable for them, and the approved-device requirement is usually the better fit.


What this means on a campus or large network

On a small, single-site network, IP restrictions are wonderfully precise. On a large organization they depend entirely on how the network is laid out, and you need to know which case you are in before you rely on them.


  • Some campuses route the entire site - labs, offices, dorms, every building - through one shared public IP. Allowing that IP then allows everyone, including a student in their dorm. The lock no longer means "in the lab", it means "anywhere on campus, including off-site housing".
  • Others give different segments their own public IP, or can put printers and the people who use them on a dedicated network (sometimes called a VLAN, or an IoT/"3D printing" network) with its own address. In that case allowing one IP genuinely isolates one area.


There is no way to tell which from inside SimplyPrint - it only ever sees the public IP that arrives. The answer lives with your IT team. Ask them what public IP your printer area appears to come from, whether that IP is shared with the rest of the site, whether it is fixed or can change over time, and whether the printer area can be given its own network segment. Their answer decides whether IP restrictions will do what you want, or whether you should lean on approved devices instead.


Approved devices

The approved-device requirement is the device-based half of access restrictions. Instead of trusting a network, you trust specific computers. You open SimplyPrint on a computer you want to trust, click "Approve this device", and from then on that browser qualifies. It is the right tool when access should be tied to one or two fixed machines - the PC next to the printers, an operator station - rather than to a whole network.


The important thing to understand is precisely what "this device" means, because it is narrower than it sounds.


What "approved" is tied to

When you approve a device, SimplyPrint stores the approval in the browser you are using, not on the physical machine. Approval is remembered in that one browser, on that one device. A separate browser, or a separate operating-system login on the same hardware, is a different "device" as far as the approval is concerned, because each one keeps its own private browser storage that the others cannot see.


This is not a SimplyPrint quirk - it is how web browsers work. A website is only ever allowed to see its own data inside the browser making the request, and it has no reliable way to know that two different browsers, or two different OS logins, are running on the same box. So "approve this device" really means "approve this browser session", and that distinction drives everything below.


What breaks an approval

Because the approval lives in one browser's storage, anything that wipes or bypasses that storage loses it. An approved browser stops being approved when:


  • Its cookies or site data are cleared.
  • It is used in a private or incognito window (that storage is discarded when the window closes).
  • A different browser is opened on the same computer (approved in Chrome, but someone opens Edge).
  • A different operating-system or single-sign-on account logs into the same machine - each login has its own separate browser storage.


The case that trips people up most is the shared lab computer where every student signs into their own Windows or SSO account. The machine was approved under one login, but each student gets a fresh, separate browser profile with no approval marker, so the computer reads as "not approved" for all of them. Their browser data is deliberately kept apart from one another, which is good for privacy but means there is no shared "this machine is approved" state across logins.


The setup that holds up is one shared, always-signed-in browser session on the kiosk computer: a single generic login (for example a "3D print station" account), signed into SimplyPrint once, approved once, and left signed in. As long as everyone uses that same session, the approval sticks. If you cannot keep one shared login, use an IP allow-list instead, because that is tied to the network and survives any browser or login change.


Why approval is bound to the browser and operating system

For security, an approval is also bound to the browser and operating system it was made on. SimplyPrint records a fingerprint of the browser and OS family when you approve, and checks that the marker is being presented from the same kind of browser and OS later. If the same marker somehow turned up from a different browser or a different operating system, it would be rejected rather than trusted.


In practice this means an approval cannot be lifted off one machine and reused on another, and it is another reason switching browsers loses the approval - the new browser is not the one the marker was bound to. If you move to a different browser or operating system, you simply re-approve there; it takes one click. Approvals made before this binding was introduced keep working as they did, so nothing you already approved suddenly stops.


How the two combine

When a restriction has both an IP allow-list and an approved-device requirement, you choose how they are combined:


  • Allowed IP or approved device - either one is enough. A person on your network qualifies, and so does a person on an approved device, even if they are not on your network. This is the more forgiving option and the default. It is handy when, say, an approved printer-room PC should always work and anyone on the building Wi-Fi should also work.
  • Allowed IP and approved device - both are required. A person must be on your network and on an approved device. This is the strictest option, and it carries the highest chance of an accidental lockout (for instance if an approved machine's public IP changes), so reserve it for the cases that genuinely need both.


When only one of the two is configured, that single requirement always decides and the combine choice does not appear - there is nothing to combine. Setting a requirement does not block anything by itself; it defines who qualifies. You still choose what is blocked for everyone who does not qualify, which is the next part.
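The combine rules above, modelled as an added example (not SimplyPrint's own code) and run over a handful of constructed connections to show who fails to qualify under each setting, including the VPN and changed-public-IP cases. The rule keys (allow_list, require_device, combine) and the connection list are hypothetical, and treating a rule with no requirement configured as "everyone qualifies" is an assumption.

```python
import ipaddress


def ip_allowed(client_ip, allow_list):
    """True if the public address seen by the service is inside any allow-list entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e.strip()) for e in allow_list.split(","))


def qualifies(rule, client_ip, device_approved):
    """A lone requirement decides on its own; two are combined with 'or' (default) or 'and'."""
    checks = []
    if rule.get("allow_list"):
        checks.append(ip_allowed(client_ip, rule["allow_list"]))
    if rule.get("require_device"):
        checks.append(device_approved)
    if not checks:
        return True  # assumption: no requirement configured, so nobody is singled out
    return all(checks) if rule.get("combine", "or") == "and" else any(checks)


# Constructed connections: (label, public IP the service sees, approved browser?)
CONNECTIONS = [
    ("printer-room PC", "203.0.113.42", True),
    ("phone on building Wi-Fi", "203.0.113.42", False),
    ("approved laptop on a VPN", "198.51.100.7", True),
    ("printer-room PC after the public IP changed", "203.0.113.99", True),
    ("home laptop", "192.0.2.10", False),
]


def locked_out(rule):
    """Labels of the sample connections that do not qualify under this rule."""
    return [label for label, ip, dev in CONNECTIONS if not qualifies(rule, ip, dev)]


if __name__ == "__main__":
    base = {"allow_list": "203.0.113.42", "require_device": True}
    for mode in ("or", "and"):
        print(mode, "->", locked_out({**base, "combine": mode}))
```

Under "and", the approved printer-room PC drops out as soon as its public IP changes, which is the accidental lockout the stricter option carries.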


Block levels, in brief

Once you have decided who qualifies, you pick what is withheld from everyone who does not. The levels range from blocking everything (no access at all) down to blocking just one thing, such as starting prints or viewing the camera, and they nest sensibly - blocking a broader level implies the narrower ones beneath it. The full panel has one extra level the Hub does not (blocking the Printers page), because the Hub is itself the printer view and has nothing broader to hide.


The exact level-by-level breakdown, and which to choose for a "students can only print on-site" setup, is covered in the setup guides rather than repeated here. See the kiosk guide and the Hub guide linked below for the full list and worked examples.


Exemptions and why you cannot lock yourself out

Access restrictions never apply to everyone equally, and that is on purpose - it is what stops an admin from locking themselves out of their own account.


  • The account owner is always exempt. This cannot be turned off. The owner can always reach settings to fix or remove a restriction, no matter what the rules say, so a mistake is always recoverable.
  • User groups can be exempted. On each user group you will find two independent toggles: "Exempt from IP restrictions" and "Exempt from device approval". The first lets a group through regardless of the network they are on; the second lets a group through without an approved device. Because they are separate, a group can be exempt from one and still held to the other - for example required to be on an approved device but allowed in from any network, or the reverse. Administrators and teachers are exempt by default, which is why a typical school setup restricts students while staff keep working from anywhere.


This is the practical reason you can experiment with restrictions without fear: the owner is always a safe way back in, and you exempt staff at the group level so the lock falls only on the people it is meant for. The settings screen also warns you live, before you save, if the rule you are building would block your own current connection or device, so accidental self-restriction is caught early.



Updated on: 26/06/2026
