Secure Scanning Basics

Welcome to the Secure Scanning Basics Guide. This guide aims at getting you up and running as quickly as possible with Secure Scanning from your Canon devices.


Benefits of this service

  1. Security: end-to-end encrypted delivery of scanned documents.
  2. Control: limit and/or revoke access to scanned documents sent over email.
  3. Tracking: be notified in real-time of recipient delivery of scanned documents sent over email.
  4. Enablement: send scanned documents of up to 100Mb in size to anyone without concern of traditional 10mb email file size restrictions.

What you will need for this guide

  1. Login credentials for your mxHero Dashboard account
    • These credentials are sent to the administrator email registered in the Secure Scanning order. If you do not find them check your 'Spam' or 'Junk' email folder or contact your Canon representative.
  2. Administrative access to a Canon Device (see supported Canon devices below)
  3. Cloud Storage account. The following cloud storage services are supported:
    1. Box (
    2. Egnyte (
    3. Google Drive (
    4. Microsoft OneDrive (


How mxHero Secure Scanning Works 

Secure Scanning takes advantage of existing best-of-breed cloud storage services, so you don't have to deal with managing yet another file repository. The service will allow you to secure, control, and track documents you scan to email. This is achieved through intelligent upload and sharing of scanned documents through secure cloud storage links. When you scan a document, that document is first routed with encryption to mxHero's Secure Scanning service. Based upon your configuration, the service moves the scanned document to your cloud storage service. The service then sends an email with a secure cloud storage share link to the original destination of the scanned document.





Setting up your first Secure Scanning Rule

The process of configuring secure scanning involves a) creating a secure SMTP Authenticated connection to be used by your Canon devices, and b) configuring your Secure Scanning rule on how to file and securely share uploaded attachments.


1. Login to your mxHero dashboard

Use the credentials you received from the service registration process. 


2. Create a new 'Secure Scanning' rule.

From the dashboard home page scroll down to the 'Secure Scanning' app and click on 'ADD NEW'.



3. Copy credentials

Click on the clipboard icon to copy the secure SMTP username and password for the rule you are about to configure...



4. Click on the cloud storage selector field

Select your cloud storage and authenticate your account.


Some considerations regarding cloud storage accounts:

  • Box Service Account, Google Apps Drive and OneDrive for Business
    • Select these options for Box, Google Drive, or OneDrive service, respectively if you are the administrator of these services for your company. The use of these accounts permits the service to automatically save attachments on a per-user bases (e.g. scans from can be saved to cloud storage as Mary) and creates a more robust service offering as these storage admin accounts are intended for domain-wide services.



5. Click on the auto-filing field

This will determine where scanned documents are filed within your cloud storage.


upon clicking a section will open up below:


In the default scenario, your attachments will be saved in your cloud storage account (see note below) in the folder "Email Attachments" / "Email Address of the Recipient" / "Subject" of the email.

Note: if you used an admin account when configuring the Secure Scan rule, an additional configuration will allow the system to save scanned documents to the sender's storage account without needing to pre-authenticate.

In the following example, a document scanned to the email address '' with the subject set to 'Scanned Document' will be stored in the folder hierarchy: 

Email Attachments /  / Scanned Document

You can type in and drag folder names and dynamic variables. Dynamic variables can be accessed by first typing a brace '{' then selecting from the drop-down menu that appears. There are a number of default variables. These variables are filled in based on the content of the scan email, e.g. "recipient's email address" which can vary from one scan to the next. The system supports the ability to create custom variables, including accessing external databases to provide very powerful control of auto-filing.

Below demonstrates how you can alter the auto-filing path. Here we will save the scanned file in the folder hierarchy:

Scans / {recipients email address} / {dateStamp}

As such, a document scanned to on May 20, 2020, at 12:30 pm would be saved to the folder:

Scans / / 20200520_1230



6. Set your tracking preference

If you want to track the delivery of the scanned document, select one of the tracking options:


Tracking will send an email back to the configured sender of the scan email as soon as the recipient accesses the scanned document.


7. Save your Secure Scan rule

When you are satisfied with your Secure Scanning rule configuration, click on the 'Create this rule' button





Once you have concluded the creation of your Secure Scanning rule you should configure your Canon MFP. To do this, consult the documentation of your device. Use the following information:

  • SMTP:
  • Port: 587
  • Security: STARTTLS
  • Username: use the user name collected from step 3 above
  • Password: use the password collected from step 3 above

Once your device is configured, you should be able to scan to email and have the scanned document automatically saved and filed to your cloud storage folders. The recipient should receive an email with a link to that file.

The advanced configurations in the rule creation screen will allow you to set additional filing and security permissions, including dynamically filing and securing content based on sender, recipient, scanned content, and more.


Secure Scanning Device Administration


To enable and administer your Canon devices for Secure Scanning, enter the "Manage Devices" link.





To manage devices for secure scanning, you must first configure the device for Secure Scanning and send a test Secure Scan. If you do not do this, the device will not register with the Secure Scanning service.

TIP: when sending your first secure scan to email, configured as per above, you can add a subject to help you identify the device. The subject of the first email will appear in the "Notes" field of the device listing. You can then edit the note if so desired.

The first scans of each device will create and "Enable" a Secure Scanning Device entry. For example, if you have 5 licenses of secure scanning, the first five devices to send secure scans will create five "Enabled" device entries in the device listing. Secure Scans for new devices beyond the license count will be created as "Disabled". In the example of five device licenses, the 6th device will be added as a "Disabled" entry. If enabling a device takes you beyond your license count, you must first disable an enabled device.




Scan to Email when device rules are disabled

If a device is configured to send email through but its Secure Scan rule is disabled, the scan to email will still be forwarded to its original destination, however, without securing the scanned document (i.e. forwarded without alteration).


Advanced Topics

Revoking access to scanned documents

Unlike standard scan to email, Secure Scanning does not deliver the scanned document, rather a link to the scanned document that you control. You can revoke access to the document by simply going to the location of the saved document in your cloud storage and either deleting the file or removing access privileges. Note, if the recipient has already downloaded the scanned document, they will have access to their downloaded copy, however, any subsequent access through the link will be tracked and denied (which is important if the email is forwarded or your recipient's systems are breached). Alternatively, you can configure Secure Scan to only deliver a preview link. A preview link allows the recipient to view the document, but not download it.

Security Tip: the vast majority of data loss/exposure issues arise from the persistence of email attachments, commonly stored in your recipients' email servers for years. Any eventual breach of an email account, server, or archive will expose your documents if sent as standard attachments (i.e. common scan to email). By configuring Secure Scan to deliver documents with self-expiring links (e.g. 7 days), you will greatly reduce your data exposure (also known as 'threat surface') even when you configure secure scanning to deliver the links as public/open links requiring no end-user authentication. Your data breach risk is reduced from all scans ever sent to the breached recipient to just those sent in the last week (or whatever time limit you configure for auto-expiration). 

Have more questions? Submit a request


Powered by Zendesk