Skip to content

Choose your language

  • No results

Choose your login

  • No results
Support

How can we help?

PaperCut's AI-generated content is continually improving, but it may still contain errors. Please verify as needed.

Lightbulb icon
Lightbulb icon

Here’s your answer

Sources:

* PaperCut is constantly working to improve the accuracy and quality of our AI-generated content. However, there may still be errors or inaccuracies, we appreciate your understanding and encourage verification when needed.

Lightbulb icon

Oops!

We currently don’t have an answer for this and our teams are working on resolving the issue. If you still need help,
User reading a resource

Popular resources

Help center

FAQs
Conversation bubbles

Contact us

Prepare for Integrated Scanning implementation

This page applies to:

PaperCut NG PaperCut MF PaperCut Pocket PaperCut Hive

Last updated January 30, 2026

Before you set up PaperCut MF Integrated Scanning, perform the following tasks:

  1. (Optional) Set up user groups.
  2. (Scan to Folder action only) Provide access to network folders.
  3. Add scan destination details.
  4. Configure PaperCut MF to send scan notifications to users via email.

(Optional) Set up user groups

Groups let you organize which users can access which scan actions. Users can be added to a group either when they are first added into PaperCut MF, or before you set up your scan actions.

Identify the user groups that you want each scan action to be able to access.

For more information and steps on how to set up groups, see Groups in PaperCut NG/MF .

Example education scenario

For educational sites, you might want to have one user group for all students and another user group for all teachers.

The students group could access a Scan to My Email scan action. The teacher group could access a Scan to my Home Folder, Scan to Cloud Storage, and a Scan to My Email scan action.

Example corporate scenario

For corporate sites, you could set up a group for executives so they can scan confidential documents to a network folder that has restricted access.

(Scan to Folder action only) Provide access to network folders

If you want to create scan actions that deliver scan jobs to a predefined network path:

  1. Determine and/or set up the scan delivery folders
  2. Create a new service account
  3. Replace the original service account with your new service account.

Step 1: Determine and/or set up the scan delivery folders

Before you set up scan actions, identify the folders where you want to store the scan jobs. Depending on your environment, the folders might include:

  • each user’s home directory (home folder) — this must be set up in each user’s details in the Home folder field. If all of the folders for all of the users are under one root folder, use an inherited permission for that folder
  • network folders — these must exist in the network so they can be linked to in PaperCut MF scan actions settings.

Step 2: Create a new service account

So that PaperCut MF can deliver scan jobs, the service account that runs PaperCut MF needs to have read/write access to the network folders or Network Attached Storage (NAS).

By default, the service account that runs the PaperCut MF service is:

  • Windows—SYSTEM account
  • Mac—papercut account
  • Linux—papercut account

However these accounts do not have read and write access to network folders! That means you need to create a user account that can run the same types of services as the system account but also has read/write access to all of the required folders, then set up the PaperCut MF service to run as the new account. For additional information see: Run PaperCut Services with a Domain User Account .

Step 3: Replace the original service account with your new service account

On Windows
  1. In the Services console, stop the PaperCut MF Application Server service.
  2. Right-click the PaperCut MF Application Server service, then select Properties.
  3. Click the Log On tab.
  4. Select This account.
  5. Enter the new service account name and password.
  6. Click OK.
  7. Start the PaperCut MF Application Server service.
On Linux and macOS
On Linux and macOS PaperCut servers, make sure the network shares are mounted and the PaperCut account has read and write access to the mounted drive.

The exact steps will depend on the operating system of your PaperCut server and network storage. We advise referring to your operating system documentation for more information, but we've included an example below.

In the case of a Linux PaperCut server uploading files to a Windows file share, you can use the mount.cifs command like so: 

sudo mount.cifs //winserver.domain.local/SCANS$/ -o user=scans@domain.local /mnt/scans/

In this example:

  • //winserver.domain.local/SCANS$/ is the path to the Windows shared folder.

  • scans@domain.local is the user account with access to the shared folder.

  • /mnt/scans/ is the mount point on your Linux system. You'll need to ensure the PaperCut account has read/write access to this directory.

Verify users’ scan destination details

The scan action destination details might have already been set up for each user when they were first added to PaperCut NG/MF. However if they weren’t, set them up in PaperCut MF for each scan action you are going to create:

  • Scan to Cloud Storage — Users require an email address. PaperCut Cloud Service sends an authorization email to the user’s primary email address configured in PaperCut to authorize PaperCut scans. In the case of scanning to a shared folder in Sharepoint Online, make sure the folders exist in Sharepoint and that the user has been granted permissions to access.
  • Scan to Folder — set up each user’s home folder and/or create one or more network folders for scans to be stored in.
  • Scan to Email — set up each user’s email address and/or set up one or more generic email addresses for scans to be sent to; set up the SMTP Server Options (see Configure email ).
  • Scan to Fax — if you are using the Generic SMTP connector to send scans via email, set up the fax provider email gateway details. In the case of send via APIs using the API connectors, refer to the fax provider documentation.

You can set up or update users’ details in the following ways:

Configure PaperCut MF to send scan notifications to users via email

If you want scan actions to send users emails containing information about their scan jobs, configure PaperCut MF for email notifications.

For more information and steps, see Set up system notifications and emails .

Enforce Registered Email for OneDrive Scanning

Feature Overview
To enhance security and prevent data leakage, administrators can now enforce strict email matching for Scan to Cloud (OneDrive for Business). When enabled, this feature ensures that the Microsoft account a user links for scanning matches their primary email address registered in PaperCut MF.

Why use this feature?
By default, the standard OAuth authorization flow allows a user to switch accounts during the login process. This creates a potential security risk where a user could navigate back in the browser and authenticate with a personal email address (e.g., a personal Outlook or Hotmail account) instead of their corporate identity.

Enabling this configuration key prevents this scenario by validating the email address returned by the Microsoft API against the PaperCut MF user. If a user attempts to link a personal account that does not match their PaperCut profile, the authorization will be rejected, ensuring documents are only ever scanned to the organization’s sanctioned OneDrive storage.

How to Enable: This feature is managed via a configuration key.
To enable it, Options -> Config Editor, and search “onedrive.scan.cloud.verify-registered-email

User Experience & Behaviour Once enabled, the system enforces validation on both new and existing Scan to Cloud tokens:

1. First-time users: When a user attempts to link their OneDrive for Business account, the system checks the authenticated email. If it matches their PaperCut primary email, the link is successful. If they attempt to use a different account, the process is blocked.

2. Existing users: For users who have already linked an account, validation is performed on their existing token the next time they submit a scan job.

  • The system checks for a specific parameter confirming the email has been verified.
  • If this attribute is missing (which is expected for links created prior to enabling this feature), the user will be prompted to re-authorise via the standard email linking process to prove their identity. This process will be identical to the first time user linking process where an email is sent to the user to authenticate and link the account.

Note: even if the correct Papercut-linked email address was used this linking process will need to occur as the existing token will need to be updated with this secure linked attribute for the users scan token.

 

Comments