HiFi Print Docs & FAQ

What HiFi Print is

HiFi Print is a lightweight, self-hosted enterprise print management platform built for IT teams in healthcare, education, and professional services. It replaces manual printer deployments with a centralised server that pushes drivers, configures printer queues, and reports on print activity — all without requiring cloud connectivity or a print server appliance.

The server runs on any Windows machine and communicates with enrolled endpoint agents over mutually-authenticated TLS (mTLS), keeping every connection cryptographically verified.

Architecture

One server, N agents, no cloud. Drivers live on the endpoint; print jobs go direct to the printer.

┌─────────────────────────────────────┐
│           Admin Browser             │
│      Single-page admin UI           │
└────────────┬────────────────────────┘
             │ HTTPS
┌────────────▼────────────────────────┐
│        HiFi Print Server            │
│  FastAPI · SQLAlchemy · SQLite      │
│  Internal CA · mTLS · LDAP          │
└────────────┬────────────────────────┘
             │ WSS (mTLS)
    ┌────────┴────────┐
    ▼                 ▼
┌────────┐       ┌────────┐
│ Agent  │       │ Agent  │   ... N endpoints
│Win 10/11│      │Win 10/11│
└────────┘       └────────┘

Server

FastAPI application running as a Windows service (NSSM). Serves the admin UI and WebSocket endpoint. All data stored in a local SQLite database.

Agent

Lightweight Python service installed on each managed endpoint. Connects to the server via an authenticated WebSocket, installs drivers, creates printer queues, and reports status.

Tray icon

Optional system tray process showing connection status, installed printers, and active install tasks for the local user.

Environment requirements

Server: any Windows machine, ~200 MB disk, ~512 MB RAM. No SQL Server, no IIS.
Agent: Windows 10 or Windows 11. Works on workgroup or domain machines.
Network: outbound WSS from agent to server. No inbound ports required on endpoints.
Directory: optional Active Directory / LDAP for sign-in and group-to-role mapping.
Internet: not required. Fully air-gap compatible.

Security model

Agent private keys never leave the endpoint — only the CSR is sent to the server at enrollment.
Internal CA issues a signed certificate to each agent; the admin console can revoke any cert in one click.
Revoked agent certs are cached in memory on the server and refreshed every 60 seconds.
All admin passwords are stored as bcrypt hashes; the local admin account always works regardless of LDAP status.
SQLite database is stored under C:\ProgramData\HiFiPrint\ by default.
Configurable agent certificate expiry — N years, or indefinite for static environments.

Frequently asked questions

Does HiFi Print require cloud or internet access?＋

No. The server, agents, and subscription key validation all work fully offline. Updates are downloaded out of band.

Do I need Active Directory?＋

No. HiFi Print works on workgroup and domain machines alike. AD/LDAP integration is optional and used only for sign-in and role mapping.

How does it compare to a Windows Print Server?＋

HiFi Print eliminates the print server entirely. Drivers live on the endpoint and print jobs go direct to the printer. A spooler crash affects one machine, not a floor.

What about VDI and non-persistent desktops?＋

Hostname wildcard rules detect a new VDI session, match it to the right printer profile, and push the correct printers automatically — typically before login completes.

How are drivers managed?＋

Upload printer driver ZIPs to the central library. Define printer profiles (name, IP, driver, port, duplex, SNMP, comment) and assign them to groups or specific endpoints.

What logging is included?＋

Every push job, driver install, and admin action is logged with timestamp and user. Per-endpoint print history and full user activity reports are available with CSV export.