How to get a USB MFP printer/scanner working in R4.2

It took me a while to figure this out myself but I eventually got it working and thought this might also be helpful for others.

Context:

  • Due to security concerns, CUPS is not running by default anymore
  • Therefore the CUPS service needs to be manually activated
  • USB printers seem to need some extra steps to work (see below)
  • I personally have an MFP (multifunction printer - scanner + printer) from Brother and the below steps worked well for me. Not sure how well this works for other printers.
  • Other related discussions are here and here.
  • If I recall correctly, this only works with a USB qube (at least I don’t remember that I ever got this working without one)

Steps:

  1. When using templates like the most recent fedora-39-xfce template, CUPS and other printing/scanning tools need to be installed manually: sudo dnf install cups ipp-usb simple-scan
  2. Stop the VM
  3. Go into the settings of the VM and to the tab “Services”. Select “cups” from the drop-down list and add it as a service for that VM.
  4. Start the VM and observe that the CUPS service is running now: sudo systemctl status cups.service
  5. Connect the USB printer (which should be recognized automatically by sys-usb) and then attach it to the VM where you want to print/scan
  6. For printing: The printer should appear automatically in the printing menu of all the applications (e.g. LibreOffice, text editors, PDF viewers,…)
  7. For scanning: Start the tool “simple-scan”, which should also automatically recognize the printer

Side note:
There was something that does surprise/concern me, however: While trying to get this to work, I got into a state where I didn’t activate the “cups” service in the Qubes GUI. I only had the “cups” package installed and tried to start the service with sudo systemctl start cups.service. I then noticed that the service showed this error message and didn’t start: cups.service - CUPS Scheduler was skipped because of an unmet condition check (ConditionPathExists=/var/run/qubes-service/cups).

I then simply created that directory: sudo mkdir /var/run/qubes-service/cups and was then able to successfully start the service from within the VM with sudo systemctl start cups.service.

In other words: A potential attacker inside the VM has the ability to start the CUPS service even without the user outside of the VM actively giving permission to have CUPS activated. My understanding here might be a bit off, but at least when activating services in the GUI in the VM settings, it seemed to imply to me that the VM cannot break out of those settings. Just like the VM (hopefully) cannot change its own name, or its assigned Template or RAM or storage,…

Is that worth a ticket?
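
Added example, not part of the original post: a shell function that lists entries in the qubes-service flag directory that are not among the services enabled for the VM in its settings, which makes a flag created from inside the VM (as in the side note) visible. The function name, the argument convention and the demo data are assumptions made for this example; the expected service names are passed in by hand.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: audit_qubes_service_flags FLAG_DIR [EXPECTED_SERVICE ...]
# Prints "<name> <type>" for every entry in FLAG_DIR that is not listed as an
# expected service. Returns 0 if none, 1 if any were found, 2 on a bad FLAG_DIR.
audit_qubes_service_flags() {
    flag_dir=$1
    shift
    unexpected=0
    if [ ! -d "$flag_dir" ]; then
        echo "no such directory: $flag_dir" >&2
        return 2
    fi
    for path in "$flag_dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that literal.
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then continue; fi
        name=${path##*/}
        known=no
        for svc in "$@"; do
            if [ "$svc" = "$name" ]; then known=yes; break; fi
        done
        if [ "$known" = yes ]; then continue; fi
        # ConditionPathExists= is met by any path type, so report the type:
        # the side note's mkdir leaves a directory behind.
        if [ -L "$path" ]; then kind=symlink
        elif [ -d "$path" ]; then kind=directory
        elif [ -f "$path" ]; then kind=file
        else kind=other
        fi
        printf '%s %s\n' "$name" "$kind"
        unexpected=1
    done
    return "$unexpected"
}

# Constructed demo data: "network-manager" stands for a service enabled in the
# VM settings, "cups" for a flag created by hand with mkdir.
demo_dir=$(mktemp -d)
touch "$demo_dir/network-manager"
mkdir "$demo_dir/cups"
audit_qubes_service_flags "$demo_dir" network-manager || echo "unexpected flags found"
rm -r "$demo_dir"
```

Inside the VM this would be called as audit_qubes_service_flags /var/run/qubes-service followed by the service names shown in the “Services” tab for that VM.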