Chapter 21. Mac Printing in Detail

Table of Contents

Mac hosted print queues
Step 1: Installing the printers on the server
Step 2: Enable Printer Sharing
Step 3: Set up the printers (shared queues) on the workstations
Publishing the printer via Workgroup Manager
Unauthenticated systems (e.g. Laptops)
Windows hosted print queues
Scenario One: My Own Mac (Single User)
Scenario Two: The Multi-User Mac with Popup Authentication
Scenario Three: Multi-user Macs using LDAP or Active Directory authentication
Scenario Four: Mac OS X Server
Additional information and tips

Apple Mac printing is a complex topic and deserves its own chapter. The developers started on PaperCut MF for the Mac in 2006. Developing software on the Mac was an enjoyable experience and presented very few technical challenges. The challenges instead came in the area of general printer setup and idiosyncrasies with printer configuration. Mac administrators will be all too familiar with these challenges! This chapter addresses Mac printer setup (on both the client and server) and presents solutions for common setup and deployment scenarios. The chapter is split into two sections: Mac hosted print queues and Windows hosted print queues.

In most cases only one section will apply on your network. Jump to the relevant section as appropriate.

Mac hosted print queues

This section discusses printer setup on systems where the print queues are hosted on a Mac system. For example, PaperCut MF is installed on a Mac system such as Mac OS X Server. See the next section if your print queues are hosted on a Windows server.

This section assumes Mac OS X Server (e.g. Leopard Server); however, PaperCut MF also supports running on the workstation version of Mac OS X. These notes apply in part to both operating systems. The term 'server' is used to represent the system hosting the PaperCut MF software, and not necessarily the edition of Mac OS X.

Before we delve into configuring server based print queues in a Mac environment, we'll first take a few moments to discuss common terminology:

Note

Print Queue: There are typically two ways of providing shared multi-system access to a printer:

  1. Configure each system to print directly to the device. The device needs to be networkable (e.g. have an Ethernet connection) and support multiple connections.

  2. Configure a shared print queue. In this setup, only one system connects directly to the device (e.g. a server) and in turn the device is shared on the network via a print queue. Other systems on the network print to the shared queue rather than directly to the device.

Option 2 is regarded as a better solution on multi-user networks as it provides a higher level of scalability, allows for centralized administration, and allows administrators to move or remap devices without needing to propagate changes to workstations. PaperCut MF requires a shared print queue as it works by intercepting the jobs as they pass through the server's queue.

CUPS: CUPS is the print queue system used by Mac. This is the same queue system used by many other UNIX based platforms including popular Linux distributions. Apple is a major supporter of CUPS.

IP Printing: This is a generic term used to describe a number of print protocols that are used to exchange print documents between a computer, a server queue, or a physical printer. (Note: This term is also occasionally used incorrectly to describe the "JetDirect" print protocol discussed below)

IPP: This is an acronym for Internet Printing Protocol. This is the "native" print protocol used by CUPS and hence the Mac. It's a modern protocol designed to work well on modern networks including local networks, or even over the internet or a WAN.

LPR: LPR/LPD is the traditional UNIX based print protocol.

JetDirect/Socket: This is a very simple print protocol used to transmit print jobs to a physical printer on a TCP network. The printer simply accepts connections on port 9100. In Windows, this print protocol is often referred to as a Standard TCP/IP Port, and in some cases generally as IP Printing. Almost all network printers support this method.

Bonjour Printing: This is not a print protocol, but instead is a way of publishing printers on a network so workstations can locate the device/queue.

Where possible we have designed PaperCut MF to work with all print protocols; however, we do recommend some over others. The following setup procedure highlights methods that have been shown to work in most environments.

The PaperCut MF compatible setup procedure can be summarized as follows:

  1. Step 1: Install the printers on the server using a compatible driver

  2. Step 2: Enable Printer Sharing

  3. Step 3: Set up the printers on the workstations to point to the server's shared queue

Each one of these steps is discussed in detail below:

Step 1: Installing the printers on the server

Install the printer on the system running PaperCut MF using a compatible driver, for example a driver supplied by Apple or the manufacturer. If there is a choice of driver, opt for a Postscript or PPD based driver. Follow the manufacturer's suggested setup procedure, or Apple's recommended Queue setup procedure (Apple Print Services Administration Guide) if running on 10.5 Server. If the manufacturer supports various connection methods, we recommend using JetDirect/Socket if possible. Here is an example of a procedure that will set up a standard printer using a plain JetDirect/Socket connection on all Mac versions (server/workstation 10.4/10.5):

  1. From the Apple Menu select System Preferences...

  2. Select Print & Fax

  3. Click on the + button to add a new printer

  4. Click on the IP icon on the toolbar

  5. Select HP Jetdirect - Socket in the Protocol list

  6. Enter the printer's assigned IP address

  7. For convenience, give the printer a simple name without spaces

  8. Select the driver or printer model from the list and press Add

Figure 21.1. Setting up a printer (direct) on Leopard server using Jetdirect

Test printing using a local application (e.g. Print a web page from Safari). Confirm that printing works as expected.

Important

For new printers it is necessary to configure PaperCut MF to monitor the new printer. This is discussed in the section called “Adding and Removing/Deleting/Ignoring Printers”.

Important

Continue to the next step only after printing from the server is working. If you have problems, see the troubleshooting section below.

Optional Hardware Configuration

Some high-end printer models support other connection methods such as LPR, IPP or even direct AppleShare or Bonjour printing. If the printer offers the option to disable these protocols, e.g. via a web based configuration page, take the time to turn these off. This will minimize the chance of incorrect future configuration, and minimize the chance of a workstation user discovering the printer directly. Some printers also support access control via IP addresses. If available, consider setting access control so only the server IP can submit print jobs to the physical printer.

Notes & Troubleshooting

  • If your printer does not support JetDirect/Socket, consider using LPR as the 2nd choice.

  • Some printers support proprietary connection methods (e.g. selected Epson printers). Always try Jetdirect/Socket first and use proprietary methods as a last resort.

  • If you're not able to install or find a driver for your printer, try the Generic Postscript Driver/Printer.

Step 2: Enable Printer Sharing

By default locally installed printers are not shared as public print queues. Printer sharing needs to be manually enabled. If you're running the workstation version of Mac OS X, this is done by enabling "Printer Sharing" under System Preferences. On Mac OS X Server, use the following procedure:

  1. Open Server Admin, and select your server.

  2. Select Settings, then Services and enable the Print service.

  3. Save the change.

  4. In the server list on the left, select your server, expand, and highlight the newly created Print service.

  5. Select Queues from the toolbar. Your newly installed printers should be listed.

  6. Select each printer and ensure that at least the IPP protocol is selected. It may also be useful to enable LPR and expose via Bonjour.

  7. Ensure "Enforce Quotas for this queue" is turned off as PaperCut MF manages this.

  8. Click the Save button or save when prompted.

    Figure 21.2. Enable IPP on each queue via Server Admin

  9. Restart the Print Service by pressing Stop Print followed by Start Print. Note: In some cases we've seen issues where Server Admin changes have not been immediately picked up. If you suspect this, and can afford the downtime, schedule a system restart now.

Step 3: Set up the printers (shared queues) on the workstations

Once the printers are set up on the server and shared, the next step is to install the printers on the workstations. In the Windows world this is an easy process - the user just double-clicks on the print queue and the drivers are automatically deployed and configured. The process is a little more manual on the Mac, but we'll also discuss a method of automating deployment via the Workgroup Manager. First, we'll address manual setup.

The goal is to add the printer on the workstation so it communicates with the server rather than directly with the printer. Protocols include IPP, LPD, or LPD added via Bonjour. The recommended setup is to use IPP as this is the native protocol.

Recommended Manual Setup

  1. Log onto a workstation

  2. Open the Printer Setup Utility or, if on Leopard, System Preferences -> Print & Fax

  3. Click the add new printer button (or +).

  4. Select IP as the type and select IPP as the Protocol.

  5. Enter your server name (or the server's IP Address) in the Address field and the printer name prefixed with printers/ in the Queue field. The name of the printer will be the same as configured on the server. For example: printers/my_office_printer. Note: if you have selected LPR as the connection method, the printers/ prefix will not be required (see following section).

  6. Select the appropriate printer model. If this is not listed, you may need to install the manufacturer's driver, then repeat steps 2 through 6.

  7. Take some time to print from the workstation and confirm that printing succeeds.

Figure 21.3. Setting up a workstation printer on Leopard

If you have problems obtaining a driver for your printer, try the Generic Postscript Driver. This option will work with most printers. If after a test print the printer stops with a connection error, check the printer sharing permissions on the server or try the alternate method discussed below.

Alternate Manual Setup (LPD/LPR)

  1. Log onto a workstation

  2. Open the Printer Setup Utility or, if on Leopard, System Preferences -> Print & Fax

  3. Click the add new printer button (or +).

  4. Select IP as the type and select LPD as the Protocol.

  5. Enter your server name (or the server's IP Address) in the Address field and the printer name in the Queue field. The name of the printer will be the same as configured on the server.

  6. Select the appropriate printer model. If this is not listed, you may need to install the manufacturer's driver, then repeat steps 2 through 6.

  7. Take some time to print from the workstation and confirm that printing succeeds.
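PaperCut MF only sees jobs that pass through the server's queue, so a workstation queue that points straight at a device bypasses it. The following check is an added example, not part of PaperCut MF or the original manual: it reads `lpstat -v` output and flags any queue whose device URI is not the server's IPP (`printers/` prefix) or LPD (bare queue name) form described above. The function names, the server name `printserver.example.com` and the sample queues are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not PaperCut code). Reads `lpstat -v` output on stdin:
#   device for <queue>: <device-uri>
# and prints "OK|BYPASS <queue> <uri>" for each queue.

audit_queues() {
    server="$1"   # server name or IP exactly as typed into the Address field
    while IFS= read -r line; do
        case "$line" in
            "device for "*": "*) ;;
            *) continue ;;                    # ignore anything that is not a device line
        esac
        rest=${line#"device for "}
        queue=${rest%%: *}
        uri=${rest#*: }
        case "$uri" in
            "ipp://$server/printers/"?*)     verdict=OK ;;      # IPP needs the printers/ prefix
            "ipp://$server:631/printers/"?*) verdict=OK ;;      # same, with the IPP port spelled out
            "lpd://$server/"?*)              verdict=OK ;;      # LPD takes the bare queue name
            *)                               verdict=BYPASS ;;  # direct to device or another host
        esac
        printf '%s %s %s\n' "$verdict" "$queue" "$uri"
    done
}

# Constructed sample of `lpstat -v` output from one workstation.
sample_lpstat() {
    cat <<'EOF'
device for my_office_printer: ipp://printserver.example.com/printers/my_office_printer
device for lab_laser: lpd://printserver.example.com/lab_laser
device for hallway_colour: socket://192.0.2.45:9100
device for old_queue: ipp://192.0.2.45/ipp
EOF
}

sample_lpstat | audit_queues printserver.example.com
```

On a real workstation, run `lpstat -v | audit_queues <server>` and investigate every BYPASS line before publishing that workstation's configuration.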

Publishing the printer via Workgroup Manager

Manually installing the printer on each desktop on a large network may be tedious. Large networks using Open Directory may benefit from automating the process using Workgroup Manager. The key to successfully deploying/publishing printers via the Workgroup Manager is to publish the configuration from a working workstation rather than the server itself. This is counterintuitive, as administration is normally conducted by running Workgroup Manager on the server itself. Doing so, however, would publish the server's printer configuration, which is not appropriate because the server is configured to print direct to the device and not to the queue. Instead we need to install the Workgroup Manager software on a configured workstation/client and publish its known configuration. Use the following procedure:

  1. Select one workstation on your network. Follow the manual setup procedure as discussed above.

  2. Test and confirm this workstation is configured and printing correctly. Also choose other settings as appropriate such as tray, duplex and other defaults.

  3. Install the Workgroup Manager on this client workstation (found on the Mac OS X Server install disk).

  4. Open the Workgroup Manager, connect to your directory and select an appropriate user group or computer group used to manage client settings.

  5. Enter the Settings/Preferences area and select Printing.

    Figure 21.4. Printing settings via the Workgroup manager

  6. Select Manage Always and add printer(s) set up in step 1.

    Figure 21.5. Add printer appropriate to the container (users, group, or computer)

  7. Save settings and exit (e.g. click Done).

  8. Log onto another workstation and confirm that printer settings are being published as expected.

Tip

  • Only publish the printer configuration after it's been tested.

  • If you have problems with the manufacturer supplied driver, try the "Generic Postscript Printer".

  • Always publish the printer config from a tested client workstation and never from the server itself.

Unauthenticated systems (e.g. Laptops)

The print queues in current Mac OS X Server releases (both Tiger 10.4 and Leopard 10.5) are unfortunately unauthenticated (editor's note: CUPS supports authentication, however Apple have decided not to expose/support this feature). Authentication in an Open Directory environment is instead performed at the time of system login. Unauthenticated systems such as laptops, however, fall outside this check. The introduction of unauthenticated systems on your network mandates the need for an extra layer of authentication. PaperCut MF offers two options:

  1. Popup authentication via the client software, or

  2. authentication via a release station or the web based release interface (end-user login -> Jobs pending release).

Network administrators must decide if the authentication policy/procedure is to be applied to all network systems, or just "untrusted" laptops.

Network-wide policy

This is the simplest solution and provides a consistent procedure/policy across all your users irrespective of their access method (workstation or their own laptop). Select your authentication method such as popup authentication or hold/release queue and enable this option on ALL print queues. The setup procedure for both methods is summarized as follows:

Using Popup Authentication:

  1. Select the Unauthenticated printer option on all printers

  2. Ensure that all workstations have the client software installed. This includes both authenticated lab systems and laptops. The client must be running to have printer access.

  3. Instruct users that they will need to enter their username/password in the client when requested.

Using Hold/Release Queue Authentication:

  1. Check the Enable the hold/release queue option on all print queues. Jobs will not print until a user has authenticated and released the job.

  2. Set up release stations, or ensure the Jobs pending release option is enabled in the end-user web interface.

  3. Instruct users on how to release their jobs. This procedure must be followed by all users.

Laptop Only Policy (Advanced)

One problem with the network-wide policy discussed above is that the authentication method (e.g. client popup or hold/release queue) also applies to authenticated systems. In some ways this is a positive (i.e. provides a consistent policy), while in other ways it can be viewed as unnecessary on trusted authenticated systems. This section discusses a solution appropriate for larger sites.

The solution is to set up two servers. One server hosts a set of queues for authenticated systems, while the other server provides queues for unauthenticated systems. Network router or firewall rules are used to ensure that only authenticated systems have access to the authenticated queues. Laptop systems must use the other queues. This is best done with partitioned IP address ranges and/or subnets. An experienced network administrator will be able to assist with restricted server access by IP address.
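Because the authenticated server trusts whatever reaches it, it is worth verifying that the IP partition actually holds. The following check is an added example, not part of PaperCut MF or the original manual: it reads a CUPS access_log (Common Log Format, client address first) from the authenticated server and lists every client outside the trusted range. The range `10.1.0.0/16`, the function names and the sample log lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not PaperCut code): list clients that reached the
# authenticated server's queues from outside the trusted address range.

ip_to_int() {   # dotted quad -> 32-bit integer on stdout
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_cidr() {     # in_cidr IP NET/BITS -> exit status 0 when IP is inside the range
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

untrusted_clients() {   # access_log on stdin; prints each offending client once
    trusted="$1"
    seen=" "
    while read -r host _rest; do
        case "$seen" in *" $host "*) continue ;; esac
        seen="$seen$host "
        case "$host" in
            localhost|"") continue ;;                 # requests made on the server itself
            *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo "$host" ;;  # not plain IPv4: report, cannot range-check
            *.*.*.*) in_cidr "$host" "$trusted" || echo "$host" ;;
            *) echo "$host" ;;
        esac
    done
}

# Constructed sample lines in CUPS access_log format.
sample_access_log() {
    cat <<'EOF'
10.1.4.20 - - [12/Mar/2008:09:14:02 +1100] "POST /printers/my_office_printer HTTP/1.1" 200 412 Print-Job successful-ok
10.1.7.3 - - [12/Mar/2008:09:15:40 +1100] "POST /printers/my_office_printer HTTP/1.1" 200 398 Print-Job successful-ok
localhost - - [12/Mar/2008:09:16:00 +1100] "POST / HTTP/1.1" 200 75 CUPS-Get-Printers successful-ok
10.2.0.88 - - [12/Mar/2008:09:20:11 +1100] "POST /printers/my_office_printer HTTP/1.1" 200 420 Print-Job successful-ok
10.2.0.88 - - [12/Mar/2008:09:21:30 +1100] "POST /printers/lab_laser HTTP/1.1" 200 377 Print-Job successful-ok
EOF
}

sample_access_log | untrusted_clients 10.1.0.0/16
```

Any address this prints reached the authenticated server despite the router or firewall rules, so the rules or the address plan need correcting.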

Future Plans

The Laptop Only Policy is best described as a "hack" and is only suitable for larger sites with good network administrators. In the current release this is a supported solution. The developers do however have some ideas to streamline the setup. These include:

  • An ability to "endorse" the authenticated systems so the username is trusted by default. For example, a special file can be copied to these systems (readable only by the root user).

  • An IP address range filter restricting systems that can use a given printer.

If you are using this method please take the time to write to the developer team to share your thoughts and ideas.