Mac printing in detail
This section of the manual is split into two parts for ease of use: one covering Mac OS 10.8+ installations, and another covering Windows-hosted print queue setup. In most cases only one applies to your network. As Mac systems have become more popular, many sites are opting for Mac print servers to support their Mac workstations. You can install PaperCut directly on a Mac print server (the system that hosts the print queues and to which users submit jobs, rather than sending them to the printer itself), giving native, end-to-end Mac printing.
Terminology
Below is an overview of the common terminology.
Print queue: There are typically two ways of providing shared multi-system access to a printer:
Configure each system to print directly to the device. The device needs to be networkable (e.g. have an Ethernet connection) and support multiple connections.
Configure a shared print queue. In this setup, only one system connects directly to the device (e.g. a server) and in turn the device is shared on the network via a print queue. Other systems on the network print to the shared queue rather than directly to the device.
CUPS: The Common UNIX Printing System is the print queue system used by the Mac. It is the same queue system used by many other UNIX-based platforms, including popular Linux distributions. Apple is a major supporter of CUPS.
IP Printing: This is a generic term used to describe a number of print protocols used to exchange print documents between a computer, a server queue, or a physical printer. (Note: This term is also occasionally used, incorrectly, to describe the "JetDirect" print protocol discussed below.)
IPP: Internet Printing Protocol. This is the "native" print protocol used by CUPS and the Mac, served on TCP port 631. It is a modern protocol designed to work well on local networks and over the internet or a WAN, and, unlike the older protocols below, it can carry authentication and, when run over TLS (ipps://), encryption.
LPR/LPD: The Line Printer Remote / Line Printer Daemon protocol is the traditional UNIX-based print protocol. The LPD server listens on TCP port 515 and identifies a printer by the server's address plus a queue name; several queues with different settings can exist on one server. The user name that accompanies a job is whatever the client supplies, and the protocol offers no authentication or encryption.
JetDirect/Socket: This is a very simple print protocol used to transmit print jobs to a physical printer on a TCP network. The printer accepts connections on TCP port 9100 and prints whatever is sent to it, with no authentication: anyone who can reach the port can print. In Windows this protocol is referred to as a Standard TCP/IP Port, and in some cases generally as IP Printing. Almost all network printers support this method.
Bonjour Printing: This is not a print protocol. It is Apple's method of publishing printers on a network (via multicast DNS service records) so workstations can locate the device or queue.
Where possible PaperCut NG works with all print protocols; however, we recommend some over others. The following setup procedure highlights methods that have been shown to work in most environments.
PaperCut’s recommended setup procedure is:
Install the printers on the server using a compatible driver.
Test printing from the server.
Share your printers.
Set up the workstations to connect to the server's shared print queues.
Optional hardware configuration
Some printer models support several of the connection methods listed above. If the printer's web administration page lets you disable protocols, turn off all except the connection method you will use (and Bonjour advertisement, if workstations should only ever see the server's shared queues). This minimizes the chance of misconfiguration, and the chance of a workstation user discovering the printer and printing to it directly, bypassing the server queue and PaperCut's accounting. Some printers also support access control by IP address; if this is available, restrict it so that only the server's IP address can submit print jobs directly to the printer. After changing these settings, test from the server (printing should still work) and from a workstation (direct printing to the device should fail).
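The "test from a workstation" check above is easy to script. The following is an added example (Python; not PaperCut's own code or part of this manual) that probes the three print ports named in the terminology section and reports any that are open but not on the allowed list. Run it from a workstation: every port should report closed. Run it from the print server: only the port of the chosen connection method should be open. The hostname in the usage line is a placeholder, and demo() uses a local listener as a constructed stand-in for a printer so the code also runs offline.

```python
"""Probe the TCP print ports a networked printer may still expose.

Added example; not PaperCut's own code. From a workstation that should not
print directly, every port should be closed; from the print server, only the
chosen method's port should be open. The hostname below is a placeholder.
"""
import socket
import sys

# Well-known TCP print ports, matching the terminology section.
PRINT_PORTS = {
    515: "LPR/LPD",
    631: "IPP",
    9100: "JetDirect/Socket (raw)",
}


def probe_port(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes, else False.
    A refused connection, a timeout (typically an IP filter or firewall
    dropping the SYN) and an unresolvable host all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_printer(host, ports=PRINT_PORTS, timeout=2.0):
    """Map each port in `ports` to True (reachable) or False."""
    return {port: probe_port(host, port, timeout) for port in ports}


def unexpected_open(results, allowed):
    """Ports found open that are not in `allowed`: each one is a path around
    the server queue that the hardware configuration step should have closed."""
    return sorted(p for p, is_open in results.items()
                  if is_open and p not in allowed)


def demo():
    """Constructed stand-in for a printer, runnable offline: a local listener
    plays a port left enabled, a bound-and-released port plays a disabled one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)            # connects complete from the backlog; no accept needed
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                 # nothing listens on this port now
    try:
        fake_ports = {open_port: "simulated enabled", closed_port: "simulated disabled"}
        results = probe_printer("127.0.0.1", fake_ports, timeout=1.0)
        stray = unexpected_open(results, allowed={closed_port})
    finally:
        listener.close()
    return open_port, closed_port, results, stray


if __name__ == "__main__":
    # usage: python3 probe_printer.py <printer-host-or-ip> [allowed-port ...]
    host = sys.argv[1] if len(sys.argv) > 1 else "printer.example.invalid"  # placeholder
    allowed = {int(p) for p in sys.argv[2:]} or {9100}
    results = probe_printer(host)
    for port, is_open in sorted(results.items()):
        print(f"{port:5d}  {PRINT_PORTS[port]:<24} {'OPEN' if is_open else 'closed'}")
    stray = unexpected_open(results, allowed)
    print("unexpected open ports:", stray if stray else "none")
```

A timeout and a refused connection are deliberately treated the same way: from the workstation's point of view both mean "cannot print directly", which is the property being verified. If the printer's IP access control is working, the server sees the allowed port open while the workstation sees every port closed.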
Handling unauthenticated systems (e.g. laptops)
Print queues in Mac OS X are unauthenticated by default. In an Open Directory environment, authentication is instead performed at system login. Unauthenticated systems such as laptops, where the login is against a local account rather than the directory, fall outside this: the user name that arrives with a print job from such a system cannot be trusted. Introducing these systems on your network therefore requires an extra layer of authentication. To address this need, PaperCut offers two options:
- Popup authentication via the PaperCut client software.
- Hold/release queue authentication, where jobs are held until the user authenticates and releases them.
It is your decision whether the authentication policy/procedure is applied to all systems on the network, or just to "untrusted" laptops.
Network-wide policy
This is the simplest solution and provides a consistent procedure and policy across all your users, irrespective of how they connect (a managed workstation or their own laptop). Select your authentication method and enable it on ALL print queues. The setup procedure for each method is summarized below.
Using popup authentication
- Select the Unauthenticated printer option on all printers. You can apply this to multiple printers via Copy settings from Printer to Printer.
- Ensure that all workstations have the PaperCut client software installed. This includes both authenticated lab systems and laptops. The PaperCut client must be running for printing to succeed.
- Instruct users that they need to enter their username and password in the PaperCut client. You can set PaperCut NG to save the credentials for a defined period of time if required.
Using hold/release queue authentication
- Select the Enable the hold/release queue check box on all print queues. Jobs do not print until a user has authenticated and released the job.
- Set up Release Stations, or, on the Options tab in the PaperCut Admin web interface, select the Allow users to view held jobs check box.
- Instruct users on how to release their jobs. This procedure must be followed by all users.
Laptop only policy (advanced)
One problem with the network-wide policy discussed above is that the authentication method (client popup or hold/release queue) also applies to authenticated systems. In some ways this is a positive (a consistent policy); in other ways it can be viewed as an unnecessary burden on trusted, authenticated systems. This section discusses a solution appropriate for larger sites.
The solution is to set up two servers. One server hosts a set of queues for authenticated systems, while the other provides queues for unauthenticated systems. Network router or firewall rules are used to ensure that only authenticated systems can reach the authenticated server's print ports (e.g. TCP 631 for IPP); laptop systems must use the other server's queues. This is best done with partitioned IP address ranges and/or subnets, and an experienced network administrator can assist with restricting server access by IP address. Note that the restriction is only as strong as the address assignment: any device that can obtain an address in the "authenticated" range will reach the authenticated queues, so the ranges should be enforced by the network (switch port or VLAN assignment) rather than by trusting client-configured addresses.
Eliminating popup authentication via Mac Login Hook
You can use popup authentication to provide a secure environment. With popup authentication, the PaperCut NG client software prompts for a username and password, and the server matches the source IP address of each print job against the workstation where that user authenticated; the client must therefore be running on the workstations or laptops. For example, there might be a mix of lab systems and unauthenticated laptops. The lab systems are managed and secured via authentication against a central user directory, while the unmanaged systems (e.g. laptops) are limited to local user authentication only, so the user's identity is indeterminate. Use popup authentication at the print queue level to provide an added level of user verification.
This is an advanced topic and is targeted at experienced Mac administrators with command-line knowledge. The double authentication is eliminated by having the system login also perform the PaperCut login via the system login hook. After the administrator has confirmed that the workstation securely authenticates users against a central directory service, they endorse the system by copying a shared secret file onto the workstation. The secret is what allows the client to vouch for the logged-in user without a password prompt, so it must be readable only by root and must never be placed on a system where users can log in with local, unverified accounts. To perform this endorsement, follow these steps:
- Set up the PaperCut client on the workstation and configure it to start via the login hook, as explained in detail in Multi-User Install.
- Use a secure method (e.g. a USB key or scp) to copy the file located on the PaperCut primary server at:
[app-path]/server/data/pc-shared-secret.dat
to the workstation, in either of the following locations:
/etc/pc-shared-secret.dat or /Library/PCClient/pc-shared-secret.dat
Do not send the file over an unencrypted channel, and remove any copies left on removable media afterwards.
- Set ownership and permissions on the file from the command line (substitute the /Library/PCClient path if you used that location):
sudo chown root /etc/pc-shared-secret.dat
sudo chmod 600 /etc/pc-shared-secret.dat
- Test a login and verify that the PaperCut popup authentication step has been eliminated by printing to an unauthenticated printer. Confirm that the job prints and is logged against the logged-in user as expected.
- Repeat the steps above for each trusted, directory-authenticated system (e.g. lab system) on the network, or include the file in your system image.
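The copy, chown and chmod steps above, together with the verification an administrator would want before trusting an imaged fleet, as an added Python example (not PaperCut's own tooling). The function names are this example's own; the [app-path] prefix of the source path is left for you to fill in, and demo() runs in a temporary directory as the current user on a constructed secret so it needs no root.

```python
"""Endorse a trusted Mac workstation with the PaperCut shared secret.

Added example; not PaperCut's own tooling. It carries out the manual's
steps (copy pc-shared-secret.dat, chown root, chmod 600) and then verifies
the result, because the endorsement is only as strong as the secrecy of
that file. Function names are this example's own; the [app-path] prefix of
the source path is left for the administrator to fill in.
"""
import os
import pwd
import shutil
import stat
import sys
import tempfile

# Destinations the manual lists; the client looks in either place.
WORKSTATION_PATHS = (
    "/etc/pc-shared-secret.dat",
    "/Library/PCClient/pc-shared-secret.dat",
)
SECRET_MODE = 0o600   # owner read/write only: other local users must not read it


def _resolve_uid(owner):
    """Accept a user name ('root') or a numeric uid."""
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def install_shared_secret(src, dest, owner="root"):
    """Copy src to dest, then set owner and mode. Needs root for a real chown."""
    if not os.path.isfile(src):
        raise FileNotFoundError(f"shared secret not found: {src}")
    shutil.copyfile(src, dest)                 # data only; mode is set explicitly below
    os.chown(dest, _resolve_uid(owner), -1)    # -1 keeps the group, like the manual's chown
    os.chmod(dest, SECRET_MODE)
    return dest


def check_shared_secret(path, owner="root"):
    """Return a list of problems; an empty list means the file is correctly endorsed."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != SECRET_MODE:
        problems.append(f"{path}: mode {mode:04o}, expected {SECRET_MODE:04o}")
    if st.st_uid != _resolve_uid(owner):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner}")
    if st.st_size == 0:
        problems.append(f"{path}: empty")
    return problems


def demo():
    """Constructed run in a temporary directory as the current user (no root):
    a correct install passes, a copy left at 644 is flagged, a missing file is flagged."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "pc-shared-secret.dat")
        with open(src, "wb") as f:
            f.write(b"constructed-secret-for-the-demo\n")   # not a real PaperCut secret
        good = install_shared_secret(src, os.path.join(d, "good.dat"), owner=me)
        bad = os.path.join(d, "bad.dat")
        shutil.copyfile(src, bad)
        os.chmod(bad, 0o644)                 # the mistake the check is meant to catch
        return (check_shared_secret(good, owner=me),
                check_shared_secret(bad, owner=me),
                check_shared_secret(os.path.join(d, "none.dat"), owner=me))


if __name__ == "__main__":
    # usage: sudo python3 endorse.py [app-path]/server/data/pc-shared-secret.dat [dest]
    source = sys.argv[1]
    dest = sys.argv[2] if len(sys.argv) > 2 else WORKSTATION_PATHS[0]
    install_shared_secret(source, dest)
    issues = check_shared_secret(dest)
    print("endorsed OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

check_shared_secret() is the part worth running on its own after imaging, since a deployment tool that copies files with a default umask will leave the secret readable by every local user; the mode and owner checks catch exactly that.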