Mac printing in detail
This section of the manual is split into different sections for ease of use, one section covering Mac OS 10.8+ installations, and another covering Windows hosted print queue setup. In most cases only one section applies on your network. As Mac systems have become more popular recently, many sites are opting for Mac print servers to support their Mac workstations. You can install PaperCut NG/MF directly on a Mac print server, offering native, end-to-end Mac printing.
Below is an overview of the common terminology.
Print queue: There are typically two ways of providing shared multi-system access to a printer:
1. Configure each system to print directly to the device. The device needs to be networkable (e.g. have an Ethernet connection) and support multiple connections.
2. Configure a shared print queue. In this setup, only one system connects directly to the device (e.g. a server) and in turn the device is shared on the network via a print queue. Other systems on the network print to the shared queue rather than directly to the device.
Option 2 is regarded as a better solution on multi-user networks as it provides a higher level of scalability, allows for centralized administration, and allows administrators to move or remap devices without needing to propagate changes to workstations. PaperCut NG/MF requires a shared print queue as it works by intercepting the jobs as they pass through the server’s queue.
CUPS: CUPS is the print queue system used by Mac. This is the same queue system used by many other UNIX based platforms including popular Linux distributions. Apple is a major supporter of CUPS.
IP Printing: This is a generic term used to describe a number of print protocols that are used to exchange print documents between a computer, a server queue, or a physical printer. (Note: This term is also occasionally used incorrectly to describe the “JetDirect” print protocol discussed below)
IPP: This is an acronym for Internet Printing Protocol. This is the “native” print protocol used by CUPS and the Mac. It’s a modern protocol designed to work well on modern networks including local networks, or even over the internet or a WAN.
LPR: LPR/LPD is the traditional UNIX based print protocol.
JetDirect/Socket: This is a very simple print protocol used to transmit print jobs to a physical printer on a TCP network. The printer accepts connections on port 9100. In Windows, this print protocol is often referred to as a Standard TCP/IP Port, and in some cases generally as IP Printing. Almost all network printers support this method.
Bonjour Printing: This is not a print protocol, but instead is Apple’s method of publishing printers on a network so workstations can locate the device/queue.
Where possible, PaperCut NG/MF works with all print protocols; however, we do recommend some over others. The following setup procedure highlights methods that have been shown to work in most environments.
PaperCut’s recommended setup procedure is:
Install the printers on the server using a compatible driver.
Test printing from the server.
Share your printers.
Set up the workstations to connect to the server’s shared print queues.
Some printer models support several of the connection methods listed above. If the printer offers the option to disable these protocols through its web administration page, you should turn off all except the connection method that you will use. This minimizes the chance of incorrect configuration, and the chance of a workstation user discovering the printer directly. Some printers also support access control via IP address. If this is available, consider setting access control so only the server IP can submit print jobs directly to the printer.
Print queues in Mac OS X by default are unauthenticated. Authentication in an Open Directory environment is instead performed at the time of system login. Unauthenticated systems such as laptops fall outside this. The introduction of unauthenticated systems on your network mandates the need for an extra layer of authentication. To address this need, PaperCut offers two options:
Popup authentication via the PaperCut client software.
Authentication via a Release Station or the web-based release interface (end user login > Jobs pending release).
It is your decision whether or not the authentication policy/procedure is to be applied to all systems on the network, or just “untrusted” laptops.
Applying the policy network-wide is the simplest solution and provides a consistent procedure and policy across all your users irrespective of their access method (such as via workstation or their own laptop). Select your authentication method and enable this option on ALL print queues. The setup procedure for both methods is summarized as follows:
Using popup authentication
Select the Unauthenticated printer option on all printers. You can apply this to multiple printers via Copy settings from Printer to Printer.
Ensure that all workstations have the PaperCut client software installed. This includes both authenticated lab systems and laptops. The PaperCut client must be running to be able to print successfully.
Instruct users that they need to enter their username and password in the PaperCut client. You can set PaperCut NG/MF to save the credentials for a defined period of time if required.
Using hold/release queue authentication
Select the Enable the hold/release queue check box on all print queues. Jobs do not print until a user has authenticated and released the job.
Set up Release Stations, or, on the Options tab in the PaperCut Admin web interface, select the Allow users to view held jobs check box.
Instruct users on how to release their jobs. This procedure must be followed by all users.
Laptop only policy (advanced)
One problem with the network-wide policy discussed above is that the authentication method (e.g. client popup or hold/release queue) also applies to authenticated systems. In some ways this is a positive (i.e. provides a consistent policy), while in other ways it can be viewed as unnecessary on trusted authenticated systems. This section discusses a solution appropriate for larger sites.
The solution is to set up two servers. One server hosts a set of queues for authenticated systems, while the other server provides queues for unauthenticated systems. Network router or firewall rules are used to ensure that only authenticated systems have access to the authenticated queues. Laptop systems must use the other queues. This is best done with partitioned IP address ranges and/or subnets. An experienced network administrator can assist with restricted server access by IP address.
You can use popup authentication to provide a secure environment. For example, there might be a mix of lab systems and unauthenticated laptops. The lab systems are managed and secured via authentication against a central user directory source, while the unmanaged systems (e.g. laptops) are limited to local user authentication only so user identity is indeterminate. Use popup authentication at the print queue level to provide an added level of user verification.
This is an advanced topic and is targeted at experienced Mac administrators with command-line knowledge. The double-authentication is eliminated by having the system login also perform the PaperCut log in via the system login hook. After the administrator has confirmed that the workstation is securely authenticating via a central directory service, they endorse the system by copying a shared secret file onto the workstation. To perform this endorsement, follow these steps:
Set up the PaperCut client on the workstation and configure it to start via the login hook as explained in detail in Multi-User Install.
Use a secure method (e.g. USB key or scp) to copy the file located on the PaperCut primary server at:
to the workstation in either of the following locations:
/etc/pc-shared-secret.dat or /Library/PCClient/pc-shared-secret.dat
Set ownership and permissions on the file using the command line as follows:
sudo chown root /etc/pc-shared-secret.dat
sudo chmod 600 /etc/pc-shared-secret.dat
Test login and verify that the PaperCut popup authentication step has been eliminated by printing to an unauthenticated printer. Confirm that the job prints and logs as expected.
Repeat the steps above for each trusted directory authenticated system (e.g. lab system) on the network, or use system imaging processes.
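The ownership and permission step above can be verified on each endorsed workstation, for example after deploying an image. The following script is an added example, not part of PaperCut's own tooling: the function names and the optional expected-UID argument are assumptions made for this example, while the file paths, owner and mode are those given in the procedure.

```shell
#!/bin/sh
# Added example: audit the PaperCut client shared-secret file on a workstation.
# Paths, owner (root) and mode (600) are the ones given in the procedure above.
SECRET_PATHS="/etc/pc-shared-secret.dat /Library/PCClient/pc-shared-secret.dat"

# check_secret FILE [EXPECTED_UID]   (EXPECTED_UID defaults to 0, i.e. root)
# Returns 0 only for a regular file owned by EXPECTED_UID with mode exactly 600.
check_secret() {
    file=$1; want_uid=${2:-0}; rc=0
    # A symlink could resolve to a file that another user is able to replace.
    [ -L "$file" ] && { echo "FAIL $file: is a symbolic link"; return 1; }
    [ -f "$file" ] || { echo "FAIL $file: missing or not a regular file"; return 1; }
    # ls -ln works on both macOS and Linux. Keep only the first 10 characters
    # of the mode column so a trailing '@', '+' or '.' flag is ignored.
    info=$(ls -ln "$file" | awk '{ print substr($1, 1, 10) " " $3 }')
    perms=${info% *}
    uid=${info#* }
    if [ "$perms" != "-rw-------" ]; then
        echo "FAIL $file: mode is $perms, expected -rw------- (600)"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $file: owner uid is $uid, expected $want_uid"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $file"
    return "$rc"
}

# audit_secrets [EXPECTED_UID]
# The procedure allows either location, so one correct file is enough, but any
# copy that exists with the wrong owner or mode is reported as a failure.
audit_secrets() {
    found=0; bad=0
    for p in $SECRET_PATHS; do
        # -e is false for a dangling symlink, so test -L as well.
        if [ -e "$p" ] || [ -L "$p" ]; then
            found=1
            check_secret "$p" "${1:-0}" || bad=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL no shared secret file found"; return 1; }
    return "$bad"
}
```

Source the file and call audit_secrets on the workstation; a non-zero return status means a copy of the shared secret is missing or does not have the owner and mode set in the step above.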