Eliminating PopUp Authentication via Mac Login Hook

In large mixed Mac environments there may be the requirement to use popup authentication to provide a secure environment. For example there may be a mix of lab systems an unauthenticated laptops. The lab systems are managed and secured via authentication against a central user directory source, while the unmanaged systems (e.g. laptops) are limited to local user authentication only and hence user identity is indeterminate. Popup authentication at the print queue level can be used to provide an added level of user verification. The downside to this is that this policy also affects the managed authenticated lab systems. This can frustrate users as they are forced to login twice: Once for system login and then once for printing (via PaperCut). This double authentication can be eliminated by leveraging the lab system's login hook.

This is an advanced topic and is targeted at experienced Mac administrators with basic command-line knowledge.

The double-authentication is eliminated by having the system login also perform the PaperCut login via the system login hook. After the administrator has confirmed that the workstation is securely authenticating via a the central directory service, they endorsed the system by copying a shared secret file onto the workstation. To perform this endorsement, follow these steps:

  1. Setup the PaperCut client on the workstation and configure it to start via the login hook as explained in detail here the section called “Multi-User Install”.

  2. Use a secure method (e.g. USB key or scp) to copy the file located on the PaperCut primary server at:

        [app-path]/server/data/pc-shared-secret.dat
                            

    to the workstation in either of the following locations:

        /etc/pc-shared-secret.dat
          or
        /Library/PCClient/pc-shared-secret.dat
                            

  3. Set ownership and permissions on the file via the command line as follows:

        sudo chown root /etc/pc-shared-secret.dat
        sudo chmod 600 /etc/pc-shared-secret.dat
                            

    Take care to ensure this step is completed successfully.

  4. Test login and verify that PaperCut popup authentication step has been eliminated by printing to a unauthenticated printer. Confirm that the job prints and logs as expected.

  5. Repeat steps above for each trusted directory authenticated system (e.g. lab system) on the network, or use system imaging processes.