Chapter 29. Mac Printing in Detail

Table of Contents

Mac Printing Overview
Terminology
Optional Hardware Configuration
Handling unauthenticated systems (e.g. Laptops)
Eliminating PopUp Authentication via Mac Login Hook
Mac hosted print queues for OS 10.8+
Installing the printers
Sharing the Printers
Setting up the printers on Mac workstations
Windows hosted print queues
Scenario One: My Own Mac (Single User)
Scenario Two: The Multi-User Mac with Popup Authentication
Scenario Three: Multi-user Macs using LDAP or Active Directory authentication

Mac Printing Overview

This chapter of the manual is split into different sections for ease of use, one section covering Mac OS 10.8+ installations, and another covering Windows hosted print queue setup. In most cases only one section will apply on your network. As Mac systems have become more popular recently, many sites are opting for Mac print servers to support their Mac workstations. PaperCut can be installed directly on a Mac print server, offering native, end-to-end Mac printing.

Terminology

Before we move on to configuring server-based print queues in a Mac environment, we'll first cover common terminology.

Print Queue: There are typically two ways of providing shared multi-system access to a printer:

  1. Configure each system to print directly to the device. The device needs to be networkable (e.g. have an Ethernet connection) and support multiple connections.

  2. Configure a shared print queue. In this setup, only one system connects directly to the device (e.g. a server) and in turn the device is shared on the network via a print queue. Other systems on the network print to the shared queue rather than directly to the device.

Option 2 is regarded as a better solution on multi-user networks as it provides a higher level of scalability, allows for centralized administration, and allows administrators to move or remap devices without needing to propagate changes to workstations. PaperCut NG requires a shared print queue as it works by intercepting the jobs as they pass through the server's queue.

CUPS: CUPS is the print queue system used by Mac. This is the same queue system used by many other UNIX based platforms including popular Linux distributions. Apple is a major supporter of CUPS.

IP Printing: This is a generic term used to describe a number of print protocols that are used to exchange print documents between a computer, a server queue, or a physical printer. (Note: This term is also occasionally used incorrectly to describe the "JetDirect" print protocol discussed below.)

IPP: This is an acronym for Internet Printing Protocol. This is the "native" print protocol used by CUPS and hence the Mac. It's a modern protocol designed to work well on modern networks including local networks, or even over the internet or a WAN.

LPR: LPR/LPD is the traditional UNIX based print protocol.

JetDirect/Socket: This is a very simple print protocol used to transmit print jobs to a physical printer on a TCP network. The printer simply accepts connections on port 9100. In Windows, this print protocol is often referred to as a Standard TCP/IP Port, and in some cases generally as IP Printing. Almost all network printers support this method.

Bonjour Printing: This is not a print protocol, but instead is Apple’s method of publishing printers on a network so workstations can locate the device/queue.

Where possible we have designed PaperCut NG to work with all print protocols; however, we do recommend some over others. The following setup procedure highlights methods that have been shown to work in most environments.

PaperCut’s recommended setup procedure can be summarized as follows:

  • Install the printers on the server using a compatible driver.

  • Test printing from the server.

  • Share your printers.

  • Set up the workstations to connect to the server's shared print queues.

Optional Hardware Configuration

Some printer models support several of the connection methods listed above. If the printer offers the option to disable these protocols through their web administration page, you should turn off all but the connection method that you will use. This will minimize the chance of incorrect configuration, and the chance of a workstation user discovering the printer directly. Some printers also support access control via IP address. If this is available, consider setting access control so only the server IP can submit print jobs directly to the printer.

Handling unauthenticated systems (e.g. Laptops)

Print queues in Mac OS X by default are unauthenticated. Authentication in an Open Directory environment is instead performed at the time of system login. Unauthenticated systems such as laptops fall outside this. The introduction of unauthenticated systems on your network mandates the need for an extra layer of authentication. To address this need, PaperCut offers two options:

  1. Popup authentication via the PaperCut client software.

  2. Authentication via a release station or the web-based release interface (end-user login -> Jobs pending release).

It is your decision whether or not the authentication policy/procedure should be applied to all systems on the network, or just "untrusted" laptops.

Network-wide policy

This is the simplest solution and provides a consistent procedure and policy across all your users irrespective of their access method (such as via workstation or their own laptop). Select your authentication method and enable this option on ALL print queues. The setup procedure for both methods is summarized as follows:

Using Popup Authentication

  1. Select the Unauthenticated printer option on all printers. (This can be applied to multiple printers via Copy settings from Printer to Printer.)

  2. Ensure that all workstations have the PaperCut client software installed. This includes both authenticated lab systems and laptops. The PaperCut client must be running to be able to print successfully.

  3. Instruct users that they will need to enter their username and password in the PaperCut client, which can be set to save their credentials for a set amount of time if required.

Using Hold/Release Queue Authentication

  1. Check the Enable the hold/release queue option on all print queues. Jobs will not print until a user has authenticated and released the job.

  2. Set up release stations, or ensure the Allow users to view held jobs option is enabled on the Options tab in the PaperCut administration console.

  3. Instruct users on how to release their jobs. This procedure must be followed by all users.

Laptop Only Policy (Advanced)

One problem with the network-wide policy discussed above is that the authentication method (e.g. client popup or hold/release queue) also applies to authenticated systems. In some ways this is a positive (i.e. it provides a consistent policy), while in other ways it can be viewed as unnecessary on trusted authenticated systems. This section discusses a solution appropriate for larger sites.

The solution is to set up two servers. One server hosts a set of queues for authenticated systems, while the other server provides queues for unauthenticated systems. Network router or firewall rules are used to ensure that only authenticated systems have access to the authenticated queues. Laptop systems must use the other queues. This is best done with partitioned IP address ranges and/or subnets. An experienced network administrator will be able to assist with restricting server access by IP address.

Eliminating PopUp Authentication via Mac Login Hook

There may be the requirement to use popup authentication to provide a secure environment. For example, there may be a mix of lab systems and unauthenticated laptops. The lab systems are managed and secured via authentication against a central user directory source, while the unmanaged systems (e.g. laptops) are limited to local user authentication only and hence user identity is indeterminate. Popup authentication at the print queue level can be used to provide an added level of user verification.

This is an advanced topic and is targeted at experienced Mac administrators with command-line knowledge. The double-authentication is eliminated by having the system login also perform the PaperCut login via the system login hook. After the administrator has confirmed that the workstation is securely authenticating via a central directory service, they endorse the system by copying a shared secret file onto the workstation. To perform this endorsement, follow these steps:

  1. Set up the PaperCut client on the workstation and configure it to start via the login hook, as explained in detail in the section called “Multi-User Install”.

  2. Use a secure method (e.g. USB key or scp) to copy the file located on the PaperCut primary server at:

        [app-path]/server/data/pc-shared-secret.dat
                            

    to the workstation in either of the following locations:

        /etc/pc-shared-secret.dat
          or
        /Library/PCClient/pc-shared-secret.dat
                            

  3. Set ownership and permissions on the file via the command line as follows:

        sudo chown root /etc/pc-shared-secret.dat
        sudo chmod 600 /etc/pc-shared-secret.dat
                            

  4. Test login and verify that the PaperCut popup authentication step has been eliminated by printing to an unauthenticated printer. Confirm that the job prints and logs as expected.

  5. Repeat the steps above for each trusted directory authenticated system (e.g. lab system) on the network, or use system imaging processes.
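
The commands in step 3 name only the /etc location, and an imaging process can silently change ownership or mode. The following script is an added example, not part of PaperCut: it checks both workstation locations from step 2 for a regular file owned by root with mode 600. The function names and the script name check-secret.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the endorsement file from steps 2 and 3.
# Paths are the two workstation locations named above; function names are
# made up for this sketch. Paths must not contain spaces.
SECRET_PATHS="/etc/pc-shared-secret.dat /Library/PCClient/pc-shared-secret.dat"

# check_secret PATH [UID]
# Returns 0 ok, 1 missing, 2 not a regular file (e.g. a symlink),
# 3 wrong owner, 4 mode not exactly 600. UID defaults to 0 (root); it is
# a parameter only so the check can be tried on scratch files without sudo.
check_secret() {
    path=$1
    uid=${2:-0}
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then return 1; fi
    if [ -L "$path" ] || [ ! -f "$path" ]; then return 2; fi
    # find's -user and -perm tests are POSIX, so this avoids the
    # BSD (macOS) versus GNU (Linux) differences in stat syntax.
    [ -n "$(find "$path" -prune -user "$uid")" ] || return 3
    [ -n "$(find "$path" -prune -perm 600)" ] || return 4
    return 0
}

# audit_all [UID]: succeeds only if at least one location holds a correctly
# protected file and no location holds a badly protected one.
audit_all() {
    want=${1:-0}; found=0; bad=0
    for p in $SECRET_PATHS; do
        check_secret "$p" "$want" && rc=0 || rc=$?
        case $rc in
            0) found=1; echo "OK     $p" ;;
            1) echo "absent $p" ;;
            2) bad=1; echo "FAIL   $p: not a regular file" ;;
            3) bad=1; echo "FAIL   $p: wrong owner (sudo chown root $p)" ;;
            4) bad=1; echo "FAIL   $p: mode is not 600 (sudo chmod 600 $p)" ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Usage: sh check-secret.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_all; fi
```

A non-zero exit status from the audit means the workstation should not be treated as endorsed until the reported file is fixed or removed.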