Skip to main content

Hello Casper admins!



I'm relatively new to both the Mac world and JSS computer management. We are primarily a windows shop but as of this summer we will be offering Macs to users (due to popular demand). I have been tasked with coming up with a workflow to add our printer fleet to JSS and map them to their respective users, perhaps using self service (hopefully using Active directory OUs) I have no idea how to do any of this AD integration is even possible with JSS. Also I don't know if its possible for the endpoints to print to the print server rather than printing directly to the printer.



My hope is to get some insight on some of what you guys are doing out there in the wild, perhaps get some information on how you did it. Also what the requirements are in terms of getting this up and running?



Thanks in advance,



Sincerely a Noob Mac admin

On the Windows side of the house, we map printers using AD groups. I mirrored that - I created a printer in the JSS (using the smb:// path to the object on the print server), then created a policy to map that printer at login and scoped it to the same AD group that the Windows machines use.

The first step is to make sure you have LDAP servers set up in the JSS. This is under System Settings>LDAP Servers. The actual set up is pretty self explanatory, but it's an easy step to miss.



Unfortunately, you cannot, as far as I know, scope based on OUs, but you can scope based on AD group membership. This is done, as limitation, not a target, so you'll target a smart that contains the computers you want, then limit it to specific AD groups.



Also, if the drivers for your printers aren't included in MacOS, you may want to set up some logic to ensure the drivers are installed before they can install the printers. We currently accomplish this using a smart groups that look for an install receipt for the driver install package. Those that don't have it only see the driver install policy in the Printers section of self service. Once they install it (the policy includes an inventory update to make sure they get moved to the "driver installed" smart group), they get printers scoped to them based on AD group membership, and the printers appear in self service.

You can absolutely scope policies to AD OU's but it does require you use an Extension Attribute and a Smart Group to make it happen. Below is my Extension Attribute to create the OU path for the machine. You will have to modify it a little bit for your environment, but it should get you pretty close. Then you just create a smart group that has something along the lines of "AD Path 'is like' /AD/OU/org/dept/group"



#!/bin/sh

ADPath() {

    ADConnectionCheck=$(dsconfigad -show)

    ADComputerName=$(dsconfigad -show | grep "Computer Account" | awk '{print $4}')

    ADComputerOU=$(dscl /Search read /Computers/"$ADComputerName" dsAttrTypeNative:distinguishedName 2> /dev/null | sed -e 's/dsAttrTypeNative:distinguishedName://g' | tr -d "

" | sed -n 's/OU=//gp' | sed -n 's/DC=//gp' | sed -n 's/CN=//gp')



    if [[ -n "$ADConnectionCheck" ]]; then



        if [[ -n "$ADComputerOU" ]]; then



            IFS=',' read -r -a ADArray <<< "$ADComputerOU"

            for (( i=${#ADArray[@]}-1,j=0 ;i>=1;i--,j++ ));

            do

                ADReverseArray[j]="/"${ADArray[i]}

                unset ADReverseArray[0]

                unset ADReverseArray[2]

            done

            ADPath="$(echo ${ADReverseArray[@]} | tr -d " ")"



            echo "<result>$ADPath</result>"

        else

            echo "<result>Location Error</result>"

        fi

    else

        echo "<result>Bind Error</result>"

    fi

}



ADPath
Terms & ConditionsCookie settings