10.11 non admin user can't print PrinterProxy (Printer Proxy)

We are currently running into the same issue. The printers work fine on Mavericks and Yosemite, but once the system is upgraded to El Capitan the error pops up. At this point we are even allowing execution of applications from ~/Library/

I have contacted support and they are looking into a solution hopefully.

For the time being we have two major printers we need students to use so I have the temp fix in place.

• Policy set to once per user per computer
• Symlink ~/Library/Printers to /Applications/Printers
• Install both Library Print Queues into /Applications/Printers (Packages for the two Printers)
• Set permission so students can’t write to Applications/Printers

Hi all,

Looks like there's a fix outlined here on Apple's discussion boards -

https://discussions.apple.com/thread/7285187?start=0&tstart=0

I had a look at that post before I contacted support, however I can confirm that we do not have parental controls enabled on the user's account.

I got the following response back from the guys at support:

The QA team is going to be looking into; this workaround that is in place is the best available solution for the time being.

What about adding each user to the local print admin group? We do that so users can add home printers.

dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

@ooshnoo The student has access to the System Preferences Pane and can add printers with no problems. However when they try and open the print queue I get the error " You don't have permission to use the application "PrinterProxy"

These machines are for our Junior School students so they do not have admin rights and using profiles we have set a restriction to Disallow Folders at /Users. This has always worked for out 10.10 clients and I am only seeing this error under 10.11 clients.

Although my work around has this working for our two main printers in the Library, I will not be able to manage this for the students personal home printers.

@pnbahry We just released El Cap to all our students and just ran into this problem. Have you had any success with a permanent solution?

@rcastorani The last email I received from JAMF support was:

"You'll be able to track the progress on this issue with a issue number that we'll receive when they begin to investigate; we can send that your way once it's available, and the release notes will contain updates about whether or not it's been resolved,"

I have not received anything back from them, however the more people that report the problem might help with a solution.

We are seeing the same error when students print, but the printer still prints their job. Some students don't bother to check the printer because of the error so for us it is more of an annoyance.

@dentlerb We are seeing the exact same thing. I'm going to try to set up a new machine, enroll it, and then start adding config profiles one by one until I figure out which one is triggering the parental controls. If anyone has already done this I'm all ears to hear about it!

We are currently testing 10.11.3 with a restricted student account ready for roll out during the summer holidays and we too are getting this permissions error.

There is no way we can enable students access to all apps so a fix by JAMF or Apple would be more than welcome!

I got a chance to mess with this a little more last week and got it working.

We have a configuration profile with application restriction configured similar to those at the beginning of this discussion. Based on my experiments I think that if you add paths to the Allow Folders list it restricts applications to only run from those folders. In other words, by creating a whitelist everything else is blacklisted. I changed our configuration thusly:

Allow Folders:
/Applications/
/System/Library/
/Library/
/usr/
/bin/
/private/
/sbin/
~/Library/

Disallow Folders:
~/Applications/
~/Downloads/
~/Desktop/

I don't think I need the disallow folders, but I'm going to leave it because it works. With this configuration applications won't run from USB drives, ~/Scripts/, folders that users create in their own home folder, etc. By allowing ~/Library/ we no longer get the printerproxy error or any of the other errors that would come up from time to time. That's the only folder in the list non-admin users can write to, but since ~/Library/ is hidden in finder most of my users won't even know it exists.

That will not work for us, I even need to run a script to check for any read/write areas in the OS because the students will find any read/write areas within the build to copy games to.

We do not allow anything to run from /Users and at this stage this is not something we can change.

@dentlerb

@pnbahry Gotta love their ingenuity though! Off-topic, but are they checking via a script or just brute force? I have a ton of hidden places that they don't know they can write to simply to remove the incessant nagging permission popups.

@dentlerb Thanks for taking the time to write that out. We're having the same issues and since we have the same config profile system in place I'm going to take your advice and give those folders a shot.

@rcastorani Let us know how that works for you. All I'm going by is my experience from making those changes so your mileage may vary. Any information that can help us sort this out is valuable.

@pnbahry I think you must have some clever students. I am going to check on some of my more clever students and see if they have figured it out.

.

Same problem here! Haven't found a solution yet. Adding directories above hasn't helped here. Note I am still using MCX here.

UPDATE:
Only way I can get it to work is allow / or /Users or /Users/usersusernamehere
Putting ~/Library or any other folder doesn't seem to work.

Previously I had Disallow:
~/
And various apps in /Applications and /Utilities

And only allow was:
/Applications
/Library

Now I have it like this:
Disallow:
Various apps in /Applications and /Utilities
~/Applications
~/Desktop
~/Documents
~/Downloads
~/Music
~/Pictures
~/Public

Allow:
/Applications
/Library
/Users

So users could run apps from root of their home but nothing under it. Odd behavior!

Pretty sure this has always been a thing. Checked my profiles from 10.8 to 10.11, /Users/ blacklisted and ~/Library/Printers/ whitelisted, works like a charm.

Not here I have always used the following setup, 10.8.5 clients are currently running fine with this setup. I was skipping straight up to 10.11.4 and ran into this problem:

Previously I had Disallow Blacklisted:
~/
And various apps in /Applications and /Utilities

And only allow whitelisted was:
/Applications
/Library

I did try to whitelist ~/Library/Printers and ~/Library and made no difference for me. Verified the settings where in /Library/Managed Preferences/ as well. I'm still using MCX instead of Profiles, but wouldn't think that would be it.

I have run into this same issue and as described by @pnbahry on 1/11/16, JAMF Support has recommended that anyone with this use/case scenario go ahead and create the symbolic link.

• Policy set to once per user per computer
• Symlink ~/Library/Printers to /Applications/Printers
• Install both Library Print Queues into /Applications/Printers (Packages for the two Printers)
• Set permission so students can't write to Applications/Printers

Non-admin users were able to print but continued to have issues with the prompt; "You do not have permission to run PrinterProxy..."

INSTEAD, I changed the process to include the following:

• Added the printers into some_user_account
• Copied the list of ~/Library/Printers/some_printer.app into a directory called /Library/Printers/Installed_Printers
• Created a symbolic link between /Library/Printers/Installed_Printers/some_printer.app and placed it in ~/Library/Printers

Non-admin users are now able to print without a prompt.

JAMF has also opened a RADAR ticket with Apple as, according to JAMF Support, "it was also replicated with Profile Manager with our internal testing". JAMF Support has shared their RADAR ticket number, 26297653, for anyone to leverage and create a ticket as well -- maybe we can get some momentum with Apple providing a fix.

Just saw this myself, put in an enterprise ticket with apple referencing the RADAR above. Thanks for posting the info @gcash - Did you try doing a symbolic link for the whole ~/Library/Printers folder? We support so many printer models it'll get ugly to do them all one by one.

Edit - nevermind reread your post and understand what you were doing now. Will try that as workaround.

Yes. In my investigation of this issue (we restrict execution from ~/) I found the same. The issue being if you whitelist under a blacklisted folder, results are random. This has been an issue since OSX..... well, since OSX.

I'm not holding my breath. Symlinks to a whitelisted non-writable folder seems a more viable solution than waiting on Apple Developers to break their way out of the wet paper bag they're trapped in.

@gcash @CasperSally

What was your final workaround for the PrinterProxy permissions error? I dont appear to be able to delete the ~/Library/Printers folder to redirect the whole thing, and I'm hoping I dont have to create a symlink for each separate printer in that folder...

+1.... Anyone with a final repair (maybe one that does not include whitelist access of ~/Library/Printers/ ?)

This has not been resolved in 10.12