Shock?

@plawrence @Sean_M_Harper sorry i missed the notification on this thread. i'm running following Once per user per computer - at login

edit: modified script to remove erroneous space

#!/bin/sh



rm -rf /Users/$3/Library/Printers



ln -s /Library/Printers/Installed_Printers /Users/$3/Library/Printers

+1 for @CasperSally script (after removing the space from line1= "#!/bin/sh").

I use a local account with parental controls which was seeing the "printer proxy" issue. This script did the trick even on a parental control account.

Thanks!

@CasperSally Thank you for your post. I am now able to print with non admin users. However, the printer proxy application for the printer (IE the printer queue app) is not launching. This means a user would not be able to delete jobs or resume a queue that had been paused. Any ideas? Is write access required?

Also, I found I had to manually create the /Library/Printers/Installed_Printers directory. The symlink file had no valid path to point to.

@TJ.Edgerly thanks i removed the space.

@gibbo1 - good point! I forgot that part of my post image script creates that directory for all machines 10.11.

@gibbo1

Did you manually create the directory by creating an Installed_Printers folder in ~Library/Printers?

We implemented the solution suggested by @gcash and created a script similar to @CasperSally to create the symlinks for our 4 printers. However, we are now encountering circumstances where the system will write a new printer app inside ~/Library/Printers/ even though the proper symlink is present. It will generally add " - 1" after the printer name, since it recognizes that the symlink is there. This happened quite a while after we implemented the fix (that is, it seemed to be working initially). We have not been able to determine the circumstances under which the workaround is itself circumvented, since the users tend not to report such errors on occurrence. As stated by others, opening up a security hole as a workaround is not acceptable in our circumstance. So just reporting that the workaround may not be permanent in some situations, or that there are some assumed details (POSIX permissions, for example) that need to be handled for successful deployment.

I have been able to get this to work for all of my student computers by allowing access to ~/Library/ because the students have local home directories. However my teachers have their home directories on a local server. I have tried various mappings to allow access, i.e., Volumes/Users/~/Library/ or servername/Users/~/Library/ No Go. Any thoughts?

@pnbahry Were you able to get this resolved? I'd love to talk with you if you were, we are having the same issue now. Thanks in advance!

Resolved this issue with the settings in the attached image using a Configuration Profile applied at the Computer Level.

Allowing to execute programs from ~/Library is a very bad idea.
User can paste any app in that folder abd execute it.
Is it not a purpose of pernitted app list to limit allowed apps?

We gave up. Users can execute whatever they want. We'll just fire them when they break the rules. shrug

I've still been scripting sym link and printers to other locations... and had teacher question something which made me test if it's still necessary and I no longer get printerproxy prompts anymore even without allowlisting anything in /Users.

If I copy the printerproxy executable to my desktop, it is blocked, but not when it's in the native printer location.   I put a ticket in with Apple who said "According to my research an exception is made to allow the PrintProxy binaries. I know there were issues in the past where  this payload would block users from printing. "

Just replying back in case others are still scripting this thinking it's still necessary, it may not be.  We are going to do some more testing here.

Hi, could you please share your script with me?

I have a similar scenario where I need the students to not have access to any local folders.

Could you please share your script with me? I have a similar scenario where I want to restrict write permission, so the students don't access local folders.