Skip to main content
Question

Allow Non Admin Users to Add Printers At Home


Forum|alt.badge.img+6

Hey!

I work in a school district where we have given teachers MacBooks. We have restricted the teachers from adding printers because we would really like to cut down on the insane amount of printing that they were doing. Before we had done this, a lot of the teachers had brought their own personal computers and added our IP base network printers. So we were thinking that they would do the same with their new district issued MacBooks and blocked the addition of printers behind admin credentials.

We have given them the option to all print to the district's Xerox machines and that's it. However, a lot of these users would like to add their own personal printers. I was wondering if there was a way to allow the users to add their own personal home printers while still restricting them from adding a IP based network printer?

I've seen some scripts that would add the user to a specific group that would allow them to add printers, but I am nervous that this would allow them to start adding printers here within the district?

Any help would be appreciated!

Thanks!

23 replies

Forum|alt.badge.img+21
  • Valued Contributor
  • 322 replies
  • February 21, 2018

Adding the users to the lpadmin group should do the trick.


Forum|alt.badge.img+6
  • Author
  • Contributor
  • 13 replies
  • February 21, 2018

I was reading about the lpadmin group, but could use some clarification.
This would allow them to add a printer from home but not allow them to enter ip addresses for network printers? Is there more to it than that?

Also, I appreciate the response!

Thanks!


Forum|alt.badge.img+6
  • Contributor
  • 18 replies
  • February 21, 2018

rqomsiya
Forum|alt.badge.img+12
  • Honored Contributor
  • 226 replies
  • February 22, 2018

I'm not sure you can limit the user to adding printers without IP. Most home/personal use printers are Wi-Fi based and the easiest way to set those up is via IP.

On another note, this is what we use in house...

#!/bin/bash

# Allow staff to add printers and manage print queue without administrative rights
/usr/sbin/dseditgroup -o edit -a everyone -t group lpadmin

exit 0

dsavageED
Forum|alt.badge.img+8
  • New Contributor
  • 172 replies
  • February 22, 2018

We use -

#!/bin/bash
# Workaround as shown in https://www.jamf.com/jamf-nation/discussions/19050/add-wifi-networks-without-admin-privileges
# Allows non-admin users to add printers and manage their WiFi configuration.

#For WiFi

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

#For printing

/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin

exit 0;

Forum|alt.badge.img+3
  • New Contributor
  • 17 replies
  • April 14, 2022
dsavageED wrote:

We use -

#!/bin/bash
# Workaround as shown in https://www.jamf.com/jamf-nation/discussions/19050/add-wifi-networks-without-admin-privileges
# Allows non-admin users to add printers and manage their WiFi configuration.

#For WiFi

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

#For printing

/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin

exit 0;

Perfect solution, Thanks @dsavageED !


Forum|alt.badge.img+3
  • New Contributor
  • 8 replies
  • April 14, 2022
rqomsiya wrote:

I'm not sure you can limit the user to adding printers without IP. Most home/personal use printers are Wi-Fi based and the easiest way to set those up is via IP.

On another note, this is what we use in house...

#!/bin/bash

# Allow staff to add printers and manage print queue without administrative rights
/usr/sbin/dseditgroup -o edit -a everyone -t group lpadmin

exit 0

This worked great for me, Thanks


Forum|alt.badge.img+2

All the suggestions don't work on Ventura, and probably Monterey and Big Sur.

I'm running MacOS Ventura and Jamf 10.45.1, and there is a solution.

In Jamf Configuration Policies, under Printing, click Allow user to modify printer list, AND Allow printers that connect directly to the user's computer.

After checking those two boxes and making sure the affected computers have picked up the new profiles, the standard and mobile users are now able to add printers.


BL-ay
Forum|alt.badge.img+2
  • New Contributor
  • 11 replies
  • April 3, 2024
boblauterbach wrote:

All the suggestions don't work on Ventura, and probably Monterey and Big Sur.

I'm running MacOS Ventura and Jamf 10.45.1, and there is a solution.

In Jamf Configuration Policies, under Printing, click Allow user to modify printer list, AND Allow printers that connect directly to the user's computer.

After checking those two boxes and making sure the affected computers have picked up the new profiles, the standard and mobile users are now able to add printers.


Is there any other solution for macOS Sonoma version 14.4 and higher?
Since version 14.4. our users get the admin prompt again...
We use the same profile settings, @boblauterbach provided.


Forum|alt.badge.img+7
  • Contributor
  • 11 replies
  • April 3, 2024
BL-ay wrote:

Is there any other solution for macOS Sonoma version 14.4 and higher?
Since version 14.4. our users get the admin prompt again...
We use the same profile settings, @boblauterbach provided.


Has anyone been able to get this to work on Sonoma 14.4 and higher. We are being asked for admin rights..


Forum|alt.badge.img+19
  • Valued Contributor
  • 568 replies
  • May 13, 2024
karengarner wrote:

Has anyone been able to get this to work on Sonoma 14.4 and higher. We are being asked for admin rights..


I tested the script and the profile posted above by @dsavageED and @boblauterbach 

 and neither option works on my Sonoma 14.4 test Macs.


Forum|alt.badge.img+3
  • New Contributor
  • 8 replies
  • May 15, 2024
boblauterbach wrote:

All the suggestions don't work on Ventura, and probably Monterey and Big Sur.

I'm running MacOS Ventura and Jamf 10.45.1, and there is a solution.

In Jamf Configuration Policies, under Printing, click Allow user to modify printer list, AND Allow printers that connect directly to the user's computer.

After checking those two boxes and making sure the affected computers have picked up the new profiles, the standard and mobile users are now able to add printers.


One note- it's a Configuration Profile- not a Policy.  But it >is< in there- thanks!!


Forum|alt.badge.img+1
  • New Contributor
  • 2 replies
  • May 15, 2024
dstranathan wrote:

I tested the script and the profile posted above by @dsavageED and @boblauterbach 

 and neither option works on my Sonoma 14.4 test Macs.


This microsoft guide might work, havent tried yet...
https://learn.microsoft.com/en-us/universal-print/macos/universal-print-macos-guide-remove-admin-requirement?tabs=original#instructions

By default, installing printers on macOS requires users to be administrators. This default is controlled by the policy settings in /etc/cups/cupsd.conf and can be changed.

  1. Update the <Limit> directive on line 59 to add CUPS-Add-Modify-Printer. This tag is the default access group with no Require clause, so making this change allows any user to install/delete/modify printers.
  2. Update the <Limit> directive on line 75 to remove CUPS-Add-Modify-Printer. This access group requires @system11 permissions, so we want to remove that requirement.

Forum|alt.badge.img+3
  • New Contributor
  • 8 replies
  • May 15, 2024
BL-ay wrote:

Is there any other solution for macOS Sonoma version 14.4 and higher?
Since version 14.4. our users get the admin prompt again...
We use the same profile settings, @boblauterbach provided.


The Jamf Configuration Profile worked for us on Sonoma...


Forum|alt.badge.img+3
  • New Contributor
  • 8 replies
  • May 15, 2024
karengarner wrote:

Has anyone been able to get this to work on Sonoma 14.4 and higher. We are being asked for admin rights..


Yep- the Jamf Configuration Profile worked for us on Sonoma...  Create a new Config Profile and edit the printing option...


Forum|alt.badge.img+3
  • New Contributor
  • 8 replies
  • May 15, 2024
RKilburn1 wrote:

One note- it's a Configuration Profile- not a Policy.  But it >is< in there- thanks!!


Oh, and it worked for us on Sonoma.


Forum|alt.badge.img+7
  • Contributor
  • 11 replies
  • May 15, 2024

I have this setup on my system as a configuration profile, however it is still asking for administrators name to allow adding a printer


Forum|alt.badge.img+3
  • New Contributor
  • 8 replies
  • May 15, 2024
karengarner wrote:

I have this setup on my system as a configuration profile, however it is still asking for administrators name to allow adding a printer


Weird- you sure it is scoped to your test device?  I had the same issue to solve today and it's working on two machines.  If you can't get it to work, I'd open a support ticket with JAMF

 


Jacek_ADC
Forum|alt.badge.img+7
  • Valued Contributor
  • 93 replies
  • June 17, 2024

Good Day

I like to try this config on our macbooks: Allow non-administrator users to install printers on macOS | Microsoft Learn

but when you are talking about config profile. Which config profile should it be. When i am trying to paste this config file from microsoft in jamf pro Application & Custom Settings - Upload it seems not to work. Its not a plist. So maybe a dumb question, but how to replace the cupsd.conf on the local system with jamf pro and a configuration profile?


Jacek_ADC
Forum|alt.badge.img+7
  • Valued Contributor
  • 93 replies
  • June 25, 2024

Read to fast the article here the last time. 

Have tried now the CP from Jamf and its working flawless and M1/M2/M3 MacBooks on Sonoma 14.5

 


Jacek_ADC
Forum|alt.badge.img+7
  • Valued Contributor
  • 93 replies
  • June 25, 2024
Jacek_ADC wrote:

Read to fast the article here the last time. 

Have tried now the CP from Jamf and its working flawless and M1/M2/M3 MacBooks on Sonoma 14.5

 



DavidSpribe
Forum|alt.badge.img+5
  • Contributor
  • 25 replies
  • November 5, 2024

Tried Configuration Profile method, but it doesn't work...


Jacek_ADC
Forum|alt.badge.img+7
  • Valued Contributor
  • 93 replies
  • January 14, 2025

Hi there,
Has someone tested the solution from @JBPiper https://learn.microsoft.com/en-us/universal-print/macos/universal-print-macos-guide-remove-admin-requirement?tabs=original#instructions
and can help me here with this. I want try this out but what is the best way to change the settings in the original cupsd.conf?
Are you guys creating completely a new file and replacing it with the original with some script?

Creating a pkg with composer with the changed file?

Or just some script which writes the correct code in the existing cupsd.conf file?

 

With the configuration profile from jamf i am not sure, how i can proceed and prohibit the installation of printer drivers on a macbook when its connected via airprint. 
This for the reason, i am unsure if the non admin user can update the drivers later or uninstall. And when the drivers are no more compatible with for example the next major upgrade for macos i need to react. This is not what we want.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings