Best Follow me Printing Solution for Mac environment

SarahK
New Contributor

Hi All,

What's is the most stable and secure follow me printing solution of Mac environment ? (the users are managed by Jamf)
Have anyone used PrinterLogic ? DO YOU RECOMMEND IT ?

Thanks !

38 REPLIES 38

PhillyPhoto
Contributor III

We use Equitrac with our Ricoh printers. It works well, everything gets sent to a single queue, and the jobs are released by an employees RFID badge.

I didn't work on the backend, so I can't speak to that part of things, but the only issue we ran into was when Microsoft released the security patched that killed SMB communication a year or so ago. That took the queue offline for Macs for a while until it was fixed, although printing directly to a printer's IP address worked as a workaround. That's not really an Equitrac issue, more on MS and their Server software.

Chris_Hafner
Valued Contributor II

I manage our Papercut environment. Works fine for us but you are still dealing with Windows Print Queues. I had looked into PritnerLogic as I've heard many places really like it... however, I've also read the following post:

https://www.jamf.com/jamf-nation/discussions/14100/printer-logic-printer-installer

I have no first-hand experience though.

ferrispd
New Contributor III

PhotoPhilly, we also have Equitrac, but with Mojave we get the "Not optimized..." error when the EQloginController and EquitractPrintUtilityX are installed. What version are you using? I can't seem to get any straight info from our rep or access to these software downloads.

tnielsen
Valued Contributor

Papercut isn't bad. AD authentication passthrough works fine. The only issues we ever have are with brand-name drivers. EFI fiery etc.

DBrowning
Valued Contributor

@PhillyPhoto , do you have multiple buildings or are you all in one building?

My company has started to implement equitrac without reaching out to other teams and we are having massive spooling times (20+ minutes) when some jobs are sent from our remote offices. Have you run into anything like this on the macs?

tnielsen
Valued Contributor

@ddcdennisb You should have local print queues. Having print jobs sent across a WAN is not going to be fun for your users.

DBrowning
Valued Contributor

@tnielsen , I understand that, its getting that idea through to our printer admins. lol

PhillyPhoto
Contributor III

@ferrispd We don't install any clients on the Macs themselves, everything is done through a print queue added through the Printers preference pane.

@ddcdennisb We have servers in different regions that we connect the print queue to. They do all connect on the back end, so technically you can print to one across the country and it will be available in your office, but there may be a delay involved.

DBrowning
Valued Contributor

@PhillyPhoto What kind of delay times are your folks seeing if they print a larger PPT or PDF?

olamike
New Contributor III

@Chris_Hafner - I was wondering if you could share with me how you deploy your printers. we use papercut for our windows devices and I have been trying to deploy this to the macs and cannt seem to get it to work.

tjhall
Contributor III

@bodeo Check this one out: https://www.jamf.com/jamf-nation/discussions/31539/mac-can-t-connect-with-printer-queue-any-pointers

PhillyPhoto
Contributor III

@ddcdennisb I haven't heard of any specific delay times, just more of a theoretical delay at this point due to the network hops involved.

olamike
New Contributor III

@tjhall thanks for that. I didn't really give full details.

So at the moment I have got the printer deployed to the macs, but when you send a print the print queue goes to "pause" and even if you click on resume, it spins and goes back to the pause state. I can add print queue manually to the macs going through settings etc and when you print it sends the job to the printer and the user access it ok using their badge. However I just cannot get it to work the same when deployed via jamf

tjhall
Contributor III

@bodeo And is that installed with a post script that authenticates?

It requires an authentication for it to work (printername needs to be the same as the custom queue)
sudo lpadmin -p "printername" -o auth-info-required=username,password
sudo lpadmin -p "printername" -o auth-info-required=username,password

nmanager
New Contributor III

We use Uniflow and after some tweaking we got it to work for most jobs without issues. We did have some issues with AD authentication and ended up needing to install Enterprise Connect (or Nomad) to keep the kerberos tickets alive. We also ran into huge issues with some PDFs. Depending on how they are rendered certain PDFs could take 20 to 30 minutes for a few pages. We ended up having allow direct IP print for users running into that issue and if they needed to choose a paper tray.

RaymoJamf
New Contributor II

PaperCut in our environment is pretty stable...as long as your AD structure has built-in mechanisms for removing obsolete user accounts.

olamike
New Contributor III

@tjhall no it isn't installed with a post script. I just literally fill up the printer detail in "Printer" and deploy it as a policy

629966390e3241eaa8e15825778a14f7

e9efec9adcbb41308faa1dd20b7dd6c2

tjhall
Contributor III

@bodeo
That looks like you are printing directly, not via PaperCut?
If you run lpstat -s in Terminal does it correspond to the right queue?

This is the way I set it up (then just added the printer in Jamf Admin + the authentication script since it's required for users to log on to the spool volume)

Click “Advanced”
Type: Windows printer via spools
Device: Another Device
URL: smb://IP address/name
Name: "Printer Name"
Location: Floor/Building
Use: select software; Select the apprpriate PPD (pre install if necessary)
Click “Add”

olamike
New Contributor III

@tjhall no thats tthru PaperCut. the ip address on the screenshot is to the papercut queue server.

when I run lpstat - s i get the following:

system default destination: Secure_Print
device for printername: ///dev/null
device for Secure_Print: lpd://10.1.1.61

One thing of notice is that there is an "_" added to the name which shouldn't be there.

As i said previously, when I setup the printing on a mac manually using the settings, the PaperCut secure printing works perfectly, I just go to any of the printers and use my id card to release the print.

is this the right format for the script?

01525680aeb6485cadf12b04678edf24

olamike
New Contributor III

eff5fbd2f11446b0b5f9abbef3faeb50

tjhall
Contributor III

@bodeo ] Yes, in your case it would be: sudo lpadmin -p Secure_Print -o auth-info-required=username,password
The user should be prompted to authenticate the first time they print (or after the click resumne).

Might be work right-click and "reset print system" in system prefs/printers first (or lpstat -p | awk '{print $2}')

olamike
New Contributor III

@tjhall should the fact it is "Secure Print" and not "Secure_Print" matter then?

tjhall
Contributor III

@bodeo It needs to be the exact name (whatever name you've given the print queue) otherwise it won't work.
So usually whatever the system default destination is of lpstat - s

olamike
New Contributor III

@tjhall I know but it seems the system is changing the printer name to Secure_Print instead of Secure Print and noway in the deployment have I named it Secure_Print

tjhall
Contributor III

@bodeo So what did you name the volume share? I'd say it's probably better to name it Secure_Print than having a space in the name.

mainelysteve
Valued Contributor

Lots of questions here:
1. I'm assuming cups logs have been looked at to determine loosely why the job is pausing?
2. What OS is the print server running on? If it's windows server then your url for the queue should be lpd://servername/queue_name.
3. If you're using a straight IP address to a server then how will cups determine what queue to send the job to?
4. Continuation of question 3. I'm assuming the Papercut application server is running on the same box as your queues? If it's not and you're pointing the queue on this Mac to the Papercut application server then that's not correct it needs to point to a print server.

FYI under cups any queue name with a space in it will get an underscore added to it. You won't see it in the Printers & Scanners pref pane but when looked at in cups (localhost:631 in your browser) it will have the underscore.

Chris_Hafner
Valued Contributor II

OK @bodeo I'm going to list out how I do it over our way. There are many ways to do this as your'e seeing. I suspect I know where your issue is though. In amny event Here's our setup.

1) PaperCut Server (Running on Windows 2012r2, in VSphere).
-Set using Standard SMB print queues. I'm happy to give details.
-Universal drivers installed for both HP and Xerox (Our primary pritners/copiers)
-Option on each printer to "Render print jobs on client comptuers"
-Currently using TCP/IP ports. -Each port is configured as a "Standard TCP/IP port" and assigned to a specific IP number (Printers have static IPs here)

2) I deploy print drivers seperately from print queue isntallation. Either during enrollment or via a policy, using a smart group to identify machines without current drivers. I load ALL drivers for each manufacturer we support, where possible. This way, I only need to call the specific driver with each printer install policy

3) My JAMF policy simply uses an lpadmin command in a script. Here's an example

lpadmin -p PRINT_DISPLAY_NAME -E -v smb://your.papercut.domain.com/PRINT_QUEUE_NAME -P /Library/Printers/PPDs/Contents/Resources/Xerox WorkCentre 5945.gz -o auth-info-required=negotiate -o XRFinisher=OF -o XRTrays=FiveTraysHCTT -o XRHolePunch=TruePunch -o XRFinishing=Unspecified -o XRPunchOption=None -o XRStapleOption=None -o XROutputDestination=Auto  -o XRBiDiCommunication=Off

I am using two options that you may find important here. 1), "o auth-info-required=negotiate" and 2) "-o XRBiDiCommunication=Off"

-You could also set this globally with the following defautls write command.

defaults write /Library/Preferences/.GlobalPreferences.plist BiDi Off

4) Last but not least, I have a smart group that tracks units with paused print queues. I set the following an an EA (Found somewhere here)

#!/bin/bash

# echo $(lpstat -p | grep -EB1 "Paused")
# echo $(lpstat -p | grep -w "disabled" | awk '{print$2}')

RESULT=$(lpstat -p | grep -w "disabled" | awk '{print$2}')

echo "<result>$RESULT</result>"

I scope this to a policy that uses the following commands, in a script

#EMPTYS ALL PRINTER QUEUES THAT ARE PAUSED
sudo cancel -a `lpstat -t | grep disabled | awk '{print $2}'`
#UNPAUSES PAUSED PRINTERS
sudo cupsenable `lpstat -t | grep disabled | awk '{print $2}'`

This attempts to re-print anything the user may have caught in a paused print queue. It's heavy handed but it catches things before a user piles up 10 versions of the same print job in a paused queue.

olamike
New Contributor III

@tjhall @mainelysteve @Chris_Hafner thanks guys for your comments, will try those and let you know. I am very new to Jamf we only just started using it and am still trying to figure things out. We primary have windows pcs and just about 25 macs.

The puzzling thing is that when I setup the printer via below, it works but not when deployed thru Jamf. I suspect the issue might be because the secure print share name has a space in it.
ebd18c7c26a54cbb88cca9b6934a2e45

@Chris_Hafner can you explain how to create the smart group that tracks paused print queue

mainelysteve
Valued Contributor

@bodeo I would highly suggest using the dns name of your print server rather than an IP address. Not a necessity by any means but it is good practice to do so.

Chris_Hafner
Valued Contributor II

@bodeo Listen to @mainelysteve and use DNS names. As for the scope question.

1) Create an Extension Attribute with the script I included above

#!/bin/bash

# echo $(lpstat -p | grep -EB1 "Paused")
# echo $(lpstat -p | grep -w "disabled" | awk '{print$2}')

RESULT=$(lpstat -p | grep -w "disabled" | awk '{print$2}')

echo "<result>$RESULT</result>"

2) Create a new SMART group as follows: CRITERIA of "NAME OF EXTENSION ATTRIBUTE"
OPERATOR: "is not"
VALUE: (leave blank)

It should look something like this:
8834501c93384a7cb390c88b5ee0faa7

Chris_Hafner
Valued Contributor II

Then scope that smart group to a policy that runs the script:

#EMPTYS ALL PRINTER QUEUES THAT ARE PAUSED
sudo cancel -a `lpstat -t | grep disabled | awk '{print $2}'`
#UNPAUSES PAUSED PRINTERS
sudo cupsenable `lpstat -t | grep disabled | awk '{print $2}'`

olamike
New Contributor III

@Chris_Hafner thanks for that. Yes I did use the dns name in the configuration only just rather than the ip, just left the ip on the screenshot because I was posting it on a public forum.

So I have created the smart group and pushed out the policy, this has gone rid of the paused state - Thank You. However the print Job is still going to Paused state when you send a print

rhoward
Contributor

I also second Papercut. We use that for ton of reasons (no need to push out drivers, secure airprint requiring credentials, better printing metrics, etc). We also have Toshiba copiers that have a built in "Find Me" queue that require a user login or scan their ID in order to print. We also have done something similar in testing by using a Raspberry PI with a touch display for other printers and that has been successful too as a release station.

Chris_Hafner
Valued Contributor II

@bodeo Good point about the public post 😉 There's got to be something in the way there. Does the queue give you a reason for pausing? Perhaps you should push out the defaults write command I posted.

defaults write /Library/Preferences/.GlobalPreferences.plist BiDi Off

Let me know if that makes any difference!

@rhoward You have me VERY insterested in your rPi solution. What is that handling? Just prox card/smart cards, or is that doing something with the release itself? I ask because I find Papercut's release device licensing to be a little silly.

rhoward
Contributor

@Chris_Hafner it was only in testing purposes for just releasing jobs. The goal was to cut down on paper waste and for printing confidential information. I'm not sure about the licensing as I don't generally deal with that side of things. Ultimately it was going to be a costly solution and we decided against it, but it could work in some environments!

Chris_Hafner
Valued Contributor II

@rhoward Thanks for that! Yea, prox readers are cheap. Last I checked, ACDI (Our vendor for Papercut) wanted something like $800/release station for licnesing.

mainelysteve
Valued Contributor

@bodeo Just to verify as your screenshot above shows you didn't add the printer share name to the URL field. So it should be lpd://servername/printer_share. It's probably pausing because of this config error.

You should check cups in your browser:
On the mac your testing with enter localhost:631 into Safari or whatever your favorite browser is. Click Printers and if prompted enter the command shown into terminal. Back in cups click the queue name created by the jamf Pro policy and ensure the connection field has a fully flushed out url and not just the print server address. If the queue/share name on the print server has spaces in it please use (-) dashes i.e. Office Printer should be entered as Office-Printer.
You may also have issues with the generic ppd you're using.

Again you may have already done this but I'm double checking as your previous posts show that jamf is sending out the incorrect url.

olamike
New Contributor III

@Chris_Hafner @tjhall @mainelysteve @rhoward good morning and thanks for all your help. I seem to have got this working now (fingers crossed) like I said in my earlier post when I manually setup the printing to the papercut printing queue on the mac it works absolutely fine, - you send a print walk to any printer, scan your id badge and the print comes out but when i use the same setting via Jamf pro it goes to "paused" state when you print. So what I have just done this morning is added the secure print onto the mac manually again and upload it via Jamf admin and based on initially testing this seems to working as it should be.