Papercut Deployment for Mac's not using AD

jakejanik
New Contributor

I have a customer who is running Papercut with users logging in with generic credentials to their macs. For authentication, they need to run the papercut pop up client as well as connect to a windows share for printing via windows printers via spoolss. The issue we are running into is that a constant SMB connection has to be made in order for printing to spool to the windows server and for the papercut client to stay connected to the server. Is there a way to push this out to have the one local account to connect to the windows server embedded with these things?

17 REPLIES 17

al_platt
Contributor II

We're testing something similar and were hoping that it did kerberos pass through for Enterprise Connect for auth but were told no.

I installed the print queues with lpadmin using -o auth-info-required=negotiate

First time user connects to the printer it asks them to auth. Tick the add to keychain box and you're good to go.

matt_at_papercu
New Contributor

Hi Jake!

Matt from PaperCut here, great question and definitely one we would be happy to help you find a solution for.

Have you taken a look at the Mobility Print feature within PaperCut? This allows you to publish printers out from your Windows server to your iOS and MacOS devices allowing users to easily install the printer themselves and authenticate the first time they print with their credentials being saves to their keychain. There is no need for them to reconnect every time and they will be able to easily pick up and continue to print the next time they join your network.

This section on our website shows you how your users will be able to set themselves up for success. Mobility Print Client Setup.

Also, if you are only using the client to allow the users to authenticate then this could remove the need for them to have this installed.

Any questions just let me know.
Matt.

achristoforatos
Contributor II

@matt_at_papercut I have several Xerox printer models such as c60's and 7835's. Mobility is turned on but they do not show in the add menu. If I add them via ip, etc they do not ask to be authenticated. I have found that using the advanced add feature can work using windows printer via spools. It will then ask to authenticate. However when using Jamf admin to add the printer to Jamf, the authentication feature does not carry over. Any ideas?

Matt_Roy93
Contributor

Use an LPD service not SMB if possible from your Windows Print Server, this solved many issues for our district. You can then create a Jamf package to install print drivers, install PCC client, install launchD, map the printer.

Matt_Roy93
Contributor

Here is a follow up to my previous post,

“Best Practices for Deploying PaperCut with Jamf”

Initial Setup: Virtual/Physical queue in PaperCut MF software is setup and pointing to correct location on print server, creating a Null local identifier port works if using a virtual hosted queue. We utilize this to enable print jobs to be released anywhere in the district(“FindMe”). SMB creates a lot of issues when deploying so it is HIGHLY recommended you use an LPD/LPR to host the printer.

Jamf Deployment: First you will need to determine what driver/software is required for users to add/print to the desired device, Konica Minolta requires a software package be installed prior to adding the print device, this was downloaded from their site as a .DMG, ran through Composer and a .PKG file was created for deployment purposes. Next, we installed the driver package on our host machine and added the printer via LPD/LPR port using the CUPS service built in to Mac OS. Filling the field with the name of the print server, followed by the name of the desired hosted printer/queue. I will include a picture below;

After you add the printer to your host machine and ensure everything is setup as desired you will need to add this printer to Jamf Admin to make it accessible to your Jamf Pro server.

After the printer is added to Jamf Admin you will be able to create a policy within Jamf Pro containing this printer, therefore mapping the device to the client Mac.

Next you will need to download the PaperCut Client application and create a .PKG install package similar to the print driver package before. This will install the client software to track jobs and handle authentication. In our case we have users authenticating with AD credentials when the pop-up window appears. Something at the OS level looks to the current account name of the user logged into the Mac, if this matches the credentials to authenticate to PaperCut it will automatically login. There is a LaunchD within the package contents of the client application and this can be used to auto start the process upon login if you desire.

The last step to this process is putting all this created work together into one singular computer policy that will install the required driver, client software, and map the desired printer to CUPS. There are some important priority options that need to be set on each package after uploading them to Jamf Admin, the driver package needs to be set to “1”, the other pieces can happen after this in any order needed depending if you are including the LaunchD piece.


We have this policy available to users within Self-Service giving them the opportunity to add this whenever convenient or needed. The last finishing touch is creating a script that will open the PaperCut app when the policy finishes running, we use the following “open /Applications/PCClient.app”

This gives a rough outline of the workflow we used to create a policy to deploy this capability to our users.

Chris_Hafner
Valued Contributor II

P.S. I want to write a lot more on this later but I wanted to directly verify that Enterprise Connect does, in fact, pass Kerberos for this process.

bizzaredm
Contributor

@Chris_Hafner Can you please expand one this setup if you can. We have papercut installed on windows server and I am trying to add printers to the macs, we have enterprise connect, and im not seeing any success with kerberos

Chris_Hafner
Valued Contributor II

Fair enough. How are your Papercut queues set up? We require authentication to the SMB queue (thinking of changing to LPR but...) and that's what's authenticating via Kerberos for us. We generally do not require authentication to Papercut itself unless it's for a secure release queue, where we want the user to manually enter credentials.

That said, I'm sure we can help you figure out whatever you're trying to accomplish. Where are you getting stuck? Also, how are your users set up?

bizzaredm
Contributor

@Chris_Hafner Is there somewhere we can connect to chat more directly?

Very new to papercut, I have tried adding the printers via smb windows print spools and have had varying success. It seems that If I have the papercut client installed and logged in it works somewhat (currently getting told the printer is paused...) but its not asking for authentication. Though this seems to be the client and not enterprise connect.

We ideally want to have everyone to have the ability to print directly to a printer (via the print server/papercut) and then we will roll out secure release (with badges), and for a while we will have both at the same time.

What I would love is to push everything through jamf, and have users not have to run the papercut client or anything extra, as enterprise connect should id them to the print server.... unless im going crazy

Chris_Hafner
Valued Contributor II

@bizzaredm Email me and we'll set up a time to chat.
chafner@brewsteracademy.org

bizzaredm
Contributor

@Chris_Hafner

Thank you! I will reach out soon.

I did have a break through and wanted to post it here for others

I was adding printers via advanced in sys prefs using windows print spools and the url being smb://papercutserver.domain.com/PrinterName not realizing that this does not work (at least in my environment) and i had to do smb://papercutserver/PrinterName and magically the printers now work with enterprise connect!

Chris_Hafner
Valued Contributor II

@bizzaredm Good to hear! That's interesting though.

thomH
New Contributor III

@matt_at_papercut

We have been able to get our Papercut server printers to publish as 'secure AirPrint' printers. Do you know what we need to do to get them to install with their full options? Previously we pushed them from Jamf using a driver pkg and the custom PPD file.

Thanks

panoptic
New Contributor

@Chris_Hafner - I'm having some issues with this also. We have PaperCut Mobility set up on a Windows server, a queue is configured and I have a script to add it to the newly enrolled Mac with Jamf. It does add the queue and I can print to it when logged in with an AD account, but it pops up asking for the domain login which I don't want. I know we can click the "save in keychain" box but what happens when their AD password changes? Also we didn't want the user to have to enter their details at all, since they already logged in with their AD credentials. Can you shed any light here? Thanks! David.

Chris_Hafner
Valued Contributor II

Yep! Something has to pass that credential. We use Enterprise Connect that kerberizes the unit and therefore doesn't ask. We don't bind to AD so I'm not sure if there are tricks on that side of thigns to make this funciton the way you want.

Pinkypinkrtn
New Contributor

The responses on this thread has helped me greatly. But I am currently stuck. I have Papercut MF (windows server) along side JAMF and Enterprise Connect. Using this method: I was adding printers via advanced in sys prefs using windows print spools and the url being smb://papercutserver.domain.com/PrinterName. Works and uses EC for the passthrough. As soon as I add this as a policy in JAMF and install through Self Service, it's asking me for authentication? What am I missing here? Thanks guys.

Hi, @Pinkypinkrtn. I am getting this same error. We are using Nomad for passthrough and if I add the printer on the machine, I can print without prompting for credentials. As soon as I deploy that same printer via policy, I get asked for credentials. Any headway on this? We are currently migrating from Munki to Jamf and I am banging my head against the wall on this one.