Personal Printers

mbuckner
Contributor

All of our teachers have MacBooks. We want them to be able to print at home on their home printers, but we don’t give teachers admin rights. Is there any way to do this without me having to install each printer for them? Any thoughts or advice would be appreciated. At school, we install all printers through self service. Teachers have already been added to the lpadmin group so they can pause/resume printing, but they can’t install printer drivers.

Thanks,
Mark

19 REPLIES

dderusha
Contributor

Ask them what printers they have at home and, unfortunately, you will have to build them and place them on self service.
If it is IP based, have them tell you the IP as well. Not pretty, but it works, and hopefully they don't refresh their printers at home too often!

Maybe start a policy where you will support a handful of printers?

Hopefully someone has a better idea!

Dan De Rusha
I.T. SPECIALIST

SCHAWK!
T 847.296.6000 M 847.287.1337
F 847.296.9466

1600 Sherwin Avenue
Des Plaines, IL 60018 USA
schawk.com


tlarkin
Honored Contributor

I was under the impression there was an update in 10.5.7 that if a user
was part of the _lpadmin group they did not need rights to the admin
group to add printers from within an application...

However, if the drivers aren't native and they need to be installed,
that may require admin rights.

stevewood
Honored Contributor II

A combination of Self Service and the lpadmin group might work. Create Self
Service packages to install the drivers of the most popular printers, like
all of the HP Drivers and perhaps Lexmark and Epson as well, and then let
the teachers install the drivers before setting up the printers at home.

Or, depending on how many teachers you have, do a survey of the teachers and
find out what printers they have, then build the self service packages.

Cumbersome, I know, but the only way I can think to make it work.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

Not applicable

We install all of the OS X printer drivers during our cloning procedure, for
all workstations. We also use the following during the cloning process so we
don't have to do it later.

#!/bin/sh
dseditgroup -o edit -n /Local/Default -a netaccounts -t group _lpadmin
dseditgroup -o edit -n /Local/Default -a netaccounts -t group _lpoperator

So far this has worked very well, 10.5.8 works with this if I remember
correctly. If the printer isn't auto-detected by the system and installed
automatically, or if Bonjour doesn't pick it up as an option to add, then we
typically do not support it.

Hope that helps,
David

-- David Lundgren
Sr IT Systems Administrator

Brooks Institute - "Passion, Vision, Excellence"
27 East Cota Street
Santa Barbara, CA 93101
(888) 304-3456 (toll-free)
(805) 690-7615 (office)
http://www.brooks.edu

sean
Valued Contributor

Can you self service over vpn?

Sean

Bukira
Contributor

Well, it's just a web interface, so if your JSS can be contacted via VPN
then you should be able to, as Self Service is just a web browser, and if
your DP can be connected to via AFP/SMB over VPN.

Criss

Criss Myers
Senior Customer Support Analyst (Mac Services)
iPhone Developer
Apple Certified Technical Coordinator v10.5
LIS Development Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054

milesleacy
Valued Contributor

Hi All,

Here’s Apple’s KB article on the subject:

Mac OS X v10.5.7 or later: Allowing managed users to add or delete printers
http://support.apple.com/kb/HT3511

If that doesn’t work, the CUPS configuration file found at /private/etc/cups/cupsd.conf can be edited directly. I put together a short article on my blog last year describing the process (link below). Note, if you go this route, your changes may get overwritten by Apple updates.
http://themacadmin.com/?p=63

I hope this is helpful.

--
Miles Leacy
Technical Training Manager
Mobile (347) 277-7321

miles at jamfsoftware.com
....................................................................
JAMF Software
1011 Washington Ave. S
Suite 350
Minneapolis, MN 55415
....................................................................
Office: (612) 605-6625
Facsimile: (612) 332-9054
....................................................................
US Support: (612) 216-1296
UK Support +44.(0)20.3002.3907
AU Support +61.(0)2.8014.7469
....................................................................
http://www.jamfsoftware.com

Not applicable

I have the same issue with teachers that need to be able to install home
printers. Under 10.5.8 we ran the following script which took care of the
problem:

dseditgroup -o edit -n /Local/Default -a $3 -t user lpadmin

However, I can't find anything that works under 10.6.4. Does anyone have
any ideas? I really need a solution for this. Teachers just need the
ability to add a printer on their own. Installing drivers is a separate
issue that I am not concerned with as I install all available drivers on
the base image. Also the generic driver will usually work for printers
that don't have the correct driver installed.

Cody Smedsrud
Educational Technology Associate
Success Charter Network

tlarkin
Honored Contributor

As a login hook by Casper, try this:

dscl . append /Groups/_lpadmin GroupMembership $3


robb1068
Contributor

We’ve added a managed preference for com.apple.mcxprinting and set “Require Admin to Add Printers” to false. Works for our network clients in 10.6.x.
--
Robb Gibson
System Engineer, eMMS IT, Publishing Systems

TEL: 630.864.5242 | FAX: 630.864.4120 | robbgibson at officemax.com
263 Shuman Blvd., Naperville, IL 60563 | http://www.officemax.com

tlarkin
Honored Contributor

I replied to this but do not see my comment in the thread....

So, here it goes again. I deleted the rest of the responses to make this email smaller. In 10.5.6 or 10.5.7 Apple introduced the _lpadmin group, or the printer admin group. This allows any user account that is a member of this group to install and add printers. Since local printers are such a pain to support, because departments tend to buy whatever they want and there are like 50 different makes and models to support, we just let our end users use whatever and install whatever. Not my call, and I wouldn't do it that way if I were in charge; however, I am not in charge and just the sys admin guy, or as the students call me, "The tech dude."

So, to keep my user base happy, I do a simple log in script via Casper, and add them to the _lpadmin group.

#!/bin/bash

# Grab the current user by checking ownership of /dev/console.
# If using Casper, comment this out and substitute $3 as the current user,
# but only as a login policy.

CurrentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

# Now add the user to the _lpadmin group.

/usr/bin/dscl . append /Groups/_lpadmin GroupMembership "$CurrentUser"

exit 0

Alternatively, and maybe even easier is just make a log in policy and in the advanced tab have it run this one liner command:

/usr/bin/dscl . append /Groups/_lpadmin GroupMembership $3

That is all you need to do. Add that single line in the advanced tab and have it run at log in. I am just the sort of guy that loves to shell script everything, and sometimes I do things the hard way just so I can write a shell script :)

-Tom

Not applicable

So, to keep my user base happy, I do a simple log in script via
Casper, and add them to the _lpadmin group.

CasperSally
Valued Contributor II

I run this as part of a post image script for all staff members, allowing everyone to add printers on those staff machines.

/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

milesleacy
Valued Contributor

Good scripts, but I’d be very wary of using the second method. Making it wide open can be a very bad thing.

If everyone has the rights to add printers, then everyone has the right to execute code as root. In order to exploit the loophole, the attacker would have to be familiar with the function of the CUPS system, but it’s still creating a security vulnerability. I believe this is the reason that Apple originally restricted the printer management tasks.

Forewarned is forearmed.

I hope this is helpful.

--
Miles Leacy

Not applicable

Sent: Friday, August 27, 2010 3:41 PM
To: James Palmer; Thomas Larkin; CasperList; Robb Gibson
Subject: Re: [Casper] Personal Printers

Good scripts, but I'd be very wary of using the second method. Making
it wide open can be a very bad thing.

If everyone has the rights to add printers, then everyone has the right
to execute code as root. In order to exploit the loophole, the attacker
would have to be familiar with the function of the CUPS system, but it's
still creating a security vulnerability. I believe this is the reason
that Apple originally restricted the printer management tasks.

Forewarned is forearmed.

I don't know your environment.

I've been using that since the day 10.5.7 dropped without issue.

To each their own I guess.

- JD

milesleacy
Valued Contributor

Absolutely. Just to be clear, it was not my intent to say that any method is wrong, just to point out the drawbacks. If the risk of unauthorized root code execution is acceptable in your environment, it’s certainly easier for the end user and requires less administrative effort to remove the restrictions completely.

Thanks,

--
Miles Leacy

tlarkin
Honored Contributor

I believe the _lpadmin group is limited to adding and removing printers
and clearing print queues.

http://support.apple.com/kb/HT3511

milesleacy
Valued Contributor

I believe you are correct, however the act of adding a printer allows root-level code execution. I’m a little wary of spelling out exactly how, as I don’t want to be responsible for anyone’s CUPS systems getting victimized.

Thanks,
Miles Leacy
JAMF Software
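
The disagreement above comes down to how wide _lpadmin membership gets: one console user per login versus nested groups such as everyone or netaccounts. The following is an added example, not code from any poster in this thread: a bash function that reads the output of `dscl . -read /Groups/_lpadmin GroupMembership NestedGroups` and flags members outside an approved list. The function name, the approved list and the sample record are constructed, and the group UUIDs are assumed from the gid-based scheme for built-in groups.

```bash
#!/bin/bash
# Added example: audit the _lpadmin record for overly broad membership.
# Input is the text printed by
#   dscl . -read /Groups/_lpadmin GroupMembership NestedGroups
# assumed to be one "Key: value value ..." line per attribute.

# Built-in groups that open printer admin to every account. UUIDs are assumed
# from the gid-based scheme (gid 12, gid 62); confirm on a real Mac with
#   dscl . -read /Groups/everyone GeneratedUID
BROAD_GROUPS="ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone
ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E:netaccounts"

# audit_lpadmin "<dscl output>" "<approved user names and group UUIDs>"
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_lpadmin() {
    local record="$1" approved=" $2 " findings=0 line key item name
    while IFS= read -r line; do
        key="${line%%:*}"
        case "$key" in
            GroupMembership|NestedGroups) ;;
            *) continue ;;
        esac
        for item in ${line#*:}; do
            name=$(printf '%s\n' "$BROAD_GROUPS" |
                awk -F: -v u="$item" '$1 == u { print $2 }')
            if [ -n "$name" ]; then
                echo "BROAD_GROUP $name"; findings=1
            else
                case "$approved" in
                    *" $item "*) ;;
                    *) echo "UNAPPROVED $item ($key)"; findings=1 ;;
                esac
            fi
        done
    done <<EOF
$record
EOF
    return "$findings"
}

# Constructed sample: approved users, the nested admin group (UUID assumed
# from gid 80), one unexpected user and the everyone group.
SAMPLE_RECORD="GroupMembership: root jsmith tempsub
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C"
APPROVED="root jsmith ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050"

audit_lpadmin "$SAMPLE_RECORD" "$APPROVED" || true
```

On a managed Mac the first argument would be the live `dscl` output, and a non-zero return can drive an inventory flag or alert.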

Not applicable

Absolutely. Just to be clear, it was not my intent to say that any
method is wrong, just to point out the drawbacks. If the risk of
unauthorized root code execution is acceptable in your environment, it's
certainly easier for the end user and requires less administrative
effort to remove the restrictions completely.

Thanks,

Of course, and I loved how you worded that too: "If the risk of
unauthorized root code execution is acceptable in your environment"
Sounds similar to "if the risk of being shot in the face is ok, then
look down the barrel of a loaded weapon while holding the trigger." : )

The most they could really do here is foul up one machine and with the
logging that's in place we'd know who did it. I'm very ok with
re-imaging a station. It takes about an hour and it's back in perfect
order the way it was before anything happened.

Before advanced imaging tools were available I'd have been suspect on
doing this but it's so simple to just blast 'em back to install
configuration and let them bang on it some more.

There are many ways to skin this cat.

- JD