Secure Printing and #USERNAME in Url

Sturner01
New Contributor

Hello, long time lurker here. We are setting up a secure print service and part of the setup is to have your username before the print server/queue. I have uploaded the driver package, attached my PPD of my printer configuration and set up the printer in JSS, and created a self service policy that distributes the drivers and printer config. Everything works super flawless except getting the current user's login added to the lpd URL as seen below.

Device URL
lpd://$USERNAME@myservername.mycompany.com/SecurePrint_MAC_Queue

The #USERNAME stays in /etc/cups/printer.conf same as above. I need my actual username to replace it as you can gather.

If it's not supported this way then perhaps I can use a script; one script I have tested is this:

sudo launchctl stop org.cups.cupsd
# Owner of /dev/console is the user logged in at the GUI
loggedInUser=$( ls -l /dev/console | awk '{ print $3 }' )
# Single-quote the pattern so the literal text $USERNAME is matched, not a shell variable
sed -i '' 's|\$USERNAME|'"${loggedInUser}"'|g' /etc/cups/printers.conf
sudo launchctl start org.cups.cupsd

Now it does reportedly stop CUPS and restart, as well as replace the username in the printer.conf with mine; however, it's still pushing to the print server queue as $USERNAME, and after a reboot it's back to $USERNAME.

We are using Uniflow for the security aspect and Canon as the printer. Uniflow apparently handles their secure printing in a different manner, so that selecting the check box for secure printing does not work, hence the custom URL.

Any suggestions would be greatly appreciated as I would like to avoid manual configuration.

2 ACCEPTED SOLUTIONS

dprakash
New Contributor III

https://www.jamf.com/jamf-nation/discussions/13109/password-prompt-when-printing-to-smb-device

rob_hernandez
New Contributor III

I just implemented this in my environment. Since our Macs won't be bound to AD, and we don't have an intermediary like NoMAD to draw from, I had to figure out a way to pull the username while installing the printer. The solution was to leverage LDAP logins for the Self Service App. Using the reserved scripting value $3, I can pull the LDAP username from Self Service and then use it to map the printer. Here are the important parts.

#!/bin/bash
userName="$3" # Pulls logged in user from Self Service
/usr/sbin/lpadmin -p "PrinterNameWithoutSpaces" -E -v "lpd://$userName@printserver.example.com/Queue" -P "/Path/To/Drivers" -D "User Friendly Printer Name" -L "Location" -o printer-is-shared=false -o media=na_letter_8.5x11in

Don't forget to scope your printer such that it limits access to this policy to LDAP users or LDAP groups.

5 REPLIES

dprakash
New Contributor III

https://github.com/PhantomPhixer/Phixits/tree/master/Uniflow%20printing

Sturner01
New Contributor

Thanks guys for the quick response! It looks like the GitHub option is what I'm looking for, specifically the non-domain section.

I should be able to take /usr/sbin/lpadmin -p MacPrintSA -E -v lpd://$prUser@APRINTLBA.corp.com/MacPrintSA -P /Library/Printers/PPDs/Contents/Resources/CNMCIRAC7065S2.ppd.gz -D 'uniFLOW LPR queue A' -o printer-is-shared=false and add a pull username code snippet, which I already have, to pull the $prUser. All that's left is to place my ppd in the /Library location and build a package to deploy it.

Will let you know after I test.

Sturner01
New Contributor

I set my script up to use the userName="$3" option as it was much simpler than my grep script! I am able to deploy through a JSS policy and allow users to log into the App Store and download; both ways configure properly. Thanks to you both for your input! This is what I did in case anyone wants the specifics.

  • Download the printer driver DMG file and remove the PKG installer, upload to the server.
  • Manually configure printer
  • Access printer config again and change finisher options
  • From the command line go to /etc/cups
  • Run command "diff printer.ppd printer.ppd.O" where one is the new ppd and one is the old ppd. Mac should retain old settings with the .O appended
  • The output will look like "> DefaultCNSrcOption: OptCas2". Ignore the "> Default"; the rest of the line, CNSrcOption, is the setting and OptCas2 is the value
  • Create a shell script:

    #!/bin/bash

    userName="$3"
    /usr/sbin/lpadmin -p Printername -E -v "lpd://$userName@server.domain.com/MacPrintSA" -P /Library/Printers/PPDs/Contents/Resources/yourprinter.ppd.gz -D 'printername' -o printer-is-shared=false -o CNSrcOption=OptCas2

Note: The -o sets the option, in this case CNSrcOption=OptCas2 which sets the printer cassette.
  • Install the drivers first, run script second.
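
An added example, not part of the original thread: the `$3`-based scripts above place the Self Service username directly into the lpd:// device URI, so this version checks the value first and then confirms with lpstat that CUPS stored the expanded URI rather than an empty or literal `$USERNAME` user. The server, queue, printer and PPD values are placeholders, and the function names and the rule rejecting `root` are assumptions of this example.

```bash
#!/bin/bash
# Added example: validate the Jamf-supplied username before building the lpd:// URI.
# SERVER, QUEUE, PRINTER and PPD are placeholders; set them for your environment.
SERVER="printserver.example.com"
QUEUE="Queue"
PRINTER="PrinterNameWithoutSpaces"
PPD="/Path/To/Drivers"

# Accept only a plain account name. An empty value, the unexpanded literal
# "$USERNAME", or anything containing "@", "/", ":" or whitespace would change
# the user, host or queue part of the device URI.
# Assumption of this example: jobs must never be attributed to root.
valid_print_user() {
    case "$1" in
        ""|root|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the device URI for a user, or fail without printing anything.
build_lpd_uri() {
    valid_print_user "$1" || return 1
    printf 'lpd://%s@%s/%s\n' "$1" "$SERVER" "$QUEUE"
}

# Create the queue, then confirm CUPS stored the expanded URI.
install_queue() {
    local uri
    uri=$(build_lpd_uri "$1") || { echo "refusing username: '$1'" >&2; return 1; }
    /usr/sbin/lpadmin -p "$PRINTER" -E -v "$uri" -P "$PPD" \
        -o printer-is-shared=false || return 1
    /usr/bin/lpstat -v "$PRINTER" | grep -qF "$uri"
}

# Jamf passes the username as $3 (per the posts above); do nothing without it.
if [ -n "${3:-}" ]; then
    install_queue "$3"
fi
```

A non-zero exit from the script makes the Jamf policy log show a failure instead of leaving a queue that submits jobs under the wrong name.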