Options for deploying HPLJ with AirPrint

MasterNovice
Contributor

Hello! Looking for detailed options, preferably native or free, to deploy HPLJ printers with Jamf School. We are a primarily Windows environment. Our print server is Server 2016 and mostly leverages a universal Windows driver for the HPLJ printers on our Windows workstations. Our goal is to reliably deploy printing to macOS when in network for HPLJ printers. Open to direct to printer, or through hosted queue on the print server, we currently do not need to account for printing to these. Our Macs are not domain bound and use local non-admin user accounts.

Current method, and challenges:

  1. Deploy an In-House Enterprise app package of the HP 5.1 Driver Pack (forum stripped the link here, but it's Apple KB dl1888) to a supervised Mac on various minor versions of Big Sur. 
  2. Deploy a Profile with the Printer Management payload defined and an lpd:// path for the queue on the Windows Print Server. lpinfo -m is run to find the specific model name for the profile field. Often, there is no exact match for modern printers. My understanding is that the driver pack is no longer supported or kept by Apple, and this method I'm describing is deprecated in general. PPD path is not defined. I am not sure how to find the correct info for this path. I'm assuming I need to install the printer locally first maybe, then find it on the pilot device and use file://<localpath> here? If this path is for a ppd that isn't included in that Apple hosted driver pack, how is it obtained? I've seen some suggestions of HP Easy Start to grab drivers not included in the Apple pack, but again should I go down this road of finding and updating driver packs in house if this method is being deprecated anyhow?
  3. Often the queue deploys as a generic printer. It'll print, but with very limited functionality. We've found unexpected items that needed troubleshooting, like spaces in the share name on the Windows server for the printer causing failure on the Mac side, etc. In general, it's a clunky process, and doesn't work well for our scope of understanding with Mac devices. 

What exactly is the Apple and Jamf School approved option for deploying printers in enterprise? It sounds like this is AirPrint. Is that correct? If so, happy to pursue it, but finding a few issues there as well.

Testing AirPrint:

  1. Verify printer supports AirPrint and this option is enabled at the device. 
  2. Verify a local connection to the device over AirPrint using Bonjour discovery and a local printer find from a Mac. This works when devices are in the same subnet, but fails when on another. I can still connect to the printer over lpd as a direct IP device, which makes me think this secondary failure with AirPrint might be limited to discovery and Bonjour not traversing subnets. Is this correct? If so, is there a native/free option to work around this? I am not a network specialist, but our network does allow for multicasting policy and should be able to broadcast Bonjour traffic to and from workstation and printer subnets if this is a requisite.
  3. No drivers are deployed to the device; this isn't supposed to be necessary for AirPrint. 
  4. A new profile is created with the AirPrint payload defined. I use the IP of the printer (in a different subnet than our workstations), port 631, and the resource path /ipp/print. I use ippfind to get the port and path, obtained in step two while the printer is on the same subnet as the pilot device. We do not force TLS here.
  5. When applied, the profile will show as successfully deployed, but no printer or queue shows up on the target Mac. I think this is partially successful, as I can still go to "Add Printer" on the target device, and it shows the printer as an "Airprint Profile" device. I can install the profile with a non-admin user, and the printer is added as a model specific printer with -Airprint appended at the end. If this is expected, is there any way to prevent the user from having to accept the profile and add the printer from the list? This is still way better than previous, but again looking for best options that work.

I've got Big Sur Macs, I want the users on those Macs to have their HPLJ printers available to them with the full functionality of the model, and would like to configure and deploy that centrally with Jamf School. Is this possible with oobe options?

1 ACCEPTED SOLUTION

ryan_w
Contributor

We are using that exact method you list in #4 and #5 under your "testing Airprint" section. It is the best thing we have found so far. I've also used PaperCut's print deploy feature, but I like this AirPrint feature better due to it being clientless and no need for drivers. The main downside to me is you do have to let the user add the printer themselves from the list you put into the profile. We will create multiple profiles to try to just scope local printers to our end users. The printer's AirPrint name needs to be set on the printer as that is what the end user will see.

I'm not sure if you can always use all the printer features or not. However, on our more advanced machines like our copy machines we just have the end users access them through the web browser and upload the file to print.

We also run this script using the Jamf School scripting module to allow non admins to install / remove printers. I'm not sure if this has any other negative security impacts.

sudo /usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
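
The group change above, as an added example that is not part of the original post: on macOS, CUPS treats members of _lpadmin as printer administrators, so this audit reports whether "everyone" has been nested into that group. The two GeneratedUIDs and the sample `dscl` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report who holds printer-admin rights
# through the local _lpadmin group.
# Assumption: macOS well-known group GeneratedUIDs end in the hex gid, so
# "everyone" (gid 12) ends in 0000000C and "admin" (gid 80) ends in 00000050.
EVERYONE_UUID="ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C"
ADMIN_UUID="ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050"

# Constructed samples of:
#   dscl . -read /Groups/_lpadmin GroupMembership NestedGroups
SAMPLE_DEFAULT="NestedGroups: $ADMIN_UUID"
SAMPLE_AFTER="GroupMembership: labuser
NestedGroups: $ADMIN_UUID $EVERYONE_UUID"

# lpadmin_audit: reads dscl output on stdin, prints one line per member.
# Returns 1 when "everyone" is nested in _lpadmin, 0 otherwise.
lpadmin_audit() {
  _rc=0
  while read -r _key _rest; do
    case $_key in
      GroupMembership:)
        for _u in $_rest; do echo "direct member: $_u (review)"; done ;;
      NestedGroups:)
        for _g in $_rest; do
          case $_g in
            "$ADMIN_UUID")    echo "nested group: admin" ;;
            "$EVERYONE_UUID") echo "nested group: everyone (all accounts)"; _rc=1 ;;
            *)                echo "nested group: $_g (review)" ;;
          esac
        done ;;
    esac
  done
  return $_rc
}

if command -v dscl >/dev/null 2>&1; then
  # Live check on a Mac; the hint is the inverse (-d) of the command above.
  dscl . -read /Groups/_lpadmin GroupMembership NestedGroups 2>/dev/null |
    lpadmin_audit ||
    echo "revert: dseditgroup -o edit -n /Local/Default -d everyone -t group _lpadmin"
else
  # Elsewhere, run against the constructed sample.
  printf '%s\n' "$SAMPLE_AFTER" | lpadmin_audit ||
    echo "sample: everyone is nested in _lpadmin"
fi
```
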


5 REPLIES


@ryan_w I need to check our non-admin allow install script. We have had something sitting in place since maybe early Catalina. I don't think it's been reviewed again recently, thank you for this!

We do similar for our large copiers and leverage the vendor's mobile printing solution of mail-to a queue that can be released at the device.

Appreciate the feedback!

MasterNovice
Contributor

Using the AirPrint payload with the IP, port 631, and resource path /ipp/print seems to work for us. However, networking needed to forward the Bonjour traffic from the workstation subnets to the ones the printers are on to allow discovery to work. Also, the printer is not automatically added to the local printers list, it just pre-populates it in the discovery list when adding a new printer, and allows a non-admin to add it I guess? At any rate, it kind of works. Still doesn't feel right or like an enterprise solution though (admittedly I am sure this is 100% my own ignorance here.) Back to digging! 

Interesting, we did not need to do anything special to forward the Bonjour traffic between our subnets. Maybe your networking people had some ACLs in place between the subnets. It would make sense for security purposes if existing printer traffic all goes through the server. We set a password on all of our printers for added security and so students don't mess with the settings. So you would not see the printer in the discovery list before networking forwarded the traffic? I did also notice if you don't put the leading forward slash in front of the IPP path the printers don't show up (ipp/print vs /ipp/print).

I agree it does not feel like an enterprise solution. We moved to this method over the summer and generally it has been easier to support than any other method we have used in the past. We also used Printopia for a while and it was decent. I think it might actually route the traffic through the Mac you use as a server. PaperCut's print deploy basically just cloned settings from a Mac you had set up and then pushed them out to other Macs. Good luck, wish I had a better suggestion!
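
The AirPrint payload fields discussed in this thread (IP, port 631, /ipp/print, TLS not forced), as an added example that is not part of any post: a pre-flight check that rejects the missing-slash path mentioned above and renders one entry for the payload's AirPrint array. The address 192.0.2.10 is a constructed placeholder; the key names are those of Apple's com.apple.airprint payload.

```shell
#!/bin/sh
# Added example (not from the thread): validate one AirPrint payload entry
# before it is typed into an MDM profile.
# Usage: airprint_entry IP PORT RESOURCE_PATH FORCE_TLS
# Prints the plist <dict> for the entry; returns 1 if the entry is rejected.
airprint_entry() {
  _ip=$1; _port=$2; _path=$3; _tls=$4
  case $_path in
    /*) ;;
    *) echo "reject: ResourcePath '$_path' lacks the leading slash" >&2
       return 1 ;;
  esac
  case $_port in
    ''|*[!0-9]*) echo "reject: Port '$_port' is not a number" >&2
                 return 1 ;;
  esac
  if [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
    echo "reject: Port $_port is out of range" >&2
    return 1
  fi
  case $_tls in
    true) ;;
    false) echo "note: ForceTLS is false, TLS is not required for $_ip" >&2 ;;
    *) echo "reject: ForceTLS must be true or false" >&2
       return 1 ;;
  esac
  cat <<EOF
<dict>
  <key>IPAddress</key><string>$_ip</string>
  <key>Port</key><integer>$_port</integer>
  <key>ResourcePath</key><string>$_path</string>
  <key>ForceTLS</key><$_tls/>
</dict>
EOF
}

# Constructed inputs: the thread's settings, then the path without its slash.
airprint_entry 192.0.2.10 631 /ipp/print false || echo "entry rejected"
airprint_entry 192.0.2.10 631 ipp/print false || echo "entry rejected"
```
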

 

MasterNovice
Contributor

Networking admittedly gets out of my scope of knowledge and responsibility. I just know there was some push back on this from our teams trying to get Bonjour working across subnets quite a long while ago for AirPlay. Could be legacy concern that is no longer an issue if we spent time to test more. But yes, at current it appears that without forwarding Bonjour, cannot discover when in another subnet, so while the policy will push the printer, it doesn't actually show up on the client when in another sub.

I'm OK with it not feeling enterprise. I just don't always know what expectations are and need sanity checks often to know if I'm just doing something incorrectly, or if I need to adjust expectations. Feedback like yours helps us know we are doing what others are and what we can currently. Thanks!