Volume Number: 24 (2008)
Issue Number: 06
Column Tag: MacEnterprise

MacEnterprise: Printing with Leopard in the Enterprise

Changes for Mac Administrators

By Greg Neagle, MacEnterprise.org

Mac OS X 10.5 "Leopard" continues the trend of enhancements and modifications to printing on the Mac. Changes in the CUPS configuration and in the printing utilities in Leopard have the potential to simplify or complicate your environment. With a few simple changes, you can customize printing behavior in Leopard to more closely match its behavior in Tiger, and ease the transition for your users and support staff.

Printing in Leopard largely behaves as it did in Tiger. One particular change, however, might be of interest to Mac administrators: for the first time since Mac OS X was introduced, a user must be an administrator to add and remove printers.

Presumably, Apple made this change to improve security – Leopard has many changes to increase the security of Apple's OS. For most home users, where at least one user's account is an admin account, this change really doesn't affect the user experience much. But in an enterprise environment, this change can be more problematic.

In many enterprise settings, most users do not have administrative privileges. They cannot install or remove software, and cannot make many configuration changes. This provides a more stable and secure platform for enterprise users and administrators, and makes support of these machines easier. Restricting the addition of printers to admins has the potential to increase support costs, since any time a user needs to print to a new or different printer they have to contact support.

For some organizations, making the addition of printers an administrator-only function might be a good thing, especially if you tightly control printer usage. But if in your organization, the pre-Leopard behavior is a better fit, there is a way to allow non-admin users to add printers and reduce the burden on support.

To allow non-admins to add printers, we'll need to edit the cupsd configuration file, located at /private/etc/cups/cupsd.conf. You'll need to use sudo, and your favorite text editor. Look for this section:

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer¬
 CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

Remove or comment out this section and replace it with:

# Allow non-admin users to add printers
 <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer ¬
CUPS-Add-Modify-Class CUPS-Delete-Class ¬
CUPS-Set-Default>
    Require valid-user
    Order allow, deny
    Allow all
 </Limit>

Now look for this section, which should be directly below the section you just modified:

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer ¬
Disable-Printer Pause-Printer-After-Current-Job ¬
Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer¬
 Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer ¬
Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.admin) @admin @lpadmin
    Order deny,allow
  </Limit>
\

Change it to:

# Allow non-admin users to pause and resume printers
  <Limit Pause-Printer Resume-Printer¬
 Enable-Printer Disable-Printer Pause-Printer-After-Current-Job¬
 Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer¬
 Restart-Printer Shutdown-Printer ¬
Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    Require valid-user
    Order allow, deny
    Allow all
 </Limit>

These changes allow any authenticated user perform the CUPS actions defined – the key actions we are interested in are adding printers and the ability to pause or resume printers. In many cases, the changes to the section to allow pause/resume may not be needed, because by default, any user who is a member of the lpadmin group can perform these functions, and all local users are automatically added to the lpadmin group when they are created. You might need this change in an environment with network accounts, where network users are not members of the lpadmin group.

Now test the changes. Login as a non-admin user and open a document. Choose Print from the File menu. The standard Print dialog will open. In the Printer pop-up menu, select Add Printer... You should be able to add a printer without being prompted for an admin password. Note that using the Print and Fax preferences pane in System Preferences still requires an admin password, so tell your users to add printers using the method described above (from the Print menu), or make the additional change described below to provide another way to add printers. Additionally, as the Print menu does not offer an option to delete printers, there is no user-friendly way to remove printers without allowing access in the preference pane.

If you want to revert your changes, you can simply copy /etc/cups/cupsd.conf.default to /etc/cups/cupsd.conf to restore the CUPS configuration to Apple's default settings.

Prior to Leopard, there were at least three ways to add a printer: using the Print and Fax preference pane, using the Printer Setup Utility in /Applications/Utilites, and by choosing Add Printer... from the Print dialog in any application (which then opens the Printer Browser in the Printer Setup Utility).

In Leopard, Apple has simplified matters somewhat by removing the Printer Setup Utility. This may confuse your users who you've upgraded from Tiger. If they are not admin users, the Print and Fax preference pane will be of no use to them, either. You can of course tell them to use the Add Printer... item in the Print dialog. But you may want to increase the chances they'll figure things out for themselves by partially restoring the missing Printer Setup Utility.

We'll do this by creating a symlink in /Applications/Utilities named "Printer Setup Utility.app" that links to the AddPrinter application in /System/Library/CoreServices:

sudo ln -s /System/Library/CoreServices/AddPrinter.app \
/Applications/Utilities/Printer\ Setup\ Utility.app

Now when you users go looking for a tool in the Utilities folder to help them add a printer, they'll find one.

AddPrinter.app

This isn't a perfect solution. AddPrinter doesn't act like a standard application, since it wasn't designed to be one. It doesn't have a menu bar, it doesn't appear in the Dock, and it doesn't automatically come to the front when opened. This may confuse your users. You may want to decide whether or not making it available in this way will lessen your support burden or increase it.

If Leopard's printing changes have caused support issues in your environment, you now have a few tools to use to help your users help themselves!

Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

The MacEnterprise project is a community of IT professionals sharing information and solutions to support Macs in an enterprise. We collaborate on the deployment, management, and integration of Mac OS X client and server computers into multi-platform computing environments.