Integrating Apple MacOS Clients With Pharos Blueprint Enterprise Secure Release Here

Version 1

    Introduction

    Most organizations have "pocket" MacOS ("Mac") client implementations. Whether these implementations are task-based (Marketing/Graphic Design) or a matter of preference, they do exist, and their users would often like to take advantage of Pharos Blueprint's Secure Release Here (SRH) offering. This document discusses how to integrate the Mac with SRH.

     

    How To Get There?

    The Mac has to be able to get the print job to the Blueprint Collector service and the shared secure queue. There are a few ways to get there:

    • LPR Queue on the Mac. LPR (Line Printer Request) printing requires that the Windows server hosting the Blueprint Collector and queue also have the Microsoft LPD service installed and enabled. It also requires that the shared queue name be no more than 12 characters long and contain no spaces or non-alphanumeric characters. This implementation bypasses the requirement for an authenticated connection (good) but can result in print jobs that can't be released because they're tied to an identity that cannot be authenticated at a terminal (bad). However, with some planning, this can be remedied with the use of Delegate Printing.
    • IPP Queue on the Mac. Microsoft servers have supported IPP (Internet Print Protocol) since Windows 2000. Within Windows, IPP connections must be authenticated, requiring the user to provide a valid domain ID and password when making the connection. The CUPS (Common Unix Printing System) application running on the Mac stores this user/password combination in plain text, so this is often not considered a desirable option by most IT Security organizations. And as most organizations running Active Directory require frequent password changes, an IPP queue will require ongoing management in order to keep working.
    • SMB Queue on the Mac. SMB (Server Message Block) is the "classic" way of connecting Windows clients to Windows servers, and has been supported by the Mac for several versions. Like IPP, an SMB connection is authenticated, and like IPP, the credentials are stored locally on the Mac in plain text. An SMB queue will also need maintenance whenever passwords need changing.

     

    Because of the messiness surrounding password handling and management for IPP and SMB, most organizations quickly decide on the LPR method. But that is only half of the battle.
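
    To find Macs that already carry IPP or SMB queues with saved credentials, the following added example (not Pharos or Apple code) scans a CUPS printers.conf for device URIs that embed a password. It assumes the credentials appear as user:password@ in the DeviceURI line; the host names, accounts and password in the sample are constructed.

```shell
#!/bin/sh
# Added example, not Pharos or Apple code. Assumption: saved credentials show
# up as user:password@ in the DeviceURI lines of CUPS's printers.conf
# (normally /etc/cups/printers.conf, readable only by root).

# Print "QUEUE SCHEME USER PASSWORD-IN-URI" for each queue whose device URI
# carries a password. The password itself is never printed.
audit_printers_conf() {
    awk '
        /^<(Default)?Printer / { name = $2; sub(/>$/, "", name) }
        $1 == "DeviceURI" {
            scheme = $2; sub(/:.*/, "", scheme)
            authority = $2
            sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", authority)
            sub(/\/.*/, "", authority)
            if (authority ~ /^[^@]*:[^@]*@/) {
                user = authority; sub(/:.*/, "", user)
                print name, scheme, user, "PASSWORD-IN-URI"
            }
        }
    ' "$1"
}

# Constructed sample: host names, accounts and the password are made up.
sample_printers_conf() {
    cat <<'EOF'
<Printer SecureMac>
DeviceURI lpd://printsrv01.example.com/SecureMac
</Printer>
<Printer LegacySMB>
DeviceURI smb://scotto:EXAMPLE-PASSWORD@printsrv01.example.com/SecureMac
</Printer>
<Printer LegacyIPP>
DeviceURI ipp://support:EXAMPLE-PASSWORD@printsrv01.example.com:631/printers/SecureMac
</Printer>
EOF
}

# Demo on the sample; on a real Mac, run as root against /etc/cups/printers.conf.
tmp=$(mktemp)
sample_printers_conf > "$tmp"
audit_printers_conf "$tmp"
rm -f "$tmp"
```

    Any queue reported here needs its stored password rotated as well as the queue itself replaced.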

     

    Why Printer Drivers Can Be Problematic

    Back in the day, when "DTP" was just coming into its own and the PowerPC chip was just on the horizon, most Mac printer drivers for network (EtherTalk, anyone?) printers consisted only of a PPD (PostScript Printer Description) file, and all you did was chuck it into the System Folder:Printers folder, use the Chooser, and then quickly connect and set up the printer. MacOS X changed a lot of that, and each new OS X version has changed the landscape of printing ever so slightly. So today, most printer driver manufacturers for the Mac expect that the Mac will have a direct connection to the printer, so they include a bevy of CUPS extensions along with the base PPD to provide things like automatic printer configuration, status updates, job management utilities, and consumables (ink/toner, paper) information. Since the Blueprint SRH queue isn't a physical printer, those CUPS extensions get in the way, and may sometimes cause the print job to fail.

     

    In many cases, the PPD file can be edited before installation to remove those CUPS extensions. This may require close communication between the organization and the printer driver manufacturer so that the modification fits the needs of the organization while remaining stable for ongoing use. Pharos Technical Services engineers may often assist in this endeavor, but the core responsibility lies with the manufacturer for support.

     

    Once the necessary modifications have been made, it is just a matter of installing the printer driver on the Mac prior to defining the printer object in System Preferences.
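
    As an added example (not Pharos or printer-vendor code), the script below inventories the CUPS and Apple extension keywords in a PPD and writes a copy with selected keywords removed, as described for the PPD edit above. The sample PPD fragment is constructed; the keyword names are standard CUPS/Apple PPD extensions, and which of them to remove is the decision the text leaves to the organization and the manufacturer.

```shell
#!/bin/sh
# Added example, not Pharos or printer-vendor code.
# List each distinct *cups... / *AP... keyword present in PPD file $1.
ppd_list_extensions() {
    awk '/^\*(cups|AP)/ {
        kw = $1; sub(/:.*/, "", kw); sub(/^\*/, "", kw)
        if (!(kw in seen)) { seen[kw] = 1; print kw }
    }' "$1"
}

# Usage: ppd_strip_keywords PPD KEYWORD...
# Writes the PPD to stdout minus those keywords, multi-line values included.
ppd_strip_keywords() {
    ppd=$1; shift
    awk -v drop=" $* " '
        skipping {                       # inside a multi-line quoted value
            if (index($0, "\"")) { skipping = 0; want_end = 1 }
            next
        }
        want_end { want_end = 0; if ($0 ~ /^\*End/) next }
        /^\*/ {
            kw = $1; sub(/:.*/, "", kw); sub(/^\*/, "", kw)
            if (index(drop, " " kw " ")) {
                if (gsub(/"/, "\"") % 2 == 1) skipping = 1   # value still open
                next
            }
        }
        { print }
    ' "$ppd"
}

# Constructed sample; *cupsCommands is wrapped to exercise multi-line handling.
sample_ppd() {
    cat <<'EOF'
*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 examplefilter"
*cupsSNMPSupplies: True
*APPrinterUtilityPath: "/Library/Printers/Example/Utility.app"
*cupsCommands: "ReportLevels
PrintSelfTestPage"
*End
*DefaultPageSize: Letter
EOF
}

tmp=$(mktemp); sample_ppd > "$tmp"
ppd_list_extensions "$tmp"                      # inventory first
ppd_strip_keywords "$tmp" cupsSNMPSupplies APPrinterUtilityPath cupsCommands
rm -f "$tmp"
```

    The demo keeps `*cupsFilter` on purpose: removing a filter line changes how the job is rendered, so it belongs on the list to confirm with the manufacturer rather than on a default strip list.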

     

    A Test Case: Creating The LPR Queue

    1. On the Mac, launch the System Preferences panel and choose the "Printers and Faxes" pane.

    2. Click the "+" button at the bottom of the printer list to add a new printer object.

    3. Click the "IP" option in the top toolbar of the "Add Printer" window and fill out the information requested.



      > Address. This will be the name of the Windows server hosting the queue. Make sure that the Mac can resolve the name put here, or you will have to use the IP address of the server instead.
      > Protocol. Leave this at LPD.
      > Queue. This is the shared name of the queue in Windows. Again, the shared name must be 12 characters or less and only contain alphanumeric characters.
      > Name. This can be anything; it is the "friendly" name that the user will see in any application's "Print" dialog box.
      > Use. This is the driver that will be used to generate the print file for eventual print release.
    4. Click the "Add" button to finish the configuration and build the printer. When that is finished, there may be a prompt to finish user-configurable features. In the example, the only user-configurable option was to enable the Duplex Tray.



      Click "OK" to set the option(s) and finish adding the printer.
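
    The same queue can be defined from Terminal with CUPS's lpadmin. This added example (not from the Pharos documentation) checks the Address and Queue values against the rules given above and prints the lpadmin command for review instead of running it; the server name, queue name, local printer name and PPD path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Pharos documentation: dry-run builder for the
# command-line equivalent of the "Add Printer" steps above.
LC_ALL=C; export LC_ALL   # keep the [A-Za-z0-9] ranges ASCII-only

# Shared queue name rule from this document: 1-12 alphanumeric characters.
valid_queue_name() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 12 ]
}

# Address field: host name or IP address (letters, digits, dots, hyphens).
valid_server() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Usage: lpr_queue_command SERVER QUEUE LOCAL_NAME PPD_PATH
#   SERVER     -> "Address"      QUEUE    -> "Queue" (Windows share name)
#   LOCAL_NAME -> CUPS queue name on the Mac (assumed: letters, digits, _)
#   PPD_PATH   -> "Use" (the edited PPD)   "Protocol" LPD -> lpd:// scheme
lpr_queue_command() {
    valid_server "$1" || { echo "bad server address: $1" >&2; return 1; }
    valid_queue_name "$2" || { echo "bad shared queue name: $2" >&2; return 1; }
    case "$3" in
        ''|*[!A-Za-z0-9_]*) echo "bad local printer name: $3" >&2; return 1 ;;
    esac
    case "$4" in
        ''|*\'*) echo "bad PPD path: $4" >&2; return 1 ;;
    esac
    printf "lpadmin -p %s -E -v lpd://%s/%s -P '%s'\n" "$3" "$1" "$2" "$4"
}

# Demo with constructed values; review the printed command before running it.
lpr_queue_command printsrv01.example.com SecureMac SRH_Mac /tmp/example.ppd
```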

     

    ALL DONE! Sort of.

     

    Releasing Jobs

    Our example Mac is using a local user called "support." This means that every job submitted through the SRH queue will end up belonging to the "support" user account. Normally, a Mac user will have a domain account in Windows for things like e-mail. When they walk up to a secured device, the ID badge will most likely be tied to this domain account, so any attempt to list jobs will result in "0" jobs displayed. How is this fixed? There are a few ways:

     

    • Use the "Delegate" function of Blueprint to map the Mac user account name to the domain account for the user.
    • Install the Pharos PrintScout for MacOS and require authentication through its "popup window" interface.
    • Reconfigure the Mac to log in users as domain accounts.

     

    Each option has its drawbacks, but these are not terrible. The first option requires some work in the Blueprint Administrator to achieve, with the Mac user name populating the domain account's "Custom1" field. The second option forces software on the Mac, but also provides some user-based administration of waiting print jobs (deleting jobs that are no longer needed) and can also include a pre-configured secure print queue as part of the installation. The third option is a definite "sea change" for the Mac users, and may require that some users log in with domain accounts that become local administrative accounts, depending on applications used and workflows.

     

    Using Delegate Print

    In the example, the Mac user "support" is equivalent to the domain user "scotto." When using Delegate Printing, the name(s) of the user(s) that also need to be looked up are placed as a comma-separated list in the logged-in user's "Custom1" field. In Blueprint Administrator:

    1. Locate the "scotto" user in the Employees context.

    2. Click the "Advanced" tab.
    3. Type the user name "support" (no quotation marks) in the Custom1 field. The Pharos Blueprint standard "custom" authentication script looks for print delegates in this field when authenticating, and will display all listed users' jobs in the job list, too. Click the "Apply" button when complete.

    4. Verify the association by logging into a terminal as the "scotto" user.

     

    Using Pharos PrintScout for Blueprint for MacOS

    The PrintScout for MacOS installs by default with authentication enabled, meaning that it will prompt the Mac user for a domain name and password once installed. When this authentication succeeds, the PrintScout replaces the local user name with the authenticated user name, eliminating the need for manual Delegate creation within Blueprint Administrator. At the very minimum, the site configuration for the MacOS PrintScout requires only the definition of the Collector that will be considered the "parent" of the client.

     

     

    The queue for the Mac will still need to be built. When deploying the PrintScout .DMG file, the queue can be created at the same time. This is accomplished by editing the postflight.plist file. Upon the first print of the user session, the login box will display.

     

     

    This installation will also support the listing and deletion of waiting print jobs.

     

    Unlike the Windows version, however, it will not allow the user to manage Delegates. This will require "Delegate on Demand" via the Print Center (available in Blueprint 5.2 R1 Service Pack 3).

     

    Changing the Mac Login to Active Directory

    For instructions on integrating MacOS X with Microsoft Active Directory, please see http://training.apple.com/pdf/Best_Practices_for_Integrating_OS_X_with_Active_Directory.pdf

     

    Conclusion

    With minor up-front work, Mac users can readily avail themselves of the benefits that Pharos Blueprint Enterprise Secure Release Here offers.