Allow standard users to manage printers with a Munki NoPkg

Employees at our company all use Standard (non-admin) accounts on macOS and install printers via Managed Software Center. By default this only lets them install and uninstall printers in MSC; it does not let them manage queues or add personal printers at home in System Preferences.

Thankfully, a simple command that gives standard users that ability has been around for years:

dseditgroup -o edit -n /Local/Default -a staff -t group lpadmin

(Variations of this command posted around the web use everyone instead of staff and _lpadmin instead of lpadmin.)

In the past I have always enabled this feature with a payload-free package. However, that approach offered no way to confirm the setting is still active and no easy way to reverse it.

To solve those issues I decided to convert it to a Munki NoPkg with logic to do both.

Read on for the details:

The NoPkg consists of four scripts to do the work. For applying the change we first use an installcheck_script to evaluate the status:

#!/bin/sh

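# Check to see whether the staff group has been added to lpadmin.
# dseditgroup lists nested groups by GeneratedUID; the UUID ending in
# 00000014 is the built-in staff group (GID 20 = 0x14).
installed=$(/usr/sbin/dseditgroup -o read -n /Local/Default lpadmin | /usr/bin/grep ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014)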

# See if the check is empty
if [ -z "$installed" ]; then
    /bin/echo "Standard users cannot manage printers, need to install."
    exit 0
else
    /bin/echo "Standard users can manage printers, no action needed."
    exit 1
fi

The postinstall_script is executed if installation is needed:

#!/bin/sh

/usr/sbin/dseditgroup -o edit -n /Local/Default -a staff -t group lpadmin

When the change needs to be reversed the uninstallcheck_script is run first:

#!/bin/sh

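# Check to see whether the staff group has been added to lpadmin.
# dseditgroup lists nested groups by GeneratedUID; the UUID ending in
# 00000014 is the built-in staff group (GID 20 = 0x14).
installed=$(/usr/sbin/dseditgroup -o read -n /Local/Default lpadmin | /usr/bin/grep ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014)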

# See if the check is empty
if [ -z "$installed" ]; then
    /bin/echo "Standard users cannot manage printers, no action needed."
    exit 1
else
    /bin/echo "Standard users can manage printers, need to uninstall."
    exit 0
fi

The uninstall_script is then executed if uninstallation is necessary:

#!/bin/sh

/usr/sbin/dseditgroup -o edit -n /Local/Default -d staff -t group lpadmin

After adding the NoPkg to your Munki repo, you can add it to a manifest as either a Managed Install or a Managed Uninstall to grant or revoke the permission as needed. The state will be evaluated each time Munki runs, about once an hour, and adjusted if necessary.
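An added example, not part of the original NoPkg: the check scripts above match only the staff UUID, so a grant made with the everyone variation would not be seen by them. This audit reads only the NestedGroups attribute and reports either group. The function names are hypothetical, and the dseditgroup output layout in sample_output is constructed and assumed.

```shell
#!/bin/sh
# Added example: list broad built-in groups nested inside lpadmin.

# GeneratedUID of a built-in macOS group, derived from its numeric GID
# (staff = 20 -> ...00000014, matching the UUID the scripts above grep for).
builtin_group_uuid() {
    printf 'ABCDEFAB-CDEF-ABCD-EFAB-CDEF%08X\n' "$1"
}

# Print only the values under the NestedGroups attribute of the
# `dseditgroup -o read` output supplied on stdin (layout is an assumption).
nested_groups() {
    awk '
        /^[^ \t]/ { in_nested = ($1 ~ /:NestedGroups$/); next }
        in_nested && NF { print $1 }
    '
}

# Print the name of each broad group (staff, everyone) nested in the group.
broad_grants() {
    nested=$(nested_groups)
    for entry in staff:20 everyone:12; do
        name=${entry%%:*}
        gid=${entry##*:}
        if printf '%s\n' "$nested" | grep -qixF "$(builtin_group_uuid "$gid")"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample output; arguments become the NestedGroups values.
sample_output() {
    printf 'dsAttrTypeStandard:GeneratedUID -\n\t\tABCDEFAB-CDEF-ABCD-EFAB-CDEF00000062\n'
    printf 'dsAttrTypeStandard:RecordName -\n\t\t_lpadmin\n\t\tlpadmin\n'
    printf 'dsAttrTypeStandard:NestedGroups -\n'
    for uuid in "$@"; do printf '\t\t%s\n' "$uuid"; done
    printf 'dsAttrTypeStandard:PrimaryGroupID -\n\t\t98\n'
}

# On a Mac, audit the real group; elsewhere, run against the sample.
if command -v dseditgroup >/dev/null 2>&1; then
    dseditgroup -o read -n /Local/Default lpadmin | broad_grants
else
    sample_output "$(builtin_group_uuid 80)" "$(builtin_group_uuid 20)" | broad_grants
fi
```

Empty output means neither staff nor everyone is nested in lpadmin, so only the default members can manage printers.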

You can grab a copy of the complete NoPkg on my GitHub account: https://github.com/kevinmcox/Munki-NoPkgs/blob/main/PrinterManagementStandardUsers.pkginfo
