Employees at our company all use Standard (non-admin) accounts on macOS and install printers via Managed Software Center. By default this only gives them the ability to install and uninstall in MSC, but not manage queues or add personal printers at home in System Preferences.
Thankfully a simple command that can be run to allow standard users to have that ability has been around for years:
dseditgroup -o edit -n /Local/Default -a staff -t group _lpadmin
(Variations of this script posted around the web include using everyone instead of staff and lpadmin instead of _lpadmin.)
In the past I have always enabled this feature with a payload-free package. However that didn’t present a way to confirm the setting is still active or provide an easy way to reverse it.
To solve those issues I decided to convert it to a Munki NoPkg with logic to do both.
Read on for the details:
The NoPkg consists of four scripts to do the work. For applying the change we first use an installcheck_script to evaluate the status:
#!/bin/sh
# Check to see whether the staff group has been added to lpadmin
installed=$(/usr/sbin/dseditgroup -o read -n /Local/Default _lpadmin | /usr/bin/grep ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014)
# See if the check is empty
if [ -z "$installed" ]; then
/bin/echo "Standard users cannot manage printers, need to install."
exit 0
else
/bin/echo "Standard users can manage printers, no action needed."
exit 1
fi
The postinstall_script is executed if installation is needed:
#!/bin/sh /usr/sbin/dseditgroup -o edit -n /Local/Default -a staff -t group _lpadmin
When the change needs to be reversed the uninstallcheck_script is run first:
#!/bin/sh
# Check to see whether the staff group has been added to lpadmin
installed=$(/usr/sbin/dseditgroup -o read -n /Local/Default _lpadmin | /usr/bin/grep ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014)
# See if the check is empty
if [ -z "$installed" ]; then
/bin/echo "Standard users cannot manage printers, no action needed."
exit 1
else
/bin/echo "Standard users can manage printers, need to uninstall."
exit 0
fi
The uninstall_script is then executed if uninstallation is necessary:
#!/bin/sh /usr/sbin/dseditgroup -o edit -n /Local/Default -d staff -t group _lpadmin
After adding the NoPkg to your Munki repo, you can place it as either a Managed Install or a Managed Uninstall of a manifest to grant or revoke the permission as needed. The state will be evaluated each time Munki runs, about once an hour, and adjusted if necessary.
You can grab a copy of the complete NoPkg on my GitHub account: https://github.com/kevinmcox/Munki-NoPkgs/blob/main/PrinterManagementStandardUsers.pkginfo
Pingback: Weekly News Summary for Admins — 2021-08-27 – Scripting OS X
in Mac OS X, the printer administrator group was originally called lpadmin, but since Mountain Lion, Apple appear to have prefixed all of the system groups with an underscore, so for the last 10 years or so, the group should be _lpadmin.
Good catch Kai, thanks. Apple still aliases “lpadmin” to “_lpadmin” so either group will work, but I’ve updated my post above to be more accurate.