- Changes for Fall 2016
- Enabling IPP Printing in Windows
- Deploying FollowMe Print Queues
On the July 2016 Patch Tuesday, Microsoft released a security update, MS16-087, that makes it extremely difficult to deploy connections to Samba-based print queues (which WolfPrint has been using) without admin access to the workstations. The part of the update that affects the use of Samba is a new requirement that drivers downloaded through the Windows Point-and-Print feature are signed or require admin approval in order to install on the workstation.
The vulnerability is critical enough that we have made some changes to the recommended method for deploying printers to Windows machines. As of August 1, 2016, it is possible to deploy IPP-based print queues to Windows through SCCM instead of using Samba. This bypasses Samba and goes directly to CUPS on our servers. Benefits of this change include:
- Better load balancing on the server side and failover if one of the servers or campus data centers becomes unavailable.
- SSL encrypted connections between client and server.
In most cases, clients already connected to one of the printers through Samba will still be able to print to that printer, but re-imaged machines, and any new print queues added to a machine, will not work without admin intervention.
Update: Starting May 11, 2017, Samba-based printing services will be discontinued in the WolfPrint environment.
To enable printing to the WOLFPRINT print servers from Windows, you will need to do one of the following:
- Link the “OITLAB-Unity-Allow IPP Printing” group policy to your OUs.
- Duplicate the settings in your own policies.
This policy has the following setting:
Computer Configuration -> Policies -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> Turn off printing over HTTP: Disabled
OIT has made available groups under the “Software Packages\Special Configurations” OU at the NCSU level for deploying each of the FollowMe printers along with the appropriate driver. To add the printers to a machine, add it to one or more of the following groups, one for each printer that you need to install:
- “<OU>-SC-WolfPrint-CUPSPrinter WolfPrint_BlackAndWhite-1.0” for the WolfPrint-BlackAndWhite printer.
(This group name will eventually be shortened to: “<OU>-SC-WolfPrint-Printer WolfPrint_BW-1.0”)
- “<OU>-SC-WolfPrint-CUPSPrinter WolfPrint_Color-1.0” for the WolfPrint-Color printer.
(This group name will eventually be shortened to: “<OU>-SC-WolfPrint-Printer WolfPrint_Color-1.0”)
- “<OU>-SC-WolfPrint-Printer WolfPrint_BW_Lib-1.0” for the WolfPrint-BlackAndWhite-Libraries printer.
- “<OU>-SC-WolfPrint-Printer WolfPrint_Color_Lib-1.0” for the WolfPrint-Color-Libraries printer.
where <OU> is your college or department OU name in WolfTech AD.
The method for removing the old Samba connections depends on how they were deployed:
- Group Policy Computer Configuration Deployed Printer
- Removing the deployed printer from the Policy or removing or disabling the Policy Link will remove the connection.
- If the policy is no longer linked to any OUs, it can be deleted.
- The Policies provided by OIT used this method, and removing the Policy Link from your OU will take care of it.
- Group Policy User Configuration Preferences
- If the “Remove this item when it no longer applies” option was checked, removing it from the policy will cause it to uninstall.
- If that option was not checked, change the action to “Delete” and leave the policy applied to your machines until you re-image those machines again. Because these settings are in the User section of the policy, the printer connections are per-user, so each user who has logged into that machine will have to log in again for the policy to remove the printer connection from their user profile.
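A read-only check for a single workstation, added here as an example and not part of OIT's tooling: it reports the state of the “Turn off printing over HTTP” policy described above and lists the Point-and-Print connections still recorded for the machine and for logged-on users. The registry paths and function names are assumptions (the standard Windows locations), not values taken from this page.

```powershell
# Added example (not OIT's code): read-only audit of one workstation.
# Registry paths are the standard Windows locations, assumed here, not taken from the page.

function Get-HttpPrintingPolicy {
    # Value written by the "Turn off printing over HTTP" policy setting
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $item = Get-ItemProperty -Path $key -Name 'DisableHTTPPrinting' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    if ($item.DisableHTTPPrinting -eq 0) { return 'Disabled (IPP printing allowed)' }
    return 'Enabled (printing over HTTP is turned off)'
}

function ConvertFrom-ConnectionKey {
    param([string]$Scope, [string]$KeyName)
    # Connection subkeys are named ",,server,queue"
    $parts = $KeyName.TrimStart(',') -split ',', 2
    [pscustomobject]@{ Scope = $Scope; Server = $parts[0]; Queue = $parts[1] }
}

function Get-PrintConnection {
    # Per-machine connections (Computer Configuration deployed printers)
    $machine = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Connections'
    Get-ChildItem -Path $machine -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ConnectionKey -Scope 'Machine' -KeyName $_.PSChildName }

    # Per-user connections, for every user profile hive currently loaded
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            Get-ChildItem -Path "Registry::HKEY_USERS\$sid\Printers\Connections" -ErrorAction SilentlyContinue |
                ForEach-Object { ConvertFrom-ConnectionKey -Scope "User $sid" -KeyName $_.PSChildName }
        }
}

"Turn off printing over HTTP: $(Get-HttpPrintingPolicy)"
Get-PrintConnection | Sort-Object Server, Queue | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' loaded hives are readable. Rows whose Server is one of your Samba print servers are leftover connections; profiles that are not currently loaded are not covered.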
OIT has two Casper Policies, one for each printer that deploys the WolfPrint FollowMe print queues:
Puppet modules will be made available for all clients using the Realm Linux Puppet servers soon for deploying the FollowMe queues to Linux workstations.