Printopia® 3

ENTERPRISE ADMINISTRATION GUIDE

Revision 10 • October 9, 2017
www.decisivetactics.com/printopiapro

Legal

Copyright © 2012-2017 Decisive Tactics, Inc.

Printopia is a registered trademark of Decisive Tactics, Inc. Mac, iPhone, iPad, iPod Touch, iOS, OS X, and AirPrint are trademarks of Apple Inc.

Decisive Tactics, Inc. is not responsible for any loss or damage to you or your property, including your computer, arising from the use of our software. Any use of this software is at your own discretion and risk and you will be solely responsible for any damage to your computer system or loss of data that may result from its use. You agree to defend, indemnify and hold harmless Decisive Tactics, Inc. and its employees, from and against all claims and expenses, including attorney fees, arising out of this software. YOUR USE OF THIS SOFTWARE IS AT YOUR OWN RISK. THIS SOFTWARE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS.

Revisions

This document is updated frequently. For the latest version of this document, visit www.decisivetactics.com/support.

Printopia Enterprise Administration Guide

Table of Contents

Introduction
    What is AirPrint™?
    The Problem
    The Solution
Installation
    System Requirements
    Machine Considerations
    Software Components
    Network Considerations
    Firewall
    Multicast
    Licensing
    Installation
    Removal
Administration
    Printers and Groups
Groups
    Access Control
    Subnet Printing (Multicast)
    Wide-Area Printing (DNS-SD)
Printers
    Adding Printers
    Driver Selection
    Printer Settings
    Printer Authorization
    Compatibility
Advanced Settings
    General Panel
        Custom Network Port
        Profile Based Printing
        Service Prefix and Suffix
        Restore Defaults
    Wide-Area Printing Panel
Web Folders
    Adding Web Folders
    Viewing Web Folder Contents
    Web Folder Authorization
    Deleting Items from Web Folders
Subnet Printing (Multicast)
    Interface Selection
    Adding Virtual Interfaces
    Adding Physical Interfaces
Wide Area Printing (DNS-SD)
General Troubleshooting
    Things to Know
Introduction

Printopia is print server software that allows you to make any printer available to iOS devices on your network for printing. In short, Printopia makes any printer AirPrint compatible.

Printopia Pro also adds several enterprise features to AirPrint, including centralized management, monitoring, access control, directory integration, and support for large networks.

What is AirPrint™?

AirPrint is the wireless printing technology built into Apple’s iPad, iPhone, iPod touch and Macs that enables printing to compatible printers directly, without the need for any additional software or configuration. Over 500 printers on the market today support AirPrint natively, and most iOS apps that support printing do so using AirPrint.

The Problem

Before AirPrint, every printer required vendor supplied drivers to be installed on the host computer. In fact, new Macs still ship with several gigabytes of drivers for the most common printers on the market, to simplify the user experience when adding a printer. When the iPhone and iPad were released, Apple had to solve a complex problem. They'd have to convince printer manufacturers to port hundreds of complex drivers over to the iOS platform, requiring an enormous effort. Even if vendors agreed, users would then have to download and install these drivers on their devices, a cumbersome, storage-intensive process.

AirPrint leverages the increased processing power available in modern printers, and effectively moves the driver from the host computer to the printer itself. This greatly simplifies things for the end user. AirPrint also presents a uniform, simplified user interface for printing, drastically reducing the number of choices available. While mostly beneficial, some printing features that would normally be available aren’t accessible through AirPrint.

AirPrint is evolving, but presently supports only basic printing features. Most printers support several options that are not normally available through AirPrint, and are only accessible when using the manufacturer’s native driver. In fact, when adding an AirPrint-compatible printer to a Mac, users have a choice between using AirPrint or using the native print driver. While AirPrint offers instant setup and ease of use, the manufacturer's driver enables the full set of features the printer offers. Printopia Pro bridges this gap by allowing you to configure all of your printer options, and then use this stored configuration when printing to that printer using AirPrint.

In its current form, AirPrint excels in home or small office environments. However, Bonjour (also known as mDNS), the discovery protocol used to locate printers, only operates over a single network segment, making it difficult to deploy in larger environments with a segmented network architecture. AirPrint also lacks centralized access control and directory integration.

Finally, only new printers support AirPrint natively.

The Solution

Printopia Pro addresses these shortcomings, allowing you to use AirPrint in a large enterprise or education environment. Printopia Pro does the following:

• Enables AirPrint printing for any existing printers that lack native support, allowing you to keep your existing printers.
• Enables printer features not normally available through AirPrint.
• Provides centralized access controls, to control who can print.
• Works across subnets, allowing you to enable AirPrint on your network without restructuring it to pass Bonjour multicast traffic between network segments.

Installation

System Requirements

• An Apple Mac computer running OS X 10.7 or later, to act as a print server running the Printopia Pro software. If you don’t already have a Mac on your network, a Mac mini is an excellent server machine and can support a very large number of printers and clients simultaneously.

• iPhone, iPad, or iPod touch device running iOS 4.2 or later, or a Mac running OS X 10.7 or later, to be able to print to printers shared using Printopia Pro.

Machine Considerations

Printopia should be installed on a Mac that is powered on at all times. The machine does not require a display and keyboard be attached as Printopia is easily administered remotely. A wired ethernet connection to your network is strongly recommended for best performance.

If you have a very large number of users we recommend a dedicated machine. A Mac mini is perfect for this, as it can be placed out of sight in a data center or networking closet and administered remotely.

NOTE Printopia does not require OS X's built-in "Printer Sharing" to be enabled in order to operate, and in some configurations Printer Sharing may interfere with Printopia. We recommend Printer Sharing be disabled.

Software Components

Printopia consists of two basic components: a server process that runs continuously in the background to handle print requests from clients, and the Printopia application used to administer the server.

Network Considerations

AirPrint uses the “Bonjour” protocol to discover available network services, and there are two operating modes for Bonjour. Before you get started, you will need to determine whether your network supports “standard” Bonjour, which uses multicast, and is limited to a single Layer-2 network segment. Printopia Pro supports multicast Bonjour on multiple independent networks via physical network interfaces or VLANs, as long as all nodes on each network are on the same Layer-2 segment.

Many larger networks use a Layer-3 switch to route traffic between networks. Multicast Bonjour will not travel between networks in this case. To enable Bonjour across subnets even when a Layer-3 switch is involved, Printopia Pro also supports Bonjour’s unicast mode of operation. Our implementation of this is called “Wide Area Printing”, and is a unique implementation that works with all of the most commonly deployed name servers, including BIND and Windows DNS. For details, see the section on “Wide Area Printing”.

Firewall

Printopia Pro requires the following ports be open on the machine it's running on:

| Port | Protocol | Description |
|---|---|---|
| 10631 (default) | TCP | This is the IANA-reserved port for Printopia. All printing services, web services, and administration take place on this port. The port may be changed in Printopia Pro’s Advanced Settings. |
| 631 (alternate) | TCP | You may choose to configure Printopia Pro to run on this port if using configuration profiles on iOS clients to access shared printers. |
| 5353 | UDP | Multicast Bonjour (mDNS) |
| 53 | UDP, TCP | Unicast/Wide-Area Bonjour (DNS-SD). DNS-SD (and DNS in general) will not work reliably if the TCP and UDP ports are not both accepting traffic. |

In addition to the above, the standard ICMP packet types must be allowed to pass.
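The following is an added example, not part of the original guide or of Printopia: a Python check that reads `lsof -nP -iTCP -sTCP:LISTEN` output from the print server and reports whether the Printopia port accepts connections from the network and whether cupsd is also serving port 631 to the network (the Printer Sharing conflict noted earlier). The sample output is constructed, and `printsrv` is a placeholder command name, not Printopia's real process name.

```python
import ipaddress

PRINTOPIA_PORT = 10631  # default port from the table above; adjust if customized
IPP_PORT = 631          # standard IPP port, also used by cupsd

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output.
# "printsrv" is a placeholder command name, not Printopia's real process name.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
cupsd     412 root    5u  IPv6 0x3f1c2a9d5e6f7081      0t0  TCP *:631 (LISTEN)
cupsd     412 root    6u  IPv4 0x3f1c2a9d5e6f7082      0t0  TCP *:631 (LISTEN)
printsrv  733 root    9u  IPv4 0x3f1c2a9d5e6f7090      0t0  TCP *:10631 (LISTEN)
sshd      150 root    4u  IPv4 0x3f1c2a9d5e6f70a0      0t0  TCP *:22 (LISTEN)
"""


def parse_listeners(lsof_text):
    """Return (command, host, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in lsof_text.splitlines():
        fields = line.split()
        # Data rows end with: TCP <address>:<port> (LISTEN)
        if len(fields) < 3 or fields[-1] != "(LISTEN)" or fields[-3] != "TCP":
            continue
        host, _, port = fields[-2].rpartition(":")
        listeners.append((fields[0], host, int(port)))
    return listeners


def is_reachable(host):
    """True when the bind address accepts connections from other machines."""
    if host == "*":  # wildcard bind: all interfaces
        return True
    return not ipaddress.ip_address(host.strip("[]")).is_loopback


def audit_listeners(lsof_text, printopia_port=PRINTOPIA_PORT):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    listeners = parse_listeners(lsof_text)

    on_port = [host for _, host, port in listeners if port == printopia_port]
    if not on_port:
        findings.append(f"nothing is listening on TCP {printopia_port}")
    elif not any(is_reachable(host) for host in on_port):
        findings.append(f"TCP {printopia_port} is bound to loopback only")

    # cupsd reachable from the network on 631 suggests OS X Printer Sharing
    # is enabled, which the guide recommends disabling.
    if any(cmd == "cupsd" and port == IPP_PORT and is_reachable(host)
           for cmd, host, port in listeners):
        findings.append("cupsd accepts network connections on TCP 631; "
                        "Printer Sharing appears to be enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LSOF):
        print("FINDING:", finding)
```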

Multicast

If you’re using multicast Bonjour (mDNS), you’ll need to make sure your network is properly configured for the following multicast addresses:

| Address | Description |
|---|---|
| 224.0.0.251 | mDNS IPv4 Multicast Address |
| ff02::fb | mDNS IPv6 Multicast Address |

IGMP (IPv4) and MLD (IPv6) must also be properly configured to pass Bonjour packets.

You may ignore this if using "Wide Area Printing" which avoids multicast.

Licensing

Printopia is activated using a conventional license key. The key enables the specific features you have purchased.

Installation

To install Printopia, download and launch the "Printopia" application.

Removal

To remove Printopia, drag the "Printopia" application to the trash. This will automatically remove the server component once the trash is emptied. (Note: If the Printopia Server is not running because sharing is turned off at the time Printopia is dragged to the trash then it will be removed automatically after you restart the machine.)

Administration

To administer Printopia, launch the "Printopia" application found within your Applications folder.

NOTE: Printopia no longer supports connecting to remote servers for administration.

Printers and Groups

The “Printers” tab displays the list of printers configured on this server. When first installed, all printers will be placed within the default “Shared Printers” group.

Groups allow you to organize your printers. Access control and certain other attributes are assigned at the group level, making it easier to work with a large number of printers.

Groups

Printer access control and network settings are applied using printer Groups. Add groups using the + button at the bottom of the printer list. Move a printer between groups by dragging it to the group’s heading in the printer list. Settings defined at the group level apply to all of the printers within that group.

Access Control

Control who is able to print to the printer group using the Access Control panel. Select users from your Mac's directory service list, or create new username and password combinations:

The access controls apply to all printers within the group with one exception. Some printers define their own access control policy, typically when the printer is hosted on another print server. To handle this situation, Printopia supports "passthrough" authentication. When pass-through access is enabled, the printer's own authorization takes precedence over that defined here in the group settings. For more detail, see the Printers section.

Subnet Printing (Multicast)

Choose which network interfaces will publish the printer group using multicast. See the Network Interfaces section of this guide for details.

Wide-Area Printing (DNS-SD)

Choose which “Wide Area Printing” domains will have access to this group of printers. See the Wide-Area Printing section of this guide for more on this feature. This option will appear if supported by the current license and if Wide-Area Printing is enabled under Advanced Settings.

Printers

Adding Printers

By default, Printopia will share all of the Mac's print queues. To add additional printers, click the "+" button below the printer list in the "Printers" tab. This launches the standard Add Printer window used by OS X to add print queues. (This is the same window used to add printers in the "Print & Scan" section of System Preferences.)

Printopia will work with network print servers, however for best results we recommend adding the printers directly when possible. Adding the printer directly simplifies the configuration and can increase throughput.

NOTE The Add Printer window will list all printers on your network, including those being published by Printopia and those already added to your Mac. You may choose to use Advanced Settings to add a sharing prefix to the printer names Printopia shares. This will help disambiguate which names in this list are Printopia printers.

Driver Selection

If your printer supports AirPrint, you have two options when adding the printer. You may use the AirPrint driver, or the manufacturer-supplied driver. To be able to use and configure all of your printer's features, it is important to select the manufacturer-supplied driver. Make sure not to choose "AirPrint", the default option, as shown below:

Printer Settings

Printopia allows you to configure the full range of vendor-specific printer settings that would otherwise be inaccessible when using AirPrint. To access a printer's settings, double-click on the printer in the printer list:

NOTE The vendor-supplied printer settings panel is only accessible when administering Printopia locally. When administering Printopia remotely, you'll be prompted to connect using Screen Sharing to access these settings. If the server has screen sharing enabled (either the Remote Management or Screen Sharing box has been checked under the “Sharing” tab in System Preferences), a "Share Screen..." button will appear. This will allow you to control the remote machine. This is the only setting that cannot be used remotely, because it requires the printer driver software that is only present on the remote machine.

Printer Authorization

If a printer shared by Printopia requires a username and password then an additional "Authorization" panel will appear under the settings for this printer.

By default any access controls defined by Printopia at the group level will be ignored and the authorization exchange will occur directly between the device and the printer. This is the "Prompt User" authorization mode shown below:

This was previously called "Pass Through" authentication.

As an alternative to the pass-through or "Prompt User" mode, Printopia also allows you to store a username/password for the printer using the "Stored Credential" feature. This allows you more fine-grained control over who may access the printer, using Printopia's access controls defined at the group level for the printer.

If you choose to store the printer's credentials within Printopia, the username and password will be stored securely within the System Keychain and used to authenticate jobs sent to that printer:

In the example above the "Printer User" username and password have been saved and will be used to send jobs to the printer.

Compatibility

Printopia works with any printer that's compatible with the Mac it's running on. This includes USB and networked printers.

Advanced Settings

The Advanced Settings panel can be found in the “Server” menu.

General Panel

The “General” panel allows you to configure how printers are published on the network.

Custom Network Port

Use this setting to change Printopia's network port. The default port, 10631, is IANA-assigned to Printopia. The custom port may be between 1024 and 65535. Since version 1.0.4, you may also choose to use port 631, the standard IPP port normally used by CUPS if system-wide printer sharing is enabled. Printopia Pro must listen on port 631 if configuration profiles are used to tell clients where to look for printers.

Profile Based Printing

This option causes Printopia to bind to the standard IPP printing port (TCP port 631) in addition to the Printopia port. This port is required when using AirPrint configuration profiles. You will need to disable the Mac's built-in printer sharing when using this feature as both services bind to port 631.

Service Prefix and Suffix

The service prefix and suffix options are provided so you may control how printer names appear on the network, and in turn, how they appear to client devices. Since some printers being shared by Printopia Pro may already be network-enabled, the sharing name Printopia Pro uses needs to be unique to avoid a conflict.

For example, you may want to prefix printer names with the word "AirPrint" to help distinguish between AirPrint and non-AirPrint printers for clients other than iOS devices. (Other Mac, Unix, or Windows clients will see all IPP and AirPrint-IPP services as equals. This can create confusion.)

By default, Printopia adds the "@ Printopia Pro" suffix to the end of published printer names. While this suffix is part of the published service name, it is not displayed on iOS devices, but will be visible to other Mac, Windows, or Unix clients. If you’d like to publish printers using the more conventional “Printer @ Computer Name” format, you may set this string to “@ {host}” to have the computer name added in automatically.

The maximum length of a published printer name on a network is 63 bytes. If conflicts are occurring on your network, take a look at the prefix and suffix length to ensure that printer names do not exceed this length limit.
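An added example (not from the original guide or from Printopia itself) that checks proposed prefix and suffix settings against the 63-byte limit and against names already on the network. It assumes the published name is the prefix, printer name and suffix joined by single spaces; the printer names and host name are constructed.

```python
MAX_NAME_BYTES = 63  # maximum published printer name length given in the guide

# Constructed sample data.
PRINTERS = ["Engineering LaserJet", "営業部 会議室 カラープリンター 3階"]
EXISTING = ["Engineering LaserJet"]  # names the printers already advertise themselves


def published_name(printer, prefix="", suffix="@ Printopia Pro", host=""):
    """Join prefix, printer name and suffix with single spaces (assumed rule).

    "{host}" in the suffix is replaced by the computer name.
    """
    parts = (prefix, printer, suffix.replace("{host}", host))
    return " ".join(p.strip() for p in parts if p.strip())


def _compare_key(name):
    # bytes.lower() folds ASCII letters only, so "Lab" and "lab" count as equal.
    return name.encode("utf-8").lower()


def audit_names(printers, existing=(), prefix="", suffix="@ Printopia Pro", host=""):
    """Report each published name with its size and any problems found."""
    taken = {_compare_key(n) for n in existing}
    report = []
    for printer in printers:
        name = published_name(printer, prefix, suffix, host)
        size = len(name.encode("utf-8"))  # the limit is in bytes, not characters
        problems = []
        if size > MAX_NAME_BYTES:
            problems.append("too long")
        if _compare_key(name) in taken:
            problems.append("conflict")
        taken.add(_compare_key(name))
        report.append({"name": name, "chars": len(name),
                       "bytes": size, "problems": problems})
    return report


if __name__ == "__main__":
    for row in audit_names(PRINTERS, EXISTING, prefix="AirPrint",
                           suffix="@ {host}", host="print-server-01"):
        print(row)
```

The second sample name is 46 characters long but exceeds the limit once encoded as UTF-8, which is why the check counts bytes.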

Restore Defaults

This button restores all server settings to the default state. This will remove any printer customizations and remove all groups and network settings. Use of this option is analogous to a "factory reset" on a network device.

Wide-Area Printing Panel

If Wide Area Printing is supported by your license, an additional "Wide Area Printing" panel will be available under Advanced Settings. This panel allows you to enable and configure the wide-area printing feature which allows AirPrint to work across multiple subnets using DNS-SD, the unicast variant of Bonjour. See the section on Wide Area Printing for more information.

Web Folders

Web Folders are virtual printers. They show up just like printers on all AirPrint client devices. Print jobs are saved to the Printopia Pro server as PDF files or image files. These files can then be viewed, downloaded and managed using a web browser.

Adding Web Folders

Add Web Folders by clicking the "+" button below the printer list in the "Printers" tab and choosing "Add Web Folder...". Enter a name for the web folder and press OK.

Viewing Web Folder Contents

To access a Web Folder's content in your web browser, you must first determine the web folder’s URL. To do this, select the web folder in the "Printers" tab, and then click the "Show Web Page" button in the details pane:

Each Web Folder has its own web page with a URL based on its name. The URL will change if the Web Folder's name changes. Note that this web page is not on the public internet. It is being served by the Printopia Pro server on Printopia's network port, and is only available to the local network.

The URL will be of the form “http://servername.local:10631/web/foldername”. The “:10631” portion is required, as web folders use the Printopia network port of 10631 (by default, configurable in the settings), instead of the default port 80:

If you have Wide Area Printing enabled, you may also access the web folders at one of the wide area domains configured for the printer. For example, if your web folder is shared to “airprint.mydomain.com”, you may also access it using the URL “http://airprint.mydomain.com:10631/web/foldername”.

Web Folder Authorization

Permission to print to web folders is controlled by the owning group. Access to the Web Folder’s web page is controlled independently. By default, a Web Folder's web page is open to all visitors. To add access control, double-click the Web Folder in the printer list to access its settings. Add users using the "+" button and then press OK.

Once authorization is turned on, SSL will be required to access the web content. A self-signed certificate will be used by default. You may wish to access Web Folder content using a domain name and an SSL certificate signed by a certificate authority to avoid a warning message from the web browser.

Deleting Items from Web Folders

To delete items from a Web Folder, use the checkbox beside the desired items. Then click the "Delete Selected" button.

Subnet Printing (Multicast)

Printopia Pro allows you to control which network interfaces are used to share printers using the multicast mode of Bonjour, allowing you to control which printers are visible to specific subnets. This includes virtual interfaces that make use of IEEE 802.1q VLAN tagging, allowing you to serve multiple VLANs using a single physical Ethernet cable.

Many configurations are possible with this feature, including:

• Bridge wired and wireless networks that exist on different network segments.
• Serve multiple departments, each on their own network segment, using a single server.
• Isolate printers on their own VLAN, so that all printer access is controlled by Printopia.

NOTE Since Bonjour (mDNS) uses multicast UDP packets, the networks served must all be flat, Layer-2 networks. Multicast mDNS packets will not be routed between subnets. For AirPrint support across multiple network segments, see the section on Wide-Area Printing.

Interface Selection

Printopia will share printers to all available network interfaces by default. To change this, open the settings panel for a printer group and navigate to the "Subnet Printing (Multicast)" panel:

In the example above, printers in the “Shared Printers” group will be shared to the "Engineering" network only, on interface en0.100 (meaning VLAN tag 100, with parent interface en0).

Once configured, the printers will be discoverable using Bonjour on the selected networks only. The printers themselves may be on any network, as long as that network is accessible from the machine running Printopia Pro.

Wireless Interface

While supported, we do not recommend using the Mac's Wifi interface for printer sharing. We strongly recommend connecting to your wireless network using an Ethernet port. If you do choose to connect via Wifi, keep in mind the impact multicast traffic has on a wireless network. Also, many wireless access points filter traffic and may prevent communication between individual wireless clients without additional configuration.

Adding Virtual Interfaces

Macs support VLAN tagging over the built-in Ethernet network interface. To add additional VLAN interfaces, open System Preferences, click the Network icon, and click the button with the “gear” icon below the list of network interfaces. Choose "Manage Virtual Interfaces...". Here, you'll see a list of current virtual interfaces. To define a new VLAN, click the "+" button, and choose "New VLAN...". Select the tag for the new interface, the parent interface, and the interface will be created:

Depending on your network architecture, you'll either receive a DHCP address automatically on the new interface, or you'll need to assign one manually. Once completed, the interface will be available to Printopia Pro for sharing.

NOTE Use of VLANs requires your network also be configured to pass the desired VLANs to/from the Mac server, and may require your network administrator to make changes to your network.

Adding Physical Interfaces

Macs support additional network interfaces by adding USB or Thunderbolt Ethernet adapters.

If you choose to make use of additional physical network interfaces instead of VLANs, be mindful of the bandwidth limitations imposed by USB and the additional packet processing overhead.

NOTE We recommend only using network adapters that are compatible with the drivers Apple ships with OS X. These include the following Ethernet adapters we’ve tested for reliable operation:

• Cisco-Linksys USB300M 10/100 USB Ethernet Adapter (AX88772A chipset)
• Apple 10/100/1000 Thunderbolt Ethernet Adapter

Wide Area Printing (DNS-SD)

Wide Area Printing allows you to make printing services available to iOS and Mac devices anywhere on your network, even if your network is structured in a way that prevents the normal “multicast” mode of Bonjour from working properly. Wide Area Printing allows Bonjour to work across subnets or through VPN tunnels, allowing devices on your network to automatically discover and use printers from anywhere.

Wide-Area Printing requires minimal configuration on both the client and server end, and has the following benefits:

• Reduced multicast traffic and its associated impact on wireless networks
• Enables the use of AirPrint across layer-3 routed network segments
• Enables the use of AirPrint over a VPN connection
• Enables the use of AirPrint over the open internet, if desired

Consult the "Wide Area Printing Deployment and Troubleshooting Guide" for setup and troubleshooting information.

General Troubleshooting

Things to Know

The iOS print queue is strictly serial, and an issue with one job will prevent any other job from printing until it is resolved. As a result, if you're having trouble printing, check the print queue first to see what state it's in.

AirPrint will not work over your device's cellular data connection. You must be connected to your organization's Wifi network to be able to print.

If you don't see any printers in your iPhone or iPad's printer list:

• Ensure that the device is on the same network as the Mac running Printopia.
• Ensure that the Mac is turned on and awake.
• Check to make sure Printopia is running and printers are shown as shared.

Some routers may require a setting to be changed. Refer to your router's user manual if you're not sure how to access its settings. Ensure that Broadcast and Multicast settings are turned on if available. If your router has RIP settings, ensure that the RIP direction is set to "Both" and the RIP version is set to "RIP-1".

If you see printers, but nothing is printing:

Check your iPhone or iPad's Print Center. To do this, double-press the device's home button to reveal the task tray. If you see a "Print Center" icon, this means there is an item in the print queue that has not yet printed. Tap print jobs to view their status, and cancel any jobs that may be stuck in the queue. (If you don't see a Print Center icon, it just means that there's nothing in the queue.)

Check your printer's print queue on your Mac for status updates. To see all print jobs, choose "Show Completed Jobs" and "Show Everyone's Jobs" from the "Jobs" menu.

Check your Mac's firewall settings (System Preferences -> Security -> Firewall). If your Firewall is turned on, click "Advanced", and ensure that "Printopia Server" is listed as allowing incoming connections. Also make sure that the "Block all incoming connections" checkbox is not checked. Alternatively, you may wish to temporarily turn off your firewall for troubleshooting purposes.

If you are using Intego's firewall software, ensure that "Client, local server" is selected rather than "Client only" mode.

If you see printers, but the device reports an error:

Try rebooting the iPhone or iPad. This may clear out cached information about printers which may have become invalid.

Try creating and printing to a "Web Folder" printer. If this works, but your real printer does not work, this means it's likely a printer-specific issue and not an issue with your network.

Be sure to clear the iPhone or iPad print queue before testing again.
