Restrict printer usage in OS X
With the OS X printer configuration, you can impose limits on which accounts are allowed to print to specific printers on your system.
The default configuration for printers in OS X is relatively basic and offers you options to essentially add or remove a printer and then set some driver-specific features such as the amount of RAM or duplexing details; however, you may wish to have more options for managing access to your printer, such as limiting access to one printer and not another, or requiring a password to print.
The easiest way to administer these options for printers is via network access, where if you share the printer you can limit which users will have access to it over the network. Doing this involves setting up a separate computer to be a print server, and then manage which accounts can access the shared printer service over the network. Apple's OS X Server offers options for managing this, but you can also do the same in the client version of the OS.
To do this, with your printer set up on the computer, enable printer sharing for the device in the Sharing system preferences and then manage the specific users and groups allowed to print in the Users list. By default everyone will have access to the printer, but if you click the plus button you can add a local user to give only that user (or any others added) access to the printer. While local users are immediately available to add, you can also create a "sharing only" account for printer access by clicking the plus button then clicking "New Person" and entering a name and credentials for the user.
Using a Sharing Only account or two in this manner may be preferable since you can change its password at any time without affecting any local user account. Any network users who use this account for print authentication will then simply have to use the new password in order to print.
Unfortunately this ability only applies to shared printers, and local users on the system will not see these restrictions. However, the print system in OS X does have an option for requiring a password when printing and for preventing specific users from accessing a local printer. This feature is not available through the standard OS X printer setup options, but can be configured using the Web interface.
To activate the Web interface, open the Terminal and run the following command:
cupsctl WebInterface=yes
With this completed, load the interface by visiting the following URL:
Next you will need to set which users are allowed or denied access to the printer. To do this, go to the Printers tab and click the link for your printer in the list of configured devices. Then choose "Set Allowed Users" from the "Administration" menu, and you will be given an entry field with radio buttons to allow or prevent printing from the users in the field.
To only allow specific users access to the printer, choose "Allow these users to print" and then separate their short names (the names of their home folders) by commas. To prevent just these users from accessing and allow all others to access the printers, select the other radio button.
When finished, click "Set Allowed Users" and the changes should take effect immediately. If a user is not given access to the printer then it will no longer be available when that user is logged in to his or her account. The user will be able to print to other printers that are available, but will not be able to find the one you have applied the restrictions to. In this manner you can set access to several printers to govern access to who is allowed to use each of them.
In addition to setting specific users, in the same Administration window choose "Set Default Options" and then click the link called "Policies" where you should see a set of menus for Error and Operation policies. In there choose "Authenticated" for the operation policy and apply the settings, which will require users to authenticate when printing to this printer device.
A final approach to limiting users is to set up time limited print quotas for each printer on your system. This option is neither available via the Web interface nor the System Preferences, but can be done via the Terminal. This option is also on a per-device use and applies to all users on the system so you cannot set a quota just for one user and not have it be set for others. However, it is a way to impose a more global limit if needed.
To activate quotas, you must tell the system to use both a time frame in which to enforce them and a page limit to use. First get a list of your printers by running the following command (the printer name will be immediately after the word "printer" at the beginning of the output line):
lpstat -p
Next use this name exactly as-is in place of "PRINTER" in the following command, and also substitute SECONDS for the quota time frame and PAGES for the page limit to apply in that time frame. Follow this command by rebooting your system to restart the print system:
lpadmin -p PRINTER -o job-quota-period=SECONDS -o job-page-limit=PAGES
For example, for me to set my Phaser printer (name being "Phaser_8560DN") to a 20-page limit per day, I would run the following:
lpadmin -p Phaser_8560DN -o job-quota-period=86400 -o job-page-limit=20
To clear any of these settings, rerun the command but use 0 for either SECONDS or PAGES.
Questions? Comments? Have a fix? Post them below or
e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.