Disable Printer Sharing in System Preferences

oligiles
New Contributor

Hi All
Does anyone have any command/script suggestions for disabling printer sharing in System Preferences/Sharing?
I have users in 10.6 & 10.7 who've managed to enable it and i'd like to group them all and disable it one go.

Any help would be greatly appreciated.
Thanks
Oli

5 REPLIES 5

rlandgraf
Contributor

This is the command we used to turn off print sharing on all computers.

cupsctl --no-share-printers

jwojda
Valued Contributor II

sorry to hijack this - but will that disable the checkbox (either uncheck if it's checked) under printer preferences? We've got quite a few people that feel the need to share it over bonjour and it's generating support tickets...

Nevermind, I tested it, but it still allowed them to turn it back on if they went into sharing preferences...is there a more permanent options?

seabash
Contributor

UPDATE: corrected command syntax (previous order was incorrect)

Old thread, but here's the answer to question from @jwojda...

The command from @rlandgraf ensures that the Printer Sharing service is disabled (a la System Preferences > Sharing > Printer Sharing), but current or newly-added printers may have the "Share this printer..." option checked (lpadmin manpage says the default value is "true").

To disable the sharing option (checkbox) on a given printer, take this approach...

# List device names of all printers
lpstat -v

# Get the device name of desired printer (listed as "device for [SomePrinterName]:")
# Example to disable sharing for a printer named "SomePrinterName"
sudo lpadmin -p SomePrinterName -o printer-is-shared=false

To disable printer sharing on all printers, you could adapt the commands above in a script by looping thru output from lpstat -v then passing that variable to the lpadmin command. I'll leave the looping method up to you.

I kinda wish Casper had a built-in disable/enable sharing function for Printers, but I'm too lazy to check/submit a FR :)

HTH

mm2270
Legendary Contributor III

@jwojda Block the Sharing Preference Pane? I realize that's a heavy handed solution, but if users are abusing privileges and going in messing with stuff, that may be an approach to take. I like to give as much freedom as possible, but if the clients aren't listening to IT and doing stuff they shouldn't be anyway, then they don't have a right to those privileges in my eyes.

Another approach that might work is to use the LaunchDaemon method I outlined here
But instead of using it to monitor /private/etc/cups/ppd, you'd use a WatchPath of /private/etc/cups/cupsd.conf That file gets modified whenever a printer is shared or overall printer sharing is enabled in the Sharing Prefpane.
This command will tell you if Printer Sharing was turned on-

grep "Browsing On" /private/etc/cups/cupsd.conf

The script the LaunchDaemon runs could simply loop over all installed printers and run the above lpadmin -o printer-is-shared=false SomePrinterName command against each one to ensure they are all set to not share. Or if you want to get fancy, I suppose you may be able to script it to detect which printer is shared and only run the command against that one.

Hope that helps a bit.

mm2270
Legendary Contributor III

Just as a follow up, I put this together a few minutes ago, based on the stuff I outlined in the thread I mentioned before, and it seems to persistently stop printers from being shared out over Bonjour by making sure global printer sharing is disabled.

Here is the LaunchAgent (it can also be a LaunchDaemon I think, but it seems to work OK as a global LaunchAgent as well -- in /Library/LaunchAgents/. A LaunchAgent may make more sense since its only going to ever be needed when someone is logged in)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.mm2270.disableprintsharing</string>
    <key>Program</key>
    <string>/Library/Scripts/disable-printer-sharing.sh</string>
    <key>RunAtLoad</key>
    <true/>
    <key>WatchPaths</key>
    <array>
        <string>/private/etc/cups/cupsd.conf</string>
    </array>
</dict>
</plist>

I'm not at all wedded to naming anything after my username, so feel free to rename the Label to something else.

Here is the script. Extremely simple. It just checks to see if Browsing On gets returned when grepping the cupsd.conf file and if so, runs the command mentioned by @rlandgraf to disable global print sharing. It doesn't matter if the checkbox is checked for any printers since print sharing as a whole remains off (or more specifically, gets turned off about 1 second after its turned on) Of course, if you wanted to also have it loop over all installed printers and ensure their individual share me checkboxes are off, that could be added.

#!/bin/bash

if [[ $(grep "Browsing On" /private/etc/cups/cupsd.conf) ]]; then
    cupsctl --no-share-printers
else
    exit 0
fi

You can put the script anywhere you want on the system, as long as the LaunchAgent reflects that path.

After looking at all this, I have to wonder if there isn't some Config Profile payload that could keep sharing off. I had looked briefly at the Printers payload in a Config profile in our JSS, but it seems its more for adding printers. it does allow you to restrict users from changing the printer list, but I don't know if that also means preventing checking that sharing box. I have a feeling it doesn't.

EDIT: Corrected the LD. I had copied its contents when I temporarily disabled it, so the disabled flag was showing up in the plist.