Choose your language

Choose your login

Support

Authentication

This page applies to:

This article only applies to PaperCut NG and MF customers. When Mobility Print is installed on an existing PaperCut server then users will be authenticated for all print jobs. Otherwise, on a standalone Mobility Print server there is no authentication for printing.

How user authentication works

User authentication identifies users and then associates their identity with the print job. Jobs appear in the server’s print queue with this user identity.

For all devices except Windows laptops, the Application Server validates the username and password in real-time (for example, via Active Directory, LDAP, or G Suite) prior to receiving a print job. The same applies for user security (for example, group-based access control).

For Windows, the authentication process is:

  1. At the time the print queue is installed, the Application Server validates the username and password.
  2. If valid, the Application Server returns to the client an IPP URL with an encoded access token.
  3. A standard Windows IPP printer is automatically created using this special URL.
  4. The client uses this URL to deliver print jobs via IPP.
  5. Every time there is a print job, the Mobility Print server validates the access token.

Authentication security

Is the user authentication between devices and the Mobility Print server secure?

All user login credentials are secure and encrypted. Where possible, industry standard HTTPS/TLS is used. Print jobs on Android, macOS, and iOS are secure as they use HTTPS. Print jobs on Chromebooks are encrypted using AES with a 256-bit key length.

Is secure print release compatible with Mobility Print?

Of course! Mobility Print supports secure print release and Find-Me printing .

Absolutely. Mobility Print has the same level of security and authentication as any other PaperCut NG/MF feature. User identification is checked before a job is accepted. See the user authentication section above for details.

You can also choose whether or not to authenticate your users for every print job by adjusting the print authentication mode.

Client credentials

Where are credentials saved and how long are they retained?

 macOSiOSChrome & AndroidWindows

Default behavior

       

        Users are prompted when first job is sent

Users prompted when installer is run to add new printers
What about per-job authentication?

            

          Users are prompted with every print job

 

Mark the user as "Unauthenticated" as use the PaperCut Client instead
How long are credentials saved?Remembered by Keychain indefinitely Remembered by Keychain indefinitely Remembered for 30 days by default, and configurable up to 365 days   Indefinitely
Where are they stored?Keychain AccessKeychain AccessStored as part of the device profileConfigured in the connection string
How can they be reset?Open Keychain Access and either delete or edit the keychain for the Mobility Print serverTap (i) on the print page on the iOS device and hit forget my Username and PasswordReset & redeploy the Chrome or Android profileReinstalling the queue and entering the new credentials (but you don't actually need to!)

Clear the Cloud Print authentication

If a particular user is having an issue authenticating, there is a method available to reset the existing Cloud print token on an individual workstation.

Resetting authentication on all printer queues

  1. Go to the following folder on your device and delete the auth.toml file.

    Windows: %USERPROFILE%\AppData\Local\PaperCutMobilityPrintClient\auth.toml
    Mac: /Users/userX/Library/Application Support/PaperCutMobilityPrintClient/auth.toml
  2. Restart the Mobility client.

Resetting authentication on a specific print queue(s)

If you only want to reset authentication for a specific print queue(s),

  1. Open the auth.toml file in a text editor.
  2. Remove the token for the required printer(s) in the file (that is, remove each line for each printer). 
  3. Save and restart the Mobility client.

Does Mobility Print support Single Sign-on with Google?

Yes! Follow the steps in Manage Single sign on for Chromebooks so that users By default, you will see a “Sign in with Google” button in the Mobility Print Chrome extension on Chromebooks so they don’t have to re-enter their credentials to log in. You can find more information on how SSO works in our Configuring Google Single Sign On (SSO ) article.

Active Directory password changes

When a Windows client authenticates with Mobility Print for the first time, the workstation receives a token. If the user’s Active Directory password changes, the token is still valid, so there is no need for the user to reauthenticate.

Extending the period of authentication for users

By default Chrome and Android users are prompted every 30 days to re-enter their passwords for Mobility Print. However, it’s possible to extend this period up to 365 days.

If you change the period, it won’t affect users that are already authenticated, but will take effect the next time the user is prompted to log in.

If you want to force re-authentication, you’ll need to uninstall and reinstall the app on the Chromebook or Android device.

To extend the period:

  1. Browse to the config folder where Mobility Print is installed: [app-path]\Program Files (x86)\PaperCut Mobility Print\data\config\ or Applications\PaperCut Mobility Print\data\config
  2. Open the file mobility-print.conf.toml with a text editor.
  3. Change the line RememberUserLoginDurationDays=30 to the number of days that you want the login to be remembered (up to 365).
  4. Restart the PaperCut Mobility Print service.

Configure ID/Pin authentication

1. Log in to the PaperCut Web admin interface and click Options.

2. Under Client Software, set the Authentication Method to Identity Number.

3. Go to Users tab, select a user account, and scroll down to Other Details.

4. Under Card/Identity Numbers, make sure the user has digits entered in the Primary field. These digits are what the user will need to enter instead of their username.

Now, when the user attempts to print, they will be able to enter the ID number instead of their username!

Comments