This article only applies when Mobility Print is connected to PaperCut NG or MF. When Mobility Print is installed on an existing PaperCut NG or MF server then users will be authenticated for all print jobs. Otherwise, on a standalone Mobility Print server there is no authentication for printing.

Not sure if you want to use PaperCut NG or MF with Mobility Print? Read this .

How user authentication works

When Mobility Print is installed on a PaperCut NG or MF server—whether it’s a primary, secondary, or site server—users need to authenticate. The exact experience can varies depending on the client operating system and how printers are shared (mDNS/DNS, Known Host, or Cloud Print). But generally users will be prompted for their username and password either when they first run the Mobility Print client or when connecting to a new printer.

For macOS, iOS, Chrome, and Android: The Mobility Print server checks the credentials in real time with the primary PaperCut NG or MF server. The primary server syncs with your organization’s user directory (like Active Directory, LDAP, or Google Workspace) to confirm the details.

For Windows:

1. At the time the print queue is installed, the Application Server validates the username and password.
2. If valid, the Application Server returns to the client an IPP URL with an encoded access token.
3. A standard Windows IPP printer is automatically created using this special URL.
4. The client uses this URL to deliver print jobs via IPP.
5. Every time there is a print job, the Mobility Print server validates the access token.

Authentication Security

Is user authentication secure?

All user login credentials are secure and encrypted. Mobility Print uses industry-standard HTTPS/TLS wherever possible to keep your data safe.

• Android, macOS, and iOS devices: Print jobs are protected using HTTPS.
• Chromebooks: Print jobs are encrypted with AES and a 256-bit key length for added security.

Is secure print release compatible with Mobility Print?

Mobility Print works seamlessly with secure print release and Find-Me printing.

• Secure print release: Also known as Hold/Release in PaperCut NG and MF, this feature ensures that print jobs are only released when the intended user authenticates at the printer. This keeps sensitive documents out of the wrong hands.
• Find-Me printing: Mobility Print can share a Find-Me print queue to give users the flexibility to release their jobs at any compatible printer. This can vastly simplify printer deployment because only one printer needs to be installed on the user’s computer.

What happens if a user’s password changes?

When a Windows client authenticates with Mobility Print for the first time, the workstation receives a token. If the user’s Active Directory, LDAP, or Entra ID password changes, the token is still valid, so there is no need for the user to re-authenticate after updating their password.

Print job authentication - are jobs authenticated at the time of print?

With Mobility Print it’s possible to decide how often users need to authenticate:

• Every print job: Ideal for shared devices such a classroom iPad, requiring users to authenticate each time.
• First connection only: Streamlined printing, with authentication needed only when users connect to the printer.

To adjust this configure the print authentication mode in your Mobility Print settings.

Client Credential Behavior

There are some nuances to how each of the client operating systems work when it comes to authentication. To help, we’ve put together this comparison table to answer the following questions.

• Are users prompted when they submit a print job or when they first print?
• Can users be prompted for credentials every time they print?
• How long before a user needs to re-authenticate?
• How are the credentials stored? (In case they need to be cleared.)
• How would you clear or reset user a user’s cached login?

Keep in mind the following table applies to the mDNS and DNS discovery methods- Cloud Print and Known Host versions of certain clients may work differently.

Clearing Cloud Print authentication

If a user is having trouble authenticating, you can reset their Cloud Print token on their device.

To reset authentication on all printer queues:

1. Open the folder containing the auth.toml file:
   • Windows: %USERPROFILE%\AppData\Local\PaperCutMobilityPrintClient\auth.toml
   • Mac: /Users/userX/Library/Application Support/PaperCutMobilityPrintClient/auth.toml
2. Delete (or rename) the auth.toml file.
3. Restart the Mobility client.

To reset authentication on a specific print queue:

1. Open the auth.toml file in a text editor.
2. Find and delete the line(s) with the token for the specific printer(s).
3. Save the file.
4. Restart the Mobility Print client.

Extending the authentication period

In certain cases (namely when printing from Chrome or Android devices as well as Windows and macOS devices printing via Cloud Print) users will notice a checkbox at the bottom of the authentication dialog that says “Remember me”. When that box is checked, the Mobility Print server will trust this user for 30 days before prompting for authentication. This time period can be extended up to 365 days.

Steps to extend the authentication period:

1. Go to the Mobility Print config folder on the server:
   • Windows: [app-path]\Program Files (x86)\PaperCut Mobility Print\data\config\
   • macOS: /Applications/PaperCut Mobility Print/data/config/
2. Open the mobility-print.conf.toml file with a text editor with admin rights.
3. Update the line: RememberUserLoginDurationDays=30. Replace 30 with the desired number of days (up to 365).
4. Restart the PaperCut Mobility Print service to apply the change.

When making this change, be aware:

• Changing the authentication period won’t affect users who are already logged in. The new setting applies the next time they’re prompted to log in.
• To force re-authentication, uninstall and reinstall the app on the Chromebook or Android device.

Configure ID/Pin authentication

Want to have users log in with ID numbers and pins instead of usernames and passwords? It’s possible to configure this in PaperCut NG and MF. If a PIN is required, they’ll also enter their PIN for added security.

Limitations:

• This currently does not work for Cloud Print clients.
• The login prompt for some clients, like iOS, is not configurable and will still request “Username” and “Password” instead of “Identity Number”.

To set up ID/PIN authentication:

1. Log in to the PaperCut admin web interface and go to Options.
2. Under Client Software, set the Authentication Method to Identity Number.
   
   • If Require PIN is selected, users must enter both an Identity Number and a PIN to authenticate.
   • If Require PIN is not selected, users must enter their Identity Number in both the username and password fields.
3. Go to Users tab, select a user account, and scroll down to Other Details.
4. Under Card/Identity Numbers, ensure the user has a card/ID number definded in the Primary field. These digits are what the user will need to enter instead of their username.
   
5. Now, when the user attempts to print, they will be able to enter the ID number instead of their username.
   

Sign-in with Google and Mobility Print

Mobility Print supports Single Sign-On (SSO) with Google to make logging in easy for Chromebook users. When enabled, the Mobility Print Chrome extension displays a Sign in with Google button which allows users to authenticate quickly without typing a username or password.

Follow the steps in Manage Single sign on for Chromebooks . You can find more information on how SSO works in our Configuring Google Single Sign On (SSO ) article.