[ Music ]
Hi. I’m Todd Ritland, AirPrint engineer and the lead engineer on iOS printing.
And this is Deploying AirPrint in Enterprise.
AirPrint is Apple’s total printing solution.
It’s a technology that helps you to create full-quality printed output without the need to download or install drivers.
If you’re an app developer and want to add printing to your app, see developer.apple.com/airprint for a previous talk I gave at WWDC titled Advances in AirPrint and download the sample code to get started.
If you are a printer manufacturer or a print server developer and wish to license AirPrint technology for your product, please email [email protected].
This talk will focus on those who are responsible for deploying AirPrint and want to learn more about all the enterprise features that make AirPrint work great in enterprise environments.
Printing in enterprise has many unique requirements.
Our enterprise customers are dealing with a fleet of printers, often from many manufacturers and with different features, across floors of buildings or across many different buildings, and in many locations.
These can be hugely complex printers as well.
The network infrastructure is often very complex.
Often they’re wireless and wired clients and their network structure may be unrelated to the physical location in a building.
IT departments also have varying network requirements, such as no access to software update, no multicast packet traffic allowed, and certain ports blocks, which all have impact on printers.
Enterprise customers also may have accounting requirements since every page printed costs money.
And of course security requirements are essential and are increasingly important in enterprise printing.
The top requests we get from enterprise are the ability to create PDF and have more paper-free workflows, security, access control and accounting, and better discovery of printers.
So let’s go into what AirPrint offers for each of these in detail.
First, create PDF from the Print panel.
Mac OS has long had the ability to get a PDF anywhere you can print.
And now in iOS 10, all iOS devices have this ability as well and I’d like to show you how this works.
Here we have an iPad running iOS 10, and when I tap Print, I just pinch out with my two fingers on the Print Preview.
And from here, I have a Share button at the top corner.
Any app can accept PDFs will appear under the Share menu, as well as AirDrop and other system-sharing options.
This also works with the Managed Open In Enterprise feature that keeps business items and personal items separate.
On devices with 3D Touch, you can alternatively use the Peek and Pop gesture to access this same view from the Print Preview.
We think enterprise users will love having this new paper-free workflow on all of their iOS devices.
Next onto a hugely important topic, security.
AirPrint on iOS and Mac OS support full end-to-end encryption so your documents are protected on the network.
AirPrint supports the latest industry standard TLS 1.2 encryption on top of HTTP.
This encryption technology is a requirement for all new AirPrint printers and servers.
Next, for additional security, many enterprise customers don’t want printed pages sitting around in the output bin of a printer, where an unauthorized person can pick it up and view it.
iOS and Mac OS support PIN Release for printers and servers that support it, where the user will enter a PIN at the printer to receive their output.
On iOS, when a PIN is required, the Print panel has a label explaining that.
And when the user taps Print, an alert is displayed with the PIN to release the job.
On Mac OS, the user can type the PIN they want to use to release the job.
Mac OS also supports PIN when PIN is optional and not required to print.
Next, Access Control and Accounting.
AirPrint has always supported printers and servers that require authentication with a username and password.
We store the username and password entered in the keychain so the user never has to enter it again.
iOS 10 now supports the ability to forget that stored authentication information to support workflows where a different user name is needed.
Also new this year is support for password-only authentication so printer can be protected with just a simple password, as shown here.
When an enterprise needs to have billing or account information added to each print job, iOS and Mac OS both support printers and servers that take that account information.
If the account information is required for every job, the user will be required to enter that information before the job continues.
And iOS and Mac OS support either optional or required account ID for print jobs, and this is what the UI looks like on Mac OS X.
Next, Better Discovery.
AirPrint has many supportive ways to find and use printers.
The main method which most people associate with AirPrint is Local Bonjour.
There is no setup required.
The printer automatically appears as an available printer in the list without any setup.
AirPrint has also always supported Wide-Area Bonjour.
Bonjour is based on DNS Service Discovery.
And if a DNS server is configured with the correct records, printers can be discovered this way and I’ll go over how to do this.
Both iOS and Mac OS also now support Mobile Device Management or MDM profiles with a configured AirPrint payload.
And new in iOS 10, we have AirPrint Bluetooth Beacons as a way to discover printers using Bluetooth low-energy beacons.
Configuring a DNS server to advertise AirPrint printers is easy.
First, the configured DNS server must be in the list of DNS servers used by the iOS devices and Macs you want printers to appear.
There are lots of ways to manage which DNS servers and search domains are used, such as DHCP or MDM profiles.
And next you want to add A or AAAA records to the name of the printer and the printer setup with a static IP address.
Add a PTR record for the main IPPS service type and one additional PTR record for the universal subtype.
This is key for AirPrint because AirPrint isn’t just an IPPS service.
It has a subtype of universal and that’s what iOS devices and Mac search for.
You’ll add a SRV record for the service and than a TXT or text record that describes many capabilities and information about the printer.
It’s super important to find the TXT or text record of the printer or server, which can easily be accomplished using the Command Line tool Mac OS, dns-sd.
To use dns-sd to figure out the records, just run this command on the same subnet as the printer you’re setting up.
You run with the -Z option to display the records in zone file format and you’ll use the underscore tcp.
underscore ipps.service type in the local domain, like shown here in blue.
This is the output you’ll get for each printer that’s discovered locally.
These are almost the PTR, SRV, and TXT records you’ll need to add to DNS server with a couple additions.
The changes are highlighted here in green.
As I mentioned, you’ll add an additional PTR record for the universal subtype, like this one on the second line.
You’ll also replace the local printer name in the SRV record with the fully-qualified domain name, the A record I mentioned earlier, and you’ll also need to replace any other instances of the local Bonjour name with this fully-qualified domain name, like I have shown here in green, with the printer’s administration URL.
If this isn’t fixed, users won’t be able to use the button in Mac OS that quickly takes them to the printer’s admin webpage.
And so this is the text here that could be copied right into a zone file and a printer will appear in the list of printers for your users, if they have this DNS server configured as one of their DNS servers.
So the key to setting up Wide-Area Bonjour printers is to get some help from the dns-sd Command Line tool.
MDM profiles are very popular and a super easy way to configure printers for your users.
The AirPrint payload can be added to any profile and that payload consists of a host or IP address and a resource path.
The resource path is ipp/print for most AirPrint printers, and for an AirPrint server, this will be the queue.
And the screenshot shown here is Apple Configurator, one of the most popular Mobile Device Management tools.
Next we have a new technology we’re really excited about that’s new in iOS 10 and that’s the AirPrint Bluetooth Beacon.
So what is an AirPrint Bluetooth Beacon, and how does it work?
Well, it can be configured using one of the many third-party Bluetooth beacon devices available on the market and set next to or near a printer or can it be built into the printer itself using the printer’s built-in radios and antennas.
And future AirPrint printers will have this capability built right in.
What it does is beacon out the connection information.
And if the iPhone can reach that IP address, the printer will be accessible to send jobs to.
This is really powerful because the network complexities don’t matter.
All that matters is that the IP address is reachable.
This could even be a public IP address on the Internet.
So long as the iOS device is in Bluetooth range and the IP address is accessible, the printer will show up as an available printer on the list for users.
And the AirPrint Beacon works great with print servers too.
Here we have an AirPrint server on the right, and each printer on the network has an AirPrint Bluetooth Beacon which is advertising the server’s IP address and the Queue ID associated with that printer.
When the user prints, the job goes to the print server with the queue information, and then the server sends the job to the associated printer that the user has chosen in the UI.
Let’s go into detail about what the AirPrint Bluetooth Beacon format is so you can set these up for your printers.
First, we have a header.
This is what identifies this BLE beacon as an AirPrint Beacon.
It’s the same for all AirPrint Bluetooth Beacons, so this can just be copied.
Next, we have the connection information.
This tells whether the IP address found later in the beacon is an IPv4 address or an IPv6 address.
It also tells whether the IP address is for a server or identifies a printer and this byte identifies if the connection must be TLS encrypted.
For this example, the connection is TLS encrypted, the IP address is an IPv6 address, and this is not a server.
See the specification published on developer.apple.com for how this byte is set up.
Next we have a printer ID if this job should go to a print server or information about the resource path if this is directly to a printer.
This printer has ipp/print as the resource path.
Again, see the specification published for more details about specifying resource paths.
Next we have the port for the connection; 631 is the standard IPP port.
Port 443 is often used for TLS secure connections.
For this example, 277 is hexadecimal for 631, which is the standard IPP port.
And next we have the IP address.
If you’re using a non-updatable external beacon for the printer, make sure the printer has a static IP address.
Otherwise, this IP in the beacon will become stale when the IP address changes.
And last, like iBeacon, we have a measured signal strength value at 1 meter.
This uses the same methodology as Apple iBeacon measured power.
This gives the iOS device better information about the physical distance of the printer.
For this example, the transmission power was found to be on average 64 decibels, which is 40 in hexadecimal.
The format of the AirPrint Bluetooth Beacon is somewhat similar to iBeacon.
iBeacon format is one byte shorter, but the beginning header is very similar.
If you’re following setup instructions for a device with iBeacon technology, you may be able to adjust and use a similar setup for the AirPrint Bluetooth Beacon, and many manufacturers of Bluetooth hardware have or will have specific AirPrint Bluetooth Beacon setup procedures.
So for enterprise users, iOS and Mac OS provides many great technologies to support PDF workflows for an increasingly digital world.
And AirPrint provides great security, access control, accounting, and new discovery technologies to make printing great in any environment.
And as always, let us know your feedback about what specific enterprise needs are by submitting feedback on apple.com/feedback.
For more information about this presentation and for referenced specs, please check out developer.apple.com/wwdc16/725.
You may also want to check out the What’s New in Apple Device Management session in Nob Hill at Wednesday 11:00 a.m. and also Taking Core Location Indoors in the Marina at Wednesday at 3:15 p.m.