Azure – Hybrid Cloud Print service

Hybrid Cloud Print is a new feature available on Windows Server 2016 that lets you set up a print server/service available not only to AD-joined devices but also to Azure AD-joined devices.

Using corporate print servers while using an Azure AD Joined device can be challenging for both end-users and IT staff.

With this new feature, any Azure AD-joined device can easily set up and use corporate printers, wherever it is.

To implement this solution, you need the following, in addition to the obvious ones (Azure AD and Active Directory):

  • Azure AD Connect (installation and configuration not covered in this post)
  • Intune
  • Azure AD Application Proxy (activation, installation and configuration not covered in this post)
  • Azure application registrations (web app/API and native)

Bear with me, as this is not a simple process, including the publication of the printers. Hopefully this will be improved in a future release/update.

This is interesting functionality, but clearly there is still a lot of work to do.


Enable Hybrid Cloud Print feature

On a Windows Server 2016, enable the Hybrid Cloud Print feature using PowerShell (don't forget to Run as Administrator); you may be asked to install the NuGet provider and to trust the online module repository (PSGallery)

  • Enable the Windows Server role Print Server
  • Install-Module -Name PublishCloudPrinter
  • Import-Module PublishCloudPrinter


  • Then configure the connection to your Azure Active Directory by running the CloudPrintDeploy.ps1 script located in the C:\Program Files\WindowsPowerShell\Modules\PublishCloudPrinter\1.0.0.0 folder. This also enables the IIS server role with ASP.NET and deploys the Mopria Cloud Service web site.

CloudPrintDeploy.ps1 -AzureTenant <your tenant name>.onmicrosoft.com -AzureTenantGuid <Azure AD Directory ID>; where the tenant GUID is obtained from the Azure AD properties blade (Directory ID)


  • You then need to configure SSL on the IIS web site, either with a self-signed certificate or with a certificate issued by a CA. As the certificate needs to be trusted by the clients (and by the Application Proxy connector, which talks to this site), it is recommended to use a public CA, or your internal CA if you have deployed your CA certificate to the Azure AD-joined devices (which can be done with Intune). The certificate subject must cover the host name the clients will use.


  • Next, install the SQLite package with the following PowerShell commands (the first registers nuget.org as a trusted package source so that Install-Package does not prompt; the second downloads the package and its dependencies from there)

Register-PackageSource -Name nuget.org -ProviderName NuGet -Location https://www.nuget.org/api/v2/ -Trusted -Force

Install-Package System.Data.SQLite -ProviderName NuGet


  • Copy the SQLite DLLs from each SQLite package subfolder located in C:\Program Files\PackageManagement\NuGet\Packages to the Mopria Cloud Service virtual directory (C:\inetpub\mopriacloudservice\bin); the bin\x86 and bin\x64 subfolders hold the native interop library for each architecture

System.Data.SQLite.Core.x.x.x.x\lib\net46\System.Data.SQLite.dll copied to the bin directory
System.Data.SQLite.Core.x.x.x.x\build\net46\x86\SQLite.Interop.dll copied to the bin\x86 directory
System.Data.SQLite.Core.x.x.x.x\build\net46\x64\SQLite.Interop.dll copied to the bin\x64 directory
System.Data.SQLite.Linq.x.x.x.x\lib\net46\System.Data.SQLite.Linq.dll copied to the bin directory
System.Data.SQLite.EF6.x.x.x.x\lib\net46\System.Data.SQLite.EF6.dll copied to the bin directory


  • Then edit the web.config file located in C:\inetpub\mopriacloudservice and replace the value of newVersion in the System.Data.SQLite binding redirect with the version actually installed (the x.x.x.x part of the package folder name). In my case, when writing this post, the version registered in the web.config file was 1.0.102.0 and the installed one was 1.0.107.0.


  • Finally, create the SQLite database from the command line. The database lives in C:\inetpub\mopriacloudservice\Database; run the following in that folder with the SQLite command-line shell (sqlite3.exe, part of the SQLite Tools bundle available at https://www.sqlite.org/download.html)

sqlite3.exe MopriaDeviceDb.db ".read MopriaSQLiteDb.sql"


  • Edit the NTFS permissions on the MopriaDeviceDb.db file located in C:\inetpub\wwwroot\MopriaCloudService\Database to grant read and write (Modify) permissions to the users/groups authorized to publish shared printers. Use a dedicated group for this rather than Everyone or Authenticated Users: anyone who can write this file can publish, alter or remove the printers offered to every Azure AD-joined device.
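The server-side steps above, from the Print Server role to the NTFS permissions, as one PowerShell script. This is an added example, not the post's own commands or part of the PublishCloudPrinter module; the tenant name, Directory ID, site root, publishing group and sqlite3.exe location are placeholders to adjust, and the web.config edit assumes the standard .NET bindingRedirect layout (dependentAssembly/assemblyIdentity/bindingRedirect under urn:schemas-microsoft-com:asm.v1) that the newVersion attribute lives in.

```powershell
# Added example (not from the original post): end-to-end server-side setup of
# Hybrid Cloud Print on Windows Server 2016, following the steps above.
# Run in an elevated PowerShell session on the print server.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$TenantName     = 'contoso.onmicrosoft.com'                # assumption: your tenant name
$TenantGuid     = '00000000-0000-0000-0000-000000000000'   # assumption: Azure AD Directory ID
$SiteRoot       = 'C:\inetpub\mopriacloudservice'          # assumption: where CloudPrintDeploy.ps1 put the site
$PublisherGroup = 'CONTOSO\CloudPrint-Publishers'          # assumption: dedicated AD group allowed to publish
$SqliteTools    = 'C:\Tools\sqlite'                        # assumption: folder holding sqlite3.exe

# 1. Print Server role, PublishCloudPrinter module and the deployment script
#    (the NuGet provider / repository-trust prompts mentioned above may still appear)
Install-WindowsFeature -Name Print-Server -IncludeManagementTools | Out-Null
Install-Module -Name PublishCloudPrinter -Force
Import-Module PublishCloudPrinter
$deploy = Join-Path (Split-Path (Get-Module PublishCloudPrinter).Path) 'CloudPrintDeploy.ps1'
& $deploy -AzureTenant $TenantName -AzureTenantGuid $TenantGuid

# 2. SQLite from nuget.org, then the five DLLs the Mopria service expects
Register-PackageSource -Name nuget.org -ProviderName NuGet -Location https://www.nuget.org/api/v2/ -Trusted -Force
Install-Package -Name System.Data.SQLite -ProviderName NuGet -Force | Out-Null
$pkgRoot = 'C:\Program Files\PackageManagement\NuGet\Packages'
$core = Get-ChildItem $pkgRoot -Directory -Filter 'System.Data.SQLite.Core.*' | Select-Object -First 1
$linq = Get-ChildItem $pkgRoot -Directory -Filter 'System.Data.SQLite.Linq.*' | Select-Object -First 1
$ef6  = Get-ChildItem $pkgRoot -Directory -Filter 'System.Data.SQLite.EF6.*'  | Select-Object -First 1
$bin = Join-Path $SiteRoot 'bin'
New-Item -ItemType Directory -Force -Path "$bin\x86", "$bin\x64" | Out-Null
Copy-Item "$($core.FullName)\lib\net46\System.Data.SQLite.dll"        $bin
Copy-Item "$($core.FullName)\build\net46\x86\SQLite.Interop.dll"     "$bin\x86"
Copy-Item "$($core.FullName)\build\net46\x64\SQLite.Interop.dll"     "$bin\x64"
Copy-Item "$($linq.FullName)\lib\net46\System.Data.SQLite.Linq.dll"  $bin
Copy-Item "$($ef6.FullName)\lib\net46\System.Data.SQLite.EF6.dll"    $bin

# 3. Point the bindingRedirect newVersion at the assembly version actually installed,
#    read from the DLL itself rather than typed by hand
$installed = [System.Reflection.AssemblyName]::GetAssemblyName("$bin\System.Data.SQLite.dll").Version.ToString()
$cfgPath = Join-Path $SiteRoot 'web.config'
$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($cfgPath)
$ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')   # assumption: standard assemblyBinding layout
foreach ($dep in $cfg.SelectNodes('//asm:dependentAssembly', $ns)) {
    $id = $dep.SelectSingleNode('asm:assemblyIdentity', $ns)
    if ($id.name -like 'System.Data.SQLite*') {
        $redirect = $dep.SelectSingleNode('asm:bindingRedirect', $ns)
        Write-Host "$($id.name): newVersion $($redirect.newVersion) -> $installed"
        $redirect.newVersion = $installed
    }
}
$cfg.Save($cfgPath)

# 4. Create the device database from the schema shipped with the site
$dbDir = Join-Path $SiteRoot 'Database'
Push-Location $dbDir
if (-not (Test-Path 'MopriaSQLiteDb.sql')) { throw "MopriaSQLiteDb.sql not found in $dbDir" }
& "$SqliteTools\sqlite3.exe" MopriaDeviceDb.db '.read MopriaSQLiteDb.sql'
Pop-Location

# 5. Least privilege on the database: only the publishing group gets Modify
$dbFile = Join-Path $dbDir 'MopriaDeviceDb.db'
$acl  = Get-Acl $dbFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($PublisherGroup, 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dbFile -AclObject $acl
(Get-Acl $dbFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The script reads the installed SQLite version from the DLL it just copied, so the web.config edit cannot drift from what is in bin; the final Format-Table shows the effective ACL on the database, which is worth checking before anyone publishes a printer.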


Create the Azure Web Applications

3 Azure applications are required to implement the hybrid cloud print service: 2 web app/API registrations and 1 native application:

    • one web app/API acting as the print service proxy
    • one web app/API acting as the print service discovery service
    • one native application, used by the Windows clients to authenticate to the two services (its application ID is the client ID pushed through MDM later)

    For this post, I'm assuming you have already deployed Azure Application Proxy; if not, you can check this post http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=608

    • From the Azure administration portal, go to Enterprise Applications\All applications in your directory and publish an On-premises application


    Recommendation: I would recommend setting the Visible to users option to No as well as the User assignment required option to No after publishing the applications; this ensures the applications are not displayed in the Azure Application Control Panel (My Apps), which could cause trouble, as these endpoints are not designed to be opened by end users in a web browser


    Recommendation: while you can keep the default External URL, it is recommended to customize it, either by shortening it or by using your Internet domain. If you use your Internet domain, do not forget to create the required CNAME record and to use that name when generating the IIS certificate (used previously). You will then have to upload this certificate (as a PFX) when configuring the custom domain in Azure


    IMPORTANT NOTE: if you perform any update on the Azure applications, double-check that the Home page URL is still as defined below.

    Hybrid Cloud Discovery Endpoint Web Application

    • Name: name the application as you wish; as usual, use an understandable name, like Hybrid Cloud Print Service Discovery
    • Internal URL: this is your internal print server (something like https://serverfqdn/mcs/); the Application Proxy connector must trust the certificate bound to that site
    • Pre-authentication method: Passthrough. The Application Proxy then performs no authentication of its own; access control relies on the print service validating the Azure AD token the client obtains through the native application, and on the SDDL attached to each published printer


    • Once the discovery application has been created, edit it to update the App ID URI to http://MopriaDiscoveryService/CloudPrint


    • Then, in the Required permissions blade, grant the Sign in and read user profile permission (if not already granted) and click Grant permissions


    • Edit the Home page URL to be set as http://MopriaDiscoveryService/CloudPrint


    Hybrid Cloud Proxy Service Web Application

    • Name: name the application as you wish; as usual, use an understandable name, like Hybrid Cloud Print Service
    • Internal URL: this is your internal print server (something like https://serverfqdn/ecp/)
    • Pre-authentication method: Passthrough (same remark as for the discovery application)


    • Once the proxy application has been created, edit it to update the App ID URI to http://MicrosoftEnterpriseCloudPrint/CloudPrint


    • Then, in the Required permissions blade, grant the Sign in and read user profile permission (if not already granted) and click Grant permissions


    • Edit the Home page URL to be set as http://MicrosoftEnterpriseCloudPrint/CloudPrint


    Hybrid Cloud Print Service Native Application

    • Create the native application; for the Redirect URI, use the Windows account broker URI, which looks like ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-3784861210-599250757-1266852909-3189164077-45880155-1246692841-2835503667


    • Grant the native application delegated permissions to the 2 web applications created above, then click Grant Permissions


    • Finally add the following URL’s to the Redirect URIs option
      • ms-appx-web://Microsoft.AAD.BrokerPlugin/<NativeClientAppID>
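Because the IMPORTANT NOTE above warns that portal edits can silently reset the Home page URL, the check is worth scripting. The following is an added example written for this page, not the post's own commands: it uses the AzureAD PowerShell module to compare the two web applications' App ID URI and Home page URL with the values above, and the native application's reply URLs with the broker URI built from its own application ID. The display names are assumptions (use whatever you named the applications), as is that your account may edit these registrations.

```powershell
# Added example (not from the original post): verify, and optionally repair,
# the three app registrations with the AzureAD module.
# Assumptions: AzureAD module installed, you are a directory administrator,
# display names below match what you created in the portal.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$expected = @(
    @{ Name = 'Hybrid Cloud Print Service Discovery'; Uri = 'http://MopriaDiscoveryService/CloudPrint' }
    @{ Name = 'Hybrid Cloud Print Service';           Uri = 'http://MicrosoftEnterpriseCloudPrint/CloudPrint' }
)
$nativeName = 'Hybrid Cloud Print Service Native'   # assumption: display name of the native app

function Test-CloudPrintWebApp {
    param([string]$DisplayName, [string]$Uri, [switch]$Repair)
    $app = Get-AzureADApplication -Filter "displayName eq '$DisplayName'"
    if (-not $app) { throw "Application '$DisplayName' not found" }
    $identifierOk = ($app.IdentifierUris -contains $Uri)
    $homepageOk   = ($app.Homepage -eq $Uri)
    [pscustomobject]@{
        Application  = $DisplayName
        AppId        = $app.AppId
        IdentifierOk = $identifierOk
        HomepageOk   = $homepageOk
    }
    if ($Repair -and -not ($identifierOk -and $homepageOk)) {
        # Both values must be exactly the URI the MDM policy will reference as the resource ID
        Set-AzureADApplication -ObjectId $app.ObjectId -IdentifierUris @($Uri) -Homepage $Uri
    }
}

# Report only; add -Repair to put the values back after drift
$expected | ForEach-Object { Test-CloudPrintWebApp -DisplayName $_.Name -Uri $_.Uri }

# Native app: a public client whose broker reply URL carries its own application ID
$native = Get-AzureADApplication -Filter "displayName eq '$nativeName'"
if (-not $native) { throw "Application '$nativeName' not found" }
$brokerUrl = "ms-appx-web://Microsoft.AAD.BrokerPlugin/$($native.AppId)"
[pscustomobject]@{
    Application      = $nativeName
    AppId            = $native.AppId
    PublicClient     = $native.PublicClient
    BrokerReplyUrlOk = ($native.ReplyUrls -contains $brokerUrl)
}
if ($native.ReplyUrls -notcontains $brokerUrl) {
    Set-AzureADApplication -ObjectId $native.ObjectId -ReplyUrls ($native.ReplyUrls + $brokerUrl)
}
```

The AzureAD module has since been retired in favour of Microsoft Graph PowerShell; the same properties are identifierUris, web.homePageUrl and publicClient.redirectUris on the application object there.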


    Registry Update

    This step is important.

    Log on to your print server and set the URL value located under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudPrint\MopriaDiscoveryService to the public URL associated with your Discovery application (like https://externalURL/mcs/)

    and then restart IIS (iisreset)
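The registry step, with the checks a practitioner would want around it, as an added example rather than the post's own command: it refuses a discovery URL that is not HTTPS or does not end in the /mcs virtual directory, writes the value, reads it back, recycles IIS, and warns if no certificate in the machine store covers the external host name. The external URL is a placeholder, and the value name URL under that key is taken from the step above.

```powershell
# Added example (not from the original post): set and verify the discovery URL
# the service is configured with, then recycle IIS.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$ExternalDiscoveryUrl = 'https://print.contoso.com/mcs/'   # assumption: external URL of the Discovery app

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudPrint\MopriaDiscoveryService'

# Guard against the two common mistakes: plain http, or the internal /mcs path missing
$uri = [uri]$ExternalDiscoveryUrl
if ($uri.Scheme -ne 'https' -or -not $uri.AbsolutePath.TrimEnd('/').EndsWith('/mcs')) {
    throw "Discovery URL must use https and end with /mcs/: $ExternalDiscoveryUrl"
}

$before = (Get-ItemProperty -Path $key -Name URL -ErrorAction SilentlyContinue).URL
Set-ItemProperty -Path $key -Name URL -Value $ExternalDiscoveryUrl -Type String
$after = (Get-ItemProperty -Path $key -Name URL).URL
"URL: '$before' -> '$after'"

& iisreset

# The certificate bound in IIS must cover the external host name the clients connect to
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $uri.Host }
if (-not $cert) {
    Write-Warning "No certificate in LocalMachine\My covers $($uri.Host); clients and the connector will reject the site"
} else {
    "Certificate for $($uri.Host): $($cert.Thumbprint) (expires $($cert.NotAfter))"
}
```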


    Configure the MDM policies

    • Access your Intune portal through the Azure administration portal, go to the Device configuration\Profiles blade and create a new profile


    • Create and deploy a Windows 10 and later profile of the Device restrictions type and configure the Cloud Printer settings


    • And configure the settings as per below
      • Printer discovery URL: Internet URL of the discovery endpoint (the one ending with the /mcs virtual directory)
      • Printer access authority URL: https://login.microsoftonline.com/<your Azure AD GUID>
      • Azure native client app ID: the Azure native application ID
      • Print service URI: http://MicrosoftEnterpriseCloudPrint/CloudPrint
      • Maximum printers to query: any value
      • Printer discovery service resource URI: http://MopriaDiscoveryService/CloudPrint

    • If you prefer a Custom profile type, add the following OMA-URI settings instead (the same six values as above)

      • Name: CloudPrintOAuthAuthority
        OMA-URI: ./Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintOAuthAuthority
        Data type: String
        Value: https://login.microsoftonline.com/<your Azure AD GUID>

      • Name: CloudPrintOAuthClientId
        OMA-URI: ./Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintOAuthClientId
        Data type: String
        Value: the Azure native application ID

      • Name: CloudPrintResourceId
        OMA-URI: ./Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintResourceId
        Data type: String
        Value: http://MicrosoftEnterpriseCloudPrint/CloudPrint

      • Name: CloudPrinterDiscoveryEndPoint
        OMA-URI: ./Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
        Data type: String
        Value: Internet URL of the discovery endpoint (the one ending with the /mcs virtual directory)

      • Name: MopriaDiscoveryResourceId
        OMA-URI: ./Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/MopriaDiscoveryResourceId
        Data type: String
        Value: http://MopriaDiscoveryService/CloudPrint

      • Name: DiscoveryMaxPrinterLimit
        OMA-URI: ./Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
        Data type: Integer
        Value: any value defining the maximum number of printers discovered
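The six values above have to agree with each other and with the app registrations (the authority must carry the tenant GUID, the two resource IDs must equal the App ID URIs, the discovery endpoint must be the HTTPS external URL ending in /mcs/). This added example, which is not from the post or from Intune, checks a set of intended values for those constraints before you type them into a profile, and on an enrolled Windows 10 device compares them with what MDM actually delivered. The tenant GUID, application ID and URL are placeholders; the registry path where the Policy CSP stores device-scope EnterpriseCloudPrint values is an assumption to confirm on your own client.

```powershell
# Added example (not from the original post): validate the EnterpriseCloudPrint
# policy values for consistency, then compare with what an enrolled client received.
$TenantGuid   = '00000000-0000-0000-0000-000000000000'   # assumption
$NativeAppId  = '11111111-1111-1111-1111-111111111111'   # assumption: native application ID
$DiscoveryUrl = 'https://print.contoso.com/mcs/'         # assumption: external discovery URL

$intended = [ordered]@{
    CloudPrintOAuthAuthority      = "https://login.microsoftonline.com/$TenantGuid"
    CloudPrintOAuthClientId       = $NativeAppId
    CloudPrintResourceId          = 'http://MicrosoftEnterpriseCloudPrint/CloudPrint'
    CloudPrinterDiscoveryEndPoint = $DiscoveryUrl
    MopriaDiscoveryResourceId     = 'http://MopriaDiscoveryService/CloudPrint'
    DiscoveryMaxPrinterLimit      = 20
}

function Test-CloudPrintPolicy {
    # Returns a list of problems; an empty list means the values are consistent
    param([System.Collections.IDictionary]$Policy)
    $guid = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
    $problems = @()
    if ($Policy.CloudPrintOAuthAuthority -notmatch "^https://login\.microsoftonline\.com/$guid/?$") {
        $problems += 'CloudPrintOAuthAuthority must be https://login.microsoftonline.com/<tenant GUID>'
    }
    if ($Policy.CloudPrintOAuthClientId -notmatch "^$guid$") {
        $problems += 'CloudPrintOAuthClientId must be the native application (client) ID GUID'
    }
    if ($Policy.CloudPrintResourceId -ne 'http://MicrosoftEnterpriseCloudPrint/CloudPrint') {
        $problems += 'CloudPrintResourceId must equal the proxy application App ID URI'
    }
    if ($Policy.MopriaDiscoveryResourceId -ne 'http://MopriaDiscoveryService/CloudPrint') {
        $problems += 'MopriaDiscoveryResourceId must equal the discovery application App ID URI'
    }
    $ep = $Policy.CloudPrinterDiscoveryEndPoint -as [uri]
    if (-not $ep -or $ep.Scheme -ne 'https' -or $ep.AbsolutePath -notmatch '/mcs/?$') {
        $problems += 'CloudPrinterDiscoveryEndPoint must be the https external URL ending in /mcs/'
    }
    if (-not ($Policy.DiscoveryMaxPrinterLimit -is [int]) -or $Policy.DiscoveryMaxPrinterLimit -lt 1) {
        $problems += 'DiscoveryMaxPrinterLimit must be a positive integer'
    }
    return $problems
}

$problems = Test-CloudPrintPolicy $intended
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Intended policy values are consistent.' }

# On an enrolled client: compare what MDM delivered with what was intended.
# Assumption: device-scope Policy CSP values land under this PolicyManager key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\EnterpriseCloudPrint'
if (Test-Path $policyKey) {
    $applied = Get-ItemProperty -Path $policyKey
    foreach ($name in $intended.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Intended = $intended[$name]
            Applied  = $applied.$name
            Match    = ("$($applied.$name)" -eq "$($intended[$name])")
        }
    }
} else {
    Write-Warning "No EnterpriseCloudPrint policy found under $policyKey; has the device synced?"
}
```

Run the first half anywhere; the second half only makes sense on an Azure AD-joined, Intune-enrolled client, and a row with Match = False is the usual reason the Search for cloud printers option never appears.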


    Publish the printer(s)

    There is no easy way (yet) to publish your printers to the Hybrid Print Service.

    To publish your printers, you need to sign in to your Azure AD tenant from PowerShell and run the following commands

    IMPORTANT: the account you use to publish the printers needs read and write permissions on the MopriaDeviceDb.db file

    IMPORTANT: there will be no cloud printer option on Windows 10 clients until at least one printer is published

    Install the Hybrid Cloud Print PowerShell module

    • Sign in to a Windows 10 Azure AD-joined device
    • Open a PowerShell prompt using Run as administrator

    NOTE: you may be prompted to trust the repository

    Find-Module -Name "PublishCloudPrinter"
    Install-Module -Name "PublishCloudPrinter"


    • Use the Publish-CloudPrinter command to publish the printer with the following parameters:
      • Printer: name of the published shared printer; this needs to be the shared printer name
      • Manufacturer: printer manufacturer
      • Model: printer model
      • OrgLocation: a JSON string defining the location of the printer
      • SDDL: string defining the permissions assigned to the printer, i.e. who can see and use it once published. To get it, run (Get-Printer "YourSharedPrinterName" -Full).PermissionSDDL and prefix the result with O:BA (Get-Printer returns the descriptor without an owner)


      • DiscoveryEndpoint: the external URL of the Discovery Azure Web Application created earlier (the one with /mcs)
      • PrintServerEndpoint: the external URL of the Proxy Azure Web Application created earlier
      • AzureClientID: the application ID of the Azure Native application
      • AzureTenantID: your Azure tenant ID

    The command will then look like this

    Publish-CloudPrinter -Printer "Epson Stylus Office BX620FWD" -Manufacturer "Epson" -Model "Epson Stylus Office BX620FWD" -OrgLocation '{"attrs": [{"category":"country", "vs":"Australia", "depth":0}, {"category":"organization", "vs":"Benoit HAMET", "depth":1}, {"category":"site", "vs":"Sydney,AU", "depth":2}, {"category":"building", "vs":"Home", "depth":3}]}' -Sddl "O:BAG:SYD:(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)" -DiscoveryEndpoint "https://<hybrid print service discovery URL>/mcs/" -PrintServerEndpoint "https://<hybrid print service endpoint URL>/ecp/" -AzureClientId "<Azure native app ID>" -AzureTenantGuid "<Azure AD tenant ID>"


    If you are getting the error “Invoke-RestMethod : You don’t have permission to Publish.”, check the NTFS permissions assigned on the MopriaDeviceDb.db file
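The SDDL is the only access control attached to a published printer, so it is worth seeing who it grants before publishing rather than pasting an opaque string. The following is an added example, not the post's command or part of the PublishCloudPrinter module: it reads the descriptor from the shared printer, adds the O:BA owner prefix as described above, parses the result with the .NET RawSecurityDescriptor class (which also rejects a malformed string before the publish call), lists each ACE with its account name, builds the OrgLocation JSON with ConvertTo-Json instead of hand-typing it, and then calls Publish-CloudPrinter with the parameters listed above. Printer name, manufacturer, model, location values, endpoints and IDs are placeholders.

```powershell
# Added example (not from the original post): publish a shared printer with
# parameters derived from the printer object, after inspecting the SDDL grants.
$PrinterName    = 'Epson Stylus Office BX620FWD'          # assumption: shared printer name
$Manufacturer   = 'Epson'                                 # assumption
$Model          = 'Epson Stylus Office BX620FWD'          # assumption
$DiscoveryUrl   = 'https://print.contoso.com/mcs/'        # assumption: external discovery URL
$PrintServerUrl = 'https://print.contoso.com/ecp/'        # assumption: external proxy URL
$NativeAppId    = '11111111-1111-1111-1111-111111111111'  # assumption: native application ID
$TenantGuid     = '00000000-0000-0000-0000-000000000000'  # assumption: Azure AD tenant ID

$printer = Get-Printer -Name $PrinterName -Full
if (-not $printer.Shared) { throw "'$PrinterName' is not shared; only shared printers can be published" }

# Get-Printer returns the descriptor without an owner; the service expects O:BA in front
$sddl = 'O:BA' + $printer.PermissionSDDL

function Get-PrinterSddlGrants {
    # Parse the SDDL (throws on a malformed string) and list each ACE with a resolved account
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $ace.SecurityIdentifier.Value }   # well-known SIDs that do not resolve locally
        [pscustomobject]@{
            Type    = $ace.AceType
            Account = $account
            Sid     = $ace.SecurityIdentifier.Value
            Mask    = ('0x{0:X8}' -f $ace.AccessMask)
            Flags   = $ace.AceFlags
        }
    }
}
Get-PrinterSddlGrants $sddl | Format-Table -AutoSize

# Location hierarchy in the JSON shape shown above, built rather than hand-typed
$location = [ordered]@{ attrs = @(
    [ordered]@{ category = 'country';      vs = 'Australia';   depth = 0 }
    [ordered]@{ category = 'organization'; vs = 'Contoso';     depth = 1 }
    [ordered]@{ category = 'site';         vs = 'Sydney,AU';   depth = 2 }
    [ordered]@{ category = 'building';     vs = 'Head office'; depth = 3 }
) }
$orgLocation = $location | ConvertTo-Json -Compress -Depth 4

Publish-CloudPrinter -Printer $printer.Name `
    -Manufacturer $Manufacturer `
    -Model $Model `
    -OrgLocation $orgLocation `
    -Sddl $sddl `
    -DiscoveryEndpoint $DiscoveryUrl `
    -PrintServerEndpoint $PrintServerUrl `
    -AzureClientId $NativeAppId `
    -AzureTenantGuid $TenantGuid
```

In the post's own example SDDL, the entries for WD (Everyone) and AC (All Application Packages) are what make the printer usable by anyone; the listing makes such grants visible so you can tighten the share permissions on the print server before publishing.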


    Using the Hybrid Print Service

    • From a Windows 10 Azure AD-joined device, ensure the policies have synced, then go to Settings\Devices\Printers & scanners; you should see the option Search for cloud printers


    Hybrid Print Service Management

    Management of the hybrid print service consists of publishing, querying or removing shared printers.

    Publishing printers has been covered previously.

    Query Hybrid Print Service

    To query the service and list which printers have been published, use the following command. The output is raw and not very readable.

    Publish-CloudPrinter -Query -DiscoveryEndpoint "<your discovery endpoint URL, like https://<hybrid print service discovery URL>/mcs/>" -AzureClientId "<your Azure native app ID>" -AzureTenantGuid "<Azure AD tenant ID>"


    Remove a published printer

    To remove a published printer, run the following command

    Publish-CloudPrinter -Unpublish -Printer "<name of the published printer>" -DiscoveryEndpoint "<your discovery endpoint URL, like https://<hybrid print service discovery URL>/mcs/>" -PrintServerEndpoint "<your hybrid print service endpoint, like https://<hybrid print service endpoint URL>/ecp/>" -AzureClientId "<your Azure native app ID>" -AzureTenantGuid "<Azure AD tenant ID>"