The big problems are:
- macOS using restriction profiles seems unable to handle relative paths. In earlier versions of OS X you could use these paths such as '~/' for the home folder to for example deny execution of applications from within the home folder
- In order to print, macOS needs to create these 'PrinterProxy' apps in the users home directory under 'Library/Printers'.
Why these PrinterProxys habe to be located within the home directory is out of my reach.
Also I don't think this is logic. Even if the printer is assigned to the machine, the folder containing those PrinterProxys is still located in the home directory of the user.
But anyway.
I tried al sorts of redirections, creating a PrinterProxy folder in /Library or /tmp and then creating a symlink that would point at these folder.
Forget it. It won't work.
So, in the end I ended up doing this:
For every file share that contains user home directories, I created an entry in the 'Allow Folder' section of the profile.
These entries look like this:
/Network/Servers/By using the payload variable '%short_name%" inside the path allows you to use the users short name as is most often done for the name of his home directory./Volumes/ /%short_name%/Library/Printers
The rest of the path has to correspond to the path that you get when entering the command
pwdin the terminal when logged in as an example user.
I hope this helps others to save some time and prevents them from going all the way again.
This procedure was verified using macOS 10.12.3
