Question

Best Practice for Scanning 200 + Subnets, Enrollment

  • July 21, 2015
  • 5 replies
  • 49 views


We have Macs out in the wild, and some are not managed by Casper. My task (whether I choose to accept it or not) is to find these rogue devices and enroll them into my JSS.

The environment has over 200 subnets where Macs & PCs reside. I normally use Recon or ARD. I like Recon as it's more efficient. So, what is my question? Is there a better tool out there that can scan my subnets and perhaps check for a jamf agent on the machine?

I have a spreadsheet with the different subnets (broken down by scope). Is there a way for Recon to import the contents of the spreadsheet to set up the different subnets?

5 replies

  • New Contributor
  • July 21, 2015

Just thinking ahead.

Let's assume you locate a rogue Mac that is not managed.

If the machine has remote login (ssh) and remote management (ARD/VNC) disabled (default settings), how are you going to get it managed?


  • New Contributor
  • July 21, 2015

Unfortunately Recon has not been updated for a long time and is not as powerful as it could be. I wish JAMF would think about their roots and update it. :)

One way I have seen it done is to create the XML-based Recon settings files manually, or through a script, maybe one per subnet, then run Recon for each file, with all the known usernames and passwords in your environment.

-Florin
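The per-subnet approach above still leaves the spreadsheet-to-Recon step from the original question. The script below is an added example, not code from this thread or from JAMF: it assumes the spreadsheet is exported as CSV with `scope` and `subnet` columns (a constructed sample is embedded), collapses duplicate and overlapping subnets per scope, and emits the start/end address ranges and host counts you would then feed into Recon's network scan or into the per-subnet settings files Florin describes. The host count also gives a rough scan-duration estimate to agree a window with the network team.

```python
import csv
import io
import ipaddress

# Constructed sample export of the subnet spreadsheet (not real data).
# The overlap (10.10.1.128/25 inside 10.10.1.0/24) and the duplicate
# Branch-A row are deliberate so the collapsing step has work to do.
SAMPLE_CSV = """scope,subnet
HQ-Floor1,10.10.1.0/24
HQ-Floor1,10.10.1.128/25
HQ-Floor2,10.10.2.0/23
Branch-A,192.168.50.0/24
Branch-A,192.168.50.0/24
not-a-subnet,10.0.0.300/24
"""


def load_subnets(csv_text):
    """Parse the CSV into {scope: [IPv4Network, ...]}, skipping invalid rows."""
    scopes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["subnet"].strip(), strict=False)
        except ValueError:
            continue  # malformed CIDR in the spreadsheet: skip, do not abort
        scopes.setdefault(row["scope"].strip(), []).append(net)
    return scopes


def scan_ranges(scopes):
    """Collapse overlapping/duplicate subnets per scope and return
    {scope: [(first_host, last_host, host_count), ...]}."""
    result = {}
    for scope, nets in scopes.items():
        ranges = []
        for net in ipaddress.collapse_addresses(nets):
            if net.num_addresses > 2:  # skip network and broadcast addresses
                first, last, count = net[1], net[-2], net.num_addresses - 2
            else:                      # /31 and /32: every address is a host
                first, last, count = net[0], net[-1], net.num_addresses
            ranges.append((str(first), str(last), count))
        result[scope] = ranges
    return result


def estimate_hours(ranges_by_scope, seconds_per_address=2.0):
    """Rough wall-clock estimate for a sequential scan; the per-address
    cost is an assumed placeholder, measure it on one subnet first."""
    total = sum(c for rs in ranges_by_scope.values() for _, _, c in rs)
    return total * seconds_per_address / 3600


if __name__ == "__main__":
    ranges = scan_ranges(load_subnets(SAMPLE_CSV))
    for scope, rs in ranges.items():
        for first, last, count in rs:
            print(f"{scope}: {first} - {last} ({count} hosts)")
    print(f"estimated scan time: {estimate_hours(ranges):.2f} h")
```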


bentoms
  • Hall of Fame
  • July 21, 2015

@wmateo

Is there a better tool out there that can scan my subnets and perhaps check for a jamf agent on the machine?

AFAIK, recon is still the best tool for that job.


roiegat
  • Valued Contributor
  • July 21, 2015

Tool-wise, Recon is the best I've seen, given you have the admin credentials of the machine.

But a little word of warning. Make sure you let your network guys know what you are doing and coordinate with them to scan at certain times. Scans like this can cause a big disturbance in the force, which some very edgy switches might see as a DoS attack. So always get your network guys' approval and scan away.


  • Employee
  • July 21, 2015

@wmateo I recommend reaching out to your TAM to discuss what you plan on doing just to make sure there aren't any other "gotchas" unique to your environment.

I did something similar at a previous employer and one thing I found was at the beginning of a scan Recon will cache the current IPs logged in the JSS. If you are scanning as many IPs as you are it will take a long time. People in my environment moved around and if they got a new IP that wasn't cached at the beginning it would re-enroll the machine. While most of the info for this device is kept, there are some things that were lost (such as User and Location info).

I believe there are some settings you can change in the database to stop this but I would recommend reaching out to your TAM just to confirm. I had created a Feature Request back in the day you could probably reference as well.