Posted on 07-20-2015 06:48 PM
We have Macs out in the wild, and some are not managed by Casper. My task (whether I choose to accept it or not) is to find these rogue devices and enroll them into my JSS.
The environment has over 200 subnets where Macs & PCs reside. I normally use Recon or ARD. I like Recon as it's more efficient. So, what is my question? Is there a better tool out there that can scan my subnets and perhaps check for a jamf agent on the machine?
I have a spreadsheet with the different subnets (broken down by scope). Is there a way for Recon to import the contents of the spreadsheet to set up the different subnets?
Posted on 07-20-2015 08:01 PM
Just thinking ahead.
Let's assume you locate a rogue Mac that is not managed.
If the machine has remote login (ssh) and remote management (ARD/VNC) disabled (default settings), how are you going to get it managed?
Posted on 07-20-2015 08:39 PM
Unfortunately, Recon has not been updated for a long time and is not as powerful as it could be. I wish JAMF would think about their roots and update it. :)
One way I have seen it done is to create the XML-based Recon settings files manually, or through a script, maybe one per subnet, then run Recon for each file, with all the known usernames and passwords in your environment.
-Florin
Posted on 07-20-2015 10:40 PM
Is there a better tool out there that can scan my subnets and perhaps check for a jamf agent on the machine?
AFAIK, Recon is still the best tool for that job.
Posted on 07-21-2015 05:04 AM
Tool-wise, Recon is the best I've seen, given you have the admin credentials of the machine.
But a little word of warning. Make sure you let your network guys know what you are doing and coordinate with them to scan at certain times. Scans like this can cause a big disturbance in the force, which some very edgy switches might see as a DoS attack. So always get your network guys' approval and scan away.
Posted on 07-21-2015 09:06 AM
@wmateo I recommend reaching out to your TAM to discuss what you plan on doing just to make sure there aren't any other "gotchas" unique to your environment.
I did something similar at a previous employer, and one thing I found was that at the beginning of a scan Recon will cache the current IPs logged in the JSS. If you are scanning as many IPs as you are, it will take a long time. People in my environment moved around, and if they got a new IP that wasn't cached at the beginning it would re-enroll the machine. While most of the info for this device is kept, there are some things that were lost (such as User and Location info).
I believe there are some settings you can change in the database to stop this, but I would recommend reaching out to your TAM just to confirm. I had created a Feature Request back in the day that you could probably reference as well.