Best Practice for Scanning 200 + Subnets, Enrollment


We have Macs out in the wild, and some are not managed by Casper. My task (whether I choose to accept it or not) is to find these rogue devices and enroll them into my JSS.

The environment has over 200 subnets where Macs & PCs reside. I normally use Recon or ARD. I like Recon as it's more efficient. So, what is my question? Is there a better tool out there that can scan my subnets and perhaps check for a jamf agent on the machine?

I have a spreadsheet with the different subnets (broken down by scope). Is there a way for Recon to import the contents of the spreadsheet to set up the different subnets?


Just thinking ahead.

Let's assume you locate a rogue Mac that is not managed.

If the machine has remote login (ssh) and remote management (ARD/VNC) disabled (default settings), how are you going to get it managed?

Unfortunately Recon has not been updated for a long time and is not as powerful as it could be. I wish JAMF would think about their roots and update it. 🙂

One way I have seen it done is to create the XML-based Recon settings files manually, or through a script, maybe one per subnet, then run Recon for each file, with all the known usernames and passwords in your environment.
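The per-subnet settings files described above can be generated from the subnet spreadsheet rather than typed by hand. The script below is an added example, not code from the thread or from Jamf: it reads a constructed CSV export (scope, subnet), validates and de-duplicates the subnets, works out the first and last host address of each, and writes one file per subnet. The XML element names are assumed placeholders, since Recon's real settings schema is not given here; copy the structure from a settings file exported from Recon itself before feeding the output back to it.

```python
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-in for the subnet spreadsheet, exported as CSV.
# The repeated 10.10.1.0/24 row exercises the de-duplication step.
SUBNET_CSV = """scope,subnet
Building A,10.10.1.0/24
Building A,10.10.2.0/24
Building B,10.20.0.0/22
Lab,10.10.1.0/24
"""


def load_subnets(csv_text):
    """Parse the rows, reject malformed subnets (strict=True refuses host bits
    set in the prefix), and keep one entry per network; first scope wins."""
    subnets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["subnet"].strip(), strict=True)
        subnets.setdefault(str(net), row["scope"].strip())
    return subnets


def scan_range(subnet):
    """First and last host addresses to scan. Network and broadcast addresses
    are skipped, so a /24 yields .1 through .254; /31 and /32 keep both ends."""
    net = ipaddress.ip_network(subnet)
    if net.num_addresses <= 2:
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def build_settings_xml(scope, subnet):
    """One settings document per subnet. Element names are hypothetical."""
    root = ET.Element("recon_network_scan")
    ET.SubElement(root, "name").text = f"{scope} {subnet}"
    start, end = scan_range(subnet)
    rng = ET.SubElement(root, "ip_range")
    ET.SubElement(rng, "starting_address").text = start
    ET.SubElement(rng, "ending_address").text = end
    return ET.tostring(root, encoding="unicode")


def write_all(csv_text, out_dir):
    """Write one file per subnet; the returned paths can be fed to Recon one at a time."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for subnet, scope in load_subnets(csv_text).items():
        path = out / (subnet.replace("/", "_") + ".xml")
        path.write_text(build_settings_xml(scope, subnet))
        paths.append(path)
    return paths
```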


Is there a better tool out there that can scan my subnets and perhaps check for a jamf agent on the machine?

AFAIK, Recon is still the best tool for that job.

Tool-wise, Recon is the best I've seen, given you have the admin credentials of the machine.

But a little word of warning. Make sure you let your network guys know what you are doing and coordinate with them to scan at certain times. Scans like this can cause a big disturbance in the force, which some very edgy switches might see as a DoS attack. So always get your network guys' approval and scan away.


@wmateo I recommend reaching out to your TAM to discuss what you plan on doing just to make sure there aren't any other "gotchas" unique to your environment.

I did something similar at a previous employer and one thing I found was that at the beginning of a scan Recon will cache the current IPs logged in the JSS. If you are scanning as many IPs as you are, it will take a long time. People in my environment moved around, and if they got a new IP that wasn't cached at the beginning it would re-enroll the machine. While most of the info for the device is kept, there are some things that were lost (such as User and Location info).

I believe there are some settings you can change in the database to stop this, but I would recommend reaching out to your TAM just to confirm. I had created a Feature Request back in the day that you could probably reference as well.