How to find Macs on your domain

danielgrm
New Contributor III

I am new to Jamf and have been tasked with wrangling in our Mac architecture here at my company. The question is how do you go about finding them. From our legacy side that I created, I know the subnets and admin usernames for all the machines. Being that the image is standard, I have set up remote login and remote management. So I can go ahead and scan the subnets and not have an issue.

On the other side it gets a little more tricky. There is no standard image. Remote login and management are generally not turned on. Also the admin usernames are all over the place. Nothing is standard.

What have you guys done to go about finding the macOS devices on the domain?

4 REPLIES

m_donovan
Contributor III

Casper Recon has a network scanner that can be used to find and enroll computers on your network. I have not personally used it myself but it may get you what you need.

mm2270
Legendary Contributor III

Recon.app's Network Scanner is a place to start, but be aware there are prerequisites to being able to use it effectively. For example, you need to know of at least one or more possible local administrator account names and associated passwords on your deployed Macs, that Recon.app can use to connect to them. Also, SSH has to be enabled. If you have a bunch of Macs that were either set up piecemeal with no standard local admin accounts on them, or no SSH enabled, Recon.app isn't going to be much help. Essentially, it needs a way it can "remote in" to each Mac, copy the jamf binary over and enroll the Mac back into the Jamf Pro server.

From the sounds of what you described, it doesn't sound like you'll be able to use this method, since you said "Remote login and management are generally not turned on" but perhaps some of them are enabled. You'd still need to enter the admin names/passwords to connect.
As you said Remote Management isn't typically enabled, that rules out using something like Apple Remote Desktop, which does provide an avenue to push a QuickAdd.pkg. But... it's gotta be on, or SSH has to be on. With both off, you're kind of stuck.

The only other method that comes to mind is having users enroll themselves by clicking a link in an email to the user initiated enrollment (UIE) page, once you set that up. This works if your users are a) local admins (they need to be able to install a .pkg), and b) if you can entice them to enroll so they can partake in something you will be rolling out. An example might be 802.1x certificate based Wi-Fi, if applicable. IOW, see if you can come up with some reason they will want to be managed and they will do it.

Last thing is, you're not alone here. I've seen a few environments that get Jamf Pro in place, and then go, "Now what?" once they realize they don't have a good way of discovering all these rogue Macs on the network and wrangling them under management. It's not uncommon.

Hope that helps anyway.

jefff
Contributor II

Active Directory can identify the OS, so your AD administrator should be able to help you find the Macs in AD. It's handy if you can convince the AD admin to put them in their own OU.

I was fortunate when I rolled out my current Jamf setup that all of the AD names in our organization include the building and room number. Cross-referencing those locations with the employee directory made it fairly easy to identify the associated users.

Assuming your AD and naming scheme aren't set up to facilitate the process, I'd recommend you start by sending out an organization-wide email request to get your Mac users to self-identify for the purpose of enrolling their machines.

If there are still machines that weren't identified during the self-identification phase, your next step could be to remove them from the domain a few at a time. Removing those machines should work well and quickly, if the Mac users are all domain users, to encourage the straggler users to self-identify. You could announce that removal plan in advance to reduce the backlash. "The voluntary phase is over. We're now going to require your Macs to be managed."
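The cross-reference described in the reply above (find the Macs in AD, then see which ones are not yet under management), as an added example that is not part of the original post. It assumes a CSV export of AD computer objects with the `name`, `operatingSystem` and `lastLogonTimestamp` attributes and a list of computer names exported from Jamf Pro; the sample rows, the "Mac OS X"/"macOS" strings and the 90-day stale threshold are constructed assumptions. It only sees Macs that are bound to the domain.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: CSV export of AD computer objects (not real data).
AD_EXPORT = """name,operatingSystem,lastLogonTimestamp
BLDG2-RM114-MAC,Mac OS X,133500000000000000
BLDG1-RM201-PC,Windows 10 Enterprise,133510000000000000
bldg3-rm007-mac,macOS,133505000000000000
BLDG4-RM310-MAC,Mac OS X,131000000000000000
BLDG5-RM012-MAC,macOS,
"""
# Constructed sample: computer names already enrolled in Jamf Pro.
JAMF_NAMES = ["BLDG3-RM007-MAC"]
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    """lastLogonTimestamp counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def is_mac(os_name):
    # Assumed values of operatingSystem for bound Macs; adjust to your directory.
    os_name = os_name.lower()
    return "mac os" in os_name or "macos" in os_name or "os x" in os_name

def unmanaged_macs(ad_csv, jamf_names, now, stale_days=90):
    """Return (name, last_logon_date, status) for AD Macs missing from Jamf."""
    managed = {n.lower() for n in jamf_names}   # AD names are case-insensitive
    cutoff = now - timedelta(days=stale_days)
    rows = []
    for rec in csv.DictReader(io.StringIO(ad_csv)):
        if not is_mac(rec["operatingSystem"]) or rec["name"].lower() in managed:
            continue
        raw = (rec["lastLogonTimestamp"] or "").strip()
        if not raw or raw == "0":               # object exists but never logged on
            rows.append((rec["name"], None, "never"))
            continue
        last = filetime_to_dt(raw)
        status = "stale" if last < cutoff else "active"
        rows.append((rec["name"], last.date().isoformat(), status))
    return rows

if __name__ == "__main__":
    for row in unmanaged_macs(AD_EXPORT, JAMF_NAMES, SAMPLE_NOW):
        print(row)
```

Rows marked "stale" or "never" are likely leftover computer objects rather than Macs still in use, so the "active" rows are the ones worth chasing first.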

danielgrm
New Contributor III

Thanks guys for this. What I am finding is not everyone is bound to the domain. It's just a bit of a mess right now. I will take these suggestions and run with them. It's going to be a bit of a struggle, but we will get there. On a different note, do you guys have problems with RECON freezing up when it's running? It does this to me and it doesn't go to not responding, but just sits there. I can leave it all day and it still comes back stuck in the same spot.