This sounds like a case for Rogue System Detection.
If you schedule an hourly check for new rogues and deploy the McAfee agent as a response to that task, you should be OK.
Then schedule an hourly task to deploy your chosen AV software and you should be set; no machine will be able to be on your network for more than 2 hours at most before it has AV on it.
k.howard, welcome to the McAfee community.
This is a common scenario. The first thing you should do is "register" each server on the other one. You will have to export/import keys. What this will allow is to "transfer" your systems, policies, tasks, tags, etc. from the OLD server to the new one with the click of a button. Once you've transferred all systems, keep the old server up for some time to see whether some agents are still connected to it.
Existing clients can be "transferred" to the new ePO after registering as mentioned above, or you can install the McAfee agent on these systems, which will then communicate with the new ePO.
New clients - Set up RSD as mentioned by martinph above. Highly active servers such as DNS, DHCP, and DCs are good candidates. As always, test for any adverse performance impact. You can create custom "Query"-based server tasks that will target "unmanaged" systems and will try to deploy agents on them. I'm assuming your systems are domain joined, which will make the deployment process easy. In addition, you can provide your technicians the McAfee agent package to be baked into their system image. This way, when machines are given to users, they will already have the McAfee agent (and other packages such as ENS).
You can most certainly apply tags automatically. It depends on a few things. For example, if your laptops and desktops are in different containers in AD, within McAfee ePO, you can configure your systems folder to apply those tags. If your systems have certain naming conventions (i.e., name begins with a "DT" or "LT" prefix), you can apply tags as needed.