Intel® vPro™ Technology
Configuring Intel® Active Management Technology
Overview of Intel® Active Management Technology Configuration Process
Configuration Process for Small Businesses
Intel® Active Management Technology (Intel® AMT) is designed to allow small businesses to configure and utilize it without depending on third-party software. However, since the configuration process requires manual operation on each system with Intel AMT, it is not scalable beyond the needs of a small business. The initial configuration of Intel AMT is performed through a specialized BIOS module, available on systems with Intel AMT, called the Intel® Management Engine BIOS Extension (Intel® MEBX). An administrator uses the Intel MEBX screens, such as the one presented in Figure 1, to enable Intel AMT, to configure a password, and possibly to specify the network settings required for network connectivity.

Figure 1: Intel® MEBX, Intel® AMT configuration screen example
Source: Intel Corporation, 2008
From this point onward Intel AMT is accessible over a Local Area Network (LAN), and further configuration or use can take place through a set of Web pages that Intel AMT exposes, such as the one presented in Figure 2.

Figure 2: Intel® AMT Web page example
Configuration Process for Enterprises
For enterprises, Intel AMT configuration is performed automatically and remotely, by using a configuration server. The configuration server is integrated into ISV management suites, such as Symantec Notification Server*, LANDesk Management Suite*, and the Microsoft SCCM*. The configuration server establishes a secure connection with Intel AMT and then downloads the configuration data into Intel AMT. The protocols for setting up the secure connection are described in subsequent sections.
Intel® AMT Configuration Methods
Configuration of Intel AMT in an enterprise is fundamentally based on two available protocols: the Transport Layer Security (TLS)[5] protocol based on the Pre-Shared Key (PSK) method, and the TLS protocol based on the Asymmetric Key method (also called remote configuration). Certain attributes and properties of these protocols can be adjusted to achieve varying levels of security and configurability.
TLS Configuration Protocol Based on the Pre-Shared Key Method
This protocol is based on the TLS-PSK Request For Comment (RFC)[6]. This RFC specifies a mechanism by which two parties can establish a secure channel of communication with one another.
In the case of Intel AMT, the two parties interested in setting up a secure communication channel are Intel AMT and the Intel AMT configuration server. The starting assumption of the TLS-PSK protocol is that both parties must already share a secret. The PSK method offers stringent security that meets the needs of the most security-conscious enterprises; however, this method requires distribution of the PSK, and that comes at a price.
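The shared-secret assumption can be made concrete with the key derivation behind TLS-PSK. The following is an added example, not code from the article or from Intel: it builds the premaster secret as RFC 4279 defines it for the plain PSK key exchange and expands it with the TLS 1.2 PRF (an assumption; the article does not say which TLS version Intel AMT negotiates). The random values and PSKs are constructed for illustration.

```python
import hashlib
import hmac
import struct


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279, section 2, plain PSK key exchange:
    uint16(N) || N zero octets || uint16(N) || PSK, with N = len(PSK)."""
    n = len(psk)
    if not 0 < n < 2 ** 16:
        raise ValueError("PSK must be non-empty and its length must fit in a uint16")
    length = struct.pack("!H", n)
    return length + bytes(n) + length + psk


def tls12_prf(secret: bytes, label: bytes, seed: bytes, size: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5) using the P_SHA256 expansion."""
    seed = label + seed
    out, a = b"", seed                                   # A(0) = label + seed
    while len(out) < size:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:size]


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret that each endpoint computes independently."""
    return tls12_prf(psk_premaster_secret(psk), b"master secret",
                     client_random + server_random, 48)


# Constructed Hello randoms (not from the article); both travel in the clear.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))


def sessions_match(device_psk: bytes, server_psk: bytes) -> bool:
    """True only if both endpoints derive the same master secret."""
    device = master_secret(device_psk, CLIENT_RANDOM, SERVER_RANDOM)
    server = master_secret(server_psk, CLIENT_RANDOM, SERVER_RANDOM)
    return hmac.compare_digest(device, server)


if __name__ == "__main__":
    print("same PSK:     ", sessions_match(b"constructed-psk-A", b"constructed-psk-A"))
    print("different PSK:", sessions_match(b"constructed-psk-A", b"constructed-psk-B"))
```

Because the premaster secret contains nothing but the PSK and its length, the channel's confidentiality rests entirely on how the PSK was generated and distributed.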
Remote Configuration Protocol Based on the TLS Asymmetric Key Method
This protocol is also based on the TLS standard. The TLS standard specifies a protocol by which two parties can set up a secure channel of communication with one another by using Rivest-Shamir-Adleman (RSA) key pairs that each of them has established a priori. There is no need for the two parties to pre-share any secret, as is the case when using the PSK protocol. This is the biggest advantage of this mechanism: we do not have to devise mechanisms to share secrets, as in the PSK case.
Configuring Enterprise Data
Once a secure and trusted session is established between the configuration server and Intel AMT, the configuration server can push down the enterprise-specific information, enabling Intel AMT systems to be operational on the enterprise network. Intel AMT leverages the Common Information Model (CIM) of the Distributed Management Task Force (DMTF) [7] to represent the various configuration settings, which are communicated by using DMTF's Web-Services for Management (WS-MAN)[8] protocol. Intel AMT supports DMTF's Desktop and Mobile Architecture for System Hardware (DASH) initiative [9], which aims to standardize the manageability of desktop and mobile systems. Certain configuration properties of Intel AMT utilize DMTF's management profiles mandated by DASH. For example, local user-account management and authorization are based on DMTF's Simple Identity Management [10] and Role Based Authorization [11] profiles.
The Intel AMT Software Development Kit (SDK) [12] provides the complete list of supported management profiles and the complementary CIM-based data model available for ISVs and IT.
