Intel® vPro™ Setup and Configuration Basics & Integration
Developers frequently ask how to integrate Intel® Active Management Technology (Intel® AMT)/Intel vPro commands into their Management Console. Before Intel AMT clients can be managed, they must first be enabled and provisioned.
What is Intel AMT configuration and why is it important?
When an OEM ships a system that supports configurable Intel AMT, the available features depend on whether the system is Intel Standard Manageability or Intel vPro Technology. Regardless of the Intel AMT type, configuration is the process of setting up the firmware so that it can be accessed remotely on the corporate network.
In basic setup and configuration, the process establishes a connection to the Intel AMT device and supplies the Master Digest Password and network settings. Many additional features can be enabled, including Active Directory Integration, Alarm Clock, AMT Events, Hardware Asset inventory, KVM, Remote Power Management, Storage Redirection, System Defense, TLS, wireless profiles and 802.1x.
Intel AMT uses a minimum of three passwords as listed below:
- Management Engine BIOS Extension (MEBx) - This password can be thought of as the physical access password. It is only used when you are sitting at the system to access the MEBx during the Boot Process. This password can be changed during access via the MEBx or USB Configuration or SCS configuration.
- AMT Master Digest Password - This password is the default "admin" password and is used for all remote connections to the Intel AMT firmware. During initial provisioning this password is the same as the MEBx password (stored as two separate values).
- RFB5900 - This password is optional and is only used if you are configuring the device for a traditional VNC client on port 5900.
Control Mode Choice affects redirection permissions
The configuration process leaves the Intel AMT device in one of two modes: Client Control Mode (CCM) or Admin Control Mode (ACM). The primary difference is that CCM requires User Consent for redirection operations and ACM does not.
The User Consent feature adds another level of security for remote users. When a redirection is required of the remote client, a User Consent code must be submitted. Accessing via KVM or executing an IDEr command is considered a redirection operation, but performing a get power state or reboot is not.
Management Console Integration
The configuration process can be integrated simply by providing a basic configuration profile, or by using Intel SCS to create highly configurable profiles.
Basic Console Integration
The most basic console integration uses Host Based Configuration (HBC). HBC allows for configuration from within the Windows OS, leaving the device in CCM. The console provides the profile and the script for configuring the remote AMT device.
A typical minimal integration would require the Management Console to perform the following:
- Provide the AMT password.
- Determine if the AMT client is DHCP Enabled or has a Static IP.
- Create a profile.xml file and encrypt it with a password <decryptionpassword>.
- Push the profile.xml to the client along with acuconfig.exe, acu.dll and the script.
- Launch the script (.bat or .ps1) on the Intel AMT device.
- Example: acuconfig.exe configamt profile.xml /DecryptionPassword <password>
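The last two steps, written as the .ps1 launch script the console would push, as an added example (not Intel's or the page's own code). The staging directory and parameter names are hypothetical, and treating any non-zero exit code from acuconfig.exe as a failure is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: client-side launch script for Host Based Configuration.
# Assumes the console already copied acuconfig.exe, acu.dll and the encrypted
# profile.xml into $StagingDir (hypothetical parameter names).
param(
    [Parameter(Mandatory)] [string] $StagingDir,
    [Parameter(Mandatory)] [securestring] $DecryptionPassword
)
$ErrorActionPreference = 'Stop'

# Fail early if the console's push was incomplete.
foreach ($name in 'acuconfig.exe', 'acu.dll', 'profile.xml') {
    if (-not (Test-Path -LiteralPath (Join-Path $StagingDir $name) -PathType Leaf)) {
        throw "Missing required file: $name"
    }
}
$acuConfig   = Join-Path $StagingDir 'acuconfig.exe'
$profilePath = Join-Path $StagingDir 'profile.xml'

# profile.xml carries the AMT admin password: limit the staging directory to
# SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544).
& icacls.exe $StagingDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# acuconfig.exe takes the password as an argument, so it has to be plain text
# for the lifetime of the process; keep that window short.
$plain = [System.Net.NetworkCredential]::new('', $DecryptionPassword).Password
try {
    & $acuConfig ConfigAMT $profilePath /DecryptionPassword $plain
    # Assumption: any non-zero exit code means configuration did not complete.
    if ($LASTEXITCODE -ne 0) {
        throw "acuconfig.exe ConfigAMT failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Do not leave the profile or the plain-text password behind, on success or failure.
    Remove-Item -LiteralPath $profilePath -Force -ErrorAction SilentlyContinue
    $plain = $null
}
```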
Creating the profile
Determine the Intel AMT features that are to be supported by the console. Then use the ACUWizard from the SCS package to create a sample profile.xml. The file will be encrypted, so you will need to decrypt it using the SCSEncryption tool from the SCS package "utils" folder. Once it is decrypted, open it in an XML editor and use this sample to determine which XML tags are required for your needs. Then create your own XML in your console's XML creator. Encryption of your final profile.xml file is optional.
Decryption syntax: SCSEncryption.exe Decrypt <input_filename> <password> /Output <output_filename>
Why Intel SCS is considered the Premier Tool for Configuration
Intel's SCS utility is one of the methods that allows for remote configuration into Admin Control Mode (ACM). However, Intel SCS does not provide APIs, so there is no console integration available.
Other Configuration Solutions
The Intel AMT Implementation and Reference Guide provides sample code and additional resources if you choose to use the already mentioned tools.
In order for an Intel AMT device to be remotely managed, it requires configuration to communicate over the corporate network. At the very minimum, the device must have an AMT Master Digest Password (User: Admin) assigned and the local network connection information applied to the firmware. Until this has been accomplished, remote management cannot occur.
Remember that the Control Mode (Client or Admin) affects the ease of redirection operations.