The User Consent feature of Intel® Active Management Technology (Intel® AMT) is one of the distinguishing differences between Admin Control Mode (ACM) and Client Control Mode (CCM). (See Intel® AMT Basic Concepts for more information.)
The User Consent feature adds another level of security for remote users. When redirection is required of the remote client, a User Consent code must be submitted. Accessing an Intel AMT device via the Intel® KVM Remote Control feature or executing storage redirection are considered redirection operations. While performing operations such as remote power management doesn’t redirect data, so the technician doesn’t need further authentication beyond the typical AMT authentication.
The User Consent code is provided on the client-side as a sprite on the Intel AMT device’s display. This sprite is generated by the Intel® GPU and is not available to the OS. This is a 6-digit code that the technician will use when making the connection requiring the consent, such as an Intel KVM connection. (see Figure 1)
Figure 1. The 6-digit User Consent code
Console Integration of the User Consent Feature
If the console performs client configuration using host-based configuration, then User Consent will be enabled by default, which makes the integration of the User Consent feature mandatory for redirection operations.
The basic steps in the process are:
- Making the initial AMT connection:
Using the HLAPI, we can easily make the connection and authenticate with the firmware; the solution will require the use of several files: HLAPI.dll, imrsdk.dll, and IWSManClient.dll.
This is done by creating an object for each Intel AMT device. The instance is created using the AMTInstanceFactory.Create method and the IAMTInstance interface.
- Requesting the User Consent code to be displayed:
The User Consent code can be generated by calls from the HLAPI either remotely or locally by using the DisplayConsentCode HLAPI method.
- End user to provide the code to the technician:
This is a manual process as the sprite is not available to the CPU, so software-based means will not be able to “see” the code.
- The admin console sends the User Consent code back to the Intel AMT client:
The remote operator will send the User Consent code as a string by the UserConsent.SendCode function.
- Intel AMT client processes incoming code and enters into an in-session state:
The Intel AMT device authenticates the user consent code and then the Intel AMT device changes the ConsentProcessState enumeration to ReadyForSessionStart until such time as the SessionTimeout value of the UserConsentSettings has expired or a redirection operation has commenced that will change the enumeration of ConsentProcessState.InSession.SessionTimeout.
For more information, visit out site on the Intel AMT HLAPI User Consent feature.
*No product or component can be absolutely secure.
Did you find the information on this page useful?