
Symantec Zone


Valerent is expanding their business by helping customers lower TCO, increase productivity and improve compliance with Symantec's Altiris platforms and Intel vPro technology. Find out more by reading the case study.


Find out more by reading the new content in the 2nd edition of the Intel/Symantec eBook.


Intel and Symantec recently released an eBook containing videos, whitepapers, customer and analyst testimonials, and related information on client-based solutions.

The eBook is entitled: Turn Sustainable IT Strategies into Real ROI

Go to http://symantecintelalliance.com/ebook to check it out for yourself.

There are sections on Sustainable IT, Manageability, Virtualization, and ROI.

The following screenshot gives a quick glimpse; click it to go to the live version.

[screenshot: ebook.jpg]

Visit the eBook today to learn more about how Intel and Symantec are providing Real ROI to our customers today!


Sustainable IT

Posted by julie nusom Jul 8, 2009

[image: INT-SYM_eBook_CIO_336x280_R1.gif]

Intel and Symantec are committed to helping you implement sustainable IT solutions that can reduce costs, lower TCO, and reduce power consumption. Find out how by viewing the interactive eBook.


A training course on configuring and using Intel vPro Technology in an Altiris environment can be requested from Symantec Training.

The course summary is posted below, and can also be found at the Symantec Education site:

  • Go to http://education.symantec.com
  • Navigate to section 9, labeled "Infrastructure Operations" at the bottom of the page
  • Select Client Management Suite

After performing the above steps, the course catalog screen will appear.  A subsection of that screen is shown below.  The Intel vPro technology course is "Altiris Enhancing Out of Band Automation with Intel vPro Technology".

[screenshot: cms-oob-trng.gif]

If you click on the course name, it will lead to the PDF document which is attached within this posting.

If you click on the "View" button, you will note that no courses are scheduled.  However, you can request additional information or schedule a session for your location by contacting Symantec at 800-327-2232 (option 4) or sending an email to americas_education@symantec.com.

The training course was developed about a year ago and was originally listed as the A100 course.  It is built on the Altiris CMS v6 environment, yet the core principles are the same for CMS7.  To get a glimpse of how Intel vPro and Altiris work together, see http://www.symantec.com/connect/articles/combining-band-and-out-band-management - which includes an attachment of a CMSv7 video demonstration.


>>Register Here

WHEN: Thursday, April 16, 2009

TIME: 1:00 PM ET / 10:00 AM PT

Advanced solutions for PC management and security

Nearly 90 percent of an organization’s IT budget and time is spent keeping the business running securely and smoothly. When provisioned with Altiris solutions, computers with Intel vPro processor technology give IT an unprecedented ability to solve business IT problems. These are just a few examples, regardless of the computer’s power state or the health of the operating system:

  • Remove infected computers from the network while preserving a remote IT connection to the affected computer for remediation
  • Speed patch saturation by up to 56%
  • Reduce end-user tampering, which interferes with enforcing IT policies
  • Conduct hardware/software inventory up to 94% faster per PC
  • Reduce the need for hardware/software desk-side visits by up to 56%
  • Remotely repair BIOS from an IT gold image

The combined strengths of Intel and Altiris mean that network management and security are no longer reliant on a software agent, which minimizes exposure to end-user tampering.

Sustainable – Green IT

Symantec and Intel promote and provide the use of energy efficient hardware, software, services, and best practices that reduce environmental impact by enabling IT to run more efficiently, conserve power, and cut energy costs:

  • Gain efficiency and save money when you deploy Intel®-based platforms together with Symantec IT management software.
  • Reduce your company’s environmental impact by maximizing resources and conserving power with Intel and Symantec hardware and software.
  • Make the most of all your IT assets.
  • Control equipment sprawl by optimizing utilization of each server in your data center.
  • Comply with current energy efficiency regulations and be ready for future legislation.
  • Comply with the policies of your customers who require vendors to be energy efficient.



What are the Best Practices for configuring or provisioning Intel vPro capable systems within the Symantec Management Platform 7.0?  More specifically, how can I use Out of Band Management 7.0 to reliably enable my vPro systems for use within the infrastructure?

Those who understand vPro technology and the Altiris/Symantec implementation will recognize that there are multiple ways to configure AMT systems.  Not all methods are created equal, and experience has revealed which ways are best.  Using this article you can avoid many of the pitfalls and difficulties surrounding such a secure and robust architecture.

Introduction

With different options available for configuring an Intel vPro system, this document is a must.  Because so many components tie into the vPro-supported architecture, results can sometimes vary.  Some methods have revealed inherent problems in how the Altiris Infrastructure handles a computer resource’s identity.  To avoid any potential issues, the method described here has proven to be the most reliable.  Keep in mind that as newer versions of AMT, vPro, Intel SCS, and Out of Band Management are released, these details may change.  Symantec is working to resolve configuration issues to allow more reliable choices for configuring vPro enabled systems.

Infrastructure Items

The best methods for setting up the infrastructure are provided here.  The manual configuration method is not covered, as it is a manual pain and an alphanumeric nightmare.  The first segment covers the universal ProvisionServer DNS record required for the hands-off approach in AMT versions 2 through 5.  Two other infrastructure components are then covered, so that the configuration steps later in this article will have all necessary infrastructure items in place.

DNS Configuration

Everyone loves automatic procedures that don’t require the eyes and hands of an overworked IT professional to complete.  The DNS configuration is essential to achieving the no-touch, hands-off automated approach available with AMT provisioning.  The following steps show how to set this up:

  1. Launch DNS Management.
  2. Expand the Forward Look-up Zones tree.
  3. Right-click on the Domain that will be used for Provisioning and choose to create a CNAME record.
  4. In the Alias field type in: ProvisionServer
  5. In the Fully Qualified Domain Name field put the full name of the Notification Server (e.g. MyServer.mydomain.com).

Now that this Alias is created, when the AMT systems send out the ‘hello’ message targeting the name ‘ProvisionServer’, DNS will properly route that message to the Notification Server/Intel SCS Provisioning Server.  To test that this is working properly, follow this procedure:

  1. In the Symantec Management Console, browse under Home > Remote Management > and click Out of Band Management.
  2. In the left-hand pane, browse under Configuration > Configure Service Settings > and select DNS Configuration.
  3. In the right-hand pane click the ‘Test’ button found about halfway down the text of the page.
  4. Under ‘Resolved “ProvisionServer” IP:’ you should see the IP address of your Notification Server.  If it fails, the NS cannot resolve the name “ProvisionServer” on the network.  See this screenshot for an example:
    [screenshot: DNSConfig.jpg]

General Items – Remote Configuration

Note that the Remote Configuration option is not available on all versions of AMT.  As of the creation of this document, versions 2.2, 2.6, 3.0, 3.1, 4.0 and 5.0 support Remote Configuration.  All AMT systems with these versions have pre-configured certificates loaded into the firmware.  Examples are GoDaddy, VeriSign, and Comodo (others may be provided; please check Intel or the computer manufacturer’s documentation for a full list).  The systems come from the manufacturer already prepared to find the Provisioning Server and initiate the Configuration process.

The following infrastructure items need to be in place for Remote Configuration:

  1. Obtain a valid certificate from the appropriate vendor (GoDaddy, VeriSign, Comodo, etc.).
  2. Install the certificate on the Notification Server and register it with the Provision Server.  Details on how to do this are best covered in the following article, which details not only the best practices but also how to troubleshoot issues with the remote configuration certificate application:

https://www-secure.symantec.com/connect/articles/remote-configuration-certificate-application-best-practices-intel-vpro-systems

  3. Enable the CNAME option for ProvisionServer as detailed previously, if this has not been completed yet.  This is essential to make the Remote Configuration process seamless and hands free.
  4. Enable Resource Synchronization.  Use these steps to complete it:
    1. In the Symantec Management Console browse under Home > Remote Management > Out of Band Management.
    2. In the left-hand tree browse under Configuration > Intel AMT Systems > and select Resource Synchronization.
    3. On the title bar to the right, click the button next to ‘Off’ and select ‘On’.
    4. Make sure the option ‘Use DNS IP resolution to find FQDN when assigning profiles’ is NOT checked.
      NOTE: This option should only be used in environments where DNS is reliable for obtaining a system’s identity.  Since DNS usually isn’t, this option is not recommended.
    5. Set an appropriate schedule (do not run this too often, as it does take time to process).
    6. Click Save changes if any options needed to be changed, especially to turn the policy on.
  5. For the steps on how to proceed with Configuration for these systems, please see the subsequent section in this article labeled Discovering and Configuring new vPro systems: Remote Configuration.

General Items – One-Touch to No-Touch PSK Provisioning

This option is available for all AMT versions 2.0 and beyond.  The one-touch option requires security keys to be generated within the Symantec Management Console and configured on the target systems using One-Touch provisioning.  The manufacturers offer a service to have pre-configured keys already set up on purchased vPro target systems.  This allows a no-touch provisioning method using the PSK (pre-shared key) model.

The following infrastructure items need to be in place for PSK Configuration.  The first half of the steps is for no-touch PSK provisioning:

  1. Please see steps 3 and 4 in the Remote Configuration section above as they, too, apply to PSK Configuring.
  2. Have the Manufacturer pre-configure all purchased systems to already have the PID and PPS (TLS-PSK) configured (this is optional but is required for a no-touch configuration model).
  3. The manufacturer will provide the keys in a file to be imported into the Notification Server.  NOTE: it is recommended to have the file broken down into smaller parts if exceeding 1000 key pairs, or systems to be configured.  This allows an easier time importing those keys.  For version 7 there are no known limitations on the number of key-pairs unlike the 6.x versions.
  4. Import the file using these steps:
    1. In the Symantec Management Console browse under Home > Remote Management > Out Of Band Management.
    2. In the left-hand tree browse under Configuration > Configuration Service Settings > and select Security Keys.
    3. Click the ‘Import security keys’ icon (blue arrow pointing down-right on blank paper).
    4. Click the browse button and browse to the location you’ve stored the key-file provided by the manufacturer.
    5. Click Import.
    6. Ensure that the appropriate keys appear in the key list after the screen refreshes.
  5. If you are using the one-touch method, use the icon labeled ‘Generate’ to create a series of keys (it is recommended to keep the number of keys to 1000 per USB flash drive to improve performance when out configuring systems).  Click OK when done configuring the keys to generate.  See this screenshot for an example:
    [screenshot: GenerateKeys.jpg]
  6. Highlight a group of keys (1000 max recommended) and use the export button.  This will allow the keys to be put into a Setup.bin file.  Place this file on a USB flash drive with the following configuration; the USB drive will be used later as part of the configuration process:
    • FAT16 file system
    • Setup.bin needs to be the first file on the drive
  7. Enable the CNAME option for ProvisionServer as detailed previously if this has not been completed yet.

Discovering and Configuring new vPro systems

Now that the Infrastructure items are in place, the process for configuring Intel AMT vPro capable systems needs to be defined.

The Altiris Agent

The key sequence in the configuration process actually doesn’t directly involve the AMT provisioning piece.  The Altiris Agent should be installed on the client system before the system is discovered by the core NS through other discovery processes, due to issues with resource integration between discovery methods.  If you plan to manage the system with the Altiris Agent, it needs to be installed first.  The steps for this are covered in each methodology.

NOTE: Due to the requirement of having the right computer identity at the time of Configuration, this step is considered crucial to a successful Configuration process for vPro systems.  The Altiris Agent will provide all the proper identification items (Fully Qualified Domain Name, or FQDN, and the UUID).

Remote Configuration

The following steps show how to configure the system in Remote Configuration mode.  Note that the steps are written to show the proper sequence, though some of the items may have been completed before their position in the list:

  1. Install the Altiris Agent on the target computer.  This can be done with a push or a pull.

PUSH

    1. For the push method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
    2. You can individually enter the computer names or IP addresses of the target systems, or you can use the blue link ‘Discover Computers’ to discover the systems automatically on the network.
    3. Once systems are selected, click the ‘Install Altiris Agent’ button below the list.
    4. Provide the required details to install the Altiris Agent on the target systems (including the correct Admin account, install path, etc.).
    5. An alternate method is to use the ‘Schedule Push to Computers’ option after you have discovered the machines using the Discover Computers option, to schedule the push for another time.
    6. To set the proper settings for the scheduled push, click the ‘Installation Settings’ button and set the options as required.

PULL

    1. For the pull method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
    2. Under ‘URL of download page’ a link is provided.
    3. On the target system, open a web browser and paste in the URL obtained from step 2.  This link can also be sent out via email, or posted on a web page for users to access.

  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server.  Right-click on the Altiris Agent icon and choose ‘Altiris Agent Settings’.  As long as valid dates appear under the following headings, the system is prepared for synchronization:
    1. Configuration
      i. Requested
      ii. Changed
    2. Basic Inventory
      i. Sent
  3. Make sure that after the initial Basic Inventory is sent, the Configuration is requested again, as the Notification Server will have populated the computer into collections based on the Basic Inventory sent to it.
  4. Run an Out of Band Discovery on the target system.  This will be an automatic step after the Altiris Agent is installed, yet it needs to be initially set up.  Use the following steps to set it up:
    1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
    2. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band Discovery.  See this screenshot for an example of the Task:
      [screenshot: OOBDiscovery.jpg]
    3. To the right of the title bar there’s an On/Off switch.  Click the red-colored light and change it to On.
    4. By default this is set to only ever run once.  This is sufficient when systems will only ever be provisioned once.  One fail-safe is to set this to a recurring schedule so we have up-to-date information on a system if needed.
    5. The current collection is usually sufficient, but if systems are not getting the Out of Band Discovery job, try adding a more general collection such as All Windows Computers.
  5. Setup and Configuration will occur automatically.  The above items may occur after the initial “hello” packet is sent from a system, since systems already come configured to use Remote Configuration, but without the Altiris Agent, Intel SCS will be unable to provision until the Altiris Agent has been installed and Out of Band Discovery has run.
  6. The Configuration will occur from this point, but if you want your system to show up in the vPro or AMT specific collections, next manually launch the Resource Synchronization.  As this policy has already been touched on, it should be set up to run automatically; to run it now, follow these steps:
    1. In the Symantec Management Console browse under Home > Remote Management > and select Out of Band Management.
    2. In the left-hand tree browse under Configuration > Intel AMT Systems > and select Resource Synchronization.
    3. Under the ‘Last synchronization statistics’ section, click the ‘Run now’ button to force the synchronization.
  7. When synchronization completes, the system will show up in the Out of Band and AMT specific collections (note that this is not required to use vPro functions; it only affects which collections the systems show up in).

The following diagram represents the basic steps used for this method of configuration:

[diagram: RemoteConfigDiagBP.JPG]

PSK Provisioning

Depending on the method, the following steps will show the best way to configure the system with One-Touch or PSK mode:

  1. Install the Altiris Agent on the target computer.  This can be done with a push or a pull.

PUSH

    1. For the push method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
    2. You can individually enter the computer names or IP addresses of the target systems, or you can use the blue link ‘Discover Computers’ to discover the systems automatically on the network.
    3. Once systems are selected, click the ‘Install Altiris Agent’ button below the list.
    4. Provide the required details to install the Altiris Agent on the target systems (including the correct Admin account, install path, etc.).
    5. An alternate method is to use the ‘Schedule Push to Computers’ option after you have discovered the machines using the Discover Computers option, to schedule the push for another time.
    6. To set the proper settings for the scheduled push, click the ‘Installation Settings’ button and set the options as required.

PULL

    1. For the pull method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
    2. Under ‘URL of download page’ a link is provided.
    3. On the target system, open a web browser and paste in the URL obtained from step 2.  This link can also be sent out via email, or posted on a web page for users to access.

  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server.  Right-click on the Altiris Agent icon and choose ‘Altiris Agent Settings’.  As long as valid dates appear under the following headings, the system is prepared for synchronization:
    1. Configuration
      i. Requested
      ii. Changed
    2. Basic Inventory
      i. Sent
  3. Make sure that after the initial Basic Inventory is sent, the Configuration is requested again, as the Notification Server will have populated the computer into collections based on the Basic Inventory sent to it.
  4. Run an Out of Band Discovery on the target system.  This will be an automatic step after the Altiris Agent is installed, yet it needs to be initially set up.  Use the following steps to set it up:
    1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
    2. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band Discovery.  See this screenshot for an example of the Task:
      [screenshot: OOBDiscovery.jpg]
    3. To the right of the title bar there’s an On/Off switch.  Click the red-colored light and change it to On.
    4. By default this is set to only ever run once.  This is sufficient when systems will only ever be provisioned once.  One fail-safe is to set this to a recurring schedule so we have up-to-date information on a system if needed.
    5. The current collection is usually sufficient, but if systems are not getting the Out of Band Discovery job, try adding a more general collection such as All Windows Computers.
  5. If using USB One-touch, insert the prepared USB flash drive into a USB slot on the vPro system.  Reboot or turn on the system.  A prompt will appear asking if the machine should be configured.  Follow the prompts until it requests that the USB drive be removed and the system rebooted.  The system is now ready and will be sending out ‘hello’ messages.
  6. If the systems are preconfigured, Configuration will occur automatically.  The above items may occur after the initial “hello” packet is sent from a system, since systems already come configured to use Remote Configuration, but without the Altiris Agent, Intel SCS will be unable to provision until the Altiris Agent has been installed and Out of Band Discovery has run.
  7. Next manually launch the Synchronization (note that this step will occur per the default schedule at 2AM the following day).  In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > and select Resource Synchronization.  Under the ‘Last synchronization statistics’ section, click the ‘Run now’ button to force the synchronization.
  8. When synchronization completes, the system will now show up in the OOB and AMT collections.

The following diagram represents the basic steps used for this method of configuration:

[diagram: OneTouchDiagBP.JPG]

Conclusion

Implementing a process that adheres to the above guidelines, with the right infrastructure pieces in place and properly configured, will take the complexity out of setting up and configuring vPro enabled systems.  This document was based on the 6.x Best Practices document, with changes for the new 7.0 version and additional clarification or steps to improve success.


I often see testers get hung up when they try to repair a system that has been provisioned with an improper FQDN.  Here's a shortlist of things you can look at if you are in a similar situation.

If a pre-existing profile assignment exists in SCS, it will be reused, and the client will be provisioned with stale data. Altiris utilizes profile auto-assignment for provisioning clients that do not have a preexisting profile mapping.  Altiris can be configured with entries that map the domain suffix of a to-be-provisioned client to the appropriate AMT profile and desired organization unit.  The remaining setting that needs to be retrieved is the FQDN of the to-be-provisioned client.  To retrieve this, Altiris first attempts to match the to-be-provisioned client to one already in its database by performing a match based on GUID or MAC address.  If those fail to produce a match then a reverse lookup is performed based on the IP address received via the hello packet.  If any of these methods produces stale data, the client will be mis-configured.

In order to clean up after an already configured client or a client that is currently being improperly configured, three areas must be examined:

SCS:

If a profile assignment exists for a client’s UUID, the client will be assigned the settings in that assignment during provisioning. These assignments can be viewed in the Altiris console via Settings > Remote Management > Out of Band Management > Intel AMT Systems > Profile Assignments.  If an incorrect assignment is present delete it.  If desired a correct assignment can be manually created as a replacement or the profile auto-assignment mechanism can automatically create one at the time of provisioning.

Altiris DB:

As stated, the profile auto-assignment mechanism first looks through the Altiris database to retrieve the client’s FQDN.  There are several ways in which this can yield the wrong data.  The most common is if the client was previously in the Altiris DB with a different FQDN.  Several steps must be taken to repair such a situation.

Agent Uninstallation:

First, the Altiris agent must be removed from the client. When the agent is installed on the client, the install retains the FQDN of the client at the time the agent was installed.  If the client’s FQDN is changed, the agent will still retain the old FQDN.  The agent periodically re-populates the Altiris DB, so if an agent with a stale FQDN is left installed, improper entries will repopulate to the Altiris DB. To uninstall the Altiris agent, log onto the client and execute c:\Program Files\Altiris\Altiris Agent\aexagentutil.exe /uninstall /clean.

Altiris DB clean-up

After the agent is removed, delete stale client instances from the Altiris DB.  This can be done by accessing Manage > All Computers from within the Symantec Management Console and deleting all stale entries pertaining to the affected client.

DNS:

During profile auto-assignment, the Altiris DB is searched, and if no matches are found for the to-be-provisioned client, Altiris will attempt a reverse lookup to retrieve the client’s FQDN from DNS.  If a stale reverse lookup exists in DNS or is cached in the management core’s DNS cache, it can result in improper assignment of the FQDN.  Furthermore, DNS scans are also used to populate the Altiris DB, so if stale forward lookups exist they can result in incorrect entries populating to the Altiris DB.

To fix this, view the forward and reverse lookup zones on the DNS server and eliminate any stale entries.  Then on the management core machine execute ipconfig /flushdns to remove any stale entries that may have been cached locally.
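The lookup chain described above (Altiris DB by GUID, then by MAC, then reverse DNS), together with the three clean-up areas (SCS assignment, Altiris DB, DNS), as an added illustration in Python that is not Altiris, SCS or Symantec code: it resolves a hello packet's FQDN in the stated order, then reports which area still holds stale identity data compared with what the installed agent reports. All hostnames, UUIDs, MAC addresses, IPs and the suffix-to-profile table are constructed placeholders, and the assumption that the Altiris resource GUID equals the AMT UUID is mine, not the product's.

```python
"""Simulate the profile auto-assignment lookup order and flag stale identity data.
Added illustration, not Altiris/SCS/Symantec code; all records are constructed
placeholders and the table shapes are assumptions.  Lookup order: Altiris DB by
GUID, then by MAC, then reverse DNS; the FQDN suffix selects profile and OU."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HelloPacket:
    uuid: str   # AMT UUID carried in the hello packet
    mac: str
    ip: str


@dataclass(frozen=True)
class DbComputer:
    guid: str   # Altiris resource GUID (assumed to equal the AMT UUID)
    mac: str
    fqdn: str


# Constructed sample data; the second DB row carries a stale FQDN.
ALTIRIS_DB = [
    DbComputer("A1", "00:11:22:33:44:55", "pc01.corp.example.com"),
    DbComputer("B2", "66:77:88:99:aa:bb", "old-name.lab.example.com"),
]
REVERSE_DNS = {                      # PTR records; 10.0.0.13 is a stale PTR
    "10.0.0.11": "pc01.corp.example.com",
    "10.0.0.12": "pc02.lab.example.com",
    "10.0.0.13": "ghost.corp.example.com",
}
SUFFIX_MAP = {                       # domain suffix -> (AMT profile, OU)
    "corp.example.com": ("Corp-AMT-Profile", "OU=Corp,DC=example,DC=com"),
    "lab.example.com": ("Lab-AMT-Profile", "OU=Lab,DC=example,DC=com"),
}
SCS_ASSIGNMENTS = {"B2": "Lab-AMT-Profile"}   # existing SCS assignment by UUID


def resolve_fqdn(hello, db=ALTIRIS_DB, rdns=REVERSE_DNS):
    """Return (fqdn, source): DB match by GUID, then by MAC, then reverse DNS."""
    for rec in db:
        if rec.guid == hello.uuid:
            return rec.fqdn, "db:guid"
    for rec in db:
        if rec.mac.lower() == hello.mac.lower():
            return rec.fqdn, "db:mac"
    fqdn = rdns.get(hello.ip)
    return (fqdn, "dns:ptr") if fqdn else (None, "none")


def assign_profile(fqdn, suffix_map=SUFFIX_MAP):
    """Map the FQDN's domain suffix to (profile, OU); the longest suffix wins."""
    host = fqdn.lower()
    best = None
    for suffix, target in suffix_map.items():
        if host.endswith("." + suffix) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, target)
    return best[1] if best else None


def audit(hello, agent_fqdn, db=ALTIRIS_DB, rdns=REVERSE_DNS, scs=SCS_ASSIGNMENTS):
    """Cross-check SCS, the Altiris DB and DNS against the agent-reported FQDN.
    Returns (resolved_fqdn, source, findings); each finding names the area to clean."""
    findings = []
    fqdn, source = resolve_fqdn(hello, db, rdns)
    if hello.uuid in scs:
        findings.append(f"SCS: existing assignment for UUID {hello.uuid} "
                        f"({scs[hello.uuid]}) will be reused; delete it if wrong")
    if source.startswith("db") and fqdn != agent_fqdn:
        findings.append(f"Altiris DB: record says {fqdn} but agent reports "
                        f"{agent_fqdn}; uninstall agent with /clean, delete stale row")
    ptr = rdns.get(hello.ip)
    if ptr and ptr != agent_fqdn:
        findings.append(f"DNS: PTR for {hello.ip} is {ptr}, not {agent_fqdn}; "
                        f"purge stale zone entries and run ipconfig /flushdns")
    if fqdn is None:
        findings.append("No FQDN found: install the Altiris Agent and run "
                        "Out of Band Discovery before provisioning")
    return fqdn, source, findings
```

Running `audit(HelloPacket("B2", "66:77:88:99:aa:bb", "10.0.0.12"), "pc02.lab.example.com")` reproduces the stale-DB case from the post: the GUID match wins, returns the old name, and the findings point at the SCS assignment and the Altiris DB row rather than at DNS.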

More general information can be found here:

http://www.symantec.com/community/article/1751/what-does-the-resource-synchronization-do-in-out-of-band-management-for-intel-vpro-provisioned-systems
