
Intel vPro Expert Center Blog

19 Posts authored by: Bruno Domingues

On April 3rd, 2010 Apple released the iPad, Steve Jobs' renewed take on the tablet concept (it was not the first tablet computer on the market, but it was the first to have great success). It triggered a new kind of personal computer that complements the traditional form factors used by knowledge workers in the corporate environment (e.g. desktops and notebooks), and in some cases replaces them. A tablet is an excellent form factor for consuming information, but it lacks the ergonomic qualities needed to produce content: a physical QWERTY keyboard and a larger display.


The computer industry is investing in several form factors to reinvigorate personal computer systems with exciting designs: Ultrabooks, convertibles, touch screens, tablets, tablets with a slide-out QWERTY keyboard, and multiple docking options. In this new world of mobility and thin designs, the RJ45 port looks antiquated. For business, however, the wired interface is still predominant in most organizations, and a lot of investment has been made in this medium for security and manageability. So how do you manage Intel vPro devices seamlessly, independently of form factor and connectivity medium (i.e. wired or wireless)?



Some Ultrabooks, such as the Lenovo ThinkPad X1, ship without an embedded Ethernet port, only with an RJ45 dongle. The dongle provides wired connectivity for the operating system, but it does not work for out-of-band (OOB) management by the Intel ME, which can only use the LAN controller integrated into the platform.


The absence of an integrated Ethernet interface limits some use cases for devices of this category. For example, Host-based Configuration (HBC) is the only remote setup and configuration method supported, and user consent is required for healing scenarios such as KVM or IDE-R. Fortunately, in most cases these limitations fit well with mobile use models. Admin Control Mode can only be reached by configuring the device locally in Small and Medium Business (SMB) mode, which can be undesirable in an enterprise environment because of the manual labor required for configuration.


System Defense, which is enabled by McAfee ePO Deep Command for example, is not available on WLAN-only systems, for security reasons. With HBC, the configuration is performed by software running in the host operating system, so the ME cannot tell whether an IT administrator or malware on the host performed it; in effect HBC transfers the administrator's authority to the user, which is why each remote operation in HBC requires user consent. System Defense filters network traffic without any user interaction, so there is no consent step that could protect the user, and for that reason System Defense is turned off in HBC.


For a wireless-only device to be managed OOB with Intel vPro technology, the Intel ME must be at version 8.1 and the wireless driver must be updated to 15.3 (for Windows 7) or 15.5 (for Windows 8) for correct operation.


For further details on creating a profile for a wireless environment, read my prior blog post “Managing Intel® vPro™ Technology clients in a wireless environment”, where I discuss some basic configurations and lessons learned in this kind of environment.


Some management consoles, such as Microsoft System Center Configuration Manager 2007 or 2012, provision using PKI (remote configuration), which puts the machine in Admin Control Mode; that is not supported for wireless-only devices. For these cases, Intel Setup and Configuration Service 8.1 (Intel SCS) can be used for provisioning and configuration, following these instructions.


To provide better service to “road warriors”, you can offer the full set of capabilities, including Fast Call For Help (FCFH). This allows users outside the corporate firewall to get support from a help desk technician even OOB. The Intel vPro configuration profile provides detailed provisioning options, as shown in this example of a complete wireless configuration:


[Image: Intel SCS profile editor showing the wireless configuration options]

  • Active Directory Integration is required if the corporate wireless network requires 802.1x authentication;
  • Access Control List (ACL) is required to specify the users/groups and their permissions (i.e. authorization) in the Intel ME;
  • Home Domains specify whether the machine is inside or outside the corporate network, based on the DNS suffix received via DHCP; this definition is important to enable FCFH when the machine is outside the corporate perimeter;
  • Remote Access specifies the address of the Intel vPro Gateway (formerly Management Presence Server), which requires a server configured in the corporate DMZ; read further details in the Intel AMT SDK;
  • Wi-Fi Connection defines the configuration and profiles for the OOB connection; with Intel PROSet, these profiles can be populated by users when they are added to a PROSet profile.

 

For further details on each of these sections, read the Intel SCS 8.1 documentation available on the Intel website.


Following these instructions and guidelines, you will be able to integrate these new categories of managed form factors with your current management console and manage them seamlessly.


Comment below with any questions – I would be more than happy to provide further details.


Best Regards!

Currently, the most common way people verify their digital identity is with a password. Exceptions are often found in online banking, where most banks use a second factor for authentication (e.g. an OTP token, or a confirmation code sent to a mobile phone). That is costly and inconvenient for the user, but given the weakness of passwords versus the value at risk, this approach is accepted and the costs justify the investment. It is not the reality for the vast majority of digital services, though. Passwords are used to sign in to your PC, webmail, social networks and lots of other places. A study by Microsoft Research conducted with half a million PC users shows that the average person has about 25 online accounts. Are you an average user? The data also shows that the number of unique passwords across those 25 accounts is only about 6, so each password is reused across roughly 4 accounts. On top of this, websites tend to increase password complexity requirements, such as mixing lower case with upper case, special characters and numbers. Password reuse across websites will probably increase, and cases like the one described by Mat Honan (Wired writer) will become even more frequent.


Dealing with usernames and passwords leads to a set of interesting challenges. We all want the web to be easy and safe. However, having to remember a dozen complex passwords generally isn’t easy, and it is even harder for websites accessed less frequently; on the other hand, using the same easy-to-remember password across multiple sites isn’t safe. The ideal solution involves finding a way to make it both easy and safe to use all of your different digital identities.


As I already explained in this post on InformationWeek on how to effectively manage identity in the cloud, I introduced Intel Identity Protection Technology, described the strategies adopted by online banking to increase security, and showed how a One Time Password (OTP) as a second authentication factor can be used to increase security. However, all these approaches, even the more sophisticated ones, are based on symmetric keys and are therefore not resistant against an active man-in-the-middle attack (e.g. phishing): whoever obtains the code can present it to the real site.


One alternative is public/private key pairs, i.e. a Public Key Infrastructure (PKI), the most commonly used method for protecting network traffic on the Internet today. PKI is based on asymmetric keys: the private key and the public key are different, so the public key can be made public, in a way that proves it belongs to the user and not to someone else (that is what the certificate is for), while the private key must be stored securely where only the user has access. With this method, the website sends a sign-in request (a challenge) to be signed with the user’s private key and sent back; the website then uses the user’s public key to confirm that the user holds the private key. So long as the private key is not compromised, this system is resistant against phishing and keylogging attacks: there is no secret to type, and the signature can be bound to the genuine site. However, this method is not widely used on the Internet today due to the high cost of dedicated hardware to protect the private key, such as smart cards, and the associated logistics.


Intel IPT-PKI architecture


Intel Identity Protection Technology (Intel IPT) with PKI uses the Intel Management Engine (Intel ME) on 3rd generation Intel Core vPro processor based systems to provide a hardware-based security solution similar to other hardware security modules such as smart cards. Unlike most hardware security modules, Intel IPT-PKI is designed to be managed as software while the hardware remains resistant to tampering.

The hardware-based security is achieved by using the Intel ME to perform all cryptographic operations, so the keys are never exposed to software running on the computer’s central processing unit (CPU). Furthermore, all certificates are tied to the platform on which they were created.


[Image: IPT-PKI architecture diagram]


As the diagram shows, since the ME is part of the chipset and tied to the PC, the user’s PC becomes part of the authentication process. Intel IPT-PKI exposes its capabilities as a Cryptographic Service Provider (CSP) through the Microsoft CryptoAPI software layer. IPT-PKI can be used to:


  • Generate a persistent RSA key pair in hardware;
  • Generate PKI certificates that can be used to prove possession of the platform (something you have) and knowledge of a PIN or password (something you know);
  • Perform operations with the RSA private key;
  • Protect key usage with a PIN.

 

Intel IPT-PKI can be used to strengthen user identity in several applications, such as SSL website authentication with client certificates, S/MIME with Microsoft Exchange Server and the Outlook client, or VPN authentication.


To prevent an operating-system-level attack from keylogging the user’s PIN and replaying it automatically in a MITB attack, a second IPT building block, Intel IPT Protected Transaction Display (IPT-PTD), can be used to create a secure channel to the user’s interfaces (i.e. keyboard, mouse and video) that the operating system is not able to hook, as I explained in the Brazilian bank case in a previous post.


If you are looking at how to start using IPT-PKI and IPT-PTD, there is an excellent Use Case Reference Design that explains the majority of scenarios and how to configure them. The only requirement on the client side is an Intel vPro machine with a 3rd generation Core processor and a Windows operating system validated for that particular machine.


Best Regards!


     Networks constitute the new morphology of our society, and the diffusion of this logic transforms the operation and results of processes of production, experience, power and culture. Network organization itself has existed for a long time; the new information technology paradigm provided the material base for its expansion into the whole social structure. Now we have come upon the mobility craze, the fastest changing field in technology, and the introduction of these new form factors into our society is reshaping the way we interact with each other through social networks. They are influencing the way we work and produce information.

 


 

 

     What we are seeing nowadays is the wave of Bring Your Own Device (BYOD), where corporations allow employees to buy devices and bring them into the enterprise, letting them use those devices to access their e-mail, calendars, contacts and even line-of-business applications. This new chapter in IT brings new opportunities for increased productivity, while putting valuable information in employees’ hands. BYOD takes advantage of the fast-paced evolution of consumer devices such as smartphones and tablets, and of the applications that run on these devices and empower users with highly collaborative capabilities. However, these benefits also come with challenges for IT departments:

 

     Security: probably the biggest challenge for most organizations. Dealing with multiple devices, operating systems, and users accessing multiple devices at the same time requires a defense-in-depth strategy, securing and integrating multiple layers into an overall enterprise-class policy. The first touch point is the user, so starting with a small tech-savvy group can be a good starting point, as demonstrated by the BP case published 6 years ago by ZDNet.

 

     Now IT organizations can also count on Intel® Anti-Theft Technology (Intel® AT), embedded in Intel-based tablets, laptops and Ultrabooks, to lock down a lost or stolen device: the device is “bricked” into a useless piece of hardware and the information stored on it is rendered inaccessible. To protect the user’s identity, these devices also have Intel® Identity Protection Technology (IPT), which provides the foundation for a tamper-resistant, hardware-bound credential that matches user and device, giving a consistent authentication mechanism and credential protection.

 

     All these technologies have the potential to form an alliance between personal and professional roles on the same device. As I already wrote about the use of IPT by consumers for online banking, the same technology can be applied to enterprise applications in order to strengthen overall user identity. Pragmatism is the safest strategy for the enterprise: IT organizations can’t ignore that their users are using their devices for personal matters, accessing personal e-mail and multiple cloud services, probably with the same password they use for corporate systems. IT departments that ignore this simple, expected human behavior, keep thinking that IT security is based on the firewall perimeter, and assume that an employee losing his or her personal device poses no threat to the corporation will undoubtedly find themselves with a security breach.

 

     Define a strategy to support an effective BYOD policy. This is not only an opportunity to boost employee productivity but also, if well conducted, a way to protect against the security breaches that exist in today’s world. However, it is not an easy task and there is no one-size-fits-all solution. That is the reason some well-established consulting companies are focusing their efforts in this area, as announced by IBM Global Services and explained in this white paper.

 

Best Regards!


Good news for IT administrators struggling to find an effective way to manage lost or stolen laptops. McAfee ePolicy Orchestrator (McAfee ePO), an enterprise-class console for security management software, will soon be able to go further and securely disable stolen or lost laptops in order to protect the company’s most valuable asset: information.

 

This capability comes as a joint effort of Intel, McAfee and Softex, announced last week during IDF in San Francisco, when Softex announced that it has joined the McAfee Security Innovation Alliance (SIA) partner program to develop this capability and integrate it as a plug-in to McAfee ePO, to be called Softex SecureDisable.

 

There are several reasons why this is good news:

  1. It is a long-desired capability, since corporations started replacing regular desktops with laptops.
  2. Intel® Anti-Theft Technology is an integral component of Intel® vPro™ business-class laptops.
  3. It is already integrated with McAfee ePO and provides an integration component for Microsoft System Center 2007.
  4. McAfee ePO Deep Command already brings a key feature for “road warriors” called Fast Call for Help (FCFH), which allows remote users, even with a damaged OS, to connect to the corporate network and let a help desk technician provide support using KVM. The Anti-Theft feature puts this solution on steroids for these workers and improves efficiency for the IT department: not only a fast return to work, but also protection of the organization’s information and assets.

 

Softex is planning to provide this capability as a cloud offering, hosted in their facilities or on-premise within the enterprise boundary, which allows great flexibility in how to deploy and manage it across the board.

 

Now, as never before, “road warrior” workers are able to experience service and security protection as if they were working inside corporate boundaries.

 

Best Regards!

     Intel produced the latest “tick” (a die shrink) in our “tick-tock” release cadence with the Intel® 3rd Generation Core processors. Code-named “Ivy Bridge”, this generation moved us to a 22nm manufacturing process. The newer processors perform as well as or better than previous models, with lower power requirements and better cooling. In addition to the thermal and performance improvements, the Intel 3rd Generation Core processors bring an updated version of integrated Intel HD Graphics that is compatible with DirectX 11, improving intensive 3D experiences and allowing smooth playback of 1080p HD video.




     As for Ultrabooks, there are already more than 110 Ultrabook designs based on the dual-core version of the 3rd Generation Intel Core processor. Most of these designs are the traditional laptop form factor; however, with Windows 8 expected to launch this year, we should see more innovative designs as well. There will be more than 30 models with touchscreens, including 10 convertible designs that can be used as a laptop or a tablet.

To be classified as an Ultrabook (an Intel trademark), a system must meet requirements such as these (some of them, such as the responsiveness target, also depend on operating system integration, e.g. Windows 8):

  • Thin design: 18 mm or less in thickness for systems with a display smaller than 14 inches, and 21 mm for larger screens
  • Responsive: an interesting capability that comes with this generation is waking in a flash, going from sleep state to full use in less than 7 seconds
  • Battery life: the Ultrabook must offer at least 5 hours of battery life, with 8 hours recommended
  • Security enabled: Anti-Theft Technology (AT) and Identity Protection Technology (IPT) are the security features embedded into the Ultrabook platform
  • Faster I/O: must have USB 3.0 or Thunderbolt technology
  • Processor: powered by a 3rd Generation Intel Core processor


     To complement these technical specifications, Microsoft has redesigned the user interface in Windows 8. Known as Metro, this interface is specifically designed to bring an excellent experience for touchscreen devices, with beautiful tiles and a motion engine.


     Tablets and smartphones are also used in the workplace and as personal devices. For knowledge workers, tablets are an excellent device for consuming information, with their sleek displays and user-friendly motion engine. On the other hand, Ultrabooks come in convertible designs and run a mature operating system such as Microsoft Windows. They make it possible to have a single device that provides an ergonomic solution, supports easy attachment of multiple or bigger displays, and remains thin, light and tablet-like. Ultrabooks provide the most flexibility in the user’s life and are, in my opinion, the best solution, removing concerns about data synchronization, application compatibility and the other issues that come with managing a second device.


     A convertible Windows 8 PC with a 3rd Generation Core processor (such as Lenovo IdeaPad Yoga presented at CES 2012) provides an experience that you cannot get with Windows 7 alone, and will be the best solution for my work environment.


Best Regards!

     Under the Intel Identity Protection Technology (IPT) umbrella, one component is getting some well-deserved attention with the Ivy Bridge platform (3rd Generation Core technology): the Protected Transaction Display (PTD). It is especially attractive among Brazilian banks, where the fraud rate is still high due to the lack of legislation on cybercrime. Financial institutions take a pragmatic approach and try to adopt technology that will prevent fraud against their online banking customers.


     There are two main approaches to stealing money in an online transaction. The first is getting in the middle of the transaction, i.e. “man in the middle” (MITM), such as creating a phishing site that gathers the user’s information, including the One Time Password (OTP) generated by the user’s token as a second authentication factor, and executes the attacker’s transaction with the bank in real time. The second is gaining control of the user’s machine without being noticed, referred to as “man in the browser” (MITB).


     Until now, protecting users from MITB attacks and guaranteeing a high level of security for online transactions was extremely hard, and nearly impossible from the operating system level or the bank’s online security features alone. To protect against this kind of attack, a third component must be added to confirm the authenticity of each transaction.


     In order to protect online transactions from both MITM and MITB fraud, a tamper-resistant hardware component isolated from the OS comes into play. The PTD can store a cryptographic key shared with the online banking back end. Sensitive information such as passwords, account details, transaction confirmations etc. can then be presented to the user without the OS being able to read what was passed: only the PTD can decrypt it and send it to the Intel GPU over a secure path to be rendered.


     On May 15th at IDF Brazil, I presented a session about “Rethinking Information Security” and showed a demo in collaboration with Banco do Brasil, which did an amazing job integrating and securing the entire flow, from provisioning up to completing a transaction. As soon as a user of Banco do Brasil’s online banking opens the Banco do Brasil web site, the site can detect that the user’s Ultrabook is IPT capable and suggests that he or she activate this technology in order to improve security and eventually expand online transaction limits. The provisioning process is fairly quick and easy. Once the cryptographic key is generated and sent to the bank, the user can confirm the process and identify himself or herself through already trusted channels, i.e. ATMs or the mobile phone. Only the first time you access the site will you be required to create this trusted relationship between your personal machine and the online bank. After that, you can conduct all your online banking transactions in the usual manner, but much more securely.


     The following picture is what users will see:


[Image: photograph of the screen showing the protected window as the user sees it]

     Note that the page appears fairly normal; however, a hacker capturing the screen to gather user entries will not be able to read the protected windows and will see the same screen like this:


[Image: screen capture of the same page, with the protected window blanked]


     This brings another level of security to online transactions and creates a stronger barrier against hackers using these increasingly popular conventional methods to collect users’ information.


     I would like to take this opportunity to say thank you to Banco do Brasil’s security team, who did an awesome job preparing the demo for IDF Brasil... These guys really rock!

     If you have been following along, this is the third in a series of posts about Intel vPro configuration with Linux. Our first post was about Intel Setup and Configuration Service 7.2 (a special version designed for Linux users). In our second post we wrote about configuring vPro with Linux in Client Control Mode (user consent required). Now, this post explains how to configure Admin Control Mode, i.e. no user consent required, which is the desired mode for most embedded usages such as ATMs, kiosks and digital signage.

 

     Now I’ll describe how to configure a Linux machine using Intel SCS 7.2 in Admin Control Mode, which means the administrator does not need user consent for remote control operations.

 

 

[Image: Tux, the Linux penguin. Tux is copyrighted by Larry Ewing and Simon Budig (penguin-variant.sk also by Anja Gerwinski). Used with permission.]

Creating Profile


     In order to configure Intel® vPro™, we must supply the system with information about how all of the features should behave: WebUI, IDE-R, KVM, security authentication and authorization, network connectivity, etc. The way we accomplish this on Linux is the same as on Windows machines: use the Intel SCS 7.1 console (ACU Wizard) to create the profile and export it to an XML file, as demonstrated in my previous post. However, there is a more direct way to make a basic configuration using only ACUConfig and command-line parameters, as I have demonstrated in this video, where I also chose to use a static IP.

 

   

 

Best Regards!

This is the second post about configuring Intel vPro with Linux. The first post was about Intel Setup and Configuration Service 7.2, a special version designed for Linux users that is currently only supported on SUSE Linux Enterprise Desktop (SLED) 11 SP1, 64-bit.

 

Now I’ll describe how to configure a Linux machine using Intel SCS 7.2 for host-based configuration. The very first step is to install the required driver and service so that ACUConfig (a utility that is part of Intel SCS) can communicate with the Intel ME to provision the Linux machine locally.

 


Intel Management Engine Interface:


This driver must be installed to allow applications to access the Management Engine firmware via the host interface. Messages from the Intel MEI driver are sent to the system log (i.e. /var/log/messages). Once the Intel MEI driver is running, an application can open its device file, connect to an application on the firmware side, and send and receive messages to and from that application.

 

Click here to download the MEI driver. If you are using SLED 11 SP1 64-bit, you only need to extract the contents of the package and install the RPM with root privileges:

 

     linux:# rpm -i mei-7.1.20.25.x86_64.rpm


There isn’t a console output showing that installation succeeded.

 

Intel Local Manageability Service:

 

The Local Manageability Service (LMS) allows applications such as ACUConfig to access the ME firmware via the Management Engine Interface. LMS depends on the MEI driver, so the MEI driver must be installed before LMS. As with most Linux services, LMS runs as a daemon and its messages are sent to syslog. Once LMS is running, it listens for incoming connection requests on the following ports:

 

  • Port 16992 for SOAP and WS-Management requests.
  • Port 623 for WS-Management requests.

Click here to download the LMS service. If you are using SLED 11 SP1 64-bit, you only need to extract the contents of the package and install the RPM with root privileges:

 

     linux:# rpm -i lms-7.1.20.25.x86_64.rpm


You should receive a message in the console about the status of installation and service.

 

Using ACUConfig

 

Now that your Linux machine is ready for host-based configuration, you can check the status of your vPro machine with ACUConfig using syntax like this:

 

linux-8xff:/home/bruno/Downloads/IntelAMTSCS/Executables # ./ACUConfig -Output console Status

Starting log 2011-12-27 19:23:42: Retrieving machine status...
Host information-
                UUID- 0EC7E5D1-32B8-11E1-B45E-A484BF0CC0AD
                Intel(R) AMT version- 7.1.3
                The system is unconfigured.
                The system TLS setup is using PKI.
                The system supports host-based configuration.
                AMT state- Pre-Provision(0)
***********
Exit with code 0 - The requested operation completed successfully.

 

Note in this output that the system is unconfigured and that it supports host-based configuration.

 

Creating Profile

 

In order to configure Intel® vPro™, we must supply information about how the machine should behave: WebUI, IDE-R, KVM, security authentication and authorization, network connectivity, etc. The way we accomplish this on Linux is the same as on Windows machines: use the Intel SCS 7.1 console to create the profile and export it to an XML file.

 

This process is fully documented in Intel SCS 7.1 documentation folder.

 

Provisioning

 

The provisioning process is very similar to the Windows ACUConfig version, as you can see in this video:

 

 

At this point, we are able to manage the Intel vPro machine in Client Control Mode.

 

Best Regards!

There are several ways to configure an Intel® vPro™ machine; the most popular among corporations is the Zero Touch configuration method, which is based on PKI. You must obtain a certificate for the provisioning server in order to establish a trust relationship between the provisioning server and the ME. VeriSign is one company that can provide such a certificate.

 

Since the launch of Intel® vPro™ in 2006, VeriSign has made some changes to their products. Rather than issuing certificates from the G1 and G3 roots in their Secure Site (Standard SSL) and Secure Site Pro (Premium SSL) SKUs, these products now issue certificates from different roots. Unfortunately, the Intel ME is firmware, and updating its list of trusted root certificate hashes is not as easy as it is in an operating system: it requires a firmware upgrade.

 

If you have different Intel® vPro™ generations in your environment, you are most likely looking for a solution that uses the least common denominator, as shown in this table:

 

Firmware version    VeriSign root hashes present in the ME
2.x                 G1 and G3
2.6.20              G1, G2 and G3
2.6.40              G1, G2, G3 and G5
3.x                 G1 and G3
3.2.10              G1, G2 and G3
4.x                 G1 and G3
4.2.x               G1, G2 and G3
4.2.30              G1, G2, G3 and G5
5.x                 G1 and G3
5.1.10              G1, G2 and G3
5.2.30              G1, G2, G3 and G5
6.x                 G1, G2 and G3
6.1                 G1, G2, G3 and G5
7.x                 G1, G2, G3 and G5

 

As you can see, the latest version of each firmware generation ships with the complete list of trusted roots.

 

However, a problem occurs if you have multiple vPro versions but can only use one certificate for the provisioning server (and can no longer obtain a certificate issued under G1 or G3). Fortunately, in order to avoid interoperability issues with legacy browsers, VeriSign cross-signs the VeriSign Class 3 PPCA-G5 with the Class 3 PPCA (G1.3). This is the Secure Site Pro product, and the resulting cross certificate is shown in this diagram:

 

 

[Image: trust chain diagram showing the cross-signed VeriSign G5 root under the G1 root]

OpenSSL-based libraries usually use the PEM file format when building the trust chain to validate a certificate, and we can statically define the trusted certificates we would like to use in that chain. Microsoft has some wrapper code available to build the PEM list of certificates, and in this particular case Windows has 3 possible root certificates to use. All three are equally valid, and Windows builds the trust chain using the shortest path, i.e. to the VeriSign "G5" Class 3 PCA Root or the VeriSign "G1.5" Class 3 PCA Root, neither of which is present in some older ME firmware. When you install the certificate without any modification, you see the root certificate VeriSign "G5" Class 3 PCA Root, as shown here:

 

 

[Image: certificate chain as built by Windows, ending at the VeriSign "G5" Class 3 PCA Root]

 

To force Windows to build the trust chain up to VeriSign Class 3 Primary CA - G1, remove the VeriSign "G5" Class 3 PCA Root and VeriSign "G1.5" Class 3 PCA Root from the Trusted Root Certification Authorities store (or at least disable Client Authentication and Server Authentication in the purposes list of these certificates).

 

[Image: MMC Certificates snap-in showing the Trusted Root Certification Authorities store]

 

Without these two certificates, the only valid chain ends at VeriSign Class 3 Primary CA - G1. That root is present in every ME firmware version, from the first version, i.e. 2.0, through 7.1. See below:

 

[Image: certificate chain as built by Windows after the change, ending at VeriSign Class 3 Primary CA - G1]

Now you don’t have to be concerned about these VeriSign certificate issues with your Intel vPro versions; just follow the instructions presented in this document and have yourself a happy vPro configuration.

This post is the first in a series about configuring Intel vPro with the Linux operating system. The motivation for this series is that Intel vPro has been adopted for embedded systems such as ATMs, digital signage, kiosks, etc., and the knowledge of how to do it is almost tribal. In this post I would like to introduce Intel SCS 7.2, which was tailor-made for Linux; in the following posts I'll demonstrate how to do it in more detail.

 

Linux.png

As I mentioned, Intel® Setup and Configuration Service 7.2 (aka SCS 7.2) is a special version designed for the Linux operating system on an Intel vPro machine. However, the capability of this version is not the same as that of Intel SCS 7.1, which is designed for the Windows operating system. Intel SCS 7.2 brings only these two components:

 

  • Configurator (aka ACUConfig): a command-line application that runs locally on the Intel AMT system. You can use this tool to configure the system using an XML file (i.e. Host Based Configuration) or manually through a USB key.

  • Configuration Profiles: XML files that contain configuration settings for the Intel AMT devices.

However, these components are more than enough to cover most usage cases:

 

- Desktops running Linux where you want user consent for remote operations such as KVM;

- Embedded devices that are in a staging area to be completely prepared before deployment; the configuration can be performed by a USB key (i.e. manually).

 

At this stage, this version only works with Intel vPro firmware version 7.1.2 (or later), and Intel SCS was tested only on SUSE Linux Enterprise Desktop (SLED) 11 Service Pack 1; however, there is no reason for it not to work on other Linux flavors.

 

Requirements:

 

In order to create the Configuration Profiles (i.e. XML files), you will need the ACU Wizard found in Intel SCS 7.1 under the ACU_Wizard folder (it requires a Windows machine to run).

 

In order to bridge the communication between the Intel ME (aka vPro firmware) and the Linux OS, two components are required: the Intel® Management Engine Interface (Intel MEI) driver and the Local Management Service (Intel LMS) driver. The Intel® MEI driver allows applications such as ACUConfig to communicate with the firmware through the host interface, and the LMS driver allows applications to access the Intel® ME via the local Intel® MEI.

 

If you are not using a Linux kernel version 3.0 or later, you should install these drivers, which can be downloaded here.

 

In the next blog post I'll show you how to configure an Intel® vPro machine running Linux in Admin Control mode using manual configuration (i.e. a USB key).

For further information about how to enable Linux for Intel® vPro, read this document.

 

Best Regards!

***************

All Intel-provided code snippets in or attached to this blog are provided under the BSD License unless otherwise specified.

 

Any user submitted code or materials posted on this blog is supplied under license from the submitter, and should be used or downloaded in accordance with any license terms specified. Intel is not responsible for user submitted code nor warrants that it will work correctly.  If no license is provided, you should contact the submitter.

****************

 

Since Intel vPro launched in 2006, there have been lots of questions about how to configure a vPro device that uses a static IP. I'll try to demystify this and explain how the vPro TCP/IP stack works and what you can and can't do. I'll also bring to your attention some best practices that make these procedures easier and less susceptible to manual error.

 

First of all, we need to understand the relationship between the Host and Intel Management Engine (aka Intel ME) TCP/IP stacks. Before ME 4.0, the OEM had the ability to set a different MAC address for the ME and the host. In that case, they should also use different IPs; this mode was called "dedicated MAC". The consequence of this approach is that, in a regular infrastructure, you should usually also use different names in order to avoid DNS mismatches and the risk of having the machine inaccessible while switching NIC ownership between the Host and the ME.

 

However, in "Shared MAC", available since ME 4.0 (where the ME dedicated MAC is left as "FF"), the ME uses the host MAC. Hence, with DHCP they must have the same name, and with static IP they may use either the same IP address or different ones, but if different IP addresses are used, different names must also be used.

There are several situations where a static IP is required, such as ATMs, kiosks, digital signage and several other embedded devices, or even legacy network infrastructure. For those, manual configuration in the MEBx is error-prone. For some cases, including PCs with ME 6.2 and beyond, Host Based Configuration (aka HBC) exists to accomplish this task without external infrastructure dependencies or the need to pass a long IP parameter string, since it is based on the host operating system. However, HBC configures the machine in Client Control Mode, and this is mandatory for security reasons. At least for most embedded devices, such as ATMs, kiosks and digital signage, where there is no regular user to whom we can send the consent request, that is a show stopper.

 

A possible approach to avoid manual entry is to use a USB key created by USBfile.exe, which can be found in the Intel AMT SDK, or by ACUConfig.exe, found in Intel Setup and Configuration Service 7.x (aka Intel SCS 7.x), but both tools require that the IP parameters (i.e. IP address, network mask, default gateway and DNS servers) be passed on the command line, which is also error-prone.

 

A possible solution for these situations is a Visual Basic script that captures the IP parameters from Windows, creates the USB key previously attached to the machine's USB interface, and then automatically reboots to configure the ME with the same IP address as the host. I developed this script, which can be downloaded here (i.e. provisionUSB.vbs).

 

If you would like to configure a vPro machine using Kerberos (i.e. with Active Directory integration) or issue a TLS certificate (usually required by highly secure environments), you will need to use the Remote Configuration Server (aka RCS) found in Intel SCS 7.x. In this situation, the principle of capturing IP parameters and the USB key is the same as in the previous case, but it now requires a PSK exchange with the RCS, which will be used for ME and RCS communication to conclude the configuration. I just developed a script (called provision.vbs) based on SCS 7.1 (it fails with SCS 7.0) that automates these tasks, demonstrated in this video:

 

 

At this point, there are some requirements and known issues with these scripts, as listed:

 

  • All IP parameters must be present in Windows Host (i.e. IP address, Subnet mask, default gateway, and primary and secondary DNS);
  • ACUConfig.exe, ACU.dll and xerces-c_2_8.dll found in Intel SCS package should be placed in the same script directory;
  • Tested only on ME 7.0
  • You need to define in script which NIC adapter is the ME interface (onboard) to capture the correct IP address parameters, look for this line:

 

("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Description = 'Intel(R) 82579LM Gigabit Network Connection' and IPEnabled = TRUE")

 

and replace the Description with the adapter description shown by the ipconfig command.

 

For further details, just execute the script from the command line instead of the Windows interface:

 

C:\>cscript provisionUSB.vbs -or- C:\>cscript provision.vbs

 

Please let me know if you find any issues or have suggestions not covered in this version.

 

Best Regards!

There is no doubt that wireless networks are widely used by many companies, and, for some, it's the only medium available (that is, there is no wired connection). Wireless-only work environments are becoming more frequent nowadays for many reasons: 1) it's the cheapest connection technology compared with traditional wired networks that require switch ports, cables, etc.; 2) office layout reconfiguration is much easier without the cables; and 3) wireless networks can be more secure than comparable wired networks, at least for most enterprise implementations, where the IEEE 802.1x protocol is the de facto standard for wireless networks.

 

There are several options to configure an 802.1x-protected wireless network, but the most common methods are EAP-TLS (certificate-based) and EAP-PEAP (computer account based). Intel® vPro™ Technology based clients should be configured to work in an 802.1x environment in order to get out-of-band access to the corporate network and be remotely managed using Intel Active Management Technology (Intel AMT).

 

Intel® vPro™ Technology clients in 802.1x wireless networks require Microsoft* Active Directory integration and a RADIUS server (for example, Microsoft* IAS) that will bridge the authentication from the client to Active Directory through an 802.1x-capable switch.

 

SCS_screen_wifi.png

Figure 1 – Intel® SCS 802.1x profile configuration

 

 

The EAP-* protocols require a cryptographic session to be established before sending the credentials, and use the certificate issued to the RADIUS server to create a TLS session between the client and the RADIUS server. The Intel® vPro™ Technology client receives the Trusted Root Certificates list during setup and configuration and records the certificates in Intel® ME flash memory. Figure 1 shows the Intel Setup and Configuration Service (Intel SCS) wizard used to select the "Trusted Root Certificate" during the setup and configuration stage.

 

If EAP-TLS is selected, you must also pick the certificate authority that will be used to issue the 802.1x certificates and select the desired template. During the setup and configuration phase, the Intel Remote Configuration Service (Intel RCS) acts as a proxy, requesting the certificate on behalf of the Intel® vPro™ Technology client.

 

In addition to the how-to configuration steps listed above, there are two points you should consider when planning your Intel® vPro™ Technology configuration that can differ from your regular desktop configuration:

 

    • Certificates
    • Network Speed

 

Certificates


There are some limitations on certificate length, as described in Table 1.

 

Certificate_length.png

Table 1 – Intel® AMT PKI certificate length limitations

 

The most common issue that I have found in the field with certificates is when the root certificate authority uses keys longer than 2048 bits (i.e. 4096 bits). When the key length is too long, instead of getting a failed provisioning status, the client is shown as "configured" but is unable to authenticate against the RADIUS server. If you look into the Intel SCS log, you will see the ERROR shown in Figure 2.

 

SCS_Log_certificate_length.PNG

Figure 2 – Intel® SCS log showing the certificate update error

 

Unfortunately, there is no easy workaround for this problem. You can take two different approaches here:

 

  • Reissue the root CA with a smaller key length. In this case, the certificate authority will handle two CRLs, one for the previous root CA that will be revoked (in our example, the certificate with the 4096-bit key), and one for the new certificate. This is the recommended approach if you use PKI for S/MIME or file encryption, because these usage models usually require CRL checking for longer periods.

 

  • Install a second root CA. This approach is intended as part of a migration strategy: instead of administering two CRLs, you can reissue the client certificates using GPO and, after some period, just decommission the old CA. This method is not recommended if you use S/MIME, file encryption, etc.

 

Network Speed


Usually, for compatibility reasons, you configure the wireless network to allow speed negotiation, but there are also situations where you don't want to allow it. The main reason to limit speed negotiation is to reduce the wireless coverage range, for example to a single room or auditorium. If, in this case, you configure the access point to accept only G or N speeds, you will have a problem using Intel® vPro™ Technology, because the maximum out-of-band speed for the Intel ME is 40 Mbps (which is too slow for the G or N network speeds).

 

What’s Next

 

In a future post, I'll discuss how to manage Intel® vPro™ Technology in a public wireless environment and behind a NAT using Fast Call for Help (aka Client Initiated Remote Access or CIRA).

 

Best Regards!

When Intel released Intel SCS 7.0, it was completely redesigned to become a simple Windows service by removing the web server and Microsoft SQL Server dependencies. However, the innovation that Intel SCS 7.0 brings is not only in software architecture, but also in how it is used to manage Intel® AMT systems.

 

An important concept embedded in SCS 7.0 is Unified Configuration, which allows the definition of one deployment package to configure all Intel AMT versions in your network and selects the necessary configuration method for each AMT version, i.e. Host Based Configuration for AMT 6.2 and beyond and legacy mode (i.e. PKI or PSK) for older versions of AMT.

 

As you may have noted, Intel SCS 7.0 doesn't use a database to store AMT credentials as previous generations did, so how can we retrieve the randomized password used for each AMT system?

 

The Digest Master Password (DMP) is a method for deriving each AMT password from the DMP, which creates a unique password per device. The management console possessing the DMP attempts to connect to the Intel AMT device, which triggers a response with a digest-challenge. Based on RFC 2617, the digest-challenge contains a realm-value, which is a fixed value generated by the AMT device using a high-entropy random-number generator, so that, in theory, it is unique per platform. The management console concatenates the realm-value with the username of the digest account it wishes to access and calculates the HMAC-SHA256 of the resulting string, using the DMP as the HMAC key. Converting the HMAC-SHA256 to a BASE64 value, voilà! We have the password!

 

To make it easier to understand, let's put it in an equation:

 

Administrator password = BASE64 [HMAC-SHA256 (DMP, realm-value & username)]


Since the realm value does not change for a given AMT device, this result is consistent every time it is calculated.
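As an added example in Python (not code from the post or from Intel SCS), here is the derivation above applied end to end: the realm-value is parsed from a constructed RFC 2617 Digest challenge and the password is computed with the DMP as the HMAC key. The DMP, realm and nonce are made-up sample values.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (not a real DMP and not a real device's realm).
SAMPLE_DMP = "example-digest-master-password-not-real"
SAMPLE_CHALLENGE = (
    'Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    'nonce="constructed-nonce", stale="false", qop="auth"'
)


def parse_realm(www_authenticate: str) -> str:
    """Extract the realm-value from an RFC 2617 Digest challenge
    (the WWW-Authenticate header the AMT device sends back)."""
    match = re.search(r'realm="([^"]*)"', www_authenticate)
    if match is None:
        raise ValueError("Digest challenge carries no realm")
    return match.group(1)


def derive_password(dmp: str, realm: str, username: str) -> str:
    """BASE64[HMAC-SHA256(DMP, realm-value & username)], as in the post:
    the realm is concatenated with the username and the DMP is the key."""
    message = (realm + username).encode("utf-8")
    mac = hmac.new(dmp.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def password_for_device(dmp: str, challenge: str, username: str = "admin") -> str:
    """Console-side flow: read the realm from the device's challenge, then derive."""
    return derive_password(dmp, parse_realm(challenge), username)


if __name__ == "__main__":
    # The same DMP and challenge always give the same password; rotating the
    # DMP (as the post recommends) changes every device's password at once.
    print(password_for_device(SAMPLE_DMP, SAMPLE_CHALLENGE))
```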

 

The good news of this approach is that if you contract a 3rd party to manage these devices, it's not necessary to give them access to your password database, nor to create replication strategies with your ITO; just share the DMP and that is enough to calculate the individual passwords.

 

The weakness of this approach is not so different from the "traditional" way: you still have to periodically change the DMP, and consequently each AMT device password, as with any good security procedure.

 

Best Regards!

In my last post about Intel TXT, I showed how to enable Trusted Boot on a Linux OS using Intel TXT. In this post, I will show you how to create custom policies; in this particular example, you will learn how to perform a Measured Launch of the Linux kernel and initial RAM disk (initrd).

 

In this 14min29sec video, I'll guide you through the steps required to create a simple policy:

 

 

At this point, if you successfully completed these steps, then you have configured Trusted Boot to verify the Linux kernel and initial RAM disk. If any of these components is not in a well-known state, the machine halts the boot process.

 

Further references can be found here:

 

Intel Trusted Execution Technology Software Development Guide 

 

Best Regards!

ATM-Kiosk-DigitalSignage.png

ATMs, kiosks and digital signage are types of embedded devices: computer systems designed to perform one or more dedicated functions, with or without user interaction. Usually these devices are located in public areas with restricted network infrastructure and are spread across multiple locations (e.g. shopping malls, gas stations, libraries, etc.). For this type of machine, remote diagnosis and repair has tremendous value, since the administrator can avoid unnecessary visits to reboot a machine or restore an operating system image. You can even remotely diagnose hardware problems, such as a hard disk failure, and then send the technician with the correct spare part for replacement.

 

The latest Intel® vPro™ release (i.e. with ME firmware 7.1) brings some improvements and capabilities to address this market segment:

 

  • Linux support: until now, only Microsoft Windows was officially supported on Intel® vPro™ machines, but now Intel is productizing the Intel SCS and ME drivers, so tools will be launched for the Linux OS as well. They will not be at the same maturity level as those in the Windows world, but hopefully enough to address the embedded market, where Linux adoption is higher than in the regular PC market;

 

  • Wireless support on desktop motherboards: yes, vPro now supports wireless on desktop motherboards. Of course, it is not mandatory, but some motherboards may support it, such as the DQ67EP, and in this case you must use an Intel® Centrino® Advanced-N 6205 wireless NIC to be compliant with ME 7.1;

 

  • Simplified configuration tool: the Host Based Configuration (HBC) method is by far the simplest method for vPro configuration; however, the main adoption barrier of this method for embedded devices lies in the fact that User Consent (aka Client Control Mode) is not a viable option. To overcome this limitation, the ME 7.1 firmware kit used by OEMs to assemble the motherboard/machine now comes with a tool capable of provisioning the machine unattended and placing it in Admin Control mode.

 

I would appreciate hearing from you if you have any initiative to adopt Intel® vPro™ and what kind of usage you are thinking of adopting. Thanks in advance for your feedback.
