Intel vPro Expert Center Blog

17 Posts tagged with the client_management tag

Have you seen the Network World article on Intel vPro technology?

Take a look at the article Wanted for dead or Alive PCs: Intel vPro technology. (Click on the name to link to the article)

1 Comments Permalink

At ManageFusion, we had the Intel vPro technology Challenge at the event - a competition where teams of two competed to find and fix a troubled PC. Each team had an opportunity to interact with Intel vPro technology based PCs from the Symantec Altiris Client Management Suite, and most had fun in the process! Check out the highlights from the Challenge.




1 Comments Permalink

Sometimes within Intel Marketing, we're told that our description of Intel Centrino with vPro technology or Intel Core 2 with vPro technology is a bit lengthy. Therefore, while at ManageFusion, we asked Intel customers as well as technical experts from Intel and Symantec to give us their best, most concise acronym that best describes Intel vPro Technology. Listen to their responses below.


2 Comments Permalink

While at ManageFusion, we had a chance to talk with Lee Bender, Senior Technical Strategist for the Intel Alliance at Symantec Corporation.


Lee showed off how the Symantec Backup Exec System Recovery (BESR) takes advantage of Intel vPro technology. Intel vPro technology extends the reach of BESR, and helps prevent an IT administrator from visiting an end-user's desktop or notebook by enabling remote diagnosis and repair of a downed PC with an unavailable Operating System.


Watch Lee's demonstration of Intel vPro technology with Symantec BESR below:

0 Comments Permalink


The Norton Backup Exec looks very promising as a recovery tool now that it uses WinPE... Maybe we can take a recovery point and convert it to a VMware or MS VM image, and possibly use this as a temporary system for users while their system is being worked on?

The Altiris CMS version 7 (beta) integrates many of the Norton suite features; of interest to me was the choice of PCanywhere, RDP or VNC as a remote control.

Symantec announced at the event that they purchased AppStream and plan to integrate it into Altiris NS.

The next gen Ghost product includes many new features including Ghconfig, which can be used to rename a system... this may be useful for easily renaming waterfalled (hand me down) systems...

0 Comments Permalink


There were two sessions at ManageFusion 2008 on saving energy on clients in the corporate environment. Almost all hands went up when the question was asked "How many of you have a corporate initiative for green IT?"

HP is pursuing a "top down" power management tool from Verdiem Surveyor for the corporate environment as well as a "bottoms up" tool (HP Power Manager) for installation on clients that lets employees see the actual $ impact of their energy savings using a simple slider bar. I will post the HP link for the client tool on my blog when it becomes available.

Gartner says PCs consume 40% of the power and servers 22%, even though most enterprises think it's the servers.

"It's really neat that HP and others are offering tools to shut down systems to save power, but I want my users to be able to use their system as soon as they come to work without waiting for patches..." and the answer from the presenter was "...what you need is Intel AMT... it can wake systems for patching and put them back to sleep..." The audience had not heard of this... :)

The hard drive password issue that many companies are facing doing wakeup&patch can be solved by Danbury and a good ISV console

The Altiris Backup Exec Recovery solution using WinPE looks very promising

2 Comments Permalink

On April 8th, Intel Vice-President Gregory Bryant was part of the opening ManageFusion keynote led by Symantec's Steve Morton.

In the first part of the keynote, Steve talked about his travels to Intel to learn more about Intel vPro technology. Then Gregory talked about how customers are realizing value today with Intel vPro technology through better remote management, better power management and better security policies - essentially allowing IT administrators to "levitate." View the first part of the keynote below:




Then, Gregory (along with Steve) introduced Ted Wilkinson, an IT Vice-President at Bank of NY-Mellon. He talked about his infrastructure of 47,000 PCs after the integration of Bank of NY with Mellon Bank, and how Intel vPro technology helps his new infrastructure with enhanced remote power control and remote remediation - which eliminates costs within his new infrastructure.

Also, Gregory discussed future Intel vPro technology directions - including:

    • The dynamic virtual client - which blends the manageability of thin clients with the ability to take advantage of the performance of thick clients
    • The ability to manage laptops and desktops that are outside of the corporate firewall, starting with Intel vPro technology that comes out mid 2008
    • The integration of hard drive encryption with Intel vPro technology starting in Q3'08 that is easy to manage

View the second part of the keynote with Gregory below:



2 Comments Permalink


The following information contains the detailed steps used to order a Remote Configuration Client Certificate from GoDaddy. There are many methods that can be used, but this was tested and validated that the certificate worked for both SMS and SCCM SP1 to provide Remote Configuration Provisioning to vPro clients.

SUMMARY: You will be required to prove that you, or your company, own the rights to the domain for which you are applying for this certificate. In the following example, I first registered my lab domain before ordering my Remote Configuration Certificate. I also needed a Company representative to submit a letter of approval (Company Letterhead) to GoDaddy giving me authority to request this certificate. I also tested that the certificate I received from GoDaddy did work with Remote Configuring AMT clients in an SMS and SCCM SP1 environment.

Key items that are detailed in the steps below that were required to get my certificate:
○ Certificate type must be a Deluxe Assurance SSL certificate
○ Certificate request is for an Organization
○ OU = Intel(R) Client Setup Certificate
○ CN = ServerName.domain.com (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)
○ Organization = The legal name of your organization that can approve your certificate request
○ Required Documentation to be submitted (Driver's License, Bank Statement, and Approval Letter on Company Letterhead)

STEPS TO PURCHASE THE REMOTE CONFIGURATION CERTIFICATE
1. Go to GoDaddy Web site: www.godaddy.com
2. Select the SSL Certificate link: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979

3. From the SSL Certificate page, choose the Deluxe SSL certificate and click ADD
a. select Single (your choice of 1, 2, or 3 years) for a single Domain environment
b. Unlimited Subdomains - wildcards are supported for AMT versions 2.6 / 3.2 and higher
4. In the next screen, you will be prompted to customize your order. No additional items are necessary on this screen, select Continue
5. At the Checkout Now screen, you should see the Deluxe Assurance SSL certificate (other options may vary if you selected additional items to purchase)
6. In the Billing information Window, make sure to include your valid company name. You will be required to have someone from your company submit an approval letter for this certificate request on company letterhead (more detailed steps to follow).
7. After you fill out your billing information, you will need to login to your account to configure the certificate you have just purchased.
8. After logging in to your account, select Manage SSL Certificates.
9. You will see you have an available credit in the Secure Certificates, Click Set up Certificate link and Click Activate Account
a. You may need to log in to your account or create a new Certificate account - this is different than your GoDaddy Account
10. Select the Deluxe High-Assurance SSL Certificate and Click Request Certificate

11. Select Corporate option in Step 1
Fill out Personal Information in Step 2, including your company name
Generate your CSR and paste the text in the box provided in Step 3 (make sure to indicate the type of server used to produce the CSR)
They provide a link in Step 3 on How to generate a CSR (follow these steps).

The CSR MUST include the following fields to be a valid vPro Remote Configuration Certificate and approved by GoDaddy:

  • OU = Intel(R) Client Setup Certificate
  • CN = ServerName.domain.com (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)
  • Organization = The legal name of your organization that can approve your certificate request

12. After you paste your CSR information and click Submit, your request will be routed to GoDaddy and they will follow up via email for next steps.
13. You will be asked to send them two forms of Identification (Driver License and Bank Statement)
14. Additionally, you will be asked to have someone within your company provide an approval letter on company letterhead stating that you have the authority to request the SSL certificate for this server and domain.
15. After GoDaddy has validated the required documentation, they will send you an email stating that your SSL certificate is available.
16. You can now download your SSL certificate and apply it to your IIS Web Server on your requesting Provisioning Server.

2 Comments 0 References Permalink
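
The subject fields the post lists (OU, CN, Organization) can be checked before a CSR is pasted into the CA's form. The following is an added example, not part of the original post or of any Intel or GoDaddy tooling: it uses the `openssl` command line to build a CSR with those fields and then verifies them. The host name, organization name and 2048-bit RSA key are constructed placeholder values, and generating the CSR with `openssl` instead of on the provisioning server itself is an assumption.

```shell
#!/bin/sh
# Added example: build and check a CSR against the subject fields listed in the post.
# All host and organization names below are constructed sample values.

REQUIRED_OU='Intel(R) Client Setup Certificate'

# make_amt_csr FQDN ORG OU KEY_OUT CSR_OUT
# Creates a new RSA key and a CSR whose subject carries O, OU and CN.
# ORG and OU must not contain '/' because of the -subj syntax.
make_amt_csr() {
    local fqdn="$1" org="$2" ou="$3" key_out="$4" csr_out="$5"
    ( umask 077   # keep the private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$key_out" -out "$csr_out" \
          -subj "/O=${org}/OU=${ou}/CN=${fqdn}" 2>/dev/null )
}

# csr_field CSR LONG_NAME
# Prints the value(s) of one subject attribute, one per line.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n "s/^ *$2 *= //p"
}

# check_amt_csr CSR EXPECTED_FQDN
# Returns 0 only if OU matches exactly, CN is the expected fully qualified
# name of the provisioning server, and O is present.
check_amt_csr() {
    local csr="$1" fqdn="$2" rc=0 ou cn org
    ou=$(csr_field "$csr" organizationalUnitName)
    cn=$(csr_field "$csr" commonName)
    org=$(csr_field "$csr" organizationName)

    [ "$ou" = "$REQUIRED_OU" ] ||
        { echo "OU is '$ou', expected '$REQUIRED_OU'" >&2; rc=1; }
    [ "$cn" = "$fqdn" ] ||
        { echo "CN is '$cn', expected '$fqdn'" >&2; rc=1; }
    case "$cn" in
        *.*) ;;
        *) echo "CN '$cn' is not a fully qualified name" >&2; rc=1 ;;
    esac
    [ -n "$org" ] ||
        { echo "Organization (O) is missing" >&2; rc=1; }
    return $rc
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1

    # A request that carries the fields from the post
    make_amt_csr prov01.example.com 'Example Agency' "$REQUIRED_OU" \
        "$dir/good.key" "$dir/good.csr" &&
        check_amt_csr "$dir/good.csr" prov01.example.com &&
        echo "good.csr: subject fields OK"

    # The same request with a generic OU, which does not meet the listed requirement
    make_amt_csr prov01.example.com 'Example Agency' 'IT Department' \
        "$dir/bad.key" "$dir/bad.csr" &&
        ! check_amt_csr "$dir/bad.csr" prov01.example.com 2>/dev/null &&
        echo "bad.csr: rejected (wrong OU)"

    rm -rf "$dir"
}

demo
```

The OU comparison is an exact string match, so a subject such as `Intel Client Setup Certificate` (without the `(R)`) is reported as a mismatch.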

This week I was reflecting on my IT journey in the last few years and how I successfully adopted new technology. I thought that sharing this type of information may be helpful to those out there that are either about to start or in the middle of their integration of Intel® vPro™ Technology. First things first, here’s an illustration of the different camps within an IT shop (architecture, engineering, operations, finance, security) and then of course there is the leadership (mgmt) that provides air cover for such new adoptions / also a key stakeholder in the success.

blogroles2.jpg

For each of these camps there is a different perspective and frames of reference, therefore let me dive into each one.

ARCHITECTURE: for the architect community, the requirement is to understand their 3-5 year roadmap and how a new client technology fits in - does it violate any major design rules, does it embrace the technology strategy? Specifically the focus is around conceptual and reference architecture with focus on high level themes i.e. Compliance, Provisioning, Remediation, Automation, Virtualization. The vantage point here is looking at the big picture and being able to define it in relationship to the rest of the architecture. This includes the BDAT model as well (business, data, applications and technology), focus is around the business process changes, data architecture changes with respect to where data is being stored, retained, transmitted, etc. Applications are all about the application architecture requirements and potentially any changes to the high level picture.

ENGINEERING: for engineering it’s all about the connection points, ports, protocols, access rights. What I find very compelling in this realm is that the dialogue is around AS IS and TO BE solution architecture with heavy reference to the BDAT model output. How does it specifically fit in w/ the rest of the pieces, what is the traffic pattern, what is the fault tolerance, how does it reuse the pieces of infrastructure already in place, how does each level of the support stack manage their respective pieces without breaking the separation of duties requirements, scaling out ramifications.

OPERATIONS: for operations it's all about what is the process change, realization of the value and how does it all work. As you dig in more in this area it is about the 1-x process steps required, there is a heavier view on automation of remedial tasks, there is focus on ownership of problems, reliability of the solution, SLAs, OLAs (operational level agreements). The dialogue for operations is about the minutes it takes to operate a given function, the time to execute, back out, re-provision, etc. This is where the business process understanding and changes are the most critical as they are truly tested in live production scenarios.

FINANCE: for finance, it’s a few things that I think are important to know, it’s not all about the ROI & TCO, however that is about 90% of it. The other 10% is primarily focused on how this solution would enable company objectives, goals and vision. They are also the keepers of the value (from headcount, costs, impact, including how to verbalize) when it’s all said and done, as they play the role in delivering a projected vs. actual account of the events, therefore their keen involvement and insight is important. An enlisted finance manager can make a world of difference.

SECURITY: I initially did not draw in security & then went back to add this into the picture above. Why you ask? Well, years back security was an afterthought, however, ever since the Code Red/Nimda/SQL Slammer days – they’ve had a pretty strong foothold in decisions within IT – especially in evaluating new technologies… They have to ensure that the ‘last mile’ is covered in the enterprise, 1 box can wreak havoc on the network, etc. What this means is that it’s all about CIA (Confidentiality, Availability & Integrity), therefore diving into the technology & understanding the RISK is the key part here (specifically the Risk Assessment).

LEADERSHIP/MANAGEMENT: the focus here is around not just being an “approver” but to also being a champion for the new technology. The goal is to have them very aware & equally as passionate as the adopter of the technology. If you can drive this passion from the top the air cover is significant in removing roadblocks that may arise.

So is one more important than the other? No, they are all critical for full adoption, however I will highlight that the message crafted towards the leadership team is critical.
Do small/medium IT shops have these same challenges? I think so, they are just differing in size of the work required. For example, in a small business the IT director may be participating in arch-eng-ops type of roles and rolling out the technology, whereas in large enterprises these may be broken out over different people and groups.

So.. how do you go for the WIN?
My past has taught me that if I can understand the differing roles, what is needed to satisfy their requirements, the process is smoother (not perfect). I have also realized that sometimes even in IT you have to put on a marketing’ish type of role to help push the adoption along, whether it’s brown bag lunch meetings to show off the technology or just asking the Sr. Exec to join you in the data center for a hands on demo. In every case of new technology I’ve enlisted a team of passionate peers that see the vision and then together we tackle the key areas as a team, while also diffusing that passion to others.

I’d like to share some examples of each area if there is interest in the community, specifically focused around Intel® vPro™ Technology. Please comment back and then I will attach examples for each.

Also. What have I missed? What key questions do you think need to get answered for a “WIN”.

0 Comments 0 References Permalink

Last month's post of the open source packet decoder is just the first of a strong list of tools planned by the team that brings you the Technology Test Utility. The iCSO software engineering team is chartered with making utilities and applications available to the public that accelerate and simplify the adoption and activation of Intel vPro technology.

We will be maintaining these tools and look forward to your feedback, suggestions, and participation in making these tools the best they can be for you and the marketplace. Our commitment is to post new versions of each tool at least every other month and of course post earlier if issues are found that render the tool less than useful.

The next tool we will be posting is a Pre-Installation Utility intended to speed the first user experience and automate as much as possible the initial setup of the Intel® AMT(tm) Setup and Configuration (aka SCS) environment in enterprise mode. Coupled with post setup wizards it will enable users to provision devices with minimal effort and time.

We look forward to hearing your feedback on our efforts.

Intel's iCSO Software Engineering Team

0 Comments 0 References Permalink

If you see this pop up on your PRO machines and you would like to turn it off..

Check out what Gael already wrote on this on the Manageability Developers site

clip_image001.jpg

1 Comments Permalink

As a network administrator for a small local government agency, I have been tasked to deploy Intel's Active Management Technology (AMT) into our network environment. Having sold our IT management on the benefits of vPro technology and how it can revolutionize our system management capabilities, I am ready to move forward and get AMT installed. In addition, today I learned that we will begin receiving brand spanking new HP systems in January that will have the latest greatest vPro technology aboard. I've got a few months to become an AMT expert and be ready for the new systems. Life is good!

Where To Start

The first thing I did after learning about vPro and AMT was to visit the Intel vPro Expert Center web site. There I found a great variety of resources to help me with my deployment. This is a good site to get help and guidance. The only problem I have with the site is that there's no link to download the AMT docs or software. You'll want to get your hands on the Intel Active Management Technology Setup and Configuration Service (SCS) - Installation and User Manual. You can get this document as well as the software from http://softwarecommunity.intel.com/articles/eng/1025.htm. Since SCS is the foundation and support structure of everything that goes on in the AMT and vPro world, this was the most logical place to start.

In addition, since I plan on integrating SCS with my existing SMS 2003 infrastructure, I also downloaded the Intel Active Management Technology Add-on for Microsoft SMS 2003 - Installation and User's Guide. Getting this was a bit of a challenge so stay with me on this one. I had to navigate to another good link you'll want to keep and refer to, The Intel Management Developer Community. From here I searched for "SMS 2003" and found the link to the SMS 2003 Add-on document. For non-developers like me, this site can appear to be not exactly what we do everyday, but hang in there, this site has a lot of info too. Now I had the documents I needed. They created the basis on which I would start to plan and deploy AMT into my network.

Read, read, read

The first thing I did after printing the documents was to read them over several times so I could get the gist of just how all the pieces played together. Then I read them again. After the first pass, it all looked pretty daunting and difficult, but after reading many of the sections over, it all started to come together and make sense. Read. Read. Read.

Time to lay things out

Ok, now I had a pretty good idea of what everything did and why, it was time to make sure I had everything I needed to make the pieces work together. I began to try and lay out what I needed to have to make AMT work.

Servers - I need to decide where to install SCS. I had a recently rebuilt Windows 2003 R2 server available that also had SQL 2005 on it. Plenty of disk space and horsepower. This was good. We were using this server to host our Help Desk application and it didn't appear to be over taxed in any way. The hardware and base OS part was taken care of. The server happened to be in our central office which was also a benefit. Our office is put together in a spoke and wheel configuration with all outer offices connecting to the central office over fast network connections. This would be good when we start to provision systems from outer office locations.

Active Directory - SCS / AMT relies on and utilizes Active Directory quite a bit. Our Active Directory is at Windows 2003 R2 level so I'm good to go. Also, as a Domain Admin, I have the ability to make any changes necessary to Active Directory.

Security - AMT supports Transport Layer Security (TLS) for secure communications between AMT devices and management console applications. TLS is optional for AMT, however we wanted to make all our communications as secure as possible so we're going for a full TLS implementation. This requires certificates and fortunately we have a Microsoft Certificate Authority server in our network that will make things easy to manage.

Database - SCS stores all its information in a database. We're going to use the existing SQL 2005 database on the server we're going to install SCS on.

AMT Device Location - Where were the new systems coming into and who was handling them? In the past when new systems came in, our Help Desk techs were very efficient in imaging them and deploying them right out the door. I need to make sure that everyone in our Help Desk group was tuned into what we were trying to do. We'll need to have a meeting to discuss what's going to happen after they plug in a system to the network for the first time.

Now that I've gotten my infrastructure laid out, it's time to start installing software. Yeah!

Next time I'll detail the steps I took in actually installing SCS into my network. As always, any comments and suggestions are warmly welcomed.

1 Comments Permalink

Greetings from the trenches! My name is Sandy Wood and I'm a network administrator for the Orange County District Attorney's office in Southern California.

What I do

My primary job is to manage and support our fleet of 950 or so Windows workstations and 30 Windows servers. This covers everything from updating software, performance monitoring, alert management as well as second level Help Desk support.

The tools I use the most in my day to day activities are Microsoft SMS Server 2003 and Microsoft System Center Operations Manager 2007. These tools are indispensable in our daily jobs to keep our systems running smoothly and up to date.

vPro What?

Earlier this year, while attending a Microsoft Management conference, I stopped by the Intel booth and learned about vPro technology. Boy, what an eye opener for a management geek! This could really be system management nirvana! Since we were in the beginning stages of planning for the replacement of our entire PC fleet, I called my boss and told him he had to make sure that our next systems had vPro technology. This was going to revolutionize the way we managed our systems from deployment to software updating to day-to-day support.

Why Should You Care?

Well, fast forward to today and we're just beginning to receive our first new systems. Brand, spanking new HP systems with, yes, you guessed it, vPro with AMT 3.0! Everyone watched while we opened and unpacked the first system box. After my big vPro sales pitch, management was keen to see all the great new bells and whistles that vPro and AMT were sure to bring us. Before I go into just how cool it all worked and how cool I looked doing it, I thought it would be instructive to blog the actual steps (and missteps) I took in planning and deploying AMT in a real world situation, warts and all.

This is why you should care - if you're getting ready to deploy AMT or are just interested in the technology, this may (I hope) offer a glimpse into what it will take to get AMT rolling in your world. Reading the manuals is good and I highly recommend it; however, nothing beats a real step by step walk through with real situations to give you a feel for the product and its potential.

What's Next?

The next step for me will be the planning phase. Although most of us love to just get out there and run setup, planning before you deploy AMT in your environment will truly pay off for you. AMT has a lot of pieces and features that you're going to want to sit down and do a bit of thinking about before running setup. Trust me; you'll be glad you did.

Well, I'm finishing up my planning and will be back here soon with another installment of Life in the Trenches as I run down just what I did to plan for AMT deployment in my environment.

Stay tuned and as always, your comments and questions are welcome!

4 Comments Permalink


Extending the value of Altiris Client Management Suite via Intel vPro Technology will be a focus at the upcoming Altiris ManageFusion event in Orlando. The dates are Oct 9-11. Registration and event information is available at http://www.managefusion.com/agenda/Orlando.aspx

For details on the technical sessions, please refer to the following article - http://juice.altiris.com/headsup/2479/managefusion-07-intel-vpro-sessions-and-events

0 Comments Permalink


Traditionally speaking - if security is improved, manageability suffers. The reverse of this is true also - traditionally.

Intel vPro presents a different approach and perspective to this common understanding - consider some of the usage models and scenarios described at the following link: http://www.intel.com/business/vpro/index.htm (see the "improve security" and "extend manageability" links on this page under Resources - lower right side)

The above links demonstrate and introduce the usage models and capabilities. But - what about ensuring the security of the platform? As commonly inquired - "Could vPro be used maliciously?". Considering that any tool of value - even the screwdriver sitting in a garage or a desk drawer - could be used maliciously, the question might be better phrased - "What are the built-in security features of Intel vPro?" The following is only a summary and overview - yet should provide some comfort in the platform. (BTW: Are you aware of all the security features in current environments, or would introducing vPro perhaps expose a long term policy or technological oversight? Just a thought.)

  • Internal security - Use of Intel digitally signed firmware. In some cases, the OEM will also require their digital signature for firmware updates. The non-volatile RAM (NVRAM) has strict security and access control. There is a small section referred to as "3rd party datastore" or 3PDS. Access to this area requires registration with Intel and granting of a token. Communications into the management engine occur through secure channels - whether from the operating system or from the network interface. Generally speaking - compromising the internal security would indicate there are bigger problems in the environment.
  • Enterprise setup and configuration security - Enterprise mode setup and configuration is handled via either a pre-shared secret or certificate based authentication (see related blog on the latter). The configuration uses secure handshakes, authentication, and so forth. Replay attacks are prevented. With the latest configuration service, there is an option to require authentication or approval of systems to be provisioned\configured. Pre-shared keys are changed after configuration, and subsequently based on definable schedules. Minimal setup rights can be used to limit exposure of accounts to perform setup\configuration. Security audit logs and event logs monitor activities. The process also has dependencies on the enterprise DHCP, DNS, PKI\CA, and so forth. Generally speaking - if the enterprise setup and configuration service is compromised, there are bigger problems within the environment (whether technological, social networking, policy\procedure, etc.)
  • Operator Security - Roles, permissions, and AMT security realm access control come into play here. This effectively defines who is allowed to configure the "configuration services", who is allowed to authorize or change vPro configurations, and who is allowed to utilize functions on configured vPro systems. The "who" could be defined by a user, group, service, etc. In addition - use of Kerberos for user rights mgmt and so forth provides an integration into the Microsoft Active Directory. Thus a group of users can be defined with various levels of access control and capability. Plus - all security related actions and configuration changes can be logged. Generally speaking - if an operator is compromising vPro security, there are likely bigger problems in the environment (e.g. policies, procedures, etc.)
  • Communication Security - Once a system is configured, transport layer security (TLS) or Mutual TLS can be used to secure management traffic. User sessions can be authenticated using a digest protocol or Kerberos.
  • Infrastructure Security - Since vPro effectively has a separate management computer inside, this management engine can be configured for environments supporting wireless profiles (WPA or WPA2), VLAN, Network Access Control, 802.1x, etc.
  • Operational Client Security - On top of all the configuration security items is the end-user usage and capabilities. Items such as System Defense, Agent Presence, remote power management, and so forth.

This returns to the first question - Can manageability and security be raised together for client management?

Open to hear from the community on your thoughts - whether in agreement or disagreement.

0 Comments Permalink