Each release of the Intel® AMT provides a few additional features. The good news is that Altiris handles the abstraction and interface or capabilities in heterogeneous environments. However, for troubleshooting, deployment, product selection, and other decisions - it may help to provide a summary of features and capabilities within each generation of the platform.
Yet this raises some questions: What version of Intel® AMT is running on the client system? What features does the version support? What are the dependencies on the Intel® Setup and Configuration Service (SCS) for Altiris Out-of-Band provisioning?
All good questions - let's step through each.
What version of Intel® AMT do I have?
Production Intel® AMT systems support either version 2.1 (for Intel® vPro^TM^ desktop systems) or 2.5 (for Intel® Centrino® Pro systems). First generation Intel® vPro^TM^ systems were codenamed Averill. First generation Intel® Centrino® Pro systems were codenamed Santa Rosa. Weybridge is the codename of the second generation Intel® vPro^TM^ desktop platform, and will start with Intel® AMT version 3.0.
If ever a question of what exact version of the MEBx (management engine
BIOS extension), the login screen will reveal the answer. This screen is typically access via Ctrl-P during the POST boot process. The picture below comes from an Intel® Centrino® Pro systems, running v2.15.15.0000 of the MEBx.
Click to view.
Versions and Features of Intel® AMT
The table below provides a summary of Intel® AMT platform versions and support features. Remote configuration, formerly called Zero Touch Configuration, will be released in September timeframe for Averill and Santa Rosa systems. A future article will address this topic.
Details on Intel® AMT versions beyond that which is stated will be shown later. There is an Intel® AMT 1.0 version, yet not branded as Intel® vPro^TM^. Details will not be shared.
A common question is raised of migration paths from one Intel® AMT family to the next. For example - will Averill systems be firmware upgradeable to Weybridge. No. However, the functionality will continue to grow and the capabilities will be integrated into the Altiris console. Thus a mixed environment is supported.
Will you find all these items supported in the current Altiris console for out-of-band manageability? No. This is due to the underlying configuration service and management that is needed, and is presently provided by Intel® SCS. This will be addressed more in the next section. If you happen to download and test the Early Access version of
OOB, RTSI, and RTCI
portals.altiris.com/eap, you will see the additional functionalities.
Does this mean that Santa Rosa systems will not work with the current production environment? In a wired mode, they will perform all of the functions of Averill systems. Some key questions and consideration - Notebooks are powered by AC (wall plug) or DC (battery). In addition, with the wireless network support management of profiles and configurations is needed.
Before continuing to the next sections on power policies and supported states for wired versus wireless environments, a quick review of what hardware asset data is collected might help. See
this document for a refresher.
Intel® AMT Power Policies
Adding Intel® AMT to notebooks presents some new possibilities and considerations. The tables below address some permutations of wired vs. wireless, running on AC or DC power, and whether the host system is healthy (e.g. system on and operating system running), sick (e.g. system on yet operating system failed or unavailable), or asleep (whether standby, hibernate, or off). The power states of Intel® are defined in a policy, with nomenclature that might confuse at first. (e.g. S0, S3, S5, and H0 power states). Review mention of power policies and states in
.this article
In the case of Intel® Centrino® Pro systems, the power policy is even more extensive. Below is a screen shot of the MEBx menu for power policy. A similar list of options will appear in the Intel® AMT profile.
this article
Click to view.
Intel® AMT over Wired
Since Intel® AMT is on by default and consuming power, if powered by battery it may be better to turn the management engine off. This explains the "No" in the right column of the table below. What about the "No" for system isolation and agent presence is the system the host system is asleep and powered via AC? If the host system is off, what agent or virus outbreak is being prevented? That is why these states are not supported nor needed - they both require the host to be running (not necessarily the host operating system).
Wired mode also assumes the system is connected directly to the management network. If a remote site is connected to the main site via a VPN appliance, this is effectively a virtual extension of the managed network. However, if the target system requires a software agent running above the host operating system to support VPN, this is different and will be addressed in the next section.
Intel® AMT over Wireless
Similar to the last table, the next view addresses Intel® AMT over wireless. The use cases are the same, as are AC or DC selections, and the state of the host system. The key difference is whether Intel® AMT has wireless access. The wired
NIC is on by default and built into the hardware. The wireless NIC actually requires the host system to be on.
Wireless allows mobility, including outside of the managed network. Does this remove the manageability and security of the Intel® AMT platform? If a VPN connection to the managed network requires a Layer 3 (L3) VPN (virtual private network) agent running on top of the host operating system, does out-of-band management still apply?
Technologically, the L3 VPN functionality could be embedded into the Intel® AMT management engine. However, do the variety or vendors and approaches, this presents a major validation and certificate challenge. Plus, the number of potential updates and patches would not be favorable. Therefore, if the system is connected via wireless (or wired) outside of the managed network, and using an L3 VPN agent to connect in - there are some consideration of supported functionality. This does not apply to situations where a VPN appliance is between the Intel® AMT system and the managed network - since that is effectively a virtual extension of the physical managed network.
Intel® AMT 2.5 supports wireless profiles. Thus if the Intel® AMT device is inside a managed environment, connecting via an 802.11 b/g/n network with defined SSID and configurations, the system can be managed out-of-band.
- Note: 802.11i, 802.1x, and NAC are supported in the Intel® AMT profile for Centrino® Pro environments. More on this in a latter section
- 802.11n is draft version today. For best compatibility, use 802.11 b/g networks
With the perceived constraints of Intel® AMT over wireless, does out-of-band still apply? Yes.
If the device is within a managed network environment - whether wireless or wired - and has been configured (e.g. provisioned) correctly, the system is still manageable if the host is on. (e.g. healthy or sick). As mentioned in an earlier tech-tip, system data is still being collected at boot. Plus, if a network filter policy is pushed down to the Intel® AMT device - part of the System Isolation capability (formerly called Circuit Breaker), that policy remains in effect until removed.
If the system is on, yet the host operating system is not functional and the system is inside a managed network environment (whether wired or wireless) - the system is manageable.
The last item may raise some concern - if the system is wireless and host is asleep (S1 through S5 power state), why are all use cases not supported? Remember that the wireless network driver for Intel® AMT requires the host to be on (H0), whether or not the operating system is running. Only the wired NIC is powered in the asleep state - if a connection is available.
Intel® SCS versions
Within the Altiris OOB server install, a service labeled "AMTconfig" is running. The version number of this windows service refers to the Intel® SCS version number. The Altiris Out-of-Band management console (under Provisioning > Configuration Service Settings) will show additional options and capabilities with higher versions of Intel® SCS. Yet what is the relation and mapping of Intel® SCS to Intel® AMT?
The general concept is this: The major version number of Intel® SCS (again - check the AMTconfig service version number) indicates all versions of Intel® AMT supported at or below that number. Therefore, Intel® SCS 3.0 would support AMT 2.0 through 3.0 versions (i.e. Averill, Santa Rosa, and Weybridge). Of course, there are always expections to the rule. Intel® SCS version 1.x supports Intel® AMT 2.1 and below, and Remote Configuration will be supported with a version of Intel® SCS slightly above 3.0. (More on Remote Configuration in a near future article)
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.
