What are the Best Practices for configuring or provisioning Intel vPro capable systems within the Symantec Management Platform 7.0?  More specifically, how can I use Out of Band Management 7.0 to reliably enable my vPro systems for use within the infrastructure?

Those who understand vPro technology and the Altiris/Symantec implementation will recognize that there are multiple ways to configure AMT systems.  Not all methods are created equal, and experience has revealed which ways are best.  Using this article you can avoid many of the pitfalls and difficulties surrounding such a secure and robust architecture.

Introduction

With different options available for configuring an Intel vPro system, this document is a must.  Since so many components tie into the vPro-supported architecture, results can vary.  Some methods have revealed inherent problems in how the Altiris Infrastructure handles a computer resource’s identity.  To avoid these potential issues, the method described here has proven to be the most reliable.  Keep in mind that as newer versions of AMT, vPro, Intel SCS, and Out of Band Management are released, these details may change.  Symantec is working to resolve configuration issues to allow more reliable choices for configuring vPro enabled systems.

Infrastructure Items

The best methods for setting up the infrastructure are provided here.  The manual configuration method is not covered, as it’s a manual pain and an alphanumeric nightmare.  The first segment covers the universal ProvisionServer DNS record required for the hands-off approach in AMT versions 2 through 5.  Two other infrastructure components are then covered so that the configuration steps later in this article have all necessary infrastructure items in place.

DNS Configuration

Everyone loves automatic procedures that don’t require the eyes and hands of an overworked IT Professional to complete.  The DNS configuration is essential to achieving the no-touch, hands-off automated approach available with AMT provisioning.  The following steps show how to set this up:

  1. Launch DNS Management.
  2. Expand the Forward Look-up Zones tree.
  3. Right-click on the Domain that will be used for Provisioning and choose to create a CNAME record.
  4. In the Alias field type in: ProvisionServer
  5. In the Fully Qualified Domain Name field put the full name of the Notification Server (IE: MyServer.mydomain.com).

Now that this Alias is created, when the AMT systems send out the ‘hello’ message targeting the name ‘ProvisionServer’, DNS will properly route that message to the Notification Server/Intel SCS Provisioning Server.  To test that this is working properly, follow this procedure:

  1. In the Symantec Management Console, browse under Home > Remote Management > and click Out of Band Management.
  2. In the left-hand pane, browse under Configuration > Configure Service Settings > and select DNS Configuration.
  3. In the right-hand pane click the ‘Test’ button found about halfway down the text of the page.
  4. Under ‘Resolved “ProvisionServer” IP:’ you should see the IP address of your Notification Server.  If the test fails, the NS cannot resolve the name “ProvisionServer” on the network.  See this screenshot for an example:
    DNSConfig.jpg
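Added example, not part of the original article: a PowerShell script that creates the ProvisionServer CNAME described above and performs the same resolution check as the console’s ‘Test’ button. It assumes a Windows Server 2012 or later DNS server with the DnsServer module (older servers would use dnscmd instead); the zone and server names are placeholders taken from the article’s own example.

```powershell
# Added example (not from the original article): create the ProvisionServer CNAME that AMT
# 'hello' packets rely on, then verify it resolves to the Notification Server / Intel SCS host.
param(
    [string]$ZoneName  = 'mydomain.com',           # assumption: the zone the AMT clients search
    [string]$NsFqdn    = 'MyServer.mydomain.com',  # the Notification Server (from the article's example)
    [string]$DnsServer = $env:COMPUTERNAME         # DNS server to create and query the record on
)

$ErrorActionPreference = 'Stop'
$alias     = 'ProvisionServer'
$fqdnAlias = "$alias.$ZoneName"

# Create the CNAME only if it does not exist yet.  A stale record pointing at a retired server
# would silently swallow every 'hello' packet, so an existing record is checked, not overwritten.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $alias -RRType CName `
                -ComputerName $DnsServer -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $alias -HostNameAlias $NsFqdn `
        -ComputerName $DnsServer
}
else {
    $target = $existing.RecordData.HostNameAlias.TrimEnd('.')
    if ($target -ne $NsFqdn) { throw "$alias already points at $target, not $NsFqdn" }
}

# Same check the console 'Test' button performs: the alias must resolve to the NS address.
$cname   = Resolve-DnsName -Name $fqdnAlias -Type CNAME -Server $DnsServer
$aliasIp = (Resolve-DnsName -Name $fqdnAlias -Type A -Server $DnsServer | Where-Object IPAddress).IPAddress
$nsIp    = (Resolve-DnsName -Name $NsFqdn    -Type A -Server $DnsServer | Where-Object IPAddress).IPAddress

if (-not $aliasIp -or -not $nsIp) {
    throw "No A record found: $fqdnAlias -> [$aliasIp], $NsFqdn -> [$nsIp]"
}
if (($cname.NameHost.TrimEnd('.') -ne $NsFqdn) -or (Compare-Object $aliasIp $nsIp)) {
    throw "Resolution mismatch: $fqdnAlias -> $($cname.NameHost) / $($aliasIp -join ',') but $NsFqdn -> $($nsIp -join ',')"
}
"Resolved `"$alias`" IP: $($aliasIp -join ', ') (matches $NsFqdn)"
```

Run it on the DNS server itself or from a workstation with the DNS Server RSAT tools, as an account allowed to edit the zone.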

General Items – Remote Configuration

Note that the Remote Configuration option is not available on all versions of AMT.  As of the creation of this document, versions 2.2, 2.6, 3.0, 3.1, 4.0 and 5.0 support Remote Configuration.  All AMT systems with these versions have pre-configured certificates loaded into the firmware.  Examples are GoDaddy, VeriSign, and Comodo (others may be provided; check Intel’s or the computer manufacturer’s documentation for a full list).  The systems come from the manufacturer already prepared to find the Provisioning Server and initiate the Configuration process.

The following infrastructure items need to be in place for Remote Configuration:

  1. Obtain a valid certificate from the appropriate vendor (GoDaddy, VeriSign, Comodo, etc.).
  2. Install the certificate on the Notification Server and register it with the Provision Server.  Details on how to do this are best covered in the following article, which details not only the best practices but also how to troubleshoot issues with applying the remote configuration certificate:

https://www-secure.symantec.com/connect/articles/remote-configuration-certificate-application-best-practices-intel-vpro-systems

  3. Enable the CNAME option for ProvisionServer as detailed previously if this has not been completed yet.  This is essential to make the Remote Configuration process seamless and hands-free.
  4. Enable Resource Synchronization.  Use these steps to complete it:
    1. In the Symantec Management Console browse under Home > Remote Management > Out of Band Management.
    2. In the left-hand tree browse under Configuration > Intel AMT Systems > and select Resource Synchronization.
    3. On the title bar to the right, click the button next to ‘Off’ and select ‘On’.
    4. Make sure the option ‘Use DNS IP resolution to find FQDN when assigning profiles’ is NOT checked.
      NOTE: This option should only be used in environments where DNS is reliable for obtaining a system’s identity.  Since DNS usually isn’t, this option is strongly discouraged.
    5. Set an appropriate schedule (do not run this too often, as it does take time to process).
    6. Click Save changes if any options needed to be changed, especially to turn the policy on.
  5. For the steps on how to proceed with Configuration for these systems, please see the subsequent section in this article labeled Discovering and Configuring new vPro systems: Remote Configuration.

General Items – One-Touch to No-Touch PSK Provisioning

This option is available for all AMT versions 2.0 and beyond.  The one-touch option requires security keys to be generated within the Symantec Management Console and configured on the target systems using One-Touch provisioning.  The manufacturers offer a service to have pre-configured keys already set up on purchased vPro target systems.  This allows a no-touch provisioning method using the PSK (pre-shared key) model.

The following infrastructure items need to be in place for PSK Configuration.  The first half of the steps is for no-touch PSK provisioning:

  1. Please see steps 3 and 4 in the Remote Configuration section above, as they also apply to PSK Configuration.
  2. Have the manufacturer pre-configure all purchased systems to already have the PID and PPS (TLS-PSK) configured (this is optional, but it is required for a no-touch configuration model).
  3. The manufacturer will provide the keys in a file to be imported into the Notification Server.  NOTE: if the file exceeds 1000 key pairs (that is, systems to be configured), it is recommended to break it down into smaller parts, which makes importing the keys easier.  Version 7 has no known limitation on the number of key pairs, unlike the 6.x versions.
  4. Import the file using these steps:
    1. In the Symantec Management Console browse under Home > Remote Management > Out Of Band Management.
    2. In the left-hand tree browse under Configuration > Configuration Service Settings > and select Security Keys.
    3. Click the ‘Import security keys’ icon (blue arrow pointing down-right on blank paper).
    4. Click the browse button and browse to the location you’ve stored the key-file provided by the manufacturer.
    5. Click Import.
    6. Ensure that the appropriate keys appear in the key list after the screen refreshes.
  5. If you are using the one-touch method, use the icon labeled ‘Generate’ to create a series of keys (it is recommended to keep the number of keys to 1000 per USB flash drive to improve performance when configuring systems in the field).  Click OK when done configuring the keys to generate.  See this screenshot for an example:
    GenerateKeys.jpg
  6. Highlight a group of keys (1000 max recommended) and use the export button.  This will allow the keys to be put into a Setup.bin file.  The USB key will be used later as part of the configuration process.  Place this file on a USB flash drive with the following configuration:
    • FAT 16 File System
    • Setup.bin needs to be the first file on the drive
  7. Enable the CNAME option for ProvisionServer as detailed previously if this has not been completed yet.
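Added example, not from the original article: a PowerShell script that prepares the USB flash drive to the two requirements above (FAT16 file system, Setup.bin as the first file) and refuses to hand the drive over if either check fails. The drive letter and the path to the exported Setup.bin are parameters you supply; it assumes Windows 8 / Server 2012 or later for Format-Volume and Get-Volume.

```powershell
# Added example (not from the original article): prepare a USB flash drive for USB One-Touch
# PSK provisioning. Formatting wipes the stick so Setup.bin becomes the first directory entry.
param(
    [Parameter(Mandatory)][char]$DriveLetter,    # e.g. 'E' (assumption: letter of the USB stick)
    [Parameter(Mandatory)][string]$SetupBinPath  # Setup.bin exported from the Security Keys page
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SetupBinPath)) {
    throw "Setup.bin not found at $SetupBinPath"
}

# 'FAT' is FAT16 on Windows. FAT16 only supports small volumes, so Format-Volume fails on a
# stick that is too large; use a small drive or a small partition in that case.
Format-Volume -DriveLetter $DriveLetter -FileSystem FAT -NewFileSystemLabel 'AMTPSK' `
    -Force -Confirm:$false | Out-Null

$root = "${DriveLetter}:\"
Copy-Item -LiteralPath $SetupBinPath -Destination (Join-Path $root 'Setup.bin')

# Verify both requirements before the drive goes out to the field.
$volume = Get-Volume -DriveLetter $DriveLetter
if ($volume.FileSystem -ne 'FAT') {
    throw "Expected FAT (FAT16) but the volume is $($volume.FileSystem)"
}

# A single file on a freshly formatted volume is necessarily the first file on the drive.
$files = Get-ChildItem -LiteralPath $root -File -Force
if ($files.Count -ne 1 -or $files[0].Name -ne 'Setup.bin') {
    throw "Setup.bin must be the only (and therefore first) file on the drive; found: $($files.Name -join ', ')"
}
"Drive ${DriveLetter}: is ready: FAT16 with Setup.bin as the first file."
```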

Discovering and Configuring new vPro systems

Now that the infrastructure items are in place, the process for configuring Intel AMT vPro capable systems needs to be defined.

The Altiris Agent

The key sequence in the configuration process actually doesn’t directly involve the AMT provisioning piece.  The Altiris Agent should be installed on the client system before the system is discovered by the core NS through other discovery processes, because of issues with resource integration between discovery methods.  If you plan to manage the system with the Altiris Agent, it needs to be installed first.  The steps for this are covered in each methodology.

NOTE: Because the correct computer identity is required at the time of Configuration, this step is considered crucial to a successful Configuration process for vPro systems.  The Altiris Agent provides all the proper identification items (the Fully Qualified Domain Name, or FQDN, and the UUID).

Remote Configuration

The following steps show how to configure the system in Remote Configuration mode.  The steps are written in their proper sequence, though some items may already have been completed earlier than their position in the list:

  1. Install the Altiris Agent on the target computer.  This can be done with a push or a pull.

     PUSH

       1. For the push method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
       2. You can individually enter the computer names or IP addresses of the target systems, or you can use the blue-lettered link ‘Discover Computers’ to discover the systems on the network automatically.
       3. Once systems are selected, click the ‘Install Altiris Agent’ button below the list.
       4. Provide the required details to install the Altiris Agent on the target systems (including the correct Admin account, install path, etc.).
       5. An alternate method is to use the ‘Schedule Push to Computers’ option after you have discovered the machines using the Discover Computers option, to schedule the push for another time.
       6. To set the proper settings for the scheduled push, click the ‘Installation Settings’ button and set the options as required.

     PULL

       1. For the pull method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
       2. Under ‘URL of download page’ a link is provided.
       3. On the target system, open a web browser and paste in the URL obtained from step 2.  This link can also be sent out via email or posted on a web page for users to access.

  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server.  Right-click the Altiris Agent icon and choose ‘Altiris Agent Settings’.  As long as valid dates appear under the following headings, the system is prepared for synchronization:
       1. Configuration
          i. Requested
          ii. Changed
       2. Basic Inventory
          i. Sent
  3. Make sure that after the initial Basic Inventory is sent, the Configuration is requested again, as the Notification Server will have placed the computer into collections based on the Basic Inventory it received.
  4. Run an Out of Band Discovery on the target system.  This becomes an automatic step after the Altiris Agent is installed, but it needs to be set up initially.  Use the following steps to set it up:
       1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
       2. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band Discovery.  See this screenshot for an example of the Task:
          OOBDiscovery.jpg
       3. To the right of the title bar there’s an On/Off switch.  Click the red-colored light and change it to On.
       4. By default this is set to run only once.  This is sufficient when systems will only ever be provisioned once.  One fail-safe is to set this to a recurring schedule so that up-to-date information on a system is available if needed.
       5. The current collection is usually sufficient, but if systems are not getting the Out of Band Discovery job, try adding a more general collection such as All Windows Computers.
  5. Setup and Configuration will occur automatically.  The above items may occur after the initial “hello” packet is sent from a system, since systems already come configured to use Remote Configuration, but without the Altiris Agent Intel SCS will be unable to provision until the Altiris Agent has been installed and Out of Band Discovery has run.
  6. Configuration will occur from this point, yet if you want your system to show up in the vPro or AMT specific collections, next manually launch the Resource Synchronization.  Since this policy has already been configured it should run automatically, but to run it now follow these steps:
       1. In the Symantec Management Console browse under Home > Remote Management > and select Out of Band Management.
       2. In the left-hand tree browse under Configuration > Intel AMT Systems > and select Resource Synchronization.
       3. Under the ‘Last synchronization statistics’ section, click the ‘Run now’ button to force the synchronization.
  7. When synchronization completes, the system will show up in the Out of Band and AMT specific collections (note that this is not required to use vPro functions; it only affects which collections the systems show up in).

The following diagram represents the basic steps used for this method of configuration:

RemoteConfigDiagBP.JPG

PSK Provisioning

The following steps show the best way to configure the system in One-Touch or PSK mode, depending on the method used:

  1. Install the Altiris Agent on the target computer.  This can be done with a push or a pull.

     PUSH

       a. For the push method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
       b. You can individually enter the computer names or IP addresses of the target systems, or you can use the blue-lettered link ‘Discover Computers’ to discover the systems on the network automatically.
       c. Once systems are selected, click the ‘Install Altiris Agent’ button below the list.
       d. Provide the required details to install the Altiris Agent on the target systems (including the correct Admin account, install path, etc.).
       e. An alternate method is to use the ‘Schedule Push to Computers’ option after you have discovered the machines using the Discover Computers option, to schedule the push for another time.
       f. To set the proper settings for the scheduled push, click the ‘Installation Settings’ button and set the options as required.

     PULL

       a. For the pull method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
       b. Under ‘URL of download page’ a link is provided.
       c. On the target system, open a web browser and paste in the URL obtained from step b.  This link can also be sent out via email or posted on a web page for users to access.

  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server.  Right-click the Altiris Agent icon and choose ‘Altiris Agent Settings’.  As long as valid dates appear under the following headings, the system is prepared for synchronization:
       1. Configuration
          i. Requested
          ii. Changed
       2. Basic Inventory
          i. Sent
  3. Make sure that after the initial Basic Inventory is sent, the Configuration is requested again, as the Notification Server will have placed the computer into collections based on the Basic Inventory it received.
  4. Run an Out of Band Discovery on the target system.  This becomes an automatic step after the Altiris Agent is installed, but it needs to be set up initially.  Use the following steps to set it up:
       1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
       2. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band Discovery.  See this screenshot for an example of the Task:
          OOBDiscovery.jpg
       3. To the right of the title bar there’s an On/Off switch.  Click the red-colored light and change it to On.
       4. By default this is set to run only once.  This is sufficient when systems will only ever be provisioned once.  One fail-safe is to set this to a recurring schedule so that up-to-date information on a system is available if needed.
       5. The current collection is usually sufficient, but if systems are not getting the Out of Band Discovery job, try adding a more general collection such as All Windows Computers.
  5. If using USB One-Touch, insert the prepared USB flash drive into a USB slot on the vPro system.  Reboot or turn on the system.  A prompt will appear asking if the machine should be configured.  Follow the prompts until it requests that the USB drive be removed and the system rebooted.  The system is now ready and will be sending out ‘hello’ messages.
  6. If the systems are pre-configured, Configuration will occur automatically.  The above items may occur after the initial “hello” packet is sent from a system, since the systems already come pre-configured, but without the Altiris Agent Intel SCS will be unable to provision until the Altiris Agent has been installed and Out of Band Discovery has run.
  7. Next manually launch the Synchronization (note that this step will occur per the default schedule at 2AM the following day).  In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > and select Resource Synchronization.  Under the ‘Last synchronization statistics’ section, click the ‘Run now’ button to force the synchronization.
  8. When synchronization completes, the system will show up in the OOB and AMT collections.

The following diagram represents the basic steps used for this method of configuration:

OneTouchDiagBP.JPG

Conclusion

Implementing a process that adheres to the above guidelines, with the right infrastructure pieces in place and properly configured, takes the complexity out of setting up and configuring vPro enabled systems.  This document is based on the 6.x Best Practices document, updated for the new 7.0 version with additional clarifications and steps to improve success.