
When creating an Intel AMT configuration profile with Transport Layer Security (TLS), a target Microsoft Certificate Authority (CA) and a certificate template must be specified. When using TLS with Intel AMT, a Server Authentication certificate must be defined and applied to the firmware of each system. The easiest choice is the WebServer certificate template. In some environments, however, this template may have been disabled or removed because of security policies.

 

The following steps summarize the required procedure.

 

First, if a valid Server Authentication certificate template has not been published, a screen similar to the following appears. The certificate template field is blank, with no available options.

 

pic1.png

Within the Microsoft Enterprise CA, duplicate the WebServer certificate template. When prompted, select the default option for "Windows 2003 Server, Enterprise Edition".

pic2.png

Provide the details for the certificate template. In the example shown below, the certificate template name is "Intel AMT TLS Cert".

pic3.png

On the Security tab, grant access to the template for the logon account of RCSserver. In this example, RCSserver runs under the Network Service account of a system with hostname SCS8, so the selected account is "SCS8$". Grant the "Read" and "Enroll" permissions.

pic4.png

Next, issue the certificate template: right-click Certificate Templates under the target Microsoft CA. (Note: this step is required only for a Microsoft Enterprise CA, which issues certificate templates to Microsoft Active Directory. Microsoft Standalone CA implementations do not include this option.)

pic5.png

With the certificate template issued...

pic6.png

... in the Intel SCS console, select "Refresh CAs &Templates". From the pull-down list, select the target certificate template.

pic7.png

Two final reminders. First, ensure the logon account for RCSserver (the server component of the Intel SCS installation) has the "Issue and Manage Certificates" and "Request Certificates" rights, which are required for the Web Enrollment process.

pic8.png

Second, ensure the Policy Module setting allows certificates to be issued automatically.

pic9.png

 

The above information is provided in the Intel SCS User Guide. This article is a summary and reminder.
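Before pushing a profile, it is worth verifying the result of the steps above from the RCSserver side rather than waiting for a blank template list. The PowerShell script below is an added example, not code from the article or from the Intel SCS User Guide. It checks that the duplicated template exists in Active Directory, that it carries the Server Authentication EKU that Intel AMT requires, that the RCSserver logon account holds a direct Read and Enroll ACE on the template, and that the Enterprise CA has actually issued (published) it. The template CN `IntelAMTTLSCert`, the service account `CORP\SCS8$`, the CA config string `ca01.corp.example\Corp-Issuing-CA` and the function name `Test-AmtTlsTemplate` are assumptions for illustration; it relies on the ActiveDirectory module (RSAT) and on `certutil.exe`, both of which must be present on the machine running it.

```powershell
# Added verification script (not from the article or the Intel SCS User Guide).
# Checks that a certificate template is fit for Intel AMT TLS and usable by the
# RCSserver logon account. The template CN, service account and CA config string
# are assumed values; adjust them to your environment.
# Requires the ActiveDirectory module (RSAT) and certutil.exe.

function Test-AmtTlsTemplate {
    param(
        [string]$TemplateName   = 'IntelAMTTLSCert',                  # assumed CN of the duplicated WebServer template
        [string]$ServiceAccount = 'CORP\SCS8$',                       # assumed: machine account RCSserver runs under
        [string]$CAConfig       = 'ca01.corp.example\Corp-Issuing-CA' # assumed "host\CAName" of the Enterprise CA
    )

    Import-Module ActiveDirectory

    $serverAuthEku   = '1.3.6.1.5.5.7.3.1'                          # id-kp-serverAuth
    $enrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
    $adRights        = [System.DirectoryServices.ActiveDirectoryRights]

    # Templates are objects in the Configuration partition, not rows in the CA database.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $template  = Get-ADObject -SearchBase $container -LDAPFilter "(cn=$TemplateName)" `
                              -Properties pKIExtendedKeyUsage, displayName

    $result = [ordered]@{
        TemplateFound    = [bool]$template
        HasServerAuthEku = $false
        AccountHasRead   = $false
        AccountHasEnroll = $false
        PublishedOnCA    = $false
    }
    if (-not $template) { return [pscustomobject]$result }

    # 1. AMT needs a Server Authentication certificate; the EKU is defined by the template.
    $result.HasServerAuthEku = $template.pKIExtendedKeyUsage -contains $serverAuthEku

    # 2. Read + Enroll for the RCSserver account. Only direct ACEs are examined; rights
    #    inherited through group membership (e.g. Domain Computers) are not resolved here.
    $aces = (Get-Acl -Path ("AD:\" + $template.DistinguishedName)).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.IdentityReference.Value -eq $ServiceAccount }
    foreach ($ace in $aces) {
        if ($ace.ActiveDirectoryRights.HasFlag($adRights::ReadProperty) -or
            $ace.ActiveDirectoryRights.HasFlag($adRights::GenericRead)) {
            $result.AccountHasRead = $true
        }
        if ($ace.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
            ($ace.ObjectType -eq $enrollRightGuid -or $ace.ObjectType -eq [guid]::Empty)) {
            $result.AccountHasEnroll = $true   # an empty ObjectType grants all extended rights
        }
    }

    # 3. The template must also be issued (published) on the Enterprise CA, otherwise
    #    SCS never sees it. certutil prints one "<CN>: <display name> -- ..." line per template.
    $lines = & certutil.exe -config $CAConfig -CATemplates 2>$null
    $result.PublishedOnCA = [bool]($lines | Where-Object {
        $_ -match ('^' + [regex]::Escape($TemplateName) + ':') })

    return [pscustomobject]$result
}

Test-AmtTlsTemplate | Format-List
```

Run it under the same account RCSserver uses (or at least an account that can read the Configuration partition), and treat any `False` in the output as the step in the procedure above that still needs attention; a `False` for `AccountHasEnroll` only means there is no direct ACE, so check group-based grants before re-editing the template's security tab.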

On April 3rd, 2010, Steve Jobs presented a renewed tablet computer concept (the iPad, which was not the first tablet computer on the market, but was the one that achieved great success). It triggered a new kind of personal computer system that complements the traditional form factors (e.g. desktops and notebooks) used by knowledge workers in corporate environments, or even replaces them in some cases. A tablet is an excellent form factor for consuming information, but it lacks the ergonomic qualities needed to produce content, such as a physical QWERTY keyboard and a larger display.


The computer industry is investing in several form factors in order to reinvigorate personal computer systems with exciting designs: Ultrabooks, convertible designs, touch screens, tablets, tablets with a slide-out QWERTY keyboard, and multiple docking station capabilities. In this new world of mobility and thin design, it looks as though the RJ45 interface has become antiquated. For business, however, the wired interface is still predominant in most organizations, and large investments have been made in this medium for security and manageability. So how do you seamlessly manage Intel vPro devices, independently of form factor and connectivity medium (i.e. wired or wireless)?



Some Ultrabooks, such as the Lenovo ThinkPad X1, ship without an embedded Ethernet port. They offer only an RJ45 dongle, which provides wired connectivity to the operating system but does not work for OOB management (i.e. the Intel ME).


The absence of an integrated Ethernet interface limits some use cases for this category of device. For example, Host-based Configuration (HBC) is the only remote setup and configuration method supported, and user consent is required for healing scenarios such as KVM or IDE-R; fortunately, in most cases these limitations fit well with mobile use models. Admin Control Mode can be achieved only by configuring locally in Small and Business Mode (SMB), which can be undesirable in an enterprise environment because of the manual labor required for configuration.


System Defense, which is enabled by McAfee ePO Deep Command for example, will not be available on WLAN-only systems, for security reasons. HBC effectively transfers IT admin authentication to the user, which is why, in HBC, user consent is needed for each remote operation. For System Defense, however, there is no sensible point at which to ask for user consent, which is why System Defense is turned off in HBC.


For a wireless-only device to be managed OOB with Intel vPro technology, Intel ME must be at version 8.1, and the wireless driver must be updated to 15.3 (for Windows 7) or 15.5 (for Windows 8) for correct operation.


For further details on creating a profile for a wireless environment, read my prior blog post, "Managing Intel® vPro™ Technology clients in a wireless environment", where I discuss some basic configurations and lessons learned in this kind of environment.


Some management consoles, such as Microsoft System Center 2007 or 2012, use PKI-based provisioning, which places the machine in Admin Control Mode; that mode is not supported for wireless-only devices. In these cases, Intel Setup and Configuration Services 8.1 (Intel SCS) can be used for provisioning and configuration, following these instructions.


To provide better service for "road warriors", you can provide a full set of capabilities, including Fast Call For Help (FCFH). This allows users outside the corporate firewall to receive support from a help desk technician, even OOB. The Intel vPro configuration profile offers detailed provisioning options, as shown in this example of a complete wireless configuration:


SCS_Internface.png

 

  • Active Directory Integration is required if the corporate wireless network requires 802.1x authentication;
  • Access Control List (ACL) is required in order to specify the users/groups that are granted permissions (i.e. authorization) in the Intel ME;
  • Home Domains specify whether the machine is inside or outside the corporate network, based on the DNS suffix received via DHCP. This definition is important for enabling FCFH when the machine is outside the corporate perimeter;
  • Remote Access specifies the address of the Intel vPro Gateway (formerly the Management Presence Server) and requires a server configured in the corporate DMZ. Read further details in the Intel AMT SDK;
  • WiFi Connection defines the configuration and profiles for the OOB connection; with Intel PROSet, these profiles can be populated by users when they are added to the PROSet profile.

 

For further details on each of these sections, read Intel SCS 8.1 documentation available on the Intel website.


Following these instructions and guidelines, you will be able to integrate these new categories of managed form factor with your existing management console and allow seamless management.


Comment below with any questions – I would be more than happy to provide further details.


Best Regards!

Hi

 

Some new vPro platforms heading our way in 2013 may not have a LAN port on board, so only WLAN will be available. This configuration of course implies that Intel AMT will connect via WLAN only.

 

In general, LAN-less platforms are becoming common in the emerging Ultrabook segment, as Ultrabook requirements put limitations on traditional LAN solutions in both power consumption and physical size. While LAN solutions are evolving to handle those new requirements (LAN is still the most reliable and fastest communication method in wide use), there are vPro Ultrabooks with WLAN only, and more such platforms are anticipated.

 

Most capabilities of the vPro platform are available on WLAN-only systems, including the security use cases and the majority of the automation use cases. I would like to take this opportunity to remind AMT IT managers of the key differences between LAN and WLAN in terms of AMT usage:

  • Provisioning:
    • Host-based Configuration (HBC) is the only remote Setup and Configuration method supported in WLAN**
    • HBC over WLAN enables the AMT in Client Control Mode, for which user consent is required for healing scenarios (e.g. KVM or IDE-R). Indeed user presence for some of these use cases fits well with the mobile Ultrabook use models, but this is still a limitation to consider.
    • Note that provisioning the AMT for Admin Control Mode is still available through local provisioning.
  • The vPro based capability "System Defense", enabled by ecosystem solutions like McAfee ePO Deep Command, will not function on WLAN-only systems.

 

** Note: use of a docking station that makes AMT available through Intel LAN is not considered WLAN-only as long as the system is docked.

The Intel® vPro™ platform helps companies efficiently manage their enterprise client resources. Two new business success stories show how companies are making the most of it:

 

You can find more real-world business success stories like these on Intel.com and iTunes. And to keep up to date on the latest business success stories, be sure to follow ReferenceRoom on Twitter.

Intel® Core™ i5 processors deliver amazing performance with stunning visuals on an all-in-one or standard PC, whether it is a laptop or a desktop, creating incredible PC and visual experiences. Three new business success stories show how companies are making the most of it:


You can find more real-world business success stories like these on Intel.com and iTunes. And to keep up to date on the latest business success stories, be sure to follow ReferenceRoom on Twitter.

 

