| Published On : | June 1, 2009 12:00 AM PDT |
Rate |
|
Intel provides software developers with excellent support to take advantage of the next-generation manageability capabilities of Intel® Active Management Technology (Intel® AMT). This overview introduces developers to the hardware, firmware, and software architecture that underlie Intel AMT, preparing them to get started with the technology.
Intel® Active Management Technology (Intel® AMT) is a silicon-resident management mechanism for remote discovery, healing, and protection of computing systems. It provides the basis for software solutions to address key manageability issues, improving the efficiency of remote management and asset inventory functionality in third-party management software, safeguarding functionality of critical agents from operating-system (OS) failure, power loss, and intentional or inadvertent client removal:
- Remotely Discover Computing Assets in Any Operational State: Intel® AMT stores hardware asset information in flash memory that can be read anytime, even if the PC is powered off or has an inoperable OS. Intel AMT does not rely on software agents to prevent accidental data loss. It also provides management applications with a general-purpose, non-volatile data store that accepts local or network-based storage commands.
- Remotely Heal Computing Assets: Proactive alerting notifies IT of a system problem, even when the system is down. Intel AMT provides out-of-band (OOB) access to remotely diagnose, control, and repair PCs after software, OS, or hardware failures. Alerting and event logging assists IT to diagnose problems quickly to reduce end-user downtime. Intel AMT also supports IDE-Redirection and Serial-Over-LAN capabilities for management applications.
- Remotely Protect Computing Assets: Through out of band communication, each system’s software version numbers are checked and, if necessary, system software and virus protection are remotely updated with the most recent patches and virus definitions. Viruses and worms can also be contained at their source, if needed, by means of built-in circuit-breaker functionality.
Intel AMT infrastructure supports the creation of setup and configuration interfaces for management applications, as well as network, security, and storage administration. The platform provides standards-based encryption support by means of Transport Layer Security (TLS), as well as robust authentication support via Kerberos.
The technical capabilities and business value of Intel AMT are summarized in the use cases linked to the descriptions below:
|
Use Case |
Purpose |
Intel AMT Features Implemented (Typical) |
|
UC1 (Discover): Platform Auditing |
Reduce or eliminate manual inventory audits by being able to locate systems regardless of power state or health. Improve asset management. |
Out of Band (OOB) access, Power Status Control/ Monitoring, Intel® AMT Flash, Remote platform inventory, Tamper-resistant agent, Network Admin Interface |
|
UC2 (Discover): Software Inventory Management |
Improve the software-inventory process; optimize maintenance contracts, licensing, and configurations inventory through firmware (FW) resident SW info. |
Out-of Band (OOB) access, Remote software inventory, 3rd Party Data Store,Tamper-resistant agent, Network Admin Interface |
|
UC3 (Discover): Hardware Inventory Management |
Reduce manual audits and better manage hardware inventories, recalls, warranties. Efficiently manage hardware inventories. |
Out-of Band (OOB) access, Intel® AMT Flash, Remote Hardware Inventory, Tamper-resistant agent, Network Admin Interface |
|
UC4 (Heal): Remote Diagnosis, Remote Repair |
Remotely diagnose and repair client machines, reducing on-site visits to resolve SW problems, even when OS is down. |
Out-of Band (OOB) access, Remote troubleshooting and recovery, Tamper-resistant agent, Alert Handling, Read Event Logs, Network Admin Interface |
|
UC5 (Heal): Remote Diagnosis, Local Repair |
Reduce visits to resolve HW problems with improved remote diagnosis and hardware information. |
Out-of Band access, Remote troubleshooting and recovery, Remote field-replaceable unit(FRU) inventory, Intel® AMT Flash, Tamper-resistant agent, Event Logs, Alert Handling, Network Admin Interface |
|
UC6 (Protect): Software Version Compliance |
Ensure up-to-date software versions, virus signatures, et c. Improve accuracy, speed and efficiency of anti-virus software updates regardless of OS or power state. |
Out-of Band (OOB) access, IDE-R/SOL, 3rd Party Data Storage, System Defense, Agent Presence, Alert Handling, Read Event Logs, Network Admin Interface |
|
UC7 (Protect): Hardware-based Isolation and Recovery |
Detect and stop malware from propagating. Suspicious activity detected at a node, alert sent to console, IT quarantines system and updates policy out of band. Monitors out-bound traffic by comparing a time slice of network traffic to enhanced filters in the system defense engine to obtain data on the timeframe and number of occurrences of a particular network traffic event. |
IDE-R/SOL, System Defense, Alert Handling, Read Event Logs, Network Admin Interface, Wired and/or Wireless Network Filters, Flash Memory for Enhanced Filter Storage, Worm-Detection Filters |
|
UC8 (Protect): Presence Checking of User Partition Agents |
Virtually eliminate the ability of users or malware to circumvent protection. If the user disables agents, that action triggers alerts, quarantines the system, and re-initializes agent. |
Agent Presence, Alert Handling, Read Event Logs, IDE-R/SOL, Network Admin Interface |
|
UC9 (Protect): Endpoint Access Control (EAC) |
Limit network access by visitor, rogue systems, and systems that do not conform to company policies for virus protection, OS patches, etc. Force systems that do not meet corporate policy onto a remediation network. |
NAC server plug-in to read posture, verify AMT signature and return health statement; posture is created by Intel AMT firmware from system and BIOS data and then given to the Intel AMT Posture Plugin in Host OS |
|
UC10 (Configure): One-Touch Configuration |
Perform automated setup and configuration of an Intel AMT device, either using credentials stored on a USB key storage device or by keying credential information manually into BIOS. |
Intel AMT firmware image, LMS driver, MEI driver, Intel Setup and Configuration Service (if a corresponding service is not provided by third-party software) |
|
UC11 (Configure): Remote (Zero-Touch) Configuration |
Automatically set up and configure an Intel AMT device upon connection to the network, either using a third-party management software agent resident on the client OS or from a 'bare-metal' state, without requiring a host OS. |
Intel AMT firmware image, LMS driver, MEI driver, Intel Setup and Configuration Service (if a corresponding service is not provided by third-party software) |
|
UC12 (Remote Management) |
The Client Initiated Remote Access (FAST CALL FOR HELP) feature allows Intel AMT platforms to initiate a secured connection to vPro enabled gateway residing in the enterprise De-Militarized Zone (DMZ). Using FAST CALL FOR HELP, Intel AMT clients can be managed remotely by the IT Administrator when the system is located outside the corporate network . |
Remote access connection can be initiated through OS or Bios, at defined time period and when platform alert occurs |
|
UC14 Audit Log |
The Audit log feature enables auditors to audit actions initiated by administrators and other users in the system |
Auditor configuration, enabling/disabling audit events, audit logs, audit alert |
Intel AMT's core hardware architecture is resident in firmware, as shown at a high level in Figure 1. The micro-controller within the chipset's graphics and memory controller hub houses the Management Engine (ME) firmware, which implements various services on behalf of management applications. Flash memory houses system BIOS, code used by the management engine, and a third-party data store (3PDS) that enables applications to store information as needed in non-volatile memory.
Figure 1. Intel AMT silicon architecture
The ME, which resides in the micro-controller within the graphics and memory controller hub, is shown in more detail with associated architectural components in Figure 2. Note that the ME runs on auxiliary power and is available at all system power states (S0-S5). The shared SPI interface allows multiple masters to use a single FLASH device, including BIOS, firmware, 3PDS, and communications.
While one of the key usage models for Intel AMT is that it allows management applications to access client computers when they are in a powered-off state, the radio in a wireless network interface card (NIC) in AMT versions 2.5 and lower is typically not operational in power states other than S0. Thus, no wireless Intel AMT functionality is available when laptops are powered down or in low-power modes (sleep, hibernate, etc.) for AMT 2.5 and lower.
Note: For complete details about the capabilities of each Release, see the Intel® Active Management Technology SDK Start Here Guide. For details about Intel AMT wireless functionality, see "Technical Considerations for Intel® AMT in a Wireless Environment."
Figure 2. Management Engine (ME) architecture
A small amount of main memory (typically less than 1% of total system memory) is dedicated to execute ME code and store ME run-time data. This characteristic is similar in concept to UMA for Graphics, and this memory will be located adjacent to the Graphics UMA memory space. From the OS's perspective, the Graphics UMA space will simply appear to be slightly larger. ME code is stored compressed in Flash, so no hard drive access is required to make use of it.
The chipset protects this memory range from being accessed by the main CPU, preventing the ability of malicious software to access this space. Note that this space is always taken from memory channel 0; thus, the channel 0 DIMM slot must be populated. If memory slot 0 is not populated, no UMA is available to the ME.
The ME can access its dedicated memory space even when the system is in S3 state, and the graphics and memory controller hub can dynamically switch memory power state to allow ME access. This capability allows for low average power, since the memory is 'on' only when needed.
Intel AMT provides for remote communication of PCs with a central management console via SOAP, regardless of power state and OS condition, as shown in Figure 3. This mechanism allows the ME firmware to share a common LAN MAC, hostname, and IP address with the OS, helping to minimize the IT infrastructure cost to support functionality based on Intel AMT.
Figure 3. Intel AMT out-of-band communications architecture
The out-of-band communications architecture supports the following filters:
- ARP: Forwards ARP packets containing a specific IP address to the host and/or the micro-controller
- DHCP: Forwards DHCP Offer and ACK packets to the host and/or the micro-controller
- IP Port Filters (HTTP and Redirection): Redirects incoming IP packets on a specific port to the micro-controller
As shown in Figure 4, communication between the host OS and the ME is accomplished by means of the Host Embedded Controller Interface (HECI). HECI is bi-directional, and either the host or Intel AMT firmware can initiate transactions. In addition, transactions can be completed asynchronously by the firmware and then synchronized later.
Figure 4. Intel AMT host and network access
Message flow between one client pair does not impede mes sage flow between a separate client pair, and messages may be of any length, subject to the limitations of the client's receive buffer (rather than limitations of the HECI drivers). HECI software and firmware drivers can break messages into packets in order to support long messages. Flow control is communicated by HECI bus messages, and the HECI driver will not transmit a message until the associated client has a buffer ready to receive it.
The Flash memory associated with Intel AMT is shared by multiple masters (Host, ME, and LAN). The Flash protection scheme does not allow any master to perform a direct write to Flash, and read/write permissions to each Flash region are enforced in hardware. Each master has a Grant Override register that can override its descriptor permissions, giving other masters access to the region they own. A security-override strap is used during initial manufacturing and service returns to program (or re-program) the Flash.
Region boundaries are defined for BIOS, ME, GbE, and the Flash Descriptor. Master requester IDs are defined for BIOS, GbE, and ME, and read/write access is defined for each master in each region. The I/O controller hub hardware reads the Flash Descriptor at offset 0 at power-on reset. A 32-bit Flash signature is used to determine whether the system is operating in Descriptor Mode (with security). If an invalid signature is read, Descriptor Mode is disabled, and any master can have access to the entire Flash.
Intel AMT provides a general-purpose non-volatile data store for use by applications that provides security equivalent to that provided by the OS for the file system. This data store is not a trusted-platform module; it is provided through a Storage Manager implemented in the ME firmware.
The data store accepts storage commands over local host and network interfaces. Applications are uniquely identified using a concatenation of strings selected by the software vendor and platform owner, plus a unique user ID. It uses allocation lists to 'over-subscribe' the right to allocate, while only allocating actual storage to applications that are registered with the system, protecting the space allocated by one application from other applications unless the owning application grants permission.
The structure, meaning, and sensitivity of data placed into the non-volatile data store are transparent to the Storage Manager. Applications are responsible for any security mechanisms necessary to protect their stored data (e.g., encryption of sensitive data or keys). Applications are also responsible for backup and recovery of their Application ID, data-store configuration, and any stored data.
The current minimum Flash size is 2MB, defined as the sum of space allocated to BIOS, ME firmware, and 3PDS. It supports partner space for four partners at 48KB each, with no support for non-partner space.
The following table summarizes the evolution of management capabilities in Intel AMT, relative to previous-generation management technologies.
|
Capabilities |
Alert Standard Format (ASF): Client |
Intelligent Platform Management Interface (IPMI): Server |
Intel® AMT |
|
Event Alerting |
Yes |
Yes |
Yes |
|
Event Logging |
No |
Yes |
Yes |
|
Remote Reboot |
Yes |
Yes |
Yes |
|
Secure Communications |
Simple Authentication |
RMCP+ |
HTTP Digest Authentication, TLS Encryption |
|
Connection Protocol |
RMCP |
IPMI = RMCP+Advanced = HTTP |
HTTP |
|
Layer 4 Stack |
UDP |
UDP |
TCP |
|
Persistent Asset Information |
No |
Yes |
Yes |
|
OOB Management (OS State Independent) |
No |
Yes |
Yes |
|
Remote Control Capabilities |
Remote Reboot Only |
Serial Over LAN, KVM (with additional hardware) |
Serial Over LAN |
|
Remote Media Capabilities |
PXE |
IDE/USB Redirect |
IDE Redirect |
|
Remote BIOS Update |
No |
In Some Servers |
Yes |
|
Fast call for Help |
No |
No |
Yes (from 4.0 onwards) |
|
OOB Wireless Access States |
No |
No |
Yes (from 4.0 onwards) |
|
Audit Logging |
No |
No |
Yes (from 4.0 onwards) |
Intel AMT integrates comprehensive security measures to protect data integrity throughout the system.
The primary goal of ME firmware security is to ensure that only firmware images approved by Intel can run on the Intel AMT subsystem hardware, and that only IT administrators can apply approved Intel firmware update images.
During the design phase, a Firmware Signing Key (FWSK) public/private pair is generated at a secure Intel Location, using the Intel Code Signing System. The Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus fixed. Each approved production firmware image is digitally signed by Intel with the private FWSK. The public FWSK and the digital signature are appended to the firmware image manifest.
At runtime, a secure boot sequence is accomplished by means of the boot ROM verifying that the public FWSK on Flash is valid, based on the hash value in ROM. The ROM validates the firmware image that corresponds to the manifest’s digital signature through the use of the public FWSK, and if successful, the system continues to boot from Flash code.
Network security is provided by TLS, and XML-encoded messages are encapsulated in SOAP over HTTP. TLS mutual authentication is carried out using the cipher suites TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_NULL_SHA (export/import), and RSA certificates and keys generated off-line and provisioned (2048 bit modulus). Mutual authentication is required by means of preinstalled certificates on both the client and server.
Two local Intel AMT features exist: 3PDS and Local Agent Presence. The traffic between these two features running on the host and Intel AMT goes over SOAP/TLS. The local interface is aligned with network interface security.
Each Intel AMT device must be provisioned with at least one username/password pair, preferably unique. Because it is difficult to guarantee uniqueness, common username/passwords are a potential vulnerability. In response to that challenge, Intel AMT systems support Kerberos in order to achieve integration with Windows* domain authentication. This mechanism is based on a well-accepted set of Internet standards, including Kerberos v5 (RFC 1510), GSS-API (RFC 1964), and SPNEGO (RFC 2478).
This approach simplifies User ID management by using the group-based Windows authorization approach, rather than placing responsibility for creating a new approach on administrators. IT administrators are allowed or denied privileges to manage Intel AMT devices based on their group memberships in Active Directory.
Wireless profiles, including network keys and other authentication information, must be programmed directly into the firmware, since the ME cannot synchronize directly with the host-resident set of wireless profiles.
Management applications that support the configuration of the wireless Intel AMT interface must address the variety of security topologies employed by their customers' wireless networks. The Intel AMT wireless management interface does not support open wireless networks, nor does it support Wireless Equivalency Protocol (WEP). Use of Intel AMT wireless connectivity typically requires the use of security included in or related to the 802.11i specification, such as Wi-Fi Protected Access (WPA) or Robust Security Network (RSN). It also optionally supports 802.1x authentication.
Note that, when the wireless Intel AMT interface is initially accessed for setup and configuration, it will by definition not yet have any wireless security profiles configured on it. For this reason, initial setup and configuration of the wireless Intel AMT interface must be accomplished over the wired connection.
Command Path Security utilizes security mechanisms contained in the local and remote OS network stacks (i.e., TLS with mutual authentication) to secure the path over which an application’s storage commands travel. Access to administrative commands is controlled by a separate HTTP authentication ACL (StorageAdministration). Access to registration and storage commands is controlled by another separate HTTP authentication ACL (Storage).
Physical protection and isolation of the Flash device is provided by the chipset hardware. Because Flash devices provide a limited number of write cycles (~100K operations per 4Kb Flash block), the chipset al so provides mechanisms to detect and prevent flash wear-out, as well as to prevent Flash wear-out attacks by malware and non-partner applications. This functionality is augmented by mechanisms to prevent Application ID masquerade attacks (ID/interface binding).
Intel AMT systems are classified as 'commodity' for purposes of export from the United States, and as such, they are not subject to export restrictions. If an importing country objects to confidentiality, a SKU can be created with confidentiality disabled by setting the silicon fuse CRYPTO_ENA = FALSE, and for TLS, using cipher suite RSA_WITH_NULL_SHA.
Intel AMT provides two general types of interfaces: network and local. Network interfaces consist of two types: a SOAP interface and an embedded web user interface. The SOAP interface is the enterprise model, enabling robust functionality designed to be controlled by management console applications created by third-party software makers. The full ranges of APIs associated with the SOAP interface are documented in the freely available Intel AMT SDK. The embedded web user interface has more limited functionality and is intended for use without enterprise management software, such as in small-to-medium business environments. The local host interface is used by software agents to access 3PDS and to support agent presence.
The Intel AMT network interface, represented in Figure 5, is OS-independent and always available, assuming that the system is connected to the network and auxiliary power (with the caveat noted above that the wireless management interface is not available in low system-power states). It is manifested as a SOAP-based API based on Web Services Description Language (WSDL) 1.1. Each service supported by the network interface is provided by a distinct WSDL file. Security measures for the network interface include the use of HTTP Digest (RFC 2617) authentication by username/password credentials. The interface also supports TLS-secured connections and mutual authentication. Intel AMT Releases 2.5 and higher also support 802.11x., as well as Cisco Network Access Control (NAC). Microsoft Network Access Protection (NAP) is supported in Intel AMT 4.0 and higher.
Figure 5. Intel AMT network interface topology
Realms are a method of partitioning areas of responsibility within the administration of the firmware. Authentication occurs over HTTP or HTTPS, and Access Control Lists are maintained in firmware.
|
Realm |
Controls access to: |
Network |
Local |
Release |
|
Administration |
All of the Intel® AMT interfaces |
X |
1.0 and up |
|
|
General Info |
General Information Interface |
X |
X |
2.0 and up |
|
Hardware Asset |
Hardware Asset Interface |
X |
1.0 and up |
|
|
Remote Control |
Remote Control Interface |
X |
1.0 and up |
|
|
Event Manager |
Event Manager Interface |
X |
1.0 and up |
|
|
Redirection |
Redirection interfaces (SOL/IDER) |
X |
1.0 and up |
|
|
Storage (3PDS) |
ISV Storage Interface |
X |
X |
1.0 and up |
|
Storage Admin |
Storage Admin Interface |
X |
1.0 and up |
|
|
Local Agent Presence |
Local Agent Presence Interface |
X |
2.0 and up |
|
|
Remote Agent Presence |
Remote Agent Presence Interface |
X |
2.0 and up |
|
|
Circuit Breaker |
Circuit Breaker Interface |
X |
2.0 and up |
|
|
Network time |
Network Time Interface |
X |
2.0 and up |
|
|
Wireless Configuration |
Wireless Configuration |
X |
2.5, 2.6 and 4.0 only |
|
|
End Point Access control |
End Point Access Control |
X |
2.5 and up |
|
|
End Point Access control Admin |
End Point Access Control |
X |
2.5 and up |
|
|
Local UN |
Local User Notification |
X |
2.5 and up |
|
|
Audit< /strong> |
Secure Audit Log |
X |
4.0 and up |
|
|
Remote Access |
Remote Access |
X |
4.0 and up |
|
|
User Access Control |
User Access Control |
X |
4.0 and up |
|
Administration APIs:
The APIs in this realm can be classified into:
- Security Administration APIs – These APIs manage security control data, such as Access Control Lists, Kerberos parameters, Transport Layer Security, Configuration parameters, power saving options and power packages.
- Network Administration APIs – These APIs configure local network options. These are usually configured with a DHCP server, but can be configured directly using APIs in this interface.
The table below lists a couple of Administration APIs and their details
|
Method |
Description & Compatibility |
|
AddUserAclEntryEx() |
Adds a user entry to the Intel AMT device. Supported in Intel AMT Release 2.0 and later. |
|
EnumerateUserAclEntries() |
enumerates entries in the User Access Control List (ACL). Supported by Intel AMT Release 1.0 and later. |
|
GetUserAclEntryEx () |
reads a user ACL entry from the Intel AMT device. Supported in Intel AMT Release 2.0 and later |
|
GetHostName() |
Retrieves the host name used by Intel AMT device. Supported in Intel AMT Release 1.0 and later |
|
SetPingResponse() |
Allows an administrator to configure how an Intel AMT device will respond to ICMP requests (Ping). Supported in Intel AMT Release 1.0 and later |
For a complete list of these APIs and their details, refer to the Network Interface Guide included in the Intel AMT SDK.
GeneralInfo APIs:
The GeneralInfo APIs provides general (read only) information for various (local or network access) management applications. The table below lists some of the GeneralInfo APIs. Refer the Network Interface Guide for a complete list and their details.
|
Method |
Description & Compatibility |
|
GetCoreVersion() |
Reads the firmware version information from the Intel AMT. Supported in Intel AMT Release 1.0 and later. |
|
GetCodeVersions() |
Reads the BIOS and firmware information from the Intel AMT Supported by Intel AMT Release 2.0 and later. |
|
GetProvisioningMode() |
Gets the current provisioning mode (Enterprise or Small Business) from the Intel AMT device. Supported in Intel AMT Release 1.0 and later |
|
GetHostName() |
Gets the host name currently used by the Intel AMT device. Supported by Intel AMT Release 1.0 and later |
HardwareAsset APIs:
The HardwareAsset APIs perform operations that return hardware asset data. The table below lists HardwareAssetAPIs and their details.
|
Method |
Description & Compatibility |
|
EnumerateAssetTypes() |
Enumerates the names of hardware asset types supported by the Intel AMT device. Supported in Intel AMT Release 1.0 and later. |
|
GetAssetData() |
Returns hardware asset data of Intel AMT device. Supported by Intel AMT Release 1.0 and later. |
Remote Control APIs:
The Remote Control APIs managing the power and booting state of the Intel AMT managed system. The below table lists Remote Control APIs and their details.
|
Method |
Description & Compatibility |
|
GetRemoteControlCapabilities() |
Gets the remote control capabilities supported by the Intel AMT device. Supported in Intel AMT Release 1.0 and later. |
|
RemoteControl() |
Remotely controls the boot and power state of the Intel AMT-managed PC. Supported by Intel AMT Release 1.0 and later |
|
GetSystemPowerState() |
Returns the power state of the Intel AMT-managed PC system. Supported by Intel AMT Release 1.0 and later. |
Event Manager APIs:
Event Manager APIs include operations that can be used by a remote application to subscribe for events, set event filters and manage the event log. The below table shows some of the Event Manager APIs and their details. Refer to the Network Interface Guide for a complete list of these APIs.
|
SubscribeForGeneralAlert() |
Allows creation of an alert that can be reported either in SNMP PET format targeted to an IP address or as a SOAP message targeted to a URL. Supported by Intel AMT Release 2.5 and later |
|
EnumerateGeneralAlertSubscriptions() |
Enumerates alert subscriptions in the Intel AMT device. Supported by Intel AMT Release 2.5 and later |
|
GetGeneralAlertSubscription() |
Gets details of an alert subscription from the Intel AMT device. Supported by Intel AMT Release 2.5 and later. |
Redirection Library APIs:
The APIs included in the Redirection library provide support for managing clients, performing SOL/IDE-R operations on the client, storing client states in a file for later retrieval and translate error codes into error strings.
T he table below lists some of the Redirection APIs and their details. For a complete list and their details, refer to Redirection Library Design Guide included in the Intel AMT SDK.
|
Function |
Description |
|
IMR_SOLOpenTCPSession () |
Opens an SOL session with the specified client over a new TCP connection. This is deprecated in Intel AMT Release 4.0 and later releases in favor of IMR_SOLOpenTCPSessionEx(). |
|
IMR_SOLCloseSession() |
Closes an open SOL session with the specified client |
|
IMR_IDEROpenTCPSession() |
Opens an IDER session with the specified client over a new TCP connection. This function is deprecated in Intel AMT Release 4.0 and later releases in favor of IMR_IDEROpenTCPSessionEx. |
|
IMR_IDERCloseSession() |
Closes an open IDER session with the specified client |
ISV Storage APIs:
The ISV storage APIs are used by ISVs to access the Intel AMT non-volatile storage feature. The table below lists a couple of ISV Storage APIs and their details. For a complete list, refer to Storage Design Guide included in the Intel AMT SDK
|
Method |
Description & Compatibility |
|
ISVS_AllocateBlock() |
Allocates a portion of the Intel AMT non-volatile storage area, sets the block visibility and defines the block name. Once the block is allocated the application becomes the owner of the block. |
|
ISVS_GetAllocateBlocks() |
Enables an application to get a listing of block handles for those blocks allocated by a given application. |
Agent Presence APIs:
These APIs can be categorized into:
- Local Agent Presence APIs: These APIs can be used by an application designed to run on the local platform to report that it is running and to send heartbeats periodically.
- Remote Agent Presence APIs: These APIs can be used to register Local Agent applications and to specify the behavior of In tel AMT when an application is running or stops running unexpectedly.
The table below lists some of the local and remote AgentPresence APIs and their details. Refer to Network Interface Guide for a complete list.
|
Method |
Description & Compatibility |
|
ConsoleWatchdogCreate() |
Creates an entry for an application to be monitored. Supported by Intel AMT 2.0 and later. |
|
ConsoleWatchdogSetActions() |
Sets actions for a given application watchdog entry. Supported by Intel AMT 2.0 and later. |
|
AgentWatchdogRegister() |
Called by applications that wish to start reporting their running state. Supported by Intel AMT 2.0 and later. |
|
AgentWatchdogHeartbeat() |
Issued periodically by an application to report its running state. Supported by Intel AMT 2.0 and later |
Circuit Breaker APIs:
The Circuit Breaker interface (also known as System Defense) is used by remote or local applications (i.e. management consoles, agent presence, environment detection, and also NAC / 802.1X) to apply filters to the network traffic.
The below table shows a couple of Circuit Breaker APIs and their functions. A full list of these APIs and their details is included in the Network Interface Guide.
|
Method |
Description & Compatibility |
|
CbPolicyCreate() |
Creates a CircuitBreaker policy. Supported by Intel AMT 2.0 and later. |
|
CbFilterCreate() |
Creates a CircuitBreaker filter. Supported by Intel AMT 2.0 and later. |
Wireless Configuration APIs:
The Wireless Configuration APIs are used for embedding wireless profiles into Intel AMT as well as for reading general wireless configuration settings.
The below table shows a couple of Wireless Configuration APIs and their functions. A full list of these APIs and their details is included in the Network Interface Guide.
|
Method |
Description & Compatibility |
|
AddWirelessProfile() |
Adds a new wireless profile to the store of profiles in the Intel AMT device. Supported by Intel AMT Release 2.5, 2.6 and 4.0 |
|
GetWirelessSettings() |
Returns the current active profile and whether the radio in the interface is on or not. Supported by Intel AMT Release 2.5, 2.6 and 4.0 |
Endpoint Access Control APIs:
These APIs configure and enable NAC posture and returns settings associated with it. The table below lists a couple of Endpoint Access Control APIs and their details. For a complete list, refer to Network Interface Guide.
|
Method |
Description & Compatibility |
|
SetPostureSigner() |
Identifies the certificate to be used to sign EAC postures in response to a GetPosture request. Supported by Intel AMT Release 2.5 and later. |
|
GetPosture() |
Returns posture information interpretable by a properly configured NAC device. Supported by Intel AMT Release 2.5 and later. |
|
EnableEAC() |
Enables or disables the local interface EAC capability. Supported by Intel AMT Release 2.5 and later. |
Local UN APIs:
Local UN APIs are used for local user notification. A couple of Local UN APIs are included in the table below. For a complete list, refer to the Network Interface Guide.
|
Method |
Description & Compatibility |
|
SubscribeForGeneralAlert() |
Allows creation of an alert that can be reported either in SNMP PET format targeted to an IP address or as a SOAP message targeted to a URL. Supported by Intel AMT Release 2.5 and later |
|
EnumerateGeneralAlertSubscriptions() |
Enumerates alert subscriptions in the Intel AMT device. Supported by Intel AMT Release 2.5 and later |
Audit APIs:
These APIs allow a system auditor to monitor critical events. The below table gives a list of Audit APIs and their functions. A detailed list of these APIs can be seen in the Network Interface Guide.
|
Method |
Description & Compatibility |
|
SetAuditPolicy() |
Sets the auditable event policy, which defines rules for recording an event to the audit log. Supported by Intel AMT Release 4.0 and later |
|
EnableAuditing() |
Starts the auditing process in the system according to the current auditing policy. Supported by Intel AMT Release 4.0 and later |
Remote Access APIs:
These APIs enable administrators to configure remote access parameters for Fast Call for Help feature in Intel AMT 4.0 and later. The table below lists a couple of these APIs and their details. For a complete list, refer the Network Interface Guide.
|
Method |
Description & Compatibility |
|
AddMpServer() |
Adds information about a Management Presence (MP) server to an Intel AMT device. Supported by Intel AMT Release 4.0 and later |
|
EnumerateRemoteAccessPolicies() |
Enumerates the Remote Access policies that are configured on the Intel AMT device. Supported by Intel AMT Release 4.0 and later |
User Access Control APIs:
Users who have access to the User Access Control realm can use these APIs to modify their own password. In addition, a user with special permissions can remove special realm permissions from himself.
The table below lists a couple of User Access Control APIs and their details. For a complete list, refer the Network Interface Guide.
|
Method |
Description & Compatibility |
|
EnumerateUserAclEntrie s() |
Enumerates entries in the User Access Control List (ACL). Supported by Intel AMT Release 4.0 and later. |
|
GetUserAclEntryEx () |
Reads a user |
The Intel AMT Software Development Kit (SDK) provides tools and capabilities that enable developers to develop manageability applications that take full advantage of Intel AMT. The latest version of the Intel AMT SDK is freely downloadable from http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk. The SDK includes the following components:
- Intel AMT Storage Library and API provides abstraction of Intel AMT non-volatile storage calls. The library enables local and remote access to the non-volatile store on Intel AMT machines in all power states, and it includes a static library, headers, and sample code, as well as a C-based API.
- Intel AMT Redirection Library and API provides abstraction of redirection calls, Serial over LAN (SoL) console redirection, and IDE Redirection (IDER). The library enables remote management of Intel AMT machines through SoL and IDER sessions, and it includes a dynamic library (Windows), static library (Linux*), header files, and sample code, as well as a C-based API.
- Intel AMT Network Interfaces include the SOAP-based network interfaces defined in WSDL files.
- Documentation includes a User Guide, Storage Design Guide, Network Design Guide, and Validation Design Guide. Also included are a Redirection Library User Guide, Developer Guide to the sample setup, Small Business Configuration User Guide, and System Defense Feature & Agent Presence Overview.
The Intel AMT SDK can be used with any language that includes a SOAP stack, including gSOAP (C++), ATL SOAP (MS C++, although optional parameters are not supported and a memory leak has been reported), and C#. The SDK requires the Microsoft .NET Framework v1.1 (some samples and other components require the .NET Framework 2.0), and Windows Storage library requires the Microsoft Platform SDK (for WinHTTP).
Additional freely downloadable tools are also provided by Intel for use by developers in creating management applications that support Intel AMT. For a full list of these tools and their downloads, please see the Intel® AMT Downloads.
Intel AMT Developer Support
Developers creating products that take advantage of Intel AMT are entitled to technical support from Intel. A Manageability Software Development Forum exists for the purpose of providing support for architect/developer questions regarding Intel manageability technologies, including the Intel AMT Software Development Kit (SDK), Developer Tool Kit (DTK), and Setup and Configuration Service (SCS). Intel also has developed a community around manageability to help foster growth and promote development efforts. Questions are answered by both peers and Intel representatives that monitor this forum.
Additional Resources
- Intel Manageability Community is a core developer resource for manageability technologies from Intel that provides tools, documentation, use cases, blogs, and user forums.
- Intel® vPro™ Expert Center is a place for IT Practitioners to discuss Client technologies around: Integration, activation & deployment of Intel® AMT & Security.
- Intel AMT Technology Brief (PDF 424KB) provides a concise overview of the technology from a business perspective, with a focus on features and benefits to IT organizations and software vendors.
Comments (4) 
March 5, 2009 5:35 PM PST
 David | I need this article at spanish, and others articles about Intel AMT. Tks |
| June 27, 2009 7:00 AM PDT
feng | the foil is very clear |
| March 1, 2010 11:27 PM PST
Vicky Chen
|
How to update the ME Firmware on the Redfort FAB3 CRB? Thanks!! |
aNGEl
P.S. Sorry for my english, thanks ahead..