| Last Modified On : | October 13, 2008 10:52 AM PDT |
Rate |
|
Intel® Active Management Technology (Intel® AMT) addresses traditional weaknesses in platform-audit capabilities, substantially reducing costs for IT organizations. Advanced, out-of-band (OOB) remote-discovery techniques replace conventional means, preventing end-user interference and avoiding the necessity of IT personnel making expensive physical visits to the systems being audited.
This use case concerns process improvements that result in dramatic cost savings during platform audits to support maintenance of hardware and software contracts, as well as regulatory compliance with legislation.
Conventional tools traditionally available for asset discovery work on an in-band basis only; that is, these tools require the target system operating system to be operational, and they fail if the platform is powered off or the operating system is otherwise non-functional. Moreover, users can intentionally or inadvertently remove the software agents on which auditing tools depend.
As a result, IT organizations must depend on users to report their IT assets, or IT employees must be sent to check the assets manually. No standard, persistent asset ID exists, and there is no reliable down-the-wire method to discover unused or underutilized hardware or software assets. These limitations combine to create substantial cost inefficiencies related to software licensing, IT personnel, and hardware maintenance contracts. Wireless environments and laptops make this even more challenging since at any point in time, laptops may be connected to a corporate LAN over the wireless network or via VPN (in case of remote mode) or may not be connected to an AC power source.
Using an asset management application that supports Intel AMT, an IT professional discovers and audits all Intel AMT-based platforms remotely, down-the-wire, assuming the following scenarios:
- Desktop Mode – Platforms are AC powered and connected to the corporate LAN via a wired LAN connection (not over VPN)
- Mobile mode – Laptops in S0 are AC powered or on battery and are on the corporate wireless network (not connected via VPN)
- Remote Mode – Laptops in S0/H0 are connected to the corporate network via VPN
Intel AMT makes that possible via OOB remote access to a platform's persistent, tamper-resistant asset ID, which end-users are typically unable to access or modify.
The IT professional can compare the remotely obtained asset IDs against the asset management database kept in a third-party management application. This step allows validation of the stored asset data. In case of laptops, since all of them might not be within the corporate network (mobile mode) or connected to the corporate LAN via VPN (remote mode) when the inventory is taken, either some manual checking might be necessary, or the inventory might span over multiple days in order to catch all laptops connected appropriately. Depending on the Intel AMT features supported by a management console and IT policies, additional inf ormation may be accessible from the platform that assists an IT audit process. Remote platform audits assisted by Intel AMT are far more complete than traditional manual ones, without resorting to manual desk-side visits.
The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:
|
Feature |
Functionality |
|
Out-of-band (OOB) access |
Accessing the persistent asset ID when the operating system is unavailable or the platform is powered off |
|
Remote Platform Inventory |
Utilizing the persistent asset ID to discover the platform |
|
Intel® AMT Flash |
Allows storage of persistent unique asset ID |
|
Tamper-Resistant Agent |
Allows for access to the asset ID with little risk of tampering by a user |
Through Intel AMT platforms, an IT department can reduce or eliminate manual platform audits by means of remote, down-the-wire access to platforms, regardless of operating system state assuming that the platforms are either in desktop mode (AC powered (but not necessarily turned on) and connected to the corporate network via a wired connection (not over VPN)), mobile mode (within the corporate environment on wireless or battery connected (not VPN connected), or remote mode (connected via VPN - AC or DC powered and wired or wirelessly connected). This functionality, which is relevant to both planned and emergency situations, allows for faster, more accurate, and more timely platform audits. Additionally, the remote, down-the-wire discovery capabilities make regulatory compliance possible without labor-intensive rushes to meet audit deadlines. Moreover, remote access to asset information enables optimization of maintenance contracts, warranties, and configurations, as well as planned repurposing of underutilized platforms.
This use case enables IT organizations to save on audit and maintenance costs:
- Audit-Cost Savings: Achieve cost savings relative to a manual audit, because the platforms do not need to be physically touched.
- Software Maintenance Savings: Reduce software-maintenance contract costs by making more efficient use of those contracts.
- Hardware Maintenance Savings: Save on total hardware maintenance contracts (both platforms and hardware) by knowing which platforms require what maintenance levels (rather than covering them all with the most expensive option).
Intel AMT downloads hardware and software asset information from the BIOS and OS into non-volatile memory during boot, which can be accessed by IT anytime, even if the PC is off.
The workflow associated with this implementation is as follows:
|
Step |
Action |
API Call |
|
1 |
Is this an AMT Device? |
GetCoreVersion() ISVS_GetAPIVersionEx() |
|
2 |
If so, get inventory from Intel AMT |
EnumerateAssetTypes() |
The following tables provide an overview of Platform Auditing APIs:
GeneralInfo APIs:
The GeneralInfo APIs provides general (read only) information for various (local or network access) management applications.
|
Method |
Description & Compatibility |
|
GetCoreVersion() |
Reads the firmware version information from the Intel AMT Supported in Intel AMT Release 1.0 and later |
|
GetCodeVersions() |
Reads the BIOS and firmware information from the Intel AMT Supported by Intel AMT Release 2.0 and later |
|
GetProvisioningMode() |
Gets the current provisioning mode (Enterprise or Small Business) from the Intel AMT device Supported in Intel AMT Release 1.0 and later |
|
GetProvisioningState() |
Gets the current provisioning (configuration) state from Intel AMT Supported by Intel AMT Release 2.0 and later |
|
GetVlanParameters() |
Gets the VLAN mode and ID used by the Intel AMT device Supported by Intel AMT Release 1.0 and later |
|
GetHostName() |
Gets the host name currently used by the Intel AMT device Supported by Intel AMT Release 1.0 and later |
|
GetConfigServerInfo() |
Gets Configuration Server Information from Intel AMT Supported by Intel AMT Release 2.0 and later |
|
GetAdminAclEntryStatus() |
Reads Admin ACL entry status from Intel AMT Supported by Intel AMT Release 2.0 and later |
|
GetAdminNetAclEntryStatus() |
Reads remote Network Admin ACL entry status from Intel AMT Supported by Intel AMT Release 2.0 and later |
|
GetPasswordModel() |
Gets the BIOS password mode of work from Intel AMT Supported by Intel AMT Release 2.0 and later |
|
GetEnabledInterfaces() |
Gets enabled interfaces information of Intel AMT device Supported by Intel AMT Release 2.0 and later |
|
GetNetworkState() |
Reads Network State information from Intel AMT Supported by Intel AMT Release 2.0 and later |
|
GetSecurityParameters() |
Reads local interface security parameters Supported by Intel AMT Release 2.0 and later |
|
GetIderSessionLog() |
Reads the IDER session log Supported by Intel AMT Release 2.0 and later |
HardwareAsset APIs:
The HardwareAsset APIs perform operations that return hardware asset data.
|
Method |
Description & Compatibility |
|
EnumerateAssetTypes() |
Enumerates the names of hardware asset types supported by the Intel AMT device Supported in Intel AMT Release 1.0 and later |
|
GetAssetData() |
Returns hardware asset data of Intel AMT device Supported by Intel AMT Release 1.0 and later |
Remote Control APIs:
The Remote Control APIs managing the power and booting state of the Intel AMT managed system.
|
Method |
Description & Compatibility |
|
GetRemoteControlCapabilities () |
Gets the remote control capabilities supported by the Intel AMT device Supported in Intel AMT Release 1.0 and later |
|
GetSystemPowerState() |
Returns the power state of the Intel AMT-managed PC system Supported by Intel AMT Release 1.0 and later |
ISV Storage APIs:
The ISV storage APIs are used by ISVs to access the Intel AMT non-volatile storage feature
|
Method |
Description & Compatibility |
|
ISVS_GetAPIVersion() |
Gets the ISVS API version supported by the Intel AMT device (deprecated since AMT 2.0) |
|
ISVS_GetAPIVersionEx() |
Gets the ISVS API version supported by the Intel AMT device Extended version of ISVS_GetAPIVersion. |
The following SDK sample source code provide examples of Platform Auditing:
- GeneralInfo
- AssetDisplay
The following SDK Documents provide further information:
§ The following assumptions underlie the analysis in this use case:
- Some platforms will be discovered in-band, without using the OOB feature of Intel AMT.
- Platform audits without Intel AMT are costly, manually intensive, time consuming, and error prone.
- Asset IDs are placed in the platforms' Intel AMT firmware prior to deployment.
- All research data was gathered from global, US-based IT organizations.
- Platforms being audited using Intel AMT are connected to a power so urce (electrical outlet, battery, etc.), but the platform does not have to be powered on.
- Platforms are connected to an AC power source (Desktop mode) or platforms are in S0 (Mobile mode) or S0/H0 (Remote mode) and are either AC or DC powered
- Platforms are physically connected through a working wired Ethernet connection to the corporate LAN and not over VPN (Desktop mode) or they are connected to the corporate wireless network not via VPN (Mobile mode) or they are connected via VPN either wired or wirelessly (Remote mode) for OOB access.
- Not all laptops can be discovered and inventoried at one time given that some will not be in desktop, mobile, or remote mode.
RESOURCES:
- The Intel Manageability Community
- Intel® Active Management Technology Use Cases
- Architecture Guide: Intel® Active Management Technology
- Intel® Active Management Technology
- Intel® Active Management Technology (Intel AMT) Software Development Kit (SDK) Start Here Guide
- Download the latest Intel® AMT Software Development Kit (SDK)
- Intel® Active Management Technology Software Development Kit (SDK) User Guide
- Intel® AMT: Developer Resource Guide
- Intel® Active Management Technology
- Intel® Active Management Technology Brief
Comments (9) 
May 5, 2008 7:11 AM PDT
 rahul |
is this persisitent id we are talking about, actually the ip address of the computer or something else stored in AMT flash memory? |
| May 5, 2008 5:01 PM PDT
Gael |
it wouldn't be an IP address - it most likely refers to the AssetType as defined in the Network Interface Guide for whatever Asset we are talking about. |
| May 6, 2008 3:47 AM PDT
rahul |
thanx Gael for the reply. |
| May 6, 2008 4:18 AM PDT
rahul |
gael, is there any way we can retreive the asset ID from the AMT enabled systems manually without going into third party storage systems? |
| May 7, 2008 5:19 PM PDT
Intel(R) Software Network Support |
Rahul: we recommend posting this and any additional AMT questions you have to the Manageability forum at http://softwarecommunity.intel.com/isn/Community/en-US/forum.....Forum.aspx. |
| June 26, 2008 11:23 AM PDT
Intel Software Network Support |
Resource list now included. IAMT Use Cases article has list of 11 examples like this one. |
| October 27, 2008 10:05 AM PDT
Danny | Has anyone found any user guides on how to user Active Managemetn Technology. All I can find are articles that state what a great product it is. Any help would be appreciated. |
| November 6, 2008 3:00 PM PST
Michele Gartner |
Hi Danny - We really do have information on how to use vPro and Intel AMT! I list these docs out on a wiki over at the Intel vPro Expert Center. Here are some links that you may find helpful: Online training: http://download.intel.com/business/vpro/ActivationClass/main.html User Docs: http://communities.intel.com/openport/docs/DOC-1370 Use Cases (How to put vPro into action): http://communities.intel.com/openport/docs/DOC-1586 Let me know if that doesn't do it for you - we have quite a few docs in the works to support the functionality of Intel AMT versions 4.0 & 5.0 right now. Thanks, Michele |
Louis Duran
It would be VERY nice if the all the different use case pages had a link back to the use case overview page. I can't find a simple list of all the use cases and what AMT version support those use cases.