Use Case flow

This section describes the flow for the case where the Security ISV implemented the Manageability Interface as recommended in the Remote Encryption Management SDK.  If the Security ISV implemented their own interface, or implemented additional functionality, the Manageability ISV would need to coordinate with the Security ISV on the mechanism used to request an unlock.

1.  The Security ISV would make the Manageability Interface available at a given Fully Qualified Domain Name (FQDN).  The Manageability ISV should be able to connect to the service at that FQDN when it’s protected with NTLM or Kerberos authentication.

2.  The Manageability Interface supports unlocking either one Intel® AMT system or multiple Intel AMT systems.  Based on either scaling or security concerns, a Security ISV can choose to restrict how many systems can be unlocked at once.  This limit is available through the Manageability Interface (in the MaxSystemsPerRequest property of the instance of the AMT_RemoteEncryptionService), and should be checked if multiple systems are being unlocked.

3.  The Manageability ISV can choose to check the current power state of the systems they’re requesting unlocked (using the EnabledState property of the CIM_ComputerSystem AMT instance on the WS-Man interface, or using the GetSystemPowerState call in EOI), so they can restore the system back to the same power state.

4.  An unlock request would be made using the UnlockSystems function of the AMT_RemoteEncryptionService instance, which is passed an array of strings containing FQDNs (or IP addresses, if they can be used to uniquely identify the systems).  The request would return a reference to the ConcreteJob that tracks whether the unlock request has completed (the Manageability ISV should keep track of the ConcreteJob reference and which systems they requested unlocked).

5.  To see if the unlock has completed, the Manageability ISV can check the JobState of the ConcreteJob instance that they received a reference for in step 4.

6.  Once the unlock is completed, the Manageability Interface provides a mechanism for checking the state of the AMT systems through the GetUnlockedSystems function of the AMT_RemoteEncryptionService.  By default this will only return values if the job is complete.  As an alternative way to discover that a system has powered on, the Manageability ISV could run an agent on the system that checks into the server periodically while the OS is up.  Once the system was unlocked, that agent would check in, and the Manageability ISV would know that the system was available.

7.  It is the responsibility of the Manageability ISV to return the system to a powered off (S5) or hibernate (S4) state after they have finished managing a given Intel® AMT system, to ensure that the hard drive is locked.  Optionally, they can choose to simply put systems into S4 (Hibernate), to ensure that they don’t shut down a system that was previously in hibernate and risk losing a user’s work.
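
The following is an added example, not code from the SDK, that sketches steps 2 through 7 from the Manageability ISV's side, with the re-lock in step 7 placed in a finally block so the drive is locked again even if the job times out or a management task fails.  FakeInterface is a constructed in-memory stand-in for the Manageability Interface; its method names, the job-reference argument to get_unlocked_systems, the "S4"/"S5" strings, and the get_power, manage and set_power callbacks are assumptions made for illustration.

```python
import time

JOB_COMPLETED = 7  # CIM_ConcreteJob.JobState value for "Completed" (DMTF CIM schema)

class FakeInterface:
    """Constructed in-memory stand-in for the Manageability Interface (hypothetical wrapper)."""
    def __init__(self, max_per_request=2, polls_until_done=2):
        self.max_systems_per_request = max_per_request  # MaxSystemsPerRequest property
        self.polls_until_done, self.jobs, self.polls = polls_until_done, {}, {}
    def unlock_systems(self, systems):                  # wraps UnlockSystems
        if len(systems) > self.max_systems_per_request:
            raise ValueError("request exceeds MaxSystemsPerRequest")
        ref = f"job-{len(self.jobs) + 1}"               # constructed job reference
        self.jobs[ref], self.polls[ref] = list(systems), 0
        return ref
    def job_state(self, ref):                           # reads JobState of the ConcreteJob
        self.polls[ref] += 1
        return JOB_COMPLETED if self.polls[ref] >= self.polls_until_done else 4  # 4 = Running
    def get_unlocked_systems(self, ref):                # wraps GetUnlockedSystems
        return list(self.jobs[ref])

def unlock_manage_relock(iface, systems, get_power, manage, set_power, poll_s=0.0, max_polls=10):
    """Steps 2-7 for a list of FQDNs; returns {fqdn: outcome}. Re-locks even on failure."""
    limit = iface.max_systems_per_request                         # step 2
    prior = {s: get_power(s) for s in systems}                    # step 3
    report = {}
    for i in range(0, len(systems), limit):
        batch = systems[i:i + limit]
        job = iface.unlock_systems(batch)                         # step 4: keep job -> batch
        try:
            for _ in range(max_polls):                            # step 5
                if iface.job_state(job) == JOB_COMPLETED:
                    break
                time.sleep(poll_s)
            else:
                raise TimeoutError(f"{job} not completed after {max_polls} polls")
            for s in iface.get_unlocked_systems(job):             # step 6
                try:
                    manage(s)
                    report[s] = "managed"
                except Exception as exc:                          # keep going, still re-lock
                    report[s] = f"manage failed: {exc}"
        finally:
            for s in batch:                                       # step 7
                # Restore S4/S5; anything else falls back to S4 per the page's option.
                set_power(s, prior[s] if prior[s] in ("S4", "S5") else "S4")
    return report
```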

Copyright © 2006-2012, Intel Corporation. All rights reserved.