The complexity of Intel® Active Management Technology (Intel® AMT) configuration profiles vary depending on the enabled features. The first step in integrating Intel AMT into a management console is to determine which features the console should support.
Begin by looking at configuration options within the ACU Wizard tool where you can examine the options. This tool is part of the Intel® Setup and Configuration Software (Intel® SCS) download. You can find more information about the options in the Intel SCS documentation within the Intel SCS download.
The most common console integration uses the host-based configuration methodology. This method uses the host's OS (Windows* 7+) with a scripted configuration to execute the configuration.
This article shows how the ACU Wizard tool creates a sample configuration profile. The profile provides the expected XML code so the console can create and encrypt for deployment to Intel AMT devices.
Note: If the console creates the profile XML, you should encrypt the file by using the SCSEncryption.exe tool prior to deployment to the Intel AMT device. Without encryption, the file will be sent to the client in clear text, exposing passwords within the profile.xml file.
Automating the configuration process will involve creating the profile.xml file and creating a script to perform the configuration. The basic steps are:
Host-based configuration, as described above, has one significant disadvantage. It does not allow an Intel AMT device to be configured into Admin Control Mode. With a slight change to the configuration profile, we can point the firmware to a Setup and Configuration Server to access a Provisioning Certificate. For more detail on Admin Control Mode/Client Control Mode, see Intel vPro Setup and Configuration Integration.
The ACU Wizard tool has several methods for configuring an Intel AMT Device. However for our purposes, we only need one of the options to get our sample xml file. To create the profile.xml file while using ACU Wizard, do the following:
Note: For detailed instructions on using the ACU Wizard, please refer to or the documentation contained within the Intel® SCS download.
Now we have an encrypted profile.xml. We next need to decrypt the file to expose the configuration parameters by using SCSEncryption.exe program, contained in the Intel SCS download. Once decrypted, you can open the file in an xml viewer and see the exposed xml tags.
>SCSEncryption.exe Decrypt <input_filename> <password> /Output <output_filename>
Note: If you wish to enable additional features within your profile or explore other features of Intel AMT, these features can be enabled in step 5 above. For example, one of the popular and highly recommended features is wireless configuration.
The configuration process will place the Intel AMT device into one of two modes: Client Control Mode or Admin Control Mode. The main difference is that Client Control Mode requires User Consent for redirection operations and Admin Control Mode does not.
The User Consent feature adds another level of security for remote users. A User Consent code must be submitted when a redirection or control is required of the remote client. For example, accessing via Remote KVM or executing an IDEr command is considered a redirection operation, but performing a get power state or reboot is not.
One of the most important integration tasks for managing Intel AMT-enabled devices is configuration. The process of configuration is straightforward when using ACUconfig.exe, however the profile creation process is the portion we need to address in depth.
Using ACUWizard.exe we can create a sample profile.xml that gives us a snapshot showing how we can create dynamic console-based profiles, so we are not tied to a specific static profile. This gives us the ability to manage Intel AMT in a wider range of feature enablement, such as User Consent Configuration, wireless profiles, Active Directory Access Control Lists (AD ACLs), and so on.
Joe Oster has been at Intel working with Intel® vPro™ technology and Intel AMT since 2006. When not working, he spends time working on his family farm or flying drones and RC aircraft.
Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.
Notice revision #20110804