How to Integrate Intel® Active Management Technology Profiles into a Management Console

The complexity of Intel® Active Management Technology (Intel® AMT) configuration profiles vary depending on the enabled features. The first step in integrating Intel AMT into a management console is to determine which features the console should support.

Begin by looking at configuration options within the ACU Wizard tool where you can examine the options. This tool is part of the Intel® Setup and Configuration Software (Intel® SCS) download. You can find more information about the options in the Intel SCS documentation within the Intel SCS download.

Console Integration of Host-Based Configuration

The most common console integration uses the host-based configuration methodology. This method uses the host's OS (Windows* 7+) with a scripted configuration to execute the configuration.

This article shows how the ACU Wizard tool creates a sample configuration profile. The profile provides the expected XML code so the console can create and encrypt for deployment to Intel AMT devices.

Note: If the console creates the profile XML, you should encrypt the file by using the SCSEncryption.exe tool prior to deployment to the Intel AMT device. Without encryption, the file will be sent to the client in clear text, exposing passwords within the profile.xml file.

Automating the configuration process will involve creating the profile.xml file and creating a script to perform the configuration. The basic steps are:

  1. Copy the “configurator” folder and the profile.xml file from the SCS download folder to a location accessible by the Intel AMT client (Local, Network share, USB thumb drive, and so on).
  2. Open a command prompt with “Run as Administrator”  privileges, and then navigate to the acuconfig folder and run the following command: "acuconfig.exe configamt <profile.xml> /decryptionpassword <PASSWORD>"
  3. The configuration is successful if the program exits with code 0.

Host-based configuration, as described above, has one significant disadvantage. It does not allow an Intel AMT device to be configured into Admin Control Mode. With a slight change to the configuration profile, we can point the firmware to a Setup and Configuration Server to access a Provisioning Certificate. For more detail on Admin Control Mode/Client Control Mode, see Intel vPro Setup and Configuration Integration.

How to Use the ACU Wizard Tool

The ACU Wizard tool has several methods for configuring an Intel AMT Device. However for our purposes, we only need one of the options to get our sample xml file. To create the profile.xml file while using ACU Wizard, do the following:

  1. Create the profile by opening the ACU Wizard and selecting the Create Settings to configure Multiple Systems option.
  2. The Intel® AMT Configuration Utility: Profile Designer Window opens.
  3. Click the green plus sign.
  4. When the Configuration Profile Wizard opens, click Next.
  5. When the Configuration Profile Wizard Optional Settings Window opens, click Next.
  6. The Configuration Profile Wizard System Settings Window opens.
    1. Enter the RFB password if being enabled (not required).
      1. RFB refers to the Remote Frame Buffer protocol, also known as RFB5900. Enabling the RFB password allows for the use of a standard VNC viewer using port 5900, as opposed to a VNC viewer enabled for Intel AMT, which also uses Port 16994 or 16995.
    2. Enter the password in the use the following password for all systems data field.
    3. To edit the network settings, click the Set... button.
      1. There are no changes to make if the host OS is DHCP Enabled. Note the changes required if the OS has a static IP address.
      2. Select Cancel.
    4. Click Next.
  7. The Configuration Profile Wizard - Finished window opens.
    1. Enter the profile name you want to use, for example: profile.
    2. Encrypt the xml file by adding and confirming the password.
    3. Click Finish.
  8. The Intel® AMT Configuration Utility: Profile Designer Window opens.
    1. Note the Profile Path shown on your screen.
      1. It should look like this: <userName>\documents\SCS_Profile
    2. Close the ACU Wizard.

Note: For detailed instructions on using the ACU Wizard, please refer to or the documentation contained within the Intel® SCS download.

 

Using the Profile.xml file

Now we have an encrypted profile.xml. We next need to decrypt the file to expose the configuration parameters by using SCSEncryption.exe program, contained in the Intel SCS download. Once decrypted, you can open the file in an xml viewer and see the exposed xml tags.

Decryption syntax:

>SCSEncryption.exe Decrypt <input_filename> <password> /Output <output_filename>

Note: If you wish to enable additional features within your profile or explore other features of Intel AMT, these features can be enabled in step 5 above. For example, one of the popular and highly recommended features is wireless configuration.

Control Mode Choices

The configuration process will place the Intel AMT device into one of two modes: Client Control Mode or Admin Control Mode. The main difference is that Client Control Mode requires User Consent for redirection operations and Admin Control Mode does not.

User Consent

The User Consent feature adds another level of security for remote users. A User Consent code must be submitted when a redirection or control is required of the remote client. For example, accessing via Remote KVM or executing an IDEr command is considered a redirection operation, but performing a get power state or reboot is not.

Additional Resources

Summary

One of the most important integration tasks for managing Intel AMT-enabled devices is configuration. The process of configuration is straightforward when using ACUconfig.exe, however the profile creation process is the portion we need to address in depth.

Using ACUWizard.exe we can create a sample profile.xml that gives us a snapshot showing how we can create dynamic console-based profiles, so we are not tied to a specific static profile. This gives us the ability to manage Intel AMT in a wider range of feature enablement, such as User Consent Configuration, wireless profiles, Active Directory Access Control Lists (AD ACLs), and so on.

About the Author

Joe Oster has been at Intel working with Intel® vPro™ technology and Intel AMT since 2006. When not working, he spends time working on his family farm or flying drones and RC aircraft.

For more complete information about compiler optimizations, see our Optimization Notice.