Intel® AMT Use Case #11: Remote Configuration

In this use-case example, an IT manager receives shipment of several PCs that he wants to configure to use Intel® AMT. These PCs are all shipped with Intel AMT turned on (the manageability mode set to "AMT") and SOL/IDE-R turned on (assuming this feature is desired by the end user). Intel AMT must be configured so that the management console can securely identify and communicate with an Intel AMT-enabled PC. Note that Remote Configuration is available starting with Intel AMT 3.0 for the desktop and AMT 2.6 for Notebooks.

Using Intel® AMT Remote Configuration to Enable Provisioning

Under Remote (previously known as Zero-Touch) Configuration using the Intel Activator Utility, the PC is connected to power and the network, and Intel AMT automatically initiates the configuration process:

  • Delayed configuration: When an Intel AMT-enabled system is first turned on, it automatically sends out "hello" packets. After a timeout period has elapsed, it stops sending these packets until it receives a message from the configuration server. When a configuration message is received by a third-party software agent running in the client PC operating system, the configuration process begins. Certificates are exchanged and compared to hashes stored in the Intel AMT firmware, and passwords are exchanged. The client system also ensures that the configuration request has been received from a server on its network before allowing configuration to occur. Once all of the proper checks have occurred, the configuration server loads the settings and data required to enable Intel AMT and reboots the system.
  • Bare Metal configuration: The process for bare-metal configuration is the same as for delayed configuration, except that a third-party software agent is not needed, and the configuration server can configure Intel AMT without the one-time password. Once Intel AMT is configured, an operating system can be loaded from the network onto the PC, allowing for a completely no-touch configuration of the system with an IT-specified operating system.

Key Functionality Enabled by Intel AMT that Underlies this Use Case

The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:

Feature: Intel provides the Intel® AMT silicon, firmware image, LMS driver, Intel MEI driver, and the Intel® Setup and Configuration Service (SCS) along with the Activator Utility (included with the Intel SCS).
Functionality: These components form the basis for Intel AMT Remote Configuration support.


In addition, the following functionality can be performed by third-party management applications:

  • Third parties must provide the configuration server services (if not provided by Intel) and the ability to configure an Intel AMT-enabled PC.
  • The PC manufacturer must ship the Intel AMT-capable PC with the manageability mode set to "AMT", configuration mode set to "ZTC", and SOL/IDE-R turned on (if that feature is desired). Note that in order to successfully provision an Intel AMT client using the Remote Configuration method, the system must be in factory mode.

The Advantage of Intel AMT Remote Configuration

Remote Configuration automates the process of setting up and configuring business PCs for use with Intel AMT, including the ability to configure them remotely. It is the most convenient option provided by Intel to set up systems to be managed via Intel AMT.

Business Value of the Intel AMT Solution

This use case enables IT organizations to save on deployment costs, relative to other Intel AMT setup and configuration options:

  • Remote Configuration automates the provisioning of business PCs.
  • Remote Configuration enables IT organizations to configure PCs for Intel AMT without being in physical proximity to them.



Remote Configuration Usage Model Implementation

The following steps represent an overview of Remote Configuration flow:

Before Remote Configuration begins, the network should be configured as follows:

  1. The Intel SCS must have a server (provisioning) certificate, used only for setup and configuration, with the appropriate OID or OU that traces to a CA which has a root certificate hash stored in the Intel AMT device. The OID in the Extended Key Usage field must be 2.16.840.1.113741.1.2.3, or the OU value in the Subject field must be "Intel® Client Setup Certificate".
    • Contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. Go to the vendor's web site and purchase an "SSL certificate". For example, the following link to Verisign's* site http://www.verisign.com/ssl/buy-ssl-certificates/index.html shows how to purchase an appropriate certificate. Use the OID or the OU values above (or both) when defining the certificate.
    • This provisioning certificate must be installed in the SCS User's personal store.
  2. The Intel AMT device must be configured to receive its IP address from a DHCP server. The DHCP server's Scope Options must be configured to support option 15 and to return the domain suffix that is in the provisioning certificate.
  3. The Intel AMT device must be pre-programmed with at least one active root certificate hash.
  4. For the delayed installation sequence described below ("delayed" meaning that the Intel AMT device was not set up immediately upon being connected to the network), an ISV-created local agent must be installed on the host platform.
  5. The Intel AMT Setup and Configuration Server (SCS) must be registered with a DNS server accessible to the Intel AMT device with the name "ProvisionServer" (or the name defined by the PC manufacturer) and be in either the same domain as the device or in a domain with the same suffix. (Add an alias for "ProvisionServer"= <domain of the Intel AMT Client>.)
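
A pre-flight check for preconditions 1 to 3, written for this page as an added example (it is not Intel SCS or SDK code). It assumes the certificate fields have already been extracted into a dict, that firmware hashes are SHA-256 by default (the page does not name the algorithm), and that the domain suffix is compared on whole DNS labels; all names and sample values are constructed.

```python
import hashlib

AMT_EKU_OID = "2.16.840.1.113741.1.2.3"          # from the page
AMT_OUS = ("Intel® Client Setup Certificate",     # as printed on the page
           "Intel(R) Client Setup Certificate")   # ASCII spelling (assumption)


def suffix_matches(cert_cn, dhcp_domain):
    """Suffix check on whole DNS labels (assumed rule), not a raw endswith()."""
    host = cert_cn.lower().rstrip(".").split(".")
    dom = dhcp_domain.lower().rstrip(".").split(".")
    return len(dom) >= 2 and len(host) > len(dom) and host[-len(dom):] == dom


def preflight(cert, root_der, firmware_hashes, dhcp_domain, algo="sha256"):
    """Return the list of unmet preconditions; an empty list means ready."""
    problems = []
    has_oid = AMT_EKU_OID in cert.get("eku_oids", [])
    has_ou = any(ou in AMT_OUS for ou in cert.get("subject_ou", []))
    if not (has_oid or has_ou):
        problems.append("certificate lacks the AMT EKU OID and the AMT OU")
    # Hash algorithm is an assumption; pass algo="sha1" for a SHA-1 hash list.
    known = {h.lower().replace(":", "") for h in firmware_hashes}
    if hashlib.new(algo, root_der).hexdigest() not in known:
        problems.append("root certificate hash is not in the firmware list")
    if not suffix_matches(cert.get("subject_cn", ""), dhcp_domain):
        problems.append("certificate CN is outside the DHCP option 15 domain")
    return problems


# Constructed sample data: placeholder bytes stand in for the root CA's DER.
ROOT_DER = b"constructed-root-ca-der-bytes"
FIRMWARE_HASHES = [hashlib.sha256(ROOT_DER).hexdigest().upper()]
GOOD = {"subject_cn": "provisionserver.corp.example",
        "subject_ou": [], "eku_oids": ["1.3.6.1.5.5.7.3.1", AMT_EKU_OID]}
LOOKALIKE = dict(GOOD, subject_cn="provisionserver.notcorp.example")
PLAIN_TLS = dict(GOOD, eku_oids=["1.3.6.1.5.5.7.3.1"])

if __name__ == "__main__":
    for name, cert in (("good", GOOD), ("lookalike", LOOKALIKE),
                       ("plain-tls", PLAIN_TLS)):
        print(name, preflight(cert, ROOT_DER, FIRMWARE_HASHES, "corp.example"))
```

The look-alike case is the one a plain string `endswith()` comparison would accept, which is why the suffix is compared label by label.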

Implementation of this Use Case depends on the following additional preconditions:

  1. Intel® AMT silicon must be present.
  2. Intel® AMT FW image must be loaded.
  3. LMS driver must be loaded.
  4. Intel® MEI driver must be loaded.
  5. Intel® Setup & Configuration Server must be running on the network (if third party does not provide).
  6. Intel AMT-enabled Management Console is running on the network.
  7. OEM must ship the Intel AMT capable PC with the manageability mode set to "AMT", configuration mode set to "ZTC", and SOL/IDE-R turned on (if that feature is desired).

The implementation of the Remote Configuration use case follows these steps:

  1. IT orders a group of systems from OEM and provides OEM AMT settings for their environment.
  2. OEM enters AMT configuration information for the customer for each system (PID, PPS, SOL/IDE-R, Manageability Mode set for AMT, Sleep states, etc.).
  3. IT receives systems from OEM.
  4. System is then deployed into the environment.
  5. System is plugged into network and power.
  6. System is discoverable via Management Console.
  7. System can now be managed by Management Console.

Alternate Path 1 - Delayed Configuration:

  6. AMT system sends out "Hello" packets.
  7. After a timeout, it stops sending "Hello" packets until it receives a message from the configuration server.
  8. IT professional has the configuration server send out a configuration packet to all AMT systems waiting to be configured.
  9. When a configuration message is received by an ISV agent running in the client PC OS, the configuration process begins.
  10. Certificates are exchanged and compared to hashes stored in the AMT FW, and passwords are exchanged.
  11. Client system ensures that the configuration request has been received from a server on its network before allowing configuration to occur.
  12. Once all of the proper checks have occurred, the configuration server loads the settings and data required to enable Intel® AMT.
  13. Configuration server reboots the system.

Alternate Path 2 - Bare Metal Configuration:

  6. AMT system sends out "Hello" packets.
  7. After a timeout, it stops sending "Hello" packets until it receives a message from the configuration server.
  8. IT professional has the configuration server send out a configuration packet to all AMT systems waiting to be configured.
  9. When a configuration message is received by AMT, the setup and configuration server starts the configuration process without using a one-time password.
  10. Certificates are exchanged and compared to hashes stored in the AMT FW, and passwords are exchanged.
  11. Client system ensures that the configuration request has been received from a server on its network before allowing configuration to occur.
  12. Once all of the proper checks have occurred, the configuration server loads the settings and data required to enable Intel® AMT.
  13. Configuration server reboots the system.
  14. IT can now load an operating system from the network onto the PC, allowing for a completely no-touch configuration of the system with an IT-specified OS.

The above steps assume the IT professional is either using the Intel® SCS, a third-party equivalent or has written their own Setup and Configuration Application. Should the developer wish to write their own Setup and Configuration Application, the following tables describe the relevant WSMan Realms that can be found in the Intel® AMT Software Development Kit.

WSMan Interface Realm:

  • Setup and Configuration (Provisioning)
  • Network Administration
  • General Info
  • Security Administration

The following SDK resources provide WS-Man examples of the components involved in implementing the Setup and Configuration One-Touch Configuration use case:

  • CertChainBuilder (Sample Code in Configuration Folder)
  • GeneralInfo (Sample Code - WS Management Samples)
  • SecurityAdmin (Sample Code - WS Management Samples)
  • NetworkAdministration (Sample Code - WS Management Samples)

Additional information on the features associated with this Use Case can be found in the Intel® AMT SDK HTML-based documentation. Download and install the SDK; open the file default.htm found under ...\ DOCS\Implementation and Reference Guide\. Under the "Contents" tab select "Intel® AMT Features".

The following Intel® SCS documents provide further information on how to use this application to configure an Intel® AMT client:

  • Intel SCS 6.0: Intel®_SCS6.0_Installation_and_User_Guide
  • Intel SCS 6.0: Intel®_SCS6.0_Release_Notes
  • Intel SCS 6.0: Intel®_vPro_Technology_Activator_Guide.pdf
  • Intel SCS 6.0 Lite: Intel®_SCS6.0_Lightweight_Installation_and_User_Guide
  • Intel SCS 5.2: Intel®_SCS5.2_Installation_Guide
  • Intel SCS 5.2: Intel®_SCS5.2_Console_Guide
  • Intel SCS 5.2: Intel®_SCS5.2_Troubleshooting_Guide
  • Intel SCS 5.2: Internationalization of SCS Messages
