Manageability Interface

Any implementation that works with Remote Encryption Management should implement a WS-Man service that supports the solution described below, referred to here as the Manageability Interface.

The primary purpose of the Manageability Interface is to give applications that patch or repair systems (referred to here as the Manageability ISV Console) a service for reaching systems that are in a powered-down state.  The high-level flow is shown in the diagram below: the Security ISV exposes the service to the Manageability ISV Console, subject to the authentication policies established within the network, so that the console can perform an unlock and wake event.  Without this service, an IT user would have to unlock the systems through the Security ISV Console and separately apply the patches with the Manageability ISV Console, while making sure that both consoles were operating on the same set of systems.  Because the Manageability Interface carries unlock requests and their results, the service should be protected with NTLM or Kerberos authentication; where both are available Kerberos is the better choice, since NTLM does not authenticate the server to the caller.

The maximum number of systems allowed per unlock request is defined by the Security ISV Console implementing the Manageability Interface, and is dictated by:

   The amount of time that it is acceptable to leave systems unlocked, which is a decision for the IT user.  Unlock time is highly dependent on both the implementation and system boot time, and must be validated by testing.  As a rough approximation, using the requirements specified in the Architectural Requirements section for the Remote Encryption Management Image, an individual system unlock takes between 15 and 30 seconds, and 20 systems can be unlocked simultaneously.

   The maximum number of systems that the Manageability Interface can handle reliably, which depends on the Security ISV Console's implementation of the service.

Assumptions

The Manageability Interface described here, and in more detail under Manageability Interface, makes certain assumptions about the two interacting ISVs, specifically:

   For optimal performance, the Manageability ISV Console knows which systems should be unlocked.

   The Security ISV has the Intel® AMT credentials and can establish a connection to the Intel® AMT clients requested by the Manageability ISV, identified by their FQDNs or IP addresses.

Responsibilities

The Security ISV Console (the application implementing the Manageability Interface) and the Manageability ISV Console (the application using the Manageability Interface) have certain responsibilities imposed on them.

Manageability ISV Console responsibilities:

   Must maintain a list of the FQDNs of the systems it asked to have unlocked, for each unlock request.

Security ISV Console responsibilities:

   The implementation must track the FQDNs of Intel® vPro™ systems.

   The implementation must retain the results of a request for 30 minutes.

   The implementation must return the maximum number of systems accepted per unlock request.

   (optional) The implementation can choose to return the unlocked and failed systems as they are updated, before the job completes.
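The sizing discussion and the responsibilities above can be illustrated with a small job tracker for the Security ISV Console side. This is an added example written for this page, not Intel code and not the WS-Man schema of the Manageability Interface; the class and method names, the in-memory store, the 20-system limit and the choice to start the 30-minute retention clock at job completion are assumptions.

```python
# Hypothetical unlock-job tracker for a Security ISV Console implementing the
# Manageability Interface.  Added illustration only: not Intel code and not
# the WS-Man schema; names, the in-memory store and the limits are assumed.
import math
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

RESULT_RETENTION_SECONDS = 30 * 60   # results must be kept for 30 minutes
UNLOCK_SECONDS_WORST = 30            # rough per-system unlock time from the text
PARALLEL_UNLOCKS = 20                # systems that can be unlocked simultaneously


def worst_case_unlock_seconds(n_systems: int, per_system: int = UNLOCK_SECONDS_WORST,
                              parallel: int = PARALLEL_UNLOCKS) -> int:
    """Upper bound on how long a batch keeps systems in flight: the batch is
    processed in waves of `parallel` systems, each wave taking `per_system`."""
    if n_systems <= 0:
        return 0
    return math.ceil(n_systems / parallel) * per_system


class Status(Enum):
    PENDING = "pending"
    UNLOCKED = "unlocked"
    FAILED = "failed"


def normalize_fqdn(name: str) -> str:
    """DNS names are case-insensitive; compare them in one canonical form."""
    return name.strip().rstrip(".").lower()


@dataclass
class UnlockJob:
    job_id: str
    created_at: float
    status: Dict[str, Status]          # fqdn -> current status
    completed_at: Optional[float] = None

    def is_complete(self) -> bool:
        return all(s is not Status.PENDING for s in self.status.values())


class UnlockJobTracker:
    """Enforces the per-request maximum, records per-FQDN outcomes as they
    arrive (the optional partial-results behaviour), and keeps finished
    results for 30 minutes, counted from completion (assumption)."""

    def __init__(self, max_per_request: int = PARALLEL_UNLOCKS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock            # injectable so retention can be tested
        self._max = max_per_request
        self._jobs: Dict[str, UnlockJob] = {}
        self._next_id = 0

    def max_systems_per_request(self) -> int:
        return self._max

    def submit(self, fqdns: List[str]) -> str:
        """Accept an unlock request or raise ValueError if it is empty or larger
        than the advertised maximum.  Duplicates are collapsed first."""
        wanted: List[str] = []
        for raw in fqdns:
            fqdn = normalize_fqdn(raw)
            if fqdn and fqdn not in wanted:
                wanted.append(fqdn)
        if not wanted:
            raise ValueError("no systems requested")
        if len(wanted) > self._max:
            raise ValueError(f"request names {len(wanted)} systems; maximum is {self._max}")
        self._expire()
        job_id = f"job-{self._next_id}"
        self._next_id += 1
        self._jobs[job_id] = UnlockJob(job_id, self._clock(),
                                       {f: Status.PENDING for f in wanted})
        return job_id

    def record(self, job_id: str, fqdn: str, unlocked: bool) -> None:
        """Record one system's outcome.  A result for a system that was not in
        the request is rejected rather than silently added to the job."""
        job = self._jobs[job_id]
        key = normalize_fqdn(fqdn)
        if key not in job.status:
            raise KeyError(f"{fqdn} was not part of {job_id}")
        job.status[key] = Status.UNLOCKED if unlocked else Status.FAILED
        if job.is_complete() and job.completed_at is None:
            job.completed_at = self._clock()

    def results(self, job_id: str) -> Optional[dict]:
        """Current (possibly partial) results, or None if the job is unknown
        or its results have aged out."""
        self._expire()
        job = self._jobs.get(job_id)
        if job is None:
            return None

        def having(status: Status) -> List[str]:
            return sorted(f for f, s in job.status.items() if s is status)

        return {"complete": job.is_complete(), "unlocked": having(Status.UNLOCKED),
                "failed": having(Status.FAILED), "pending": having(Status.PENDING)}

    def _expire(self) -> None:
        now = self._clock()
        for job_id, job in list(self._jobs.items()):
            if job.completed_at is not None and now - job.completed_at >= RESULT_RETENTION_SECONDS:
                del self._jobs[job_id]
```

The per-request maximum is the value a real console would derive from the acceptable unlock window: with the figures above, worst_case_unlock_seconds(20) is 30 seconds while 21 systems already need a second wave. FQDNs are normalized before comparison because the Manageability ISV Console keeps its own list of requested names and the two sides must agree on which system a result refers to.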

Copyright © 2006-2013, Intel Corporation. All rights reserved.