User Consent

In Client Control mode, user consent is always required. In Admin Control mode, user consent can be disabled (subject to the AMT_GeneralSettings.PrivacyLevel property). When user consent is enabled, attempting to initiate a redirection session (IDE-R or KVM) or to set a boot option causes a Sprite containing a User Consent Code to be displayed to the user. The user must provide this code to the remote IT administrator, who enters it to gain access. Once the correct Consent Code is entered, it enables all types of redirection sessions.

See User Consent for the commands and flows used to manage the user consent feature.

The following table lists the methods that require user consent when in Client Control mode or when user consent is configured to be required in Admin Control mode.

| Class Name | Member/Method | Details |
|---|---|---|
| AMT_BootSettingData | Put | Sets boot options for the next boot. Returns “access denied” if user consent is required but was not set. |
| CIM_BootService | SetBootConfigRole | Applies previously set boot options and boot sources. Returns “access denied” if user consent is required but was not set. |
| CIM_BootConfigSetting | ChangeBootOrder | Changes boot order. Returns “access denied” if user consent is required but was not set. |
| Web-UI | Remote control | Requires user consent before changing boot settings. |
| SOAP commands | RemoteControl | Method will fail without user consent if any of the boot settings are: SpecialCommand, SpecialCommandParameter, BootOptions, OEMparameters. Returns the SOAP Fault “User Consent Required” if user consent is required but was not set. |
| Redirection protocol (port 16994,16995) | Open IDE-R Session | Allows opening an SOL session. Allows opening a KVM session, which initiates the User Consent flow. Attempting to open an IDE-R session without user consent causes a USER_CONSENT_REQUIRED error. |

The user consent screen will be shared with the existing KVM screen if display of a Sprite is supported; otherwise, the MEBx will display a screen the next time the platform is rebooted.

The language of the Sprite can be set with a WS-Management method. This mechanism is disabled starting in Release 8.0 in favor of using an IMSS/UNS flow. Intel AMT supports 11 languages in Release 6.0. Release 7.0 extends the list to 27 languages.

The MEBx supports 10 languages for the user consent screen. If the MEBx does not support the selected language, it defaults to English.

The following steps summarize the user consent flow (see User Consent General Flow for additional detail):

1.  The IT operator and the PC user make contact over the telephone. For example, the user contacts the IT operator for help or the IT operator contacts the user because of the need for a reboot and remote update. The IT operator tells the user to watch for display of a consent code.

2.  The operator initiates a user consent application that requests display of a user consent code (see the User Consent Samples for more details).

3.  An opt-in sprite pops up on the PC user’s screen, displaying a one-time password (“User Consent Code”). Note that the language used in the sprite can be changed using the IMSS.
If the platform is not configured to display sprites (for example, the platform is configured for discrete graphics), the user consent application will initiate a restart of the platform and the user consent code will be displayed by the MEBx. The user does not need to press <Ctrl>-P to see this notice.

4.  If the user cannot see the displayed sprite, the IT operator may use the user consent application to switch to a second display (see Set the Default Monitor Property).

5.  The PC user reads the consent code to the IT operator over the telephone.

6.  The IT operator enters the consent code via the means provided by the user consent application. The application sends it to the platform.

7.  When this operation succeeds, IDE-R, KVM and set boot options commands can be performed.

8.  For approximately 2 minutes (configurable to 1 to 15 minutes) after the end of the previous activity, the IT operator can initiate a new activity that requires user consent without re-sending a consent code.
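
The gating in steps 6 to 8 can be modeled as a small state machine. The following is an added example, not Intel SDK code: the ConsentGate class, its method names, the six-digit code format and starting the window when the code is accepted are assumptions made for illustration, and times are passed in as seconds so the behavior is reproducible.

```python
import hmac
import secrets

GATED = {  # error each gated operation reports without consent (table above)
    "AMT_BootSettingData.Put": "access denied",
    "CIM_BootService.SetBootConfigRole": "access denied",
    "CIM_BootConfigSetting.ChangeBootOrder": "access denied",
    "IDE-R": "USER_CONSENT_REQUIRED",
}

class ConsentGate:
    """Hypothetical model of the platform side of the flow; times in seconds."""
    def __init__(self, client_control, consent_required=True, window=120):
        if not 60 <= window <= 900:  # configurable from 1 to 15 minutes
            raise ValueError("window must be 60..900 seconds")
        # Client Control mode always requires consent; Admin Control may disable it.
        self.required = client_control or consent_required
        self.window = window
        self._code = None       # one-time code currently shown to the user
        self._granted = False
        self._active = 0        # gated activities in progress
        self._idle_since = 0.0

    def display_code(self):
        """Steps 2-3: show a fresh code to the local user (six digits assumed)."""
        self._code = f"{secrets.randbelow(10**6):06d}"
        return self._code

    def submit_code(self, code, now):
        """Step 6: the operator sends back the code the user read out."""
        if self._code is None or not hmac.compare_digest(code, self._code):
            return False
        self._code, self._granted, self._idle_since = None, True, now
        return True

    def _consented(self, now):
        if self._granted and self._active == 0 and now - self._idle_since > self.window:
            self._granted = False  # window lapsed: a new code is needed
        return self._granted

    def start(self, op, now):
        """Steps 7-8: returns "ok" or the error listed for the operation."""
        if self.required and not self._consented(now):
            return GATED[op]
        self._active += 1
        return "ok"

    def end(self, now):
        self._active = max(0, self._active - 1)
        self._idle_since = now
```

The model makes the step 8 window visible: any gated operation started inside it succeeds without the user seeing a new code, which is the reason to keep the configured value short where policy allows.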

See Also:

   User Consent Feature

   Opt-In Flow for KVM

Copyright © 2006-2013, Intel Corporation. All rights reserved.