Client Control Mode and Admin Control Mode

When any method of setup completes, Intel AMT is placed into one of two control modes. The modes are:

   Client Control Mode (CCM) – Intel AMT enters this mode after performing a basic host-based setup (see Host-Based (Local) Setup). This mode limits some Intel AMT functionality, reflecting the lower level of trust required to complete a host-based setup.

   Admin Control Mode (ACM) – After performing any of the existing setup and configuration methods – remote setup (TLS-PSK or remote configuration) or a manual setup via the MEBx – Intel AMT enters Admin Control Mode. Also, performing a host-based AdminSetup before any provisioning has been done, or an UpgradeClientToAdmin when Intel AMT is already in Client Control Mode, moves Intel AMT to Admin Control Mode. In this mode, there are no limitations to Intel AMT functionality. This reflects the higher level of trust associated with these setup methods.

Beginning in Intel AMT Release 10.0, secured FQDN host-based provisioning is supported.

Host Based Provisioning Matrix

| Provisioning Type | Precondition | Network or HBC | Final Mode | Zero Touch | LAN-less | Static IPv4 |
|---|---|---|---|---|---|---|
| ACM | Certificate hash; LAN connected; DHCP OTP-15/24 | HBC | ACM | Yes | No | No |
| CCM upgrade to ACM (PKI) | Certificate hash; LAN connected; DHCP OTP-15/24 | HBC or over network | ACM | Yes | No | No |
| CCM upgrade to ACM with Secured FQDN suffix | Secured FQDN (added in Release 10.0) | HBC or over network | ACM | No | No, but it can be available | No, but it can be available |
| ACM (PKI) with Secured FQDN suffix | Secured FQDN (added in Release 10.0) | HBC | ACM | No | No, but it can be available | No, but it can be available |
| CCM | | HBC | CCM | Yes | Yes | Yes |
| PSK via MEBx, USB key or manufacturing | PSK | Over network | ACM | No | No, but it can be available | No, but it can be available |
| Embedded | Enabled by manufacturing | HBC | ACM | Yes | Yes | Yes |


Note:

PSK was removed in Intel AMT release 11.0.

Admin Control Mode Limitations

In Intel AMT Release 9.5, on LAN-less platforms, TLS is not enabled. 

 

Client Control Mode Limitations

When a simple host-based configuration completes, the platform enters Client Control Mode, which imposes the following limitations:

1.  The System Defense feature is not available.

2.  Redirection (IDE-R and KVM) actions (except initiation of an SOL session) and changes in boot options (including boot to SOL) require user consent in advance (see User Consent). This still enables IT support personnel to remotely resolve end-user problems using Intel AMT.

3.  If an Auditor user is defined, the Auditor’s permission is not required to perform unprovisioning.

4.  A number of functions are blocked from execution to prevent an untrusted user from taking over control of the platform.

The rationale for Client Control Mode is that it supports the most common Intel AMT usage model, while dramatically reducing the ISV and IT overhead required to perform Intel AMT configuration and operation.

Note:

There are two ways to transition from Client Control Mode to Admin Control Mode:

   Provide the necessary parameters and invoke IPS_HostBasedSetupService.UpgradeClientToAdmin.

   First unprovision Intel AMT, and then perform setup and configuration using one of the other setup and configuration methods – remote setup (TLS-PSK or remote configuration) or a manual setup.  From Release 10.0, a provisioning server with a secured-FQDN suffix is also supported.
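
Because a platform can move from Client Control Mode to Admin Control Mode, and the CCM user-consent limitation then no longer applies, it is worth checking the mode each platform reports against inventory. The following is an added example, not code from the original page or from the Intel AMT SDK: it parses a constructed WS-Management Get response for IPS_HostBasedSetupService and flags drift. The CurrentControlMode and AllowedControlModes properties and the namespace URI are taken from the AMT WS-Management class reference rather than this page; the function names, host name and inventory baseline are hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumption: class namespace and property names come from the Intel AMT
# WS-Management class reference, not from this page.
IPS_NS = "http://intel.com/wbem/wscim/1/ips-schema/1/IPS_HostBasedSetupService"
NS = {"g": IPS_NS}
MODES = {0: "pre-provisioning", 1: "CCM", 2: "ACM"}  # CurrentControlMode values

# Constructed sample: body of a Get response, SOAP envelope omitted.
SAMPLE = f"""<g:IPS_HostBasedSetupService xmlns:g="{IPS_NS}">
  <g:AllowedControlModes>1</g:AllowedControlModes>
  <g:AllowedControlModes>2</g:AllowedControlModes>
  <g:CurrentControlMode>2</g:CurrentControlMode>
</g:IPS_HostBasedSetupService>"""


def mode_name(raw):
    """Map a numeric mode to its name; keep unknown values visible."""
    return MODES.get(int(raw), f"unknown({raw})")


def parse_control_mode(xml_text):
    """Return (current_mode, allowed_modes) from a Get response body."""
    root = ET.fromstring(xml_text)
    node = next(root.iter(f"{{{IPS_NS}}}IPS_HostBasedSetupService"), None)
    if node is None:
        raise ValueError("no IPS_HostBasedSetupService instance in response")
    current = node.findtext("g:CurrentControlMode", namespaces=NS)
    if current is None:
        raise ValueError("CurrentControlMode missing from response")
    allowed = [mode_name(e.text) for e in node.findall("g:AllowedControlModes", NS)]
    return mode_name(current), allowed


def audit(host, xml_text, expected):
    """Compare the reported mode with a (hypothetical) inventory baseline."""
    current, allowed = parse_control_mode(xml_text)
    findings = []
    if current != expected:
        findings.append(f"{host}: reports {current}, inventory expects {expected}")
    if current == "ACM" and expected == "CCM":
        # Per the page, only CCM requires advance user consent for IDE-R/KVM.
        findings.append(f"{host}: CCM user-consent requirement no longer applies")
    if current == "CCM" and "ACM" in allowed:
        findings.append(f"{host}: ACM is listed in AllowedControlModes")
    return findings


if __name__ == "__main__":
    for line in audit("pc-01.example", SAMPLE, expected="CCM"):
        print(line)
```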

 

See Also:

   Functional Limitations of Client Control Mode

   Additional Functionality

   User Consent

   SDK Software Support for Host-Based Setup and Configuration

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.