It is possible to set up Intel AMT having only local OS admin permissions.
Host-based setup and configuration allows you to complete preparation of Intel AMT for use without requiring a setup and configuration application connecting with the Intel AMT device over the network or requiring IT personnel to configure settings in the MEBX. Instead, an application running locally sets up Intel AMT and configures it for use. The local application initiating the process requires OS administrative privileges on the platform. This model meets the needs of many IT environments that prefer to push an agent to the platform to perform IT-mandated activities locally and avoid the complexity of a networked setup and configuration server.
The host-based setup capability trades off limiting access to certain security-sensitive features for ease of setup. User consent is required for redirection, KVM and certain remote control functions. Other functions are blocked to avoid a rogue takeover of Intel AMT or the user’s platform.
Host-based setup adds the concept of control modes. Client Control Mode has limited capabilities for security reasons, while Admin Control Code has the full range of Intel AMT features.
Note Before Setup: |
Before proceeding with Intel AMT setup, you need to check whether Intel AMT is enabled on the platform. |
End of Support Notice and Recommendation |
Starting from Intel® CSME 19.0, the IPS_HostBasedSetupService.AdminSetup method of setting up ACM provisioning will be removed. Intel recommends using the Secure Host-Based (Local-PKI) provisioning method for customers who require ACM provisioning. |
More on Client Control Mode and Admin Control Mode
Functional Limitations of Client Control Mode
Copyright © 2006-2022, Intel Corporation. All rights reserved. |