The enhanced remote manageability enabled by Intel® Active Management Technology (Intel® AMT), a component of Intel® vPro™ processor technology, is now available for business laptops through the wireless interface. This paper introduces some key considerations for enterprise IT organizations investigating the potential of wireless Intel AMT support in their environments.
IT organizations can use Intel® Active Management Technology (Intel® AMT), which is included in business PCs based on Intel® vPro™ and Intel® Centrino® Pro processor technology, to remotely manage those computers when they are powered down or have a non-functioning operating system. This manageability is based on an out-of-band communication channel that is enabled by a firmware-resident management engine (ME), which communicates via TCP/IP over conventional physical network interfaces. The communication interface used by the ME is logically separate from the host interface and has its own IP address.
Enterprises can increase the efficiency of support operations by means of this technology, since a larger proportion of trouble calls can be handled remotely, as in cases where a machine cannot boot successfully. With the new availability of functionality in laptops based on Intel Centrino Pro processor technology that is similar in scope to Intel vPro processor technology, these manageability and security enhancements have been added to wireless mobile computing for business. The new mobile platform incorporates the following core components:
- Intel® Core™2 Duo processor with Intel® Virtualization Technology, up to 4MB L2 cache, and up to 800MHz front-side bus
- Mobile Intel® GM/PM965 Express Chipset with enhanced I/O Controller Hub (ICH8M) and support for Intel AMT 2.5
- Intel® Wireless WiFi Link with choice of Next-Gen Wireless-N Intel® Wireless WiFi Link 4965 AGN or Intel® Wireless WiFi Link 4965 AG or Intel® PRO/Wireless WiFi Link 3945 ABG supporting Intel AMT
- Intel® 82566MM Gigabit Ethernet Connection supporting Intel AMT
This paper introduces key considerations that enterprise IT organizations should weigh in planning wireless support for Intel AMT. It discusses the security requirements and configuration issues associated with the technology, and it directs the reader to resources for more in-depth investigation of these topics. This discussion assumes a general familiarity with the capabilities and functionality of Intel AMT, as well as general Intel AMT deployment considerations and techniques; for further information, please see the Intel® Manageability Community. For a corresponding discussion that targets small/medium businesses (SMBs), see "SMB Considerations for Deploying Wireless Intel® AMT Support."
Preliminary Considerations: Capabilities and Limitations
Intel AMT devices have two modes of operation: Enterprise Mode and Small/Medium Business (SMB) Mode. In Enterprise Mode, setup and configuration requires the use of Transport Layer Security (TLS) communication protocols for secure communication, and the process is largely automated by Intel AMT Setup and Configuration Services (SCS). For more information on SCS, see Intel® AMT Setup and Configuration Service: Technical Overview. The initial setting of Enterprise or SMB Mode is made at the point of manufacture, and the default setting is typically Enterprise Mode; if not, then the value must be changed to Enterprise Mode during the setup and configuration process.
Wireless profiles must be configured in the Intel AMT device separately from the wireless profiles that are configured in the wireless client within the host OS, even though the profiles may be exactly the same. The Intel AMT device does not have the capability to synchronize profiles with those configured in the host OS. This configuration must be accomplished through the wired interface for security reasons, since client machines right out of the box have no security configured on the wireless Intel AMT interface.
System administrators can access the Intel AMT device either by means of the Intel AMT BIOS Extensions or using a USB key that has been populated with a configuration file generated by SCS. In this context, setup and configuration is the process that populates a system with the credentials and network parameters that enable it to be administered remotely using Intel AMT. Once initial setup and configuration is complete, device settings and profiles can be changed and maintained using the wireless Intel AMT interface.
Depending on system state and what management functions are being undertaken, control of the wireless network interface controller (NIC) is passed back and forth between the Intel AMT network interface and the host network interface. For details, see "Technical Considerations for Intel® AMT in a Wireless Environment." Because of the logical separation of the two interfaces (even though they share physical hardware), they have separate IP addresses, and only one of them is active at a time. Further, since the wireless NIC is powered off in low- and no-power platform states (e.g., standby, sleep, hibernate, and off), wireless management functionality is not available in these states.
In the wired context, Intel AMT supports both DHCP and static IP, whereas the wireless management interface requires DHCP and does not support static IP addresses. In addition, the wireless management interface is always initially disabled, even if valid wireless profiles are configured and Intel AMT is enabled. By contrast, wired Intel AMT interfaces can be enabled by default at the point of manufacture. Wired and wireless management interfaces cannot be on the same subnet concurrently. IT organizations should carefully consider these issues to develop a clear understanding of how wireless support for Intel AMT fits into the larger network and management frameworks.
Planning Enterprise-Scale Wireless Intel AMT Deployment
Customers implement Intel SCS functionality by means of third-party network management software that is engineered to integrate Intel AMT functionality. The ecosystem of these solutions is large and growing, including the following products:
- Altiris Real Time System Manager*
- CA Unicenter*
- HP OpenView*
- Microsoft Systems Management Server* 2003
- StarSoftComm StarNet*
- SyAM Software Desktop Monitor*
Enterprise IT departments use these applications to connect client devices to the Intel AMT managed network, by means of Intel SCS. The implementation of these solutions is based on widely used enterprise technologies such as Dynamic Host Configuration Protocol (DHCP), Domain Name Services (DNS), Public Key Infrastructure (PKI), and Microsoft Active Directory*. In practice, management setup and configuration solutions can use Intel SCS to provide management software with the necessary information to communicate with the managed hardware, including Intel AMT credentials, hostname data, and connection requirements.
The primary matter for consideration in deployment planning should be how existing wireless network infrastructure fits in with support for wireless access to Intel AMT. Security is a key consideration for network administrators planning support for wireless Intel AMT capabilities; the technology requires encryption stronger than Wired Equivalent Privacy (WEP), such as Wi-Fi Protected Access (WPA) or Robust Security Network (RSN), and optionally 802.1x authentication. Contact your equipment supplier for additional details about Intel® AMT support for specific security protocols.
Those organizations that choose to upgrade wireless security as part of their implementation of Intel AMT should thoroughly validate all combinations of client and network-access hardware to ensure that performance levels are acceptable. In some cases, it may be necessary to maintain a legacy wireless network as a transition measure until older client machines that do not provide adequate performance using the new security are retired.
To implement 802.1x authentication profiles with Intel AMT, enterprises should verify that they have a suitable verification server in place, as well as a network-management console application that supports the use of 802.1x with Intel AMT. Contact your management-software provider for details. 802.1x profiles are applied independently on wired and wireless interfaces, and there is no facility to align host-based 802.1x profiles with Intel AMT. Note also that wired and wireless management interfaces cannot be on the same subnet concurrently. 802.1x requires Active Directory integration with Intel SCS. This requirement is specific to wireless implementation.
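The constraints this paper states for the wireless management interface (DHCP only, encryption stronger than WEP, wired and wireless interfaces on different subnets, Active Directory integration with Intel SCS when 802.1x is used) can be checked against a deployment plan before any laptop is provisioned. The following is an added example, not Intel or SCS code: the `AmtPlan` record, its field names, and the sample plans are hypothetical, and it assumes that overlapping CIDR ranges count as "the same subnet."

```python
import ipaddress
from dataclasses import dataclass

# Wireless security the paper accepts for Intel AMT (stronger than WEP).
ACCEPTED_SECURITY = {"WPA", "RSN"}

@dataclass
class AmtPlan:
    """Hypothetical record of one laptop's planned Intel AMT network settings."""
    host: str
    wired_subnet: str           # CIDR used by the wired AMT interface
    wireless_subnet: str        # CIDR handed out to the wireless AMT interface
    wireless_addressing: str    # "dhcp" or "static"
    wireless_security: str      # e.g. "WEP", "WPA", "RSN"
    uses_8021x: bool = False
    scs_ad_integrated: bool = False

def check_plan(plan: AmtPlan) -> list[str]:
    """Return the planning rules from the paper that this plan violates."""
    findings = []
    if plan.wireless_addressing.lower() != "dhcp":
        findings.append("wireless AMT requires DHCP; static IP is not supported")
    if plan.wireless_security.upper() not in ACCEPTED_SECURITY:
        findings.append("wireless AMT requires WPA or RSN, not "
                        + plan.wireless_security)
    # strict=False lets an address inside the subnet stand in for the network.
    wired = ipaddress.ip_network(plan.wired_subnet, strict=False)
    wireless = ipaddress.ip_network(plan.wireless_subnet, strict=False)
    if wired.overlaps(wireless):
        findings.append("wired and wireless management interfaces share a subnet")
    if plan.uses_8021x and not plan.scs_ad_integrated:
        findings.append("802.1x requires Active Directory integration with Intel SCS")
    return findings

# Constructed sample plans (not taken from any real deployment).
GOOD = AmtPlan("lt-001", "10.10.0.0/24", "10.20.0.0/24", "dhcp", "WPA", True, True)
BAD = AmtPlan("lt-002", "10.10.0.0/24", "10.10.0.128/25", "static", "WEP", True, False)

if __name__ == "__main__":
    for plan in (GOOD, BAD):
        issues = check_plan(plan)
        print(plan.host, "OK" if not issues else "; ".join(issues))
```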
Intel SCS is designed to perform setup and configuration of multiple Intel AMT devices simultaneously, over the network. It also supports scripting to help automate the process. This document assumes that enterprises already have Intel SCS up and running on a server for provisioning client computers on the network. In order to configure client Intel AMT devices with the PID/PPS password pairs generated by Intel SCS, administrators must either boot each machine from a USB key populated with the necessary data, or they must input the information directly into each client machine's BIOS. 'Zero-touch configuration,' which enables setup and configuration of client machines to be accomplished without the administrator being in physical proximity to the machine, is not yet supported in the wireless Intel AMT context.
While deployment of wireless Intel AMT access is not a major undertaking, system administrators should understand the general considerations associated with the deployment of Intel AMT first. It is also necessary to have WPA or RSN wireless network security in place in order to support access to the wireless Intel AMT interface.
As an adjunct to wired access to the Intel AMT device, wireless access extends manageability of laptops based on Intel Centrino Pro processor technology. Enterprises that deploy that access add valuable management functionality to their networks.
The following materials provide a point of departure for further research on this topic:
- Business Client Community is a core developer resource for manageability technologies from Intel. It provides tools, documentation, use cases, blogs, and user forums.
- Intel AMT Technology & Research provides in-depth information about the hardware and software features and capabilities that underlie Intel AMT.
- Intel AMT Technology Brief provides a concise overview of the technology from a business perspective, with a focus on features and benefits to IT organizations and software vendors.
About the Author
Matt Gillespie is an independent technical author and editor working out of the Chicago area and specializing in emerging hardware and software technologies. Before going into business for himself, Matt developed training for software developers at Intel Corporation and worked in Internet Technical Services at California Federal Bank. He spent his early years as a writer and editor in the fields of financial publishing and neuroscience.