Management Console Integration for Intel AMT

Frequently, developers ask "How to integrate Intel AMT/vPro commands into their Management Console?" To manage Intel AMT clients, they must first be enabled and provisioned.

What is AMT configuration and why is it important?

When a system is shipped from the OEM that supports configurable Intel AMT, features will depend on if the system is Intel Standard Manageability or Intel vPro Technology. Regardless of the Intel AMT type, configuration is the process of setting up the firmware so that it be accessed remotely on the corporate network.

In basic setup and configuration the process will establish a connection to the Intel AMT device and will supply the Master Digest Password and network settings. There are many additional features that can be enabled, including; Active Directory Integration, Alarm Clock, AMT Events, Hardware Asset inventory, KVM, Remote Power Management, Storage Redirection, System Defense, TLS, wireless profiles and 802.1x

Passwords

Intel AMT uses a minimum of three passwords as listed below:

Management Engine BIOS Extension (MEBx) - This password can be thought of as the physical access password. It is only used when you are sitting at the system to access the MEBx during the Boot Process. This password can be changed during access via the MEBx or USB Configuration or SCS configuration.
AMT Master Digest Password- This password is the default "admin" password and used for all remote connections to the Intel AMT firmware. During initial provisioning this password is the same as the MEBx password (stored as two separate values).
RFB5900 - This password is optional and only used if you are configuring to use a traditional VNC client on port 5900

Control Mode Choice affects redirection permissions

The configuration process will establish the Intel AMT device in one of two modes; Client Control Mode (CCM) or Admin Control Mode (ACM). The difference is primarily that CCM requires User Consent for redirection operations and ACM does not.

The User Consent feature adds another level of security for remote users. When a redirection is required of the remote client, a User Consent code must be submitted. Accessing via KVM or executing an IDEr command is considered a redirection operation, but performing a get power state or reboot is not.

Management Console Integration

Configuration process can be simply integrated by providing a basic configuration profile or utilizing Intel SCS to create highly configurable profiles.

Basic Console Integration

The most basic console integration uses Host Based Configuration (HBC). HBC allows for configuration from within the Windows OS leaving the device in CCM. The console will provide the profile and script for configuring the remote AMT device.

A typical minimal integration would require the Management Console to perform the following:

Provide the AMT password.
Determine if the AMT client is DHCP Enabled or has a Static IP.
Create a profile.xml file and encrypt it with a password <decryptionpassword>
Push the profile.xml to the client along with acuconfig.exe, acu.dll and script
Launch the script (.bat or .ps1) on the Intel AMT device.
1. Example: acuconfig.exe configamt profile.xml decryptionpassword <password>

Creating the profile

Determine the Intel AMT features that are to be supported by the console. Then use the ACUWizard from the SCS package to create a sample profile.xml. Unfortunately the file will be encrypted and you will need to decrypt it using the SCSEncyption tool from the SCS package "utils" folder. Once decrypted, open in a XML editor and use this sample to determine which xml tags are required for your needs. Then create your own XML in your console's XML creator. Encryption of your final profile.xml file is optional.

Decryption syntax: SCSEncryption.exe Decrypt <input_filename> <password> /Output <output_filename>

Why Intel SCS is considered the Premier Tool for Configuration

Intel's SCS utility is the only method that allows for remote configuration into Admin Control mode (ACM). Intel SCS does not provide APIs, there is no console integration. Instructions are available in the Intel SCS download package.

Summary

In order for an AMT device to be remotely managed, it requires configuration to communicate over the corporate network. At the very minimum, the device must have an AMT Master Digest Password (User: Admin) assigned and the local network connection information applied to the firmware. Until this has been accomplished, remote management cannot occur.

Remember that Control Mode (Client or Admin) affects the ease of redirection operations.

Intel SCS