Intel® AMT Use Case #10: One-Touch Configuration

Author: Intel® Software Network
Published On: Wednesday, September 19, 2007 | Last Modified On: Wednesday, August 27, 2008

In this use case example, an IT manager receives shipment of several PCs that he wants to configure to use Intel® AMT. These PCs are all shipped with Intel AMT turned off (the manageability mode set to "None"). Intel AMT must be configured prior to deployment to users' desks so that the management console can securely identify and communicate with an Intel AMT enabled PC.

Using Intel® AMT One-Touch Configuration to Enable Provisioning of Business PCs

One-Touch Configuration of Intel AMT-enabled business PCs encompasses a number of setup scenarios:

  • Automated setup using a USB key storage device (for both dynamic IP and static IP environments): An IT administrator requests provisioning passphrase (PPS) and provisioning ID (PID) pairs for all systems requiring setup from the configuration server. The configuration server stores the PPS/PID pairs, an administrator password and other configuration data on the USB storage device. The IT administrator plugs the USB storage device into the PC and powers the PC on. As the PC boots, the BIOS and MEBx (Management Engine BIOS Extension) read the administrator password, PPS, PID, and other required information from the USB storage device. Because the key holds the administrator password and the PPS secrets for every PC in the batch, it must be treated as a secret and kept under physical control until the last PC has been set up.
  • Manual setup for dynamic IP networks: The IT administrator requests PPS and PID pairs for all systems requiring setup from the configuration server. The administrator powers on the PC to be set up and, during the boot, presses the appropriate key to display the MEBx configuration screen. The IT administrator logs into the MEBx using the factory default administrator username and password and changes them when prompted. The IT administrator ensures that the MEBx manageability mode is set to Intel AMT, enables SOL/IDE-R (Serial over LAN and IDE Redirection) if desired, verifies that the power policies are set for the desired sleep-state operation, enters the PPS/PID pair, and exits the MEBx screen. The BIOS then continues to load.
  • Manual setup for static IP networks: This sequence is the same as for dynamic IP networks up to the step where the PPS/PID pair is entered. At that point, the IT administrator assigns a host name to the PC for identification purposes, selects the TCP/IP option, disables DHCP, and sets the TCP/IP and DNS settings appropriately for the static IP network. The IT administrator then enters the PPS/PID pair, exits the MEBx, and allows the system to complete booting.
  • Final automated configuration for all setup methods: With the PC connected to power and to the network, the Intel AMT device automatically initiates the configuration process by locating the configuration server and establishing secure communications authenticated with the PPS/PID pair. The configuration server loads the settings and data required for the environment and reboots the PC.

Key Functionality Enabled by Intel AMT that Underlies this Use Case

The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:

Feature: Intel provides the Intel® AMT silicon, firmware image, LMS (Local Manageability Service) driver, Intel MEI (Management Engine Interface) driver, and the Intel® Setup and Configuration Service (SCS), if a third party does not provide a corresponding service.

Functionality: These components form the basis for Intel AMT One-Touch Configuration support.

In addition, the following functionality is performed by third-party management applications:

  • Third parties provide the configuration server services (if not provided by Intel).
  • Third-party software must be capable of configuring an Intel AMT-enabled PC.

The Advantage of Intel AMT One-Touch Configuration§

One-Touch Configuration automates the process of setting up and configuring business PCs for use with Intel AMT. It is the most secure of the setup options Intel provides, because the setup secrets (the PPS/PID pair and the administrator password) are delivered to each PC by hand, on a USB key or typed into the MEBx, rather than over the network.

Business Value of the Intel AMT Solution

This use case enables IT organizations to save on deployment costs and to enhance security, relative to other Intel AMT setup and configuration options:

  • One-Touch Configuration automates the provisioning of business PCs.
  • This method provides stronger security than Remote (Zero-Touch) configuration.

One-Touch Configuration Usage Model Implementation

The following sequence is followed when an Intel AMT device enters Setup Mode and the Intel AMT Setup and Configuration Server Sample Application (SCA) from the SDK is running:

  1. When the SCA starts, it runs two initialization scripts named "CHECKCA.BAT" and "CHECKCS.BAT". CHECKCA.BAT ensures that there is a subordinate CA certificate file named subcacert.pem. CHECKCS.BAT ensures that the certificates needed for TLS mutual authentication exist. Three certificates are required:
    • a trusted root certificate, which is used to sign the local_client and remote_client certificates
    • a local client certificate
    • a remote client certificate

These certificates are for demonstration purposes only and are not suitable for a production environment. The trusted root certificate (not to be confused with the CA certificates that CHECKCA.BAT sets up) is sent to Intel AMT devices, where it is used to authenticate clients on an Intel AMT device configured for mutual authentication.

  2. An Intel AMT device in Setup Mode periodically tries to connect to the SCA using the settings defined during the Factory Mode setup. The platform sends setup ("Hello") messages to the SCA over a TCP/IP socket connection to the SCA listening port. The default destination port is 9971 or a value set by the platform OEM, and it can be overridden when the SCA is started. The version 2 "Hello" message contains the UUID and PID of the Intel AMT device. It is sent in the clear and carries no secret: the PPS never appears on the wire, so the SCA must treat the PID only as a lookup key, not as proof of the device's identity.
  3. The SCA searches psk.repository.xml for the PID and locates the corresponding PPS, which is then used to authenticate both ends of the secure session over which the remaining steps take place.
  4. In response to the "Hello" message, the SCA executes an external script named "GETCFG.BAT". Based on parameters received in the "Hello" message, GETCFG.BAT chooses an appropriate configuration file and writes its name to conf.choice, from which the sample SCA reads it.
  5. If TLS is enabled in "..CONF.XML" (the commands that configure TLS differ between Intel AMT Release 1.0 and later releases), the SCA additionally invokes "GENCERTCHAIN.BAT" to create the RSA key and certificate for the Intel AMT device, and sends them to the platform using the SOAP protocol. If mutual authentication is enabled, the trusted root certificate is also sent to the Intel AMT device, along with optional Certificate Revocation List (CRL) and fully qualified domain name (FQDN) settings.
  6. The SCA sends the remaining configuration settings to the Intel AMT device using the SOAP protocol and finishes with a "CommitChanges" command, which commits the settings on the Intel AMT platform.
  7. The Intel AMT platform enters Operational Mode and the SCA calls the "PROVEND.BAT" batch file to clean up files created during setup and configuration. A system administrator may customize this script to send e-mail or update databases about the machine deployment. The Intel AMT device's configuration can still be changed after it is in Operational Mode by using the SOAP interface.
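The PID/PPS exchange behind the setup scenarios above and steps 2 and 3 of the SCA sequence, as an added example that is not part of this page or of the Intel SDK's SCA code. It models a platform in Setup Mode announcing its UUID and PID, an SCA looking the PID up in a psk.repository.xml-style store, and both sides proving knowledge of the PPS before any configuration is sent. The "Hello" framing (HELLO2|uuid|pid), the repository element and attribute names, the PID/PPS values, and the HMAC challenge/response that stands in for the real PSK-authenticated TLS session are all assumptions made for this example; so is the choice that a PPS provisions exactly one platform and is then discarded.

```python
import hashlib
import hmac
import secrets
import uuid
import xml.etree.ElementTree as ET

# Constructed stand-in for the SCA's psk.repository.xml. The element and
# attribute names (and the PID/PPS values) are assumptions made for this
# example; they are not the SDK's schema or real provisioning keys.
PSK_REPOSITORY_XML = """<?xml version="1.0"?>
<repository>
  <entry pid="7F3A-91C2" pps="K2GT-8N4Q-W7JR-P3YX-V6DM-H9CE-L5TB-Z1AF"/>
  <entry pid="2B8E-04D7" pps="M8XQ-C2VN-T4LP-R7WK-J1GY-D6BH-F3SZ-A9EU"/>
</repository>
"""

# Assumed framing for the "Hello" message; the real message is a binary
# structure, but like it this one carries only the UUID and the PID.
HELLO_PREFIX = b"HELLO2|"


class AmtPlatform:
    """A platform in Setup Mode holding the PID/PPS entered via MEBx or USB key."""

    def __init__(self, pid: str, pps: str) -> None:
        self.uuid = str(uuid.uuid4())
        self.pid = pid
        self._pps = pps.encode()

    def hello(self) -> bytes:
        # Sent in the clear over plain TCP: the PPS itself never leaves the device.
        return HELLO_PREFIX + f"{self.uuid}|{self.pid}".encode()

    def respond(self, challenge: bytes) -> bytes:
        # Prove knowledge of the PPS without revealing it (stands in for TLS-PSK).
        return hmac.new(self._pps, b"platform" + challenge + self.uuid.encode(),
                        hashlib.sha256).digest()

    def accept(self, challenge: bytes, server_proof: bytes) -> bool:
        # Mutual check: a rogue SCA that does not know the PPS gets no configuration.
        expected = hmac.new(self._pps, b"sca" + challenge + self.uuid.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, server_proof)


class SetupConfigurationServer:
    """Minimal SCA: PID -> PPS lookup, challenge/response, one-time use of the PPS."""

    def __init__(self, repository_xml: str) -> None:
        root = ET.fromstring(repository_xml)
        self._psk = {e.get("pid"): e.get("pps").encode() for e in root.iter("entry")}
        self._pending = {}  # device UUID -> (pid, challenge) awaiting a response

    def handle_hello(self, message: bytes):
        """Return a challenge for a known PID, or None to ignore the Hello."""
        if not message.startswith(HELLO_PREFIX):
            return None
        try:
            device_uuid, pid = message[len(HELLO_PREFIX):].decode().split("|", 1)
        except ValueError:
            return None
        if pid not in self._psk:  # unknown (or already consumed) PID: no PPS to use
            return None
        challenge = secrets.token_bytes(16)
        self._pending[device_uuid] = (pid, challenge)
        return challenge

    def verify(self, device_uuid: str, response: bytes):
        """Check the platform's proof; on success return (server_proof, session_key)."""
        pending = self._pending.pop(device_uuid, None)
        if pending is None:
            return None
        pid, challenge = pending
        pps = self._psk.get(pid)
        if pps is None:  # consumed between Hello and response
            return None
        expected = hmac.new(pps, b"platform" + challenge + device_uuid.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        server_proof = hmac.new(pps, b"sca" + challenge + device_uuid.encode(),
                                hashlib.sha256).digest()
        session_key = hmac.new(pps, b"session" + challenge, hashlib.sha256).digest()
        del self._psk[pid]  # design choice here: a PPS provisions exactly one platform
        return server_proof, session_key


def run_setup(platform: AmtPlatform, sca: SetupConfigurationServer) -> str:
    """Drive one platform through the handshake and report the outcome."""
    challenge = sca.handle_hello(platform.hello())
    if challenge is None:
        return "rejected: unknown PID"
    result = sca.verify(platform.uuid, platform.respond(challenge))
    if result is None:
        return "rejected: PPS mismatch"
    server_proof, _session_key = result
    if not platform.accept(challenge, server_proof):
        return "rejected: SCA could not prove the PPS"
    return "provisioned"  # configuration and CommitChanges would follow here


if __name__ == "__main__":
    sca = SetupConfigurationServer(PSK_REPOSITORY_XML)
    pc = AmtPlatform("7F3A-91C2", "K2GT-8N4Q-W7JR-P3YX-V6DM-H9CE-L5TB-Z1AF")
    print(run_setup(pc, sca))  # provisioned
    print(run_setup(pc, sca))  # rejected: unknown PID (PPS already consumed)
    print(run_setup(AmtPlatform("2B8E-04D7", "WRONG-PPS"), sca))  # rejected: PPS mismatch
```

The point the example makes is where the trust actually lives: anyone on the network can send a Hello with a guessed or sniffed PID, so the SCA only ever uses the PID to select a PPS and then insists on a proof computed from it, and the platform in turn refuses configuration from a server that cannot produce the matching proof. Discarding the PPS after one successful setup means a captured or duplicated USB key cannot be used to enrol a second, attacker-controlled machine under the same identity.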

Note: See the “System Defense Feature and Agent Presence Overview.pdf” [PDF 335KB] or the “Intel® AMT Network Interface Guide.pdf” [PDF 2.45MB] documents located in the Intel AMT SDK for further details.

§ The following assumptions underlie this use case:

  1. The PC must have a BIOS capable of running Intel AMT, with the manageability mode set to "None".
  2. Intel SCS or a third-party equivalent must be present on the network. A management console running a management or security application capable of managing Intel AMT PCs must also be present; Intel SCS or its third-party equivalent may run on that console or on a separate server.
