Much has been written on this site (Altiris Juice), Intel vPro Expert Center, and other sites on provisioning the Intel vPro technology. The focus of this article is an attempt to help standardize the naming and options to the various models, and to summarize the four key criteria to successfully provision an Intel vPro system. I will try not to belabor the point.
Three Provisioning Models
Similar to configuring an operating system or application, Intel vPro management technology must be configured before it can be utilized. Regardless of the configuration options or approaches used, once the technology is configured, the out-of-band usage models within the Altiris environment are the same.
The table below provides a brief summary of the approaches with indications on the mode, method, provisioning service, managing of the client configuration settings, authentication security, and so forth. Most enterprise deployments today use a "Standard" approach.
| | Basic | Standard | Advanced |
| Configuration Mode | Small-Medium Business | Enterprise | Enterprise |
| Provisioning Method | Manual | Manual, USB 1-touch, or Remote Configuration | Manual, USB 1-touch, or Remote Configuration |
| Provisioning Service | No | Yes | Yes |
| Client Configuration Maintenance | One-to-One | One-to-Many | One-to-Many |
| Authentication Security | HTTP Digest | HTTP Digest | Kerberos (optional) |
| Active Directory | N/A | N/A | Yes (optional) |
| TLS and MTLS Support | N/A | N/A | Yes (optional) |
| Secure Network Connectivity | N/A | N/A | Wireless, 802.1X, NAC, NAP (all optional) |
Again - the core intent of the table is to provide a simplified name to quickly identify how the technology was configured and with what options. Past and future articles, along with the Altiris OOBM Administrator and Help files, will provide more detail on each of the options. In addition, more articles will be posted to address the "Advanced" configuration options.
Within the table above, changing from Basic to Standard requires touching each Intel vPro client to reset the management engine configuration mode. However, adjusting configurations in a Standard mode or moving from Standard to Advanced can be accomplished via the central provisioning service within the Altiris Out of Band Management interface.
Key Criteria to Successful Provisioning
With the three models summarized above, understanding the four key criteria to successfully provision Intel vPro into an Altiris environment may help in understanding situations where provisioning events fail.
- Authenticate the Intel vPro Firmware to the Provisioning Service
Authentication credentials must be established between the firmware and the provisioning service running within Altiris Out of Band Management. Unlike a user login credential, these must be provided "out of band". A variety of methods are available, the details of which will not be belabored herein.
These credentials are either assigned security keys or handled via certificates (aka Remote Configuration). More on remote configuration is available here. The following image shows where the security keys are generated and exported.
Again - the focus is to provide credentials for the initial trust between the firmware and the provisioning service. Whether security keys or certificate-based remote configuration are used - the core purpose is the same.
- Provision Profile to Define Configuration Parameters
The provision profile is the primary location to determine what configuration parameters will be applied during the provisioning process. If this profile is subsequently updated, it must be applied to previously provisioned systems in order for the changes to take effect. This is the flexibility and "upgrade path" for moving within, or from, a Standard to an Advanced configuration model.
The following image provides an example of what the provision profile looks like and where it is located.
If Integration with Active Directory is enabled, a Microsoft Active Directory (AD) Organizational Unit (OU) must also be defined. This occurs in the Resource Synchronization section by default, which will be shown in a moment. More details on Integration with Active Directory for the purpose of Kerberos Authentication will be shared in a future article.
- Mapping of Unique Identifiers
There are two key unique identifiers for every system. The first is the Universally Unique Identifier (UUID) which is assigned to every computer system board at time of manufacturing. The second is the Fully Qualified Domain Name (FQDN) which is changeable yet cannot be duplicated within a single production environment. This is used to locate a specific client using DNS. In the context of Intel vPro, the FQDN is stored in the provisioning database and used to locate clients for future maintenance and provisioning related operations. In addition, the unique identifiers are important when TLS, Kerberos, and other Advanced configuration options are used in the environment.
The mapping of the unique identifiers is automated via a provisioning script and sequence within the Altiris environment. Although the FQDN and AD OU can be manually entered for each system in the provisioning service - this is a tedious and impractical task.
This leads to two common errors with simple indications of what is likely occurring:
- If the provisioning service shows only the UUID and not the FQDN, then the provisioning script or agent is unable to determine the FQDN. Resource synchronization, having the Altiris NS agent installed and registered, OOB Discovery, or other items will help to resolve this situation. More information is available in this article and previous articles.
- If both the UUID and FQDN are listed, yet provisioning will not complete - then it is very likely that the authentication process listed in the first criterion above is failing.
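The two indications above can be turned into a triage check over an export of the provisioning service's listing. The following Python is an added example, not part of the original article or the Altiris product; the record fields, the "provisioned"/"pending" status values and the sample rows are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# UUID as the provisioning database lists it: 8-4-4-4-12 hex groups.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# A DNS-locatable FQDN: at least host.domain, labels of letters, digits and hyphens.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)


@dataclass
class ProvisionRecord:
    uuid: str
    fqdn: Optional[str]  # None when the service shows only the UUID
    status: str          # constructed values: "provisioned" or "pending"


def diagnose(record: ProvisionRecord, duplicated_fqdns: set) -> str:
    """Return the most likely cause of a stalled provisioning entry."""
    if not UUID_RE.match(record.uuid):
        return "malformed UUID: check the client's firmware identity"
    if record.status == "provisioned":
        return "ok"
    if not record.fqdn:
        return "FQDN unresolved: check resource synchronization, NS agent registration or OOB discovery"
    if not FQDN_RE.match(record.fqdn):
        return "FQDN malformed: client cannot be located through DNS"
    if record.fqdn.lower() in duplicated_fqdns:
        return "FQDN duplicated: another record claims the same name"
    return "UUID and FQDN present but not provisioned: likely firmware-to-provisioning-service authentication failure"


def triage(records: List[ProvisionRecord]) -> dict:
    """Map each UUID to a verdict; FQDN duplicates are detected case-insensitively."""
    counts = Counter(r.fqdn.lower() for r in records if r.fqdn)
    dupes = {name for name, n in counts.items() if n > 1}
    return {r.uuid: diagnose(r, dupes) for r in records}


# Constructed sample of what the provisioning service might list (not real data).
SAMPLE = [
    ProvisionRecord("6ba7b810-9dad-11d1-80b4-00c04fd430c1", "ws01.corp.example", "provisioned"),
    ProvisionRecord("6ba7b810-9dad-11d1-80b4-00c04fd430c2", None, "pending"),
    ProvisionRecord("6ba7b810-9dad-11d1-80b4-00c04fd430c3", "ws03.corp.example", "pending"),
    ProvisionRecord("6ba7b810-9dad-11d1-80b4-00c04fd430c4", "ws04.corp.example", "pending"),
    ProvisionRecord("6ba7b810-9dad-11d1-80b4-00c04fd430c5", "WS04.corp.example", "pending"),
]

if __name__ == "__main__":
    for uuid, verdict in triage(SAMPLE).items():
        print(f"{uuid}: {verdict}")
```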
- Update and Integration into the Altiris Client Management Suite
An Intel vPro client may technically be provisioned or configured. However, until the Altiris console is aware of the client, the associated out-of-band functions will not be available. In a Basic provisioning model, the Network Discovery with Advanced options for AMT in SMB mode must be used. However, repeatedly running Network Discovery may not be favorable in a production environment.
For Standard and Advanced provisioning models, the Resource Synchronization routine provides a nice interface to automatically assign a provision profile, AD OU, and to schedule the synchronization of the provisioning database (e.g. intelAMT) with the Altiris CMDB. The following image provides an example:
Conclusion
Easily identifying the provisioning models will help in understanding what options are available to configure Intel vPro technology in an Altiris environment. The core criteria will help to quickly identify what is missing if the provisioning process is not flowing well or acting "automated". If additional troubleshooting is needed, check out Joel Smith's series of articles here.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.