This is the third of a few articles to discuss enterprise integration of the Intel® vPro™ processor technology and Intel® Centrino® Pro platforms in an Altiris environment. The previous articles include:
Subsequent articles will have a similar introduction to identify their respective contents and portions. This – the third article – focuses on the Intel® AMT provisioning process. The article after this will step through the Altiris OOBM provisioning interface.
Provisioning Overview
Before stepping through the provisioning or configuration process, a short overview of Intel® AMT provisioning, also referred to as configuring the management engine (ME), is in order. If a more detailed article is needed, please comment below.
First, there are two provisioning or configuration options: Small and Medium Business (SMB) mode or Enterprise mode. A short summary will help in understanding the difference. For most enterprise environments, and for the subsequent articles in this series, enterprise mode configuration will be the focus. Both modes support the key functionalities of discover, heal, and protect.
SMB mode supports the Intel® AMT usage scenarios yet does not include centralization of provisioning control such as Intel® AMT profiles, maintenance operations, and so forth. This mode may be best for small workgroup environments.
Enterprise mode includes Intel® AMT profile settings, integration with the Altiris OOBM interface, and may be best for medium to large enterprise environments.
By default, present systems with Intel® AMT have the management engine disabled. This is called the factory default state. When the management engine is provided with provisioning setup information, the management engine is then in a setup state. After Intel® AMT has received configuration parameters including new administrator password, network settings, TLS settings, access control settings, and power policy – the management engine is in a configured state. If the configuration needs to be changed or removed, possibly due to a system move, the management engine should be returned to a setup state and is ready to be reconfigured or re-provisioned. At the end of the client lifecycle, the customer environment has the option to remove all configuration data and return the management engine to factory default.
The following graphic provides a summary overview.
As mentioned in the first article, the Intel® vPro™ processor technology platform and recently released Intel® Centrino® Pro platform require key infrastructure components and settings. More on the infrastructure details will be shared in a future article.
Basic Enterprise Provisioning Process
The basic provisioning process is also referred to as TLS-PSK (Transport Layer Security Preshared Key). This is due to the pre-shared secret of the Provisioning ID (PID) and the Provisioning Pass-phrase (PPS) that are used to perform the necessary steps of authenticating a new client and initiating the provisioning process. In addition, a new password for the management engine BIOS extensions (MEBx) is provided. The MEBx is viewed only at the local console.
The PID consists of 8 alphanumeric characters. The PPS consists of 32 alphanumeric characters. The MEBx password must be a strong password, made up of upper- and lower-case letters, numbers, and special characters.
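As an added example (not code from the article or from any Intel or Altiris tool), the following Python checks candidate PID, PPS, and MEBx password values against the constraints just stated, and generates PID/PPS values with the `secrets` module rather than a non-cryptographic RNG, since the pair is the pre-shared secret that authenticates a new client. The character alphabet used for generation, the minimum password length, and the absence of any dash formatting are assumptions for the example; the article only specifies lengths and the "alphanumeric" character class.

```python
import re
import secrets
import string

# Alphabet is an assumption: the article says "alphanumeric" but does not fix the set.
ALPHANUMERIC = string.ascii_uppercase + string.digits
PID_LENGTH = 8
PPS_LENGTH = 32
MIN_MEBX_PASSWORD_LENGTH = 8  # assumption; the article only requires a "strong" password


def generate_pid() -> str:
    """8-character Provisioning ID from a cryptographically secure RNG."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(PID_LENGTH))


def generate_pps() -> str:
    """32-character Provisioning Pass-phrase from a cryptographically secure RNG."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(PPS_LENGTH))


def is_valid_pid(pid: str) -> bool:
    return len(pid) == PID_LENGTH and pid.isascii() and pid.isalnum()


def is_valid_pps(pps: str) -> bool:
    return len(pps) == PPS_LENGTH and pps.isascii() and pps.isalnum()


def mebx_password_problems(password: str) -> list:
    """Return every strength rule the candidate MEBx password fails (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_MEBX_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_MEBX_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def validate_psk_material(pid: str, pps: str, mebx_password: str) -> list:
    """Collect all problems with one set of one-touch provisioning values."""
    problems = []
    if not is_valid_pid(pid):
        problems.append(f"PID must be {PID_LENGTH} alphanumeric characters")
    if not is_valid_pps(pps):
        problems.append(f"PPS must be {PPS_LENGTH} alphanumeric characters")
    problems.extend("MEBx password: " + p for p in mebx_password_problems(mebx_password))
    return problems


if __name__ == "__main__":
    pid, pps = generate_pid(), generate_pps()
    print(pid, pps)
    print(validate_psk_material(pid, pps, "Str0ng!Pass"))   # []
    print(validate_psk_material("ABC", pps, "weakpass"))    # PID and password problems
```

Treat the generated PPS like any other shared secret: it should be written only to the provisioning medium and the management console's record, not logged.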
The provisioning process can be performed via two methods in the current platform: manually entering the provisioning data at each client or via USB flash drive with a setup.bin file at the root. The USB method is also referred to as "One Touch Provisioning". The provisioning keys tech tip provides a short overview of the requirements.
A setting within the MEBx and CMOS allows only one USB provisioning. To reset it, the CMOS on the Intel® AMT device has to be cleared, which is often done by disconnecting the power source and removing the BIOS battery. This is not a simple or preferred process for the system user or administrator.
A future enablement will be Remote Configuration, formerly known as Zero Touch Configuration (ZTC). This process is also referred to as PKI-CH (Public Key Infrastructure, Certificate Hash). The details of this feature and its associated process will be shared at a later time.
The following animated graphic, built for ManageFusion, provides a short overview of the One Touch provisioning method based on TLS-PSK. If more details are needed, please provide a comment to this article and let me know.
Enterprise Provisioning with TLS
With an overview of the provisioning process in place, this section focuses on adding Transport Layer Security to it. During the provisioning process, and with the current infrastructure components, an Intel® AMT device can be configured to encrypt management traffic via Transport Layer Security (TLS). TLS is the successor to SSL 3.0 and is commonly used to secure website transactions and the like.
A quick overview of the supported states in an Altiris environment may help to provide additional understanding.
- SMB mode – HTTP Digest authentication of user session, no TLS option
- Enterprise mode – HTTP Digest Authentication of user session, TLS available.
These are the current supported states of the Altiris OOBM and Intel® vPro™ combined platform, although Intel® AMT systems can also support Kerberos authentication and Mutual TLS in Enterprise mode. These additions are expected in a future release of the Altiris environment.
A key point to keep in mind with TLS is the role of "server" and "client". One provides a service which is consumed by the other over an encrypted channel. The Intel® AMT device is the "server" and the Altiris management system is the "client". The first is providing services to be consumed or acted upon by the second. Therefore, the server certificate is stored within the non-volatile memory (NVRAM) of the Intel® AMT device.
The Altiris management console is configured as to whether a standalone or enterprise certificate authority will be utilized, along with the associated chain of trust via a PEM file. For those security experts out there, this will be familiar. For those that are not security experts, a PEM file defines the root and subordinate certificates to define the chain of trust. The basic idea is establishing the credentials and proof of authority to initiate a secure and encrypted session.
This animated picture, shown at ManageFusion in Las Vegas, provides a summary overview of the TLS enablement process.
With a basic understanding of the client provisioning process, including configuration and support for TLS, the next article in this series will step through the Altiris OOBM provisioning interface. Until then.