Intel,Altiris Group

Enterprise Integration, Part 4: Altiris Provisioning Interface 

Jun 14, 2007 06:36 PM

This is the fourth in a series of articles discussing enterprise integration of the Intel® vPro™ processor technology and Intel® Centrino® Pro platforms in an Altiris environment. The previous articles include

Subsequent articles will have a similar introduction to identify their respective contents and portions. This fourth article focuses on the Altiris console environment for Out-of-Band Management called Provisioning, along with a short walk-through of the common tasks and usages for client manageability and security.

As stated in the Enterprise Integration Overview article, Altiris provides a platform today in support of Intel® vPro™ processor technology, and will be moving to support the upcoming Intel® Centrino® Pro platform. In fact, Altiris has received the "runs great on vPro" certification.

Altiris Provisioning Console

With a general understanding of the provisioning process, a quick walk-through of the Altiris console, with its built-in components from the Intel® Setup and Configuration Service (SCS), will provide additional understanding. This section only steps through the interface to provide general understanding and awareness. Best practices for configuration settings per specific deployment scenario are beyond the intent of this article.

Within the Altiris Out-of-Band Management menu, a new submenu appears called "Provisioning". With the Intel® AMT provisioning process already explained, the following short descriptions and diagrams present the administrator's view.

  • DNS Configuration - The "ProvisionServer" is the Altiris OOBM server running the AMTconfig service within Intel® SCS, which provides a virtual directory for AMTSCS to send and receive webservice calls. This screen provides a test function to ensure proper IP address resolution.
  • General - Allows for customization of Intel® SCS threads, the listening port for the "hello" packets, logging level, and so forth. In essence, these values help to determine the IntelAMT database size and the associated system resource utilization for configuring and maintaining Intel® AMT client systems.
    • Port 9971 is used for provisioning of clients and is the default port to which "hello" packets are sent. If there is a conflicting application in the environment, this port can be changed, but doing so requires manual provisioning of the clients since the matching change must be made within the MEBx of each Intel® AMT client.
    • For troubleshooting purposes, setting the Intel® SCS log level to errors or verbose mode will provide a more granular view in the logs section mentioned below. However, this will increase the IntelAMT database size since all messages will be entered into the log.
    • The remaining settings are best left at default values for now. They determine the size of memory buffers, the number of threads for configuring or maintaining systems, and so forth.
  • Maintenance - Once Intel® AMT based systems are configured (aka provisioned), maintenance operations can be scheduled on defined intervals for security, functionality, and other purposes.
    • If using TLS, certificates can be set to reissue on an interval before expiration.
    • For security or profile updates, all systems can be re-provisioned on a defined interval.
    • For security purposes, the administrator password to access the systems can be changed to a random value per set interval (a copy of the password is stored in an encrypted database accessible by the Altiris console).
    • For security purposes, the random key generator can be renewed on a set interval, thus raising the difficulty of replaying a previous communication session.
    • Lastly, the Intel® AMT clock can be resynchronized since operations are time stamped based.
  • Profiles: General Settings - During the provisioning process, an Intel® AMT profile is sent to the client system as it transitions to a configured state. When a system is partially un-provisioned, the profile is removed yet the pre-shared keys (e.g. PID, PPS, and MEBx password) remain. This first section determines the administrator password - whether the same for all systems using the profile or randomly created. For production environment security, randomization of the password will help prevent users from directly accessing the MEBx at the system. Here is also where the profile name and description are set.
  • Profiles: Network - The second tab addresses the network interface. By default, once Intel® AMT is activated the system will respond to network pings whether or not the operating system is functional. Here is one place to disable that behaviour for all systems receiving the profile. If the management network utilizes a VLAN, the appropriate VLAN tag is entered here. If the profile is not to allow the WebUI, Serial-over-LAN, or IDE-Redirection functionality, similar adjustments can be made at this point. A key item to note: if the local MEBx has Serial-over-LAN or Redirection disabled, those settings will supersede the Intel® AMT profile settings.
  • Profiles: TLS - Once a client has been provisioned, Transport Layer Security (TLS) can be used to authenticate and encrypt all Intel® AMT webservices traffic between the management console and the client. Either a standalone Microsoft certificate authority (CA) or enterprise public key infrastructure (PKI) can be used. During the provisioning process, a server certificate is entered into the non-volatile RAM (NVRAM) of the client.
  • Profiles: ACL - Individual access accounts to the Intel® AMT device can be defined with access control list (ACL) granularity over accessible attributes. The Intel® AMT security realms refer to the individual attributes, with the option to configure local or remote accessibility. For example, an entry-level support access account might be denied redirection capability. More information on the specific security realms or attributes can be provided if requested in the comments of this article. At least one user needs to be defined for access to the realms, and a future release of the Altiris platform will support Kerberos integration via Microsoft Active Directory.
  • Profiles: Power Policy - Once activated, the Intel® AMT management engine is always on as long as power is supplied to the system. Depending on the OEM, this will consume power in a range of 5W to 9W. For power-conscious environments, configuration options are available to place Intel® AMT in a sleep state depending on the state of the host system and a defined interval (covered up in this screen shot). In order to wake the MEBx, similar to wake-on-LAN, a small amount of power will always be required.
  • Security Keys - For the provisioning or configuration process, a triplet of information is required: the provisioning ID (PID), the provisioning passphrase (PPS), and a new admin password. In addition, Intel® AMT has a factory default admin password set by the OEM. This screen shows the available keys. Keys can be manually entered, created in bulk, exported, imported, or printed as needed. Once a key has been used for configuration, it will no longer appear in this screen, yet it is retained in a database. During the Intel® AMT client's configuration process, a new PID and PPS are generated and will appear in the security keys screen.
  • Security Keys: Exporting - This will create a setup.bin file containing a series of records with the triplet of data required to place Intel® AMT in a setup or pre-provisioned state. Options are also available to generate keys and then export them to a file. For the USB or One-Touch provisioning process described earlier, this is how the setup.bin file is created. The administrator then saves that file to a USB flash drive which has been FAT16 formatted, with the setup.bin file at the root of the drive. FAT16 is used to provide the best BIOS compatibility.
  • Intel® AMT systems - As systems are discovered via the provisioning process, they will appear in this screen. This particular screenshot shows the available options when right-clicking on a single system or a group of systems. Similar options are available via the menu bar just above. If a system is listed without a fully qualified domain name (FQDN), the provisioning process will not complete and the status will remain UnProvisioned. The FQDN can be entered manually, yet a better option is described below in the Resource Synchronization section. If the status is listed as InProvisioning, the process has started and a screen refresh may be needed.
  • Intel® Systems: UnProvision - Per the earlier description of configuration states, once a system has been provisioned the administrator can change the configured state back to setup or factory default modes. If the system will continue to exist in the environment but is being moved or renamed, partial UnProvision is recommended. The system will retain the PID, PPS, and admin password triplet. If a system is to be removed from the environment, a full UnProvision is recommended, which will remove all Intel® AMT configuration data and return the system to factory default.
  • Profile Assignments - For all provisioned or configured systems, this screen shows which Intel® AMT profile has been assigned. The profile name is determined at the creation of individual profiles as mentioned above.
  • Resource Synchronization - To automate the configuration process, a default profile can be assigned to every Intel® AMT device located on the network and ready for provisioning and configuration. The Enable option must be checked, and a default profile assignment selected for Intel® AMT 2.0+ devices. This refers to all Intel® vPro™ and Centrino® Pro systems. The Intel® AMT 1.0 selection refers to earlier generations of the platform. Another important section is the synchronization of the Intel® Setup and Configuration Service (SCS) database with the CMDB. The SQL process can be set for a defined interval or can be forced via the "Run Now" option. This process will update the Out of Band Management (OOBM) collections referenced at the end of this article.
  • Logs - When troubleshooting or checking status of requests, these screens provide a summary of the status operations related to Intel® AMT. In the General section mentioned earlier, setting the log to verbose mode will provide more entries to the log. More details on each - Actions Status, Log, and Security Audit - can be provided if needed.
  • Resources and Collection - Once an Intel® AMT device has been provisioned and the resource synchronization has occurred, the OOBM collections are updated and systems are now directly accessible from the Altiris console interface. An Intel® AMT device can also be directly accessed via the RTSM interface by directly specifying the FQDN or IP address of the device.
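As an added example that is not part of the original article: a small Python readiness check covering three conditions the screens above depend on, namely that "ProvisionServer" resolves to the OOBM server, that the default hello port 9971 accepts connections, and that every discovered system carries a dotted FQDN (otherwise it stays UnProvisioned). The DNS suffix appended to ProvisionServer, the sample inventory, and all hostnames and IP addresses are assumptions or constructed values; the resolver and connector are injectable so the logic can be exercised offline.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

HELLO_PORT = 9971                      # default "hello" packet port named in the article
PROVISION_SERVER = "ProvisionServer"   # hostname the AMT clients resolve to find the SCS


@dataclass
class ReadinessReport:
    resolved_address: Optional[str]    # what ProvisionServer resolved to, or None
    address_matches_oobm_server: bool  # resolved address equals the OOBM server IP
    hello_port_reachable: bool         # TCP connect to the hello port succeeded
    systems_missing_fqdn: List[str] = field(default_factory=list)

    @property
    def ready(self) -> bool:
        return (self.address_matches_oobm_server and self.hello_port_reachable
                and not self.systems_missing_fqdn)


def resolve(name: str) -> Optional[str]:
    """Resolve a hostname to an IPv4 address; None if resolution fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_readiness(systems: List[Dict[str, str]], dns_suffix: str, oobm_server_ip: str,
                    resolver: Callable[[str], Optional[str]] = resolve,
                    connector: Callable[[str, int], bool] = tcp_reachable) -> ReadinessReport:
    """systems: {"name", "fqdn"} entries as listed in the Intel AMT systems screen.
    dns_suffix: assumed to be the suffix clients append to ProvisionServer (an assumption)."""
    addr = resolver(f"{PROVISION_SERVER}.{dns_suffix}")
    matches = addr is not None and addr == oobm_server_ip
    reachable = matches and connector(addr, HELLO_PORT)
    # A system listed without a dotted FQDN stays UnProvisioned, per the article.
    missing = [s["name"] for s in systems if "." not in (s.get("fqdn") or "")]
    return ReadinessReport(addr, matches, reachable, missing)


if __name__ == "__main__":  # constructed sample inventory; names and IPs are placeholders
    sample = [{"name": "WS-0101", "fqdn": "ws-0101.corp.example"}, {"name": "WS-0102", "fqdn": ""}]
    print(check_readiness(sample, "corp.example", "10.0.0.5"))
```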

With a brief walk-through of the Altiris OOBM Configuration Provisioning interface, the next step is to understand the enterprise infrastructure components. This will be discussed in the next article of this series.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries
