
Talking to Intel AMT - What to Do When Desiring Features Beyond Symantec Management Console 

Dec 11, 2009 05:25 PM

When thinking about Intel AMT, most customers and partners look to the common usage models: remote power control, boot redirection, or real-time hardware asset information.
 
From a feature/functionality perspective: Did you know that inside the Intel AMT firmware is a small NVRAM storage space which can be used by defined applications and interfaces? Did you know that Intel AMT can monitor for processes or agents running in the operating system, with the option to attempt a restart or send the administrator an alert? Did you know that Intel AMT can provide alerts on certain hardware events? Did you know that the common uses of remote power control or redirection can be done outside a single management console?

The following picture is what I call the iceberg slide. I realize that it might be misunderstood, yet the intent is to show that there is much which the current Intel AMT firmware supports, yet which is simply not utilized.


Most management solutions are "above water" - supporting remote power control, boot redirection, and hardware asset information.

Symantec Management Platform supports some of the items that are shown below the water, such as System Defense basic (i.e., network filtering) and events/alerts, and a few others will appear soon in the software.


[Image: talking-to-AMT.gif]
 
But what about the usage models suggested above? If you wanted to allow users to power on their own systems - such that they could connect remotely from outside the environment, power on their desk system, etc. - how would this be enabled with just a Symantec Management environment? Workflow Solution could make it happen, but that might be a heavy price to pay for just allowing users to power on their systems.

From a day-to-day use case perspective – Did you know that communications to Intel AMT can be done outside a single management console?
 
There are a host of ideas and materials online to provide a rich development, experiment, and enablement environment.   Certain features within the Intel AMT platform may not be utilized by a major solution, or the target users of the solution (such as helpdesk) do not have access to the major management solution used in the environment.   Many customers and partners are taking advantage of command line tools, reference tools, or coding\scripting their own solutions due to specific needs.
 
The golden rule to remember is that once Intel AMT is configured, it is a service awaiting an authenticated and authorized request. Thus the trick is knowing what authentication is allowed, combining that with the tools needed, and having ideas about how you would like to utilize the technology.
 
Authentication is handled by MD5 Digest or Microsoft Active Directory Kerberos integration, depending on how the platform was originally configured. Authentication can also include TLS or Mutual TLS to encrypt the traffic and provide additional environmental security. If the Intel AMT firmware requires only MD5 Digest authentication, then the system can be configured in any environment, yet via the network interface only in the target domain as defined at configuration. If using Kerberos, TLS, or Mutual TLS, the configuration and usage of Intel AMT must occur in the same environment because of the dependencies on Microsoft Active Directory, the root certificate, or the issued certificate for the respective technologies.

As a few examples and insights on the possibilities for talking to Intel AMT, developing custom tools, and more – see the following:
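The challenge-response behind the MD5 Digest option, as an added example that is not from the original post or from Intel: it assumes "MD5 Digest" means HTTP Digest authentication as specified in RFC 2617 and uses that RFC's published sample values rather than anything captured from an AMT system. The `verify` helper and its replay check are hypothetical, not Intel AMT firmware logic.

```python
import hashlib
import hmac
import re

# Sample challenge from RFC 2617 section 3.5 (not captured from an AMT system).
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Split a WWW-Authenticate Digest value into a dict (quoted or bare values)."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header)
    return {key: quoted or bare for key, quoted, bare in pairs}

def digest_response(user, password, method, uri, chal, nc, cnonce):
    """Client side: RFC 2617 response for qop=auth. The password is never sent."""
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")

def verify(fields, method, stored_ha1, issued_nonce, last_nc):
    """Service side (hypothetical helper): recompute the response, reject replays."""
    if fields["nonce"] != issued_nonce:
        return False                      # nonce was not issued by this service
    if int(fields["nc"], 16) <= last_nc:
        return False                      # request counter reused: replayed message
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    expected = md5_hex(f"{stored_ha1}:{fields['nonce']}:{fields['nc']}:"
                       f"{fields['cnonce']}:auth:{ha2}")
    return hmac.compare_digest(expected, fields["response"])

def demo():
    chal = parse_challenge(CHALLENGE)
    resp = digest_response("Mufasa", "Circle Of Life", "GET", "/dir/index.html",
                           chal, "00000001", "0a4f113b")
    fields = {"nonce": chal["nonce"], "nc": "00000001", "cnonce": "0a4f113b",
              "uri": "/dir/index.html", "response": resp}
    ha1 = md5_hex("Mufasa:testrealm@host.com:Circle Of Life")
    first = verify(fields, "GET", ha1, chal["nonce"], last_nc=0)
    replay = verify(fields, "GET", ha1, chal["nonce"], last_nc=1)
    return resp, first, replay

if __name__ == "__main__":
    print(demo())
```

Digest protects only the credential: without TLS or Mutual TLS, the request and response bodies remain readable on the network.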

There are online developer forums to interact with other developers - http://software.intel.com/en-us/forums/manageability-software-development/

And lastly – if you have a great idea or request, use the Intel Idea Zone for vPro technology.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries. 

 
 
