
Best Practices for Configuring an Intel vPro Capable System within the Symantec\Altiris vPro Toolkit 

Nov 05, 2007 02:35 PM

What are the best practices for configuring or provisioning Intel vPro capable systems within Symantec's Altiris Manageability Toolkit for Intel vPro Technology? Those who understand vPro technology and the Altiris/Symantec implementation will recognize that there are multiple ways to configure AMT systems. Not all methods are created equal, and experience has revealed which way is best. This article covers the main process, referring to other articles for the specifics of any process already covered previously.

Introduction

With different options available for configuring or provisioning an Intel vPro system, this document is a must. Since so many components tie into the vPro supported architecture, results will sometimes vary. Some methods have revealed inherent problems in how the Altiris Infrastructure handles a computer resource's identity. To avoid these potential issues, the method described here has proven to be the most reliable. Keep in mind that as newer versions of AMT, vPro, Intel SCS, and Out of Band Management are released, these details may change. Symantec is working to resolve the configuration issues so that the other methods become equally reliable choices for configuring the systems.

Infrastructure Items

The best methods for setting up the infrastructure are provided here. The manual configuration method is not covered, as it is a manual pain and an alphanumeric nightmare. The first segment covers the universal ProvisionServer DNS record required for the hands-off approach in AMT versions 2.0-3.0. Subsequently the infrastructure items for two methods are covered, so that the configuration steps described later have the necessary components in place.

DNS Configuration

Everyone loves automatic procedures that don't require the eyes and hands of an overworked IT Professional. The DNS configuration is essential to achieving the no-touch, hands-off automated approach available with AMT provisioning. The following steps show how to set this up:
  1. Launch DNS Management.
  2. Expand the Forward Look-up Zones tree.
  3. Right-click on the Domain that will be used for Provisioning and choose to create a CNAME record.
  4. In the Alias field type in: ProvisionServer
  5. In the Fully Qualified Domain Name field put the full name of the Notification Server (e.g. MyServer.mydomain.com).
Now that this Alias is created, when the AMT systems send out the 'hello' message targeting the name 'ProvisionServer', DNS will resolve that name to the Notification Server/Intel SCS Provisioning Server.
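Because every AMT system on the network will send its 'hello' messages to whatever 'ProvisionServer' resolves to, it is worth confirming the alias really lands on the Notification Server before relying on it. The following PowerShell check is an added example, not part of the original article; the zone name mydomain.com and the server name MyServer.mydomain.com are the article's placeholders, and the dnscmd line assumes it is run on the DNS server itself.

```powershell
# Added example: create the ProvisionServer CNAME from the command line and verify it.
# Placeholders taken from the article: zone mydomain.com, NS host MyServer.mydomain.com.
$zone   = "mydomain.com"
$nsHost = "MyServer.mydomain.com"
$alias  = "ProvisionServer.$zone"

# Step 1 (optional, run on the DNS server): same record the GUI steps create.
# Syntax: dnscmd /RecordAdd <zone> <alias name> CNAME <target FQDN>
dnscmd /RecordAdd $zone ProvisionServer CNAME $nsHost

# Step 2: resolve both the alias and the Notification Server and compare the results.
# A mismatch means AMT systems would announce themselves to the wrong host.
$aliasIPs = [System.Net.Dns]::GetHostAddresses($alias)  | ForEach-Object { $_.IPAddressToString } | Sort-Object
$nsIPs    = [System.Net.Dns]::GetHostAddresses($nsHost) | ForEach-Object { $_.IPAddressToString } | Sort-Object

$aliasList = [string]::Join(", ", [string[]]$aliasIPs)
$nsList    = [string]::Join(", ", [string[]]$nsIPs)

if ($aliasList -eq $nsList) {
    Write-Host "OK: $alias -> $aliasList matches $nsHost"
} else {
    Write-Host "MISMATCH: $alias -> $aliasList but $nsHost -> $nsList"
    Write-Host "Correct the CNAME before AMT systems begin sending 'hello' messages."
}
```

Run the check from a client subnet as well as from the server, since AMT systems use whichever DNS servers DHCP hands them.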

Remote Configuration

Note that this option is only available to AMT versions 2.2, 2.6, and 3.0. All AMT systems of the aforementioned versions have pre-configured certificates loaded into the firmware. Examples are GoDaddy and VeriSign (others are provided; check Intel's or the computer manufacturer's documentation for a full list). The systems come from the manufacturer already prepared to find the Provisioning Server and initiate the Provisioning process. The following infrastructure items need to be in place for Remote Configuration:
  1. Obtain a valid certificate from the appropriate vendor (GoDaddy, VeriSign, etc.).
  2. Install the certificate on the Notification Server and register it with the Provision Server. Details on how to accomplish this can be found in the Administrator's Guide for Out of Band Management Solution. Go to http://www.altiris.com/Support/Documentation.aspx, click O from the alphabet navigation bar, and click the appropriate guide for OOB 6.2. Pages 48 and 49 detail how to apply this. Be sure to follow the steps for the sections labeled:
    • Installing the Remote Configuration Certificate
    • Load the Certificate into Intel SCS
    • Enabling the Remote Configuration Feature
  3. Enable the CNAME option for ProvisionServer as detailed previously if this has not been completed yet.
For the configuration process, see the Remote Configuration section under Discovering and Configuring New vPro Systems.

One-Touch to No-Touch PSK Provisioning

This option is available for all AMT versions 2.0 and beyond. The one-touch option requires security keys to be generated within the Altiris Console and configured on the target systems using One-Touch provisioning. The manufacturers offer a service to ship the target systems with pre-configured keys already set up. This allows a no-touch provisioning model. The following infrastructure items need to be in place for PSK Provisioning:
  1. Have the Manufacturer pre-provision all purchased systems to already have the PID and PPS (TLS-PSK) configured.
  2. The manufacturer will provide the keys in a file to be imported into the Notification Server. NOTE: it is recommended to break the file into smaller parts if it exceeds 1000 key pairs, or systems to be configured. A known limitation on importing limits how many key pairs can be in a single file.
  3. Import the file following these steps:
    1. In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > and click on 'Security Keys'.
    2. Click the import button on the toolbar.
    3. Select the file provided by the manufacturer.
    4. Ensure that the appropriate keys appear in the key list.
  4. If you are using the one-touch method, use the generate keys icon to create a series of keys, not to exceed 1000. Click OK when done configuring the keys. Highlight a group of keys (1000 max recommended) and use the export button. This will allow the keys to be put into a Setup.bin file. Place this file on a USB flash drive with the following configuration; the USB drive will be used later as part of the configuration process:
    • FAT 16 File System
    • Setup.bin needs to be the first file on the drive
  5. Enable the CNAME option for ProvisionServer as detailed previously if this has not been completed yet.

Discovering and Configuring new vPro systems

Now that the Infrastructure items are in place, the process for configuring Intel AMT vPro capable systems needs to be defined.

The Altiris Agent

The key sequence in the configuration process actually doesn't directly involve the AMT provisioning piece. The Altiris Agent should be installed on the client system before the system is discovered by the core NS through other discovery processes, due to issues with resource integration between discovery methods. If you plan to manage the system with the Altiris Agent, it needs to be installed first. The steps for this are covered in each methodology.

Remote Configuration

The following steps show how to configure the system in Remote Configuration mode. Note that the steps are written to show the proper sequence, though some of the steps that verify something has occurred can be assumed to have happened once a process is implemented that ensures the steps are conducted in the correct order:
  1. Install the Altiris Agent on the target computer. This can be done with a push or a pull.

    PUSH

    1. For the push method, browse in the Altiris Console to View > Configuration > Altiris Agent > Altiris Agent Rollout > and click the Altiris Agent Installation item.
    2. You can individually enter in the computer name or IP address of the target systems, or you can use the blue lettered link 'Discover Computers' to discover the systems automatically on the network.
    3. Once systems are selected, click the 'Install Altiris Agent' button below the list.
    4. An alternate method is to use the 'Schedule Push to Computers' option after you have discovered the machines using the discover computers option.

    PULL

    1. For the pull method, browse in the Altiris Console to View > Configuration > Altiris Agent > Altiris Agent Rollout > and click the Altiris Agent Installation item.
    2. Under 'URL of download page for Win32 users' (this also includes x64 systems) a link is provided.
    3. On the target system, pull up a webpage and paste in the URL obtained from step #2.
  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server. Right-click on the Altiris Agent icon and choose 'Altiris Agent Details'. As long as valid dates are under the following headings, the system is prepared for synchronization:
    • Configuration Last Requested:
    • Configuration Last Changed:
    • Basic Inventory Last Sent:
  3. Provisioning will occur automatically. This means that while step 1 lists the Altiris Agent as the preceding step, Remote Configuration and provisioning may occur within minutes after the computer is added to the network. Note that as long as Synchronization does not occur before the Altiris Agent is installed, it's fine for Provisioning to occur. The reason to follow these steps stems from an issue with the way Computer Resources are created and managed within the Notification Server.
  4. Next manually launch the Synchronization (note that this step will occur per the default schedule at 2AM the following day). In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > and select Resource Synchronization. Under the 'Last synchronization statistics' section, click the 'Run now' button to force the synchronization.
  5. When synchronization completes, the system is ready to be managed.
The following diagram represents the basic steps used for this method of configuration:

PSK Provisioning

Depending on the method, the following steps show the best way to configure the system in PSK mode:
  1. Install the Altiris Agent on the target computer. This can be done with a push or a pull.

    PUSH

    1. For the push method, browse in the Altiris Console to View > Configuration > Altiris Agent > Altiris Agent Rollout > and click the Altiris Agent Installation item.
    2. You can individually enter in the computer name or IP address of the target systems, or you can use the blue lettered link 'Discover Computers' to discover the systems automatically on the network.
    3. Once systems are selected, click the 'Install Altiris Agent' button below the list.
    4. An alternate method is to use the 'Schedule Push to Computers' option after you have discovered the machines using the discover computers option.

    PULL

    1. For the pull method, browse in the Altiris Console to View > Configuration > Altiris Agent > Altiris Agent Rollout > and click the Altiris Agent Installation item.
    2. Under 'URL of download page for Win32 users' (this also includes x64 systems) a link is provided.
    3. On the target system, pull up a webpage and paste in the URL obtained from step #2.
  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server. Right-click on the Altiris Agent icon and choose 'Altiris Agent Details'. As long as valid dates are under the following headings, the system is prepared for synchronization:
    • Configuration Last Requested:
    • Configuration Last Changed:
    • Basic Inventory Last Sent:
  3. If using USB One-touch, insert the prepared USB flash drive into a USB slot on the vPro system. Reboot or turn on the system. A prompt will appear asking if the machine should be configured. Follow the prompts until it requests the USB drive be removed and the system rebooted. The system is now ready and will be sending out 'hello' messages.
  4. If the systems are preconfigured, Provisioning will occur automatically. This means that while step 1 lists the Altiris Agent as the preceding step, the systems were preconfigured already by the manufacturer and provisioning may occur within minutes after the computer is added to the network. Note that as long as Synchronization does not occur before the Altiris Agent is installed, it's fine for Provisioning to occur. The reason to follow these steps stems from an issue with the way Computer Resources are created and managed within the Notification Server.
  5. Next manually launch the Synchronization (note that this step will occur per the default schedule at 2AM the following day). In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > and select Resource Synchronization. Under the 'Last synchronization statistics' section, click the 'Run now' button to force the synchronization.
  6. When synchronization completes, the system is ready to be managed.
The following diagram represents the basic steps used for this method of configuration:

Conclusion

Following the above steps when provisioning the system has shown the greatest degree of success. Once the process is understood, it can be adapted and refined to best fit your environment. For example, the NS can be set up to automatically discover and install the Altiris Agent on remote systems. This takes away the need to do it manually. As long as the schedules are timed right, the Altiris Agent can be installed before Resource Synchronization takes place.


Comments

Nov 14, 2007 10:35 PM

Nice Walk-Through, Easy to Follow & not too "Executive-Level" of a write-up.
I would love to see a full "soup to nuts" write-up for Dell Client Mgmt, Intel vPro, & Intel AMT; if anyone is feeling so inspired.
