Intel,Altiris Group

Altiris and Intel vPro Technology Evaluator's Guide 

Jun 29, 2007 12:34 PM

Chapter 1: Introduction to Altiris® and Intel® vPro™ Technology

Intel® vPro™ technology provides hardware-based manageability and proactive security for business desktop computers. Altiris is partnering with Intel to expand its management software to support Intel vPro technology functionality. This document describes the enhanced management benefits that you gain by using Intel vPro technology with Altiris management solutions.

Topics include:

  • Intel vPro Technology Overview
  • Management Feature Overview
  • Altiris Products that Support Intel vPro technology

Intel vPro Technology Overview

Altiris management software and Intel vPro technology provide the following core features.

Built-in Manageability

Intel vPro technology incorporates Intel® Active Management Technology (Intel® AMT), which allows administrators to remotely inventory, diagnose, and repair computers even when they are powered off or the operating system is not running. This reduces costly visits by staff to computers and increases end-user uptime.

Proactive Security

You can identify threats to computers before they reach the operating system, isolate infected computers quickly, and perform remediation tasks.

Management Feature Overview

Using Altiris management software to manage computers with Intel vPro technology, you can utilize the following features.

Discovery and Inventory

One difficult IT task is identifying all of the computers on the network at any given time. You can now identify and inventory all computers with Intel vPro technology, even if they are turned off or are in an inoperative state.

After you discover the computers, you can view hardware inventory data about those computers. Intel vPro technology stores inventory data in non-volatile memory in the hardware. This makes the inventory data available even if the computers are turned off or are in an inoperative state.

The benefit is that you can remotely see what hardware a computer has without physically visiting the site. For example, if a computer cannot start due to a failed hard disk, you can remotely determine what replacement disk is needed.

Remote Computer Management and Remediation

The following list describes remote management and remediation tools:

  • Event Logs - You can remotely view logs of events that let you track what happened before a problem occurred on a computer.
  • Alerting - You can use industry-standard alerts for platform hardware sensors, hardware failures, operating system lockups, and platform boot failures.
  • Power management - You can remotely start a computer, perform the management task, and then return it to its previous power state or restart it, if needed. Intel vPro technology provides remote power management that is more secure than Wake on LAN (WOL) and PXE (pre-execution environment).
  • Serial over LAN - You can remotely take control of a client computer after it boots and before it loads the operating system (text mode only). This lets you remotely edit BIOS settings, view startup messages, and so forth.
  • IDE-Redirect - You can redirect the boot source of a computer to a different location, such as an ISO on a network share. This is useful if a computer cannot start the local operating system. You can boot using another operating system and then repair the locally installed operating system.

Network Management and Security

You can use Intel vPro technology and Altiris software to provide network management and security.

The following is a list of network management and security tools:

  • System defense (network filtering) - Hardware filtering of network traffic that blocks all inbound and outbound network traffic from a virus-infected computer and prevents the threat from spreading.
  • Agent Presence - Hardware heartbeat for third-party management agents.

Intel AMT Setup and Configuration

Before managing computers with Intel vPro technology, you must configure the Intel AMT device built into the computers. You can configure the device either manually in small business mode, or use automated setup and configuration (provisioning) in enterprise mode. Provisioning in enterprise mode is also recommended for secure communications between the Notification Server and Intel AMT devices in large-scale organizations.

You can use Altiris® Out of Band Management Solution™ software to set up and configure (provision) Intel AMT devices in enterprise mode. You can perform the following actions:

  • Define configuration parameters.
  • Create profiles that define the setup parameters for the Intel AMT devices to be provisioned.
  • Manage the list of valid TLS-PSK keys that match what is installed, or to be installed, on the Intel AMT devices awaiting provisioning.
  • View and manage entries identifying each Intel AMT device, provisioned or unprovisioned.

Altiris Products that Support Intel vPro technology

These products all run under Altiris® Notification Server™ software, which is a free product.

Altiris® Out of Band Management Solution™ 6.1 SP1

Lets you manage collections of computers with Intel vPro technology from the Altiris Console. This is considered one-to-many management. You can view event logs, inventory information, and perform various Intel AMT administrative tasks.

The solution will also assist you in setting up and configuring Intel AMT capable computers in enterprise mode.

Out of Band Management Solution uses the following Altiris products:

  • Altiris® Task Server™
  • Altiris® Console 6.5
  • Altiris® Real-Time Console Infrastructure
  • Altiris® Connector Solution™ (SNMP Management)

Out of Band Management Solution is a free product.

Altiris® Real-Time System Manager Solution™ 6.2 SP1

Lets you manage a single computer with Intel vPro technology from the Altiris Console. This is considered one-to-one management. You can view status and inventory information and perform tasks in real time. Using Real-Time System Manager Solution, you can view detailed real-time information about a managed computer and perform various Intel AMT administrative tasks.

Real-Time System Manager Solution can be evaluated for free for 30 days, after which a purchased license is required. It is also available as part of several Altiris management suites.

Altiris® Network Discovery

Discovers network resources using Internet Control Message Protocol (ICMP) ping sweep, Simple Network Management Protocol (SNMP), service port polling, circular Domain Name System resolution, and NetBIOS name and domain queries. Network Discovery is a free product.

Altiris Documentation

The following documentation (with accompanying release notes) provides additional information:

  • Altiris Notification Server Help
  • Altiris Notification Server Reference
  • Altiris Out of Band Management Solution 6.1 SP1 Help
  • Altiris Real-Time System Manager Solution Reference Guide
  • Altiris Task Server Help
  • Altiris Console 6.5 Help
  • Altiris Network Discovery Product Guide
  • Altiris SNMP Management Help

Product documentation is available in Microsoft HTML Help (.CHM) and Adobe Acrobat (.PDF) formats. Documentation files are installed in the following directory:

C:\Program Files\Altiris\Notification Server\NSCap\Help

You can easily access documentation from the Altiris Console by clicking the following icons in the upper-right corner of the Altiris Console:

Access the contextual online help by clicking the online help icon.

Access an index of all help by clicking the index icon.

Note: If you are using the new Altiris Console 6.5, you can access the documentation by clicking Help > Context or Help > Index.

Altiris Documentation

Each entry lists the source, what information it includes, and where you can find it:

  • Altiris Knowledgebase - Comprehensive collection of articles, incidents, and issues for Altiris solutions. http://kb.altiris.com/
  • Altiris Juice, an online magazine for users - Best Practices, tips and tricks, and articles for users of Altiris solutions. http://www.symantec.com/connect/
  • Online Forums - Forums for Altiris solutions and suites. http://forums.altiris.com/
  • Documentation and Release Notes - Information about new features, update instructions, and known issues for each release. http://www.altiris.com/support/documentation

Chapter 2: Understanding Management Functionality

This chapter helps you understand the management features provided by Altiris products that use Intel vPro technology.

Topics include:

  • In-Band vs. Out-of-Band Management
  • Single Computer vs. Collections Management
  • Client Computer Discovery
  • Alerts, Logs, and Events
  • Remote Power Management
  • Serial Over LAN
  • IDE-Redirect
  • System Defense
  • Agent Presence
  • Intel vPro Computer Setup and Configuration

In-Band vs. Out-of-Band Management

Intel vPro technology provides out-of-band management capabilities above and beyond normal in-band management capabilities.

Remote management of client computers often requires the managed computer to be powered on, with an operating system running and a management agent loaded. When a computer is powered on with a running operating system, the computer is considered in-band.

A client computer is considered out-of-band when it is in one of the following states:

  • The computer is plugged in but not actively running (off, standby, hibernated).
  • The operating system is not loaded (software or hardware boot failure).
  • The software-based management agent is not available.

Out-of-band management is the ability to manage computers in these states.

Altiris products that support out-of-band management include Network Discovery, Real-Time System Manager Solution, and Out of Band Management Solution 6.1 SP1.

Single Computer vs. Collections Management

Using the Altiris Console, you can manage computers in the following modes.

One-to-One

You can manage a single computer one-to-one, in real time. When using real-time tools, you can view detailed real-time information about a managed computer and perform various administrative tasks, such as running an application, restarting the computer, resetting the password, terminating a process, and more. Real-Time System Manager Solution lets you perform real-time one-to-one management tasks.

One-to-Many

One-to-many management means that you can run a task on a collection of computers, either immediately or on a schedule. Many pre-defined collections are already available in the Notification Server. The following are examples of collections:

  • All 32-bit Windows Computers
  • All Windows NT/2000/XP Workstations
  • All Intel AMT Capable Computers
  • All Configured Intel AMT Computers

Also, you can create your own collections, based on any criteria you want. The collections can be based on computer types, the operating system installed, and so on. Out of Band Management Solution 6.1 SP1 lets you perform one-to-many management.

Client Computer Discovery

To fully manage the computers in your environment, you must know which computers can be configured for out-of-band management. The following methods of discovering and viewing computers with Intel vPro technology are available.

Using Altiris Network Discovery

You can use an Altiris Network Discovery scan policy to discover configured computers with Intel vPro technology. When the scan policy runs, Intel AMT information is gathered along with SNMP data.

This is an out-of-band discovery. It can be accomplished without a management agent (Altiris Agent) installed on the computer, and the computer can be powered on or off.

This method is useful in the following scenarios.

  • Starting in an environment where computers are unmanaged.
  • Discovering new computers that have not had a management agent installed yet.

Using Out of Band Discovery policy

You can use the Out of Band Discovery policy to discover both configured and unconfigured computers with Intel vPro technology.

This is an in-band discovery. The client computer must be powered on, have an operating system running, and have the Altiris Agent installed.

Client Computer Inventory

After computers are discovered, you can view hardware and software inventory data about those computers. Altiris solutions report inventory data to the Notification Server, and the inventory is stored in the Notification Database. You can view inventory summaries and reports based on the stored inventory data.

Intel vPro technology stores a computer’s hardware inventory data in non-volatile memory. This makes the inventory data available even if the computers are powered off or are in an inoperative state. Using the Altiris management software, you can remotely see what hardware a computer has without physically visiting the site. For example, if a computer cannot start due to a failed hard disk, you can remotely determine what replacement disk is needed.

Inventory data stored in the hardware also lets you track computers where software-based inventory data may not be persistent. For example, a computer may have been recently reimaged, or a software-based agent may be inoperative due to a virus or computer hacking.

You can use Altiris Network Discovery to gather initial out-of-band inventory of the computers with Intel vPro technology. Altiris Network Discovery does the following:

  • Checks for Intel AMT capable computers (through a ping sweep or seed device)
  • Performs a handshake with credentials on discovered computers
  • Gets Intel AMT device information and creates a computer resource in the Notification Database
  • Writes a time-stamp and records the MAC address in flash memory on the computer
  • Stores inventory data in the Notification Database

You can use Out of Band Management Solution 6.1 SP1 to perform ongoing inventory gathering. This inventory data is also stored in the Notification Database. The inventory task is collection-based, scheduled, and is also an out-of-band process.

You can use Real-Time System Manager Solution to view inventory for a single computer in real time. The information is not stored in the Notification Database.

Also, the solutions include various reports, where you can view and analyze your inventory data.

Alerts, Logs, and Events

You can configure client computers with Intel vPro technology to send computer health alerts to the Notification Server. These alerts inform you of hardware and software problems that occur on the client computers. These proactive alerts can let administrators know about sensor warnings for high temperatures, fan failures, exceeded sensor thresholds, case intrusions, low power-supply voltage, hardware failures, lock-ups (blue screens), and system boot failures.

Alerts are handled using hardware-based out-of-band communication independent of the operating system. This means that system lock-ups, hangs, crashes, and other problems do not prevent alerts from being sent. You can be notified immediately when something happens to a computer, which lets a technician recover the system remotely or simply be more effective in the desk-side repair. When used with inventory information, alerting can help minimize repair time even further because technicians can arrive with the right part, possibly even before customers know they have a problem.

Using Out of Band Management Solution 6.1 SP1, you can configure alerts for multiple computers using collections. Using Real-Time System Manager Solution you can configure alerts for a single computer.

When a problem occurs on a client computer, you can remotely view logs of events that let you track what happened before the problem occurred.

Remote Power Management

Normally, you cannot perform a remote management task off hours because a computer is turned off. With Altiris management software and Intel vPro technology you can now remotely start a computer, perform the management task, then return the computer to its previous power state. You can also perform a remote restart as part of a management job, if needed. Intel vPro technology provides remote power management that is more secure than Wake on LAN (WOL) and PXE (pre-execution environment).

You can perform remote power management tasks on computers using Out of Band Management Solution 6.1 SP1. You can perform tasks on a single computer or you can use collections to specify multiple computers. You can perform tasks immediately or on a schedule.

You can also perform real-time remote management tasks on a single computer using Real-Time System Manager Solution.

Serial Over LAN

From the Altiris Console, you can remotely take control of a client computer after it boots and before it loads the operating system. The Serial Over LAN (SOL) functionality lets you establish a remote console session to change BIOS settings, view startup messages, reinstall or repair an operating system, and so forth. This control is possible only in text mode before a graphical user interface is loaded.

SOL functionality is provided through Real-Time System Manager Solution.

Example: You can use Real-Time System Manager Solution to remotely start a computer, then you can use SOL to modify the BIOS or run FDISK to check for disk errors.

IDE-Redirect

From the Altiris Console, you can perform a remote boot through integrated device electronics redirection (IDE-R). This feature lets you change the computer’s boot device to a CD or to an image located on a remotely mounted CD-ROM or hard drive. After you boot a computer from a remote image, you can perform a full system recovery or simply copy corrupt or missing files.

Example: You may have many client computers that have a certain program installed and are experiencing a blue screen when starting Windows due to a bad .dll file. Using Real-Time System Manager Solution, you can remotely start the computer, use IDE-R to boot from a clean ISO, and then copy a new version of the .dll file. You can then use a remote power management task to restart the computer.

System Defense

You can remotely limit any network traffic to and from the operating system of the target computer using programmable hardware-based filters (Circuit Breaker).

Example: You can use Real-Time System Manager Solution to isolate an infected computer from the network and stop threats from spreading. Once activated, the network filter will block all ports except for those required by the Altiris Agent to communicate with the Notification Server.

Also, you can prevent a computer infected by a virus from sending malicious packets by forcing the identity verification of outgoing network traffic. If the computer is suspected of originating malicious attacks, known as “IP spoofing,” System Defense will drop the malicious packets.

Agent Presence

Agent presence is a hardware-based “heartbeat” timer that ensures third-party security and software agents remain present. You can use Real-Time System Manager Solution to view a list of all the currently registered agents and their status.

Intel vPro Computer Setup and Configuration

To remotely manage a computer using Intel vPro technology, the computer must be set up and configured.

Out of Band Management Solution installs the core components of Intel Active Management Technology's (Intel AMT) Setup and Configuration Service (Intel SCS) to help you set up and configure (provision) computers with Intel vPro technology in enterprise mode.

You can use Out of Band Management Solution to configure Intel SCS settings, define provisioning parameters, and provision Intel vPro computers.

You can also use Out of Band Management Solution 6.1 SP1 and Real-Time System Manager Solution to remotely change the settings of provisioned Intel AMT devices or unprovision the computers.

Chapter 3: Installing Altiris Management Components

This chapter lists the requirements for Altiris management components and explains how to install them.

Topics include:

  • Requirements
  • Installing Altiris Software
  • Licensing

Requirements

The following sections list the minimum requirements for installing Altiris products.

  • Notification Server Requirements
  • Solution Requirements
  • Intel AMT Setup and Configuration Service Requirements
  • Client Computer Requirements

Notification Server Requirements

Install Notification Server 6.0 SP3 or later on a computer that meets the following minimum requirements.

Minimum Hardware Requirements

  • Processor - Pentium* III 800 MHz or faster
  • RAM - 512 MB (1 GB recommended for increased speed)
  • Hard drive - 5 GB (20 GB recommended)
  • File system - NTFS partition

Minimum Software Requirements

  • Operating system - Microsoft Windows Server 2003 (Standard or Enterprise) with SP1, Microsoft Windows 2000 Server with SP4, or Microsoft Windows 2000 Advanced Server with SP4
  • Database - Microsoft SQL Server 2005 or Microsoft SQL Server 2000 SP3
  • Web server - Microsoft IIS 5.0
  • Services - Microsoft .NET 1.1 Framework (with ASP .NET), Microsoft .NET 2.0 Framework, and Microsoft Data Access Control 2.8 (MDAC)
  • Browser - Microsoft Internet Explorer 6.0

Solution Requirements

Out of Band Management Solution 6.1 SP1 and Real-Time System Manager Solution require Notification Server 6.0 SP3 or later.

The following solution components are required and will be installed with Real-Time System Manager Solution.

  • Altiris® Real-Time Console Infrastructure 6.2
    Provides infrastructure for remote management over WMI/ASF/AMT.

The following solution components are required and will be installed with Out of Band Management Solution 6.1 SP1.

  • Altiris Console 6.5
    Provides the infrastructure for Task Management Solution, solution-based menus, and quick-start shortcuts.
  • Altiris® Task Management Solution 6.0
    Provides the task management infrastructure.
  • Altiris® Real-Time Console Infrastructure 6.2
    Provides infrastructure for remote management over WMI/ASF/AMT.
  • Altiris® Connector Solution Event Integration Component 6.0
    Provides SNMP traps receiver functionality.

Intel AMT Setup and Configuration Service Requirements

Out of Band Management Solution installs Intel AMT Setup and Configuration Service (Intel SCS) on the Notification Server computer. The following requirements must be met.

  • Intel SCS requires that .NET Framework 2.0 be installed on the Notification Server computer.
  • (Optional) To use the Transport Layer Security (TLS) feature for secure communication between the Notification Server and the client Intel vPro computer, Intel SCS requires that the Notification Server be installed on Microsoft Windows Server 2003. TLS does not work with Microsoft Windows 2000 Server.
  • (Optional) To securely manage the Intel vPro technology computers using Transport Layer Security (TLS), Intel SCS requires that Microsoft’s Certificate Authority (CA) be installed on the Notification Server computer. If you are installing on a clean computer, make sure IIS is installed before the CA.
Note: For details on configuring the CA for Intel SCS, see the Altiris Out of Band Management Solution Reference Guide (http://www.altiris.com/support/documentation) or Intel Active Management Technology Setup and Configuration Service Installation and User Manual (http://softwarecommunity.intel.com/articles/eng/1025.htm).

Client Computer Requirements

  • Client computer with Intel vPro technology, connected to the network and plugged into a power source
  • Windows 2000 SP3 or later

Installing Altiris Software

You can install Altiris software through the following installation scenarios:

  • Installing Notification Server for the First Time
  • Installing on an Existing Notification Server

Installing Notification Server for the First Time

Use these instructions for a first-time Altiris installation with no previous Notification Server installation. You will use the Altiris Installation Manager (AIM) to install Notification Server and Real-Time System Manager Solution. After that, you can install Out of Band Management Solution 6.1 SP1 and Network Discovery on the Notification Server.

The following steps are involved in installing the products:

  1. Downloading and extracting the installer files
  2. Downloading and installing the product
Note: If your server does not have an Internet connection, you can access the installation files from a different computer and save the files to a destination accessible by the server. However, an Internet connection is required for product upgrades.

To download and extract the installer files

  1. Go to the Altiris Web site download page (http://www.altiris.com/Download.aspx).
  2. Enter your e-mail address.
  3. Select the product you want to install.
    Example: Real-Time System Manager.
  4. Click Submit.
  5. Read and accept the license agreement.
  6. Click Download Altiris Installation and Configuration Manager.
  7. Click Run.
  8. Specify a location for the installer files and click one of the available options:
    • Extract & Execute App
      The files are extracted to the specified location, and the Altiris Installation Manager is launched. Follow the wizard to install the product.
    • Extract Only
      The installation files are extracted to the specified location. Choose this option if you intend to copy the installation files to another computer or if you want to run the installation at a later time. You can start the installer by running Setup.exe.

To install Notification Server and Real-Time System Manager Solution

Note: If at any point during the installation you need to quit, you can do so by clicking Cancel. Later, when you restart the install program, you will have the option to restore the data you entered.
  1. Start the installer program if it is not already running. When you extracted the installer files, if you selected Extract & Execute App, the installer is already running. If you selected Extract Only, you can start the installer by running Setup.exe in the file extraction location (the default location is C:\Program Files\Altiris\Setup Files\AICM\product name\Data\Downloads).
    Note: If Notification Server is already installed and you run the install program, the Altiris Console will open to the Solution Center.
  2. Choose a product download option.
    • Download and install on the computer
      You will be prompted for information needed for the installation and configuration of the product and Notification Server. At the same time, the needed files are being downloaded in the background. You can see the download progress at the bottom of the page.
    • Download only
      This option can be used to copy the setup files to another computer for installation, possibly a computer without an Internet connection. To install the product on a different computer, copy all of the setup files onto a CD or the computer on which you want to run the installation. The setup files are located in the location specified when you extracted the installer files (by default, C:\Program Files\Altiris\Setup Files\AICM\product name\Data\Downloads).
      When you are ready to install the product, run Setup.exe again and continue with the installation.
  3. Accept the license agreement.
  4. Specify a location where Notification Server will be installed. The location must be on the local computer and cannot be a network share or a removable device.
  5. The installer checks if your computer meets the requirements for Notification Server. Each requirement check has one of the following results, each shown with its own icon:
    • The requirement and any recommendations are met.
    • The requirement has been met and you can continue with the installation, but there are some recommendations to consider.
    • The requirement has not been met. You cannot continue with the installation until the requirement has been met.

    When there is an error or recommendation, click the associated text in the Help column for additional information.

    After making changes to your computer, you can recheck your system by clicking Recheck Requirements.

  6. Enter the user name (include the domain) and password of an existing user account that you want to use to access Notification Server. The user name must be a Windows user with local administrator rights to the Notification Server computer. Also, specify the user name and password to be used to install the Altiris Agent on the computers you want to manage.
  7. (Optional) To configure the e-mailing of Notification Server events, provide the needed e-mail information. Enter the DNS name or IP address of your SMTP server. If the server requires authentication, enter a valid user name and password. Click Send Test E-mail to verify that Notification Server is sending e-mails to the correct address. Select Later if you want to configure this at a later time through the Altiris Console.
  8. Specify the credentials to access Microsoft SQL Server and the Notification Database.
    Enter the name of the server running Microsoft SQL Server. You can install the Notification Database to a specific SQL Server instance by entering the server name and SQL instance. Example: SQL server name\SQL instance.
  9. Select the computers you want to manage.
    The installation program lets you select up to 100 computers to manage. If you have additional computers, you can select them after the product is installed using the Altiris Agent rollout procedures.

    You can select entire domains, individual computers, or both. The Altiris Agent will be installed on these computers to let you manage them. If you cannot find a computer, you can manually specify it by entering its IP address or DNS name.
  10. Verify that the configuration summary is correct.

    If there is an error, go back and make the needed changes.
  11. When the installation completes, click Finish.

    If the installation is in progress, the Finish button is not available.

Now you can use the Solution Center to install other products, such as Out of Band Management Solution 6.1 SP1 and Network Discovery. See Installing on an Existing Notification Server.

Installing on an Existing Notification Server

If you have the Notification Server already installed, you can install products using the Solution Center.

To install other products

  1. In the Altiris Console, click the Configuration tab.
  2. In the left pane, click Upgrade/Install Additional Solutions.
  3. In the right pane, click the Available Solutions tab.
  4. Click Segments.
  5. Click Components.
  6. Select the products you want to install.
    Example: Altiris Network Discovery, Altiris Real-Time System Manager Solution, or Altiris Out of Band Management Solution 6.1 SP1.
  7. Click Start.
  8. Follow the steps in the wizard.

Installing SNMP Receiver

Altiris Connector Solution Event Integration Component, which you install as part of Out of Band Management Solution 6.1 SP1 (see Solution Requirements), lets you receive and analyze SNMP traps sent by managed computers with Intel vPro technology.

To make this component work, you must also install the Microsoft Windows SNMP receiver on the Notification Server computer.

To install Microsoft Windows SNMP receiver

  1. From the Notification Server computer, select Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components.
  2. The Windows Components Wizard appears.
  3. In the Components window, select Management and Monitoring Tools and click Details. The Management and Monitoring Tools dialog appears.
  4. Select the check box next to Simple Network Management Protocol and click OK.
  5. Click Next.
  6. Click Finish.

Licensing

You do not need to purchase a license for Notification Server, Out of Band Management Solution, or Network Discovery. Real-Time System Manager Solution does require a license.

Each Altiris product that requires a license comes with a 7-day trial license that is installed by default. You can register and obtain a 30-day evaluation license through our Web site at www.altiris.com or purchase a full product license.

To view your current license, open the Altiris Console, click the Configuration tab and then Licensing. For more information, click the help button on the Licensing page.

Chapter 4: Getting Started with Altiris and Intel vPro Technology (Intel AMT)

These Getting Started tasks guide you through some basic setup and configuration of Real-Time System Manager Solution and Out of Band Management Solution 6.1 SP1 to use with Intel vPro technology (Intel AMT) computers.

This guide will also help you manually provision a single Intel vPro computer in enterprise mode for evaluation. For more details on other methods of provisioning (OEM provisioning, USB provisioning), see the Altiris Out of Band Management Solution Help (http://www.altiris.com/support/documentation).

Before you start, you must have the following.

  • Altiris solutions installed on your Notification Server (see Installing Altiris Software).
  • A client computer with Intel vPro technology, connected to the network and plugged into a power source.
  • (Optional) The Altiris Agent installed on the client computer with Intel vPro technology.

    If you know exactly which computers can be configured for out-of-band management, the Getting Started tasks can be performed out-of-band without the Altiris Agent installed on the client computers.

    However, if you want to discover computers with Intel vPro technology in your environment, you must install the Altiris Agent to the client computers.

    For details on installing the Altiris Agent, see Altiris Notification Server Help (http://www.altiris.com/support/documentation).

Topics include:

  • Discovering Computers with Intel vPro Technology
  • Provisioning a Computer with Intel vPro Technology
  • Configuring Default Intel AMT Settings

For information on all the tasks you can perform using Intel vPro technology, see the Altiris Out of Band Management Solution 6.1 SP1 Help and Altiris Real-Time System Manager Solution Reference Guide (http://www.altiris.com/support/documentation).

Discovering Computers with Intel vPro Technology

There are two methods for discovering and viewing computers with Intel vPro technology.

You can use Out of Band Management Solution to discover computers with Intel vPro capability in your environment. Out of Band Management Solution can detect Intel vPro capability even if it is not enabled in the BIOS or is misconfigured. This is an in-band discovery: the operating system must be running and the Altiris Agent must be installed on the client computers.

You can use Altiris Network Discovery to locate all configured computers with Intel vPro technology. This is an out-of-band discovery. The client computers only need to be connected to the network and plugged into a power source. This method will not discover misconfigured computers.

Topics include:

  • Using Out of Band Management Solution to Discover Computers
  • Using Network Discovery to Discover Computers

Using Out of Band Management Solution to Discover Computers

The Out of Band Discovery policy finds Intel vPro capable computers when it runs on client computers that have the Altiris Agent installed. The policy detects Intel vPro capability even if it is not enabled in the BIOS or is misconfigured.

To discover out-of-band capable computers

  1. From the Altiris Console, click the Configuration tab (If you are using the Altiris Console 6.5, select View > Configuration).
  2. Select Solution Settings > Platform Administration > Out of Band Management > Out of Band Discovery.
  3. Select the Out of Band Discovery policy.
  4. (Optional) To add or change the collections that the policy applies to, click the Applies to collections link. Select the collections to apply the policy to and click OK.
  5. Select the Enable check box to run the policy.
  6. Click Apply.

After the policy runs on client computers, the out-of-band capable computers are added to corresponding collections.

To view the out-of-band capable computers

  1. From the Altiris Console, click the Resources tab (If you are using the Altiris Console 6.5, select View > Resources).
  2. Select Resource Management > Collections > Out of Band Management.
  3. Select the All Intel AMT capable systems collection to view the out-of-band capable systems.

Using Network Discovery to Discover Computers

You can use Network Discovery solution to discover configured computers with Intel vPro technology (Intel AMT). You must know the Intel AMT user name and password to discover computers. This discovery is useful when you want to populate the Notification Server database with Intel AMT computers that have been previously configured but do not have the Altiris Agent installed.

Network Discovery will not discover unconfigured Intel AMT devices. To discover unconfigured computers, use Out of Band Management Solution (see Using Out of Band Management Solution to Discover Computers).

To discover computers with Intel AMT

  1. From the Altiris Console, click the Configuration tab (If you are using the Altiris Console 6.5, select View > Configuration).
  2. In the left pane, select Configuration > Solutions Settings > Network Discovery.
  3. Configure Network Discovery to create a Notification Server resource for discovered computers:
    1. Click Network Discovery Settings.
    2. Make sure that the following check boxes are selected:
      • Create NS Resource for
      • AMT/ASF Devices
    3. Click Apply.
  4. In the left pane, select Configuration > Solutions Settings > Network Discovery > Scan Groups > Default Scan Group.
  5. Select a scan method:
    • Seed Device - Discovers IP devices by reading the Address Resolution Protocol (ARP) tables from a seed (starting point of discovery) router. Enter the IP address of a router in the IP address field.
    • Address ranges (Ping Sweep) - Searches the network for resources within a specified range of IP addresses. Click Add, and then enter the IP addresses in the Starting IP Address and Ending IP Address fields. You can add as many rows as needed, but the policy will only discover IP devices if the check box for the row defined is selected.

      When using an address range as the method for the scan, entries in both the Include and Exclude tabs are ignored. The Include and Exclude tabs are only used when a seed device is used as the scan method.
  6. (Optional) Configure SNMP settings:
    1. Click the SNMP/ICMP tab.
    2. If using a community string other than Public, then add the appropriate name.
    3. Click Apply.
  7. (Optional) Use the other tabs to configure your network settings as needed. For details, click the help icon in the upper-right corner of the page.
  8. Click the Advanced tab.
  9. Select the AMT Scan check box. This activates the AMT Options.
  10. Select the Small Business mode check box.
    This discovers Intel AMT devices configured in small business mode by only requiring a MEBx user name and password to gain access to the resource. Network communications for these types of devices are through HTTP.
  11. Select the Enterprise Mode check box.
    This discovers Intel AMT devices provisioned in enterprise mode by requiring a user name, password, and an installed trusted certificate to gain access to the resource. Network communications for these types of devices are through HTTPS.
  12. Enter a valid domain name.
    This is the domain name that discovery tries to access to scan for AMT provisioned devices. This is used for name resolution and is not used to authenticate.
  13. Select the Collect AMT Inventory check box.
    This collects inventory from Intel AMT provisioned IP devices and stores it in the Notification Database. You can view the inventory through Resource Manager or the Network Discovery reports.
  14. (Optional) Select the Write first discovery date and time to NVRAM check box. Select this option to write the date and time when the IP device was first discovered to NVRAM, a separate storage area on Intel AMT devices.
  15. Click Apply.
  16. Click Discover Now (upper-right corner) to run the policy immediately. The Schedule tab lets you select a scheduled time to run the task.

To view discovered computers with Intel AMT

After you have run the Network Discovery scan policy, you can view the list of discovered computers. You can do this by viewing the Intel AMT collections that are populated from the scan task results.

  1. From the Altiris Console, click the Resources tab (If you are using the Altiris Console 6.5, select View > Resources).
  2. Select Collections > Network Device Collections.
  3. Click All AMT Devices.

The list of discovered computers appears.

Provisioning a Computer with Intel vPro Technology

To manage the Intel vPro technology computers out-of-band from the Altiris Console, you must set up and configure (provision) the computers.

This section explains how to manually provision a single Intel vPro computer in enterprise mode for evaluation. In this section, only the basic steps are introduced, which will help you quickly provision a computer with default settings so you can start managing the computer using Out of Band Management Solution. For the complete description of configuration options and other methods of provisioning, see the Altiris Out of Band Management Solution Help (http://www.altiris.com/support/documentation).

Topics include:

  • Creating a Profile
  • Generating Security Keys
  • Configuring Automatic Profile Assignments
  • Pre-provisioning an Intel vPro Computer
  • Provisioning an Intel vPro Computer
  • Synchronizing Intel SCS and Notification Server Resources
  • Provisioning Intel vPro Computer in Secure Mode

Creating a Profile

You must create a configuration profile that Intel vPro computers will use when provisioning.

To create a profile

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Intel AMT Getting Started > Section 1. Provisioning > Basic Provisioning (without TLS) > Step 4. Create Profile.
  3. From the Manage Profiles page, click . The Configure Intel AMT Setup & Configuration Service Profile dialog box appears.
  4. On the General tab, in the Administrator Credentials section, select Manual.
  5. Enter the new administrator password the Intel vPro computer will be configured with.
    Note: You must enter a strong password. Example: P@ssw0rd.
  6. For evaluation, keep the other settings in their default state.
  7. Click OK.

Generating Security Keys

You must generate a security key pair that you will use to configure (pre-provision) the Intel vPro computer.

To generate security keys

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Intel AMT Getting Started > Section 1. Provisioning > Basic Provisioning (without TLS) > Step 5. Generate Security Keys.
  3. Click .
    The Generate Security Keys dialog appears.
  4. Enter the number of security keys to generate.
    Example: 1.
  5. Enter the Factory Default Intel Management Engine Password.
    The default value is “admin”.
  6. Enter the New Intel Management Engine Password.
    This will become the new Intel Management Engine (MEBx) password after you configure (pre-provision) the Intel AMT device.
    Note: You must enter a strong password. Example: P@ssw0rd.
  7. Click OK.

Intel SCS creates a list of Security Keys. Each record consists of an 8-byte PID, a 32-byte PPS, and the administrator’s password. You will use these keys to configure (pre-provision) the Intel vPro computer.
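A pre-flight check for the passwords and key records described in Creating a Profile and Generating Security Keys, as an added example that is not Altiris or Intel code. The complexity rules follow the strong-password requirements commonly documented for Intel AMT and are an assumption here, as is the dash-separated way PID and PPS values are written; all sample values are constructed.

```python
import string

# Values published in this guide: the factory default and the example password.
# Both satisfy or predate the complexity rules, so they need an explicit denylist.
DENYLIST = {"admin", "p@ssw0rd"}
FORBIDDEN_CHARS = set(':,"')  # assumption: characters Intel AMT does not accept


def password_problems(password):
    """Return the reasons a password should be rejected (empty list = acceptable)."""
    problems = []
    if password.lower() in DENYLIST:
        problems.append("published default or documentation example")
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8-32 characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase Latin letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase Latin letter")
    if not any(c in string.digits for c in password):
        problems.append("no digit")
    # Assumption: underscore counts as alphanumeric, so it is not "special".
    specials = [c for c in password
                if 0x20 < ord(c) < 0x7F and not c.isalnum() and c != "_"]
    if not specials:
        problems.append("no special character")
    if FORBIDDEN_CHARS & set(password):
        problems.append("contains ':', ',' or '\"'")
    return problems


def key_record_problems(pid, pps, password):
    """Check one security key record: 8-byte PID, 32-byte PPS, password."""
    problems = []
    # Assumption: dashes are only display separators and are not part of the key.
    if len(pid.replace("-", "")) != 8:
        problems.append("PID is not 8 bytes long")
    if len(pps.replace("-", "")) != 32:
        problems.append("PPS is not 32 bytes long")
    problems += ["password: " + p for p in password_problems(password)]
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    for candidate in ("admin", "P@ssw0rd", "Tr1al-Bench#42x"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print(key_record_problems(
        "ABCD-1234", "0000-1111-2222-3333-4444-5555-6666-7777", "P@ssw0rd"))
```

The guide's example password passes every complexity rule and is rejected only by the denylist, which is why a complexity check alone is not enough for a value that appears in public documentation.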

Configuring Automatic Profile Assignments

Automatic profile assignments settings let you automatically map a provisioning profile (see Creating a Profile) to the computers in an unprovisioned state.

For automatic profile assignments to work, you must run the Out of Band Discovery task on the target Intel vPro computers (see Using Out of Band Management Solution to Discover Computers). The inventory reported by the task will let Out of Band Management Solution map the unique identifier of the Intel AMT device to the computer’s FQDN. If automatic profile assignment succeeds, the Intel AMT device will be automatically provisioned with the computer’s FQDN.

If you cannot run the Out of Band Discovery task (Example: The target computer does not have the Altiris Agent installed), you can enter the FQDN and assign a profile manually (see To assign a profile manually).

To configure automatic profile assignments settings

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Intel AMT Getting Started > Section 1. Provisioning > Basic Provisioning (without TLS) > Step 6. Configure Automatic Profile Assignments. The Resource Synchronization page appears.
  3. Select the Enable check box.
  4. Select the Intel® AMT 2.0+ to profile check box and choose the profile you created.
  5. For evaluation, keep the other settings in their default state.
  6. Click Apply.

Pre-provisioning an Intel vPro Computer

For evaluation, you can enter the security keys and the password you generated into the Intel vPro computer’s MEBx manually to pre-provision the computer. For other pre-provisioning methods, see the Altiris Out of Band Management Solution Help (http://www.altiris.com/support/documentation).

To pre-provision the computer

  1. Go to the physical location of the Intel vPro computer and do the following.
    1. Connect the cables, a monitor, and a keyboard.
    2. Power on the computer and press Ctrl-P to enter the Management Engine BIOS Extension (MEBx).
    Notes:
    • The MEBx access key may vary depending on the computer manufacturer. For details, refer to the computer manufacturer’s documentation.
    • The default MEBx password for the computers in the factory-default state is “admin”.
    • If you log in to the MEBx for the first time, you must change the default password before making changes to the MEBx options. You must use a strong password. You can use the new password you entered while generating the security keys.
  2. Enable Intel AMT 2.0 (or later) in the client computer’s MEBx, if not already enabled.
    For the additional Intel AMT configuration options to appear in the MEBx you may need to exit the MEBx and restart the computer.
  3. From the MEBx, select Unprovision and choose Full unprovisioning to reset the Intel AMT device.
  4. Set the Provision Model to Enterprise.
  5. Modify the Provisioning Server settings. Enter the IP of the Intel SCS server and SCS port.
    Notes:
    • The Intel SCS is installed on the Notification Server as part of Out of Band Management Solution. Enter the IP of the Notification Server.
    • The SCS port is the port on which the Intel SCS listens for Hello messages sent by Intel vPro computers. By default, the port is 9971.
  6. Enter the PID and PPS pair you generated (see To generate security keys).
  7. Change the MEBx password to the New Password you entered while generating the security keys.
  8. Exit the MEBx. The computer restarts, and the Intel AMT status appears on the screen.

The computer is now ready for provisioning and is sending Hello messages to the Intel SCS. The computer entry should appear in the Altiris Console in the list of Intel AMT Systems known to the Intel SCS. The computer entry is in an UnProvisioned state.
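When a pre-provisioned computer does not appear in the list, connection logs for the SCS port show where its Hello messages went. The following added example (not part of the Altiris or Intel software) reviews such logs; the log format, the addresses and the function name are constructed for illustration, and only the port number 9971 comes from this guide.

```python
import re

SCS_PORT = 9971  # default Hello-message port stated in this guide

# Constructed log format: "<timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.1.1.10 plays the Notification Server running the SCS.
SAMPLE_LOG = """\
2007-06-29T10:02:11 ALLOW TCP 10.1.20.31:49152 -> 10.1.1.10:9971
2007-06-29T10:02:40 ALLOW TCP 10.1.20.32:49160 -> 10.1.1.10:9971
2007-06-29T10:03:05 DENY TCP 10.1.20.33:49171 -> 10.1.1.10:9971
2007-06-29T10:03:30 ALLOW TCP 10.1.20.34:49180 -> 10.1.9.99:9971
2007-06-29T10:04:02 ALLOW TCP 10.1.20.31:49190 -> 10.1.1.10:443
2007-06-29T10:04:15 ALLOW TCP 10.1.30.77:49201 -> 10.1.1.10:9971
"""


def review_hello_traffic(log_text, scs_ip, expected_clients):
    """Classify traffic to the SCS port against the pre-provisioned client list."""
    findings = {"reached_scs": set(), "blocked": set(),
                "wrong_server": set(), "unexpected_client": set()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != SCS_PORT:
            continue  # unparsable line or unrelated traffic
        src, dst = m["src"], m["dst"]
        if dst != scs_ip:
            # Provisioning Server IP mistyped in the MEBx, or a listener
            # that is not the SCS is receiving Hello messages.
            findings["wrong_server"].add((src, dst))
        elif m["action"] == "DENY":
            findings["blocked"].add(src)  # a firewall is dropping the Hello
        elif src not in expected_clients:
            findings["unexpected_client"].add(src)  # not on the pre-provisioned list
        else:
            findings["reached_scs"].add(src)
    # Pre-provisioned computers whose Hello never successfully reached the SCS.
    findings["silent"] = set(expected_clients) - findings["reached_scs"]
    return findings


if __name__ == "__main__":
    expected = {"10.1.20.31", "10.1.20.32", "10.1.20.33",
                "10.1.20.34", "10.1.20.35"}
    for name, hosts in review_hello_traffic(SAMPLE_LOG, "10.1.1.10", expected).items():
        print(f"{name}: {sorted(hosts)}")
```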

Provisioning an Intel vPro Computer

From the list of Intel AMT Systems known to the Intel SCS, you can see the state of the computer you have pre-provisioned.

To view a list of known computers

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Intel AMT Getting Started > Section 1. Provisioning > Basic Provisioning (without TLS) > Step 7. Monitor Provisioning Process.

Pre-provisioned computers are displayed as UnProvisioned. If the automatic profile assignment succeeds, the computer will change its status to Provisioned automatically (see Configuring Automatic Profile Assignments). If the FQDN of the Intel vPro computer is not known to the Notification Server, you must enter the FQDN and assign a profile manually.

To assign a profile manually

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Intel AMT Getting Started > Section 1. Provisioning > Basic Provisioning (without TLS) > Step 7. Monitor Provisioning Process.
  3. Select the computer in an UnProvisioned state in the list.
  4. Click .
    The Edit mapping dialog appears.
  5. Enter the FQDN of the target Intel vPro computer.
    The Intel AMT device will be provisioned using this FQDN.
  6. Select the profile you created.
  7. Click OK.

Monitor the Intel AMT Systems list. After some time, the Intel AMT device will become provisioned and the status of the corresponding entry in the list will change to Provisioned. The Intel AMT device is provisioned with the FQDN of the host computer.

Synchronizing Intel SCS and Notification Server Resources

To manage a provisioned Intel vPro computer from the Altiris Console, a computer resource representing the computer must be visible in the Notification Server’s collections. Normally, the computer resource is created automatically when you install the Altiris Agent to the target computer. If for some reason you choose not to install the Altiris Agent, you can use the Resource Synchronization task to create the Notification Server resources for the provisioned Intel vPro computers found in the Intel SCS database.

To run the Resource Synchronization task

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Intel AMT Getting Started > Section 1. Provisioning > Basic Provisioning (without TLS) > Step 6. Configure Automatic Profile Assignments.
    The Resource Synchronization page appears.
  3. Under the Last synchronization statistics section, click Run now.

After the task runs, the computers provisioned by Out of Band Management Solution appear in the Provisioned Intel AMT Computers collection.

You can also configure this task to run automatically on schedule.

To view the Provisioned Intel AMT Computers collection

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Collections > Provisioning > Provisioned Intel AMT Computers.

The computers displayed in the collection are ready to be managed by Out of Band Management Solution and Real-Time System Manager Solution (see Using Altiris Solutions with Intel vPro Technology).

Provisioning Intel vPro Computer in Secure Mode

The Transport Layer Security (TLS) feature of the Intel vPro technology secures communications between the Notification Server and Intel AMT devices. When TLS is enabled, the Intel SCS communicates with the Microsoft Certificate Authority (CA) to obtain a TLS certificate each time it sets up an Intel AMT device.

If you want to use this feature, your computer must meet the Intel SCS requirements and have the CA configured for Intel SCS (see Intel AMT Setup and Configuration Service Requirements).

To enable TLS

  1. In the Altiris Console 6.5, select View > Solutions > Out of Band Management.
  2. Select Intel AMT Getting Started > Section 1. Provisioning > Enable Security (TLS) > Step 1. Enable TLS Option in the Profile.
  3. Select the configuration profile you used to provision the computer for evaluation and click .
    The Manage Profiles page appears.
  4. Click the TLS tab.
  5. Select the Use TLS check box.
  6. Enter the FQDN of the CA server that you have set up.
  7. Enter the name of the CA.

    The name is listed in the CA Administration Manager. On the CA server, click the Windows Start button and select Administrative Tools > Certificate Authority. The name is listed in the first sub-branch in the left pane.
  8. Choose the type of CA you are using, Enterprise or Standalone.

    Enterprise CAs are integrated with Active Directory and use information stored in Active Directory. When a certificate is issued, the enterprise CA uses information in the certificate template to generate a certificate with the appropriate attributes for that certificate type.

    Standalone CAs do not require Active Directory but require that all information about the requested certificate type be included in the certificate request. By default, all certificate requests submitted to standalone CAs are held in a pending queue until a CA administrator approves them.
  9. Enter the name of the customized Certificate Template.

    The name must be the LDAP name stored in Active Directory. When the template is displayed using the CA management tools, it is the Template Name and not the Displayed Name. A template allows customization of the content of the certificates issued by the Certificate Services.

Comments

Apr 10, 2014 11:16 PM

Hi,

Are we able to use special characters in the community string, such as @ #?

Many thanks.

Jun 25, 2007 10:56 AM

Note that in Chapter 4 - "Configuring Default Settings for Real-Time System Manager Solution"...
The note indicates that CER certificate format is acceptable but PEM format is actually required for IDE-R to function.

Apr 20, 2007 02:16 PM

Always curious about vPro, finally got it...thanks.
