
Intel AMT 7 introduces Host Based Configuration 

Mar 07, 2011 05:53 PM

Today, March 7, 2011, is the official launch of the 2nd Intel Core vPro Processor Family, which includes Intel Active Management Technology (AMT) version 7. Among the new items in the platform is an exciting new approach to configuring Intel AMT: Host Based Configuration.

Host based configuration uses a local application and an XML file to configure Intel AMT locally, via the host operating system. This means that the past requirement of configuring over a corporate wired LAN no longer applies. The system could be connected via wireless, VPN, or in some cases not connected to the network at all.

[Diagram: simplified overview of the Host Based Configuration process]

In the Altiris OOB Site Service, Intel SCS 5.4 is used to authenticate out-of-band and apply the Intel AMT configuration settings over a secure tunnel. In contrast, Host Based Configuration works more like a normal software delivery job. It will require Intel SCS 7, which will post shortly, to generate the XML file containing the desired settings for the environment. (More on this will be shared shortly, including the "Unified Provisioning" capabilities of SCS 7.)

The configuration process is effectively distributed out to the individual client systems.  If the Intel AMT configuration requires Kerberos, TLS, or other infrastructural settings, the ACU_configurator application running on the target client negotiates the necessary certificates or settings with the infrastructure based on the contents of the XML file.

My first experience with host based configuration was a client system that had no network connection.   All I was given was the ACU_configurator application for the client and an XML file.  Using a single and simple command, I was able to configure AMT via the local host operating system.  Since the Altiris environment is flexible, I only needed to run OOB Discovery on the client and provide the necessary Intel AMT credentials in the target connection profile to interact with Intel AMT on the target client.  

The traditional methods of provisioning certificates and keys still exist. The security model and some features were changed to allow for host based configuration. To help differentiate, there are two configuration states/modes, described below:

  • Client Control Mode: Host Based Configuration was used to configure the client. This mode applies ONLY to systems capable of host based configuration. All Intel AMT functionality is accessible except for System Defense, which is disabled. User consent is mandatory for KVM remote control, IDE Redirect, Serial-over-LAN, and boot options (e.g. force PXE, force local CD/DVD boot, etc.).
  • Admin Control Mode: Also referred to as legacy configuration, this mode applies to ALL generations of Intel AMT. It requires out-of-band authentication via certificates or preshared keys, or physically configuring the client via pre-boot methods. All AMT functionality is available, and the user consent option can be disabled for KVM remote control sessions.

 

During early customer trials, some were perfectly satisfied with Client Control Mode while others preferred Admin Control Mode. More on switching between these two modes with Intel SCS 7 will be shared later. For a quick preview of Intel SCS 7, see http://www.blip.tv/file/4829946.

A common question: Will Host Based Configuration be available for previous generations of Intel AMT? The short answer is that the firmware capabilities have been backported to Intel AMT 6.2. Adoption and availability of this firmware release is at the discretion of each individual OEM. Beyond that, all Intel AMT 7.x and higher systems will support host based configuration.

More information on the ACU_configurator commands and Intel SCS 7 availability will be posted shortly.  If you are actively introducing Intel AMT 7.x systems into your environment today and are anxious for more information - leave a comment below or send a private message via the community email.

 

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.

Comments

Aug 29, 2011 04:59 PM

For a specific example of client control mode configuration followed by integration to an Altiris environment, see part 5 of the video series starting at http://www.symantec.com/connect/videos/part-1-configure-intel-amt-integrating-altiris
