Four Insights to OOB Site Service Installation and Usage
In recent weeks, a number of customer inquiries and training opportunities have focused on the OOB Site service, maintaining vPro configurations, and so forth. Those inquiries caused some searching in the Symantec Management Console. I stumbled across a few Job and Task Samples for the OOB Site Service that might be of interest. This article highlights four quick insights.
Insight #1: TaskServer Sample Jobs for Remote Management
The Out-of-Band Management solution with OOB Site Service must be installed first. The screens can then be accessed by selecting Manage > Jobs and Tasks.
In the screen below, a few pre-defined jobs provide insight into the improvements made. For example, if the FQDN of a configured client system must be updated, the answer prior to Symantec Management Platform is posted at http://www.symantec.com/connect/articles/handling-vpro-amt-fqdn-issues-out-band-management-solution and required some database scripting. Now the functionality is included in a sample job, "FQDN Synchronization".
Another job which caused some interest is "Send Intel AMT Hello Message". This appears to have similar functionality to the vPro Activator tool referenced at http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-5-intel-vpro-activator-utility - the ability to initiate when and to what server the hello messages should be sent.
Other sample jobs help in installing the OOB Site Service, and so forth.
Insight #2: OOB Site Service Installation of Intel SCS Fails
Are you having problems getting the OOB Site Service to install, specifically the Intel SCS with the AMTconfig Windows service?
Take a closer look at the screen below for Site Management. The default setting for the IntelAMT database, which is used by OOB Site service, requires Windows Authentication.
One approach to correcting this installation error is to set the database authentication to Mixed Mode, where both SQL Server and Windows Authentication are allowed. The image below shows the database setting using SQL Server Management Studio Express.
A successful installation of the OOB Site Service with Intel SCS should show a screen similar to the one below.
Insight #3: Filters of Intel AMT Systems
An item that caught my attention is the use of Filters instead of Dynamic Collections. Filters provide a database view of systems that meet specific criteria. Previous postings covered OOB Discovery and Dynamic Collections in Altiris 6 (see http://www.symantec.com/connect/blogs/do-i-have-intel-vpro-my-environment and http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-2-determining-what-systems-are-intel-amt-and-remote).
The OOB Discovery package is enabled as shown below, after accessing Settings > Agents/Plug-ins > All Agents/Plug-ins, expanding Remote Management, expanding Out of Band Management, and selecting OOB Discovery.
The OOB Discovery process populates the necessary database fields to help identify which systems are Intel AMT capable, which are configured Intel AMT systems, which support remote configuration, and so forth. To access the screen below, select Home > Remote Management > Out of Band Management and expand the Filters menu. Another way to reach it is to select Manage > Filters and expand Out of Band Management.
If a filter shows no members or fewer members than expected, click Update Membership to run the SQL query associated with the filter.
Using the predefined filter, an administrator is able to quickly assess how many Intel AMT capable systems are present, which ones are configured by the local OOB Site Service, and so forth.
Insight #4: Placement of the Remote Configuration Certificate
More than a year ago, an article was posted on obtaining and applying a VeriSign remote configuration certificate (see http://www.symantec.com/connect/articles/obtaining-and-applying-verisign-remote-configuration-certificate). Supporting materials on a remote configuration selection tool and whitepaper were also posted online (see http://communities.intel.com/docs/DOC-2432)
A few key differences in how the remote configuration certificates are placed:
- The Loadcert utility is no longer required
- More than one certificate can be applied (up to 50)
- The certificate(s) MUST be in the "My Certificate Store" of the AMTconfig logon account
First, is the Remote Configuration certificate installed and accessible to the OOB Site Service, primarily the Intel SCS v5 software? The following screen from Out of Band Management provides a clear indication that no remote configuration certificate was found.
It is important to know what the logon account is for AMTconfig. This is done by opening Windows Services, right-clicking on AMTconfig, and selecting the Logon tab. If AMTconfig is not installed, refer to Insight #2 above.
The screenshot below shows the AMTconfig service logon uses a domain account.
Since the domain account is not the same as the logged-on user, accessing the "My Certificate Store" will require a few extra steps.
The certificate store is accessible without logging off. As shown in the following screen, use the "runas" Windows command to open MMC in the context of the logon account for AMTconfig. A prompt will appear for the user's password.
Once the MMC is started in the correct user context, add the certificate snap-in for "My User Account", which is the certificate store of the logged-on user (here, the AMTconfig logon account). This is the certificate store where the Intel SCS (i.e. AMTconfig) will look for remote configuration certificates.
Certificates should be imported with the operating system automatically handling where they are placed - all issued certificates will be located in the "Personal" folder.
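The same check can be scripted. The PowerShell below is an added example, not part of the original article or of Symantec's or Intel's tooling: it looks up the AMTconfig logon account, tells you how to re-launch under that account with runas, and then lists the Personal store with the properties that matter for remote configuration. Assumptions: the service short name is "AMTconfig" as written in this article, the script file name is hypothetical, and the EKU OID and OU marker come from Intel's AMT remote configuration certificate requirements rather than from this page.

```powershell
# Hypothetical helper, e.g. saved as Check-AmtCertStore.ps1 (added example).
$svcName = 'AMTconfig'                           # service name as used in the article
$amtOid  = '2.16.840.1.113741.1.2.3'             # Intel AMT remote-configuration EKU OID
$amtOu   = 'Intel(R) Client Setup Certificate'   # alternative marker in the subject OU

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "$svcName is not installed; see Insight #2." }

# Resolve the service logon account to a SID so the comparison does not
# depend on how the name is written (DOMAIN\user, user@domain, ...).
try {
    $svcSid = ([Security.Principal.NTAccount]$svc.StartName).Translate(
                  [Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve logon account '$($svc.StartName)' to a user account."
}

$mySid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($mySid -ne $svcSid) {
    # Wrong context: Cert:\CurrentUser\My would show *your* store, not the
    # one Intel SCS reads. runas loads the target profile by default.
    "Not running as $($svc.StartName). Re-run in that context:"
    "  runas /user:$($svc.StartName) `"powershell.exe -NoExit -File $PSCommandPath`""
    return
}

# Correct context: report each certificate in the Personal ("My") store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ekus = $_.Extensions |
        Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        Expired       = $_.NotAfter -lt (Get-Date)
        HasPrivateKey = $_.HasPrivateKey   # required, or SCS cannot use the cert
        AmtMarker     = ($ekus -contains $amtOid) -or ($_.Subject -like "*OU=$amtOu*")
    }
} | Format-List
```

A certificate that is expired, lacks a private key, or shows AmtMarker as False is a likely reason for the "no remote configuration certificate found" screen even when something is present in the Personal folder.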
This article provides four quick insights intended for those familiar with the Intel vPro technology, with configuring and deploying the technology in an Altiris 6 environment, and looking for key insights for Altiris 7 environments (aka Symantec Management Platform).
If you have a specific request for additional information - please indicate.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.