The Altiris Out of Band Management Solution (OOBM) helps administrators automate both profile and fully qualified domain name (FQDN) assignments. Profiles provide information on how the client system should behave in regards to Intel vPro usage, including access rights and functions availability. Slide on your spectacles and read on to get the full provisioning scoop.

Introduction

Altiris acts as a front-end user interface for the Intel SCS Server. Out of Band Management Solution has a Provisioning piece that can be used to provision Intel vPro systems with the Intel SCS Server. The following components must be installed:

1. Out of Band Management Solution —
Altiris_OutOfBandManagement_6_1.exe (This constitutes the UI elements and engine components for Out of Band Management Solution)
2. Out of Band Management Setup and Configuration Solution —
Altiris_OOBSC_6_1.exe (This constitutes the install of the Provisioning piece including a default install of Intel SCS Server)
3. Language Packs —
Altiris_OutOfBandManagementLP_6_1.exe, Altiris_OutOfBandSCLP_6_1.exe

All these items should be included if using AICM or Solution Center to install Out of Band Management Solution.

Intel vPro Provisioning: Authenticating and registering a vPro client system with an Intel SCS Server database, placing the system into a managed state. Altiris is the front end for this Management.

This document provides technical details on how the Provisioning process functions with Altiris Out of Band Management Solution in conjunction with Intel SCS. Note that systems must be pre-provisioned before the following process can occur. The Provisioning model does not support Small Business Mode. Systems must have a PID PPS password key-pair with a corresponding password before ‘hello’ messages will even be sent for us to capture. The actual provisioning process is covered here after we have received a ‘hello’ message from a pre-provisioned Intel AMT System.

Provisioning

The following details provide data on the Provisioning Process.

I. For Intel SCS to be able to provision an AMT box, Intel SCS requires two major things:

1. What profile should be used for each given UUID.
2. What FQDN (Fully Qualified Domain Name) should be set to each given UUID.

II. Altiris’ Out of Band Management Solution (OOBM) functions to assist an Administrator to automate both profile and FQDN assignments. Profiles provide information on how the client system should behave in regards to vPro usage, including access rights and functions availability. OOBM tool (oobprov.exe) registers within Intel SCS to be executed when the Intel SCS receives a hello message. The Oobprov tool makes the call to one of the Out of Band HTTP pages (provrequest.aspx passes to it the IP and UUID from the hello message) to create Profile+FQDN assignments for the given UUID/IP address. See IV for additional details on this step.

III. The following details provide details steps of how the steps are performed by oobprov.exe+provrequest.aspx on receiving the ‘hello’ message from the Intel SCS:

1. Discover if there is a profile assigned in the synchronization policy (found in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > Resource Synchronization).
2. The call fails if no assignment is specified here. NOTE! The box next to the profile assignment MUST be checked for Provisioning to occur. See this screenshot:


Click to view.

3. Altiris next attempts to find the FQDN of the Intel AMT system from the Altiris CMDB based on the UUID. The CMDB will have data for this step if either it is an Agent-based scenario or the system has been properly discovered using a discovery method (ie: Network Discovery).
4. Try to find the FQDN in Altiris CMDB by IP Address.
NOTE! Given the DHCP environment we potentially can find a resource in the Notification Server database that is not the Intel vPro system. For example, if the IP Address changed on a computer resource and the previous one was assigned to the Intel AMT computer, but Altiris Agent Basic Inventory is not yet sent (Meaning the Altiris CMDB is not up to date with the correct IP Address for the former system, yet the vPro system has the same IP address and sends it in the hello message. In this case step e and f.
Additional NOTE: Basically CMDB will have data for this step only if Network Discovery was able to collect FQDN for the target box and populate the following inventory tables - Inv_AeX_AC_Location, Inv_AeX_A__TCPIP.
5. Altiris next tries to connect to the target box via WMI to get FQDN.
6. Following WMI, Altiris will conduct a DNS lookup by IP address if we still do not have the FQDN or if the FQDN is coming from CMDB based on IP address. This is done as a last step since DNS lookup can return more than one alias, and we need to see which one is best to use. The one found in the Altiris CMDB will be used. Thus if we had the FQDN collected from the Altiris CMDB by IP address, we will see if the DNS lookup results have it in the list of aliases returned. If the CMDB’s FQDN is not found in the list of aliases (that is, for some reason CMDB has incorrect FQDN for the given IP address) or no FQDN was found from the database, then we will just return resolved hostname.

IV. The details on the step II above are now presented:

1. First, Out of Band Management (OOBM) attempts to contact the Notification Server to find the exact same UUID as in the request (hello message). The possible tables we are searching in are:
2. Inv_AMT_Computer_System—this table is generated from Network Discovery Solution (if Network Discovery was not installed when the OOB Install occurred, OOB will have created it).
   Note: If this is the first time the Enterprise-mode AMT computer is provisioned, then Network Discovery will not be able to populate the AMT specific table until the AMT computer is provisioned because populating AMT specific tables requires calling AMT interfaces to collect inventory—this is possible only after the AMT box is provisioned. In general Network Discovery can probably be of use only if there is a host operating system installed and ND is able to collect enough data (FQDN and so on) to create Notification Server computer Resource. This potentially can be used later on by OOBM. If Network Discovery is unable to obtain the FQDN, then the Network Discovery data is not useful for Out of Band Provisioning.
3. Inv_OOB_Capability—this table is created from Out of Band Management Discovery, either through the “AMT Inventory” server task (if executed previously). OOB discovery is an executable that is downloaded and executed by Altiris agent’s Software Delivery subagent, which is required for the Discovery piece to function.
Note: This table is populated by OOB discovery policy which runs in-band on the target box and requires Altiris agent installed.

V. The following reviews how Provisioning functions two different scenarios: No Agent Scenario (but with host operating system installed), and Agent Based Scenario (operating system host installed and Altiris agent and subagents installed).

1. No Agent Scenario:
   In this case the Altiris CMDB does not have any resource created for the given AMT computer and does not have any inventory in the Altiris CMDB with a UUID populated for the given AMT box. Therefore OOB cannot find either a UUID or FQDN from the Altiris CMDB. Therefore OOB will try to connect to the host OS via WMI to get the FQDN, and if that is not possible it then uses a DNS lookup for the given IP Address.
2. Agent Based Scenario:
   The Agent-based scenario requires the Altiris Agent to be installed, and thus the Altiris Agent can be utilized to capture the required data. In this case the Task for OOB discovery will be sent down to the Altiris Agent and run to collect the UUID and the FQDN for the Notification Server computer resource. This is sent up to the Notification Server and loaded into the database, and OOBM will find this NS resource in the CMDB based on UUID in the hello message. Once the Notification Server resource is known, OOB will find the FQDN in the CMDB, will do additional verifications described previously, and create the correct mapping entry in Intel SCS for the given AMT box, allowing the Intel SCS to proceed.

Conclusion

Again note that the above details assume that the Intel vPro System has been pre-provisioned. If a system has not, it will not be sending out ‘hello’ messages, and will never show up in the Altiris Console under the Intel AMT Systems node.

When a System shows the status of Provisioned, a profile has been assigned it and it is now properly registered in the Intel SCS database:

Click to view.