Intel,Altiris Group

Utilizing Altiris Network Discovery for Intel vPro AMT System Management 

Jun 17, 2007 08:09 PM

Provisioning Intel vPro AMT systems as they are procured can follow a standard process that populates the Intel AMT and Altiris databases, providing full vPro or AMT functionality through the Altiris product suite: Altiris Manageability Toolkit for Intel vPro Systems, or any other suite that contains the products supporting the powerful features of the Intel vPro platform.

Yet what about those systems that may be out on the network that have Intel vPro technology but are undiscovered? Network Discovery answers this -- whether the systems are managed by Altiris or not. As an agentless product, it can discover Intel AMT capable computers and place them into managed collections, thus exposing the functionality available to AMT systems.

Preparing Network Discovery for AMT Capture

Prerequisites

Before Network Discovery can properly discover a system with AMT, a few prerequisites must be met. This may limit which machines you can discover, because AMT must be configured enough to be operable on the network. The list is as follows:

  • AMT must be enabled in the Intel Management Engine (ME)
  • A username and password must be set. The defaults are:
    • Username: admin
    • Password: admin
  • The scan must be set to use the correct username and password

ASF is also available for discovery using Network Discovery, but this document focuses on the Intel AMT functionality.

Network Discovery Settings

One setting is crucial for the Discovery process to properly discover, create a record for, and populate the collections with Intel AMT systems.

The following screenshot shows the Network Discovery Settings page:

Automatic Resource creation is essential when discovering AMT systems. If the option is not checked, only the Discovery database tables will be populated. No Notification Server computer resource will be created, so any AMT system discovered without this option will not be populated into the Network Discovery AMT collections. Use the following steps to confirm or enable Automatic Resource creation for Intel AMT systems:

  1. In the Altiris Console browse under View > Configuration > Solution Settings > Network Discovery > and select 'Network Discovery Settings'.
  2. On the resulting right pane page, ensure that 'Create NS Resources for:' is checked.
  3. Under that heading, ensure that 'AMT/ASF Devices' option is checked.
  4. If changes were made, click 'Apply' to save them.

Scan Policy Configuration

When setting up the Scan Group policy for the specific Discovery task, certain options must be checked and fields filled out properly. The following list covers each item that must be met for a successful discovery of Intel AMT systems to occur.

  1. In the Altiris Console, browse under View > Configuration > Solution Settings > Network Discovery > Scan Groups > right-click on the 'Default Scan Group' and choose 'Clone'.
  2. Right-click on the new Policy icon in the left pane and choose 'Rename' and provide an appropriate name for the Scan Group Policy.
  3. Highlight the Policy so the configuration page loads in the right-hand pane.
  4. Under the Method tab, either specify the IP of a Seed Device (like a Router) or enter an IP Address range that includes the Intel AMT Systems you wish to discover.
  5. The Schedule, Include, and Exclude tabs should be utilized as per your Network Environment.
  6. Under the Port Scan and SNMP/ICMP tab, several scanning methods are configurable here. It is recommended to configure those options that are available and permissible to be utilized on the network so that any data we capture from them will be included when Managed Resource computer records are created for the Intel AMT Systems. The port numbers may be different depending on how the Network Administrator has configured the environment.
  7. Click on the Advanced tab. This is where most of the Intel AMT configuration options are located. Refer to this screenshot:
  8. It is recommended to keep the Circular DNS resolution and NetBIOS name and domain options checked for the same reason stated before: to capture the most information possible.
  9. The AMT Scan box must be checked.
  10. Depending on the environment, check 'Small Business mode', 'Enterprise mode', or both to discover Intel AMT machines in one or the other mode, or both.
    Note: If you are running in Enterprise Mode but without TLS enabled, you must use the Small Business mode option as the Enterprise mode option always assumes an https URL type when making the AMT calls.
  11. Provide the Intel AMT username and password. The same Login and Password will be used in both modes, though the Domain name is only used in Enterprise mode.
  12. You have the option of collecting AMT Inventory. This is recommended as a nice add-on to the discovery process.
  13. Make sure to click 'Apply' when all configuration steps are complete.

Capturing AMT Devices and using Collections

Running a Discovery

There are two options for running a discovery:

  • Run Discovery on a Schedule -- You can set a specific schedule for Discovery to run. This is especially useful when Production times are restricted and the discovery network traffic is not allowed during business hours. A Discovery can be run late at night or early in the morning. A huge added benefit of Intel AMT is it will be active even if the system is powered down.
  • Run Discovery Now -- Click the 'Discover Now' button to initiate an immediate Network Discovery of the selected Scan Group.

When discovery is running, you can view a progress bar by clicking on the 'Discovered Devices' node, as shown:

There are 4 phases that must complete before a Discovery is finished. Depending on the range of IP Address that needs to be queried, a Network Discovery can take a significant amount of time. The first two phases take the most time, while the third and fourth phases are relatively short.

Discovery Results

On the same screen you'll see the results of the Network Discovery. Note the following:

  • When a Discovery completes, it does not automatically refresh the 'Discovered Devices' page. You may see no results until you click the refresh button on the icon bar.
  • The asterisk '*' normally indicates a managed device, while the absence of one indicates a device that is not managed by Notification Server. The UI provides an 'enable' button to create managed Notification Server resources. This process does not work for AMT discovered systems. We've already taken care of the creation by pre-configuring the Network Discovery Settings as covered previously.
  • Under 'Management Device', 'AMT' marks those systems that have been discovered as having AMT functionality. These should have already populated into the Network Discovery collections.

Network Discovery Collection Population

The following collections are created and maintained by Network Discovery. You can use these collections to conduct Task Server Tasks via OOB, or to launch the Real Time System Manager console for a direct one-to-one session.


  1. All AMT Devices -- This collection contains all AMT devices discovered by Network Discovery while Automatic Resource Creation is enabled.
    • The SQL Query behind this Collection:
      Guid IN
        (
          SELECT [_ResourceGuid]
          FROM Inv_AMT_Network_Info
        )
      
      
    • This query is part of the standard Collections parameters where a Computer is a managed Resource, but also has data in the Inv_AMT_Network_Info database table.
  2. All AMT Discovered Machines Without an Altiris Agent -- This collection contains all AMT devices discovered by Network Discovery while Automatic Resource Creation is enabled where the system does not have the Altiris Agent installed.
    • The SQL Query behind this Collection:
      Guid IN 
        (
          SELECT [_ResourceGuid]
          FROM Inv_AMT_Network_Info
          WHERE [_ResourceGuid] NOT IN (select [_ResourceGuid] 
          FROM Inv_AeX_AC_Client_Agent) 	
        )
          
      
    • This query checks the same data as the All AMT Devices query, but also checks the _ResourceGuid against the Basic Inventory table Inv_AeX_AC_Client_Agent. Systems with the Altiris Agent installed (or installed in the past and still having data in this table) are excluded, so only AMT systems without agent data qualify for this collection.
  3. All ASF Devices -- This collection contains all ASF devices discovered by Network Discovery while Automatic Resource Creation is enabled.
    • The SQL Query behind this collection:
      Guid IN
        (
          SELECT [_ResourceGuid]
          FROM Inv_ASF_Network_Info
        )
          
      
    • Similar to the All AMT Devices collection, except that it keys off the table Inv_ASF_Network_Info.
  4. All ASF Discovered Machines with an Altiris Agent -- This collection contains all ASF devices discovered by Network Discovery while Automatic Resource Creation is enabled where the system does not have the Altiris Agent installed.
    • The SQL Query behind this collection:
      Guid IN
        (
          SELECT [_ResourceGuid]
          FROM Inv_ASF_Network_Info
          WHERE [_ResourceGuid] NOT IN (SELECT [_ResourceGuid] 
          FROM Inv_AeX_AC_Client_Agent) 
        )
          
      
    • This query checks the same data as the All ASF Devices query, but also checks the _ResourceGuid against the Basic Inventory table Inv_AeX_AC_Client_Agent. Systems with the Altiris Agent installed (or installed in the past and still having data in this table) are excluded, so only ASF systems without agent data qualify for this collection.
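
The collection filters above can be tried on constructed data to see which discovered AMT systems fall outside agent management. This is an added example, not Altiris code: it uses an in-memory SQLite database as a stand-in for the Notification Server database, and the Computer table and all rows are hypothetical. It also shows general SQL behaviour worth knowing when reusing the pattern: a NOT IN subquery that returns a NULL matches nothing, while the NOT EXISTS form does not have that problem.

```python
import sqlite3

# Constructed sample data. Inv_AMT_Network_Info and Inv_AeX_AC_Client_Agent are
# the table names from the article; the Computer table and every row are
# hypothetical stand-ins for Notification Server computer resources.
SCHEMA = """
CREATE TABLE Computer (Guid TEXT PRIMARY KEY, Name TEXT);
CREATE TABLE Inv_AMT_Network_Info (_ResourceGuid TEXT);
CREATE TABLE Inv_AeX_AC_Client_Agent (_ResourceGuid TEXT);
INSERT INTO Computer VALUES ('g1','amt-with-agent'), ('g2','amt-no-agent'),
                            ('g3','plain-with-agent'), ('g4','amt-no-agent-2');
INSERT INTO Inv_AMT_Network_Info VALUES ('g1'), ('g2'), ('g4');
INSERT INTO Inv_AeX_AC_Client_Agent VALUES ('g1'), ('g3');
"""

# Collection filters as the article gives them (WHERE-clause fragments).
ALL_AMT = "Guid IN (SELECT [_ResourceGuid] FROM Inv_AMT_Network_Info)"
AMT_NO_AGENT = """Guid IN (
    SELECT [_ResourceGuid] FROM Inv_AMT_Network_Info
    WHERE [_ResourceGuid] NOT IN (SELECT [_ResourceGuid]
                                  FROM Inv_AeX_AC_Client_Agent))"""
# NULL-safe rewrite of the same filter (an alternative, not the product's query).
AMT_NO_AGENT_SAFE = """Guid IN (
    SELECT a.[_ResourceGuid] FROM Inv_AMT_Network_Info a
    WHERE NOT EXISTS (SELECT 1 FROM Inv_AeX_AC_Client_Agent c
                      WHERE c.[_ResourceGuid] = a.[_ResourceGuid]))"""

def make_db():
    """Build the constructed in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def members(db, where_fragment):
    """Return the computer names selected by a collection WHERE fragment."""
    sql = f"SELECT Name FROM Computer WHERE {where_fragment} ORDER BY Name"
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    print("All AMT:", members(db, ALL_AMT))
    print("AMT, no agent:", members(db, AMT_NO_AGENT))
    # A single NULL in the agent table makes the NOT IN form match nothing.
    db.execute("INSERT INTO Inv_AeX_AC_Client_Agent VALUES (NULL)")
    print("NOT IN after NULL:", members(db, AMT_NO_AGENT))
    print("NOT EXISTS after NULL:", members(db, AMT_NO_AGENT_SAFE))
```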

Conclusion

Once systems are in the Network Discovery collections you can use those collections in Out of Band Management jobs and to launch the Real-Time tab within Resource Manager to directly control the AMT functions on a given system. In a collection view you can right-click and choose Real-Time System Manager > Manage to launch the RTSM console with direct ability to view and manipulate AMT functionality. In Task Server you can assign AMT devices singly or the collection as a whole to any Server-Tasks executing AMT functions.
