The golden rule to remember with Intel® Active Management Technology (AMT) is that once the management engine is configured, any authenticated and authorized request is accepted. "Authenticated and authorized" refers to the settings within the provision profile, which define the authentication protocol, whether TLS certificates are used, access control, and so forth.
When used within the Altiris RTSM or TaskServer consoles, the Real-Time Console Infrastructure Configuration Profile and settings define the correct authentication credentials and related information. In essence, this data is abstracted from the console user. But what if you have another solution outside of Altiris Notification Server that could greatly benefit from using some of the core Intel® AMT functionality? For example, what about Altiris Deployment Server usage? Wouldn't it be great to use Intel® AMT remote power-on functionality instead of Wake-on-LAN? Perhaps you want to force a PXE boot using Intel® AMT. Even better - your environment is not yet ready to utilize Altiris TaskServer, yet you simply want to remotely power on systems using Intel® AMT for software distribution events and so forth. Full integration and usage of Altiris TaskServer or the combination of Notification Server and Deployment Server in version 7 is the end goal - yet you really want a solution today.
It will require some scripting knowledge and awareness.
Obtaining Intel® AMT Commandline Utilities
If you download the Intel® AMT SDK (http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk), there are a few files you may be interested in trying out. Once you download and extract the SDK files, navigate to the \Windows\Intel_AMT\Bin directory and locate the file RemoteControl.exe.
There are other utilities and documents to reference, yet for the focus of this article only remotecontrol.exe will be highlighted. The following information assumes you've completed the provisioning and configuration of the technology, and that the client is in a Basic or Standard provisioned state (for explanation see Options and Core Criteria to Provisioning Intel vPro Technology.)
In the same directory where you found remotecontrol.exe, another important file is statusstrings.dll. When using the remotecontrol.exe utility, the DLL must be in the same directory context as the executable.
What Can RemoteControl.exe Accomplish?
If you run the remotecontrol.exe within a command window, a number of options will be shown as follows:
Usage:
remotecontrol <opt> [-verbose] [-user <username> -pass <password>] [-certName <name>] [-proxy <proxy ip:port> -proxyUserName <proxyUserName> -proxyPassword <proxyPassword>] http[s]://<Hostname>:<Port>/<RemoteControlUri>
Where <opt> is :
-p : GetSystemPowerstate
-c : GetRemoteControlCapabilities
-r : RemoteControl
-A : perform API test
-B : perform API test without boot
To run API test in verbose mode include -verbose option
If -user <username> -pass <password> are defined the Digest authentication scheme is used, otherwise the Kerberos authentication scheme will be attempted.
Client authentication options (TLS Mutual Authentication mode only):
-certName: If option defined, <name> specifies the client certificate's Common Name (CN). If option is not specified the sample application will search the certificate store for a client certificate matching Intel(R) AMT requirements. The first one found will be used for authentication.
Example:
remotecontrol -p -user admin -pass Admin!123 http://hostname:16992/RemoteControlService
remotecontrol -p -certName MyCert -user admin -pass Admin@98 https://hostname:16993/RemoteControlService
Furthermore, if you review the attached ZIP file, it contains four samples of output which highlight what the remotecontrol.exe can do. In each sample, please note that MD5 Digest credentials were directly specified (i.e. admin\P@ssw0rd), along with target system IP address (could be FQDN or hostname), and the target Intel® AMT server (i.e. RemoteControlService).
The following is only a summary of what is shown in each text file:
- PowerState.txt - When executed, this returns the hardware power state of the system. State 0 means the system is powered on. State 3 means the target system is in a sleep power state. State 5 means the system is hibernated or off.
- Capabilities.txt - When executed, this returns the reported Intel® AMT capabilities of the target platform. You will notice that some of the redirection capabilities shown in Altiris RTSM are mentioned, specifically forcing a PXE, harddrive, or local optical drive boot.
- APItest.txt - When executed, this returns the combination of the two samples mentioned above. A warning for your own testing, however: use the -B option to avoid a power-off of the target client.
- Powerupsample.txt - This shows the full list of options and menus which must be selected to direct a normal power-on of the target client. As you review the options, you may come across a few items and possibilities of interest. As will be noted in the next section, the responses and selections can be piped in.
The remotecontrol.exe is only one sample tool in the Intel® AMT SDK. As stated earlier, it would be easiest to use the integrated Intel® AMT functionality of the Altiris console. However, when a unique need or circumstance arises - having other options is always helpful.
All I want to do is power on a known set of Intel® AMT clients
With the foundational information noted above, integrating an Intel® AMT remote power-on command to your script is relatively simple. You will need to know the authentication credentials and target system name or address (i.e. IP address, FQDN, or hostname if in same DNS context). The key part is piping in the desired actions.
To remotely power-on a system, the sequence to be piped into the command is:
Place those five numerical values in a text file (i.e. PowerUp.txt) and run the following command:
RemoteControl.exe -r -user admin -pass P@ssw0rd http://<IPaddress>:16992/RemoteControlService < powerup.txt
If successful in your tests, the above command could be integrated into a batch script, VBscript, Perl script, or other script of your preference. Even better, to avoid having users see the authentication details (username and password), use a secure or encrypted script - a custom built and owned application - with the access control user details embedded and thus hidden from users of your internal script or application.
The examples shown in this article utilize the Intel® AMT admin account. In production environments, a preferred user account as defined by the provision profile and access control list for the Intel® AMT device should be used. The Intel® AMT admin account password can be randomized by the provision service, and the user account ACL can be limited to only a subset of allowed functions.
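As an added illustration of the scripted integration described above (not code from the original article or the Intel® AMT SDK), the following Python sketch runs the -r command against a list of hosts with the answers file on standard input. The function names and the AMT_USER / AMT_PASS environment variables are assumptions; the options, ports and service name are the ones shown in the usage text.

```python
import os
import re
import subprocess

EXE = "RemoteControl.exe"    # SDK sample; statusstrings.dll must sit beside it
SERVICE = "RemoteControlService"
# Letters, digits, dots and hyphens only, and no leading hyphen, so an entry
# from a host list can never be read by the tool as another option.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def build_command(opt, host, user, password, tls=False, cert_name=None):
    """Return the argument list for one RemoteControl.exe call."""
    if opt not in ("-p", "-c", "-r"):
        raise ValueError("unsupported option: %r" % (opt,))
    if not HOST_RE.match(host):
        raise ValueError("rejected host value: %r" % (host,))
    argv = [EXE, opt]
    if cert_name:                       # TLS mutual authentication
        argv += ["-certName", cert_name]
    secure = tls or bool(cert_name)
    url = "%s://%s:%d/%s" % ("https" if secure else "http",
                             host, 16993 if secure else 16992, SERVICE)
    # The usage text offers only -pass for Digest, so the password is still
    # visible in the process command line while the tool runs.
    return argv + ["-user", user, "-pass", password, url]


def power_on(hosts, answers_file="powerup.txt", tls=False, runner=subprocess.run):
    """Run -r against each host, feeding the menu answers on stdin."""
    user = os.environ["AMT_USER"]       # assumed variable names
    password = os.environ["AMT_PASS"]
    results = {}
    for host in hosts:
        try:
            argv = build_command("-r", host, user, password, tls=tls)
        except ValueError as err:
            results[host] = str(err)    # skip bad entries, keep going
            continue
        with open(answers_file, "rb") as answers:
            # List form, no shell: nothing in argv is re-parsed by cmd.exe.
            done = runner(argv, stdin=answers, capture_output=True, timeout=120)
        results[host] = done.returncode
    return results
```

The credentials come from the environment of the account that runs the job rather than from the script file, and the account used should be the limited ACL user described above rather than admin.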
Conclusion
Once Intel® AMT is configured, any authenticated and authorized request can utilize the technology. In addition, there are a host of sample tools which can be easily integrated into a command line or other script environment. Having a configured management console such as Altiris with RTCI, OOBM, TaskServer, and RTSM is optimal in utilizing the Intel® AMT technology. However, when the need arises, such as an Altiris Deployment Server v6 environment, the administrator can still utilize the Intel® AMT functionality.