I've provisioned an AMT machine in Enterprise mode with TLS security and it's working fine, but when I change to "Use TLS Security + XXX" following the required steps, the machine is not seen by AMT Director and the provisioning is not finished, requiring me to manually reset the AMT system and switch back to "Use TLS Security".
Which version of AMT are you using? How did you unprovision the system before switching to "use TLS + XXX"? Was it through the Director? If so, did you go for partial or full unprovisioning?
I've continued trying different approaches and now it's working with TLS + console authentication. The thing is that I used to click on "toggle trust" on the certificate that I selected for the Profile, and what I tried now was creating a certificate, not toggle-trusting it, and then selecting it for the Security Profile.
Please verify for me if this is the working flow:
- The AMT machine authenticates the server using a certificate issued by the Root certificate.
- The server authenticates the AMT machine because the machine is using a certificate that the server trusts.
And please confirm: when it says "console configuration", is it talking about any application trying to connect to the AMT machine, or specifically about Director? And when it talks about "agent", is it referring to any application using the "agent presence" feature on the AMT machine?
The mutual authentication process of Remote Configuration is as follows:
- The ProvisionServer requests the self-signed certificate of the Intel AMT client.
- The Intel AMT management engine requests the Intel Client Setup Certificate from the ProvisionServer. Based on the self-signed certificate from the client, the ProvisionServer generates TLS key 1 and encrypts this using the public key obtained from the client's self-signed certificate. The encrypted TLS key 1, Intel Client Setup Certificate, and PEM file are then sent to the management engine.
- At this point, the Intel AMT client does some validation. It extracts and stores Key 1. Using the PEM file and Intel Client Setup Certificate, the management engine extracts the root certificate, generates a certificate hash and validates it against the local active certificate hash. NOTE: If the two hashes do not match, the process stops. It then validates the OU assignment of the Intel Client Setup Certificate against the DNS suffix received via DHCP IP lease with option 15. For this reason, each ProvisionServer MUST have a unique Intel Client Setup Certificate. A wildcard certificate (e.g. *.company.com) is supported (AMT version 2.6 and beyond).
- If the previous validation steps complete successfully, the Intel AMT management engine creates TLS key 2, encrypts with the public key of the Intel Client Setup Certificate obtained from the ProvisionServer, and transmits.
- With TLS key 1 and key 2 obtained by both the ProvisionServer and the Intel AMT management engine, mutual authentication has occurred and an MTLS session is established.
At this point, the configuration process occurs where the FQDN and UUID are matched, the assigned Intel AMT profile is sent to the management engine, and the changes are committed.
Regarding the question on console - I assume you are asking whether a Management Console is any application that can manage an AMT system, not just the Director; and that is correct.
A software agent is any application like an antivirus or firewall running on the AMT system. More details on this can be seen in the Agent Presence Checking Use Case and the System Defense and Agent Presence Guide.
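To make the Remote Configuration exchange described in the reply above concrete, here is an added example (not code from the original thread, Intel, or the Director product) that models both sides of the handshake and the two validation gates the management engine applies: the root-certificate hash check against the locally active hashes, and the OU-versus-DHCP-option-15 check including the wildcard case that only AMT 2.6 and later accept. Everything here is an assumption made for illustration: the "certificates" are constructed byte strings wrapped in PEM, the fingerprint is SHA-256 over the DER, the root is taken to be the last certificate in the bundle, the `*.` wildcard is taken to match the base domain and any subdomain of it, and TLS keys 1 and 2 are carried as plain fields rather than RSA-encrypted to the certificate public keys, so that the gating logic stays visible.

```python
import base64
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_pem_chain(pem_text: str) -> list:
    """DER payload of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM block (used only to build the constructed sample chain)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def cert_hash(der: bytes) -> str:
    """Fingerprint compared against the ME's active hash list. Assumption: SHA-256 over DER."""
    return hashlib.sha256(der).hexdigest()


def ou_matches_dns_suffix(ou: str, dhcp_suffix: str, amt_version: Tuple[int, int]) -> bool:
    """OU of the Intel Client Setup cert vs. the DNS suffix from DHCP option 15.
    Assumption: case-insensitive exact match; a '*.' wildcard is honoured only on AMT 2.6+
    and matches the base domain or any subdomain of it."""
    ou, dhcp_suffix = ou.lower().strip("."), dhcp_suffix.lower().strip(".")
    if ou.startswith("*."):
        if amt_version < (2, 6):
            return False
        base = ou[2:]
        return dhcp_suffix == base or dhcp_suffix.endswith("." + base)
    return ou == dhcp_suffix


@dataclass
class ProvisionServer:
    setup_cert_ou: str  # OU of this server's Intel Client Setup certificate
    pem_chain: str      # Setup certificate chain as a PEM bundle, root last (assumption)
    key1: bytes = field(default_factory=lambda: os.urandom(32))

    def setup_message(self, client_self_signed: bytes) -> Dict[str, object]:
        # Real AMT: key1 is encrypted to the public key of the client's self-signed cert.
        return {"client_cert_hash": cert_hash(client_self_signed), "key1": self.key1,
                "setup_cert_ou": self.setup_cert_ou, "pem": self.pem_chain}


@dataclass
class AmtClient:
    amt_version: Tuple[int, int]
    dhcp_domain: str            # value of DHCP option 15
    active_hashes: Set[str]     # root hashes provisioned in the ME
    self_signed_cert: bytes = field(default_factory=lambda: os.urandom(64))
    key1: Optional[bytes] = None
    key2: Optional[bytes] = None

    def validate_setup(self, msg: Dict[str, object]) -> Tuple[bool, str]:
        self.key1 = msg["key1"]                       # "extracts and stores Key 1"
        chain = parse_pem_chain(msg["pem"])
        if not chain:
            return False, "no certificate in PEM file"
        if cert_hash(chain[-1]) not in self.active_hashes:
            return False, "root certificate hash not in active hash list"   # process stops
        if not ou_matches_dns_suffix(msg["setup_cert_ou"], self.dhcp_domain, self.amt_version):
            return False, "setup certificate OU does not match DHCP option 15 suffix"
        return True, "ok"

    def reply(self, msg: Dict[str, object]) -> Tuple[Optional[Dict[str, bytes]], str]:
        ok, reason = self.validate_setup(msg)
        if not ok:
            return None, reason
        self.key2 = os.urandom(32)
        # Real AMT: key2 is encrypted to the Setup certificate's public key.
        return {"key2": self.key2}, "ok"


def session_secret(key1: bytes, key2: bytes) -> str:
    """Both sides combine key1 and key2; equal values mean mutual authentication held.
    Assumption: a hash over key1||key2 stands in for the real TLS key derivation."""
    return hashlib.sha256(key1 + key2).hexdigest()


def remote_configuration(server: ProvisionServer, client: AmtClient) -> Tuple[bool, str]:
    """Run the exchange end to end; returns (mTLS session established?, reason)."""
    msg = server.setup_message(client.self_signed_cert)
    reply, reason = client.reply(msg)
    if reply is None:
        return False, reason
    if session_secret(server.key1, reply["key2"]) != session_secret(client.key1, client.key2):
        return False, "key agreement failed"
    return True, "mTLS session established"


# Constructed sample material (not real certificates).
ROOT_DER = b"constructed-root-certificate-der-bytes"
SETUP_DER = b"constructed-intel-client-setup-certificate-der-bytes"
CHAIN_PEM = make_pem(SETUP_DER) + make_pem(ROOT_DER)


def scenarios() -> Dict[str, Tuple[bool, str]]:
    good = {cert_hash(ROOT_DER)}
    return {
        "exact_ou":        remote_configuration(ProvisionServer("company.com", CHAIN_PEM),
                                                AmtClient((3, 0), "company.com", good)),
        "bad_root_hash":   remote_configuration(ProvisionServer("company.com", CHAIN_PEM),
                                                AmtClient((3, 0), "company.com", {cert_hash(b"other")})),
        "wildcard_amt25":  remote_configuration(ProvisionServer("*.company.com", CHAIN_PEM),
                                                AmtClient((2, 5), "sales.company.com", good)),
        "wildcard_amt26":  remote_configuration(ProvisionServer("*.company.com", CHAIN_PEM),
                                                AmtClient((2, 6), "sales.company.com", good)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The practical reading: a hash mismatch means the hash provisioned in the ME (via MEBx or the OEM) does not correspond to the root of the chain the ProvisionServer presents, and an OU mismatch means the Setup certificate was issued for a different DNS domain than the one the client received from DHCP; both abort before any key material is used, which is why a wrongly trusted or wrongly issued certificate leaves the machine unseen by the console rather than half-provisioned.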