Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

AMT Remote Unprovision

calsboy
Beginner
1,152 Views

Hi,

I would like to ask if it's possible to unprovision and set up an AMT device remotely (from a service)? A colleague has told me that this is possible. Can anyone point me to articles or documents that discuss how to do this and what APIs I should use?

Thanks in advance.

12 Replies
Sreelekshm_S_Intel

Hi,

You can do this with the Setup & Configuration Service (SCS). Please refer to http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs for details on this.

Thanks,

Sree

calsboy
Beginner

Hi Sree,

Thanks for the information you provided, but I have some more questions.

I am using Intel AMT 2.1. Are the APIs described in the link you provided supported in AMT 2.1?

I've seen the following Network Administration/Security Administration APIs that I believe are supported in AMT 2.1.

1. Unprovision - can I use this API to unprovision the AMT device? Is it still necessary to turn off and unplug the AMT device once the remote unprovision is done?

After a successful remote unprovision of the AMT device, I would like to configure it back. I have seen the following APIs that I believe I can use for this purpose:

1. SetProvisioningMode - set provisioning mode (in my case I would like to set it to Enterprise Mode)
2. SetTLSPSK - set the PID and PPS
3. ? - but I still need an API to set the Provisioning Server and Port Number that the AMT device should send the hello message to once configured. Is there an existing API for this purpose?

Is what I am doing correct? Is there a better approach/APIs that I can use to implement what I want?

One more question: is there a way for a server to know if a system has an AMT device? I know an AMT device will send a hello message once it's configured to Enterprise mode; this could be one way to know that a system has an AMT device. But what if it's set to Small Business mode?


Thanks in advance.

Sreelekshm_S_Intel

Hi,

1. Yes, you can use the Unprovision API to unprovision the AMT device. You don't have to turn off and unplug the AMT device after remote unprovisioning.

2. If your system is currently in SMB mode and you would like to re-provision it to Enterprise mode, you have to do it locally through MEBx.

If it is already in Enterprise mode and you would like to re-provision it, you can set the provisioning mode and TLS/PSK with the APIs you have mentioned, but then you should go for only a partial unprovision to retain the PSK. If you go for a full unprovision, you will have to set the PSK locally.

3. There is no API for setting the Provisioning Server and Port Number remotely.

4. You can use generally any API to know if a system has an AMT device. If you get a reasonable response, you know that AMT is present. If you get a SOAP error indicating there was no response (even no error response), then you can assume that AMT is not there or not enabled.

Thanks,

Sree

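A defender-side inventory check that follows Sree's rule above (an added example, not code from this thread or from Intel): it posts one read-only SOAP request to the AMT management port and classifies the outcome as present, present-but-needs-credentials, absent, or unknown. The port 16992, the SecurityAdministrationService path, the GetCoreVersion operation and its namespace are assumptions drawn from the AMT 2.x SOAP interface, not from this thread; the sample outcomes are constructed so the classifier can be checked offline.

```python
# Inventory probe: does this host answer as an Intel AMT device? Rule from the thread:
# a sensible SOAP reply (even a fault or a 401) means AMT is present; no reply at all
# on the AMT port means absent or disabled.
import socket
import urllib.error
import urllib.request
from typing import Optional

AMT_PORT = 16992  # assumed: AMT's non-TLS management port (not stated in the thread)
SERVICE_PATH = "/SecurityAdministrationService"  # assumed AMT 2.x SOAP service path
SOAP_NS = "http://schemas.intel.com/platform/client/SecurityAdministration/2004/01"

def build_get_core_version_request() -> bytes:
    """SOAP 1.1 envelope for GetCoreVersion, a harmless read-only call (assumed name)."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soap:Body><GetCoreVersion xmlns="{SOAP_NS}"/></soap:Body>'
            '</soap:Envelope>').encode("utf-8")

def classify_probe(status: Optional[int], body: str, error: Optional[str]) -> str:
    """Map one probe outcome to present / present-auth-required / absent / unknown."""
    if error is not None:      # refused, timed out, unreachable: nothing answered
        return "absent"
    if status == 401:          # AMT answered and wants HTTP Digest credentials
        return "present-auth-required"
    if "GetCoreVersionResponse" in body or "Fault" in body:
        return "present"       # a real reply or a SOAP fault: something speaks SOAP
    return "unknown"           # some other HTTP service is listening on the port

def probe_host(host: str, timeout: float = 3.0) -> str:
    req = urllib.request.Request(
        f"http://{host}:{AMT_PORT}{SERVICE_PATH}", data=build_get_core_version_request(),
        method="POST", headers={"Content-Type": "text/xml; charset=utf-8",
                                "SOAPAction": f"{SOAP_NS}#GetCoreVersion"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"), None)
    except urllib.error.HTTPError as exc:  # 401 and SOAP faults (HTTP 500) land here
        return classify_probe(exc.code, exc.read().decode("utf-8", "replace"), None)
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        return classify_probe(None, "", str(exc))

# Constructed sample outcomes (status, body, error) to exercise the classifier offline.
SAMPLE_OUTCOMES = {
    "no-listener": (None, "", "[Errno 111] Connection refused"),
    "digest-challenge": (401, "", None),
    "soap-fault": (500, "<soap:Fault><faultstring>x</faultstring></soap:Fault>", None),
    "web-server": (200, "<html>not AMT</html>", None),
}
```

Calling probe_host("192.0.2.10") against a managed host applies the same classification to a live answer; a host in SMB mode still answers on the management port, which is why this works where waiting for a hello message would not.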
calsboy
Beginner

Hi Sree,

I have inserted some questions and clarifications on your replies in blue.

1. Yes, you can use the Unprovision API to unprovision the AMT device. You don't have to turn off and unplug the AMT device after remote unprovisioning.

2. If your system is currently in SMB mode and you would like to re-provision it to Enterprise mode, you have to do it locally through MEBx. - Is this the only way to do it? I would like to do the changes from the server (remotely) as far as possible. Can I not use the SetProvisioningMode API to do this?

If it is already in Enterprise mode and you would like to re-provision it, you can set the provisioning mode and TLS/PSK with the APIs you have mentioned, but then you should go for only a partial unprovision to retain the PSK. If you go for a full unprovision, you will have to set the PSK locally. - I'm confused, because you mentioned that I can set the TLS/PSK with the API I mentioned but then I should only go for a partial unprovision to retain the PSK. What information is part of the PSK and what is part of TLS? Why is there a need to retain the PSK information when it will be changed later on?

3. There is no API for setting the Provisioning Server and Port Number remotely. - I would like to know how the AMT device could automatically look for a provisioning server to send hello messages to if the provisioning server is set to 0.0.0.0. I have read a document that discussed this but was not able to fully understand it. It stated there that it will perform a query on the DNS server for a host name of "ProvisioningServer". Does this mean the computer name of the server should be ProvisioningServer?

For the port number, I have read that it will send to port 9971 by default. Does this mean that if I do not supply any value for the port number it will send to 9971?

4. You can use generally any API to know if a system has an AMT device. If you get a reasonable response, you know that AMT is present. If you get a SOAP error indicating there was no response (even no error response), then you can assume that AMT is not there or not enabled.

Thanks in advance. Please forgive me if I am asking a lot of questions. I'm new to AMT technology and would like to know/clarify a lot of things.

Sreelekshm_S_Intel

Hi,

Please see my comments in purple below.

2. If your system is currently in SMB mode and you would like to re-provision it to Enterprise mode, you have to do it locally through MEBx. - Is this the only way to do it? I would like to do the changes from the server (remotely) as far as possible. Can I not use the SetProvisioningMode API to do this?

If it is in SMB mode currently, using the SetProvisioningMode API to change it to Enterprise mode won't work. You have to do it locally through MEBx.

If it is already in Enterprise mode and you would like to re-provision it, you can set the provisioning mode and TLS/PSK with the APIs you have mentioned, but then you should go for only a partial unprovision to retain the PSK. If you go for a full unprovision, you will have to set the PSK locally. - I'm confused, because you mentioned that I can set the TLS/PSK with the API I mentioned but then I should only go for a partial unprovision to retain the PSK. What information is part of the PSK and what is part of TLS? Why is there a need to retain the PSK information when it will be changed later on?

When an AMT device is unprovisioned, all information is erased, including the PID/PPS information. After a successful call to unprovision() it will not be possible to send any messages to that AMT device again until a new PID/PPS is entered or a certificate is used from one of the supported provisioning certificate authorities. PartialUnProvision() allows you to unprovision the device but re-establish a connection again using the previously set PID/PPS.

3. There is no API for setting the Provisioning Server and Port Number remotely. - I would like to know how the AMT device could automatically look for a provisioning server to send hello messages to if the provisioning server is set to 0.0.0.0. I have read a document that discussed this but was not able to fully understand it. It stated there that it will perform a query on the DNS server for a host name of "ProvisioningServer". Does this mean the computer name of the server should be ProvisioningServer?

You can set the provisioning server IP or have a DNS entry called ProvisionServer that points to your server. If you have a DNS entry that points to your server then you don't need to enter the IP address in the MEBx. In either case, the name of the server can be anything.

For the port number, I have read that it will send to port 9971 by default. Does this mean that if I do not supply any value for the port number it will send to 9971?

Yes

Thanks,

Sree

calsboy
Beginner

Hi Sree,

Thanks for the information. One last question: is it possible to flush AMT settings similar to flushing BIOS settings? What settings can be set in doing this?

calsBoy

Sreelekshm_S_Intel

Hi,

Could you please clarify what you mean by flushing the AMT settings? Do you mean restoring them to default or setting the various AMT configurations?

Thanks,

Sree

calsboy
Beginner

Hi,

I'm referring to setting the various AMT configurations.

Thanks,

calsboy
Beginner

Hi Sree,

I would like to ask for some more clarification on one of your statements:

When an AMT device is unprovisioned, all information is erased, including the PID/PPS information. After a successful call to unprovision() it will not be possible to send any messages to that AMT device again until a new PID/PPS is entered or a certificate is used from one of the supported provisioning certificate authorities. PartialUnProvision() allows you to unprovision the device but re-establish a connection again using the previously set PID/PPS.

In the underlined phrase above, does this mean that if I have a certificate that is created for that specific AMT device I don't need to manually add the PID/PPS in the AMT device through the MEBx? Can I use the API SetTLSServerCertificate to do this? Then after I have successfully sent the certificate, can I send any command to the AMT device again, configure the device and subscribe to alerts?

BTW, I have tried not setting up the Provisioning Server IP and Port Number in the AMT device. Then I added a DNS entry "ProvisionServer" pointing to my server. The device correctly sent Hello Messages to my server at port 9971.

Thanks a lot for your help.

Ylian_S_Intel
Employee
Hi. A few points on this. If you perform a full un-provision, the computer will return more or less to its original manufacturing state. In the portion you underlined, they are talking about the "Provisioning certificate authorities"; this is not the TLS certificate, it's referring to the remote configuration certificate hashes. When performing a full un-provision, the TLS certificate is erased and you will not be able to call "SetTLSServerCertificate()" anymore unless you re-provision the computer.

Personally, I would never do a full un-provision. I would stick with partial un-provision, where you can remotely set up the PID/PSK or remote config cert hashes and get in touch with the computer again.

If you do full un-provisioning and the computer supports remote config, I think you will start getting a hello message, but you will need a certificate signed by one of the default signing authorities.

Hope this helps,
Ylian (Intel AMT Blog)
Sreelekshm_S_Intel

Hi,

You can go for the One Touch configuration using a USB key. You can save the PPS/PID, administrator password and other configuration data from the Config server and plug this USB key into the AMT client. For more details, please refer to http://software.intel.com/en-us/articles/intel-amt-use-case-10-one-touch-configuration

Thanks,

Sree

calsboy
Beginner

Hi Sree and Ylian,

Thanks for the information. This helped me a lot to better understand AMT setup and configuration.
