Hi,
According to the Developer's Guide to the Sample SCA, one of the initial conditions for using Remote Configuration is that the SCA is on the same domain with some hostname that's set on the AMT device. However, for the PID approach, you are able to supply an IP address instead.
1) For Remote Configuration, can I also supply an IP address of an SCA server on the internet instead of the host name of an SCA on the LAN?
2) If I can, can I supply this IP address in a USB key configuration thing? Better yet, is there a way that my ISV agent can set this IP address and other configuration info instead?
3) According to the PDF there is a sample USBFile header in the SDK but I cannot find it anywhere, so I can't check into the first part of #2 myself. Does anyone know where I can find a sample USB file for setting Remote Configuration values in the BIOS?
Thanks
16 Replies
Quoting - mugwump
Hi,
According to the Developer's Guide to the Sample SCA, one of the initial conditions for using Remote Configuration is that the SCA is on the same domain with some hostname that's set on the AMT device. However, for the PID approach, you are able to supply an IP address instead.
1) For Remote Configuration, can I also supply an IP address of an SCA server on the internet instead of the host name of an SCA on the LAN?
2) If I can, can I supply this IP address in a USB key configuration thing? Better yet, is there a way that my ISV agent can set this IP address and other configuration info instead?
3) According to the PDF there is a sample USBFile header in the SDK but I cannot find it anywhere, so I can't check into the first part of #2 myself. Does anyone know where I can find a sample USB file for setting Remote Configuration values in the BIOS?
Thanks
Hi,
You can find the USBFile folder in the SDK - it is under the Configuration folder that is under the Windows folder: ..\Intel AMT 5.1 SDK Gold\Windows\Intel_Manageability_Configuration\Configuration
There is a Readme file in the USBFile directory that describes all of the available options on building your own setup.bin file. I did not see options to input IP addresses - it looks like it wants Domain names and FQDN information. I know that if you are typing in the PID/PPS on the console, you can use IP Addresses. I am currently trying to find out whether or not your assumptions are correct... Stay tuned for more info.
Thanks
Quoting - Gael Holmes (Intel)
Hi,
You can find the USBFile folder in the SDK - it is under the Configuration folder that is under the Windows folder: ..\Intel AMT 5.1 SDK Gold\Windows\Intel_Manageability_Configuration\Configuration
There is a Readme file in the USBFile directory that describes all of the available options on building your own setup.bin file. I did not see options to input IP addresses - it looks like it wants Domain names and FQDN information. I know that if you are typing in the PID/PPS on the console, you can use IP Addresses. I am currently trying to find out whether or not your assumptions are correct... Stay tuned for more info.
Thanks
Weird. It's there in the zip but not on my hard drive. I guess that directory magically wasn't extracted by the Windows zip open file thing. ugh.
I guess one alternative to provisioning over the internet would be to have the computer provision itself. Is that possible?
Quoting - mugwump
I guess one alternative to provisioning over the internet would be to have the computer provision itself. Is that possible?
I'm not sure what you mean about having the system provision itself. You have to use some tool to provision it, either via writing your own Setup and Config Server, using the DTK "Director", using the SCS Lite (6.0) for basic Enterprise, no TLS, or you can use the full SCS 5.1 or 6.0 - all these tools are available on our Manageability community. The SCS Lite is very easy to use - I would suggest downloading them and reading through the documents and then see which one fits your needs the best. The SCS Lite tool uses the Activator too during the provisioning process and it has its own utility for creating the setup.bin file for the USB key. You can also use the Activator GUI to provision your system locally. Again, there are quite a few different ways to provision a system so I would suggest downloading these tools and reading through their documentation so that you can get a feel for how they are different.
How many systems are you needing to provision? Are you requiring them to be in Enterprise Mode? (with or without TLS?) I need to test this, but I don't think you need to have a domain controller in order to provision.
Quoting - Gael Holmes (Intel)
I'm not sure what you mean about having the system provision itself. You have to use some tool to provision it, either via writing your own Setup and Config Server, using the DTK "Director", using the SCS Lite (6.0) for basic Enterprise, no TLS, or you can use the full SCS 5.1 or 6.0 - all these tools are available on our Manageability community. The SCS Lite is very easy to use - I would suggest downloading them and reading through the documents and then see which one fits your needs the best. The SCS Lite tool uses the Activator too during the provisioning process and it has its own utility for creating the setup.bin file for the USB key. You can also use the Activator GUI to provision your system locally. Again, there are quite a few different ways to provision a system so I would suggest downloading these tools and reading through their documentation so that you can get a feel for how they are different.
How many systems are you needing to provision? Are you requiring them to be in Enterprise Mode? (with or without TLS?) I need to test this, but I don't think you need to have a domain controller in order to provision.
I would like to provision thousands of computers in remote locations around the world which are not on my LAN. I cannot use Small Business Mode because I need the communications to be safe (TLS). This should all preferably fit into an automatic service which doesn't require administration interaction to provision things. I'll try reading through more of the DTK stuff I guess.
By "provision itself" I mean running the SCA server on the box that is being provisioned so it can provision itself.
Using the Activator to provision locally sounds promising, I'll look into that, thanks.
Quoting - mugwump
I would like to provision thousands of computers in remote locations around the world which are not on my LAN. I cannot use Small Business Mode because I need the communications to be safe (TLS). This should all preferably fit into an automatic service which doesn't require administration interaction to provision things. I'll try reading through more of the DTK stuff I guess.
By "provision itself" I mean running the SCA server on the box that is being provisioned so it can provision itself.
Using the Activator to provision locally sounds promising, I'll look into that, thanks.
I think that the Activator /local provisioning would be more suitable for a small business environment - you have to touch every system in this case, which is also the case with the USB key. You should probably look at using the Certificate-based provisioning where instead of having to use the PID/PPS keys to enable the provisioning packets to be sent/received, you can do the certificate based provisioning where you do not have to touch the AMT systems. The ME has a number of Certificate Hashes from vendors such as Verisign and Godaddy burnt into it - you would need to purchase the root certs from the vendor of your choice. Note that this certificate is different than the certificate you need to set your systems up for Enterprise/TLS mode. The provisioning certificate is simply used for the same purpose that the PID/PPS key is used for - opening the network so that the hello packet can be sent and received.
Quoting - Gael Holmes (Intel)
I think that the Activator /local provisioning would be more suitable for a small business environment - you have to touch every system in this case, which is also the case with the USB key. You should probably look at using the Certificate-based provisioning where instead of having to use the PID/PPS keys to enable the provisioning packets to be sent/received, you can do the certificate based provisioning where you do not have to touch the AMT systems. The ME has a number of Certificate Hashes from vendors such as Verisign and Godaddy burnt into it - you would need to purchase the root certs from the vendor of your choice. Note that this certificate is different than the certificate you need to set your systems up for Enterprise/TLS mode. The provisioning certificate is simply used for the same purpose that the PID/PPS key is used for - opening the network so that the hello packet can be sent and received.
While for local provisioning I would technically have to touch every system, I can use a local agent to touch them as long as I don't have to do something complicated like rebooting and editing the BIOS.
Using a certificate for Enterprise sounds great, I just got scared at the documentation which suggested it was only possible over a LAN. In particular in the SCA guide section 4.1.1: Initial Conditions, condition 4 makes it sound like the SCA and AMT device must be on the same LAN.
Quoting - mugwump
I would like to provision thousands of computers in remote locations around the world which are not on my LAN. I cannot use Small Business Mode because I need the communications to be safe (TLS). This should all preferably fit into an automatic service which doesn't require administration interaction to provision things. I'll try reading through more of the DTK stuff I guess.
By "provision itself" I mean running the SCA server on the box that is being provisioned so it can provision itself.
Using the Activator to provision locally sounds promising, I'll look into that, thanks.
Hi mugwump,
How exactly are you planning on talking to each system once it's configured if they aren't on your network?
Regards,
Roger
Quoting - mugwump
While for local provisioning I would technically have to touch every system, I can use a local agent to touch them as long as I don't have to do something complicated like rebooting and editing the BIOS.
Using a certificate for Enterprise sounds great, I just got scared at the documentation which suggested it was only possible over a LAN. In particular in the SCA guide section 4.1.1: Initial Conditions, condition 4 makes it sound like the SCA and AMT device must be on the same LAN.
Ohhhhh yeah.. You are correct about having to be connected on the same LAN. darnit! And I'm pretty sure that using the Activator locally is an SMB mode only deal.
Quoting - rogerb
Hi mugwump,
How exactly are you planning on talking to each system once it's configured if they aren't on your network?
Regards,
Roger
Hopefully using CIRA
Quoting - mugwump
Hopefully using CIRA
Hello,
I'm a bit confused about how I can remotely set up Intel AMT machines that are in factory setup mode.
Section 3.7.3 (page 33) of the security configuration guide document states that it needs a host named "ProvisionServer", so will an unconfigured machine query for this host through the LAN?
Moreover, I tried to catch up by reading the docs of IntelAMTSCS, but I cannot clearly find any info on how to remotely set up an Intel AMT machine without USB or manually configuring the settings.
As I understand it, there are many ways that a machine can be configured remotely over LAN?
Thanks.
Quoting - ph3ar
Hello,
I'm a bit confused about how I can remotely set up Intel AMT machines that are in factory setup mode.
Section 3.7.3 (page 33) of the security configuration guide document states that it needs a host named "ProvisionServer", so will an unconfigured machine query for this host through the LAN?
Moreover, I tried to catch up by reading the docs of IntelAMTSCS, but I cannot clearly find any info on how to remotely set up an Intel AMT machine without USB or manually configuring the settings.
As I understand it, there are many ways that a machine can be configured remotely over LAN?
Thanks.
If you haven't changed the name of the server in MEBx, or specified the IP address of your configuration server, then yes, the system will look for a configuration server named "provisionserver". So, you do need to give your configuration server that name.
If you have a remote configuration certificate, then you can tell the system in a remote call that you want it to start the remote configuration process. If you haven't purchased a cert from one of the default providers, then you will need to touch each system and apply the hash for your own root cert server to each system. Or, if your OEM offered pre-provisioning of AMT, and you bought it, then you just need to set up the configuration server on the network with the name of "provisionserver" and the systems will get configured.
Quoting - rogerb
If you haven't changed the name of the server in MEBx, or specified the IP address of your configuration server, then yes, the system will look for a configuration server named "provisionserver". So, you do need to give your configuration server that name.
If you have a remote configuration certificate, then you can tell the system in a remote call that you want it to start the remote configuration process. If you haven't purchased a cert from one of the default providers, then you will need to touch each system and apply the hash for your own root cert server to each system. Or, if your OEM offered pre-provisioning of AMT, and you bought it, then you just need to set up the configuration server on the network with the name of "provisionserver" and the systems will get configured.
Do you know which tools I can use for provisioning?
An SDK sample maybe?
Quoting - ph3ar
Thanks for your reply.
Do you know which tools I can use for provisioning?
An SDK sample maybe?
The DTK has provisioning tools: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/
More provisioning info: http://software.intel.com/en-us/blogs/2007/06/13/Intel-SCS-SCA-AMT-Director-Youve-Been-Provisioned/
Yup, the DTK is one possible source for a provisioning mechanism (as always with the DTK, it's intended as a development tool as opposed to a production ready deployment)
Other possibilities are the Configuration code that is part of the SDK (in the /Windows\Intel_Manageability_Configuration\Configuration\ConfigurationServer directory), if you're interested in creating your own provision server. If you're not interested in creating your own provision server, the SCS that is available is a robust implementation built using the Configuration server example.