Enterprise Provisioning

mugwump · ‎07-16-2009

Hi,

According to the Developer's Guid to the Sample SCA, one of the initial conditions for using Remote Configuration is that the SCA is on the same domain with some hostname that's set on the AMT device. However, for the PID approach, you are able to supply an IP address instead.

1) For Remote Configuration, can I also supply an IP address of an SCA server on the internet instead of the host name of an SCA on the LAN?

2) If I can, can I supply this IP address in a USB key configuration thing? Better yet, is there a way that my ISV agent can set this IP address and other configuration info instead?

3) According to the PDF there is a sample USBFile header in the SDK but I cannot find it anywhere, so I can't check into the first part of #2 myself. Does anyone know where I can find a sample USB file for setting Remote Configuration values in the BIOS?

Thanks

Gael_H_Intel · ‎07-17-2009

Quoting - mugwump

Hi,

According to the Developer's Guid to the Sample SCA, one of the initial conditions for using Remote Configuration is that the SCA is on the same domain with some hostname that's set on the AMT device. However, for the PID approach, you are able to supply an IP address instead.

1) For Remote Configuration, can I also supply an IP address of an SCA server on the internet instead of the host name of an SCA on the LAN?

2) If I can, can I supply this IP address in a USB key configuration thing? Better yet, is there a way that my ISV agent can set this IP address and other configuration info instead?

3) According to the PDF there is a sample USBFile header in the SDK but I cannot find it anywhere, so I can't check into the first part of #2 myself. Does anyone know where I can find a sample USB file for setting Remote Configuration values in the BIOS?

Thanks

Hi,
You can find the USBFIle folder in the SDK - it is under the Configuration folder that is under the Windows folder:..Intel AMT 5.1 SDK GoldWindowsIntel_Manageability_ConfigurationConfiguration

There is a Readme file in the USBFile directory that describes all of the available options on building your own setup.bin file. I did not see options to input IP addresses - it looks like it wants Domain names and FQDN information. I know that if you are typing in the PID/PPS on the console, you can use IP Addresses. I am currently trying to find out whether or not your assumptions are correct... Stay tuned for more info.

Thanks

mugwump · ‎07-17-2009

Quoting - Gael Holmes (Intel)

Hi,
You can find the USBFIle folder in the SDK - it is under the Configuration folder that is under the Windows folder:..Intel AMT 5.1 SDK GoldWindowsIntel_Manageability_ConfigurationConfiguration

There is a Readme file in the USBFile directory that describes all of the available options on building your own setup.bin file. I did not see options to input IP addresses - it looks like it wants Domain names and FQDN information. I know that if you are typing in the PID/PPS on the console, you can use IP Addresses. I am currently trying to find out whether or not your assumptions are correct... Stay tuned for more info.

Thanks

Weird. It's there in the zip but not on my hard drive. I guess that directory magically wasn't extracted by the Window zip open file thing. ugh.

mugwump · ‎07-17-2009

I guess one alternative to provisioning over the internet would be to have the computer provision itself. Is that possible?

Gael_H_Intel · ‎07-17-2009

Quoting - mugwump

I guess one alternative to provisioning over the internet would be to have the computer provision itself. Is that possible?

I'm not sure what you mean about having the system provision itself.. You have to use some tool to provision it, either via writing your own Setup and Config Server, using the DTK "Director", using the SCS Lite (6.0) for basic Enterprise, no TLS, or you can use the full SCS 5.1 or 6.0 - all these tools are available on our Manageability community. The SCS Lite is very easy to use - I would suggest downloading them and reading through the documents and then see which one fits your needs the best. The SCS Lite tool uses the Activator too during the provisioning process and it has it's own utility for creating the setup.bin file for the USB key. You can also use the Activator GUI to provision your system locally. Again, there are quite a few different ways to provision a system so I would suggest downloading these tools and reading through their documentation so that you can get a feel for how they are different.

How many systems are you needing to provision? Are you requiring them to be in Enterprise Mode? (with or without TLS?) I need to test this, but I don't think you need to have a domain controller in order to provision.

mugwump · ‎07-17-2009

Quoting - Gael Holmes (Intel)

I'm not sure what you mean about having the system provision itself.. You have to use some tool to provision it, either via writing your own Setup and Config Server, using the DTK "Director", using the SCS Lite (6.0) for basic Enterprise, no TLS, or you can use the full SCS 5.1 or 6.0 - all these tools are available on our Manageability community. The SCS Lite is very easy to use - I would suggest downloading them and reading through the documents and then see which one fits your needs the best. The SCS Lite tool uses the Activator too during the provisioning process and it has it's own utility for creating the setup.bin file for the USB key. You can also use the Activator GUI to provision your system locally. Again, there are quite a few different ways to provision a system so I would suggest downloading these tools and reading through their documentation so that you can get a feel for how they are different.

How many systems are you needing to provision? Are you requiring them to be in Enterprise Mode? (with or without TLS?) I need to test this, but I don't think you need to have a domain controller in order to provision.

I would like to provision thousands of computers in remote locations around the world which are not on my LAN. I cannot use Small Business Mode because I need the communications be safe (TLS). This should all preferably fit into an automatic service which doesn't require administration interaction to provision things. I'll try reading through more of the DTK stuff I guess.

By "provision itself" I mean running the SCA server on the box that is being provisioned so it can provision itself.

Using the Activator to provision locally sounds promising, i'll look into that, thanks.

Gael_H_Intel · ‎07-17-2009

Quoting - mugwump

I would like to provision thousands of computers in remote locations around the world which are not on my LAN. I cannot use Small Business Mode because I need the communications be safe (TLS). This should all preferably fit into an automatic service which doesn't require administration interaction to provision things. I'll try reading through more of the DTK stuff I guess.

By "provision itself" I mean running the SCA server on the box that is being provisioned so it can provision itself.

Using the Activator to provision locally sounds promising, i'll look into that, thanks.

I think that the Activator /local provisioning would be more suitable for a small business environment - you have to touch every system in this case, which is also the case with the USB key. You should probably look at using the Certificate-based provisioning where instead of having to use the PID/PPS keys to enable the provisioining packets to be sent/received, you can do the certificate based provisioning where you do not have to touch the AMT systems. The ME has a number of Certificate Hashes from vendors such as Verisign and Godaddy burnt into it - you would need to purchase the root certs from the vendor of your choice. Note that this certificate is different than the certificate you need to set your systems up for Enterprise/TLS mode. The provisioning certificate is simply used for the same purpose that the PID/PPS key is used for - opening the network so that the hello packet can be sent and received.

mugwump · ‎07-17-2009

Quoting - Gael Holmes (Intel)

I think that the Activator /local provisioning would be more suitable for a small business environment - you have to touch every system in this case, which is also the case with the USB key. You should probably look at using the Certificate-based provisioning where instead of having to use the PID/PPS keys to enable the provisioining packets to be sent/received, you can do the certificate based provisioning where you do not have to touch the AMT systems. The ME has a number of Certificate Hashes from vendors such as Verisign and Godaddy burnt into it - you would need to purchase the root certs from the vendor of your choice. Note that this certificate is different than the certificate you need to set your systems up for Enterprise/TLS mode. The provisioning certificate is simply used for the same purpose that the PID/PPS key is used for - opening the network so that the hello packet can be sent and received.

While for local provisioning I would technically have to touch every system, I can use a local agent to touch them as long as I don't have to do something complicated like rebooting and editing the BIOS.

Using a certificate for Enterprise sounds great, I just got scared at the documentation which suggested it was only possible over a LAN. In particular in the SCA guid section 4.1.1: Initial Conditions, condition 4 is makes it sound like the SCA and AMT device must be on the same LAN.

RBens2 · ‎07-17-2009

Quoting - mugwump

I would like to provision thousands of computers in remote locations around the world which are not on my LAN. I cannot use Small Business Mode because I need the communications be safe (TLS). This should all preferably fit into an automatic service which doesn't require administration interaction to provision things. I'll try reading through more of the DTK stuff I guess.

By "provision itself" I mean running the SCA server on the box that is being provisioned so it can provision itself.

Using the Activator to provision locally sounds promising, i'll look into that, thanks.

Hi mugwump,

How exactly are you planning on talking to each system once it's configured if they aren't on your network?

Regards,
Roger

Gael_H_Intel · ‎07-17-2009

Quoting - mugwump

While for local provisioning I would technically have to touch every system, I can use a local agent to touch them as long as I don't have to do something complicated like rebooting and editing the BIOS.

Using a certificate for Enterprise sounds great, I just got scared at the documentation which suggested it was only possible over a LAN. In particular in the SCA guid section 4.1.1: Initial Conditions, condition 4 is makes it sound like the SCA and AMT device must be on the same LAN.

Ohhhhh yeah.. You are correct about having to be connected on the same lan. darnit! And I'm pretty sure that using the Activator locally is an SMB mode only deal.

mugwump · ‎07-17-2009

Quoting - rogerb

Hi mugwump,

How exactly are you planning on talking to each system once it's configured if they aren't on your network?

Regards,
Roger

Hopefully using CIRA

RBens2 · ‎07-17-2009

Quoting - mugwump

Hopefully using CIRA

Then I would say that you've got problems. The usage model for AMT is that the system gets configured on your enterprise LAN, and then (post-configuration) it can communicate with the management system through CIRA. There really isn't a way to get your systems configured without getting access to the network where each system resides. The ME needs hardware access to the configuration server in order for the process to complete, not just a tunneled connection in the OS. If you could get access to a system on each of the resident networks, you could run the SCA, and configure the systems, and shutdown the SCA on that network. The communication would be secure, and once the systems were configured, they could use CIRA to communicate back to a central management console. Mostly, you would need to pay very close attention to the certificates that were used in the process of configuring the systems.

ph3ar · ‎07-17-2009

Hello,

I'm a bit confused of how I can setup remotely Intel AMT machines that are in factory setup mode.
In 3.7.3 (page 33) section of security configuration guide document states that it needs a host named "ProvisionServer", so an un-configured machine will query for this host through the LAN ?

Moreover I tried to catch up reading the docs of IntelAMTSCS but I cannot clearly find some info on how to setup remotely an Intel AMT machine without USB or manually configure the settings.

As I understood there are many that a machine can be configured remotely over LAN ?

Thanks.

RBens2 · ‎07-17-2009

Quoting - ph3ar

Hello,

I'm a bit confused of how I can setup remotely Intel AMT machines that are in factory setup mode.
In 3.7.3 (page 33) section of security configuration guide document states that it needs a host named "ProvisionServer", so an un-configured machine will query for this host through the LAN ?

Moreover I tried to catch up reading the docs of IntelAMTSCS but I cannot clearly find some info on how to setup remotely an Intel AMT machine without USB or manually configure the settings.

As I understood there are many that a machine can be configured remotely over LAN ?

Thanks.

If you haven't changed the name of the server in MEBx, or specified the IP address of your configuration server, then yes, the system will look for a configuration server named "provisionserver". So, you do need to give your configuration server that name.

If you have a remote configuration certificate, then you can tell the system in a remote call that you want it to start the remote configuration process. If you haven't purchased a cert from one of the default providers, then you will need to touch each system and apply the hash for your own root cert server to each system. Or, if your OEM offered pre-provisioning of AMT, and you bought it, then you just need to setup the configuration server on the network with the name of "provisionserver" and the systems will get configured.

ph3ar · ‎07-17-2009

Quoting - rogerb

If you haven't changed the name of the server in MEBx, or specified the IP address of your configuration server, then yes, the system will look for a configuration server named "provisionserver". So, you do need to give your configuration server that name.

If you have a remote configuration certificate, then you can tell the system in a remote call that you want it to start the remote configuration process. If you haven't purchased a cert from one of the default providers, then you will need to touch each system and apply the hash for your own root cert server to each system. Or, if your OEM offered pre-provisioning of AMT, and you bought it, then you just need to setup the configuration server on the network with the name of "provisionserver" and the systems will get configured.

Thanks for your reply.

Do you know which tools I can use for provisioning?
An sdk sample maybe?

mugwump · ‎07-17-2009

Quoting - ph3ar

Thanks for your reply.

Do you know which tools I can use for provisioning?
An sdk sample maybe?

The DTK has provisioning tools: http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool...

More provisioning info: http://software.intel.com/en-us/blogs/2007/06/13/Intel-SCS-SCA-AMT-Director-Youve-Been-Provisioned/

Andrew_S_Intel2 · ‎07-20-2009

Yup, the DTK is one possible source for a provisioning mechanism (as always with the DTK, it's intended as a development tool as opposed to a production ready deployment)

Other possibilities are the Configuration code that is part of the SDK (in the /WindowsIntel_Manageability_ConfigurationConfigurationConfigurationServer directory), if you're interested in creating your own provision server. If you're not interested in creating your own provision server, the SCS that is available is a robust implementation built using the Configuration server example.