Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

Remote AMT Provisioning

odla0024
Beginner
Hello,

I am trying to figure out how to configure a machine over the internet without ever having direct contact with the machine.

The machine will be sent to the location and needs to be provisioned. The BIOS can be set up by the manufacturer and there will be someone on location who can do minimal tasks (i.e., insert a USB drive or type one word) if need be, but the less the better.

I've been trying to accomplish this using SCS 6. The machines will have AMT 5 on them.

Thanks
RBens2
Valued Contributor I
What info can your OEM pre-load into the system?

Thanks,
Roger
odla0024
Beginner
Quoting - rogerb
What info can your OEM pre-load into the system?

Thanks,
Roger

Not exactly sure. It will most likely be a machine ordered from Dell. We should be able to have a decent amount of control over settings.

The goal is to do this completely over the internet, which I'm not even sure is possible. I've done a lot of looking and I've only been able to find a few references to people even trying it. Any idea if it is possible when they aren't on the same LAN?
Richard_B_Intel1
Employee
The system needs to be inside the "corporate" network to provision it with SCS. Additionally, managing the system outside the "corporate" network requires a vPro Enabled Gateway in your DMZ (please see the "Intel AMT Remote Access Overview.pdf" in the SDK).
odla0024
Beginner
Quoting - RB (Intel)
The system needs to be inside the "corporate" network to provision it with SCS. Additionally, managing the system outside the "corporate" network requires a vPro Enabled Gateway in your DMZ (please see the "Intel AMT Remote Access Overview.pdf" in the SDK).

Is the same true for using the Intel AMT SCA?

edit: Never mind. It says that it has to be on the same intranet in that document.
RBens2
Valued Contributor I
Quoting - odla0024

Is the same true for using the Intel AMT SCA?

edit: Never mind. It says that it has to be on the same intranet in that document.

Hi odla,

You actually could do internet provisioning of a box, but you would have to be very careful about security. The provisioning process is set up to allow a secure connection between the system and the provisioning server. You would just have to make sure that the AMT system could connect to the IP address of the server running the SCA, and the AMT system couldn't access the SCA through a VPN connection. If you can set up the SCA in a DMZ, and you can put the AMT system on the internet without going through NAT, then the two systems should be able to establish a secure connection and complete the configuration process. Again, you would need to be very careful about security and network visibility.

Regards,
Roger
Richard_B_Intel1
Employee
Quoting - rogerb
Hi odla,

You actually could do internet provisioning of a box, but you would have to be very careful about security. The provisioning process is set up to allow a secure connection between the system and the provisioning server. You would just have to make sure that the AMT system could connect to the IP address of the server running the SCA, and the AMT system couldn't access the SCA through a VPN connection. If you can set up the SCA in a DMZ, and you can put the AMT system on the internet without going through NAT, then the two systems should be able to establish a secure connection and complete the configuration process. Again, you would need to be very careful about security and network visibility.

Regards,
Roger

While this may be technically feasible, Intel does not recommend doing this because of the security concerns Roger is calling out.