Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Help with getting vPro set up.

Comfy
Beginner
3,848 Views

Hi - I'm trying to get a proof of concept set up for my workplace. I think it's a great platform for RDP and remote access. I've had some limited wins so far with regards to setup but am far from getting something that I can present... I've got quite a few issues and questions also. If anyone could help that'd be great. I might jump around a bit but please bear with me!

1. I'm using Mesh Commander from a client/connection point of view. Is there anything better? (I know of the RealVNC viewer that has the AMT connection.)

2. Initially I've got my desktop machine (on domain) and a test laptop (a Precision 3551) which is in a workgroup. ME software is installed. However, the network connection status is shown as DHCP connected (but no IP address - there is an IP address and I can ping it, but Mesh Commander doesn't want to know...!)

3. I did have another laptop which I was using (an old Latitude) but I don't have access to that all of the time... it's set up no different (that I know of) but it does appear in Mesh Commander (not sure why). I used to be able to get a connection to it but while experimenting have lost the connection; when I did get a connection it was asking for some sort of number (which I've never been able to find where to configure...).

As I say, I'm new to this but very eager to learn as I think it's a great platform... if anyone can point me to some walkthroughs/software to use that'd be great.

 

Thanks to anyone that takes a punt at it....

0 Kudos
38 Replies
Comfy
Beginner
1,334 Views

Here's a snip.

That's all I see (only the 3 options).

 

EMA.JPG

0 Kudos
Jimmy_Wai_Intel
Employee
1,326 Views

Hi Comfy, you are not seeing the options to create Endpoint Groups, create AMT Profiles and manage PCs because you have logged in as the global administrator. To see the other options, you need to log in as a tenant administrator.

0 Kudos
Comfy
Beginner
1,322 Views

Brilliant - got it - thanks very much. I will have more questions I'm sure, but I've got enough to be on with for the moment. Thanks so much for your help.

 

Andy

0 Kudos
Comfy
Beginner
1,318 Views

OK - next question... I'm creating an 802.1x profile...

In the AD part it wants the Organizational Unit and the security group...?

Which are these... is the OU where the server is located or where the laptop is located, and which is the security group... is that an IT security group, for example?

0 Kudos
SergioS_Intel
Moderator
1,295 Views

Hello Comfy,


The Organization Unit is the AD syntax.


For the security groups, the AD object created for the Intel(R) AMT device is by default automatically added to the AD security group named "Domain Computers". If necessary, it is also possible to define additional security groups to which the object will be added, in case the RADIUS server requires objects to be members of a specific security group.


If you do not have a RADIUS server you can skip that part.

 

 Best regards,

 Sergio S.

 Intel Customer Support Technician


0 Kudos
Comfy
Beginner
1,286 Views

OK - well, we have multiple OUs with computers in each one (different sites). So, do I create different AMT profiles for the different OUs?

Another question is regarding the PKI cert.

1. Is this cert a specific cert for the job (i.e. do I have to go to a cert provider to get a "PKI" cert)?

2. If the above is the case, the way I read it is that I bundle that PKI cert into the AMT profile which gets applied to all of our laptops, and in turn we can then remote control them without need for user interaction?

 

Again - thanks for the help so far... I'm more of a doing type person when it comes to learning these things!!

 

 

0 Kudos
Comfy
Beginner
1,274 Views

Hi - Another PKI cert question.

Does the cert CSR have to be created on the EMA server itself? One of the admins created one on another server, but when I create the cert request on the EMA server and load it on I don't get the option to "export".

 

Cheers

 

0 Kudos
SergioS_Intel
Moderator
1,271 Views

Hello Comfy,


In order to upload a certificate, you have to be logged in as a Tenant Administrator.

 

AMT PKI certificates.


To upload a certificate:


1. From the navigation pane at the left, click Settings, then select Server Settings > Certificates. A list of certificates available for use is displayed.


2. Click Upload.


3. The Certificate dialog is displayed.


4. Enter the Entry Name then click Choose File. Certificate files ending in .CER do not require a Password. Certificate files ending in .PFX require a Password. Note that the certificate file to be uploaded must be less than 1MB.


5. In the Certificate dialog, click Upload.


The certificate is stored in the Intel EMA database and loaded into memory for optimal performance. If an updated certificate file (which includes any of the certificates in the certificate chain) is re-uploaded with a change, it may take up to 15 minutes for the change to be processed and reflected for usage.


You can also download and delete certificates. Note that if the certificate is still used by another certificate (in the certificate chain), or if it is used in an Intel AMT Profile or Intel AMT setup, it cannot be deleted.

If you are performing an initial Tenant setup, proceed to section 3.6 to enable Intel AMT autosetup.


You can find more information on page 26 of the following link:


https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf


Best Regards.


 Sergio S.

 Intel Customer Support Technician


0 Kudos
Comfy
Beginner
1,254 Views

Hi Sergio,

I've got the PKI cert uploaded/installed. I'm now trying to do an auto provision but I'm not getting the pull-down option (I'm only seeing Host Based Provisioning).

I'm stuck a little bit at the moment. I can use Mesh Commander to auto connect to the Latitude 7480 and the Precision 3551 but it always prompts for authorization (needing the 6 digit code).

Both of the above only connect using Mesh Commander with the Digest/TLS turned off (can't get a connection with Intel EMA).

 

 

Cheers.

 

Andy

0 Kudos
JoseH_Intel
Moderator
1,249 Views

Hello Comfy,


If you are getting the user consent at the remote machine, it is because it is provisioned in Client Control Mode (CCM). The whole purpose of the provisioning cert is to have the systems provisioned in Admin Control Mode (ACM) and get rid of the user consent when attempting to remote. If you are using your own generated certificate, then you need to upload it to the system MEBx before running the EMAagent.exe so it will provision in ACM. Alternatively, you can use a commercial CA like GoDaddy, Comodo, Entrust, Sectigo, and DigiCert, since their root hash is already preloaded to the ME.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Comfy
Beginner
1,239 Views

Hi there Jose

Thanks for the reply. First and foremost, yes, we've got a PKI cert from GoDaddy installed on the server. As you say, if my laptop is stuck in CCM mode, how do I switch to ACM mode, and how do I get the cert from the server installed on the laptop? I'm presuming that once the cert is on the laptop it then switches to CCM mode?

Just to add to this (as I think we're in different timezones): I started again and removed the endpoints, currently using a laptop on our domain. I've created an MSI which on initial installation showed the trusted policy and the trusted hash. That installed, but now when I try to provision the laptop remotely the AMT profile is greyed out so I can't proceed?

 

0 Kudos
SergioS_Intel
Moderator
1,230 Views

Hello Comfy,


Please allow us to check on your question and we will get back to you.


Regards


Sergio S

Intel Customer Support Technician


0 Kudos
Comfy
Beginner
1,220 Views

Thanks very much, sorry for the multitude of questions... it's how I tend to learn! - "find 50 ways of not doing it right for the one way to do it right, and then it sinks in!"

 

Cheers

0 Kudos
SergioS_Intel
Moderator
1,183 Views

Hello Comfy,


Thank you for waiting for our updates.


If you are planning to create a Self-Certificate, we recommend checking the "How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14" site:


https://www.intel.com/content/www/us/en/support/articles/000059996/software.html


If you already created the certificate, please send us pictures of the enhanced key usage, the OID, the certification path, and the details tab for the certs in the certification path.


Looking forward to your updates


Regards

Sergio S

Intel Customer Support Technician


0 Kudos
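Added example, not part of the original thread or of Intel's tooling: a standard-library Python check for what the reply above asks to see, listing the Enhanced Key Usage OIDs of a .CER file together with the SHA-256 hash of its DER encoding. The OID constant is the value Intel documents for AMT remote-configuration certificates (an assumption here, since the thread does not quote it); the function names and sample bytes are constructed for illustration.

```python
import hashlib
import ssl

AMT_PROVISIONING_OID = "2.16.840.1.113741.1.2.3"  # assumption: from Intel AMT docs, not this thread
EKU_EXTENSION_OID = "2.5.29.37"                    # X.509 extKeyUsage extension

def read_tlv(buf, pos):                             # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                               # base-128 digits, high bit means "continues"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)                   # first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der, start=0, end=None):               # search the DER tree for extKeyUsage
    kids = children(der, start, len(der) if end is None else end)
    if kids and kids[0][0] == 0x06 and decode_oid(der[kids[0][1]:kids[0][2]]) == EKU_EXTENSION_OID:
        _, s, e = read_tlv(der, kids[-1][1])        # SEQUENCE inside the extnValue OCTET STRING
        return [decode_oid(der[a:b]) for _, a, b in children(der, s, e)]
    for tag, s, e in kids:
        if tag & 0x20 and (found := eku_oids(der, s, e)):   # constructed element: descend
            return found
    return []

def inspect_cert(data):                             # accepts PEM or DER certificate bytes
    der = ssl.PEM_cert_to_DER_cert(data.decode()) if data.startswith(b"-----BEGIN") else data
    oids = eku_oids(der)
    return {"sha256": hashlib.sha256(der).hexdigest(), "eku": oids, "amt_ok": AMT_PROVISIONING_OID in oids}

# Constructed samples: bare extKeyUsage extensions, not real certificates.
WITH_AMT = bytes.fromhex("301f0603551d2504183016" "06082b06010505070301" "060a6086480186f84d010203")
WITHOUT_AMT = bytes.fromhex("30130603551d25040c300a" "06082b06010505070301")
```

Run `inspect_cert` on the bytes of each certificate in the certification path; the digest reported for the root is the SHA-256 form of the "root hash" mentioned earlier in the thread.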
SergioS_Intel
Moderator
1,006 Views

Hello Comfy,


We are following your thread and would like to know if you need further assistance or if we can close it.


Regards

Sergio S

Intel Customer Support Technician


0 Kudos
SergioS_Intel
Moderator
878 Views

Hello Comfy,


We are following up on a thread that is still open. We know that this is important for you to get it resolved and it is also equally important for us to get you the right solution. Since we have not seen an update for several days, the thread will automatically close after 2 business days.


Regards

Sergio S

Intel Customer Support Technician


0 Kudos
Comfy
Beginner
839 Views

Hi there - no, not had a reply yet... maybe now I've got the server installed, start a thread for each issue that I've got going forward? (might be better!)

0 Kudos
SergioS_Intel
Moderator
831 Views

Hello Comfy,


Absolutely, you can contact us in the future in case you find any more issues or if you have any more questions.


Please let us know if you agree to close this thread.


Regards

Sergio S

Intel Customer Support Technician


0 Kudos