Hi S4m,
As Jose described for AMT Admin Control Mode you will have to meet general Intel AMT FW design requirements:
- Intel AMT Wired built in LAN + AMT Provisioning certificate issued by one of Intel AMT supported/trusted Public CAs -which for obvious reasons of DV process you can get for your publicly registered domain name + DHCP Option 15 set to value that will match domain name part of AMT provisioning cert CN.
OR - Add your own self signed CA Root cert hash to AMT FW so you can have cert CN domain name part matching any DHCP Option 15 you want. Note 1 - you still need ntel AMT Wired built in LAN
OR - set PKI DNS Suffix in Intel AMT FW to value of your publicly registered domain name. Once it is set it will make AMT FW to validate AMT Provisioning certificate domain name vs PKI DNS Suffix instead of network interface DHCP Option 15 and it will work for BOTH AMT Wired and Wireless networks as well.
With Intel EMA AMT configuration to ACM will even work over ANY network interface including non Intel AMT docks, USB-LAN dongles etc.
Note 2 - Intel AMT remote management access still requires Intel AMT enabled LAN, AMT WLAN or AMT LAN in TBT4 dock with Intel 11th Core vPro notebooks or newer (and vPro over TBT4 must be enabled by OEM in Intel ME FW in factory).
You can add your own CA root cert hash and /or set PKI DNS suffix (you can do both 2. and 3. above in one Pre-setup) via Intel MEBx manual interface or USB Pre-Provisioning which both require physical access and "touch" of each device.
OEM may do it for you in their factory but only for devices which are still in manufacturing mode and they usually charge approx $5-10 per device.
Fortunately there is pretty easy workaround for invalid internal domain names as long as your DHCP server is based on MS Windows service (or other solution that will support DHCP User classes and DHC Policies).
you need to ask DHCP Admin to:
-
Create new User Class in DHCP server, Name it ex. AMT , you may also add description and Define its Class ID – ex. AMT
(enter Class ID name in ASCII column). -
Define new DHCP Policy, name it ex. AMT, you may also add description, Add Condition for User Class = name you defined in New Class (select from the list), Add it
-
In DHCP Standard Options for this new Policy scroll down to Option 015 DNS Domain Name,
Select it and provide your company publicly registered domain name (ex. your site.net.au), Review settings and Finish
New Policy is added to DHCP server - then you have to deploy this new DHCP Policy for Intel AMT configuration time and purpose only:
in your EMAAgent.exe deployment script include in following order:
ipconfig /setclassid Ethernet AMT
where AMT shall be replaced by class ID you configured in first step. It will request from DHCP server to assign IP address within this New DHCP Policy with public domain name in Option 15.
EMAAgent.exe –fullinstall
TIMEOUT /T 180 /Nobreak
it will deploy EMAAgent which will register endpoint and start configuring Intel AMT automatically.
AMT configuration to ACM may take some time to complete so hence Timeout /T 180 /Nobreak command.
You may adjust time to be longer than those 3 min.
This is quick and not perfect example of giving Intel EMA time to complete AMT configuration to ACM mode.
other way is to query AMT configuration status to reach ACM with Intel® EMA Configuration Tool on 30-60 sec interval within script.
and than
ipconfig /setclassid Ethernet
which will revert back to default DHCP Policy (with your internal .local domain name in ?Option 15).
so your EMA Agent deployment script will look like:
ipconfig /setclassid Ethernet AMT
EMAAgent.exe –fullinstall
TIMEOUT /T 180 /Nobreakipconfig /setclassid Ethernet
Kudos to my team peer Josh Copeland for figuring out this "trick" - I am just sharing it
rgds
Dariusz Wittek
Biz Client Technical Sales Specialist | Intel EMEA CCG Technical Sales
Link Copied
Hi S4m,
As Jose described for AMT Admin Control Mode you will have to meet general Intel AMT FW design requirements:
- Intel AMT Wired built in LAN + AMT Provisioning certificate issued by one of Intel AMT supported/trusted Public CAs -which for obvious reasons of DV process you can get for your publicly registered domain name + DHCP Option 15 set to value that will match domain name part of AMT provisioning cert CN.
OR - Add your own self signed CA Root cert hash to AMT FW so you can have cert CN domain name part matching any DHCP Option 15 you want. Note 1 - you still need ntel AMT Wired built in LAN
OR - set PKI DNS Suffix in Intel AMT FW to value of your publicly registered domain name. Once it is set it will make AMT FW to validate AMT Provisioning certificate domain name vs PKI DNS Suffix instead of network interface DHCP Option 15 and it will work for BOTH AMT Wired and Wireless networks as well.
With Intel EMA AMT configuration to ACM will even work over ANY network interface including non Intel AMT docks, USB-LAN dongles etc.
Note 2 - Intel AMT remote management access still requires Intel AMT enabled LAN, AMT WLAN or AMT LAN in TBT4 dock with Intel 11th Core vPro notebooks or newer (and vPro over TBT4 must be enabled by OEM in Intel ME FW in factory).
You can add your own CA root cert hash and /or set PKI DNS suffix (you can do both 2. and 3. above in one Pre-setup) via Intel MEBx manual interface or USB Pre-Provisioning which both require physical access and "touch" of each device.
OEM may do it for you in their factory but only for devices which are still in manufacturing mode and they usually charge approx $5-10 per device.
Fortunately there is pretty easy workaround for invalid internal domain names as long as your DHCP server is based on MS Windows service (or other solution that will support DHCP User classes and DHC Policies).
you need to ask DHCP Admin to:
-
Create new User Class in DHCP server, Name it ex. AMT , you may also add description and Define its Class ID – ex. AMT
(enter Class ID name in ASCII column). -
Define new DHCP Policy, name it ex. AMT, you may also add description, Add Condition for User Class = name you defined in New Class (select from the list), Add it
-
In DHCP Standard Options for this new Policy scroll down to Option 015 DNS Domain Name,
Select it and provide your company publicly registered domain name (ex. your site.net.au), Review settings and Finish
New Policy is added to DHCP server - then you have to deploy this new DHCP Policy for Intel AMT configuration time and purpose only:
in your EMAAgent.exe deployment script include in following order:
ipconfig /setclassid Ethernet AMT
where AMT shall be replaced by class ID you configured in first step. It will request from DHCP server to assign IP address within this New DHCP Policy with public domain name in Option 15.
EMAAgent.exe –fullinstall
TIMEOUT /T 180 /Nobreak
it will deploy EMAAgent which will register endpoint and start configuring Intel AMT automatically.
AMT configuration to ACM may take some time to complete so hence Timeout /T 180 /Nobreak command.
You may adjust time to be longer than those 3 min.
This is quick and not perfect example of giving Intel EMA time to complete AMT configuration to ACM mode.
other way is to query AMT configuration status to reach ACM with Intel® EMA Configuration Tool on 30-60 sec interval within script.
and than
ipconfig /setclassid Ethernet
which will revert back to default DHCP Policy (with your internal .local domain name in ?Option 15).
so your EMA Agent deployment script will look like:
ipconfig /setclassid Ethernet AMT
EMAAgent.exe –fullinstall
TIMEOUT /T 180 /Nobreakipconfig /setclassid Ethernet
Kudos to my team peer Josh Copeland for figuring out this "trick" - I am just sharing it
rgds
Dariusz Wittek
Biz Client Technical Sales Specialist | Intel EMEA CCG Technical Sales
