Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2942 Discussions

Intel EMA and CIRA Provisioning for AMT Features on Remote Endpoints

nojp
Beginner
3,148 Views

In the EMA platform video series, the presenter alludes in one slide to "TLS Provisioning" vs "CIRA Provisioning".

 

Is it possible using EMA to provision AMT when a system is not on the corporate network, without manually performing a MEBx operation on each endpoint?

 

I couldn't find documentation that described how this product could get around the DHCP option 15 check for the AMT provisioning certificate, without requiring the end user or an IT person to perform a MEBx manual operation to add the DNS suffix.

 

Here is our use case: we used Intel SCS in the past and while it worked fine, the required configurations with AD object and certificates per endpoint became too cumbersome.

 

We have recently heard about the EMA product and wanted to test it out for use with systems that are both on and off the corporate network. The CIRA feature seems to support a number of security improvements for these features so we wanted to try that out.

 

The EMA videos do not make it clear though if it is required for the systems to be provisioned for AMT while on the corporate network before leaving, or if it is supported to provision AMT for use with EMA on remote systems on the internet - say through EMA in-band connectivity or through a mass deployment tool like SCCM.

0 Kudos
1 Solution
Jimmy_Wai_Intel
Employee
3,079 Views

If you were using an AMT provisioning certificate to activate AMT on your devices, the situation is similar as with Intel SCS regarding DHCP option 15 or setting PKI DNS suffix in the MEBx. AMT on the device can be activated by EMA if it is on the corporation network with DHCP option 15 matching the DNS suffix in the provisioning certificate installed on EMA server, or outside the corporate network but having the PKI DNS suffix manually entered in MEBx matching the certificate.

View solution in original post

0 Kudos
5 Replies
JoseH_Intel
Moderator
3,079 Views

Hello nojp,

 

Thank you for joining the Intel community

 

Intel EMA is a really new product and we don't have that much information yet. We know its related to AMT but not the exact functioning. Your doubts will be my doubts too. But I will research on this and will let you know as soon as I have any updates.

 

In the meantime let me share with you this document in case you don't have it yet

 

Regards

 

Jose A.

Intel Customer Support

0 Kudos
Jimmy_Wai_Intel
Employee
3,080 Views

If you were using an AMT provisioning certificate to activate AMT on your devices, the situation is similar as with Intel SCS regarding DHCP option 15 or setting PKI DNS suffix in the MEBx. AMT on the device can be activated by EMA if it is on the corporation network with DHCP option 15 matching the DNS suffix in the provisioning certificate installed on EMA server, or outside the corporate network but having the PKI DNS suffix manually entered in MEBx matching the certificate.

0 Kudos
nojp
Beginner
3,079 Views

OK, thanks for clarifying Jimmy - and thanks Jose for your assistance. That is all I needed - we will proceed with trialing EMA, I just wanted to be clear if there was some sort of change to the underlying process there. Have a great week!

0 Kudos
MichaelA_Intel
Employee
3,079 Views

Hi Joel,

 

Jimmy's response is accurate. Just one more thing. When provisioning outside of the corporate domain, you will be provisioning in "host based configuration", meaning it will be in "client control mode" which will require user permission for KVM.

 

Regards,

Michael

0 Kudos
MichaelA_Intel
Employee
3,079 Views

Joel, if you need further assistance let us know. For now, I will go ahead and close out this case.

 

Regards,

Michael

0 Kudos
Reply