In the EMA platform video series, the presenter alludes in one slide to "TLS Provisioning" vs "CIRA Provisioning".
Is it possible using EMA to provision AMT when a system is not on the corporate network, without manually performing a MEBx operation on each endpoint?
I couldn't find documentation that described how this product could get around the DHCP option 15 check for the AMT provisioning certificate, without requiring the end user or an IT person to perform a MEBx manual operation to add the DNS suffix.
Here is our use case: we used Intel SCS in the past and while it worked fine, the required configurations with AD object and certificates per endpoint became too cumbersome.
We have recently heard about the EMA product and wanted to test it out for use with systems that are both on and off the corporate network. The CIRA feature seems to support a number of security improvements for these features so we wanted to try that out.
The EMA videos do not make it clear though if it is required for the systems to be provisioned for AMT while on the corporate network before leaving, or if it is supported to provision AMT for use with EMA on remote systems on the internet - say through EMA in-band connectivity or through a mass deployment tool like SCCM.
Hello nojp,
Thank you for joining the Intel community.
Intel EMA is a really new product and we don't have that much information yet. We know it's related to AMT but not the exact functioning. Your doubts will be my doubts too. But I will research this and will let you know as soon as I have any updates.
In the meantime let me share with you this document in case you don't have it yet.
Regards
Jose A.
Intel Customer Support
If you were using an AMT provisioning certificate to activate AMT on your devices, the situation is similar to that with Intel SCS regarding DHCP option 15 or setting the PKI DNS suffix in the MEBx. AMT on the device can be activated by EMA if it is on the corporate network with DHCP option 15 matching the DNS suffix in the provisioning certificate installed on the EMA server, or outside the corporate network but with the PKI DNS suffix manually entered in MEBx matching the certificate.
OK, thanks for clarifying Jimmy - and thanks Jose for your assistance. That is all I needed - we will proceed with trialing EMA, I just wanted to be clear if there was some sort of change to the underlying process there. Have a great week!
Hi Joel,
Jimmy's response is accurate. Just one more thing. When provisioning outside of the corporate domain, you will be provisioning in "host based configuration", meaning it will be in "client control mode" which will require user permission for KVM.
Regards,
Michael
Joel, if you need further assistance let us know. For now, I will go ahead and close out this case.
Regards,
Michael