Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2835 Discussions

Managing clients that are already provisioned

Terry_C_Intel
Employee
‎06-13-2008 04:51 PM
2,058 Views

I have heard the request several times for an OEM or service provider capability to fully provision an Intel vPro/AMT system BEFORE it arrives onsite at the customer. The following idea may also be of use\interest for large lab environments.

In doing lab tests – I find this possible in many situations\cases. The key is knowing the provision profile ACL settings (at least the Intel AMT admin password), with an assumption only BASIC or STANDARD mode provisioning (e.g. no TLS, no Kerberos, no 802.1x).

Once in the environment – if the mgmt ISV supports a network discovery or agent based update process, then the mgmt console has "full control" of the client. In my lab tests – provisioned a group of systems with a primary Altiris server. Then I loaded up a second Altiris environment, redirected the in-band Altiris agent to it, and thus populated "in-band". After running the Altiris OOB Discovery – then had an awareness of what systems were AMT capable. Could have also done an Altiris Network Discovery. In the end – the second Altiris environment NEVER provisioned the systems. In fact – I totally disabled the provisioning aspects of the environment. However, both Altiris servers can send mgmt commands. Interested to know if anyone has tried this in a mixed environment – SMS and Altiris, LANDesk and SMS, etc. Thus far – don't see any issues.

Since the configured client will be imaged with an OS, and the FQDN will likely change once or twice – the Intel AMT reflector Utility can be used to resync the FQDN between OS and AMT FW. This utility has a command line\script capability.

If the target environment decides they want to reprovision the systems – changing of the provision profile or other – then again, use Intel AMT Reflector or the unprovision.exe utility to fully unprovision the client. After this – initiate a provisioning process via Remote Configuration, or have pre-shared keys installed on the client. (At one point I considered partial unprovision – yet that would require the OEM or service provider to dump their generated PID|PPS pairs to a setup.bin and give to the customer… not likely).

The Intel vPro Activator utility could be used to initiate the hello packets remotely.

The key item to keep in consideration – this idea could be applied to mixed environments, whether or not all client mgmt solutions utilize Intel SCS… in fact, the systems could be small-medium business (SMB) or enteprise mode (without TLS, Kerberos, etc)

Thoughts on this? Have others tried it? if so - like to hear about your experiences in doing so.

0 Kudos

Link Copied

3 Replies
idata
Employee
‎06-14-2008 02:41 AM
453 Views

Hi Terry,

You raise two themes in your post; fully provisioning clients before shipping and managing clients with heterogenous management suites.

We have used Intel vPro clients in a heterogenous management environment using both SMS and ALTIRIS to manage clients provisioned in BASIC mode (formerly known as SMB mode) and STANDARD mode (formerly known as ENTERPRISE mode w/o Kerberos or TLS). This gave us the benefit of being able to use either suite without the hassle of having to re-provision when switching suites. This has worked well with no issues as long as the credentials used to access the Management Engine (ME) are coordinated between the management suites.

We also have an integrator who has a slight twist on your theme of fully provisioning Intel vPro clients before shipping them. This integrator has negotiated to have an extension of the customers network piped into their integration premises over a VPN link and routed to a specific bench in their integration area. This allows the integrator to build and configure Intel vPro systems for the customer on their normal integration line and then at the end of that process to take clients to the bench with the extension of the customer network and fully provision unitd (including Kerberos credentials) before packing and shipping to the customers site. When units arrive they can be connected and are ready to go complete with strong authentication.

Clearly this took some time to negotiate network connectivity, but with the prevalence of closer cooperation between customers and their suppliers the customer already had processes in place for connecting suppliers via Intranet link. A little effort with a firewall policy so that only Intel vPro provisioning related traffic flows over the link means the customer feels comfortable the integrator cannot attack their network, the process is also fully auditable (courtesy of the firewall) and the customer knows that systems that arrive onsite are ready to go without needing to be staged.

Hope this was useful.

vProUser

0 Kudos
Copy link
Terry_C_Intel
Employee
‎06-16-2008 10:13 PM
453 Views
In response to idata

Thank you for sharing your experience and confirming a concept that has been tossed about with others.

Will be looking to promote and spread the story on this one further.

In response to idata
0 Kudos
Copy link
Terry_C_Intel
Employee
‎09-21-2008 04:59 PM
453 Views
In response to idata

BTW: Take a look at the following thread - http://communities.intel.com/message/5767

In response to idata
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.