I have heard the request several times for an OEM or service provider capability to fully provision an Intel vPro/AMT system BEFORE it arrives onsite at the customer. The following idea may also be of use\interest for large lab environments.
In doing lab tests – I find this possible in many situations\cases. The key is knowing the provision profile ACL settings (at least the Intel AMT admin password), with an assumption only BASIC or STANDARD mode provisioning (e.g. no TLS, no Kerberos, no 802.1x).
Once in the environment – if the mgmt ISV supports a network discovery or agent based update process, then the mgmt console has "full control" of the client. In my lab tests – provisioned a group of systems with a primary Altiris server. Then I loaded up a second Altiris environment, redirected the in-band Altiris agent to it, and thus populated "in-band". After running the Altiris OOB Discovery – then had an awareness of what systems were AMT capable. Could have also done an Altiris Network Discovery. In the end – the second Altiris environment NEVER provisioned the systems. In fact – I totally disabled the provisioning aspects of the environment. However, both Altiris servers can send mgmt commands. Interested to know if anyone has tried this in a mixed environment – SMS and Altiris, LANDesk and SMS, etc. Thus far – don't see any issues.
Since the configured client will be imaged with an OS, and the FQDN will likely change once or twice – the Intel AMT reflector Utility can be used to resync the FQDN between OS and AMT FW. This utility has a command line\script capability.
If the target environment decides they want to reprovision the systems – changing of the provision profile or other – then again, use Intel AMT Reflector or the unprovision.exe utility to fully unprovision the client. After this – initiate a provisioning process via Remote Configuration, or have pre-shared keys installed on the client. (At one point I considered partial unprovision – yet that would require the OEM or service provider to dump their generated PID|PPS pairs to a setup.bin and give to the customer… not likely).
The Intel vPro Activator utility could be used to initiate the hello packets remotely.
The key item to keep in consideration – this idea could be applied to mixed environments, whether or not all client mgmt solutions utilize Intel SCS… in fact, the systems could be small-medium business (SMB) or enteprise mode (without TLS, Kerberos, etc)
Thoughts on this? Have others tried it? if so - like to hear about your experiences in doing so.
You raise two themes in your post; fully provisioning clients before shipping and managing clients with heterogenous management suites.
We have used Intel vPro clients in a heterogenous management environment using both SMS and ALTIRIS to manage clients provisioned in BASIC mode (formerly known as SMB mode) and STANDARD mode (formerly known as ENTERPRISE mode w/o Kerberos or TLS). This gave us the benefit of being able to use either suite without the hassle of having to re-provision when switching suites. This has worked well with no issues as long as the credentials used to access the Management Engine (ME) are coordinated between the management suites.
We also have an integrator who has a slight twist on your theme of fully provisioning Intel vPro clients before shipping them. This integrator has negotiated to have an extension of the customers network piped into their integration premises over a VPN link and routed to a specific bench in their integration area. This allows the integrator to build and configure Intel vPro systems for the customer on their normal integration line and then at the end of that process to take clients to the bench with the extension of the customer network and fully provision unitd (including Kerberos credentials) before packing and shipping to the customers site. When units arrive they can be connected and are ready to go complete with strong authentication.
Clearly this took some time to negotiate network connectivity, but with the prevalence of closer cooperation between customers and their suppliers the customer already had processes in place for connecting suppliers via Intranet link. A little effort with a firewall policy so that only Intel vPro provisioning related traffic flows over the link means the customer feels comfortable the integrator cannot attack their network, the process is also fully auditable (courtesy of the firewall) and the customer knows that systems that arrive onsite are ready to go without needing to be staged.
Hope this was useful.
Thank you for sharing your experience and confirming a concept that has been tossed about with others.
Will be looking to promote and spread the story on this one further.