Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2834 Discussions

Out of Band management - design considerations

JSank
Beginner
‎07-15-2015 08:07 AM
1,458 Views

Hello,

 

We are planning to implement out of band management. The plan is to provision AMT devices from SCCM using the add on package and manage devices from Intel Platform solution manager. We cam up with few points and i am trying to find out an answer. Can you please help understand below points or point to a blog or document that will help understand the process better. Thank you

 

  • As part of creating Intel AMT Configuration profile, an Active directory OU is specified. What information gets written to this OU. I have seen machine accounts in this OU. Does this move the machine out of existing OU or is it just an duplicate entire

  • We specify a certificate when profile is created, is there a document or article that explains the process of how the clients gets authenticated.

  • If the profile information is written to the non-volatile memory of the chipset, how this information can be revoked. Is un-provisioning the only method to take the data back.

Thank you

0 Kudos

Link Copied

2 Replies
TKrem1
New Contributor I
‎10-09-2015 01:28 AM
537 Views

Hello,

let me try to share some light on your questions.

 

1. The Provisioning Process doesn't move your existing machine account from one group to another. In fact a new machine account item is created. If you use scripts that work with the common name you probably can get some problems cause the common name is identical but the sAMAccountName has the addition $iME. In the Attribute Editor you will also find some differences to the 'normal' account.

At the moment this step doesn't work because Microsoft released the patch MS15-096 that changed some AD Attributes. Now the Object will be created but the acuconfig.exe can't set the right attributes and the management via SCCM doesn't work.

2. The SCS Deployment-Guide Chapter 6 explains some things for the certificate question. If you look at the internet there are some older but still actual instructions from Intel or Microsoft how to build the certificate templates and what they do.

 

Following Links are great resources for implementing SCS in SCCM.

https://sccmguru.wordpress.com/2013/12/20/integrating-configuration-manager-2012-r2-with-intel-scs-9-0-part-1/ Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction | SCCM GURU

And

http://blogs.bamits.com.au/2012/09/integrating-sccm-2012-with-scs-81.html Blair Muller's Blog: Integrating SCCM 2012 with SCS 8.1

3.You can wipe the Data via a Mebx-Reset in the Bios but you have to do it manually for each computer and you have to confirm the step after a restart. No scripting for that at the moment. Or you can use the Full-unprovision task that comes with the add one.

 

0 Kudos
Copy link
ABogg1
Beginner
‎11-20-2015 01:48 AM
537 Views
In response to TKrem1

Why don't you try http://www.mcafee.com/in/products/epo-deep-command.aspx ePO Deep Command, you can provision systems with few clicks. No need to use Intel SCS or buy provisioning certificate. You can get it going in less than 30 minutes. ePO is also a robust security management platform where many other security products are integrated into.

In response to TKrem1
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.