Out of Band management - design considerations

JSank · ‎07-15-2015

Hello,

We are planning to implement out of band management. The plan is to provision AMT devices from SCCM using the add on package and manage devices from Intel Platform solution manager. We cam up with few points and i am trying to find out an answer. Can you please help understand below points or point to a blog or document that will help understand the process better. Thank you

As part of creating Intel AMT Configuration profile, an Active directory OU is specified. What information gets written to this OU. I have seen machine accounts in this OU. Does this move the machine out of existing OU or is it just an duplicate entire

We specify a certificate when profile is created, is there a document or article that explains the process of how the clients gets authenticated.

If the profile information is written to the non-volatile memory of the chipset, how this information can be revoked. Is un-provisioning the only method to take the data back.

Thank you

TKrem1 · ‎10-09-2015

Hello,

let me try to share some light on your questions.

1. The Provisioning Process doesn't move your existing machine account from one group to another. In fact a new machine account item is created. If you use scripts that work with the common name you probably can get some problems cause the common name is identical but the sAMAccountName has the addition $iME. In the Attribute Editor you will also find some differences to the 'normal' account.

At the moment this step doesn't work because Microsoft released the patch MS15-096 that changed some AD Attributes. Now the Object will be created but the acuconfig.exe can't set the right attributes and the management via SCCM doesn't work.

2. The SCS Deployment-Guide Chapter 6 explains some things for the certificate question. If you look at the internet there are some older but still actual instructions from Intel or Microsoft how to build the certificate templates and what they do.

Following Links are great resources for implementing SCS in SCCM.

https://sccmguru.wordpress.com/2013/12/20/integrating-configuration-manager-2012-r2-with-intel-scs-9... Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction | SCCM GURU

And

http://blogs.bamits.com.au/2012/09/integrating-sccm-2012-with-scs-81.html Blair Muller's Blog: Integrating SCCM 2012 with SCS 8.1

3.You can wipe the Data via a Mebx-Reset in the Bios but you have to do it manually for each computer and you have to confirm the step after a restart. No scripting for that at the moment. Or you can use the Full-unprovision task that comes with the add one.

ABogg1 · ‎11-20-2015

Why don't you try http://www.mcafee.com/in/products/epo-deep-command.aspx ePO Deep Command, you can provision systems with few clicks. No need to use Intel SCS or buy provisioning certificate. You can get it going in less than 30 minutes. ePO is also a robust security management platform where many other security products are integrated into.