Hello,
I'm trying to set up Intel EMA and want to bring my test client to ACM (Admin Control Mode) to get the KVM working without user consent.
I already bought an AMT SSL Cert from Comodo and installed it to IIS and uploaded it to EMA with private key (showing up with blue PKI tag).
I want to use CIRA tunnel (server in cloud, client in remote network without VPN).
AMT is provisioned (Host Based Provisioning) with CIRA, but the client is only in Client Control Mode. What do I need to do to get it to ACM mode?
I've created a profile for AMT autosetup with HBP and one with TLS-PKI. Which is the right one? What do I need to fill in as "Administrator Password"? Do I need to set one on the client-side? Can this be done with ACUConfig remotely?
Thanks in advance!
Hello ManuelK1,
Thank you so much for contacting Intel customer support.
To check this further we will require the information below:
What EMA version is the one currently being used?
How many endpoints do you have in your deployment and how many are being affected?
What AMT versions are the ones being used on your deployment?
Are the endpoints in your deployment as well as your server fully updated?
Is your installation a multi-server or a single-server one?
Is the EMA server installed in a physical server or a virtual machine? Also, what OS is the one being used on the server?
Could you please let us know the type of cryptographic version the Certificate you have is using? If you are not sure, please go to the EMA server, open the section called Manage Computer Certificates>Personal Store>Open the EMA Certificate, and review the cryptographic version. AMT 14 and later requires SHA256 Certificates; previous AMT versions work with SHA1.
Additionally, to further validate the information you find, please send us screenshots of the EMA certificate and all of the other three certificates in its certificate chain (the screenshots needed from each of the certificate lines are from 3 tabs each: General, Details, and Certificate Path).
The following logs will be needed as well:
EMA logs from Server:
[System drive]\Program Files (x86)\Intel\Platform Manager\EmaLogs
ECT log from endpoint:
Intel® EMA Configuration Tool
Installation:
Double-click the .msi file and follow the prompts.
Run:
a- Open a command prompt as administrator.
b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c- Run the command: EMAConfigTool.exe -filename XXXX --verbose
Best regards,
Victor G.
Intel Technical Support Technician
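
The certificate check requested in the reply above can also be scripted. This is an added example, not part of the original thread and not Intel tooling; the function name and the `$SubjectFilter` parameter are hypothetical, so pass part of your own EMA certificate's subject name:

```powershell
# Added example: list the signature algorithm of every certificate in the
# chain of each matching certificate in the local machine "Personal" store.
function Get-CertChainSignatureReport {
    param(
        [string]$SubjectFilter = '*',                   # hypothetical: part of the EMA cert subject
        [string]$StorePath = 'Cert:\LocalMachine\My'    # the computer's "Personal" store
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Inspection only: do not contact CRL/OCSP endpoints while building the chain.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$SubjectFilter*" } |
        ForEach-Object {
            $leaf  = $_
            $built = $chain.Build($leaf)   # $false if the chain is incomplete or untrusted
            $depth = 0
            foreach ($element in $chain.ChainElements) {
                $cert = $element.Certificate
                $alg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha1RSA
                [pscustomobject]@{
                    Leaf               = $leaf.Subject
                    Depth              = $depth          # 0 = leaf, highest = root
                    Subject            = $cert.Subject
                    SignatureAlgorithm = $alg
                    IsSha1             = $alg -match '^sha1'
                    NotAfter           = $cert.NotAfter
                    ChainBuilt         = $built
                }
                $depth++
            }
            $chain.Reset()   # clear state before the next certificate
        }
}

# Run from an elevated PowerShell prompt on the EMA server.
Get-CertChainSignatureReport | Format-Table -AutoSize
```

Any row with `IsSha1` set to True marks a certificate in the chain that is signed with SHA1, which the reply says is only accepted by AMT versions before 14.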
Hello Victor,
Meanwhile, I've tried several things and came upon the solution with the temporary DNS suffix change (because we're using a company.local domain for our clients) from "Solved: Intel AMT Provisioning Certificate with a .local domain - Intel Community".
Now I have my first client in ACM.
Just some short questions to solve my problem:
Must the domain for the EMA server be a sub from the DHCP option 15 domain (e.g. amt.company.local)?
Is the DHCP option 15 workaround only needed during initial setup or also at a later time (cert renewal, reboot, after BIOS/FW/ME upgrade, ...)?
Is there a way to install our own root certificate from an elevated Windows prompt, or do I need to install it through USB stick in BIOS?
I'm using the latest EMA 1.11.1.
Hello ManuelK1,
Thank you so much for your response.
Please find your questions answered below:
1- Must the domain for the EMA server be a sub from the DHCP option 15 domain (e.g. amt.company.local)?
R/ The DHCP option 15 from your company must match the DNS suffix from your company. The DNS from EMA can be either your company's DNS or a subdomain.
Additionally, we suggest creating or requesting the certificate with the domain of your company; however, if your domain ends in .local, that is not supported. You can see the supported verification methods in the link below
If you need to change the certificate you currently have based on the information above, please contact your certificate vendor.
2- Is the DHCP option 15 workaround only needed during initial setup or also at a later time (cert renewal, reboot, after BIOS/FW/ME upgrade, ...)?
R/ The DHCP option 15 is important during the provisioning stage of your machines when it’s being done remotely; after that is completed, it is not important anymore since all the provisioned machines will have the DNS suffix installed.
3- Is there a way to install our own root certificate from an elevated Windows prompt, or do I need to install it through a USB stick in BIOS?
R/ No, you will need to do it manually on each endpoint.
Best regards,
Victor G.
Intel Technical Support Technician
Hello ManuelK1,
Were you able to check the previous message we sent?
Please let us know if you need further assistance.
Best regards,
Victor G.
Intel Technical Support Technician
Hello ManuelK1,
We have not heard back from you.
If you need any additional information, please submit a new question as this thread will no longer be monitored.
Regards,
Victor G.
Intel Technical Support Technician