Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

User consent for KVM not working on new 8.1 firmware levels

idata
Employee

We are using Intel SCS-Server to configure all our systems with the same AMT/VPRO-Settings.

One of the functions we are configuring/enabling using a SCS-profile/xml is KVM, especially the user-consent function (6-digit dialog).

Everything worked fine for several months, but now we have run into a security problem, because with the newly delivered HW systems we got the first systems with 8.1 AMT firmware, and on these systems the user-consent settings are not working - KVM access is now possible simply using userid/password, without the user confirmation which is normally given by user consent.

Meanwhile we found the reason - manually configuring the VPRO settings, we found a parameter "Opt-in configurable from Remote IT" which is ENABLED by default. After setting this parameter to DISABLED manually, the user consent is working fine.

Unfortunately we found no corresponding parameter in the INTEL SCS/Profiles or in the ACUCONFIG command that allows us to disable this setting.

How can this parameter be set to disabled - ideally with INTEL SCS/Profile or ACUCONFIG - doing it manually is really not the solution :-))

Joseph_O_Intel
Employee

In order to diagnose why you are getting a difference in User Control actions I will need a little more information.

What version of SCS are you using?

What method of Provisioning are you using?

What VNC application are you using?

What "older" clients are working "correctly" (make/model)?

What "new" AMT 8.1 clients are working "correctly" (make/model)?

In general, when using the 3 basic methods of provisioning, they will each yield differing results in regard to User Consent settings.

In general the setting you are talking about is controlled by the option "User consent required for redirection sessions"; this is configurable when performing one touch provisioning (USB).

If you are performing provisioning using acuconfig /configamt the profiles used will default to Client Control Mode (CCM). While in CCM the default setting is User Consent Required.

If you are performing provisioning using acuconfig /configviarcsonly the profiles used will default to Admin Control Mode (ACM). While in ACM the default setting is User Consent not-Required.

So if you are provisioning in ACM and using RealVNC, User consent within RealVNC can be set as required under the Expert Option "AMTRequire Consent".

Waiting for your reply;

Joe

idata
Employee

Sorry for the delayed response - I will try to answer your questions :-)

- We are using SCS 8.1.4.16

- We have created an XML using SCS, then on each client we use the command "acuconfig configamt .... /Decryptionpassword .... /AbortonFailure /Adminpassword ...." to set up the AMT device

- We are using VNC Viewer Plus for kvm-success

- The method described above has worked fine for months for all our Lenovo machines like X220, T410, T420 and so on - the trouble starts with the new models X230 / T430

- Going directly into the AMT settings using CTRL-P, we found a new parameter, "Opt-in Configurable from Remote IT". After setting this parameter manually to "Disable Remote Control of Opt-In Policy", user consent works as configured in the XML.

Regards,

Rolf

idata
Employee

I got the exact opposite result!

I used to be able to access the remote X230 without consent, but now all the connections are asking for consent!

Any idea what's wrong?
idata
Employee

Hi,

I have the same problem with the X230, but in my situation "No Consent" has become "Need Consent".

Now all my systems ask for consent when I want to access them remotely.

Any idea what's wrong?
