We are using Intel SCS-Server to configure all our systems with the same AMT/VPRO-Settings.
One of the functions we are configuring/enabling using a SCS-profile/xml is KVM, specially the user-consent-function (6 digits-dialog).
Everything works fine for several month, but now we run in a security-trouble, cause with the new delivered HW-systems we got the first systems
with 8.1-AMT-firmware and on this systems the user-consent-settings are not working - KVM-access is now possible simply using userid/password
without user-confirmation which is normally given by user-consent.
Meanwhile we found the reason - manually configuring the VPRO-Settings we found a paramenter "Opt-in configurable from Remote IT" which is
ENABLED by default. Setting this paramter to DISABLED manually, the user-consent is working fine.
Unfortunately we found no corresponding parameter in the INTEL SCS/Profiles or in the ACUCONFIG command to allow to disable this setting.
How can this parameter be set to disabled - best with INTEL SCS/Profile or ACUCONFIG - doing it manually is really not the solution :-))
In order to diagnose why you are getting a difference in User Control actions I will need a little more information.
What version of SCS are you using?
What method of Provisioning are you using?
What VNC application are you using?
What "older" clients are working "correctly" (make/model)?
What "new" AMT 8.1 clients are working "correctly" (make/model)?
In general, when using the 3 basic methods of provisioning, they each will yeild differing results in regards to User Consent settings.
In general the setting you are talking about is controlled by the option "User consent required for redirection sessions" this is configurable when performining one touch provisioning (USB).
If you are performing provisioning using acuconfig /configamt the profiles used will default to Client Control Mode (CCM). While in CCM the default setting is User Consent Required.
If you are performing provisioning using acuconfig /configviarcsonly the profiles used will default to Admin Control Mode (ACM). While in ACM the default setting is User Consent not-Required.
So if you are provisioning in ACM and using RealVNC, User consent within RealVNC can be set as required under the Expert Option "AMTRequire Consent"
Waiting for your reply;
Sorry for the delay response - i try to answer your questions :-)
- We are using SCS 18.104.22.168
- We have created a xml using SCS, then we use on each client the command "acuconfig configamt .... /Decryptionpassword .... /AbortonFailure /Adminpassword ...." to setup the amt device
- We are using VNC Viewer Plus for kvm-success
- Above described method works fine since month for all our Lenovo-machines like X220, T410, T420 and and and... - trouble starts with the new models X230 / T430
- Directly going in the AMT-settings using CTRL-P we found a new parameter
Opt-in Configurable from Remote IT. Setting this parameter manually to
"Disable Remote Control of Opt-In Policy" - user consent is working like configured in the xml.