Intel® vPro™ Technology

  Section 3 of 11  

Configuring Intel® Active Management Technology

Background and Problem Description

Client System Deployment Strategies for IT
The Intel® Active Management Technology (Intel® AMT) configuration procedures should be seamlessly integrated into the existing client system deployment model of the IT organization. There are probably as many different deployment procedures as there are businesses. Nonetheless, in the case of Intel AMT configuration, we have identified two major deployment strategies that call for distinct Intel AMT configuration methods:

1. Direct shipment. Client systems are shipped directly from the system manufacturer to the enterprise end-user.
2. IT staging-area setup. Systems undergo an initial setup by an IT technician prior to shipment to the end-user.

As well as the aforementioned methods, some system manufacturers offer their customers the option of purchasing customized PC client systems. Typically, this is done in order to simplify the deployment process: for example, by pre-loading the enterprise’s operating system (OS) image.

Intel AMT configuration can be incorporated into the two types of deployment models we mention. Furthermore, Intel is providing the system manufacturer with the capability to pre-configure various Intel AMT settings, which we explore in subsequent sections of this article.

Security
Before the advent of Intel AMT, manageability technologies such as the Alert Specification Format (ASF) [1] and Wired for Management (WfM) [2] were configured through the host OS. For example, configuration of Intel’s ASF management controller was performed through a Windows Management Instrumentation* (WMI) provider [3], on the local Microsoft Windows* OS, which could be used by any software application to configure ASF, specify ASF policies, and designate remote management servers. From a security perspective, malware applications, such as computer viruses and Trojan horses operating on a PC client OS, could exploit the capabilities provided by ASF. However, since these capabilities are limited to alerts and remote power-up/power-down operations, the consequences of such misuse were typically low, as was the overall vulnerability of the system. Intel AMT offers much stronger protections to the enterprise IT group, including the capability to boot systems from a remotely-situated media and to share data between local and remote software agents. With this in mind and with the ongoing rise in PC client malware vulnerability incidents [4], Intel AMT requires a more resilient configuration method that can withstand such malware. The Intel configuration methodology aims to establish a trusted and secure channel between the device-given Intel AMT instance and the authoritative enterprise’s management server, such as the Microsoft System Center Configuration Manager* (SCCM), thereby reducing the likelihood of a malware attack and lowering the overall exposure of Intel AMT to such attacks.

Scalability
Intel AMT can be used by businesses of any size from Fortune 500 enterprises or other large businesses, to small- and medium-sized businesses. We consider a business to be small if it has less than 100 employees; a medium business would have 100 to 1000 employees; and any business with over 1000 employees is a large business. Each of these types of businesses may have a different set of requirements for how they would like to configure Intel AMT. A cost-effective deployment solution might not be the same for all: it will differ depending on the size of the business. A simple, manual option would best meet the needs of a small business, while a fully-automated, yet infrastructure-dependent, solution would best meet the needs of an enterprise. Intel AMT offers both configuration options.

  Section 3 of 11  

Back to Top