Introducing Intel® Active Management Technology 10

Original author: Colleen Culbertson


Intel Active Management Technology (Intel AMT) is a component of Intel vPro technology. Platforms equipped with Intel AMT support remote management even if the operating system is unavailable or the computer is turned off.
Independent software vendors can build applications that make effective use of Intel AMT features with the Intel AMT software development kit (SDK). This package includes the Intel AMT High Level API (Intel AMT HLAPI), a very simple API that is consistent across all AMT versions and Intel product lines.
Below we take a closer look at Intel AMT's capabilities and configuration process and, in conclusion, add a few words about the AMT SDK.

To use Intel AMT Out-of-Band Management, you must use Intel Ethernet or an Intel Wireless adapter that supports Intel ME firmware.
Please note that to use the Intel AMT 10.0 release on a platform, you need to install version 10 of the Intel ME firmware and driver. The 10.0 driver can be installed on systems that originally used 8.x, 9.x or 10.0 firmware. Always use the firmware provided by your system supplier.
Intel AMT supports remote applications running on Microsoft Windows* or Linux*; local applications are supported only on Windows.

New features introduced in Intel AMT 10.0 release

The Intel AMT 10 release is backward compatible with systems that use the Intel 7, 8, and 9 series chipsets.
  • The most important change: OpenSSL* is now used without the heartbeat flag. For this reason, systems upgraded to AMT 10 need to revoke and reissue certificates, and change passwords.
  • Added screen blanking of the Intel AMT client (during remote access) to the HLAPI and the KVM application tool.
  • Updated MOF and XSL files, like the class reference, are now in version 10.0.25.1048.
  • The version of RealVNC* on Linux and KVM has been updated to 1.2.5.
  • Connected Standby / InstantGo on Windows is supported for Windows 7 and later (also available in HLAPI).
  • Correct power management operations are supported on 32-bit and 64-bit platforms of Windows Vista, 7 and 8, including (in Windows 8) the modes of Connected Standby / InstantGo, as well as the generation of UNS events. This feature has also been added to the HLAPI API.
  • Initialization is now supported in management modes for the administrator and for the client with secure FQDNs.

Preparing the Intel AMT Client for Use

Configuring (initializing) an AMT client means switching the client from installation and configuration mode to online mode. Before the client can enter configuration mode, the system provider must set up the initial information (which depends on the AMT version). Activating Intel AMT requires the Intel Manageability Engine BIOS extension (Intel MEBx), implemented by the system vendor. Installation and configuration can also be performed with a remote management application. Different AMT versions support different installation methods.

AMT releases                          Installation method
1.x; plus 2.x, 3.x in the old mode    Old
2.x, 3.x, 4.x, 5.x                    SMB
2.0 and later                         PSK
2.2, 2.6, 3.0 and later               PKI (remotely)
6.0 and later                         Manually
7.0 and later                         Management mode for the client and management mode for the administrator
10.0                                  Secure FQDNs are now supported.

Intel Setup and Configuration Software (Intel SCS) can initialize systems with Intel AMT 2.X.

Manual setup tips

Manual configuration is performed in the Intel MEBx menu, which becomes available immediately after the BIOS startup screen is displayed (usually by pressing a key combination). Some BIOS versions allow this prompt to be hidden.
To manually configure the Intel AMT client, follow these steps:
  1. Enter the default Intel MEBx password (admin).
  2. Replace the default Intel MEBx password with a new secure password (required). This password must contain at least eight characters and at least one uppercase letter, one lowercase letter, one number and one special character. Note: the management console application can change the Intel AMT password without changing the Intel MEBx password.
  3. Select Intel AMT Configuration.
  4. Select Manageability Feature Selection.
  5. Select ENABLED to enable Intel AMT technology.
  6. Select SOL / IDE-R / KVM and activate all of these features. Enabling Legacy Redirection Mode provides compatibility with management consoles designed to work with the old SMB mode, which does not have a listener enable mechanism. Please note that if SOL / IDE-R / KVM are not enabled in Intel MEBx, they will not be available to management consoles.
  7. Select User Consent. Select the options you want for KVM and Remote IT operations. If user consent is enabled, the user's permission must be obtained each time the Intel AMT client is accessed remotely.
  8. Enter Network Setup to configure network settings for Intel ME.
  9. Enter Activate Network Access to enable Intel AMT.
  10. Return to the main menu.
  11. Select MEBx Exit to continue the system boot process.

The platform is configured. Additional parameters can be set using the web interface or the remote control console application.

Management mode for the client and management mode for the administrator

Upon completion of the installation, regardless of the method, Intel AMT 7.0 and later will go into one of two control modes.
Management mode for the administrator - after installation using the Intel MEBx menu or remote installation, Intel AMT enters the management mode for the administrator. In this mode, all Intel AMT functions are available due to the high level of trust in the user who applied these installation methods.
Management mode for the client - Intel AMT switches to this mode after the basic installation on the server (locally). Some Intel AMT features are unavailable due to the low level of trust required for installation on the server. The following restrictions apply.
  1. System protection is not available.
  2. Redirection actions (IDE-R and KVM, but not initiating a SOL session) and changes to boot parameters (including booting to SOL) require user permission in advance. Even so, IT professionals can still remotely solve end-user problems with Intel AMT.
  3. If an auditor account has been created, auditor permission is not required to cancel initialization.
  4. A number of functions are blocked to prevent an untrusted user from taking control of the platform.

AMT 9.0 and later versions add the ability to remotely configure a platform that is not equipped with monitoring tools without the permission of a local user.

Access to Intel AMT Clients via Web Interface

A user with administrator rights can remotely connect to the Intel AMT client via the web interface by entering the IP address or FQDN of the client and then the port number in the address bar of the browser. If TLS is NOT configured, use http and port 16992; otherwise, use https and port 16993.
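
An added example, not from the original article or Intel's SDK: a fleet check built on the port rule above that reports which hosts answer on the non-TLS port 16992. The function names, the injectable `probe` parameter and the sample addresses are assumptions made for illustration.

```python
import socket

# From the page: the AMT web interface uses http on port 16992 when TLS is
# not configured, and https on port 16993 when it is.
AMT_HTTP_PORT, AMT_HTTPS_PORT = 16992, 16993


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name not resolved
        return False


def web_url(host, tls):
    """Build the web-interface URL using the scheme/port rule above."""
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"  # IPv6 literals need brackets in a URL
    scheme, port = ("https", AMT_HTTPS_PORT) if tls else ("http", AMT_HTTP_PORT)
    return f"{scheme}://{host}:{port}/"


def classify_host(host, probe=tcp_open):
    """Classify one host by which AMT web port answers.

    An open port only suggests AMT is configured; nothing is authenticated.
    """
    plain, tls = probe(host, AMT_HTTP_PORT), probe(host, AMT_HTTPS_PORT)
    if plain:
        # Management traffic to this host crosses the network unencrypted.
        return {"host": host, "status": "no-tls", "url": web_url(host, False)}
    if tls:
        return {"host": host, "status": "tls", "url": web_url(host, True)}
    return {"host": host, "status": "not-reachable", "url": None}


def audit(hosts, probe=tcp_open):
    """Return findings for all hosts, plain-HTTP exposures listed first."""
    order = {"no-tls": 0, "tls": 1, "not-reachable": 2}
    findings = [classify_host(h, probe) for h in hosts]
    return sorted(findings, key=lambda f: (order[f["status"]], f["host"]))


if __name__ == "__main__":
    # Constructed inventory (documentation addresses); replace with your own.
    for finding in audit(["192.0.2.10", "192.0.2.11"]):
        print(finding)
```

Hosts reported as `no-tls` are candidates for TLS configuration; confirm each finding in the management console before acting on it.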

To access the Intel AMT client using Serial Over LAN (SOL) technology, you must install the SOL driver.


Intel AMT Local Management Services (LMS) and User Notifications (UNS)

The Local Management Service (LMS) runs locally on the Intel AMT device and allows local management applications to send requests and receive device responses. The LMS listens for and intercepts requests directed to the local Intel AMT server, and then forwards them to Intel ME through the Intel ME interface driver.


Note that on Intel AMT 9.0 and later, local management services and user notifications are combined. UNS registers with the Intel AMT device to receive a set of alerts. Upon receiving an alert, UNS logs it in the Windows Application event log. The source of events is Intel AMT.

Intel Management and Security Status Tool (IMSS)

To access the IMSS tool, use the blue key icon in the Windows notification area.


The General tab in the IMSS tool indicates the status of Intel vPro services available on the platform, as well as the event history. Other tabs provide additional information.


The Advanced tab of the IMSS tool provides more detailed information on Intel AMT configuration and features. The screen shot below confirms that Intel AMT is configured on the system.


Intel AMT-based Software Development Kit (SDK)

The Intel AMT-based software development kit provides low-level programming capabilities with which you can create management applications that use all the features of Intel AMT.
The SDK consists of sample code and a set of APIs that allow developers to quickly and easily add Intel AMT support to applications. In addition, the package includes a full set of documentation. The SDK supports C++ and C# on Microsoft Windows and Linux operating systems. Important information on building the samples is provided in the User Guide and in the Readme files in each directory.
The SDK is provided as a set of directories that can be copied to any selected location in the development system. Since the components are interconnected, the entire directory structure must be copied. At the top level are three folders, one of which is called DOCS (documentation). The other two contain sample code for Linux and for Windows.

Other Intel AMT SDK Information Resources

The Intel AMT SDK contains frameworks and samples that simplify application development based on the WS-Management standard. In addition, the package includes examples of using the advanced features of this product. Further information is provided on the following pages:

There are many different development tools in which software with Intel AMT support can be written. Intel vPro Enablement Tools are only available in C++ (with a C# wrapper in the software development kit), and they require a COM object prepared by Microsoft (not just .NET). SOAP support has been completely removed from the software development kit in AMT 9.0 and later.
