Setting up and configuring Intel AMT in HP Business Notebooks, Desktops, and Workstations - White Paper
27
Enterprise mode setup and configuration
This section provides instructions and guidelines for Intel AMT setup and configuration (provisioning) in Enterprise mode.
Intel AMT is designed to support a range of SMB and enterprise provisioning scenarios that involve tradeoffs between
security, cost, and convenience. At one end of the spectrum, it is possible to manually configure Intel AMT in a matter of
minutes on a local machine. Alternatively, it is possible to configure a vast array of machines with Intel AMT in a large
enterprise environment without physically touching these machines once; moreover, they can be configured in such a way
that the process is trusted and secure, and not vulnerable to being attacked or snooped on by malware or prying eyes.
SMBs can perform all setup and configuration tasks manually, with no need for third-party software. However, enterprise IT
departments typically automate the provisioning process by allowing Intel AMT systems to connect over the network to a
setup and configuration server (SCS) application (such as Symantek Notification Server, LANDesk Management Suite, or
Microsoft System Center Configuration Manager) that is integrated with the remote management console. Provisioning can
then be achieved by establishing a secure Transport Layer Security (TLS) tunnel between the Intel AMT system and SCS, and
then automatically downloading the necessary provisioning information to the Intel AMT system. Various levels of security
are supported, including public-key infrastructure (PKI) and pre-shared key (PSK) implementations.
Intel AMT can support a range of provisioning scenarios:
Direct shipment – The Intel AMT system is shipped from the OEM to the end-user; provisioning takes place locally – either
manually or via an SCS.
IT staging area – For larger customers, systems are shipped to an IT staging area where they undergo provisioning
before being given to end-users.
OEM-customized system – The OEM may apply a custom image to the client; no provisioning would then be required at
the customer’s site; alternatively, the OEM may pre-configure various Intel AMT settings. See also OEM TLS-PSK
provisioning.
Intel AMT offers a range of options for carrying out the actual provisioning:
Manual setup and configuration – The Manual mode for Intel AMT setup and configuration is intended for customers that
do not have an SCS or the necessary network and security infrastructures to use TLS. Here, setup and configuration is
performed manually through the MEBx, as described in Manual mode setup and configuration.
Legacy provisioning – As soon as the Intel AMT system is powered on for the first time, it begins sending out “hello”
messages looking for an SCS. When the SCS is found and authentication has taken place, the SCS provisions the Intel AMT
system. This zero-touch method may place a significant burden on the network, depending on the number of systems
being provisioned concurrently.
Note
Zero-touch provisioning uses the default MEBx setup.
Remote provisioning – With remote provisioning (also known as remote configuration or host-based configuration), the
Intel AMT system has an OS up-and-running, as well as a local Intel agent – the Intel AMT Configuration Utility
(ACU_configurator). As soon as the system is powered up, it begins sending “hello” messages to request provisioning.
However, if the system is not provisioned within six hours, the “hello” messages stop; you would then need to re-use the
agent to initiate remote configuration.
Remote provisioning uses the TLS-PKI method and can be zero-touch at the client side. For more information, refer to
Using the TLS-PKI method.
Delayed remote provisioning – The Intel AMT system has its OS up-and-running and a local agent has been installed.
Provisioning, which can take place whenever convenient so as not to burden the network, is initiated when the local agent
contacts the SCS.
For more information, refer to Using the TLS-PKI method.
TLS-PSK provisioning – For stronger security, TLS-PSK can be used for remote provisioning. For more information, refer
to Using the TLS-PSK method.
– OEM-TLS-PSK provisioning – HP supports zero-touch TLS-PSK provisioning by pre-configuring key Intel AMT settings
at the factory. For more information, refer to OEM TLS-PSK provisioning.