Dell Systems Management Administrator's Guide

Provisioning: Completing the Setup and Configuration Process

Using a Configuration Service to Complete Provisioning

Using MEBx Interface to Complete Provisioning

The computer has to be configured before the Intel® AMT capabilities are ready to interact with the management application. Two methods are available to complete the provisioning process (in order from least complex to most complex):

  • Configuration service — A configuration service allows you to complete the provisioning process from a GUI console on the server with only one touch on each of the Intel AMT capable computers. The PPS and PID fields are completed using a file created by the configuration service saved to a USB mass storage device.
  • MEBx interface — The IT administrator manually configures the Management Engine BIOS Extension (MEBx) settings on each Intel AMT ready computer. The PPS and PID fields are completed by typing the 32 character and 8 character alpha-numeric keys created by the configuration service into the MEBx interface.

Using a Configuration Service to Complete Provisioning

Using a USB Storage Device

This section discusses Intel® AMT setup and configuration using a USB storage device. You can set up and locally configure password, provisioning ID (PID), and provisioning passphrase (PPS) information with a USB drive key. This is also called USB provisioning. USB provisioning allows you to manually set up and configure computers without the problems associated with manually typing in entries.

USB provisioning only works if the MEBx password is set to the factory default of admin. If the password has been changed, reset it to the factory default by clearing the CMOS. For instructions, see "System Setup" in the User's Guide for your computer.

The following is a typical USB storage device key setup and configuration procedure. For a detailed walk-through using Altiris® Dell™ Client Manager (DCM), see Configuring Intel AMT With the Dell Client Management Application.

  1. An IT technician inserts a USB drive key into a computer with a management console.
  2. The technician requests local setup and configuration records from a setup and configuration server (SCS) through the console.
  3. The SCS does the following:
    • Generates the appropriate passwords, PID, and PPS sets
    • Stores this information in its database
    • Returns the information to the management console
  4. The management console writes the password, PID, and PPS sets to a setup.bin file in the USB drive key.
  5. The technician takes the USB drive key to the staging area where new Intel AMT capable computers are located. The technician then does the following:
    • If necessary, unpacks and connects computers
    • Inserts the USB drive key into a computer
    • Turns on that computer
  6. The computer BIOS detects the USB drive key.
    • If found, the BIOS looks for a setup.bin file at the beginning of the drive key. Go to step 7.
    • If no USB drive key or setup.bin file is found, then restart the computer. Ignore the remaining steps.
  7. The computer BIOS displays a message that automatic setup and configuration will occur.
    • The first available record in the setup.bin file is read into memory. The process accomplishes the following:
      • Validates the file header record
      • Locates the next available record
      • If the procedure is successful, the current record is invalidated so it cannot be used again
    • The process places the memory address into the MEBx parameter block.
    • The process calls MEBx.
  8. MEBx processes the record.
  9. MEBx writes a completion message to the display.
  10. The IT technician turns off the computer. The computer is now in the setup state and is ready to be distributed to users in an Enterprise mode environment.
  11. Repeat step 5 if you have more than one computer.

Refer to the management console supplier for more information on USB drive key setup and configuration.

USB Storage Device Key Requirements

The USB storage device key must meet the following requirements to be able to set up and configure Intel AMT:

  • It must be greater than 16 MB.
  • It must be formatted with the FAT16 file system.
  • The sector size must be 1 KB.
  • The USB drive key is not bootable.
  • The setup.bin file must be the first file landed on the USB drive key. The USB key must not contain any other files whether hidden, deleted, or otherwise.
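
A pre-flight check for the requirements listed above, written for this page as an added example (it is not Dell, Intel, or Altiris code). It reads the FAT boot sector and root directory of a volume and reports anything that breaks the list; the sample volumes are constructed in memory, the "1 KB" reading is an assumption noted in the code, and the "not bootable" requirement is not checked.

```python
import io
import struct

MIN_BYTES = 16 * 1024 * 1024            # "greater than 16 MB"
ATTR_VOLUME_ID, ATTR_LFN = 0x08, 0x0F
SETUP_NAME = b"SETUP   BIN"             # 8.3 directory form of setup.bin


def audit_provisioning_key(dev):
    """Check a FAT volume (binary file object) against the key requirements."""
    findings = []
    dev.seek(0)
    boot = dev.read(512)
    if len(boot) < 512:
        return ["no usable BIOS parameter block; not a FAT volume"]
    # BIOS parameter block fields, starting at offset 11 of the boot sector.
    (bytes_per_sec, sec_per_clus, reserved, num_fats, root_entries,
     total16, _media, fat_size) = struct.unpack_from("<HBHBHHBH", boot, 11)
    total_sectors = total16 or struct.unpack_from("<I", boot, 32)[0]
    if bytes_per_sec == 0 or sec_per_clus == 0:
        return ["no usable BIOS parameter block; not a FAT volume"]

    root_sectors = (root_entries * 32 + bytes_per_sec - 1) // bytes_per_sec
    first_root = reserved + num_fats * fat_size
    clusters = (total_sectors - first_root - root_sectors) // sec_per_clus
    # Standard FAT rule: the cluster count decides FAT12/16/32.
    if root_entries == 0 or not 4085 <= clusters < 65525:
        findings.append(f"not FAT16 ({clusters} clusters)")
    if total_sectors * bytes_per_sec <= MIN_BYTES:
        findings.append("volume is not greater than 16 MB")
    # Assumption: the page's "sector size 1 KB" may mean the BPB sector size
    # or the allocation unit, so either one being 1024 bytes is accepted.
    if 1024 not in (bytes_per_sec, bytes_per_sec * sec_per_clus):
        findings.append(f"sector {bytes_per_sec} B / cluster "
                        f"{bytes_per_sec * sec_per_clus} B, expected 1 KB")

    # setup.bin must be the first entry and nothing else may be on the key,
    # including deleted entries and a volume label.
    dev.seek(first_root * bytes_per_sec)
    root = dev.read(root_entries * 32)
    setup_first = False
    for slot in range(len(root) // 32):
        entry = root[slot * 32:slot * 32 + 32]
        if entry[0] == 0x00:                # end-of-directory marker
            break
        name, attr = entry[:11], entry[11]
        if entry[0] == 0xE5:
            findings.append(f"slot {slot}: deleted entry left behind")
        elif attr & 0x3F == ATTR_LFN:
            findings.append(f"slot {slot}: long-file-name entry")
        elif attr & ATTR_VOLUME_ID:
            findings.append(f"slot {slot}: volume label present")
        elif slot == 0 and name == SETUP_NAME:
            setup_first = True
        else:
            shown = name.decode("ascii", "replace")
            findings.append(f"slot {slot}: extra entry {shown!r}")
    if not setup_first:
        findings.append("setup.bin is not the first directory entry")
    return findings


def build_sample(entries, sec_per_clus=2):
    """Constructed 20 MB volume header: boot sector, blank FATs, root directory."""
    bps, reserved, num_fats, fat_size, root_entries = 512, 1, 2, 80, 512
    image = bytearray((reserved + num_fats * fat_size) * bps)
    struct.pack_into("<HBHBHHBH", image, 11, bps, sec_per_clus, reserved,
                     num_fats, root_entries, 40960, 0xF8, fat_size)
    image[510:512] = b"\x55\xaa"
    for name, attr in entries:              # one 32-byte directory entry each
        image += name + bytes([attr]) + bytes(20)
    image += bytes((root_entries - len(entries)) * 32)
    return io.BytesIO(bytes(image))


# Constructed samples: a freshly formatted key, and a reused key.
CLEAN = build_sample([(SETUP_NAME, 0x20)])
DIRTY = build_sample([(SETUP_NAME, 0x20),
                      (b"\xe5OTES   TXT", 0x20),     # deleted file
                      (b"KEYS    BAK", 0x22)])       # hidden file

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("dirty", DIRTY)):
        print(label, audit_provisioning_key(image) or "OK")
```

To check a real key, pass the partition opened in binary mode (for example an image file of the volume) instead of the constructed samples.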

Configuring Intel AMT With the Dell Client Management Application

The default console package provided is the Dell™ Client Management (DCM) application. This section provides the procedure to set up and configure Intel® AMT with the DCM package. As mentioned earlier in the document, several other packages are available through third-party vendors.

The computer must be configured and seen by the DNS server before you begin this process. Also, a USB storage device is required and must conform to the requirements listed in the previous section.

The nature of management software is that it is not always dynamic or real time. In fact, sometimes if you tell a computer to do something, such as to reboot, you may have to reboot again for it to work.

Setup and Configuration Using a USB Storage Device

  1. Format a USB device with the FAT16 file system and no volume label and then set it aside.
  2. Open the Altiris® Dell Client Manager application by double-clicking the desktop icon or through the Start menu.
  3. Select AMT Quick Start from the left navigation menu to open the Altiris Console.
  4. Click the plus (+) to expand the Intel AMT Getting Started section.
  5. Click the plus (+) to expand the Section 1. Provisioning section.
  6. Click the plus (+) to expand the Basic Provisioning (without TLS) section.
  7. Select Step 1. Configure DNS.

     The notification server with an out-of-band management solution installed must be registered in DNS as "ProvisionServer."

  8. Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel setup and configuration server (SCS).

     The IP addresses for the ProvisionServer and Intel SCS are now visible.

  9. Select Step 2. Discovery Capabilities.
  10. Verify that the setting is Enabled. If Disabled, click the checkbox next to Disabled and click Apply.
  11. Select Step 3. View Intel AMT Capable Computers.

     Any Intel AMT capable computers on the network are visible in this list.

  12. Select Step 4. Create Profile.
  13. Click the plus (+) to add a new profile.
  14. On the General tab the administrator can modify the profile name, description, and password. The administrator sets a standard password for easy maintenance in the future. Select the manual radio button and enter a new password.
  15. The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx.
  16. The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of information are required including the certificate authority (CA) server name, CA common name, CA type, and certificate template.
  17. The ACL (access control list) tab is used to review users already associated with this profile and to add new users and define their access privileges.
  18. The Power Policy tab has configuration options to select the sleep states for Intel AMT and an Idle Timeout setting. It is recommended that Idle timeout is always set to 1 for optimal performance.
  19. Select Step 5. Generate Security Keys.
  20. Select the icon with the arrow pointing out to Export Security Keys to USB Key.
  21. Select the Generate keys before export radio button.
  22. Enter the number of keys to generate (depends on the number of computers that need to be provisioned). The default is 50.
  23. The Intel ME default password is admin. Configure the new Intel ME password for the environment.
  24. Click Generate. Once the keys have been created, a link appears to the left of the Generate button.
  25. Insert the previously formatted USB device into a USB connector on the ProvisioningServer.
  26. Click the Download USB key file link to download the setup.bin file to the USB device. The USB device is recognized by default; save the file to the USB device.

     If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file to it.

  27. Click Save in the File Download dialog box.
  28. Verify the Save in: location is directed to the USB device. Click Save.
  29. Click Close in the Download complete dialog box.

     The setup.bin file is now visible in the drive explorer window.

  30. Close the Export Security Keys to USB Key and drive explorer windows to return to the Altiris Console.
  31. Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized immediately and the following message appears:

     Continue with Auto Provisioning (Y/N)

  32. Press <y>.
  33. Press any key to continue with system boot...
  34. Once complete, turn off the computer and move back to the management server.
  35. Select Step 6. Configure Automatic Profile Assignments.
  36. Verify that the setting is enabled. In the Intel AMT 2.0+ dropdown, select the profile created previously. Configure the other settings for the environment.
  37. Select Step 7. Monitor Provisioning Process.

     The computers for which the keys were applied begin to appear in the system list. At first the status is Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at the end of the process.

  38. Select Step 8. Monitor Profile Assignments.

     The computers for which profiles were assigned appear in the list. Each computer is identified by the FQDN, UUID, and Profile Name columns.

Once the computers are provisioned, they are visible under the Collections folder in All configured Intel AMT computers.


Using MEBx Interface to Complete Provisioning

Intel® AMT can be set up for either Enterprise or Small and Medium Business operational modes (also called provisioning models). Both operational modes support dynamic and static IP networking.

If you use dynamic IP networking (DHCP), the Intel AMT host name and the operating system host name must match. You must also configure both the operating system and Intel AMT to use DHCP.

If you use static IP networking, the Intel AMT IP address must be different from the operating system's IP address. Additionally, the Intel AMT hostname must be different from the operating system's hostname.

  • Enterprise mode – This mode is for large organizations. This is an advanced networking mode that supports Transport Layer Security (TLS) which requires a configuration service. Enterprise mode allows IT administrators to set up and configure Intel AMT securely for remote management. The Dell™ computer is defaulted to Enterprise mode when it leaves the factory. The mode can be changed during the setup and configuration process.
  • Small Medium Business (SMB) mode – This mode is a simplified operational mode that does not support TLS and does not require a setup application. SMB mode is for customers who do not have independent software vendor (ISV) management consoles or the necessary network and security infrastructures to use encrypted TLS. In SMB mode, Intel AMT setup and configuration is a manual process completed through the Intel ME BIOS Extension (MEBx). This mode is the easiest to implement since it does not require much infrastructure, but it is the least secure since network traffic is not encrypted.

Intel AMT Configuration sets up all other Intel AMT options not covered in Intel AMT Setup, such as enabling the computer for Serial-Over-LAN (SOL) or IDE-Redirect (IDE-R).

You can change the settings modified in the configuration phase many times over the course of a computer's life span. Changes can be made to the computer locally or through a management console.

Enterprise Mode Provisioning Methods

There are two methods of provisioning a computer with Enterprise mode:

  • Legacy
  • IT TLS-PSK

Legacy

If you want Transport Layer Security (TLS), execute the legacy method of Intel AMT setup and configuration on an isolated network separate from the corporate network. A setup and configuration server (SCS) requires a secondary network connection to a certification authority (an entity which issues digital certificates) for TLS configuration.

Initially the computers are shipped in the factory-default state with Intel AMT ready for configuration and provisioning. These computers must go through Intel AMT setup in order to go from the factory-default state to the setup state. Once the computer is in the setup state, you can continue to configure it manually or connect it to a network where it connects with an SCS and begins Enterprise Mode Intel AMT configuration.

IT TLS-PSK

IT TLS-PSK Intel AMT setup and configuration is usually performed in a company's IT department. The following are required:

  • Setup and configuration server
  • Network and security infrastructure

Intel AMT capable computers in the factory-default state are given to the IT department, which is responsible for Intel AMT setup and configuration. The IT department can use any method to input Intel AMT setup information, after which the computers are in Enterprise mode and in the In-Setup phase. An SCS must generate PID and PPS sets.

Intel AMT configuration must occur over a network. The network can be encrypted using the Transport Layer Security Pre-Shared Key (TLS-PSK) protocol. Once the computers connect to an SCS, Enterprise mode configuration occurs.

Enterprise Mode

The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell™ to be included in the Dell BIOS. The MEBx has been customized for Dell computers.

Enterprise mode (for large corporate customers) requires a setup and configuration server (SCS). An SCS runs an application over a network that performs Intel AMT setup and configuration. The SCS is also known as a provisioning server as seen in the MEBx. An SCS is typically provided by independent software vendors (ISVs) and is contained within the ISV management console product. Consult with the management console supplier for more information.

To set up and configure a computer for Enterprise mode, you must enable the Management Engine for Enterprise mode and configure Intel AMT for Enterprise mode. For instructions, see ME Configuration: Enabling Management Engine for Enterprise Mode and AMT Configuration: Enabling Intel AMT for Enterprise Mode.

ME Configuration: Enabling Management Engine for Enterprise Mode 

To enable Intel ME configuration settings on the target platform, perform the following steps:

  1. Turn on the computer and during the boot process, press <Ctrl><p> when the Dell logo screen appears to enter the MEBx application.
  2. Type admin in the Intel ME Password field. Press <Enter>. Passwords are case sensitive.

     You must change the default password before making changes to the MEBx options.

  3. Select Change Intel ME Password. Press <Enter>. Type the new password twice for verification.

     The new password must include the following elements:

       • Eight characters
       • One uppercase letter
       • One lowercase letter
       • A number
       • A special (nonalphanumeric) character, such as !, $, or ; excluding the :, ", and , characters

     The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.

     Change the password to establish Intel AMT ownership. The computer then goes from the factory-default state to the setup state.

  4. Select Intel ME Configuration. Press <Enter>.

     ME Platform Configuration allows you to configure ME features such as power options, firmware update capabilities, and so on.

  5. The following message appears:

     System resets after configuration change. Continue (Y/N).

     Press <y>.

  6. Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None.
  7. Select Intel ME Firmware Local Update. Press <Enter>.
  8. Select Always Open. Press <Enter>. The default setting for this option is Disabled.
  9. Select Intel ME Features Control. Press <Enter>.
  10. Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT.

     Selecting the None option disables all remote management capabilities.

  11. Select Return to Previous Menu. Press <Enter>.
  12. Select Intel ME Power Control. Press <Enter>.
  13. Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0.
  14. Select Return to Previous Menu. Press <Enter>.
  15. Select Return to Previous Menu. Press <Enter>.
  16. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings. For instructions, see Intel AMT Configuration: Enabling Intel AMT for Enterprise Mode.
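
The Intel ME password rules listed in the procedure above (and again in the SMB mode procedure), as a check that can be run on candidate passwords before they are typed into MEBx or a provisioning profile. This is an added example, not Dell or Intel code; the function name and sample passwords are constructed, and the two readings marked as assumptions in the comments are the stricter ones.

```python
import string

# Assumption: ':', '"' and ',' are rejected outright, the stricter reading of
# "excluding". '_' and space are accepted but earn no complexity credit.
EXCLUDED = set(':",')
NO_CREDIT = set("_ ")


def check_me_password(candidate):
    """Return the rules from the MEBx password list that `candidate` fails."""
    failures = []
    if candidate == "admin":
        failures.append("factory default password")
    if len(candidate) < 8:       # assumption: "eight characters" is a minimum
        failures.append("fewer than eight characters")
    if not any(c in string.ascii_uppercase for c in candidate):
        failures.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in candidate):
        failures.append("no lowercase letter")
    if not any(c in string.digits for c in candidate):
        failures.append("no digit")
    # A special character only counts if it is neither excluded nor one of
    # the characters that do not add to complexity.
    qualifying = [c for c in candidate
                  if c in string.punctuation and c not in EXCLUDED | NO_CREDIT]
    if not qualifying:
        failures.append("no qualifying special character")
    bad = sorted(set(candidate) & EXCLUDED)
    if bad:
        failures.append("contains excluded character(s): " + " ".join(bad))
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, one per failure mode.
    for sample in ("admin", "Prov_2024 key", "Amt:Setup9", "Amt!Setup9"):
        print(repr(sample), check_me_password(sample) or "OK")
```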

Intel AMT Configuration: Enabling Intel AMT for Enterprise Mode 

To enable Intel AMT configuration settings on the target platform, perform the following steps:

  1. Turn on the computer and during the boot process, press <Ctrl><p> when the Dell logo screen appears to enter the MEBx application.
  2. A prompt for the password appears. Enter the new Intel ME password.
  3. Select Intel AMT Configuration. Press <Enter>.
  4. Select Host Name. Press <Enter>. Then type in a unique name for this Intel AMT machine. Press <Enter>.

     Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address.

  5. Select TCP/IP. Press <Enter>.

     The following messages appear:

       • Disable Network Interface: (Y/N)

         Press <n>.

         If the network is disabled, then all remote AMT capabilities are disabled and TCP/IP settings are not necessary. This option is a toggle, and the next time it is accessed you are prompted with the opposite setting.

       • [DHCP Enable] Disable DHCP (Y/N)

         Press <n>.

       • Domain Name

         Type the domain name into the field.

  6. Select Provision Server from the menu. Press <Enter>.
  7. Type the provisioning server IP in the Provisioning server address field and press <Enter>.

     NOTE: The default setting is 0.0.0.0. This default setting works only if the DNS server has an entry that can resolve ProvisionServer to the IP of the provisioning server.

  8. Type the port in the Port number field and press <Enter>.

     NOTE: The default setting is 0. If left at the default setting of 0, the AMT attempts to contact the provisioning server on port 9971. If the provisioning server is listening on a different port, enter it here.

     The following message appears:

       • [Intel (R) AMT 2.6 Mode] [Enterprise] change to Small Business: (Y/N)

         Press <n>.

  9. Set PID and PPS is the next option. The PID and PPS can be input manually or by using a USB key once the SCS generates the codes.

     This option is for entering the provisioning ID (PID) and provisioning passphrase (PPS). PIDs are eight characters and PPS are 32 characters. There are dashes between every set of four characters, so including dashes, PIDs are nine characters and PPS are 40 characters. An SCS must generate these entries.

  10. Select SOL/IDE-R. Press <Enter>.
  11. The following messages appear, and require the response indicated in the following bulleted list:

       • [Caution] System resets after configuration changes. Continue: (Y/N)

         Press <y>.

       • User name & Password

         Select Enabled and then press <Enter>.

         This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.

       • Serial Over LAN

         Select Enabled and then press <Enter>.

       • IDE Redirection

         Select Enabled and then press <Enter>.

  12. Secure Firmware Update is the next option. The default setting is Enabled.
  13. Skip Set PRTC.
  14. Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected in step 13 of the process for enabling ME for the Enterprise operating mode.
  15. Select Return to Previous Menu. Press <Enter>.
  16. Select Exit. Press <Enter>.
  17. The following message appears:

     Are you sure you want to exit? (Y/N):

     Press <y>.

  18. The computer restarts. Turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.

SMB Mode

The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell™ to be included in the Dell BIOS. The MEBx has been customized for Dell™ computers.

Dell also supports setup and configuration of Intel AMT in the Small and Medium Business (SMB) mode. The only setting not required in the SMB mode is the Set PID and PPS option. Also, the Provision Model option is set to Small Business instead of Enterprise.

To set up and configure a computer for SMB mode, you must enable the Management Engine for SMB mode and configure Intel AMT for SMB mode. For instructions, see ME Configuration: Enabling Management Engine for SMB Mode and Intel AMT Configuration: Enabling Intel AMT for SMB Mode.

ME Configuration: Enabling Management Engine for SMB Mode

To enable Intel ME configuration settings on the target platform, perform the following steps:

  1. Turn on the computer and during the boot process, press <Ctrl><p> when the Dell logo screen appears to enter the MEBx application.
  2. Type admin in the Intel ME Password field. Press <Enter>.

     Passwords are case sensitive. You must change the default password before making changes to the MEBx options.

  3. Select Change Intel ME Password. Press <Enter>. Type the new password twice for verification.

     The new password must include the following elements:

       • Eight characters
       • One uppercase letter
       • One lowercase letter
       • A number
       • A special (nonalphanumeric) character, such as !, $, or ; excluding the :, ", and , characters

     The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.

     Change the password to establish Intel AMT ownership. The computer then goes from the factory-default state to the setup state.

  4. Select Intel ME Configuration. Press <Enter>.

     ME Platform Configuration allows you to configure ME features such as power options, firmware update capabilities, and so on.

  5. The following message appears:

     System resets after configuration change. Continue (Y/N).

     Press <y>.

  6. Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None.
  7. Select Intel ME Firmware Local Update. Press <Enter>.
  8. Select Disabled. Press <Enter>. The default setting for this option is Disabled.
  9. Select Intel ME Features Control. Press <Enter>.
  10. Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
  11. Select Return to Previous Menu. Press <Enter>.
  12. Select Intel ME Power Control. Press <Enter>.
  13. Intel ME ON in Host Sleep States is the next option. The default setting is Mobile: ON in S0.
  14. Select Return to Previous Menu. Press <Enter>.
  15. Select Return to Previous Menu. Press <Enter>.
  16. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts. After the ME configuration is complete, you can configure the Intel AMT settings.

Intel AMT Configuration: Enabling Intel AMT for SMB Mode

To enable Intel AMT Configuration settings on the target platform, perform the following steps:

  1. Turn on the computer and during the boot process, press <Ctrl><p> when the Dell logo screen appears to enter the MEBx application.
  2. A prompt for the password appears. Enter the new Intel ME password.
  3. Select Intel AMT Configuration. Press <Enter>.
  4. Select Host Name. Press <Enter>.
  5. Then type in a unique name for this Intel AMT machine. Press <Enter>.

     Spaces are not accepted in the host name. Make sure there is not a duplicate host name on the network. Host names can be used in place of the computer's IP for any applications requiring the IP address.

  6. Select TCP/IP. Press <Enter>.
  7. The following messages appear and require the response indicated in the following bulleted list:

       • Disable Network Interface: (Y/N)

         Press <n>.

         If the network is disabled, then all remote Intel AMT capabilities are disabled and TCP/IP settings are not necessary. This option is a toggle, and the next time it is accessed you are prompted with the opposite setting.

       • [DHCP Enable] Disable DHCP (Y/N)

         Press <n>.

       • Domain Name

         Type the domain name into the field.

  8. Select Provision Model from the menu. Press <Enter>.
  9. The following message appears:

       • Change to Intel AMT 1.0 Mode: (Y/N)

         Press <y>.

  10. Skip the Un-Provision option. This option returns the computer to factory defaults. See Return to Default for more information about unprovisioning.
  11. Select SOL/IDE-R. Press <Enter>.
  12. The following messages appear and require the response indicated in the following bulleted list:

       • [Caution] System resets after configuration changes. Continue: (Y/N)

         Press <y>.

       • User name & Password

         Select Enabled and then press <Enter>.

         This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.

       • Serial Over LAN

         Select Enabled and then press <Enter>.

       • IDE Redirection

         Select Enabled and then press <Enter>.

  13. Secure Firmware Update is the next option. The default setting is Enabled.
  14. Skip Set PRTC.
  15. Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected in step 13 of the process for enabling the ME for SMB operating mode.
  16. Select Return to Previous Menu. Press <Enter>.
  17. Select Exit. Press <Enter>.
  18. The following message appears:

     Are you sure you want to exit? (Y/N):

     Press <y>.

  19. The computer restarts. Turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.
