Hi all! It's been a while since I last blogged. So, yesterday I updated the server machine that runs Meshcentral.com. I swapped the 2 hard disks for two RAID1 600G SSD's. I also updated the OS for Microsoft Server 2012 and the database to SQL server 2012. All this should make the server a lot faster, not that it was loaded very much before. Even with all the traffic, the CPU on Meshcentral.com is almost never over 1%.

The one big thing I wanted out of the upgrade is the move from IIS7 to IIS8. With it, comes built-in websocket support and this week I added IIS8 web socket support in my code. In the past, I have a web socket server on port 8085, but some people have any ports except 443 blocked and they could not perform a lot of the interactive functions. Now with IIS8, I can accept web socket connections on port 443.

In general, in the last month I have been working on the server side of things... I want to get to a point where I can setup a new Meshcentral.com instance almost fully automaticaly and in a few minutes. I also want to be able to upgrade all of the server software automaticaly and, if I can pull this off, add a way to move from one instance to another in the back of a load balancer so I can automaticaly update software on one machine while another is handling the traffic.

Ok, back to coding...
Ylian

Welcome to the RTFB (Reaching Technology From Blogs) Episode 13 Blog. Guests on RTFB are given an opportunity to talk about and promote their blogs.

Ylian Saint-Hilaire joins us today to talk to us about his Raspberry Pi and how he has added support for this device in Meshcentral.com:  Meshcentral.com- Now with Raspberry Pi Support!. "Many of you probably already know about the Raspberry Pi, an inexpensive 35$ computer intended to give kids around the world access to a computer they can use to learn on and make projects. Well, about 6 months ago, I ordered one myself. It took no less than 5 months for me to get one. When I got the first one, I wanted a second for home, so this time I went on eBay and got one in 3 days for double the price..."
The device did not come with a case - Ylian had to purchase that separately. As an alternative, you could probably use an individual serving size cereal box as a case. It boots from an SD Card.	Above is a picture of Ylian's Raspberry Pi. He purchased a transparent case so he could show it off at demo's. He just plugged the power and Ethernet  since he uses it to monitor his other machines and doesn't need the display, mouse, keyboard.
You can view the video on YouTube: Reaching Technology From Blogs 13 You can view the video here, on IDZ.

• View more of Ylian's blogs here.
• Get to Meshcentral.com.
• Find out more about the Raspberry Pi

See Gael's Blog Author Page

Corporate enterprise, government entities, healtcare and more are looking to add additional security to protect access to their network and business information. Intel® Identity Protection Technology on the latest PCs with Intel® Core® vPro™ processor can be combined with authentication security solutions to address the need of these business, government and heathcare entities. Intel® Identify Protection Technology (Intel® IPT) is meant to augment security features that allow for user identification and encryption by adding a hardware layer of protection. Intel® IPT with Public Key Infrastructure (PKI) acts as a hardware security module, similar to a Smart Card. However, it is as easy to manage as software PKI deployments. Intel® IPT with protected transaction display further protects PKI certificates with a PIN code entry generated in Intel technology using Intel’s integrated graphics. Display and entry of the PIN code is handled by secure hardware, making PIN theft very difficult. This document provides an overview of Intel® IPT with PKI and protected transaction display and describes the most common use cases such as secure VPN Login, email/document signing, and secure web access. Read the Intel® Identity Protection Technology with PKI technical overview paper, to learn the technical details.

Ok, this is going to be a really technical post. First, I want to highlight that Meshcentral.com can work on many computers, processors and operating systems... from Windows to OSX to the Raspberry Pi. You don't need to have an Intel vPro computer to use Meshcentral.com, however if you happen to have Intel Active Management Technology (Intel AMT) Meshcentral can make use of it.

Today I added a new feature that allows Meshcentral.com to poll for platform power state over a CIRA connection. In general, Meshcentral can see that a computer with Intel AMT was sleeping because other meshed computers on the same network poll Intel AMT for state and report that information back to Meshcentral. Well, if you have CIRA enabled, Intel AMT is no longer accessible to computers on the local network and now, the job of periodically polling for power state falls on Meshcentral.com.

Before today, if you have CIRA enabled and the computer that is sleeping or soft-off, Meshcentral would report the computer as being in an unknown power state. Now, it will poll the state every 4 minutes and 40 seconds and update the timeline accordingly. Below you can see a screen shot of the development server with an Intel AMT computer setup with CIRA and the power state and power history updates correctly.

Enjoy!
Ylian
meshcentral.com

Welcome to my blog about the Intel vPro Platform Solution Manager (PSM). This tool is available for download on the Intel Developer Zone and is applicable to managing Intel AMT clients that have already been enabled. It comes with a set of Intel AMT feature-based plugins as well as source code.

Description: The Intel® vPro™ Platform Solution Manager (PSM) is a framework application that allows you to launch plug-in applications to remotely manage your Intel vPro technology based PC clients. The available plugins perform tasks such as Alarm Clock, Asset Inventory, Event Log, IDE-Redirection, KVM Remote Control, Power Management, and Serial Over Lan.
Documentation: Folder/Main Page: VSPM/Source Code/Doc/ Intel_vPro_Platform_Solution_Manager.htm Requirements: vPRO PSM console OS: Windows 7 (English)  vPRO PSM console: .NET Framework 3.5 or newer  Intel AMT Client: Intel AMT 2.5 or newer  Wired or Wireless connection Browser Requirements for HTML Documentation: Cannot be viewed using Chrome – Internet Explorer works

The Main Screen The image to the right shows what the main screen looks like when you run the Intel vPRO PSM executable. (The image  below comes from the documentation referenced above.)

Key: This is a display that shows which AMT clients you have added and wish to manage. This is the system you are currently connected to. These are the categories of the available plug-ins. This is the Plug-in pane.  For the Intel AMT category, this shows all the feature plug-ins that are available. Settings:  You can specify saving machine list on exit, automatically connecting to machines in list, ability to save the log data on exit and you can view the log file. When you select a plug-in, you will get another window pertaining to the plug-in you selected.

Before you can manage your AMT Client, you must connect to it. 

Connecting to an Intel AMT Client From item 2, above you can connect to Intel AMT Clients. Click on the down arrow in the menu box and select settings. If you are already connected to your AMT Client, the box will say "Disconnect", otherwise it will say "Connect."   Enter either the IP address or the FQDN of the AMT Client you wish to connect to. You will need to specify the credentials for accessing AMT on the system.  Enter them in the Credentials section. Next specify the security level for which the AMT Client was provisioned. (with or without TLS) You can then specify whether or not to automatically connect to the AMT Client. When you are finished, click on Save.

Once you have connected to your Intel AMT Client, you can manage your system via the Intel AMT Plugins. Alarm Clock:  The Alarm Clock plug-in will let you set up an alarm on your AMT Client. The Alarm feature is used to wake up an AMT Client at a specific time and recurrence so it can have work done on it, such as applying patches during times when the User is typically not going to be trying to get work done. Select the Alarm Clock Plug-in and click on "Add" on the menu in the Alarm Clock settings window.  Enter the Date and recurrence information and save it.  You can give the alarm a name as well.  You can always select an existing alarm and edit its information.

Serial-Over-LAN: The Serial Over Lan plug-in allows you to connect to the managed client and interact with it below the operating system level.  For example, you can remotely connect to a rebooted client via Serial Over LAN and interact with the BIOS screens remotely.   In order to successfully configure your SOL session, you will need to do the following: Go into the IDE-r menu, select a boot option and actually start an IDER session. Click on "Connect" at the bottom of the window. Go into the "Pwr mgmt" menu, Select BIOS Select Reboot The screen-shot below is the SOL console.  I expanded it from its smaller size.  The IDE-r menu that you need to edit is within the SOL Plug-in.

Booting to BIOS using Serial-Over-LAN: After you have rebooted your managed client (to BIOS) you will be able to see the screen as it is booting. After it has successfully booted to BIOS, you can interact with the BIOS using keyboard entry. Shown here, is what the SOL console looks like once you are in a successful SOL session after booting to BIOS.

KVM Remote Control: Below is what the KVM Remote Control Plug-in looks like.  The KVM feature allows you to have desk-top access to your managed system.  You can watch it boot, boot to BIOS (and change the settings), and you can also have an IDE-r session using the KVM plug-in.  Currently the KVM plug-in uses the Redirection Ports (not the KVM standard IANA port 5900.)  For that reason, you will not need to specify an RFB password. Note that this version of the software uses the "free" version of Real VNC and because of that you will notice there is a splash screen that does not go away.  You will need to purchase the licensed version of Real VNC in order to get rid of the splash screen. IDE-r works the same way with KVM as it does outside of a KVM Session. Set it up and start it from the "Pwr mgmt" menu. A note about SOL vs KVM:  Since SOL sessions only show text based output, it is often more desireable to have a KVM Session instead of a SOL session for the purpose of being able to watch the desktop as the client is booting and to edit the BIOS.

The MISC Plug-in Category This category only has one available plug-in:  The Quick Launcher.  Here you can add the capability to quickly launch your own applications from within the vPro PSM.   Select the "Quick Launcher" icon and you will get a Quick Launcher settings windowl on the right side of the screen.  An editor will come up where you can edit the name of the button, the color and specify the executable to run. When you are finished, click on "Save"

See Gael's Blog Author Page

I am very happy to announce that Meshcentral.com now supports Intel AMT power actions directly from the web site. So, if you happen to be managing Intel AMT computers with Meshcentral.com, you can now using Hardware KVM or Serial-over-LAN from the web site to take control of the computer and, in the same screen, perform Intel AMT power actions like: Power up, Powerd down, Reset, Boot to BIOS, etc. This can come handy in many situations. For example: You see a computer is not responding anymore, you using Hardware KVM to see what is going on and use Intel AMT reset to look at the boot sequence, all remotely and all on the web site.

To showcase this feature, I also recorded a new tutorial video:

I also have a YouTube playlist with many more Meshcentral related tutorial videos.

Enjoy!
Ylian
Meshcentral.com

A quick note to mention that I just updated the Mesh Connector tool to support adding and removing the mesh certificate from the mesh policy. For most people this is probably not important, but if you use Meshcentral.com for larget networks, you may want to keep your mesh certificate completely private for more security. Well, the new Mesh Connector tool can do that quickly and easily. I have a new tutorial video that explains how it works.

Enjoy!
Ylian
meshcentral.com

Over the last few weeks, I have been having Meshcentral.com reliability problems, the site would just go down. When looking into it, the database seemed locked and all the queries for data would hang and timeout. This would affect all server components: the web site (IIS), the binary routing server (Swarm Server) and the HTTP routing server (AJAX server). It's like someone was holding a lock on the database and not releasing it. I would reset software and it would run again, for a time, and the problem would happen again.

Last night, I finally figured it out (I think). Each time there was a lock up, the log files showed this like:

Autogrow of file 'MeshCentral_log' in database 'MeshCentral' was cancelled by user or timed out after 896 milliseconds.  Use ALTER DATABASE to set a smaller FILEGROWTH value for this file or to explicitly set a new file size.

In a nutshell, the database file on disk was too small and needed to be resized to be larger. The database was about 4 gigaytes in size and the policy was set to enlarge it by 1 megabyte increments. Even if it did grow by a little, it was not long it would need to grow again. So, last night I made the database file 10 gigabytes in length, giving it plenty of room. I am likely going to go back in a few days and make it 100 gigabytes. Since it's a dedicated server, there is no need to by stingy.

Sorry to anyone who noticed the site was down. If this was the problem, and I am confident it was, it was a very easy fix and should not happen again.

Thanks,
Ylian

I am glad to annonce a new Mesh graph feature into Meshcentral.com. When you install mesh agents in computers, the agents form a mesh, discovering and monitoring each other. Well, it's not important to know the details of how the mesh is formed, but just for fun, I added a way to visualize the mesh nodes and links between nodes.

To see it, go into the "Account" tab, click on a mesh and select "Graph". I used the D3js library to render the data into something quite fun. The data is sent once to the web page and Javascript takes care of rendering it. You can also use the mouse to move nodes around and there are configuration boxes at the top to change the graph around. In general, you see all the computers in the mesh you selected, but if computers that are part of a mesh see other computers that are not part of your mesh, they will be drawn in a different color.

Below is a picture of my own mesh on my development machine.

Enjoy!
Ylian
meshcentral.com

Every few weeks, I try to add more Intel AMT support in Meshcentral.com. This time around, I added multi-display support for Intel AMT on the hardware KVM viewer. So, when you connect to Intel AMT KVM from meshcentral.com, you not only get the new power control icon that allows you to reboot, power on, power off the computer. If the remote computer has two or three displays hooked up to the built-in graphics adapter, you see a new icon that allows you to toggle between displays. I recorded a video demonstration of the entire process.

I don't have multi-display support for the software KVM yet, but that has been a often requested feature. So, as soon as I can, I will be working on that.

Enjoy!
Ylian
Meshcentral.com

Download PDF

Intel SBA Integration Guide [98 KB]

Introduction

Intel® Small Business Advantage (Intel® SBA) provides an out-of-the-box, hardware-based security and productivity suite designed for small business users. Intel SBA includes a customizable user interface and several bundled Intel applications. Original equipment manufacturers (OEMs) and resellers can customize Intel SBA after installation (using a customization wizard).

For developers, Intel SBA will allow easy integration of an application into the carousel utilizing the Intel SBA Software Development Kit (SDK). Users will experience this app as an integrated part of their platform and developers will know that their apps will be effectively installed on their systems taking full advantage of the appropriate Intel® Business Client technologies.

This paper discusses the tips and tricks for developers using the Intel SBA SDK, troubleshooting common issues with SDK integration, and the recommended flows for adding the application to Intel SBA UI.

Intel SBA Components

Intel SBA software includes the following components:

• Application Manager – The main graphical user interface (GUI) of Intel SBA that lets users configure the settings and applications they want to use in their business.
• Service – A windows service that runs in the background and provides communication between the main GUI, the applications, and the firmware.
• Applications – Applications that provide useful features for small businesses. These include the bundled applications supplied by Intel and applications added by OEMs and resellers. This SDK can be used to add applications to the main carousel/grid and to integrate applications with bundled Intel® applications (PC Health Center and Software Monitor).

Intel SBA SDK

Intel SBA SDK contains C# sample code based on the Microsoft .NET framework environment (Version 3.5 Service Pack 1 or above). With this SDK, the application developer can do the following:

• Integrate any application into the Intel SBA software by adding an icon, application description and image, and a redirection URL. Offload routine maintenance tasks to non-business hours by adding the tasks to the PC Health Center.
• Ensure critical components are always running by registering them with the Software Monitor.
• Interact/communicate with end users by updating the application status using the alert messaging feature.

For more information on working with the Intel SBA SDK, see the following blog: Intel® Small Business Advantage – Download and try out the Intel SBA SDK.

Application Development

Microsoft Visual Studio* 2010 Service Pack 1 or higher is recommended for working with Intel SBA SDK. To use the SDK in your application:

• Add a reference to the Intel.SBA.IsvSdk.Common.dll file.
• Add the Intel.SBA.IsvSdk.Common namespace to the project.

Intel SBA requires all the applications that are integrated to be signed with code-signing certificates. A signed application would have a digital signature similar to the one shown below (Figure 1). If the application is not signed, Intel® SBA responds with an “AuthenticationException” that can be caught in the ISV application to remediate the situation.

Whether or not an application is signed can be checked by right-clicking on the executable file and checking the “Digital Signatures” tab in the properties UI. The following image provides an example.

There are couple of ways to code-sign your application:

1. From within Visual Studio go to this URL to learn how to Sign Application and Deployment Manifest - http://msdn.microsoft.com/en-us/library/che5h906%28v=vs.100%29.aspx
2. From a command line, here is an example usage
   "C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\SignTool.exe" sign /f
   "C:\Projects\Authenticode\XYZSoftware.pfx" /p "P@ssw0rd" /v /t
   http://timestamp.comodoca.com/authenticode %1.exe >SignIt_Output.txt

Recommended Integration Flow

For an application to be added to Intel SBA, consent from the end user is required. If an end user denies the integration at any point, the ISV application can expect the “UserDeclinedException” and when possible, attempt the SDK integration at a later point.
ISV applications can be integrated into SBA in two ways:

1. Intel SBA SDK integration support is added to the installer of the ISV application. Upon the installation of the ISV software, an application icon along with other details is added to the Intel SBA application.
   • Pros: ISV application installation and SBA integration completed at one time.
   • Cons: If the SBA integration is missed either due to Intel SBA software not installed or the user declined the consent, reinstallation of the ISV application is the only way to integrate the application with Intel SBA.
2. Intel SBA SDK integration is added to the ISV application. During run time or upon first launch of the ISV application, Intel SBA integration can begin.
   • Pros: Intel SBA integration can be done when the ISV application runs for the first time. Also, the ISV application can check that the Intel SBA software is installed and initiate SDK integration upon a system restart or every time the ISV application is started.
   • Cons: The ISV application needs to be restarted to initiate the SDK integration.

FAQs and Troubleshooting Tips

The following table summarizes some common questions and troubleshooting tips discussed above:

About the Author

Ajith received his MSCE from the University of New Mexico and has over 15 years of engineering experience and 13 of those years with Intel. He is currently working as an Application Engineer on the Business Client Enabling team helping ISVs adopt Intel® vPro™ technologies.

References

1. Intel® SBA for Software Developers
2. What is the big deal about the new Intel® Small Business Advantage platform?
3. Comparison of Intel® SBA Platform and Intel® vPro™ Technology
4. Intel® Small Business Advantage – Download and try out the Intel® SBA SDK

Intel, the Intel logo and Xeon are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others.
Copyright© 2013 Intel Corporation. All rights reserved.

Meshcentral.com is of course a cloud service, but it can also be run as an Intranet service. I do exactly that within Intel and so, I get a bunch of users that give me feedback about the Intranet version of Meshcentral.com from time-to-time. Well, I supported two ways of routing traffic to Intel AMT... using a another node as traffic relay or use Intel AMT Client Initiated Remote Access (CIRA). Someone gave me feedback last week that within the Intranet he could not access his lone machine, this was surprising since the Intranet version of Meshcentral has direct connectivity and would not have to do any complicated routing to perform management operations. With all the cloud techniques I use, I never bothered to support the simplest routing of them all. So this week, I added "direct routing" from the server to the nodes.

I still have a flaw with my implementation... I realized it last night. This new direct routing to Intel AMT only works if the Mesh Agent is alive and running to report it's presense to the server. So, there is a blog about a new feature... but I still have work to do to make it fully work.

In the picture below, we see all 3 ways Meshcentral can route traffic to Intel AMT. CIRA only works passed NAT routers, traffic relay works passed NAT's and HTTPS proxies. The direct routing could be useful if computers are exposed with a public IP address, or at least the Intel AMT ports.

Ylian
Meshcentral.com

Welcome to my blogs.  Today's blog is about a forum question that we received.  Since we seem to get a lot of SCCM questions I thought it would be good to blog about it.

Solution:

The solution is covered in the Intel SCS 8 Deployment Guide on pg 55-56 (although it doesn't specifically call it out).  As SCCM uses the local system account to deploy software to doman machines, by adding <DOMAIN>\Domain Computers to the WMI security settings for Intel SCS components, it will then allow localsystem to run the ACUConfig.exe on domain machines.  Make sure to add it to DCOM group too as per instructions on those pages.

See Gael's Blog Author Page

Download Article

Intel® Active Management Technology (Intel® AMT) Start Here Guide (Intel AMT 9.0) [PDF 804KB]

Contents

1 Introduction

2 Getting Started

       2.1 What is Intel® Active Management Technology?

       2.2 What is new with the Intel® AMT Release 9.0

       2.3 Preparing your Intel® AMT Client for use

3 Manual Configuration Tips

      3.1 Manual Setup

4 Client Control Mode and Admin Control Mode

      4.1 Client Control Mode Limitations

      4.2 Manually Configuring an Intel AMT 9.0 Client

5 Accessing Intel® AMT via the WebUI Interface

6 Intel® AMT Drivers and Services

6.1 NIC: Intel Ethernet Connection

6.2 Intel® Management Engine Interface

6.3 Serial-Over-LAN (SOL) Driver

6.4 Intel® Active Management Technology LMS Service

6.5 Intel® AMT User Notification Service (Pre Intel AMT 9.0)

6.6 Intel Management and Security Status Tool

7 Intel® AMT Software Development Kit (SDK)

7.1 Other Intel AMT SDK Resources

Appendix A

1 Introduction

This document contains information that aids developers in getting started with implementing Intel® Active Management Technology (Intel® AMT). It provides an overview of the features in various versions of Intel AMT, as well as information on minimum system requirements, configuration of an Intel AMT client, and the various developer tools that are available to help program for Intel AMT.

Intel AMT supports remote applications running on Microsoft Windows* or Linux*. Intel AMT Release 2.0 and higher support only Windows-based local applications. For a complete list of system requirements, please refer to the documentation in the latest Intel® AMT Software Development Kit (SDK).

2 Getting Started

In order to begin managing an AMT client or running samples from the SDK, you will need a separate system to use as a management console for remotely managing your Intel AMT client. For more detailed explanations, please refer to the Intel® AMT Implementation and Reference Guide located in the Docs folder of the Intel AMT SDK.

2.1 What is Intel® Active Management Technology?

Intel AMT is part of the Intel® vPro™ technology[i] offering. Platforms equipped with Intel AMT can be managed remotely, regardless of whether they are powered up or whether they have a functioning OS.

The Intel® Manageability Engine (Intel® ME) is the steam behind Intel Active Management Technology. As a component of the Intel vPro platform, Intel AMT uses a number of elements in the Intel vPro platform architecture. The following figure shows the relationship between these elements.

Notice that there is a network connection directly associated with the Intel ME. The specific NIC will change according to which Intel AMT release you are using.

The Intel AMT functionality is contained in the Intel ME firmware.

• The firmware image is stored in flash memory.
• The Intel AMT capability is enabled using the Intel® Manageability Engine (Intel® ME) BIOS extension as implemented by an OEM platform provider. A remote application can be used to perform enterprise setup and configuration.
• On power-up, the firmware image is copied into the Double Data Rate (DDR) random-access memory (RAM).
• The firmware executes on the Intel® processor with Intel ME and uses a small portion of the DDR RAM (Slot 0) for storage during execution. RAM slot 0 must be populated and powered on for the firmware to run.
• Intel AMT stores the following information in flash (ME Data):
  1. OEM-configurable parameters
  2. Setup and configuration parameters such as passwords, network configuration, certificates, and access control lists (ACLs)
  3. Other configuration information, such as lists of alerts and System Defense policies
  4. The hardware configuration captured by the BIOS at startup

Details for 2013 platforms with Intel vPro technology (Release 9.x) are as follows:

• 22nm process
• Platform (Mobile and Desktop): 4th generation Intel® Core™ processor (codename Shark Bay)
• CPU: Haswell (code name)
• PCH: Lynx Point (code name)

2.2 What is new with the Intel AMT Release 9.0

• Any configuration software can now synchronize the Intel AMT network time to coordinate with UTC. See the section called “Enable Local Time Sync” in the Intel® AMT Implementation and Reference Guide.
• The Intel AMT network can now be enabled and disabled. See the section called “Enable/Disable Intel AMT Network” in the Intel® AMT Implementation and Reference Guide.
• The User Notification Service and Local Manageability Service capabilities have been unified into a single group of capabilities now referred to collectively as the Local Manageability Service. See the section called “Local Manageability Service” in the Intel® AMT Implementation and Reference Guide.
• The ability to configure a headless platform remotely without the need for local user-consent has been added.
• Intel AMT 9.0 supports 5 new power states in order to support the added Graceful Shutdown feature. See the section called “Change System Power State” in the Intel® AMT Implementation and Reference Guide.The new power states are:
  • 4: Sleep-Deep, corresponding to ACPI state G1, S3, or D2
  • 7: Hibernate (Off Soft), corresponding to ACPI state S4, where the state of the managed element is preserved and will be recovered upon powering on
  • 11: Diagnostic Interrupt (NMI) corresponding to the system reaching ACPI state S5 followed by ACPI state S0. This is used to represent system non-maskable interrupt.
  • 12: Off – Soft Graceful, equivalent to Off Soft but preceded by a request to the managed element to perform an orderly shutdown.
  • 14: Master Bus Reset Graceful, equivalent to Master Bus Reset but preceded by a request to the managed element to perform an orderly shutdown.
• Intel AMT devices will no longer have the ability to integrate into Cisco NAC systems.

2.3 Preparing your Intel AMT Client for use

The following diagram illustrates the modes or stages that an Intel AMT device passes through before it becomes operational.

Before an Intel AMT device can receive its configuration setting from the Setup and Configuration Application (SCA), it first must be prepared with initial setup information and placed into Setup Mode. The initial information will be different, depending on the available options in the Intel AMT release, and the settings performed by the platform OEM. The following table summarizes the methods you can use to perform setup and configuration on the different releases of Intel AMT.

Note that the Intel® Setup and Configuration Software (Intel® SCS) is capable of provisioning systems back to Intel AMT 2.X. For more information about the Intel SCS and provisioning methods as they pertain to the various Intel AMT Releases, visit the download page: Download the latest version of Intel® Setup and Configuration Service (Intel® SCS)

3 Manual Configuration Tips

Since the 6.0 release, there are no feature limitations when configuring a platform manually, but there are some system behaviors to be noted:

• API methods will not return a PT_STATUS_INVALID_MODE status, as there is only one mode.
• TLS is disabled by default and should be explicitly enabled during configuration. This will always be the case with manual configuration, as there is no way to set TLS parameters locally.
• The local platform clock will be used until the network time is set remotely. Automatic configuration will not complete successfully unless the network time was set (and this can be done only when TLS or Kerberos was configured). Enabling TLS or Kerberos after configuration completion will not succeed if the network time was not set.
• WEB UI is enabled by default, unless a configuration server disables it.
• SOL and IDE-R are enabled by default, but the redirection listener is disabled by default.
• If KVM is enabled locally via the MEBx, it still will not be enabled until an administrator activates it over the network.

3.1 Manual Setup

During power up, the Intel AMT platform first displays the BIOS startup screen, and then the BIOS Extensions are processed. Entry into the Intel AMT BIOS Extension is BIOS vendor dependent. Some OEM platforms display a screen prompting you to press <Ctrl+P>. When you press <Ctrl+P>, control passes to the Intel ME BIOS extension (Intel MEBx) Main Menu. Some OEMs integrate the Intel MEBx configuration inside the BIOS, and some OEMs have an option in the BIOS to show/hide the <Ctrl+P> prompt.

4 Client Control Mode and Admin Control Mode

When any method of setup completes, Intel AMT 7.0 and later versions are placed into one of two control modes:

• Client Control Mode – Intel AMT enters this mode after performing a basic host-based setup (see Host-Based (Local) Setup). This mode limits some of Intel AMT functionality, reflecting the lower level of trust required to complete a host-based setup.
• Admin Control Mode – After performing any of the existing setup and configuration methods—remote setup (TLS-PSK or remote configuration) or a manual setup via the Intel MEBx—Intel AMT enters Admin Control Mode. Also, performing a host-based AdminSetup before any provisioning is done or an UpgradeClientToAdmin when Intel AMT is already in Client Control mode moves Intel AMT to Admin Control mode. In this mode, there are no limitations to Intel AMT functionality. This reflects the higher level of trust associated with these setup methods.

4.1 Client Control Mode Limitations

When a simple host-based configuration completes, the platform enters Client Control Mode, which imposes the following limitations:

1. The System Defense feature is not available.
2. Redirection (IDE-R and KVM) actions (except initiation of an SOL session) and changes in boot options (including boot to SOL) require user consent in advance. This still enables IT support personnel to remotely resolve end-user problems using Intel AMT.
3. If an Auditor user is defined, the Auditor’s permission is not required to perform unprovisioning.
4. A number of functions are blocked from execution to prevent an untrusted user from taking over control of the platform.

4.2 Manually Configuring an Intel AMT 9.0 Client

During power up, the Intel AMT platform first displays the BIOS startup screen, and then the BIOS Extensions are processed. Entry into the Intel AMT BIOS Extension is BIOS vendor dependent. Intel AMT reference platforms display a screen prompting you to press <Ctrl+P>. When you press <Ctrl+P>, control passes to the Intel Management Engine BIOS extension (Intel MEBx) Main Menu.

To manually set up an Intel AMT client, perform these steps:

1. Enter the Intel MEBx default password (“admin”).
2. Change the default password to a new value (this step is required in order to proceed). The new value must be a “strong” password. It should contain at least one upper case letter, one lower case letter, one digit and one special character, and be at least eight characters. A management console application can change the Intel AMT password without modifying the Intel MEBx password.
3. Select Intel(R) AMT Configuration.
4. Select Manageability Feature Selection.
   1. Select ENABLED to enable Intel(R) AMT.
5. Select SOL/IDE-R/KVM and enable all of these features. Enabling Legacy Redirection Mode ensures compatibility with management consoles created to work with the legacy SMB mode that did do not have a mechanism implemented to enable the listener. Note that if SOL/IDER/KVM features are not enabled in the Intel MEBx they will not be available to Management Consoles.
6. Select User Consent
   1. Select desired options for KVM and Remote IT operations. Enabling User consent means that anytime the Intel AMT Client is to be accessed remotely the user will need to agree.
7. Enter Network Setup to enter network preferences for the Intel ME.
8. Enter Activate Network Access to enable Intel AMT.
9. Exit to the Main Menu.
10. Select MEBx Exit to continue booting your system.

The platform is now configured. You can set some additional parameters using the Web User Interface (Web UI) or a remote console application.

Note that configuring the Intel AMT Client via the Intel MEBx menus will result in the system being in Admin Control Mode.

5 Accessing Intel AMT via the Web UI Interface

An administrator with user rights can remotely connect to the Intel AMT device via the Web UI by entering the IP address and one of the following port numbers into the address bar of the web browser:

• 16992 – Use if TLS is NOT configured (use http)
• 16993 – Use if TLS is configured (use https)

For example: http://134.134.176.1:16992

The Intel AMT device can also be addressed using the device’s fully qualified domain name (FQDN). If using TLS, Intel recommends using the Intel AMT FQDN instead of the IP.

For example: https://amtsystem.domain.com:16993

The following web browsers have been validated and can be used remotely to connect to any configured Intel AMT system.

• Microsoft Internet Explorer* 6.0 SP1 or later
• Netscape* 7.2 or later for Windows* and Linux*
• Mozilla* Firefox* 1.0 or newer for Windows and Linux
• Mozilla 1.7 or later for Windows and Linux

6 Intel AMT Drivers and Services

In addition to having the BIOS and ME extensions set up correctly, there are also drivers and services to be installed and running in order to fully utilize Intel AMT once it has been properly configured. To verify that the Intel AMT drivers and services are loaded correctly, look for them in the host operating systems’ Device Manger and Services. Note that every Intel AMT system should have a CD that includes all of the required firmware and drivers. Be sure to check the OEM’s download site frequently for upgraded versions of the BIOS, firmware, and drivers.

Here is a list of drivers and services that should appear in the host operating system:

• Intel® Ethernet Network Connection i217-LM^#
• Intel® Centrino® Advanced-N 6205 AGN^#
• Intel Management Engine Interface
• Serial-Over-LAN (SOL) Driver
• Intel® AMT LMS Service
• Intel® AMT Management and Security Status Service

^# Network controller and wireless interface versions will vary depending on the generation of Intel vPro platform.

Note: The version level of the drivers must match the version level of the firmware and BIOS. If non-compatible versions are installed, Intel AMT will not work with the features that require those interfaces.

6.1 NIC: Intel Ethernet Connection

If you are wanting to check your system for Intel® AMT capability, the following network adapter needs to be present: Intel® Ethernet Network Connection i217-LM.

6.2 Intel® Management Engine Interface

Note that for Intel AMT 9.0, the platform will require a 9.x version of the MEFirmware and Driver.

6.3 Serial-Over-LAN (SOL) Driver

The system should also have the SOL drivers listed in the Device Manager.

6.4 Intel Active Management Technology LMS Service

The Local Manageability Service (LMS) runs locally in an Intel AMT device and enables local management applications to send requests and receive responses to and from the device. The LMS listens for and intercepts requests directed to the Intel AMT local host and routes them to the Intel ME via the Intel ME Interface driver.

Note that for Intel AMT 9.0, the User Notification Service is combined with the Local Management Service.

6.5 Intel AMT User Notification Service (Pre Intel AMT 9.0)

The User Notification Service (UNS) is a Windows service installed on the host platform with Intel AMT Release 2.5 or greater. The UNS registers with the Intel AMT device to receive a set of alerts. When UNS receives an alert, it logs the alert in the Windows “Application” event log. The Event Source will be “Intel(R) AMT.”

6.6 Intel Management and Security Status Tool

The Intel Management and Security Status (IMSS) tool can be accessed by the “blue key” icon in the Windows tray.

The General tab of the IMSS tool shows the status of Intel vPro services available on the platform and an event history. There are tabs for additional details of each.

Note that in the above screen shot, the system time was not set (AMT 9.0 did not exist in 2001). In order for Intel AMT to work correctly, it is important that the time be set. If there is a huge time difference between the system time and the AMT time, the firmware will “think” the system is under attack.

The Advanced tab of the IMSS tool shows more detailed information on the configuration of Intel AMT and its features. The following screen shot verifies that Intel AMT has been configured on this system.

7 Intel AMT Software Development Kit (SDK)

The Intel® AMT Software Development Kit (SDK) provides the low-level programming capabilities to enable developers to build manageability applications that take full advantage of Intel AMT.

The Intel AMT SDK provides sample code and a set of application programming interfaces (APIs) that let developers easily and quickly incorporate Intel AMT support into their applications. The SDK also has a full set of documentation. The SDK supports C++ and C# on Microsoft Windows and Linux operating systems. Refer to the User Guide and the Readme files in each directory for important information on building the samples. Also see the video tutorials Introduction to Intel® AMT SDK and How to compile Intel® AMT SDK sample code.

The SDK is delivered as a set of directories that can be copied to a location of the developer's choice on the development system. Because of interdependencies between components, the directory structure should be copied in its entirety. There are three folders at the top level: one called DOCS (which contains SDK documentation), and one each for Linux and Windows (which contain all of the sample code.) For more information regarding how to get started and how to use the SDK, see the "Intel® AMT Implementation and Reference Guide.”

Below is a screen shot of the Intel AMT Implementation and Reference Guide. For more information on system requirements and how to build the sample code, read through the “Using the Intel® AMT SDK” section. The documentation is available on the Intel® Software Network here: Intel® AMT SDK (Latest Release)

7.1 Other Intel AMT SDK Resources

The Intel AMT SDK provides frameworks and samples that simplify WS-Management development and demonstrates how to take advantage of the advanced product features. For more information, see the following:

• High Level API
• Intel vPro Platform Solution Manager
• KVM Application Developer’s Guide
• Redirection Library
• C++ CIM Framework API
• C# CIM Framework API
• WS-Management Clients Supporting C# and C++ Development
• Intel ME WMI Provider
• Management Presence Server Sample
• Posture Validation (NAC)
• System Health Validation (NAP)
• User Consent Tool

There are a variety of development environments for which to write software that supports Intel AMT. Please see the figure below for more details.

Intel® vPro Enablement Tools

1. Available only in C++ (C# wrapper in SDK)
2. COM object by MSFT
3. Not just .NET

Appendix A:

The following table provides a snapshot of features supported by Intel AMT Releases 7, 8, and 9.

The two major changes with Intel AMT 9.0 are the addition of the Graceful Shutdown feature and the SOAP API has been deprecated in favor of the WS-Management API. In the AMT 9.0 release, SOAP support has been completely removed from the SDK.

Read about all the features in the Intel AMT SDK Implementation and Reference Guide (“Intel AMT Features” section.)

About the Author

Gael Hofemeier earned her BS in Math/Computer Science and an MBA from the University of New Mexico and has over 20 years of engineering experience. Gael started her career with Intel in 2000 and has been working with Intel® vPro™ technology since 2006.

Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license.

Intel, the Intel logo, and vPro are trademarks of Intel Corporation in the U.S. and/or other countries.
Copyright © 2013 Intel Corporation. All rights reserved.
*Other names and brands may be claimed as the property of others.

[i] Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro.

ⁱ Requires activation and a system with a corporate network connection, an Intel® AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup and configuration. For more information, visit Intel® Active Management Technology.

Two days ago I started updating the Windows x86 Mesh Agent with the latest v1.67 version. In this latest agent, the major change is the new use of the Windows Crypto API. In the past, I would use OpenSSL for everything across platforms. This new version stull uses OpenSSL, but on Windows I now make more use of Windows Crypto API to generate and store cryptographic keys. Should make machines that use the new agent more officult to spoof. In addition, added improved support for Intel Remote Wake, the mesh agent will make use of this technology when available to make the computer wakable over the Internet.

Many computers have a Trusted Platform Module (TPM) and in the 64bit version of the Windows Mesh Agent, I added support for TPM. Sadly, I don't release the 64bit version of the Mesh Agent right now, but that may come later once I get everything validated. There is not much benefits to the 64bit version, except that I allow use of newer Windows API's that would break the Mesh Agent running on Windows XP and Vista.

So, in total the new mesh agent has a lot more support for Intel Platform Technologies. Below I have a picture of what the Mesh Agent looks like. Not bad for a single self-updating executable. All of the code is tightly integrated so there is very little wasted size. It's almost as tight as it can be. Click on the picture for a larger view.

Ylian
meshcentral.com

Intel® Trusted Execution Technology (Intel® TXT) provides a hardware- based root of trust to ensure that a platform boots with a known good configuration of firmware, BIOS, virtual machine monitor, and operating system. For more information, please refer to http://www.intel.com/technology/malwarereduction/index.htm

Trusted Boot (tboot) on Sourceforge:
Trusted Boot (tboot) is an open source, pre- kernel/VMM module that uses Intel® Trusted Execution Technology (Intel® TXT) to perform a measured and verified launch of an OS kernel/VMM.

Project details: http://sourceforge.net/projects/tboot/

Production SINIT ACM Download:
The appropriate production release of the SINIT ACM (authenticated code module) is available for download for the targeted platform as per the table below. Each kit download contains relevant change log and error file for that SINIT ACM. While most internet browsers are supported, table below is best viewed in Google Chrome. 

Revocation SINIT ACM and Tools:
In response to Intel Security Advisory SA-0035, Intel is releasing updated SINIT ACM, Revocation (RACM) SINIT, and Revocation Tools. Please visit this link to download Revocation Tools to mitigate this issue.

More questions? Go to the Intel Business Client Developer Forum

SINIT AC Modules

Hi everyone. First, for people in the US, happy long weekend! I just wanted to give an update on what is going on with Meshcentral.com. Here is a lot of interest in the technology and so, I have been busy fixing and improving all sorts of things, most of the focus is on the server side and underlying peer-to-peer routing. But I got two fun things to report:

Intel Remote Wake.As annonced previously, Meshcentral supports Intel Remote Wake, this is a technology that allows users to wake up sleeping computers on the Internet. It's like an internet version of wake-on-lan. I have been improving the was I handle this feature on Intel based platforms in the last two weeks, with some more fixes coming soon. Motherboards with Intel Remote Wake are starting to be avaialble, one user pointed me to the ASRock web site where they show their users how to use Meshcentral.com to wakeup their PC remotely including from a cellphone.

Intel Developer Forum. This year Intel IDF is in San Francisco September 10 to 12th and I will be a speaker at a lab. I am just about to start working on the content that will focus on how to connect Intel Platforms to the cloud. What makes me excited about this presentation is the there are plenty of platform and processor features (Intel AMT, Intel Remote Wake, AES-NI, RANDRD, Wake-on-LAN, TPM) that can be used to connect platforms to the cloud. Since Meshcentral uses all of these, I will be able to help understand what all of these can do and how build them into your product.

Ok, that is it for now. Hope to see many of you at IDF!
Ylian
meshcentral.com

Yesterday I updated Meshcentral.com along with the release of the Microsoft Windows Mesh Agent v1.70 to add a new location feature. First, this is a optional feature, you need to have it enabled in the mesh access policy for this to work, and existing meshes have this feature off by default. If you create a new mesh, just select it during mesh creation. For existing meshes, you need to use Mesh Connector to edit the policy and add the new feature.

Once location access is enabled, the Windows v1.70 Mesh agent will periodically send nearby WIFI access points and signal strength to the Mesh Server. This is similar with that other services do on mobile phones. Meshcentral.com will compile a list of know access points and keep only the last seen access points for each node.

I have not yet put any web site features using this data, but I do have a C# API that can connect to Meshcentral.com and ask the following questions:

• What WIFI location enabled nodes are present in my account?
• What access points does a given node see?
• What nodes are visible from a given access point?
• What nodes are near a given node?

All queries only return nodes that are present in your Meshcentral.com account. So even if another node belonging to someone else is in the area, it will no show up in these queries. Initialy the idea is to use this information to know what nodes are located physically near each other. This can be used for ad-hoc collaboration, or other uses. In the future, I will be looking at converting this data into real coordinates using some type of 3rd party service so that users can see a map of the location of all nodes on their account. Could be useful for asset tracking and as an anti-theft feature.

If someone want to try to mesh location API right away, let me know. Otherwise, I will be making it available generally when I get time. I also want to add some use of this data on the web site itself.

Ylian
meshcentral.com

Just a quick follow up on the new Meshcentral.com location feature from my previous post. I just added in the web UI a new entry in the device page that shows which other devices are physically nearby. The new entry is just below the Intel AMT line, and is ranked starting with the nearest node. The distance is determined by how many WIFI access points both devices can see in common. If you hover the mouse over the links, a little box will show the number of AP's in common.

Ok, that is it. Again, this wifi feature is opt-in only and you need to set the mesh policy to enable it. Also, nodes need to have Wifi to have this work and it will show only other nearby devices that are also in your account.

Ylian
meshcentral.com

If you are using Intel® WS-Management Java Client Library in order to play with vPro Machines Logs, one thing that its missing from the examples its a way to get the username that try to perform a KVM session for example. So, the following piece of code can help you.

When colleting log, If Initiator Type == 1, so, we have the user from AD SID, using this SID we can retrieve all user info from AD.

in the KerberosSIDInitiatorType you have this information:

typedef _KerberosSIDInitiatorType
{
uint32 UserInDomain;
uint8 Domain_length;
uint8 Domain[];
} KerberosSIDInitiatorType;

The SID is the composition from Domain + UserInDomain

In Java, we need some Libraries to get the user from AD. You can see the part of our code here:

byte bytesUser[] = HandleBytesUtil.getDataArrayByEventRecordBytes(5, 4, EventRecordBytes);
int domainLength = EventRecordBytes[9];
byte kerberosDomainBytes[] = HandleBytesUtil.getDataArrayByEventRecordBytes(10,domainLength, EventRecordBytes);
timestampOffset = domainLength + 10;
usuarioEvent = HandleBytesUtil.getUserKerberos(bytesUser, kerberosDomainBytes);

Here is the class that manipulates SID related data:

import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Calendar;

import br.com.infoserver.collector.LogCreator;

import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.Advapi32Util.Account;
import com.sun.jna.platform.win32.WinNT.PSID;

public class HandleBytesUtil {

/**
* @param idx index
* @param length length of bytes the data
* @param eventRecordBytes byteArray with all informations
* @return the bytes that represent the data
*/
public static byte[] getDataArrayByEventRecordBytes(int idx,int length,byte eventRecordBytes[]){
byte byteArray[] = new byte[length];
for(int i = 0;i < byteArray.length; i++) {
byteArray[i] = eventRecordBytes[idx++];
}
return byteArray;
}

/**
* Combine both arrays of bytes to get SID of User
* @param bytesUser
* @param kerberosDomainBytes
* @return domain\\user
*/
public static String getUserKerberos(byte[] bytesUser, byte[] kerberosDomainBytes) {

//combine the bytes of the user with bytes of the domainKerberos to convert to SID
//using con.sun.jna.*
byte domainUserBytes[] = new byte[kerberosDomainBytes.length + bytesUser.length];
domainUserBytes = Arrays.copyOf(kerberosDomainBytes, domainUserBytes.length);

int i = kerberosDomainBytes.length;
for(byte b : bytesUser){
domainUserBytes[i]= b;
i++;
}

try{
PSID sid = new WinNT.PSID(domainUserBytes);
Account ac = Advapi32Util.getAccountBySid(sid);
return ac.fqn;
}catch (Exception e) {
LogCreator.doWriteTxt("Erro obtendo SID do usuario");
}
return "NA";
}

/**
* convert the timestamp bytes to calendar in UTC
* @param byteArray of 4 positions 32 bits
* @return Calendar
*/
public static Calendar getTimestampToCalendar(byte[] byteArrayTime){
// convert the timestamp bytes to timeInUTC
ByteBuffer timeBuffer = ByteBuffer.wrap(byteArrayTime);
timeBuffer = ByteBuffer.allocate(byteArrayTime.length);
Calendar calendar = Calendar.getInstance();

for(int i = 0; i < byteArrayTime.length ;i++){
timeBuffer.put(i,byteArrayTime[i]);
}
long timeInUTC = timeBuffer.getInt();
// convert timeInUTC to Java dateTime format. Note that
// Audit log return time in UTC time. You may want to
// convert to local time
// multiply by 1000 ... the time returned is second
calendar.setTimeInMillis((timeInUTC) * 1000);

return calendar;
}

}

Feel free to contact me if you need.