Realizing the Value of Intel vPro Processor Technology within Altiris Client Management Suite
Terry Cutler, Enterprise Solution Architect, Intel Corporation
Joel Smith, Principal Support Engineer, Symantec Corporation
Course Objectives
- Discuss the main steps to activate Intel vPro processor technology
- Identify key considerations and plans for deployment
- Establish a community of knowledge sharing (whether inside or outside this session)
Related Sessions, Events, and Material
ManageFusion Sessions:
- AP L03 Lab: Using Intel vPro with Altiris Client Management Suite, 4:45pm Tues.
- AP B06 Session: Economics of Deploying Intel vPro in the Enterprise, 3:15pm Wed.
- AP L02 Session: Dell Client Manageability
- AP B01 Session: HP Client Manageability
Intel Demonstration Booth, Partner Expo:
- Check out the vPro Challenge and win prizes
- Talk and see more on vPro integration with Altiris
Altiris Juice: http://juice.altiris.com/intel
Short Quiz (prizes included)
- Does Altiris CMS with Intel vPro allow for 1-to-1 or 1-to-many client management?
- When was the current production version of RTCI, RTSM, OOBM, and OOBSC released?
- Bonus: What is the production Intel SCS embedded in OOBSC?
- How do you know if an Intel AMT version is supported within the Altiris console?
Main Considerations for Deployment
- Current and Future State (today's focus): understanding of the target environment, especially the future state of enterprise client manageability and security
- Client Platform Readiness: in addition to OS and application compatibility, validate the provision, reprovision and unprovision of Intel vPro desktops and/or laptops
- Management ISV Readiness: Altiris runs great on vPro
- Enterprise Infrastructure (today's focus): planning and preparing the enterprise for Intel vPro solution deployment (e.g., DHCP, DNS, PKI/CA, etc.)
- IT Governance and Processes: preparing for process changes to deployment, maintenance, support requests, and related tasks
Successful deployments require a collaborative effort.
Discussion: What usage models are desired?
- Remotely power on/off
- Out-of-band asset inventory
- Discovery of connected systems
- Redirect (Serial-over-LAN and IDE-R)
- Alerting and eventing subscription*
- System Defense (network filter)
View Intel vPro as a tool in the overall Altiris CMS toolset.
*Some features are specific to vendor implementations.
[Diagram: Intel vPro platform block diagram: Intel Core 2 Duo (CPU), Intel Q965 Express Chipset (G)MCH, Manageability Engine, ICH8-DO (filters, sensors, MAC), Intel PRO/1000 LAN, DDR2, flash (BIOS, NVM)]
Copyright 2007, Intel Corporation, All Rights Reserved
Preparation of the Client Platform
- Future plans around Microsoft Vista?
- Mobile environment?
- Driver and firmware recommendations:
  - Intel Active Management Technology (AMT) firmware
  - Intel Management Engine Interface (MEI) driver
  - Serial-over-LAN (SOL) driver
  - Local Management Service (LMS) driver
  - User Notification Service (UNS) driver
  - Altiris client management agent (AMT 3.0 or higher)
Integration with Altiris Client Management Suite
[Diagram: component overview]
- Intel vPro Out of Band Management: RTSM and RTCI, Network Discovery, Remote Boot, IDE Redirect, Serial Over LAN, AMT Inventory, SNMP Alerts, System Defense
- Platform services: Microsoft SQL, Microsoft IIS, Task Server, Provisioning Server, Notification Server
- Altiris solutions: Software Delivery, Patch Management, Inventory Solution, Application Metering/Management, Altiris Helpdesk, Asset Management
Enterprise Infrastructure Overview
[Diagram: wireless network, wired network and public network, with DHCP, RADIUS, DNS, Management Console, VPN/Firewall Gateway, PKI/CA, Microsoft Active Directory, Microsoft SQL, Microsoft IIS, and Provisioning Server]
Intel AMT Provisioning Overview
- Small Business or Enterprise mode: this session focuses on Enterprise
- Intel AMT configuration states: Factory Default, Setup, and Configured
- Provisioning approaches: Pre-Shared Key or Remote Configuration
- Maintenance actions and routines: ReProvisioning and UnProvisioning
Small-Medium Business or Enterprise mode?
SMB Mode
- 1-to-1 provisioning and communication (note: Altiris CMS enables 1-to-many)
- Manual setup using BIOS / MEBx
- Open network communication with AMT
- HTTP Digest user authentication
- Suitable for lower-volume deployments with no PKI infrastructure
Enterprise Mode
- 1-to-many provisioning and communication
- Automated setup using a USB drive key
- Encrypted AMT network communication during provisioning
- TLS, Kerberos, and HTTP Digest authentication
- Maintain multiple Intel AMT profile configurations
- Suitable for volume deployments
- Support for discover, heal, and protect use cases
Intel AMT configuration states
- Factory Default -> Setup: provisioning data entered
- Setup -> Configured: Intel AMT profile assigned
- Configured -> Setup: Intel AMT profile removed (partial UnProvision)
- Configured -> Factory Default: fully UnProvisioned*
*Full UnProvision does not reset CMOS for one-touch provisioning.
Pre-Shared Key or Remote Configuration?
TLS Pre-Shared Key (TLS-PSK)
- Manual or one-touch provisioning
- Best performed before the Intel AMT client is in the production environment
- Supported on all Intel AMT platforms
Remote Configuration (PKI-CH)
- Formerly called zero touch configuration (ZTC)
- Agent-initiated or bare-metal provisioning
- Supported first on AMT 3.0 platforms, then AMT 2.2 and AMT 2.6
Reading material:
- http://juice.altiris.com/article/1673/part-3-enterprise-integration-intel-amt-provisioning
- http://juice.altiris.com/article/2161/remote-configuration-preview
Required, Suggested, and Optional
Required:
- Setup and Configuration Application (Intel Setup and Configuration Service)
- Network ports 16992-16995 (Intel AMT registered ports)
- Required for one-touch provisioning: DHCP, DNS, ProvisionServer, USB key with setup.bin
- Network port 9971 (Altiris Resource Synchronization and Network Discovery)
Suggested infrastructure items:
- DHCP with option 15, WMI, DDNS, ISV client agent, domain membership
Optional:
- Certificate server, Active Directory, Kerberos, wireless profiles, Network Access Control (NAC), 802.1x, VLAN
Pre-Shared Key Provisioning
[Diagram: 1 SQL DB, 2 Management Console, 3 DNS/DHCP, 4 Provision Server]
http://juice.altiris.com/article/1673/part-3-enterprise-integration-intel-amt-provisioning
Provisioning Data: What's Needed? How Obtained?
PID, PPS, and new password:
- Created in the Setup and Configuration Application (setup.bin)
- Manually entered during pre-provisioning
UUID (Universally Unique Identifier):
- Assigned by the OEM at the factory; unique to every system
- Included by Intel AMT in the hello packet
- Obtained by the management console via WMI or agent (Altiris Network Discovery with AMT options enabled)
FQDN (Fully Qualified Domain Name):
- Stored on the host OS, based on system name and domain
- Obtained via WMI, reverse DNS lookup (DDNS), and DHCP option 15 (DNS suffix from server) and 81 (from client)
- Stored in the management database with the matching UUID
- Manually entered at the management console by the administrator
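As an added example (not Altiris or Intel code), the correlation this slide describes in Python: hello packets keyed by UUID are matched against agent/WMI inventory, reverse DNS and the DHCP option 15 suffix to build UUID-to-FQDN provisioning records, and the cases that need an administrator's manual entry or review are flagged. All sample data is constructed.

```python
import re
from typing import List, Optional
UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")
# Constructed sample data: hello packets carry the OEM-assigned UUID.
HELLO_PACKETS = [
    {"uuid": "4c4c4544-0031-4a10-8057-b4c04f4e3131", "src_ip": "10.0.5.21"},
    {"uuid": "4c4c4544-0042-3010-8039-c3c04f4d3032", "src_ip": "10.0.5.22"},
    {"uuid": "00000000-0000-0000-0000-000000000000", "src_ip": "10.0.5.23"},
    {"uuid": "4c4c4544-0099-5b10-8044-a1c04f4e3139", "src_ip": "10.0.5.24"},
]
# Constructed sample data: host name and domain reported by the agent / WMI.
AGENT_INVENTORY = {
    "4C4C4544-0031-4A10-8057-B4C04F4E3131": ("desk-021", "corp.example.com"),
    "4C4C4544-0042-3010-8039-C3C04F4D3032": ("desk-022", "lab.example.com"),
}
# Constructed sample data: reverse DNS (DDNS) answers and DHCP option 15 suffix.
REVERSE_DNS = {"10.0.5.21": "desk-021.corp.example.com",
               "10.0.5.22": "desk-022.corp.example.com"}
DHCP_OPTION_15 = "corp.example.com"

def fqdn_from_inventory(uuid: str) -> Optional[str]:
    entry = AGENT_INVENTORY.get(uuid)
    return f"{entry[0]}.{entry[1]}" if entry else None

def build_record(hello: dict) -> dict:
    uuid = hello["uuid"].upper()
    rec = {"uuid": uuid, "fqdn": None, "status": "ok", "notes": []}
    # A malformed or all-zero UUID cannot key a provisioning record.
    if not UUID_RE.match(uuid) or set(uuid) <= {"0", "-"}:
        rec["status"] = "invalid_uuid"
        return rec
    fqdn = fqdn_from_inventory(uuid)
    if fqdn is None:
        # No agent/WMI data yet: the administrator enters the FQDN manually.
        rec["status"] = "needs_manual_fqdn"
        return rec
    rec["fqdn"] = fqdn
    rdns = REVERSE_DNS.get(hello["src_ip"])
    if rdns and rdns.lower() != fqdn.lower():
        # Agent and DDNS disagree; hold the record until resolved.
        rec["status"] = "fqdn_conflict"
        rec["notes"].append(f"reverse DNS returned {rdns}")
    if not fqdn.lower().endswith("." + DHCP_OPTION_15.lower()):
        rec["notes"].append("domain differs from DHCP option 15 suffix")
    return rec

def build_all(hellos: List[dict] = HELLO_PACKETS) -> List[dict]:
    return [build_record(h) for h in hellos]
```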
Remote Configuration Process Overview
Certificate-based authentication:
- Intel Client Setup Certificate per DNS domain
- Matching thumbprint (i.e. certificate hash) on the client
- Support for 3rd-party or custom in-house certificates
Infrastructure dependencies:
- DHCP option 15 with DNS domain suffix
- DNS entry for ProvisionServer
- Altiris Agent required for Intel AMT 2.2 and 2.6 (initiates delayed provisioning)
- Intel AMT 3.0 systems have a bare-metal option
More details in the backup slides and online.
Remote Configuration Process Overview
[Diagram: Agent Initiated (AMT 2.2, 2.6, 3.0) or Bare Metal (AMT 3.0) -> Secure Authentication -> Configuration (Intel AMT profile sent)]
http://juice.altiris.com/article/2161/remote-configuration-preview
Call to Action: Activate and realize the value!
- If you are considering Intel vPro with Altiris CMS, assess the value and plan
- Coordinate with internal IT resources: client, server, infrastructure, security, and so forth
- Validate plans and usages in a test environment
- Utilize external community resources
- Visit the Intel booth for more discussion and take the vPro Challenge!
Additional Reference Material
Coming soon to Altiris Juice (http://juice.altiris.com/intel):
- Index of articles
- Altiris Console configuration video
- Enterprise provisioning sequence
- Use case video demonstrations
Intel vPro Expert Center: http://www.intel.com/go/vproexpert
Altiris Juice: Fresh squeezed, info enriched.
- Breaking product news
- In-depth articles
- Tips from the trenches
- Tools and utilities
- Training videos
- Podcasts
- RSS feeds
- Rewards program
juice.altiris.com
THANK YOU Altiris and ManageFusion are registered trademarks of Symantec, Inc. in the U.S. and in other countries. The other company names or products mentioned are or may be trademarks of their respective owners.
Preparations for Agent Initiated
[Diagram: Management Console, Intel AMT client (operating system with management agent, MEI), DNS, Provision Server]
1. Update package (Management Console)
2. Request AMT state; agent-provided data
3. Send One Time Password
4. Request ProvisionServer (DNS)
5. Send Hello Packet (to Provision Server)
Preparations for Bare Metal
[Diagram: Intel AMT client, DNS/DHCP, Provision Server]
1. Create self-signed certificate
2. Request ProvisionServer (DNS/DHCP)
3. Send Hello Packet
RCFG: Mutual Authentication
[Diagram: Provision Server with Setup Certificate; Intel AMT client (operating system with management agent, MEI) with self-signed certificate]
1. SCA requests self-signed certificate
2. Setup Certificate request includes Key1 and PEM
3. Intel AMT verifies Setup Certificate (CH, domain, etc.)
4. Key 2 sent to SCA
5. MTLS established
OTP sent to SCA
Discussion: IT Governance and Process (example of future discussions)
Phases:
1. Initial Setup (bare-metal provisioning)
2. User Profile Setup
3. Maintenance
4. EOL
Systems and records touched across these phases:
- Purchase order placed; install, setup inventory; Setup & Config DB services
- AD schema changes (one time only); PID/PPS entry in setup/config DB
- AMT hostname assigned; AD/Domain entries updated (AMT object additions)
- Asset DB update; Inventory DB updated
- Enterprise policies and certs (CA) DB updated; CA distributes certs
- Management Console (MC) updated with AMT entries
- Support/Call DB; AD/Network DB update; Asset DB updated
- Policy changes for asset and patch management; Asset & Patch Management DB
- EOL: remove AMT AD entries; unprovision (S&C update); delete from MC; DB ready for resale or donation