http://en.wikipedia.org/wiki/Intel_Active_Management_Technology

Intel Active Management Technology

From Wikipedia, the free encyclopedia
 
 

Intel AMT web page available even when the computer is sleeping.

Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band.[1][2][3][4][5] Currently, Intel AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family.[1][6][7][8]

Contents

[hide

Overview of Intel AMT[edit]

Intel AMT is hardware and firmware technology that builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair PCs.[1] Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology.[2] Intel AMT is designed into a secondary (service) processor located on the motherboard. Intel AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH)standards and AMT Release 5.1 and later releases are an implementation of DASH version 1.0/1.1 standards for out-of-band management.[9] AMT provides similar functionality to IPMI, although AMT is designed for client computing systems as compared with the typically server-based IPMI.

AMT is not intended to be used by itself; it is intended to be used with a software management application.[1] It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.[1][3][10][11]

Hardware-based management and software-based management[edit]

Hardware-based (or out-of-band) management is different from software-based (or in-band) management and software management agents.[1][2] Hardware-based management works at a different level than software applications, uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or locally installed management agent.

Benefits of Intel AMT hardware-based management[edit]

Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTPfor dynamic IP allocation and diskless workstations, as well as Wake-on-LAN (WOL) for remotely powering on systems.[12]

Intel AMT uses TLS-secured communication and strong encryption, to provide additional security.[2]

Intel AMT features[edit]

Intel AMT includes hardware-based remote management, security, power-management, and remote-configuration features.[1][13] These features allow an IT technician to access an AMT featured PC remotely.[10]

Intel AMT relies on a hardware-based out-of-band (OOB) communication channel[1] that operates below the OS level, the channel is independent of the state of the OS (present, missing, corrupted, down). The communication channel is also independent of the PC's power state, the presence of a management agent, and the state of many hardware components (such as hard disk drives and memory).

Most AMT features are available OOB, regardless of PC power state.[1] Other features require the PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering).[1] Intel AMT has remote power-up capability.

Hardware-based features can be combined with scripting to automate maintenance and service.[1]

Hardware-based AMT features in laptop and desktop PCs[edit]

Hardware-based AMT features include:

  • Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.[1][2]
  • Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console.[1][2] Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
  • Remote power up / power down / power cycle through encrypted WOL.[1][2]
  • Remote boot, via integrated device electronics redirect (IDE-R).[1][2]
  • Console redirection, via serial over LAN (SOL).[1]
  • Keyboard, video, mouse (KVM) over network.
  • Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.[1][2][14]
  • Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.[1][2][14]
  • Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.[1][2][14]
  • OOB alerting.[1][2]
  • Persistent event log, stored in protected memory (not on the hard drive).[1][2]
  • Access (preboot) the PC's universal unique identifier (UUID).[1][2]
  • Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).[1][2]
  • Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to version information, .DAT files, and other information.[1][2]
  • Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.[1][2][15]
  • Protected Audio/Video Pathway for playback protection of DRM-protected media.

Additional AMT features in laptop PCs[edit]

Laptops with AMT also include wireless technologies:

Intel vPro platform features[edit]

Intel AMT is security and management technology that is built into PCs with Intel vPro technology.[1][12] PCs with Intel vPro include many other "platform" (general PC features) technologies and features.

Using Intel AMT[edit]

Almost all AMT features are available even if PC power is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed.[1][2] The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.[1][2]

Intel AMT supports these management tasks:

  • Remotely power up, power down, power cycle, and power reset the computer.[1]
  • Remote boot the PC by remotely redirecting the PC’s boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM orDVD, remediation drive, or other boot device.[1][10] This feature supports remote booting a PC that has a corrupted or missing OS.
  • Remotely redirect the system’s I/O via console redirection through serial over LAN (SOL).[1] This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
  • Access and change BIOS settings remotely.[1] This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings.
  • Detect suspicious network traffic.[1][14] In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network packet header. In desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristics-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (a traditionally vulnerable period for PCs[citation needed]).
  • Block or rate-limit network traffic to and from systems suspected of being infected or compromised by computer viruses, computer worms, or other threats.[1][14] This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
  • Manage hardware packet filters in the on-board network adapter.[1][14]
  • Automatically send OOB communication to the IT console when a critical software agent misses its assigned check in with the programmable, policy-based hardware-based timer.[1][14] A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (helps keep the network from being flooded by unnecessary "positive" event notifications).
  • Receive Platform Event Trap (PET) events out-of-band from the AMT subsystem (for example, events indicating that the OS is hung or crashed, or that apassword attack has been attempted).[1] You can alert on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
  • Access a persistent event log, stored in protected memory.[1] The event log is available OOB, even if the OS is down or the hardware has already failed.
  • Discover an AMT system independently of the PC's power state or OS state.[1] Discovery (preboot access to the UUID) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or management agents are missing.
  • Perform a software inventory or access information about software on the PC.[1] This feature allows a third-party software vendor to store software asset or version information for local applications in the Intel AMT protected memory. (This is the protected third party data store, which is different from the protected AMT memory for hardware component information and other system information). The third-party data store can be accessed OOB by the sys-admin. For example, an antivirus program could store version information in the protected memory that is available for third-party data. A computer script could use this feature to identify PCs that need to be updated.
  • Perform a hardware inventory by uploading the remote PC's hardware asset list (platform, baseboard management controllerBIOSprocessormemory, disks, portable batteries, field replaceable units, and other information).[1] Hardware asset information is updated every time the system runs through power-on self-test (POST).

VNC-based KVM remote control[edit]

From major version 6, Intel AMT embeds a proprietary VNC server, so you can connect out-of-band using dedicated VNC-compatible viewer technology, and have full KVM (Keyboard, Video, Mouse) capability throughout the power cycle - including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).

Out-of-band (OOB) communication with AMT[edit]

Intel AMT is part of the Intel Management Engine. All access to the Intel AMT features is through the Intel Management Engine in the PC’s hardware and firmware.[1] AMT communication depends on the state of the Management Engine, not the state of the PC’s OS.

As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware.[1] Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.

AMT out-of-band (OOB) communication for wired vs. wireless PCs[edit]

Intel AMT supports wired and wireless networks.[1][6][16][18] For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when notebooks are awake and working properly.

AMT out-of-band (OOB) secure communication outside the corporate firewall[edit]

AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall.[1][19] In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication.[1][20] The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.

Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls.

How it works[edit]

An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company’s management servers.[1]

Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.[1]

Intel AMT security measures[edit]

Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.

Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.[1][2]

Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.[1][2][21]

Using AMT in a secure network environment[edit]

Because in-band remote management does not usually occur over a secured network communication channel, businesses have typically had to choose between having asecure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.[1]

Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1xPreboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.[1]

All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:

  • The network can verify the security posture of an AMT-enabled PC and authenticate the PC before the OS loads and before the PC is allowed access to the network.
  • PXE boot can be used while maintaining network security. In other words, an IT administrator can use an existing PXE infrastructure in an IEEE 802.1xCiscoSDN, or Microsoft NAP network.

Intel AMT in a secured network environment: how it works[edit]

Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in.[1][2] The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware),BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.

Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.

Security postures supported by Intel AMT versions[edit]

Support for different security postures depends on the AMT release:

Intel AMT security technologies and methodologies[edit]

AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management.[1][2][21] AMT security technologies and methodologies include:

As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.

Versions[edit]

Main article: Intel AMT versions

Intel AMT versions can be updated in software to the next minor version. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.[2]

Management Engine firmware modules[edit]

  • Active Management Technology (AMT)
  • Alert Standard Format (ASF)
  • Quiet System Technology (QST), formerly Advanced Fan Speed Control (AFSC)
  • Trusted Platform Module (TPM)

Provisioning and integration of Intel AMT[edit]

AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning (“one-touch” provisioning), manual provisioning[1] and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT.[15]

The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.)[10] Remote deployment, until recently, was only possible within a corporate network.[24]Remote deployment lets a sys-admin deploy PCs without “touching” the systems physically.[1] It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console.[25] As delivery and deployment models evolve, AMT can now be deployed over the Internet, using both "Zero-Touch" and Host-Based methods.[26]

Intel vPro PCs can be sold with AMT enabled or disabled[edit]

PCs with Intel AMT can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. Your setup and configuration process will vary, depending on the OEM build.[15]

Intel AMT includes a Privacy Icon application, called IMSS,[27] that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.

Disabling and re-enabling Intel AMT[edit]

Intel AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology.[1][25][28][29]

Disabling Intel AMT[edit]

AMT can be partially unprovisioned using the Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings; or by resemotherboard.[30]

A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.

Re-enabling Intel AMT[edit]

Once AMT is disabled, in order to enable AMT again, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:

  • Using the remote configuration process (full automated, remote config via certificates and keys).[1] This probably means that AMT is always listening to open ports to the wild and cannot be disabled at all.
  • Physically accessing the PC to restore security credentials, either by USB key or by entering the credentials and MEBx parameters manually.[1]

Returning AMT to factory default[edit]

There is a way to totally reset AMT and return in to factory defaults. This can be done in two ways:

  1. Setting the appropriate value in the BIOS.
  2. Clearing the CMOS memory and/or NVRAM.

Setup and integration tools[edit]

Setup and integration of Intel AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.

Implementation[edit]

The management controller for AMT is embedded in the northbridge of the motherboard for recent versions, or network card for AMT 1.0 (as compared with e.g. typical IPMI implementations where the management controller is a discrete part). On current Intel chipsets, an ARC4 RISC microcontroller running the Nucleus RTOS is used as the service processor.

See also[edit]

 
Platforms
 
Discontinued
 
Current
 
Upcoming

http://en.wikipedia.org/wiki/Intel_AMT_versions

Intel AMT versions

From Wikipedia, the free encyclopedia
 
 

Intel Active Management Technology (AMT) is hardware-based technology built into PCs with Intel vPro technology. AMT is designed to help sys-admins remotely manage and secure PCs out-of-band when PC power is off, the operating system (OS) is unavailable (hung, crashed, corrupted, missing), software management agents are missing, or hardware (such as a hard disk drive or memory) has failed.[1][2][3][4][5]

Versions[edit]

Intel AMT is built into a small secondary processor located on the motherboard. This OOB controller has embedded firmware that runs on the Manageability Engine (ME), a separate small ARC architecture processor built into the northbridge (or network card for AMT 1.0) of the motherboard. The AMT firmware is stored in the same SPI flash memory component used to store the BIOS and is generally updated along with the BIOS. FWH (Firmware Hub) or LPC firmware storage is not supported for AMT.[2]

In general, an AMT version can be updated in software to the next minor version. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.

  • Intel AMT 9.0 — Intel 8 Series chipset (Lynx Point). SOAP(EOI) protocol removed.
  • Intel AMT 8.0 — Intel Q75 and Q77 (Maho Bay: Panther Point) chipset, mobile QM77 and QS77 (Chief River: Panther Point) chipset.
  • Intel AMT 7.0 — Intel Q67 (Sugar Bay: Cougar Point) chipset, mobile QM67 and QS67 (Huron River: Cougar Point) chipset.
  • Intel AMT 6.0 — Intel Core i5/7 vPro desktop platforms based on the Q57 (Piketon: Ibex Peak) chipset, Core i5/7 vPro mobile platforms based on the QM57 and QS57 (Calpella: Ibex Peak) chipset, and Xeon 3400 series/Core i5 vPro entry workstation platforms based on the 3450 chipset.
  • Intel AMT 5.0 — Intel Core 2 vPro desktop platforms (launched September 22, 2008) based on the Intel Q45 (McCreary: Eaglelake-Q, ICH10) chipsets.[6]
  • Intel AMT 4.1 — Intel AMT 4.0 + Intel Anti-Theft Technology. Supported on same mobile platforms as Intel AMT 4.0, and based on the GM45 (Montevina, ICH9M) chipset.[7]
  • Intel AMT 4.0 — Mobile platforms with Intel Centrino 2 with vPro based on the GM45 or 47/PM45 (Montevina: Cantiga, ICH9M) chipsets.[1][5][8][9]
  • Intel AMT 3.2 — Intel AMT 3.0 + extra DASH 1.0 (simplified configuration) support and bug fixes (supported on same desktop platforms as Intel AMT 3.1 and Intel AMT 3.0).[1][9]
  • Intel AMT 3.1 — Intel AMT 3.0 + Linux (Red Hat and SUSE) support (supported on same desktop platforms as Intel AMT 3.0; uses same firmware).[1][9]
  • Intel AMT 3.0 — Intel vPro desktop platforms based on the Intel Q35 (Weybridge: Bearlake-Q, ICH9) chipsets, e.g., the Intel DQ35MP motherboard.[1][4]
  • Intel AMT 2.6 — Intel AMT 2.5 + Remote Configuration and bug fixes (supported on same platforms as Intel AMT 2.5).[10]
  • Intel AMT 2.5 — Intel Centrino Pro mobile platforms based on the GM965/PM965 (Santa Rosa: Crestline, ICH8M) chipsets.[4][10]
  • Intel AMT 2.2 — Intel AMT 2.1 + Remote Configuration and bug fixes (supported on same platforms as Intel AMT 2.1 and Intel AMT 2.0).[10]
  • Intel AMT 2.1 — Intel AMT 2.0 + AMT Power Savings (Intel Management Engine Wake on LAN) and bug fixes (supported on same platforms as Intel AMT 2.0).[10]
  • Intel AMT 2.0 — Intel vPro desktop platforms based on the Intel Q963/Q965 (Broadwater-Q, ICH8) chipsets, e.g., the Intel DQ965GF motherboard.[10]
  • Intel AMT 1.0 — Intel platforms based on the Intel 82573E (Tekoa; usually 945, ICH7) Gigabit Ethernet Controller, e.g., the Intel D975XBX2 motherboard. This version provides basic NVRAM, hardware asset, event log and other basic features. It does not provide Intel System Defense network filters.

Comparison of AMT versions[edit]

The following is a comparison of the various features supported by each version of Intel AMT[11][12][13]

Feature AMT 1.0
(Desktop)
AMT 2.0/2.1
(Desktop)
AMT 2.5/2.6
(Mobile)
AMT 3.0
(Desktop)
AMT 4.0
(Mobile)
AMT 5.0
(Desktop)
6.0
(Desktop & Mobile)
7.0 & 8.0
(Desktop & Mobile)
9.0
(Desktop & Mobile)
Hardware Inventory Yes Yes Yes Yes Yes Yes Yes Yes Yes
Persistent ID Yes Yes Yes Yes Yes Yes Yes Yes Yes
Remote Power On/Off Yes Yes Yes Yes Yes Yes Yes Yes Yes
SOL/IDER[note 1] Yes Yes Yes Yes Yes Yes Yes Yes Yes
Event Management Yes Yes Yes Yes Yes Yes Yes Yes Yes
Third-party Data Storage Yes Yes Yes Yes Yes Yes Yes Yes Yes
Built-in web server Yes Yes Yes Yes Yes Yes Yes Yes Yes
Flash Protection Yes Yes Yes Yes Yes Yes Yes Yes Yes
Firmware Update Yes Yes Yes Yes Yes Yes Yes Yes Yes
TCP/IPSOAP XML/EOI Yes Yes Yes Yes Yes Yes Yes No[note 2] No[note 2]
HTTP Digest/TLS Yes Yes Yes Yes Yes Yes Yes Yes Yes
Static and dynamic IP Yes Yes Yes Yes Yes Yes Yes Yes Yes
System Defense No Yes Yes Yes Yes Yes Yes Yes Yes
Agent Presence No Yes Yes Yes Yes Yes Yes Yes Yes
Power Policies No Yes Yes Yes Yes Yes Yes Yes Yes
Mutual Authentication No Yes Yes Yes Yes Yes Yes Yes Yes
Kerberos No Yes Yes Yes Yes Yes Yes Yes Yes
TLS-PSK No Yes Yes Yes Yes Yes Yes Yes Yes
Privacy Icon No 2.1 and up Yes Yes Yes Yes Yes Yes Yes
ME Wake-on-LAN No 2.1 and up Yes Yes Yes Yes Yes Yes Yes
Remote Configuration No 2.2 and up 2.6 and up Yes Yes Yes Yes Yes Yes
Wireless Configuration No No Yes No Yes No Yes Yes Yes
Endpoint Access Control (EAC) 802.1 No No Yes Yes Yes Yes Yes Yes Yes
Power Packages No No Yes No Yes No Yes Yes Yes
Environment Detection No No Yes No Yes No Yes Yes Yes
Event Log Reader Realm No No 2.6 and up Yes Yes Yes Yes Yes Yes
System Defense Heuristics No No No Yes No Yes Yes Yes Yes
WS-Management interface No No No Yes Yes Yes Yes Yes Yes
VLAN settings for Intel AMT network interfaces No No No Yes No Yes Yes Yes Yes
Fast Call For Help (CIRA) No No No No Yes Yes Yes Yes Yes
Access Monitor No No No No Yes Yes Yes Yes Yes
MS NAP support No No No No Yes Yes Yes Yes Yes
Virtualization Support for Agent Presence No No No No No Yes Yes Yes Yes
PC Alarm Clock No No No No No 5.1 and up Yes Yes Yes
KVM Remote Control No No No No No No Yes Yes Yes
Wireless Profile Synchronization No No No No No No Yes Yes Yes
Support for IPv6 No No No No No No Yes Yes Yes
Host-based Provisioning No No No No No No No Yes Yes
Host-based over the Internet Provisioning No No No No Yes Yes Yes Yes Yes
Zero-touch over the Internet Provisioning No No No No Yes Yes Yes Yes Yes
Gracefull Shutdown No No No No No No No No Yes
  1. Jump up^ Serial Over LAN/IDE-Redirection is an Intel AMT protocol that allows the host computer to access the floppy disk or CD drive of the connecting computer[14]
  2. Jump up to:a b SOAP (EOI) was deprecated from AMT 6.0 onwards in favour of WS-MAN, AMT 9.0 is WS-MAN only[15]
 
 

vPro hardware requirements[edit]

The first release of Intel vPro was built with an Intel Core 2 Duo processor.[4] The current versions of Intel vPro are built into systems with 22 nm Intel 4th Generation Core i5 & i7 processors.

PCs with Intel vPro require specific chipsets. Intel vPro releases are usually identified by their AMT version.[1][4]

Laptop PC requirements[edit]

Laptops with Intel vPro require:

  • For Intel AMT release 9.0 (4th Generation Intel Core i5 and Core i7):

    • 22 nm Intel 4th Generation Core i7 Mobile Processors.[30]
    • 22 nm Intel 4th Generation Core i5 Mobile Processors.[31]
    • Mobile QM87 Chipsets [32]
  • For Intel AMT release 8.0 (3rd Generation Intel Core i5 and Core i7):

    • 32 & 45 nm Intel 3rd Generation Core i7 Mobile Processors.[33]
    • 32 & 45 nm Intel 3rd Generation Core i5 Mobile Processors.[34]
    • Mobile QM77 & Q77 Chipsets [32]
  • For Intel AMT release 4.1 (Intel Centrino 2 with vPro technology):[35]

    • 45 nm Intel Core2 Duo processor T, P sequence 8400, 8600, 9400, 9500, 9600; small form factor P, L, U sequence 9300 and 9400, and Quad processor Q9100.
    • Mobile 45 nm Intel GS45, GM47, GM45 and PM45 Express Chipsets (Montevina with Intel Anti-Theft Technology) with 1066 FSB, 6 MB L2 cache, ICH10M-enhanced.
  • For Intel AMT release 4.0 (Intel Centrino 2 with vPro technology):[1][5]

    • 45 nm Intel Core2 Duo processor T, P sequence 8400, 8600, 9400, 9500, 9600; small form factor P, L, U sequence 9300 and 9400, and Quad processor Q9100.
    • Mobile 45 nm Intel GS45, GM47, GM45 and PM45 Express Chipsets (Montevina) with 1066 FSB, 6 MB L2 cache, ICH9M-enhanced.
  • For Intel AMT release 2.5 and 2.6 (Intel Centrino with vPro technology):[4][6][36]

    • Intel Core2 Duo processor T, L, and U 7000 sequence3, 45 nm Intel Core2 Duo processor T8000 and T9000
    • Mobile Intel 965 (Broadwater-Q) Express Chipset with ICH8M-enhanced.

Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases.

Desktop PC requirements[edit]

Desktop PCs with vPro (called "Intel Core 2 with vPro technology") require:

  • For AMT release 5.0:[37]

    • Intel Core2 Duo processor E8600, E8500, and E8400 ; 45 nm Intel Core2 Quad processor Q9650, Q9550, and Q9400.
    • Intel Q45 (Eaglelake-Q) Express Chipset with ICH10DO.
  • For AMT release 3.0, 3.1, and 3.2:[1][4][5]
    • Intel Core2 Duo processor E6550, E6750, and E6850; 45 nm Intel Core2 Duo processor E8500, E8400, E8300 and E8200; 45 nm Intel Core2 Quad processor Q9550, Q9450 and Q9300.
    • Intel Q35 (Bearlake-Q) Express Chipset with ICH9DO.

Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases.

  • For AMT release 2.0, 2.1 and 2.2:[4][6][36]

    • Intel Core 2 Duo processor E6300, E6400, E6600, and E6700.
    • Intel Q965 (Averill) Express Chipset with ICH8DO.

vPro, AMT, Core i relationships[edit]

There are numerous Intel brands. However, the key differences between vPro (an umbrella marketing term), AMT (a technology under the vPro brand), Intel Core i5 and Intel Core i7 (a branding of a package of technologies), and Core i5 and Core i7 (a processor) are as follows:

The Core i7, the first model of the i series was launched in 2008, and the less-powerful i5 and i3 models were introduced in 2009 and 2010, respectively. The microarchitecture of the Core i series was code-named Nehalem, and the second generation of the line was code-named Sandy Bridge.

Intel Centrino 2 was a branding of a package of technologies that included Wi-Fi and, originally, the Intel Core 2 Duo.[3] The Intel Centrino 2 brand was applied to mobile PCs, such as laptops and other small devices. Core 2 and Centrino 2 have evolved to use Intel's latest 45-nm manufacturing processes, havemulti-core processing, and are designed for multithreading.

Intel vPro is a brand name for a set of Intel technology features that can be built into the hardware of the laptop or desktop PC.[1] The set of technologies are targeted at businesses, not consumers. A PC with the vPro brand often includes Intel AMT, Intel Virtualization Technology (Intel VT), Intel Trusted Execution Technology (Intel TXT), a gigabit network connection, and so on. There may be a PC with a Core 2 processor, without vPro features built in. However, vPro features require a PC with at least a Core 2 processor. The technologies of current versions of vPro are built into PCs with Core 2 Duo or Core 2 Quad processors and more recently some versions of Core i5 and Core i7 processors.

Intel AMT is part of the Intel Management Engine that is built into PCs with the Intel vPro brand. Intel AMT is a set of remote management and security hardware features that let a sys-admin with AMT security privileges access system information and perform specific remote operations on the PC.[4] These operations include remote power up/down (via wake on LAN), remote / redirected boot (via integrated device electronics redirect, or IDE-R), console redirection (via serial over LAN), and other remote management and security features.

http://www.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html

Intel® Active Management Technology

Query, restore, upgrade, and protect devices remotely

Increase efficiency and effectiveness, automatically

Using integrated platform capabilities and popular third-party management and security applications, Intel® Active Management Technology (Intel® AMT) allows IT or managed service providers to better discover, repair, and protect their networked computing assets. Intel AMT enables IT or managed service providers to manage and repair not only their PC assets, but workstations and entry servers as well, utilizing the same infrastructure and tools across platforms for management consistency. For embedded developers, this means that devices can be diagnosed and repaired remotely, ultimately lowering IT support costs. Intel AMT is a feature of Intel® Core™ processors with Intel® vPro™ technology1,2 and workstation platforms based on select Intel® Xeon® processors.

The solution to challenging IT and intelligent systems issues

Intel design teams determined that better asset management, reduced downtime, and minimized desk-side visits were best addressed through platform architectural enhancements, resulting in the following features and benefits for supporting those needs.

Out-of-band system access

With built-in manageability, Intel AMT allows IT to discover assets even while platforms are powered off.1,2

Remote troubleshooting and recovery

With out-of-band management capabilities, including Keyboard-Video-Mouse (KVM) Remote Control,3 Intel AMT allows IT to remotely remediate and recover systems after OS failures. Out-of-band alerting and event logging also help to reduce downtime.

Hardware-based agent presence checking

Ensuring better protection for your enterprise, hardware-based agent presence checking proactively detects when software agents are running. When missing agents are detected, alerts are sent to the management console.

Proactive alerting

Intel® AMT System Defense Manager proactively blocks incoming threats, containing infected clients before they impact the network and alerting IT when critical software agents are removed.

Remote hardware and software asset tracking

Intel AMT helps keep software and virus protection up-to-date across the enterprise, enabling third-party software to store version numbers or policy data in non-volatile memory for off-hours retrieval or updates.

Expanded capabilities

With the Intel® vPro™ Technology Module for Microsoft Windows PowerShell*, IT has direct access to Intel AMT and can use Windows PowerShell scripts to take advantage of features not available in their existing management console—for example, remotely configuring alarm clock settings.

Increase efficiency and effectiveness

Windows PowerShell scripts integrate seamlessly into existing tools, enabling IT to quickly and easily execute Intel AMT commands on their Intel vPro-based managed clients and workstations and Intel AMT-capable entry servers.

1. Intel® vPro™ technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software, and IT environments. To learn more visit: www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html.

2. Requires activation and a system with a corporate network connection, an Intel® AMT-enabled chipset, network hardware, and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating, or powered off. Results dependent upon hardware, setup, and configuration. For more information, visit www.intel.com/technology/vpro/index.htm.

3. KVM Remote Control (Keyboard, Video, Mouse) is only available with the Intel® Xeon® processor family, Intel® Core™ i5 vPro™ processor, and Intel® Core™ i7 vPro™ processor running activated and configured Intel® Active Management Technology with integrated graphics. Discrete graphics are not supported.

http://linux.die.net/man/7/amt-howto

Name

amt-howto - Intel AMT with linux mini howto

Description

What is AMT and why I should care?

AMT stands for "Active Management Technology". It provides some remote management facilities. They are handled by the hardware and firmware, thus they work independant from the operation system. Means: It works before Linux bootet up to the point where it activated the network interface. It works even when your most recent test kernel deadlocked the machine. Which makes it quite useful for development machines ...

Intel AMT is part of the vPro Platform. Recent intel-chipset based business machines should have it. My fairly new Intel SDV machine has it too.

Documentation

Look here for documentation beyond this mini howto:
http://www.intel.com/technology/platform-technology/intel-amt/
Most useful to get started: "Intel AMT Deployment and Reference Guide"

Very short AMT enabling instructions.

Enter BIOS Setup.
* Enable AMT
Enter ME (Management Extention) Setup. Ctrl-P hotkey works for me.
* Login, factory default password is "admin".
* Change password. Trivial ones don't work, must include upper- and lowercase letters, digits, special characters.
* Enable AMT Managment.
Reboot, Enter ME Setup again with AMT enabled.
* Configure AMT (hostname, network config, ...)
* Use SMB (Small Business) management mode. The other one (Enterprise) requires Active Directory Service Infrastructure, you don't want that, at least not for your first steps ...

Testing AMT

Take your browser, point it to http://machine:16992/. If you configured AMT to use DHCP (which is the default) the OS and the management stack share the same IP address.

You must do that from a remote host as the NIC intercepts network packets for AMT, thus it doesn't work from the local machine as the packets never pass the NIC then. If everything is fine you'll see a greeting page with a button for login.

You can login now, using "admin" as username and the password configured during setup. You'll see some pages with informations about the machine. You can also change AMT settings here.

Control Machine

You might have noticed already while browing the pages: There is a "Remote Control" page. You can remotely reset and powercycle the machine there, thus recover the machine after booting a b0rken kernel, without having someone walk over to the machine and hit the reset button.

Serial-over-LAN (SOL) console

AMT also provides a virtual serial port which can be accessed via network. That gives you a serial console without a serial cable to another machine.

If you have activated AMT and SOL the linux kernel should see an additional serial port, like this on my machine:

[root@xeni ~]# dmesg | grep ttyS2
0000:00:03.3: ttyS2 at I/O 0xe000 (irq = 169) is a 16550A

Edit initab, add a line like this:

S2:2345:respawn:/sbin/agetty ttyS2 115200 vt100-nav

You should add the serial port to /etc/securetty too so you are able to login as root. Reload inittab ("init q"). Use amtterm to connect. Tap enter. You should see a login prompt now and be able to login.

You can also use that device as console for the linux kernel, using the usual "console=ttyS2,115200" kernel command line argument, so you see the boot messages (and kernel Oopses, if any).

You can tell grub to use that serial device, so you can pick a working kernel for the next boot. Usual commands from the grub manual, except that you need "--port=0xe000" instead of "--unit=0" due to the non-standard I/O port for the serial line (my machine, yours might use another port, check linux kernel boot messages).

The magic command for the Xen kernel is "com1=115200,8n1,0xe000,0" (again, you might have to replace the I/O port). The final '0' disables the IRQ, otherwise the Xen kernel hangs at boot after enabling interrupts.

Fun with Xen and AMT

The AMT network stack seems to become slightly confused when running on a Xen host in DHCP mode. Everything works fine as long as only Dom0 runs. But if one starts a guest OS (with bridged networking) AMT suddenly changes the IP address to the one the guest aquired via DHCP.

It is probably a good idea to assign a separate static IP address to AMT then. I didn't manage to switch my machine from DHCP to static IP yet though, the BIOS refuses to accept the settings. The error message doesn't indicate why.

More fun with AMT

You might want to download the DTK (Developer Toolkit, source code is available too) and play with it. The .exe is a self-extracting rar archive and can be unpacked on linux using the unrar utility. The Switchbox comes with a linux binary (additionally to the Windows stuff). The GUI tools are written in C#. Trying to make them fly with mono didn't work for me though (mono version 1.2.3 as shipped with Fedora 7).

See Also

amtterm(1)gamt(1)amttool(1)

http://www.intel.com/technology/platform-technology/intel-amt/

Written by

Gerd Hoffmann <kraxel@redhat.com>

Intel Active Management Technology的更多相关文章

  1. Data Management Technology(1) -- Introduction

    1.Database concepts (1)Data & Information Information Is any kind of event that affects the stat ...

  2. Data Management Technology(5) -- Recovery

    Recovery Types of Failures Wrong data entry Prevent by having constraints in the database Fix with d ...

  3. Data Management Technology(4) -- 关系数据库理论

    规范化问题的提出 在规范化理论出现以前,层次和网状数据库的设计只是遵循其模型本身固有的原则,而无具体的理论依据可言,因而带有盲目性,可能在以后的运行和使用中发生许多预想不到的问题. 在关系数据库系统中 ...

  4. Data Management Technology(3) -- SQL

    SQL is a very-high-level language, in which the programmer is able to avoid specifying a lot of data ...

  5. Data Management Technology(2) -- Data Model

    1.Data Model Model Is the abstraction of real world Reveal the essence of objects, help people to lo ...

  6. Intel Naming Strategy--2

    http://en.wikipedia.org/wiki/Intel_Corporation#Naming_strategy Naming strategy[edit] In 2006, Intel ...

  7. Intel CPUs

    http://en.wikipedia.org/wiki/Intel_cpus List of Intel Atom microprocessors List of Intel Xeon microp ...

  8. Lenovo ThinkPad W520 4282-A76

    processor: Intel Quad Core i7-2630QM (2GHz, 8MB L3, 1333MHz FSB, 45W) graphics adapter: NVIDIA Quadr ...

  9. DASH----Desktop and mobile Architecture for System Hardware----桌面和移动系统硬件架构(DASH)计划

    http://baike.baidu.com/subview/813787/11301142.htm http://sites.amd.com/cn/business/it-solutions/man ...

随机推荐

  1. HDU 2476 区间DP String painter

    题解 #include <iostream> #include <cstdio> #include <cstring> #include <algorithm ...

  2. websphere8.5 与cxf2.x冲突问题

    一个客户was部署的小问题,记录一下. 问题现象 在我们的服务中用调用别人的webservice服务报错,框架用的cxf. 报错关键信息有: E com.ibm.ws.webcontainer.web ...

  3. ubuntu 终端查看图片(eog)

    远程登陆服务器的话,是没有办法直接查看图片的,这时我们需要进入图片所在目录,然后通过终端命令查看图片. 想要查看图片,需要通过ssh -X登陆,然后在终端输入命令: eog 图片名

  4. [adb 命令学习篇] adb 命令总结

    https://testerhome.com/topics/2565 Android 常用 adb 命令总结 针对移动端 Android 的测试, adb 命令是很重要的一个点,必须将常用的 adb ...

  5. cell左右滑动展开更多按钮-MGSwipeTableCell

    MGSwipeTableCell是一个UITableViewCell的子类, 它实现了左,右滑动展开更多按钮用来实现一些相关操作就和QQ好友列表滑动展开的按钮一样,封装的很好,动画效果也处理很到位,废 ...

  6. iossharesdk微信登录出错

    只用下面的初始化就行了 //    //添加微信应用 注册网址 http://open.weixin.qq.com //    [ShareSDK connectWeChatWithAppId:mod ...

  7. 【Luogu】P2051中国象棋(DP)

    题目链接 去看STDCALL的题解吧 #include<cstdio> #include<cctype> #define mod 9999973 inline long lon ...

  8. 【Luogu】P2831愤怒的小鸟(手算抛物线+状压DP)

    题目链接 设f[s]表示二进制集合表示下的s集合都打掉用了多少小鸟. 预处理出lne[i][j]表示i.j确定的抛物线能打掉的小鸟集合. 于是就有f[s|lne[i][j]]=min(f[s|lne[ ...

  9. 【shell】shell编程(一)-入门

    如今,不会Linux的程序员都不意思说自己是程序员,而不会shell编程就不能说自己会Linux.说起来似乎shell编程很屌啊,然而不用担心,其实shell编程真的很简单.背景 什么是shell编程 ...

  10. 转载 cc、gcc、g++、CC的区别概括

    gcc是C编译器:g++是C++编译器:linux下cc一般是一个符号连接,指向gcc:gcc和g++都是GUN(组织)的编译器.而CC则一般是makefile里面的一个名字,即宏定义,嘿,因为Lin ...