Management Suite supports devices using Intel vPro technology, a hardware and firmware technology that enables remote device management and security. Intel vPro uses out-of-band (OOB) communication for access to devices regardless of the state of the operating system or power to the device.
In this product, the term "Intel vPro" refers to technologies provided on desktop and mobile computers with Intel vPro support. This product also supports devices with earlier versions of Intel Active Management Technology (Intel AMT). The process for provisioning devices with different versions of Intel vPro varies according to the version numbers. The information in this section applies to all versions except as noted.
The following table lists Intel vPro features supported in this product in different versions of Intel vPro.
Feature | Intel AMT 1.0 | Intel vPro 2.0/2.1/2.2 | Intel vPro 2.5/2.6 | Intel vPro 3.0 | Intel vPro 4.0 | Intel vPro 5.0 | Intel vPro 6.0 |
---|---|---|---|---|---|---|---|
Provision devices | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
System Defense | No | Yes | Yes | Yes | Yes | Yes | Yes |
Enhanced System Defense | No | No | No | Yes | Yes | Yes | Yes |
Agent Presence | No | Yes | Yes | Yes | Yes | Yes | Yes |
Wireless profile & device management | No | No | Yes* | No | Yes | Yes | |
Serial-over-LAN & IDE redirection | Yes | Yes | LAN connection: Yes; Wireless mode: Yes, if wireless profile exists | Yes | Yes | Yes | Yes |
Remote configuration (zero touch provisioning) | No | 2.0/2.1: No; 2.2: agent-based only | 2.5: No; 2.6: agent-based only | Yes | Yes | Yes | Yes |
Network Environment Detection | No | No | No | Yes | Yes | Yes | Yes |
Client-Initiated Remote Access | No | No | No | Yes | Yes | Yes | Yes |
*A wireless profile is required for wireless management of Intel Centrino 2.5 notebooks. For Intel Centrino 2.6 notebooks, a wireless profile is required only to use Serial-over-LAN and IDE redirection features; other wireless management features can be used whether or not a wireless profile exists on the notebook.
This chapter contains information on the following:
When devices are configured with Intel vPro, a limited number of management features are available even if the device does not have a LANDesk agent installed. As long as devices are connected to the network and have standby power, they can be discovered and can be added to the database to be managed with other devices on the network.
If a device has Intel vPro but no management agent installed, it can be discovered, added to the inventory database, and viewed in the network view Devices folder. Management features that are available for Intel vPro-configured devices include:
Other Management Suite management options are available only when a management agent is installed on the device. For more information about management options, see Intel vPro device management.
Devices can be discovered as Intel AMT 1.0 devices only after you have accessed the Intel AMT Configuration Screen on the device's BIOS and changed the manufacturer's default password to a secure password (refer to the manufacturer's documentation for information on accessing the Intel AMT Configuration Screen). If you haven't done this, the devices will be discovered but not identified as Intel AMT devices, and you won't be able to view the same inventory summary information as you otherwise would.
In order for the core server to authenticate with discovered Intel AMT devices, the username/password credentials you enter in the device BIOS must match the credentials that you enter in the Intel vPro general configuration dialog box (click Configure > Intel vPro options > General configuration).
When an Intel AMT device is added to the core database to be managed, Management Suite automatically provisions it, regardless of whether it has already been provisioned. Small business mode provides basic management without network infrastructure services and is non-secure, while Enterprise mode is designed for large enterprises and uses DHCP, DNS, and a TLS certificate authority service to ensure secure communication between the managed device and the core server.
When you provision an Intel AMT device in Enterprise mode, the core server installs a certificate on the device for secure communication. If another computer attempts to access the Intel AMT functionality on the device, it will not succeed because it does not have a matching certificate.
Devices equipped with Intel vPro functionality should be configured when they are first set up and powered on, to enable Intel vPro features. This process includes several security measures to ensure that only authorized users have access to the Intel vPro management features.
Intel vPro devices communicate with a provisioning server on the network. This provisioning server listens for messages from Intel vPro devices on the network and allows IT staff to manage servers through out-of-band communication regardless of the state the device’s OS is in. The LANDesk core server acts as a provisioning server for Intel vPro devices and includes features that help you provision devices when you set them up. You can then manage the devices with or without additional management agents.
This section outlines a recommended process for configuring new Intel vPro devices. During this process you will use Management Suite to generate a set of provisioning IDs (PID and PPS). These IDs are entered in the device BIOS to ensure a secure connection with the provisioning server during the initial provisioning process. This "one-touch" process can be used to configure devices with release 2.0 and later.
Devices with release 2.2/2.6 and later can also be configured using remote configuration (also referred to as zero-touch provisioning). This process does not require the transfer of PID/PPS IDs, but is initiated automatically after the device's "hello" packet is received by the provisioning server (core server) or after a LANDesk management agent is deployed on the Intel vPro device. An Intel Client Setup certificate from an authorized certificate vendor must be installed on the core server to use remote configuration.
For devices with Intel vPro release 3.0 and later, a "bare metal" or agentless remote configuration is also supported.
Devices with Intel AMT version 1.0 use a similar process but don't use the PID and PPS keys. For details, see Discovering Intel AMT 1.0 devices.
NOTE: The information in this section is a general description of the Intel vPro configuration process. However, individual manufacturers implement Intel vPro functionality in different ways, and there may be differences in such areas as accessing the Intel AMT or ME BIOS screens, resetting the device to factory mode (unprovisioning), or the way that PID/PPS key pairs are provided. Consult the documentation and support information provided by device manufacturers before you begin the configuration process.
This section includes information about:
This section describes the process of using one-touch provisioning for Intel vPro 2.0 and later.
When an Intel vPro device is received, the IT technician assembles the computer and powers it on. After powering on the device, the technician logs in to the BIOS-based Intel ME (Management Engine) Configuration Screen and changes the default password (admin) to a strong password. This allows access to the Intel AMT Configuration Screen.
In the Intel AMT Configuration Screen, the following pre-provisioning information is entered:
The PPS is shared by the provisioning server and the managed device, but can't be transmitted on the network for security purposes. It needs to be entered manually on the device (at the Intel AMT Configuration Screen). PID/PPS pairs are generated by Management Suite and stored in the database. You can print a list of generated ID pairs for use in provisioning, or you can export the ID pairs to a key file on a USB drive.
The IT technician should enter the IP address of the Management Suite core server for the Provisioning Server and specify port 9971. Otherwise, by default, the Intel vPro device sends a general broadcast that can be received only if the configuration server is listening on port 9971.
The default username and password for accessing the Intel AMT Configuration Screen are "admin" and "admin". The username stays the same, but the password must be changed during the provisioning process to a strong password. The new password is entered in the Intel vPro general configuration dialog box, as described in the procedural steps below. After each device is configured you can change the password individually per device, but for provisioning purposes you use the password that is found in the general configuration dialog box.
After the above information is entered in the Intel AMT Configuration Screen, the device sends “hello” messages when it is first connected to the network, attempting to communicate with the provisioning server. If this message is received by the provisioning server, the provisioning process will begin as the server establishes a connection with the managed device.
When the core server receives the hello message and verifies the PID, it provisions the Intel vPro device to TLS mode. TLS (Transport Layer Security) mode establishes a secure channel of communications between the core server and the managed server while the provisioning is completed. This process includes creating a record in the database with the device’s UUID and encrypted credentials. When the device’s data is in the database, the device appears in the list of unmanaged devices.
When an Intel vPro device has been provisioned by the core server, it can be managed using only Intel vPro functionality. To do this, you can select it in the list of unmanaged devices and move it to the inventory database. You can also deploy management agents to the device to use additional management features.
The recommended process for provisioning Intel vPro devices is as follows. Specific instructions for items 1 and 2 are given in the following procedural steps. If you choose to provision devices with a key file on a USB drive, steps 3-5 below are replaced with the steps described in Importing and exporting key files using a USB drive.
The new password must be entered here before you can generate a batch of provisioning IDs.
The provisioning keys are stored in the database for future reference as you provision new Intel vPro devices. As the devices are provisioned and the provisioning keys are consumed, the Generate Intel vPro IDs page will display shading for the IDs that have been consumed, so you can track which IDs have been used.
A PID prefix is added for your convenience in identifying the IDs as PIDs, but you are not required to use a prefix. We recommend using 0-4 characters; you can use a maximum of 7 characters for the prefix.
To identify batches of provisioning keys, specify a batch name. This should be a descriptive name that indicates which devices the IDs apply to. For example, you could generate batches for each organization in your company and name the batches Development, Marketing, Finance, and so forth. If you later want to view the generated IDs, type the batch name and click View batch IDs to see a list with only those IDs.
If you enter a PID and PPS that are not paired correctly (that is, the PPS is paired with the wrong PID), you will see an error message in the alert log and provisioning will not continue with that device. You will need to restart the device and re-enter a correct PID/PPS pair in the Intel AMT Configuration Screen.
If the Intel AMT Configuration Screen displays an error message as you type a PID or PPS, you have mistyped the PID or PPS. A checksum is performed to ensure that the PID and PPS are correct.
You can generate provisioning IDs and export them to a key file for use in provisioning Intel vPro devices with a USB drive. The exported IDs are saved to a setup.bin file that you can copy to a USB drive. With that USB drive you can automatically populate the PID/PPS fields in the Intel AMT BIOS as you provision new Intel vPro devices, before you discover and manage them.
If a device manufacturer provides you with a set of provisioning IDs for the Intel vPro devices you have purchased, you can import those provisioning IDs into the core database so that the core server will recognize those devices as Intel vPro devices and discover them automatically.
These two processes are described below.
Management Suite generates provisioning IDs (PID/PPS pairs) that you use to provision new Intel vPro devices. You can print a list of the generated IDs and enter them manually when you provision each device. Alternatively, you can export the IDs to a setup.bin key file, save that file on a USB drive, and then use the USB drive to provision the devices. This can reduce errors in provisioning because you don’t need to type the IDs manually at each device.
The USB drive you use must be in FAT-16 format for this process to work.
The setup.bin file is created with a specific key file format defined by Intel. When you provision the new Intel vPro device, you connect the USB drive to the device and reboot it. During the boot process a pair of provisioning IDs (PID and PPS) is taken from the setup.bin file and entered into the device's Intel AMT BIOS. When the device sends its “hello” message on the network, the core server will recognize it and be able to communicate securely with it because the provisioning IDs are found in the core database.
NOTE: The IDs you generate are listed with other IDs you have generated on the Generate Intel vPro IDs page. IDs that have been consumed are shaded in the list to indicate that they are not available for provisioning other devices.
As the device boots, it accesses the setup.bin file and takes an available provisioning ID pair (PID and PPS) for use in the provisioning process. It then marks the provisioning ID pair as used so it will not be used by another device. The next device you provision will then take the next available provisioning ID pair.
Note that for this process to work correctly, the default username and password for accessing the Intel AMT BIOS must not have been changed (the default is typically admin/admin). You should not have already entered provisioning IDs on the device.
If a device manufacturer provides you with a set of provisioning IDs for the Intel vPro devices you have purchased, you can import those provisioning IDs into the core database so that the core server will recognize those devices as Intel vPro devices and discover them automatically. The manufacturer supplies these IDs in a setup.bin key file when you purchase the devices.
To import the IDs into the core database, browse to the location of the setup.bin file that the manufacturer provided (this can be on a CD or DVD, or you can copy the file to any drive). After these IDs are saved to the database, when you start up the Intel vPro devices and they send a “hello” message, the core server recognizes them and discovers the devices.
The provisioning IDs are added to the core database and are listed on the Generate Intel vPro IDs page.
Because Intel vPro devices have two components that are assigned an IP address—the Intel vPro chip and the device’s operating system—you can potentially have two entries in your list of discovered devices for the same Intel vPro device. This happens only if you want to use a static IP address rather than using DHCP.
To use static IP addresses with Intel vPro devices, the Intel vPro firmware should be configured with its own MAC address. (For instructions on how to re-install the firmware and configure it properly, contact Intel.)
Once configured, the Intel vPro device will have a different MAC address, IP address, and host name than the device OS. To be able to manage Intel vPro devices correctly, you need to use the following settings for DHCP and static IP addresses:
If an Intel vPro 2.x machine is provisioned in Enterprise mode, the only way to communicate with it is via the “hello” packet being sent to the setup and configuration server. After the machine is managed by LANDesk software, Intel vPro operations may be performed on it as usual. What you should not do is discover and manage the OS IP address: if you do, you will have two computer entries that represent the same computer. Because the only common identifier between the two devices is the AMT GUID, and because the AMT GUID can't be found remotely for the OS device, the two entries can't be merged.
If you want to install the LANDesk agents, you can't push the agents, because the only IP address in the database is the Intel vPro IP address, and the push utility needs access to the OS. Instead, the agents need to be pulled (from the managed Intel vPro device) by mapping a drive to the ldlogon share on the core server and running ServerConfig.exe.
Before pulling the agents, we recommend changing a setting in the Configure Services utility:
After you change this setting, when the Inventory scan from the managed Intel vPro device is imported into the database, the Inventory service matches the Intel AMT GUID from the device that’s already in the database with the OS information in the scan file.
This section describes the process for remote configuration of devices with Intel vPro 2.2/2.6 and later.
Remote configuration lets you configure a device in a factory default state through the setup process and then add an Intel AMT profile to make the device ready for out of band management. When the device is first powered on and connected to a network, it begins sending "hello" messages to the Setup and Configuration Server (when you manage devices with LANDesk products, the core server acts as the Setup and Configuration Server). If the Setup and Configuration Server is running, it establishes a secure connection with the Intel vPro device and begins the configuration process.
When this process is successful, the device is added to the list of discovered devices and can then be managed from the core server. Limited management is available with only the Intel vPro functionality, or a management agent can be deployed to the device for full management features.
Remote configuration has two requirements:
If an Intel vPro device is powered on but does not receive a response from the Setup and Configuration Server after a certain period of time (typically 6 to 12 hours, depending on the manufacturer's settings), it stops sending hello packets and waits. At this point Intel vPro functionality is not enabled on the device.
To provision a device in this state, you can install the standard LANDesk management agent on the device. When the agent determines that the device has Intel vPro capabilities it enables Intel vPro functionality on the device and sends a call to the Web service on the core server to receive the "hello" packet. The provisioning process is then initiated from the core server.
Intel vPro 3.0 and later devices support a bare-metal (or agentless) approach to remote configuration. With the Setup and Configuration Server correctly set up, a DNS entry, and the correct certificate installed on the core server, the configuration process is completed without the use of agents.
NOTE: If an Intel vPro device is powered on but does not begin sending "hello" messages as described above, remote configuration may not be enabled on the device. This is dependent on the manufacturer enabling remote configuration by setting Manageability Mode to "AMT" on the device. If this appears to be the case, you can deploy a LANDesk management agent to the device to enable the Intel vPro functionality and begin provisioning the device as described under "Delayed provisioning" above.
An Intel Client Setup Certificate is required on every Setup and Configuration Server. The certificate is valid for one namespace on one domain, so if your core server is used on multiple namespaces within a domain you need to purchase a certificate for each namespace.
The certificate must be purchased from an approved certificate vendor and must be a supported class. The following vendors are supported for LANDesk products on the following devices.
NOTE: Before you purchase a certificate, verify in the vendor's documentation or support information which certificates are supported on your device.
Vendor/Certificate class | Intel devices | Acer devices | Lenovo devices |
---|---|---|---|
Go Daddy class 2 CA | X | X | X |
VeriSign class 3 Primary CA-G3 | X | X | X |
VeriSign class 3 Primary CA-G1 | X | X | X |
Comodo AAA CA | X | X | |
Starfield class 2 CA | X | | |
When you purchase a certificate you need to provide a CSR (certificate signing request) file. This file is generated for your LANDesk product along with a private key file. After you receive the certificate files from the vendor, the private key file is saved in a directory with a shared public key file and the certificate file from the vendor. This procedure is described below.
AMTProvMgr2.exe -domainName name.domain.com -country [2-letter country code] -state [state name] -city [city name] -organization [organization name]
trusted_cert.pem
.corecacert.pem
.corecakey.pem
file (generated in step 2 above), to a folder in Ldmain\amtprov\certStore\cert_1. You can store up to eight certificates in subfolders named cert_1, cert_2, and so on.
When you run a device discovery scan, Intel AMT version 1.0 devices are discovered and added to the Intel vPro folder in the Unmanaged devices list. The devices are recognized as Intel AMT devices if they have been configured with a secure password that replaces the default set by the manufacturer.
When you add a secure password at the Intel AMT Configuration Screen, you can also enter the IP address of the provisioning server and specify port 9971, as is done with Intel vPro 2.x devices. However, no PID/PPS pairs are used in provisioning Intel AMT 1.0 devices. If you specify a provisioning server IP address, the core server acts as a provisioning server and you can manage the device as an agentless device.
Note that Intel AMT version 1.0 does not use the same level of security as vPro version 2.x. Intel recommends that devices with version 1.0 be configured on an isolated, secure network. After configuration is complete they can be moved to a less secure network for management.
A secure password is required to communicate with and to provision new Intel vPro devices. For devices that you will manage, the password you enter in the Intel AMT Configuration Screen (accessed in the device BIOS) should be the same as the password that you enter in the Intel vPro general configuration dialog box. That password is saved in the database and applied globally for provisioning Intel vPro devices.
Intel vPro requires the use of a strong password to enable secure communications. Passwords should meet these requirements:
After provisioning devices, you should regularly change passwords as part of your IT maintenance. You can use a different password for each Intel vPro device, or you can apply a new password to multiple devices. The new passwords you enter are stored in the database and used by Management Suite to communicate securely with managed Intel vPro devices.
Intel vPro (versions 2.0 and later) includes a System Defense feature, which enforces network security policies on managed devices. You can select and apply System Defense policies for managed devices.
When a System Defense policy is applied on an Intel vPro device, the device filters incoming and outgoing network packets according to the defined policies. When network traffic matches the alert conditions defined in a filter, an alert is generated and the device’s network access is blocked. The device is then isolated from the network until you complete the remediation steps for that policy.
LANDesk Management Suite contains predefined System Defense policies that you can apply to your Intel vPro devices. Each policy contains a set of filters that define what kind of network traffic is not allowed and what the resulting actions are when traffic meets the criteria of the filter.
When a System Defense policy is active on a managed device, the device monitors all incoming and outgoing network traffic. If a filter’s conditions are detected, the following occurs:
This process is described in more detail in the following sections.
Management Suite contains the following predefined System Defense policies that can be applied to Intel vPro devices. Policies are defined with parameters such as port number, packet type, and number of packets within a specific amount of time. When you enable a policy, it is registered with Intel vPro on the devices you have selected. Policies are saved as XML files on the managed device, in the CircuitBreakerConfig folder.
BlockFTPSrvr: This policy prevents traffic through an FTP port. When packets are sent or received on FTP port 21, the packets are dropped and network access is suspended.
LDCBKillNics: This policy blocks traffic on all network ports except for the following management ports:
Port description | Number range | Traffic direction | Protocol |
---|---|---|---|
LANDesk management | 9593-9595 | Send/receive | TCP, UDP |
Intel vPro management | 16992-16993 | Send/receive | TCP only |
DNS | 53 | Send/receive | UDP only |
DHCP | 67-68 | Send/receive | UDP only |
LDCBSYNFlood: This policy detects a SYN flood denial-of-service attack: it allows no more than 10,000 TCP packets with the SYN flag turned on, in one minute. When that number is exceeded, network access is suspended.
UDPFloodPolicy: This policy detects a UDP flood denial-of-service attack: it allows no more than 20,000 UDP packets per minute on ports numbered between 0 and 1023. When that number is exceeded, network access is suspended.
RemoveAllPolicy: Select this to remove all policies, unregistering them with Intel vPro on the selected devices.
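The predefined policies above can be read as a small packet-filter state machine. The following Python model is an added example, not LANDesk or Intel code: it applies the ports and thresholds listed above to constructed packet records, and the `Packet` record, the 60-second sliding window and the drop-everything-while-suspended behaviour are assumptions of the model.

```python
from collections import deque, namedtuple

# Constructed packet record for this model: time in seconds, protocol, port, SYN flag.
Packet = namedtuple("Packet", "ts proto port syn")

# Ports LDCBKillNics leaves open, copied from the table above.
KILLNICS_ALLOWED = [
    (9593, 9595, {"TCP", "UDP"}),  # LANDesk management
    (16992, 16993, {"TCP"}),       # Intel vPro management
    (53, 53, {"UDP"}),             # DNS
    (67, 68, {"UDP"}),             # DHCP
]


def killnics_allows(pkt):
    """True if the LDCBKillNics exception list lets this packet through."""
    return any(lo <= pkt.port <= hi and pkt.proto in protos
               for lo, hi, protos in KILLNICS_ALLOWED)


class RateFilter:
    """Counts matching packets in a sliding window (window type is an assumption)."""

    def __init__(self, limit, match, window=60.0):
        self.limit, self.match, self.window = limit, match, window
        self.seen = deque()

    def exceeded(self, pkt):
        if not self.match(pkt):
            return False
        self.seen.append(pkt.ts)
        # Forget packets that have aged out of the window.
        while self.seen and self.seen[0] <= pkt.ts - self.window:
            self.seen.popleft()
        return len(self.seen) > self.limit


class SystemDefenseModel:
    """Toy model of one managed device with a set of active policies."""

    def __init__(self, active):
        self.active = set(active)
        self.suspended_by = None  # policy that put the device in the remediation queue
        self.alerts = []          # (time, policy) pairs
        self.rate = {
            "LDCBSYNFlood": RateFilter(
                10_000, lambda p: p.proto == "TCP" and p.syn),
            "UDPFloodPolicy": RateFilter(
                20_000, lambda p: p.proto == "UDP" and 0 <= p.port <= 1023),
        }

    def _suspend(self, policy, pkt):
        self.suspended_by = policy
        self.alerts.append((pkt.ts, policy))

    def process(self, pkt):
        """Return 'pass' or 'drop' for one packet and update the suspension state."""
        if self.suspended_by:
            return "drop"  # model simplification: isolated until remediated
        if "BlockFTPSrvr" in self.active and pkt.port == 21:
            self._suspend("BlockFTPSrvr", pkt)
            return "drop"
        for name, flt in self.rate.items():
            if name in self.active and flt.exceeded(pkt):
                self._suspend(name, pkt)
                return "drop"
        if "LDCBKillNics" in self.active and not killnics_allows(pkt):
            return "drop"
        return "pass"

    def remediate(self):
        """Operator removed the device from the remediation queue."""
        self.suspended_by = None
        for flt in self.rate.values():
            flt.seen.clear()


def syn_burst(count, seconds):
    """Constructed sample input: `count` SYN packets to port 80, evenly spaced."""
    return [Packet(i * seconds / count, "TCP", 80, True) for i in range(count)]


if __name__ == "__main__":
    dev = SystemDefenseModel({"LDCBSYNFlood"})
    verdicts = [dev.process(p) for p in syn_burst(10_001, 50)]
    print(verdicts.count("pass"), "passed; suspended by", dev.suspended_by)
    print("alerts:", dev.alerts)
```

The same number of SYN packets spread over two minutes never trips the filter in this model, which is the difference between a rate threshold and a plain packet count.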
For devices equipped with Intel vPro 3.0 or later, you can enable Enhanced System Defense. This feature prevents malicious software attacks by continuously inspecting network traffic and evaluating it with enhanced heuristic filtering rules. It identifies and blocks suspicious behavior such as repeated actions generated by worms.
When suspicious behavior is detected, the device causing the problem is isolated from further network communication except for a remediation port, through which Management Suite can reinstate the System Defense policy and restore a network connection after the problem has been resolved.
If a device’s network access is suspended because of a System Defense policy, the device is listed in the remediation queue. It remains there until you remove it from the list, which reinstates the active policy on that device. Before you do that, you need to resolve the issue that placed the device in the queue. For example, if FTP traffic was detected, you need to verify that appropriate actions are taken to prevent further FTP traffic on the device.
To remediate devices with Enhanced System Defense, click Configure > Intel vPro options > Enhanced System Defense Remediation in step 1 above.
Intel vPro (release 2.0 and later) includes an Agent Presence tool that can monitor the presence of software agents on managed devices. You can enable Agent Presence monitoring to ensure that management agents on your devices are continually running, and you can be alerted when an agent stops even if other, software-based, agents can't detect the problem.
LANDesk Management Suite uses Intel vPro Agent Presence to monitor two agents: the standard management agent and the monitoring service. It is useful in situations where normal monitoring communications are not available. For example, a device’s communication layer may not be functioning or the monitoring agent itself may have stopped running. By default, Agent Presence also monitors its own monitoring process so you are alerted if it has stopped running.
Agent Presence monitoring is done by configuring a timer that listens for “heartbeat” messages from management agents on the device, to verify that the agents are running. If a timer expires because it has not received a heartbeat message, Intel vPro sends an alert to the core server.
When you set up Agent Presence configuration, the agent on the device registers with Intel vPro to send the heartbeats directly to Intel vPro; if the heartbeats stop, Intel vPro can then alert the core server through out-of-band communication that the device agent is not responding. Intel vPro sends a platform event trap (PET) alert to the core server with a description of the changed state. By default, this alert is logged with device health. You can configure other alert actions to be initiated when this alert is received (for information about configuring alert actions, see Configuring alert rulesets).
When you configure Agent Presence monitoring, you can enable or disable monitoring for two agents and set the following values:
Heartbeat: The maximum amount of time (in seconds) that can pass between heartbeat signals. If this time limit is exceeded without a new heartbeat being received, the agent is considered to be not responding. The default value is 120 seconds for the standard management agent and 180 seconds for the monitoring service; the minimum value for both is 30 seconds.
Startup time: The maximum amount of time (in seconds) that can pass after the operating system starts before a heartbeat must be received from the agent. If this time limit is exceeded the agent is considered to be not responding. Agent Presence is configured on Intel vPro when the agent is installed, so this should allow for enough time for the agent to start running and send its first heartbeat. The default value is 360 seconds; the minimum value is 30 seconds.
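How the two timers interact is easiest to see on a timeline. This added Python example (not LANDesk or Intel code) computes when an Agent Presence timer would run out for a constructed list of heartbeat times; the class and function names are hypothetical, and re-arming the timer on the next heartbeat after an expiry is an assumption.

```python
from dataclasses import dataclass

MIN_SECONDS = 30  # minimum for both values, per the text above


@dataclass(frozen=True)
class WatchdogConfig:
    heartbeat: int = 120  # maximum seconds between heartbeats
    startup: int = 360    # maximum seconds from OS start to the first heartbeat

    def __post_init__(self):
        for name in ("heartbeat", "startup"):
            if getattr(self, name) < MIN_SECONDS:
                raise ValueError(f"{name} must be at least {MIN_SECONDS} seconds")


# Default heartbeat values from the text; startup defaults to 360 s for both.
DEFAULTS = {
    "standard management agent": WatchdogConfig(heartbeat=120),
    "monitoring service": WatchdogConfig(heartbeat=180),
}


def expiries(cfg, os_start, heartbeats, until):
    """Times between os_start and until at which the timer runs out."""
    alerts = []
    deadline = os_start + cfg.startup      # startup grace period
    for hb in sorted(h for h in heartbeats if os_start <= h <= until):
        if hb > deadline:                  # limit was exceeded before this heartbeat
            alerts.append(deadline)
        deadline = hb + cfg.heartbeat      # assumption: each heartbeat re-arms the timer
    if until > deadline:                   # silence lasted past the last deadline
        alerts.append(deadline)
    return alerts


def evaluate(os_start, beats_by_agent, until, configs=DEFAULTS):
    """Run every monitored agent's heartbeat list against its configuration."""
    return {agent: expiries(cfg, os_start, beats_by_agent.get(agent, []), until)
            for agent, cfg in configs.items()}


# Constructed timeline: heartbeat times in seconds after OS start.
SAMPLE = {
    "standard management agent": [300, 400, 520, 700],
    "monitoring service": [300, 400, 520, 700],
}

if __name__ == "__main__":
    for agent, times in evaluate(0, SAMPLE, until=1000).items():
        print(agent, "timer expired at", times)
```

With identical heartbeats, the 120-second agent expires twice while the 180-second service expires once, so the heartbeat value directly sets how much agent downtime goes unreported.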
Intel vPro devices (version 2.5 and later) with wireless capabilities can be managed out-of-band via a wireless LAN connection when they are powered on and the wireless interface is active. If a notebook is in sleep mode, it can be managed out-of-band only if it is connected to a wired LAN and to AC power.
When the notebook is powered up, the Intel Active Management Technology (Intel AMT) chip on the notebook communicates with the wireless LAN driver. If Intel AMT finds a matching profile, the driver will route traffic addressed to the Intel AMT device. Even if there is a problem with the driver, Intel AMT can receive out-of-band management traffic from the wireless network interface.
For wireless management, an Intel vPro 2.5 notebook needs to have a wireless profile correctly configured by the network administrator so that Intel AMT communication with the notebook is secure. For Intel vPro 2.6 and later notebooks, the wireless profile is not required for most management features, but is required to use serial-over-LAN (SOL) and IDE-redirection (IDE-R) functionality.
IMPORTANT: For Intel AMT to work with a wireless LAN connection, it must share IP addresses with the notebook. To do this, Intel AMT must be configured to use DHCP and there must be a DHCP server available to allocate IP addresses. If Intel AMT is configured to use static IP addresses, wireless connectivity will be disabled.
LANDesk Management Suite lets you define a wireless profile for Intel Centrino Pro notebooks so you can manage them out of band as described above. When you define a profile you can then deploy it to one or more devices.
NOTE: When a notebook has been discovered and provisioned while connected to a wired network, it can be managed through the wired network immediately. However, when the notebook switches to a wireless connection there can be a delay before Intel vPro management is enabled for the notebook. This is due to a change in how the computer name is resolved in DNS on the network. The wireless IP address for the notebook is different than the IP address on the wired network, so there is a delay before the new IP address for the notebook matches the computer name.
After an Intel vPro device has been added to the core database to be managed, it can be managed in limited ways even if the device does not have a LANDesk agent installed. (For information on discovering devices and adding them to the core database, see Discovering Intel AMT devices.)
The following table lists the management options available for a device that has Intel vPro only compared with a device that has Intel vPro and a Management Suite management agent installed.
Feature | Intel vPro only | Intel vPro and agent | Agent only |
---|---|---|---|
Inventory summary | summary | X | X |
Event log | X | X | X |
Remote boot manager | X | X | |
Inventory history | | X | X |
Remote control | | X | X |
Chat | | X | X |
File transfer | | X | X |
Remote execute | | X | X |
Wake up | | X | X |
Shut down | | X | X |
Reboot | | X | X |
Inventory scan | | X | X |
Scheduled tasks and policies | limited | X | X |
Group options | | X | X |
Run inventory report | | X | X |
Intel vPro alerting | | X | X |
Network Environment Detection | X | X | |
Client-Initiated Remote Access | X | X | |
The summary shows general information about the device, such as device name and IP address, as well as information specific to the Intel AMT chip and the Intel vPro device hardware, such as AMT version number, BIOS, manufacturer, and serial number.
When you provision an Intel vPro device in Enterprise mode, the core server installs a certificate on the device for secure communication. If the device is to be managed by another core server, it must be unprovisioned and then re-provisioned by the new core server. If not, the device's Intel vPro access will not respond because the new core server does not have a matching certificate. Similarly, if any other computer attempts to access the Intel vPro functionality on the device, it will not succeed because it does not have a matching certificate.
Management Suite provides a view of the event log that Intel vPro devices generate. The settings determine what events are captured in this log. You can view the date/time of the event, the source of the event (Entity column), a description, and the severity as determined by the Intel vPro settings (Critical or Non-Critical). You can also export the log data in comma-separated value (CSV) format.
Management Suite includes options to power Intel vPro devices on and off. These options can be used even when a device's operating system is not responding, as long as the device is connected to the network and has standby power.
When Management Suite initiates power option commands, in some cases it is not possible to verify that the commands are supported on the hardware receiving the command. Some devices with Intel vPro may not support all power option features (for example, a device may support IDE-R reboot from CD but not from a floppy). Consult the hardware vendor's documentation if it appears that a power option is not working with a particular device. You may also check for any firmware or BIOS upgrades from Intel for the device if power options do not work as expected.
For Intel vPro devices, when you issue a power-on command, Management Suite will first send an Intel vPro wake up command. If that command is not successful, it will then send a normal Wake on LAN command to the device.
You can simply turn on or off the device's power, or you can reboot and specify how the device is rebooted. The options are described in the table below.
Option | Description |
---|---|
Power off | Shuts down the power on the device |
Power on | Turns on the power on the device |
Reboot | Cycles the power off and on again on the device |
Normal boot | Starts up the device using whatever boot sequence is set as the default on the device |
Boot from local hard drive | Forces a boot from the device's hard drive regardless of the default boot mode on the device |
Boot from local CD/DVD drive | Forces a boot from the device's CD or DVD drive regardless of the default boot mode on the device |
PXE boot | When restarted, the PXE-enabled device searches for a PXE server on the network; if found, a PXE boot session is initiated on the device |
IDE-R boot | Reboots the device using the IDE redirection option selected (see below) |
Enter BIOS setup on power on | When the device is booted, it allows the user to enter the BIOS setup |
Show console redirection window | When the device is booted, it starts in serial over LAN mode to display a console redirection window |
IDE redirection: Reboot from floppy | When the device is booted, it starts from the floppy disk drive that is specified |
IDE redirection: Reboot from CD/DVD | When the device is booted, it starts from the CD drive that is specified |
IDE redirection: Reboot from specified image file | When the device is booted, it starts from the image file that is specified (floppy image files must be in .img format, and CD image files must be in .iso format; see note below) |
When using IDE redirection options, floppy image files must be in .img format and CD image files must be in .iso format. Some BIOSes may require the CD image to be located on a hard drive.
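A pre-flight check for the image-file requirement above, as an added example that is not part of Management Suite: it confirms that a file offered for IDE-R boot really is an ISO 9660 or raw floppy image and, optionally, that it matches a known SHA-256 digest. The function names, the accepted floppy sizes, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

ISO_DESC_OFFSET = 16 * 2048  # ISO 9660 volume descriptors start at sector 16
# Assumption: accept the common raw floppy sizes (720 KB, 1.44 MB, 2.88 MB).
FLOPPY_SIZES = {737280, 1474560, 2949120}

def check_ider_image(path, expected_sha256=None):
    """Return (ok, reason) for a file about to be offered as an IDE-R boot image."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        if ext == ".iso":
            f.seek(ISO_DESC_OFFSET)
            if f.read(6)[1:6] != b"CD001":  # standard identifier after the type byte
                return False, "no ISO 9660 volume descriptor"
        elif ext == ".img":
            if os.path.getsize(path) not in FLOPPY_SIZES:
                return False, "not a raw floppy image size"
            f.seek(510)
            if f.read(2) != b"\x55\xaa":  # boot sector signature
                return False, "boot sector signature missing"
        else:
            return False, "extension must be .img or .iso"
        if expected_sha256 is not None:
            # Hash the whole file in 1 MiB chunks and compare with the known digest.
            f.seek(0)
            digest = hashlib.sha256()
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
            if digest.hexdigest() != expected_sha256.lower():
                return False, "SHA-256 mismatch"
    return True, "ok"

def write_sample(path, kind):
    """Write a constructed, minimal image ('iso' or 'floppy'); return its SHA-256."""
    iso = bytes(ISO_DESC_OFFSET) + b"\x01CD001\x01" + bytes(2041)
    floppy = bytes(510) + b"\x55\xaa" + bytes(1474560 - 512)
    data = iso if kind == "iso" else floppy
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "rescue.iso")
        print(check_ider_image(iso, write_sample(iso, "iso")))
        renamed = os.path.join(d, "rescue.img")  # ISO content, wrong extension
        write_sample(renamed, "iso")
        print(check_ider_image(renamed))
```

Recording the digest when an image is built and passing it here catches a file that was swapped or truncated on the share before it is redirected to a device.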
Intel vPro normally remembers the last IDE-R settings, but Management Suite clears the settings after 45 seconds, so on subsequent boots it will not restart the IDE-R feature. The IDE-R session on an Intel vPro device lasts 6 hours or until the Management Suite console is turned off. Any IDE-R operation still in progress after 6 hours will be terminated.
NOTE: In some situations, an IDE-R boot process may appear to time out on the serial-over-LAN (SOL) console when the boot process is actually still in progress. If the boot image takes too long to initialize and send data to the SOL console, the SOL console will stop communicating and keyboard connectivity is lost. This occurs when the media used for booting has a slow response time and takes longer than 60 seconds to initialize (which is the longest timeout value allowed). If you experience this problem when booting with a floppy disk or other media, we recommend that you boot from a boot image (.img) file rather than from removable media.
Intel vPro devices (version 4.0 and later) can be managed remotely from a LANDesk Management Suite console. When an Intel vPro device is outside the network on which the Management Suite console is located, communication to the core server—through the network’s firewall and DMZ—is enabled by the remote access functionality.
Remote access for Intel vPro devices enables communication between a management console inside a secure network and Intel vPro devices located outside the network. This communication is through a TLS tunnel that connects the device outside the network with a server (called the Intel vPro Gateway Server) that is typically located in the network’s DMZ. Communications to the Intel vPro Gateway Server are in turn sent to the Management Suite core server by secure HTTP connections, using trusted root and server certificates.
For a managed device to use remote access, it must have a remote access policy applied in its firmware. It must also have two certificates, a trusted root certificate and a client certificate, that match the Management Suite core server certificates. (These are the same certificates that are used in LANDesk products.) Remote access features let you create a remote access policy and apply it to the firmware of the managed devices.
When you have configured the device and set up the Intel vPro Gateway Server, remote sessions from the managed device are opened on a regular schedule that you specify (typically once a day). When a remote session is initiated, the device is listed in the Open Session list in the Intel vPro Remote Access Configuration dialog box. In addition, the client status page in Management Suite indicates that the session is open.
NOTE: While remote access was being developed, it was named Client-Initiated Remote Access, or CIRA. If you see references to CIRA, they refer to Remote Access. The Intel vPro Gateway Server was formerly named the Management Presence Server (MPS), so you may see references to MPS that are related to the Gateway Server. In addition, Intel documentation may refer to Fast Call for Help, which is the remote access option initiated by the client device.
You can enable remote access by using a server in your network to act as an Intel Gateway Server. This requires the following two general tasks:
Documentation for setting up remote access is located on your core server, in the \Programs Files\LANDesk\Management Suite\Install\vpro\remoteaccess folder. (This is the folder where the executable file is found.)