Management Suite supports devices using Intel vPro technology, a hardware and firmware technology that enables remote device management and security. Intel vPro uses out-of-band (OOB) communication for access to devices regardless of the state of the operating system or power to the device.
In this product, the term "Intel vPro" refers to technologies provided on desktop and mobile computers with Intel vPro support. This product also supports devices with earlier versions of Intel Active Management Technology (Intel AMT). The process for provisioning devices with different versions of Intel vPro varies according to the version numbers. The information in this section applies to all versions except as noted.
The following table lists Intel vPro features supported in this product in different versions of Intel vPro.
| Feature | Intel AMT 1.0 | Intel vPro 2.0/2.1/2.2 | Intel vPro 2.5/2.6 | Intel vPro 3.0 | Intel vPro 4.0 | Intel vPro 5.0 | Intel vPro 6.0 |
|---|---|---|---|---|---|---|---|
| Provision devices | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| System Defense | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Enhanced System Defense | No | No | No | Yes | Yes | Yes | Yes |
| Agent Presence | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Wireless profile & device management | No | No | Yes* | No | Yes | Yes | |
| Serial-over-LAN & IDE redirection | Yes | Yes |
LAN connection: Yes Wireless mode: Yes, if wireless profile exists |
Yes | Yes | Yes | Yes |
| Remote configuration (zero touch provisioning) | No |
2.0/2.1: No 2.2: agent-based only |
2.5: No 2.6: agent-based only |
Yes | Yes | Yes | Yes |
| Network Environment Detection | No | No | No | Yes | Yes | Yes | Yes |
| Client-Initiated Remote Access | No | No | No | Yes | Yes | Yes | Yes |
*A wireless profile is required for wireless management of Intel Centrino 2.5 notebooks. For Intel Centrino 2.6 notebooks, a wireless profile is required only to use Serial-over-LAN and IDE redirection features; other wireless management features can be used whether or not a wireless profile exists on the notebook.
LANDesk Management Suite includes the following features for managing Intel vPro devices:
When devices are configured with Intel vPro, a limited number of management features are available even if the device does not have a LANDesk agent installed. As long as devices are connected to the network and have standby power, they can be discovered and can be added to the database to be managed with other devices on the network.
If a device has Intel vPro but no management agent installed, it can be discovered, added to the inventory database, and viewed in the My devices list. Management features that are available for Intel vPro-configured devices include:
Other Management Suite management options are available only when a management agent is installed on the device. For more information about management options, see Managing Intel vPro devices.
Devices can be discovered as Intel AMT 1.0 devices only after you have accessed the Intel AMT Configuration Screen on the device's BIOS and changed the manufacturer's default password to a secure password (refer to the manufacturer's documentation for information on accessing the Intel AMT Configuration Screen). If you haven't done this, the devices will be discovered but not identified as Intel AMT devices, and you won't be able to view the same inventory summary information as you otherwise would.
In order for the core server to authenticate with discovered Intel AMT devices, the username/password credentials you enter in the device BIOS must match the credentials that you enter in the Intel vPro general configuration dialog.
When an Intel AMT device is added to the core database to be managed, Management Suite automatically provisions it, regardless of whether it has already been provisioned. Small business mode provides basic management without network infrastructure services and is non-secure, while Enterprise mode is designed for large enterprises and uses DHCP, DNS, and a TLS certificate authority service to ensure secure communication between the managed device and the core server.
When you provision an Intel AMT device in Enterprise mode, the core server installs a certificate on the device for secure communication. If another computer attempts to access the Intel AMT functionality on the device, it will not succeed because it does not have a matching certificate.
After an Intel vPro device has been added to the core database to be managed, it can be managed in limited ways even if the device does not have a LANDesk agent installed. (See Discovering Intel AMT devices for information on discovering devices and adding them to the core database).
The following table lists the management options available for a device that has Intel vPro only compared with a device that has Intel vPro and a Management Suite management agent installed.
| Intel vPro only | Intel vPro and agent | Agent only | |
|---|---|---|---|
|
Inventory summary |
summary |
X |
X |
|
Event log |
X |
X |
X |
|
Remote boot manager |
X |
X |
|
|
Inventory history |
X |
X |
|
|
Remote control |
X |
X |
|
|
Chat |
X |
X |
|
|
File transfer |
X |
X |
|
|
Remote execute |
X |
X |
|
|
Wake up |
X |
X |
|
|
Shut down |
X |
X |
|
|
Reboot |
X |
X |
|
|
Inventory scan |
X |
X |
|
|
Scheduled tasks and policies |
limited |
X |
X |
|
Group options |
X |
X |
|
|
Run inventory report |
X |
X |
|
|
Intel vPro alerting |
X |
X |
|
|
Network Environment Detection |
X |
X |
|
|
Client-Initiated Remote Access |
X |
X |
In the All devices list, right-click an Intel vPro device and select Intel vPro options > Intel vPro summary.
The summary shows general information about the device, such as device name and IP address, as well as information specific to the Intel AMT chip and the Intel vPro device hardware, such as AMT version number, BIOS, manufacturer, and serial number.
When you provision an Intel vPro device in Enterprise mode, the core server installs a certificate on the device for secure communication. If the device is to be managed by another core server, it must be unprovisioned and then re-provisioned by the new core server. If not, the device's Intel vPro access will not respond because the new core server does not have a matching certificate. Similarly, if any other computer attempts to access the Intel vPro functionality on the device, it will not succeed because it does not have a matching certificate.
Management Suite provides a view of the event log that Intel vPro devices generate. The settings determine what events are captured in this log. You can view the date/time of the event, the source of the event (Entity column), a description, and the severity as determined by the Intel vPro settings (Critical or Non-Critical). You can also export the log data in comma-separated value (CSV format).
Management Suite includes options to power on and off Intel vPro devices. These options can be used even when a device's operating system is not responding, as long as the device is connected to the network and has standby power.
When Management Suite initiates power option commands, in some cases it is not possible to verify that the commands are supported on the hardware receiving the command. Some devices with Intel vPro may not support all power option features (for example, a device may support IDE-R reboot from CD but not from a floppy). Consult the hardware vendor's documentation if it appears that a power option is not working with a particular device. You may also check for any firmware or BIOS upgrades from Intel for the device if power options do not work as expected.
For Intel vPro devices, when you issue a power-on command, Management Suite will first send an Intel vPro wake up command. If that command is not successful, it will then send a normal Wake on LAN command to the device.
You can simply turn on or off the device's power, or you can reboot and specify how the device is rebooted. The options are described in the table below.
|
Power off |
Shuts down the power on the device |
|
Power on |
Turns on the power on the device |
|
Reboot |
Cycles the power off and on again on the device |
|
Normal boot |
Starts up the device using whatever boot sequence is set as the default on the device |
|
Boot from local hard drive |
Forces a boot from the device's hard drive regardless of the default boot mode on the device |
|
Boot from local CD/DVD drive |
Forces a boot from the device's CD or DVD drive regardless of the default boot mode on the device |
|
PXE boot |
When restarted, the PXE-enabled device searches for a PXE server on the network; if found, a PXE boot session is initiated on the device |
|
IDE-R boot |
Reboots the device using the IDE redirection option selected (see below) |
|
Enter BIOS setup on power on |
When the device is booted, it allows the user to enter the BIOS setup |
|
Show console redirection window |
When the device is booted, it starts in serial over LAN mode to display a console redirection window |
|
IDE redirection: Reboot from floppy |
When the device is booted, it starts from the floppy disk drive that is specified |
|
IDE redirection: Reboot from CD/DVD |
When the device is booted, it starts from the CD drive that is specified |
|
IDE redirection: Reboot from specified image file |
When the device is booted, it starts from the image file that is specified (floppy image files must be in .img format, and CD image files must be in .iso format; see note below) |
When using IDE redirection options, floppy image files must be in .img format and CD image files must be in .iso format. Some BIOSes may require the CD image to be located on a hard drive.
Intel vPro normally remembers the last IDE-R settings, but Management Suite clears the settings after 45 seconds, so on subsequent boots it will not restart the IDE-R feature. The IDE-R session on an Intel vPro device lasts 6 hours or until the Management Suite console is turned off. Any IDE-R operation still in progress after 6 hours will be terminated.
NOTE: In some situations, an IDE-R boot process may appear to time out on the serial-over-LAN (SOL) console, when the boot process is actually still in process. If the boot image takes too long to initialize and send data to the SOL console, the SOL console will stop communicating and keyboard connectivity is lost. This occurs when the media used for booting has a slow response time and takes longer than 60 seconds to initialize (which is the longest timeout value allowed). If you experience this problem when booting with a floppy disk or other media, we recommend that you boot from a boot image (.img) file rather than from a removable media.
Intel vPro devices (version 4.0 and later) can be managed remotely from a LANDesk Management Suite console. When an Intel vPro device is outside the network on which the Management Suite console is located, communication to the core server—through the network’s firewall and DMZ—is enabled by the remote access functionality.
Remote access for Intel vPro devices enables communication between a management console inside a secure network and Intel vPro devices located outside the network. This communication is through a TLS tunnel that connects the device outside the network with a server (called the Intel vPro Gateway Server) that is typically located in the network’s DMZ. Communications to the Intel vPro Gateway Server are in turn sent to the Management Suite core server by secure HTTP connections, using trusted root and server certificates.
For a managed device to use remote access, it must have a remote access policy applied in its firmware. It must also have two certificates, a trusted root certificate and a client certificate, that match the Management Suite core server certificates. (These are the same certificates that are used in LANDesk products.) Remote access features let you create a remote access policy and apply it to the firmware of the managed devices.
When you have configured the device and set up the Intel vPro Gateway Server, remote sessions from the managed device are opened on a regular schedule that you specify (typically once a day). When a remote session is initiated, the device is listed in the Open Session list in the Intel vPro Remote Access Configuration dialog box. In addition, the client status page in Management Suite indicates that the session is open.
NOTE: Note that as remote access was being developed, it was named Client-Initiated Remote Access, or CIRA. If you see references to CIRA, they refer to Remote Access. The Intel vPro Gateway Server was formerly named the Management Presence Server (MPS), so you may see references to MPS that are related to the Gateway Server. In addition, Intel documentation may refer to Fast Call for Help, which is the remote access option initiated by the client device.
You can enable remote access by using a server in your network to act as an Intel Gateway Server. This requires the following two general tasks:
Documentation for setting up remote access is located on your core server, in the \Programs Files\LANDesk\Management Suite\Install\vpro\remoteaccess folder. (This is the folder where the executable file is found.)