Create a Profile with ACM
Intel® AMT devices are capable of being activated into two modes:
- Admin Control Mode (ACM): In this mode, there are no limitations to Intel AMT functionality. This reflects the higher level of trust associated with these setup methods. No user consent is required.
- Client Control Mode (CCM): This mode limits some of Intel AMT functionality, reflecting the lower level of trust.
Features requiring User Consent:
- Keyboard, Video, Mouse (KVM) Control
- IDE-Redirection for sharing and mounting images remotely
Figure 1: Set up configuration and profiles for N number of clients.
What You'll Need
Provisioning Certificate
By purchasing a certificate, you'll be able to remotely activate an Intel AMT device in ACM. This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities:
DNS Suffix
The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example:
Example
DNS Name: cb-vending1.burgerbusiness.com
In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com.
To set the DNS suffix:
- Manually set it in MEBX on the managed device. Find instructions here
- Alternatively, set DHCP Option 15 to the DNS suffix in the router settings.
To find the DNS suffix, use the following command:
- Windows: ipconfig /all
- Linux: ifconfig
Create a Profile
Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client (RPC).
Production Environment
In a production environment, devices are typically activated in ACM. ACM enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not be immediately accessible or have employees nearby. ACM proves immensely helpful in these scenarios.
To create an ACM profile:
- Select the Profiles tab from the menu on the left.
- Under the Profiles tab, click New in the top-right corner to create a profile.
- Specify a Profile Name of your choice.
- Uncheck Generate Random Password.
  Production Environment
  In a production environment, you typically generate a random password for each AMT device to create a stronger, more secure AMT environment.
- Provide a strong AMT Password.
  Important
  This password must meet standard, strong password requirements:
  - 8 to 32 characters
  - One uppercase, one lowercase, one numerical digit, one special character
- Select the name of the CIRA Configuration you created previously from the drop-down menu.
- Under Activation, select Admin Control Mode from the dropdown menu.
- Click Create.
Figure 2: Create an ACM AMT profile.
Create a Domain Profile
In addition to a CIRA Config and an ACM AMT Profile, ACM requires the creation of a Domain profile.
Intel AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority.
To create a domain:
- Select the Domains tab from the left-hand menu.
- In the top-right corner, click New.
  Figure 3: Create Domain.
- Specify a Domain Name of your choice.
- Provide your Domain Suffix. This is the actual DNS Suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX.
- Click Browse and select your purchased Provisioning Certificate. This certificate must contain the private key.
- Provide the Password of the Provisioning Certificate used to encrypt the .pfx file.
- Click Create.
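
The Domain Suffix entered above has to be the suffix the device's network actually hands out. As an added example (not part of the original page), this Python script parses `ipconfig /all` output and compares each adapter's connection-specific DNS suffix with the Domain Suffix value. The sample output, the `guest.example` suffix and the function names are constructed for illustration, and the case-insensitive exact comparison is this example's assumption.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real device).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : cb-vending1
   DNS Suffix Search List. . . . . . : burgerbusiness.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : burgerbusiness.com

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : guest.example
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
SUFFIX_RE = re.compile(r"^\s+Connection-specific DNS Suffix[ .]*:\s*(\S*)\s*$")

def normalize(suffix):
    """Lower-case and strip leading/trailing dots so '.Example.COM.' == 'example.com'."""
    return suffix.strip().strip(".").lower()

def adapter_suffixes(ipconfig_text):
    """Map each adapter heading to its connection-specific DNS suffix ('' if unset)."""
    suffixes, adapter = {}, None
    for line in ipconfig_text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            adapter = heading.group(1)
            continue
        found = SUFFIX_RE.match(line)
        if found and adapter is not None:
            suffixes[adapter] = normalize(found.group(1))
    return suffixes

def check_domain_suffix(ipconfig_text, domain_suffix):
    """Return {adapter: True/False}; assumption: exact, case-insensitive match."""
    wanted = normalize(domain_suffix)
    return {name: bool(s) and s == wanted
            for name, s in adapter_suffixes(ipconfig_text).items()}

if __name__ == "__main__":
    for name, ok in check_domain_suffix(SAMPLE_IPCONFIG, "burgerbusiness.com").items():
        print(f"{name}: {'matches' if ok else 'MISMATCH'}")
```

An adapter reported as a mismatch is on a network whose DHCP Option 15 value differs from the Domain Suffix in the domain profile.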