Skip to content

Create a Profile with ACM

Admin Control Mode (ACM) provides full access to IntelĀ® Active Management Technology (IntelĀ® AMT) functionality. No user consent is required.

assets/images/Profiles.png

Figure 1: Set up configuration and profiles for N number of clients.

What You'll Need

Provisioning Certificate

By purchasing a certificate, you'll be able to remotely activate an Intel AMT device in ACM. This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities:

DNS Suffix

The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example:

Example

DNS Name: cb-vending1.burgerbusiness.com

In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com.

To set the DNS suffix:

  1. Manually set it using MEBX on the managed device. Find instructions here

  2. Alternately, change the DHCP Option 15 to DNS Suffix within the Router settings.

To find the the DNS suffix, use the following command: 

ifconfig

ipconfig /all


Create a Profile

Profiles provide configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client (RPC).

Production Environment

In a production environment, devices are typically activated in ACM mode. ACM mode enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not have immediate access to it or employees nearby. ACM mode proves immensely helpful in these scenarios.

To create an ACM profile:

  1. Select the Profiles tab from the menu on the left.

  2. Under the Profiles tab, click New in the top-right corner to create a profile.

  3. Specify a Profile Name of your choice.

  4. Under Activation, select Admin Control Mode from the dropdown menu.

  5. Leave Generate Random AMT Password unchecked.

    Production Environment

    In a production environment, you typically generate a random password for each AMT device to create a stronger, more secure AMT environment.

  6. Provide a strong AMT Password.

    Important

    This password must meet standard, strong password requirements:

    • 8 to 32 characters

    • One uppercase, one lowercase, one numerical digit, one special character

  7. Leave Generate Random MEBX Password unchecked.

  8. Provide a strong MEBX Password.

  9. Select DHCP as Network Configuration.

  10. Select the name of the CIRA Configuration you created previously from the drop-down menu.

  11. Click Create.

Example

Example ACM Profile: RPS ACM Profile

Figure 2: Create an ACM AMT profile.

Create a Domain Profile

In addition to a CIRA Config and an ACM AMT Profile, ACM requires the creation of a Domain profile.

Intel AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority.

To create a domain:

  1. Select the Domains tab from the left-hand menu.

  2. In the top-right corner, click New.

    RPS New Domain

    Figure 3: Create Domain.

  3. Specify a Domain Name of your choice.

  4. Provide your Domain Suffix. This is the actual DNS Suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX.

  5. Click Browse and select your purchased Provisioning Certificate. This certificate must contain the private key.

  6. Provide the Password of the Provisioning Certificate used to encrypt the .pfx file.

  7. Click Create.

    Example

    Example Domain:

    RPS Domain Creation Figure 4: Add Provisioning Certificate.

Next Up

Build & Run RPC