Create a Profile with ACM
Admin Control Mode (ACM) provides full access to Intel® Active Management Technology (Intel® AMT) functionality. User consent is optional for supported redirection features:
- Keyboard, Video, Mouse (KVM): Control multiple devices with one keyboard, monitor, and mouse.
- Serial-over-LAN (SOL): Manage devices with a command line interface (CLI) through SOL.
- IDE Redirection: Share and mount images remotely with a specified storage media (e.g., USB flash drive).
Important - IDE Redirection
While AMT supports this feature, the toolkit doesn't natively support it.
What You'll Need
Provisioning Certificate
By purchasing a certificate, you'll be able to remotely activate an Intel® AMT device in ACM. This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities. Find more information about Provisioning Certificates.
Important - Intel AMT and using CAs
For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel® AMT.
DNS Suffix
The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example:
Example - DNS
DNS Name: cb-vending1.burgerbusiness.com
In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com.
**To set the DNS suffix:**
- Manually set it using MEBX on the managed device. Find instructions here.
- Alternatively, set DHCP Option 15 to the DNS suffix in the router settings.
**To find the DNS suffix, use the following command:**
- Linux: ifconfig
- Windows: ipconfig /all
Create a Profile
A Profile provides configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client (RPC).
Important - Production Environment
In a production environment, devices are typically activated in ACM. ACM enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not be immediately accessible or have employees nearby. ACM proves immensely helpful in these scenarios.
Note - More Information about Passwords
Passwords
Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview.
To create an ACM profile:
- Select the Profiles tab from the menu on the left.
- Under the Profiles tab, click Add New in the top-right corner to create a profile.
- Specify a Profile Name of your choice.
- Under Activation, select Admin Control Mode from the dropdown menu.
- Enable desired redirection features for the profile under AMT Features - Enable/Disable features.
- Choose the level of User Consent. By default for ACM, None is selected. This will disable all User Consent for ACM.
- Provide or generate a strong AMT Password. AMT will verify this password when receiving a command from an MPS server. This password is also required for device deactivation.
  Warning - Viewing and Losing Random Passwords
  The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the Vault database is lost or corrupted (or the container is stopped), all credentials that aren't also stored somewhere else will be lost. There will be no way to log in. The administrator will have to clear the CMOS battery on the managed devices!
- Provide or generate a strong MEBX Password. This password can be used to access Intel® Manageability Engine BIOS Extensions (Intel® MEBX) on the AMT device.
- Leave DHCP as the default for Network Configuration.
- This express setup assumes the managed device (i.e. AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial.
- Select CIRA (Cloud) for Connection Configuration.
- Select the name of the CIRA Configuration you created previously from the drop-down menu.
- Optionally, add Tags to help in organizing and querying devices as your list of managed devices grows.
- Click Save.
Example ACM Profile
Create a Domain Profile
In addition to a CIRA Config and an ACM Profile, ACM requires the creation of a Domain profile.
Intel® AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority.
To create a domain:
- Select the Domains tab from the left-hand menu.
- In the top-right corner, click Add New.
- In the Name field, specify a name of your choice for the Domain Profile. This does not have to be the actual network Domain Name/Suffix.
- Provide your DNS suffix as the Domain Name. This is the actual DNS suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX.
- Click Choose File and select your purchased Provisioning Certificate. This certificate must contain the private key.
- Provide the Provisioning Certificate Password used to encrypt the .pfx file.
- Click Save.
Example Domain
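Before uploading the .pfx to a Domain profile, it is worth confirming the two things the steps above depend on: the bundle opens with the password you will enter and contains the private key, and the certificate matches the DNS suffix you will type as the Domain Name. The script below is an added example, not part of the toolkit. It assumes the `openssl` CLI is installed and that the certificate's subject CN is expected to equal the DNS suffix exactly; the function names and the throwaway self-signed sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on a provisioning certificate bundle.
# The PFX password is read from $PFX_PASS so it never appears in argv.

# Constructed sample: a self-signed, throwaway PFX standing in for a
# purchased provisioning certificate (a real one chains to a vendor CA).
make_sample_pfx() {  # usage: make_sample_pfx OUT.pfx CN
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" \
    -passout env:PFX_PASS -out "$1"
  rc=$?; rm -rf "$d"; return $rc
}

# Succeeds only if the bundle decrypts with $PFX_PASS and holds a private key.
pfx_has_key() {  # usage: pfx_has_key FILE
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# Prints the subject CN of the certificate that matches the private key.
pfx_subject_cn() {  # usage: pfx_subject_cn FILE
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Assumption: the CN must equal the DNS suffix (compared case-insensitively).
check_pfx() {  # usage: check_pfx FILE DNS_SUFFIX
  pfx_has_key "$1" ||
    { echo "FAIL: no private key, or wrong password"; return 1; }
  cn=$(pfx_subject_cn "$1")
  got=$(printf '%s' "$cn" | tr 'A-Z' 'a-z')
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -n "$got" ] && [ "$got" = "$want" ] ||
    { echo "FAIL: certificate CN '$cn' != DNS suffix '$2'"; return 1; }
  echo "OK: private key present, CN matches $2"
}

# Demo on the constructed sample, using the DNS suffix from the example above.
PFX_PASS='constructed-sample-pass'; export PFX_PASS
f=$(mktemp)
make_sample_pfx "$f" burgerbusiness.com && check_pfx "$f" burgerbusiness.com
rm -f "$f"
```

For a real certificate, export `PFX_PASS` and run `check_pfx your.pfx your-dns-suffix` against the file you plan to upload.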