RPC CLI
On the managed device, a Remote Provisioning Client (RPC) communicates with the Remote Provision Server (RPS) in the process of activating or deactivating the device. In addition to activation and deactivation, the RPC provides informational and maintenance commands.
List Commands
On the managed device, open a Terminal (Linux) or PowerShell/Command Prompt as Administrator (Windows).
Run the RPC application on the command line with no arguments to see supported commands:
sudo ./rpc
.\rpc.exe
COMMAND | DESCRIPTION | EXAMPLE |
---|---|---|
activate | Activate this device with a specified profile | ./rpc activate -u wss://server/activate -profile profilename |
deactivate | Deactivate this device. You will be prompted for the AMT password. | ./rpc deactivate -u wss://server/activate |
maintenance | Execute a maintenance task for the device. You will be prompted for the AMT password. | ./rpc maintenance syncclock -u wss://server/activate |
amtinfo | Display AMT status and configuration | ./rpc amtinfo |
version | Display the current version of RPC and the RPC Protocol version | ./rpc version |
List Command Options
Run the application with a command to see available options for the command:
sudo ./rpc [COMMAND]
.\rpc [COMMAND]
activate
Activate and Configure the device using RPS:
Activate the device with a specified profile:
sudo ./rpc activate -u wss://server/activate -profile profilename
.\rpc activate -u wss://server/activate -profile profilename
Activate the device locally:
Currently, this capability is only supported for activating unprovisioned (e.g. pre-provisioning state) devices. This command only activates AMT. It does not do profile-based configuration.
sudo ./rpc activate -local -password NewAMTPassword
.\rpc activate -local -password NewAMTPassword
activate Options
OPTION | DESCRIPTION |
---|---|
-d string | DNS suffix override |
-h string | Hostname override |
-json | JSON output |
-l string | Log level (panic,fatal,error,warn,info,debug,trace) (default "info") |
-lmsaddress string | LMS address (default "localhost"). Can be used to change location of LMS for debugging. |
-lmsport string | LMS port (default "16992") |
-local | Execute command to AMT directly without cloud interaction. |
-n | Skip WebSocket server certificate verification |
-name | Friendly name to associate with this device |
-p string | Proxy address and port |
-password | AMT password |
-profile string | Name of the profile to use |
-t duration | Time to wait until AMT is ready (e.g. 2m or 30s), the default is 2m0s |
-tenant string | TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled) |
-token string | JWT Token for Authorization |
-u string | WebSocket address of server to activate against |
-v | Verbose output |
For more information, see Build & Run RPC.
To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro® Platform, see Transition Activated Device.
deactivate
Deactivate the device using RPS:
sudo ./rpc deactivate -u wss://server/activate
.\rpc deactivate -u wss://server/activate
Deactivate the device locally:
sudo ./rpc deactivate -local
.\rpc deactivate -local
deactivate Options
OPTION | DESCRIPTION |
---|---|
-f | Force deactivate even if device is not registered with the RPS server |
-json | JSON output |
-l string | Log level (panic,fatal,error,warn,info,debug,trace) (default "info") |
-lmsaddress string | LMS address (default "localhost"). Can be used to change location of LMS for debugging. |
-lmsport string | LMS port (default "16992") |
-local | Execute command to AMT directly without cloud interaction. |
-n | Skip WebSocket server certificate verification |
-p string | Proxy address and port |
-password string | AMT password |
-t duration | Time to wait until AMT is ready (e.g. 2m or 30s), the default is 2m0s |
-token string | JWT Token for Authorization |
-u string | WebSocket address of server to activate against |
-v | Verbose output |
For more information, see Build & Run RPC.
maintenance
Execute a maintenance command for the managed device:
SUBCOMMAND | DESCRIPTION |
---|---|
addwifisettings | Configure wireless 802.1x locally with RPC (no communication with RPS and EA) |
changepassword | Change the AMT password. A random password is generated by default if -static is not provided. |
syncclock | Sync the host OS clock to AMT. |
synchostname | Sync the OS hostname to AMT Network Settings. |
syncip | Sync the static IP of host OS to AMT Network Settings. |
Common maintenance Options
OPTION | DESCRIPTION |
---|---|
-f | Force maintenance commands even if device is not registered with a server |
-json | JSON output |
-l string | Log level (panic,fatal,error,warn,info,debug,trace) (default "info") |
-lmsaddress string | LMS address (default "localhost"). Can be used to change location of LMS for debugging. |
-lmsport string | LMS port (default "16992") |
-n | Skip WebSocket server certificate verification |
-p string | Proxy address and port |
-password string | AMT password |
-t duration | Time to wait until AMT is ready (e.g. 2m or 30s), the default is 2m0s |
-tenant string | TenantID of profile. If not provided, then assumed empty string (i.e. no Multitenancy enabled) |
-token string | JWT Token for Authorization |
-u string | WebSocket address of server to activate against |
-v | Verbose output |
addwifisettings
Configure wireless 802.1x settings of an existing, activated AMT device by passing credentials and certificates directly to AMT rather than through RPS/EA/RPC. More information on configuring AMT to use 802.1x can be found in 802.1x Configuration.
On failure, the addwifisettings maintenance command will roll back any certificates added before the error occurred.
via Config file
- Create a new file called config.yaml. Copy and paste the template below.

    ieee801xConfig:
      name: 'profileName' # profile name (i.e. friendly name)
      authenticationMethod: 7 # wifi authentication method
      encryptionMethod: 4 # wifi encryption method
      clientCert: ''
      caCert: ''
      privateKey: ''
      ssid: '' # wifi SSID
      username: "" # 8021x username
      authenticationProtocol: 0 #8021x profile protocol (e.g. EAP-TLS(0))
      priority: 1

- Fill in fields with desired options.
- Provide the config.yaml file using the -config flag.

    sudo ./rpc maintenance addwifisettings -config config.yaml
    .\rpc maintenance addwifisettings -config config.yaml
via CLI
Alternatively, provide all options directly in the command line.
Warning - Use Case and Security
The CLI option is intended for use as part of an integration of RPC as a shared library. The passing of secrets directly via command line is highly insecure and NOT recommended.
sudo ./rpc maintenance addwifisettings -name profileName -authenticationMethod 7 -encryptionMethod 4 -ssid "networkSSID" -username "username" -authenticationProtocol 0 -priority 1 -clientCert {CLIENT_CERT} -caCert {CA_CERT} -privateKey {CLIENT_PRIVATE_KEY}
.\rpc maintenance addwifisettings -name profileName -authenticationMethod 7 -encryptionMethod 4 -ssid "networkSSID" -username "username" -authenticationProtocol 0 -priority 1 -clientCert {CLIENT_CERT} -caCert {CA_CERT} -privateKey {CLIENT_PRIVATE_KEY}
OPTION | DESCRIPTION |
---|---|
-authenticationMethod | Wifi authentication method. Valid Values = {5, 7} where 5 = WPA_IEEE8021X, 7 = WPA2_IEEE8021X |
-authenticationProtocol | 802.1x profile protocol. Valid Values = {0} where 0 = EAP-TLS |
-caCert | Trusted Microsoft root CA or 3rd-party root CA in Active Directory domain |
-clientCert | Client certificate chained to the caCert. Issued by enterprise CA or mapped to computer account in Active Directory. AMT provides this certificate to authenticate itself with the RADIUS server |
-config | File path of a .yaml file with desired wireless 802.1x configuration, see via Config File |
-encryptionMethod | Wifi encryption method. Valid Values = {3, 4} where 3 = TKIP, 4 = CCMP |
-name | Profile name (Friendly name), must be alphanumeric |
-priority | Ranked priority over other profiles |
-privateKey | Private key of the clientCert |
-ssid | Wifi SSID |
-username | 802.1x username, must match the Common Name of the clientCert |
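A pre-flight check for the config.yaml route, applying the valid values from the option table above before the file is handed to rpc. This is an added example for Linux hosts, not part of the RPC project: `field` and `check_wifi_config` are hypothetical helper names, the parsing only handles the flat template shown under "via Config file", and the owner-only permission requirement is an assumption made here because the file carries privateKey.

```shell
#!/bin/sh
# Pre-flight check for the addwifisettings config.yaml (added example).
# Reads "key: value" lines of the flat template; not a general YAML parser.

# field FILE KEY -> value with trailing comment and surrounding quotes stripped
field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/[[:space:]][[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# check_wifi_config FILE -> prints one line per problem, returns 1 if any
check_wifi_config() {
  f=$1; bad=0
  fail() { echo "config: $*"; bad=1; }
  [ -r "$f" ] || { echo "config: cannot read $f"; return 1; }

  # Assumption: the file holds privateKey, so no group/other access at all.
  case $(ls -ld "$f" | cut -c5-10) in
    ------) ;;
    *) fail "group/other permissions set on $f (use chmod 600)" ;;
  esac

  # Valid values as listed in the option table.
  case $(field "$f" authenticationMethod) in
    5|7) ;; *) fail "authenticationMethod must be 5 or 7" ;;
  esac
  case $(field "$f" encryptionMethod) in
    3|4) ;; *) fail "encryptionMethod must be 3 or 4" ;;
  esac
  case $(field "$f" authenticationProtocol) in
    0) ;; *) fail "authenticationProtocol must be 0 (EAP-TLS)" ;;
  esac
  case $(field "$f" name) in
    ''|*[!A-Za-z0-9]*) fail "name must be alphanumeric" ;;
  esac

  # Fields the template leaves blank must be filled in before use.
  for k in ssid username clientCert caCert privateKey; do
    [ -n "$(field "$f" "$k")" ] || fail "$k is empty"
  done
  return "$bad"
}
```

Run `check_wifi_config config.yaml && sudo ./rpc maintenance addwifisettings -config config.yaml` so the rpc call only happens when the file passes. The check does not verify that username matches the Common Name of clientCert.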
changepassword
Change the AMT password. A random password is generated by default if the -static option is not passed.
sudo ./rpc maintenance changepassword -u wss://server/activate
.\rpc maintenance changepassword -u wss://server/activate
OPTION | DESCRIPTION |
---|---|
-static | New password to be used |
syncclock
Syncs the host OS clock to AMT.
sudo ./rpc maintenance syncclock -u wss://server/activate
.\rpc maintenance syncclock -u wss://server/activate
synchostname
Sync the OS hostname to AMT Network Settings.
sudo ./rpc maintenance synchostname -u wss://server/activate
.\rpc maintenance synchostname -u wss://server/activate
syncip
Sync the static IP of host OS to AMT Network Settings.
sudo ./rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/activate
.\rpc maintenance syncip -staticip 192.168.1.7 -netmask 255.255.255.0 -gateway 192.168.1.1 -primarydns 8.8.8.8 -secondarydns 4.4.4.4 -u wss://server/activate
OPTION | DESCRIPTION |
---|---|
-staticip | IP address to be assigned to AMT. If not specified, the IP address of the active OS network interface is used |
-netmask | Network mask to be assigned to AMT. If not specified, the network mask of the active OS network interface is used |
-gateway | Gateway address to be assigned to AMT |
-primarydns | Primary DNS address to be assigned to AMT |
-secondarydns | Secondary DNS address to be assigned to AMT |
amtinfo
Display AMT status and configuration:
sudo ./rpc amtinfo [OPTIONS]
.\rpc amtinfo [OPTIONS]
Not passing [OPTIONS] will print all information.
AMT INFO | OPTION | DESCRIPTION |
---|---|---|
-json | JSON Output | |
Version | -ver | Intel AMT version. |
Build Number | -bld | Intel AMT Build Number. |
Certificate | -cert | Certificate Hashes |
SKU | -sku | Product SKU |
UUID | -uuid | Unique Universal Identifier of the device. Used when creating device-specific MPS API calls as part of the REST API's URL path. |
Control Mode | -mode | Control Mode below indicates the managed device's state: (a) pre-provisioning or deactivated (b) activated in client control mode (c) activated in admin control mode |
DNS Suffix | -dns | DNS Suffix set according to PKI DNS Suffix in Intel MEBX or through DHCP Option 15. Required for ACM activation. |
DNS Suffix (OS) | -dns | |
Hostname (OS) | -hostname | Device's hostname as set in the Operating System. |
RAS Network | -ras | |
RAS Remote Status | -ras | Unconnected or connected. State of connection to a management server. |
RAS Trigger | -ras | User initiated or periodic. When activated, periodic signifies CIRA established. By default, CIRA sends a heartbeat to the server every 30 seconds to verify and maintain connection. |
RAS MPS Hostname | -ras | IP Address or FQDN of the MPS server. |
---Wired/Wireless Adapters---
WIRED/WIRELESS ADAPTER | OPTION | DESCRIPTION |
---|---|---|
DHCP Enabled | -lan | True/False. Whether or not the network is using DHCP or Static IPs. |
DHCP Mode | -lan | |
Link Status | -lan | Up/Down. Shows whether or not this adapter is being used by Intel AMT. |
IP Address | -lan | If using CIRA or the device is unactivated, this field will show 0.0.0.0 |
MAC Address | -lan | Device's MAC Address |
For more information, see Wireless Activation.
version
Display the current version of RPC and the RPC Protocol version:
sudo ./rpc version
.\rpc version