ACM Activation
Admin Control Mode (ACM) provides full access to Intel® Active Management Technology (Intel® AMT) functionality. User consent is optional for supported redirection features:
- Keyboard, Video, Mouse (KVM): Control multiple devices with one keyboard, monitor, and mouse.
- Serial-over-LAN (SOL): Manage devices with a command line interface (CLI) through SOL.
- IDE Redirection: Share and mount images remotely with a specified storage media (e.g., USB flash drive).
What You'll Need
Provisioning Certificate
By purchasing a certificate, you'll be able to remotely activate an Intel® AMT device in ACM. This feature enables you to disable User Consent. Provisioning Certificates are available from four different Certificate Authorities. Find more information about Provisioning Certificates.
Important - Intel AMT and using CAs
For ACM in Open Active Management Technology (Open AMT) Cloud Toolkit, use only certificate vendors that support Intel® AMT.
Alternatively, for development, custom provisioning certificates can be generated. See Custom Provisioning Certificate for additional details.
DNS Suffix
The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostname. Consider the following DNS Name example:
Example - DNS
DNS Name: cb-vending1.burgerbusiness.com
In this example, the hostname is cb-vending1 and the DNS suffix is burgerbusiness.com.
To set the DNS suffix:
- Manually set it using MEBX on the managed device. See MEBx DNS Suffix.
- Alternatively, change DHCP Option 15 to the DNS suffix in the router settings.
To find the DNS suffix, use the following command:
- Linux: ifconfig
- Windows: ipconfig /all
Create a Domain Profile
ACM requires the creation of a Domain profile.
Intel® AMT checks the network DNS suffix against the provisioning certificate as a security check. During provisioning, the trusted certificate chain is injected into the AMT firmware. AMT verifies that the certificate chain is complete and is signed by a trusted certificate authority.
To create a domain:
- Select the Domains tab from the left-hand menu.
- In the top-right corner, click Add New.
- In the Name field, specify a name of your choice for the Domain Profile. This does not have to be the actual network Domain Name/Suffix.
- Provide your DNS suffix as the Domain Name. This is the actual DNS suffix of the network domain that is set in DHCP Option 15 or manually on the AMT device through MEBX.
- Click Choose File and select your purchased Provisioning Certificate. This certificate must contain the private key.
- Provide the Provisioning Certificate Password used to encrypt the .pfx file.
- Click Save.
Example Domain
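A pre-flight check for the .pfx before it is uploaded in the steps above, as an added example that is not part of the Open AMT documentation: it confirms that the password opens the file, the private key is present, the bundled issuer certificates chain to a self-signed root, and the leaf CN fits the DNS suffix. The function names, the constructed sample certificate and the CN-suffix matching rule are assumptions made for illustration; the firmware makes its own trust decision during provisioning.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on a provisioning .pfx before it is
# uploaded to a Domain profile. Subjects, paths and passwords are constructed.

# Build a throwaway root CA and leaf, bundled as a password-protected .pfx.
make_sample_pfx() {  # $1=workdir  $2=leaf CN  $3=pfx password
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
    -certfile "$d/root.crt" -passout "pass:$3" -out "$d/sample.pfx"
}

# Prints "ok", or the first failed check with a distinct exit status.
check_pfx() (  # $1=.pfx file  $2=pfx password  $3=DNS suffix (Domain Name)
  t=$(mktemp -d) || exit 9
  trap 'rm -rf "$t"' EXIT
  export PFX_PASS="$2"   # passed via environment, not on openssl's command line
  # 1. The password must decrypt the file; keep only the end-entity cert.
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
    -out "$t/leaf.pem" 2>/dev/null || { echo "cannot open pfx"; exit 1; }
  # 2. The private key must be present (piped to grep, never written to disk).
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY' || { echo "no private key in pfx"; exit 2; }
  # 3. The issuer certs inside the pfx must chain to a self-signed root.
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -cacerts -nokeys \
    -out "$t/chain.pem" 2>/dev/null || :
  openssl verify -no-CApath -CAfile "$t/chain.pem" "$t/leaf.pem" \
    >/dev/null 2>&1 || { echo "chain incomplete in pfx"; exit 3; }
  # 4. Assumed matching rule: leaf CN equals or ends with ".<DNS suffix>".
  cn=$(openssl x509 -in "$t/leaf.pem" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  case "$cn" in
    "$3" | *".$3") echo ok ;;
    *) echo "CN '$cn' does not match DNS suffix '$3'"; exit 4 ;;
  esac
)

work=$(mktemp -d)   # throwaway directory holding the constructed sample
make_sample_pfx "$work" "provisioning.burgerbusiness.com" "constructed-pass"
check_pfx "$work/sample.pfx" "constructed-pass" "burgerbusiness.com"
```

Step 3 only shows that the bundle is self-consistent; whether the root is one the AMT firmware trusts is decided on the device.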
Create a Profile
A Profile provides configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client (RPC).
Note - More Information about Passwords
Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in Reference -> Architecture Overview.
To create an ACM profile:
- Select the Profiles tab from the menu on the left.
- Under the Profiles tab, click Add New in the top-right corner to create a profile.
- Specify a Profile Name of your choice.
- Under Activation, select Admin Control Mode from the dropdown menu.
- Enable desired redirection features for the profile under AMT Features - Enable/Disable features.
- Choose the level of User Consent. By default for ACM, None is selected. This will disable all User Consent for ACM.
- Provide or generate a strong AMT Password. AMT will verify this password when receiving a command from Console. This password is also required for device deactivation.
  Warning - Viewing and Losing Random Passwords
  The two buttons next to the password input are for toggling visibility and/or generating a new random password. Please note that if the database is lost or corrupted, all credentials that aren't also stored somewhere else will be lost. There will be no way to log in. The administrator will have to clear the CMOS battery on the managed devices!
- Provide or generate a strong MEBX Password. This password can be used to access Intel® Manageability Engine BIOS Extensions (Intel® MEBX) on the AMT device.
- Choose DHCP or Static for the Network Configuration, based on your environment.
- This express setup assumes the managed device (i.e., the AMT device) is on a wired connection for quickest setup. To learn more about a Wireless Setup, see the Wireless Activation Tutorial.
- For quickest setup, select Non TLS under Provisioned Connection Configuration.
- Optionally, add Tags to help in organizing and querying devices as your list of managed devices grows.
- Click Save.
Example ACM Profile