Realizing the Value of Intel® vPro™ processor technology within Altiris Client Management Suite
Terry Cutler | Enterprise Solution Architect | Intel Corporation
© Symantec.
Course Objectives
• Discuss the main steps to activate Intel® vPro™ processor technology
• Identify key considerations and plans for deployment
• Establish a community of knowledge sharing
• Establish a community of knowledge sharing
Related Sessions, Events, and Material
• ManageFusion Sessions:
– AP L03 – Lab: Using Intel® vPro™ with Altiris Client Management Suite, 4:45pm Tues.
– AP B06 – Session: Economics of Deploying Intel® vPro™ in the Enterprise, 3:15pm Wed.
– AP L02 – Session: Dell Client Manageability
– AP B01 – Session: HP Client Manageability
• Intel Demonstration Booth – Partner Expo
– Check out the vPro Challenge – win prizes
– Talk and see more on vPro integration to Altiris
Short Quiz (Prizes included)
• Does Altiris CMS with Intel vPro allow for 1-to-1 or 1-to-many client management?
• When was the current production version of RTCI, RTSM, OOBM, and OOBSC released?
– Bonus: What is the production Intel® SCS version embedded in OOBSC?
• How do you know if an Intel® AMT version is
Main Considerations for Deployment
• Current and Future State - Understanding of the target environment, especially the future state of enterprise client manageability and security
• Client Platform Readiness – In addition to OS and application compatibility, validate the “provision”, “reprovision” and “unprovision” of Intel® vPro™ desktops and/or laptops.
• Management ISV Readiness – Altiris “runs great on vPro”
• Enterprise Infrastructure – Planning and preparing enterprise for Intel® vPro™ solution deployment (e.g., DHCP, DNS, PKI/CA, etc.)
• IT Governance and Processes – Preparing for process changes to deployment, maintenance, support requests, and related tasks.
Successful Deployments Require a Collaborative Effort
Discussion: What usage models desired?
[Diagram: Intel® Q965 Express chipset block diagram – Intel® Core™ 2 Duo CPU, DDR2, (G)MCH, ICH8-DO with the Manageability Engine, flash NVM/BIOS, sensors, filters, MAC and Intel® PRO/1000 LAN]
Copyright © 2007, Intel Corporation, All Rights Reserved
• Remotely power on/off
• Out-of-band asset inventory
• Discovery of connected systems
• Redirect (Serial-over-LAN and IDE-R)
• Alerting and eventing subscription*
• System Defense (network filter)
View Intel vPro as a tool in the overall Altiris CMS toolset
Preparation of the Client Platform
• Future plans around Microsoft Vista?
• Mobile environment?
• Driver and firmware recommendations
– Intel® Active Management Technology (AMT) firmware
– Intel® Management Engine Interface (MEI) driver
– Serial-over-LAN (SOL) driver
– Local Management Service (LMS) driver
– User Notification Service (UNS) driver
– Altiris client management agent
AMT 3.0 or higher
[Diagram: Altiris CMS architecture – Notification Server (Microsoft SQL, Microsoft IIS), Provisioning Server, Task Server and Network Discovery; Out of Band Management (RTSM and RTCI) provides Remote Boot, IDE Redirect, Serial Over LAN, AMT Inventory, SNMP Alerts and System Defense for Intel vPro clients; Altiris solutions on top: Software Delivery, Patch Management, Inventory Solution, Application Metering/Management, Altiris Helpdesk, Asset Management]
[Diagram: enterprise infrastructure – PKI/CA, VPN/firewall gateway, RADIUS, DHCP, DNS, Microsoft Active Directory, Provisioning Server, Management Console, Microsoft SQL, Microsoft IIS; wired, wireless and public networks]
Intel® AMT Provisioning Overview
• Small Business or Enterprise mode
– This session focuses on Enterprise mode
• Intel® AMT configuration states
– Factory Default, Setup, and Configured
• Provisioning approaches
– Pre-Shared Key or Remote Configuration
• Maintenance actions and routines
Small-Medium Business or Enterprise mode?
SMB Mode
• 1-to-1 provisioning and communication
(Note: Altiris CMS enables 1-to-many)
• Manual setup using BIOS / MEBx
• Unencrypted (plain HTTP) network communication with AMT
• HTTP Digest user authentication
• Suitable for lower volume deployments with no PKI infrastructure
Enterprise Mode
• 1-to-Many provisioning and communication
• ‘Automated’ setup using USB drive key
• Encrypted AMT network communication during provisioning
• TLS, Kerberos, and HTTP Digest authentication
• Maintain multiple Intel® AMT profile configurations
• Suitable for volume deployments
Intel® AMT configuration states
[Diagram: state transitions]
• Factory Default → Setup: provisioning data entered
• Setup → Configured: Intel® AMT profile assigned
• Configured → Setup: Intel® AMT profile removed (partial unprovision)
• Configured or Setup → Factory Default: fully unprovisioned*
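The three states and the transitions between them, as an added example that is not part of the original deck: a small Python state machine that rejects transitions the diagram does not allow and makes visible what each kind of unprovision leaves on the device. The point a practitioner should take from it is that a partial unprovision returns the client to Setup, so the PID/PPS (or setup-certificate hash) entered at provisioning time is still present and must still be treated as a live secret; only a full unprovision returns to Factory Default. Class, method and field names are assumptions made for the example, not an Intel or Altiris API, and the UUID and PID values are constructed placeholders.

```python
"""Intel AMT configuration-state model: Factory Default -> Setup -> Configured.

Added example, not code from the original deck. Names are assumptions made
here for illustration; they are not an Intel or Altiris API.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class AmtState(Enum):
    FACTORY_DEFAULT = "Factory Default"
    SETUP = "Setup"
    CONFIGURED = "Configured"


class TransitionError(Exception):
    """Raised for a transition the state diagram does not allow."""


@dataclass
class AmtClient:
    uuid: str
    state: AmtState = AmtState.FACTORY_DEFAULT
    # Provisioning data (PID/PPS for TLS-PSK, or the setup-certificate hash
    # for Remote Configuration) entered in the MEBx or from setup.bin.
    provisioning_data: Optional[dict] = None
    # Intel AMT profile assigned by the Setup and Configuration Service.
    profile: Optional[str] = None
    history: list = field(default_factory=list)

    def _move(self, new_state: AmtState, reason: str) -> None:
        self.history.append((self.state.value, new_state.value, reason))
        self.state = new_state

    def enter_provisioning_data(self, data: dict) -> None:
        """Factory Default -> Setup: PID/PPS (or cert hash) entered."""
        if self.state is not AmtState.FACTORY_DEFAULT:
            raise TransitionError(f"{self.state.value}: setup data already present")
        if not data:
            raise TransitionError("provisioning data must not be empty")
        self.provisioning_data = dict(data)
        self._move(AmtState.SETUP, "provisioning data entered")

    def assign_profile(self, profile: str) -> None:
        """Setup -> Configured: Intel AMT profile assigned by SCS."""
        if self.state is not AmtState.SETUP:
            raise TransitionError(f"{self.state.value}: profile needs Setup state")
        self.profile = profile
        self._move(AmtState.CONFIGURED, f"profile '{profile}' assigned")

    def partial_unprovision(self) -> None:
        """Configured -> Setup: profile removed, provisioning data KEPT.

        After a partial unprovision the PID/PPS or cert hash is still on the
        device: it can be re-provisioned without a MEBx visit, and the secret
        is still live.
        """
        if self.state is not AmtState.CONFIGURED:
            raise TransitionError(f"{self.state.value}: nothing to partially unprovision")
        self.profile = None
        self._move(AmtState.SETUP, "profile removed (partial unprovision)")

    def full_unprovision(self) -> None:
        """Setup/Configured -> Factory Default: profile AND setup data wiped."""
        if self.state is AmtState.FACTORY_DEFAULT:
            raise TransitionError("already at Factory Default")
        self.profile = None
        self.provisioning_data = None
        self._move(AmtState.FACTORY_DEFAULT, "fully unprovisioned")


def demo_lifecycle() -> AmtClient:
    """Walk one client through provision, re-provision and unprovision."""
    # Constructed UUID and placeholder PID/PPS, not values from a real system.
    c = AmtClient(uuid="4C4C4544-0000-1111-2222-ABCDEF012345")
    c.enter_provisioning_data({"PID": "ABCD-EFGH", "PPS": "<32-char PPS>"})
    c.assign_profile("Enterprise-TLS")
    c.partial_unprovision()                 # back to Setup, PID/PPS still present
    c.assign_profile("Enterprise-Kerberos")  # re-provision without a MEBx visit
    c.full_unprovision()                    # ready for resale/donation: no secrets left
    return c


if __name__ == "__main__":
    for old, new, why in demo_lifecycle().history:
        print(f"{old} -> {new} | {why}")
```

Run it and the history printed is the path the slide draws; try `assign_profile` on a fresh client and the `TransitionError` shows why "provisioning data entered" has to happen first.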
Pre-shared Key or Remote Configuration?
• TLS Pre-Shared Key (TLS-PSK)
– Manual or one-touch provisioning
– Best performed before the Intel® AMT client is in the production environment
– Supported on all Intel® AMT platforms
• Remote Configuration (PKI-CH)
– Formerly called zero-touch configuration (ZTC)
– Agent-initiated or bare-metal provisioning
– Supported first on AMT 3.0 platforms, then on AMT 2.2 and AMT 2.6
• Reading material
– http://juice.altiris.com/article/1673/part-3-enterprise-integration-intel-amt-provisioning
– http://juice.altiris.com/article/2161/remote-configuration-preview
Required, Suggested, and Optional
• Required: setup and configuration application
– Intel® Setup and Configuration Service (SCS)
– Network ports 16992–16995 (Intel® AMT registered ports: 16992 HTTP, 16993 HTTPS, 16994 redirection, 16995 redirection over TLS)
• Required for one-touch provisioning
– DHCP, DNS, a “ProvisionServer” DNS entry, USB key with setup.bin
– Network port 9971 (hello packets from Intel® AMT to the provisioning server)
– Altiris “Resource Synchronization” and “Network Discovery”
• Suggested: infrastructure items
– DHCP with option 15 (DNS domain name)
– WMI, DDNS, ISV client agent, domain membership
• Optional
– Certificate server, Active Directory, Kerberos, wireless profiles, Network Access Control (NAC), 802.1X, VLAN
Pre-Shared Key Provisioning
[Diagram: Pre-Shared Key provisioning flow, steps 1–4, between the Management Console, DNS/DHCP, Provision Server and SQL DB]
Provisioning Data: What’s Needed? How Obtained?
• PID, PPS, and new password
– Created by the Setup and Configuration Application; written to setup.bin
– Entered manually (or from the setup.bin USB key) during pre-provisioning
• UUID – Universally Unique Identifier
– Assigned by the OEM at the factory; unique to every system
– Sent by Intel® AMT in the hello packet
– Obtained by the management console via WMI or the agent
– Altiris Network Discovery with AMT options enabled
• FQDN – Fully Qualified Domain Name
– Stored on the host OS, based on the system name and domain
– Obtained via WMI, reverse DNS lookup (DDNS), DHCP option 15 (DNS suffix from the server) and option 81 (client FQDN)
– Stored in the management database with the matching UUID
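How the UUID and FQDN sources above get merged into the record the provisioning server needs, as an added example that is not from the deck or from Altiris: the provisioning server can only push a profile to a client when the UUID from the hello packet matches a FQDN in the management database, and the FQDN can come from several places (host name plus DHCP option 15 suffix, DHCP option 81, reverse DNS). The script below derives one FQDN per UUID, refuses to guess when the sources disagree, and drops UUIDs that appear twice (a cloned image) so no profile is pushed to the wrong machine. The inventory records are constructed, and the record and function names are my own.

```python
"""Build the UUID -> FQDN mapping the provisioning server relies on.

Added example, not code from the original deck. All records are constructed
and the field/function names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HostRecord:
    uuid: str                          # OEM-assigned, also sent in the hello packet
    hostname: Optional[str] = None     # from WMI / the Altiris agent
    dhcp_opt15: Optional[str] = None   # DNS domain suffix handed out by DHCP
    dhcp_opt81: Optional[str] = None   # client FQDN option
    reverse_dns: Optional[str] = None  # PTR answer for the client's address


def normalize(name: Optional[str]) -> Optional[str]:
    """Lower-case and strip a trailing dot so the sources compare equal."""
    return name.rstrip(".").lower() if name else None


def derive_fqdn(rec: HostRecord) -> Optional[str]:
    """Combine the FQDN sources the slide lists into one answer.

    Host-reported name + DHCP option 15, DHCP option 81 and reverse DNS are
    all consulted. If they disagree the record is a stale DNS entry or a
    mismatch that needs an operator, so None is returned rather than a guess.
    """
    candidates = []
    if rec.hostname and rec.dhcp_opt15:
        candidates.append(f"{rec.hostname}.{rec.dhcp_opt15}")
    if rec.dhcp_opt81:
        candidates.append(rec.dhcp_opt81)
    if rec.reverse_dns:
        candidates.append(rec.reverse_dns)
    candidates = [normalize(c) for c in candidates]
    if not candidates or len(set(candidates)) != 1:
        return None
    return candidates[0]


def build_provisioning_db(records: List[HostRecord]) -> Dict[str, str]:
    """Return {UUID: FQDN} for records whose FQDN is unambiguous.

    A UUID seen more than once (cloned image, duplicate OEM UUID) is dropped
    entirely: the SCS must never push a profile to the wrong machine.
    """
    seen: Dict[str, str] = {}
    duplicates = set()
    for rec in records:
        uuid = rec.uuid.upper()
        fqdn = derive_fqdn(rec)
        if fqdn is None:
            continue
        if uuid in seen:
            duplicates.add(uuid)
            continue
        seen[uuid] = fqdn
    return {u: f for u, f in seen.items() if u not in duplicates}


# Constructed sample inventory (not real systems).
SAMPLE = [
    HostRecord("4C4C4544-0001-0001-0001-000000000001", "ws-101", "corp.example",
               "ws-101.corp.example", "ws-101.corp.example."),
    HostRecord("4C4C4544-0002-0002-0002-000000000002", "ws-102", "corp.example",
               None, "WS-102.CORP.EXAMPLE"),
    # PTR disagrees with the host-reported name: stale DNS, hold for review
    HostRecord("4C4C4544-0003-0003-0003-000000000003", "ws-103", "corp.example",
               None, "printer-7.corp.example"),
    # No domain information at all: cannot be provisioned yet
    HostRecord("4C4C4544-0004-0004-0004-000000000004", "ws-104"),
    # Same UUID on two hosts (cloned image): both dropped
    HostRecord("4C4C4544-0005-0005-0005-000000000005", "ws-105", "corp.example"),
    HostRecord("4c4c4544-0005-0005-0005-000000000005", "ws-106", "corp.example"),
]

if __name__ == "__main__":
    for uuid, fqdn in build_provisioning_db(SAMPLE).items():
        print(uuid, "->", fqdn)
```

Only the first two constructed hosts make it into the database; the other four are exactly the cases that show up later as "hello packet received but no profile pushed" tickets, so flagging them at this step is cheaper than chasing them after provisioning fails.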
Remote Configuration Process Overview
• Certificate-based authentication
– Intel® Client Setup Certificate per DNS domain
– Matching thumbprint (certificate hash) on the client
– Support for 3rd-party or custom in-house certificates
• Infrastructure dependencies
– DHCP option 15 with the DNS domain suffix
– DNS entry for “ProvisionServer”
• Altiris Agent required for Intel® AMT 2.2 and 2.6
– Initiates delayed provisioning
– Intel® AMT 3.0 systems have a “bare-metal” option
Remote Configuration Process Overview
[Diagram: two paths, agent-initiated (AMT 2.2, 2.6, 3.0) and bare-metal (AMT 3.0), both leading to secure authentication and then configuration (Intel® AMT profile sent)]
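The checks that stand between "hello packet" and "profile sent" in the Remote Configuration path, as an added example that is not from the deck and is not Intel's firmware: before Intel® AMT accepts a setup certificate from the Setup and Configuration Application it must find the root certificate's thumbprint (hash) in the list embedded in the client, and the certificate must be the one issued for the DNS domain the client learned from DHCP option 15. Both checks are modelled below on plain records with constructed bytes standing in for DER, so it runs offline; the record layout, function names, and the exact-match reading of "one setup certificate per DNS domain" are assumptions made for this example.

```python
"""Intel AMT-side acceptance checks for Remote Configuration (PKI-CH).

Added example, not code from the original deck or from Intel. Certificates
are modelled as plain records with constructed bytes standing in for DER;
names and the exact-domain-match rule are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str        # leaf host name or CA name
    issuer: str
    dns_domain: str     # DNS domain the setup certificate is scoped to ("" for CAs)
    der: bytes          # constructed stand-in for the encoded certificate

    def thumbprint(self) -> str:
        """SHA-1 over the encoded certificate, lower-case hex (the MEBx hash form)."""
        return hashlib.sha1(self.der).hexdigest()


def chain_is_linked(chain: Sequence[Cert]) -> bool:
    """Leaf first, root last; each issuer must name the next subject."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer == chain[-1].subject   # root is self-issued


def domain_matches(cert_domain: str, dhcp_domain: str) -> bool:
    """Exact, case-insensitive match of the cert domain and DHCP option 15.

    Strict reading of "one setup certificate per DNS domain": a certificate
    for corp.example does not configure a client whose DHCP domain is
    lab.corp.example, nor the reverse.
    """
    return cert_domain.rstrip(".").lower() == dhcp_domain.rstrip(".").lower()


def amt_accepts_setup_cert(chain: Sequence[Cert],
                           embedded_hashes: List[str],
                           dhcp_option15: str) -> bool:
    """True only if every check passes; a client with no DHCP domain refuses."""
    if not dhcp_option15:
        return False          # without option 15 the client cannot scope the cert
    if not chain_is_linked(chain):
        return False
    root = chain[-1]
    if root.thumbprint() not in {h.lower() for h in embedded_hashes}:
        return False          # root hash not pre-loaded in the MEBx
    return domain_matches(chain[0].dns_domain, dhcp_option15)


# --- constructed test material (no real keys or certificates) -------------
ROOT = Cert("Example Root CA", "Example Root CA", "", b"root-ca-der-bytes")
ISSUING = Cert("Example Issuing CA", "Example Root CA", "", b"issuing-ca-der")
SETUP_LEAF = Cert("provisionserver.corp.example", "Example Issuing CA",
                  "corp.example", b"setup-cert-der")
GOOD_CHAIN = [SETUP_LEAF, ISSUING, ROOT]

# Hash list as it would be pre-loaded in the MEBx by the OEM or IT.
EMBEDDED_HASHES = [ROOT.thumbprint()]

# A chain that looks right for the domain but hangs off a root the client
# was never told about; it must be refused on the thumbprint check alone.
UNTRUSTED_ROOT = Cert("Other Root", "Other Root", "", b"other-root-der")
UNTRUSTED_ISSUING = Cert("Other Issuing", "Other Root", "", b"other-issuing-der")
UNTRUSTED_LEAF = Cert("provisionserver.corp.example", "Other Issuing",
                      "corp.example", b"other-leaf-der")
UNTRUSTED_CHAIN = [UNTRUSTED_LEAF, UNTRUSTED_ISSUING, UNTRUSTED_ROOT]

if __name__ == "__main__":
    print("good chain, right domain :",
          amt_accepts_setup_cert(GOOD_CHAIN, EMBEDDED_HASHES, "corp.example"))
    print("good chain, wrong domain :",
          amt_accepts_setup_cert(GOOD_CHAIN, EMBEDDED_HASHES, "lab.corp.example"))
    print("untrusted root, domain ok:",
          amt_accepts_setup_cert(UNTRUSTED_CHAIN, EMBEDDED_HASHES, "corp.example"))
```

The two negative cases are the ones to rehearse in the test lab before bare-metal provisioning goes live: a setup certificate for the wrong DNS domain, and a chain whose root hash was never loaded into the MEBx. Both must leave the client in its current state with no profile sent.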
Call to Action:
• Activate and Realize the value!
• If you are considering Intel vPro with Altiris
CMS – assess the value and plan
• Coordinate with internal IT resources – client,
server, infrastructure, security, and so forth
• Validate plans and usages in a test environment
• Utilize external community resources
• Visit the Intel booth for more discussion
• Take the vPro challenge!
Additional Reference Material
Coming Soon to Altiris Juice (http://juice.altiris.com/intel)
• Index of articles
• Altiris Console configuration video
• Enterprise provisioning sequence
• Use case video demonstrations
Intel® vPro™ Expert Center
juice.altiris.com
• Breaking product news
• In-depth articles
• Tips from the trenches
• Tools and utilities
• Training videos
• Podcasts
• RSS feeds
• Rewards program
THANK YOU
Altiris and ManageFusion are registered trademarks of Symantec, Inc. in the U.S. and in other countries. The other company names or products mentioned are or may be
Preparations for Agent Initiated
[Diagram: Management Console, Provision Server, DNS and an Intel® AMT client (Intel® Q965 Express chipset with Manageability Engine (ME) and MEI; host operating system with management agent). Labelled steps 1–5: request ProvisionServer, update package, request AMT state, send one-time password, agent-provided data, send hello packet]
Preparations for Bare Metal
[Diagram: Intel® AMT client (Intel® Q965 Express chipset with Manageability Engine), Provision Server and DNS/DHCP. Steps: (1) request ProvisionServer, (2) send hello packet, (3) create self-signed certificate]
RCFG: Mutual Authentication
[Diagram: Provision Server (SCA) and Intel® AMT client (ME/MEI, host operating system with management agent) exchanging the Setup Certificate and the client's self-signed certificate]
1. SCA requests the client's self-signed certificate
2. Setup Certificate request, including Key 1 and the PEM
3. Intel® AMT verifies the Setup Certificate (certificate hash, domain, etc.); Key 2 sent to the SCA
4. MTLS established
5. OTP sent to the SCA
Discussion: IT Governance and Process
[Diagram: lifecycle stages (1) purchase order placed, (2) initial setup (bare-metal provisioning), (3) user profile setup and maintenance, (4) EOL; records touched: enterprise policies, certificates (CA), support/call DB, asset DB, AD, network DB, inventory DB, management console, asset & patch management DB; EOL: DB ready for resale or donation]
• Setup: install Setup & Config Services (one time only); AD schema changes (one time only); AMT hostname assigned; AMT object added to AD; CA distributes certificates; DB updated; management console updated with AMT entries; PID/PPS entry in the setup/config DB
• Maintenance: policy changes for asset and patch management
• EOL: remove AMT AD entries; unprovision (S&C update); delete from the management console