
Intel® Active Management Technology For Embedded Systems


1 Intel® Active Management Technology For Embedded Systems
2017/4/17 Intel Embedded and Communications Group

2 Legal Disclaimers
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL® PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS. Intel may make changes to specifications and product descriptions at any time, without notice. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice. Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Intel, Intel Core, vPro and the Intel logo are trademarks of Intel Corporation in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2009 Intel Corporation.

3 Agenda
Part 1: Introduction
- What is Intel® Active Management Technology (Intel® AMT)?
- Usage Models for Intel AMT: Industrial, Retail, Gaming, Military/Aerospace/Government, Medical, Telecommunication
- Intel AMT Roadmap
Part 2: Architecture
- Hardware, Firmware, Software Overview
- Software Development Kit (SDK)
- Developer Tool Kit (DTK)
Part 3: Implementation
- Key Ingredients
- Provisioning: Setup And Configuration
Summary

4 Introduction

5 What is Intel® Active Management Technology (Intel® AMT)?
Hardware-based solution that enables:
- Software and hardware inventory capabilities
- Remote asset management
- Out-of-Band (OOB) system management: functions independently of the system's power state
- Hardware-based security features, including System Defense network isolation
- Power management features
- Remote diagnosis and repair
- Third-party non-volatile storage
Remotely discover, heal and protect networked embedded systems.
Notes: Enablement technology that allows remote management of embedded systems even when the system is powered off. Provides built-in manageability that improves IT efficiency in maintaining multiple platforms across the enterprise. The inventory of software and hardware on remote embedded systems can be tracked even when the systems are off; this is explained in later slides. The hardware-based security and power management features are addressed in later slides. Remotely discover, heal and protect networked embedded systems.

6 Intel® AMT Usage Model: Industrial
Problem: Real-time asset tracking (hardware and software) is expensive and time consuming. Devices are varied and built on different platforms:
- Factory robots
- Human Machine Interface (HMI) systems
- Test and measurement systems
- Industrial PCs
- Automation and control systems
Intel AMT Solution:
- OS independent: runs outside the context of the OS from tamper-resistant firmware, and works the same way regardless of the installed OS
- Remote hardware and software tracking: eliminates time-consuming manual inventory tracking and human error, reducing asset accounting costs and increasing tracking accuracy
- OOB management enables remote asset tracking irrespective of system power state
- Third-party non-volatile memory stores information that can be accessed offline
- Independent of platform and operating system
Notes: In the industrial segment, the focus has shifted from increasing productivity and reducing costs to increasing quality and flexibility in the manufacturing process, and the number of computing assets has increased. The Out-of-Band management feature of Intel® AMT allows communication with remote devices regardless of their power ON/OFF state. Remotely booting a system saves time and improves safety by reducing the number of people on the factory floor. Remote management increases system uptime and reduces technician time. Intel AMT is immune to misconfiguration or reconfiguration of the OS by the end user; the interfaces and the FW image are the same whether Windows or Linux is installed on the PC. It provides remote access to the log (which can be used to read and clear the log). The BIOS gives the Manageability Engine a list of the hardware components located in the system. The "iAMT Scan" tool identifies Intel AMT-capable systems and is available at the Intel® vPro™ Expert Center.

7 Hardware and Software Inventory: Accurately track assets regardless of power state
Diagram: factory robots, HMI (Human Machine Interface) systems, industrial PCs and test systems connected over the network to a management console.
1. The management console polls embedded systems for hardware ID and software version information.
2. The systems report asset details: hardware (hard drive make and model; memory size and speed; CPU type and GHz) and software (virus software version; management software version; OS version).
Perform faster audits and optimize maintenance and licensing configurations.

8 Intel® AMT Usage Model: Retail
Problem: Software/OS failure at a point-of-sale (POS) terminal.
Intel AMT Solution:
- Software tools for remote diagnosis and repair
- OOB remote management in case of a system OS crash
- Proactive alerting reduces system downtime by speeding diagnostics
- Serial over LAN (SOL) capabilities can be used to redirect text and keyboard information
- IDE redirection helps in booting a remote system from a CD in the local CD-ROM of the management console
Remote Troubleshooting and Recovery: significantly reduces desk-side visits, increasing the efficiency of IT technical staff. Proactive Alerting: decreases downtime and minimizes time-to-repair.

9 Remote Diagnostics and Repair
Diagram: ATMs, kiosks and POS terminals connected over the network to a management console.
1. The system is unable to boot.
2. The system sends an alert.
3. The console diagnoses the problem and repairs it (remote software update, local hardware install).
4. The system is remotely rebooted from a standard image on the management server.
Reduce user downtime and technician time with Intel® Active Management Technology.

10 Estimated Cost Savings* with Intel® AMT
Retail scenario: 20,000 kiosks
- Assume 50% of kiosks need rebooting at least once each year
- Estimate $100 per truck roll to reboot a kiosk
If the kiosks are equipped with Intel AMT:
- Reboot remotely, irrespective of power state or OS status
- Save $100 per truck roll
- 10,000 reboots = $1 million savings/year*
Intel AMT reduces TCO.
*This is a hypothetical scenario and an estimated value and is not based on actual data. Actual results may vary depending on scenarios.

11 Intel® AMT Usage Scenario: Gaming
Problem: Hardware failure at one of the gaming terminals.
Intel AMT Solution:
- Event monitor sends an alert and enables remote troubleshooting
- Remote OOB access as long as the hardware is connected to a power supply and LAN
- Obtain hardware inventory data stored in non-volatile memory
- Diagnose the problem to prepare for on-site repairs
- Fix the hardware in one trip

12 Remote Hardware Troubleshooting and Local Repair
Diagram: slot, poker and lottery machines connected over the network to a management console.
1. Failed hardware event received at the management console; engineer alerted
2. Remote diagnosis performed by analyzing event logs and boot history
3. Hardware asset/inventory enables remote identification of the failed component(s) and provides make/model info for replacement
4. Technician and hardware dispatched; platform repaired
Reduce on-site visits and system downtime with remote diagnosis and hardware info acquisition.
Notes: 1. The failed hardware event may be received by the console application; the user may also contact the Admin. 2. The engineer at the management console diagnoses remotely, out-of-band, via the FW-resident event log and SOL/IDER remote boot (Serial over LAN and IDE Redirection). 3. The engineer remotely identifies the failed hardware and gathers make/model info for replacement. 4. Technician and hardware dispatched; platform repaired. Note: one visit is needed (rather than 2+). Value: reduce visits with remote diagnosis and hardware info acquisition; reduce troubleshooting time and user downtime.

13 Intel® AMT Usage Scenario: Military, Aerospace and Government
Problem: Secure management; 24x7 protection of resources.
Intel AMT Solution:
- System Defense feature confirms the presence of critical security agents and isolates infected systems
- Event logging describes system behavior
- OS-independent feature makes the system immune to OS configuration issues
- End-point Access Control (EAC) feature provides compliance with various network security protocols
- Tamper-resistant agents

14 Block Harmful Viruses and Isolate Affected Devices
Proactive security threat blocking, hardware-based isolation and recovery.
Diagram: COTS products, embedded PCs and security devices connected over the network to a management console.
1. The System Defense capability scans incoming traffic for known viruses and worms
2. When a virus is found, the System Defense capability alerts, then isolates the infected system from the network or limits its transmission rate
3. The system sends an alert
4. The management system recognizes when security agents or management features were disabled and alerts staff
5. The management system installs updates and patches
Prevent an affected system from infecting others in the network without user intervention.
Notes: 1. The System Defense capability scans incoming traffic for known viruses and worms. 2. Based upon IT policy, the System Defense capability alerts, then isolates infected PCs from the network or simply limits their transmission rate until the problem can be investigated. 3. Using watchdog timers, Intel AMT quickly recognizes when critical management and security agents are disabled, either intentionally or accidentally, and immediately alerts IT staff; for example, it alerts IT staff when a personal firewall, anti-virus software or other software-based security agents are disabled. 4. Intel AMT uses OOB communications to automatically query systems for software versions and make the appropriate updates and patches, even if the systems are powered down. No user intervention is required to prevent the spread of viruses and worms across the network.

15 Intel® AMT Usage Scenario: Medical
Problem: Power management is needed for systems when they are not in use (MRI, X-Ray, Ultrasound, Diagnostic, Medical Clinical Assistants, Therapy systems), and the systems must be kept up to date.
Intel AMT Solution:
- Mobile power management policies balance power and performance according to the ACPI specs
- Power state monitoring of clients; a graph of the results helps identify the most active periods
- Alarm clock enables scheduled client wake-up from any sleep state (or turn OFF); a network connection is not required
- Local agents can perform scheduled tasks including software updates, with information stored in non-volatile memory

16 Increased Energy Efficiency: Save energy costs with power management policy software and Intel® AMT
Diagram: MRI, X-Ray, portable ultrasound, testing, diagnostic and medical clinical assistant systems connected over the network to a management console running an enterprise energy management agent.
1. The IT console sets the energy management policy with the agent
2. The system is powered down when inactive, based on policy
3. The system can be reliably activated for maintenance via the secure management channel
4. The energy management agent is protected via the agent presence monitor
Improve productivity and compliance by scheduling tasks for off hours.

17 Intel® AMT Usage Scenario: Telecommunication
Problem: A virus-infected carrier board may infect other boards in the network.
Intel AMT Solution:
- Intel AMT continuously checks for the presence of the management agent and policy-based security agents on remote devices and takes the necessary steps in case of a missing agent
- The System Defense feature can be used to block packet traffic through a network security policy
- Audit logs and the agent monitor allow easy interaction of the network security policy, heuristic filters and System Defense features of Intel AMT

18 Agent Presence Checking: Keeps the agent operating correctly
Diagram: carrier boards and telecommunication devices, each running Intel® AMT alongside a security agent and a management agent, connected over the network to a management console; Intel AMT checks "Agent present? YES/NO".
1. The management or security agent continuously checks in with Intel® AMT
2. The management agent fails to check in
3. The remote device alerts that the management agent is missing or non-functioning
4. The management console repairs the non-working management agent
Detect and contain viruses sooner to limit the exposure of other systems.
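The four-step check-in sequence on this slide, and the watchdog-timer description on slide 14 (an agent that stops checking in is reported once, and the IT policy decides whether the response is an alert, a transmission-rate limit or isolation), can be modelled in a few dozen lines. The Python below is an example added here; it is not Intel firmware or SDK code. The agent names, timeouts, policy actions and the heartbeat trace are all constructed for the example, and the monitor returns events rather than writing to a real event log.

```python
from dataclasses import dataclass


@dataclass
class Watchdog:
    agent: str
    timeout: float      # seconds an agent may go without checking in
    last_seen: float    # time of the last heartbeat
    missing: bool = False


class AgentPresenceMonitor:
    """Constructed model of per-agent watchdog timers (not Intel's implementation).

    Host agents call heartbeat(); tick() is the periodic timer sweep. The first
    sweep that finds an agent past its timeout records an 'agent-missing' event
    plus the policy action for that agent; a later heartbeat records
    'agent-restored'. No repeat alerts are raised while the agent stays missing.
    """

    def __init__(self, policy):
        # policy: agent name -> action when it goes missing ('alert',
        # 'rate-limit' or 'isolate'); unknown agents fall back to 'alert'.
        self.policy = policy
        self.timers = {}
        self.events = []     # (time, agent, event) records for the event log

    def register(self, agent, timeout, now):
        self.timers[agent] = Watchdog(agent, timeout, now)

    def heartbeat(self, agent, now):
        wd = self.timers[agent]
        wd.last_seen = now
        if wd.missing:
            wd.missing = False
            self.events.append((now, agent, "agent-restored"))

    def tick(self, now):
        """Timer sweep; returns only the events raised by this sweep."""
        raised = []
        for wd in self.timers.values():
            if not wd.missing and now - wd.last_seen > wd.timeout:
                wd.missing = True
                raised.append((now, wd.agent, "agent-missing"))
                raised.append((now, wd.agent, self.policy.get(wd.agent, "alert")))
        self.events.extend(raised)
        return raised


def run_trace(trace, timeouts, policy):
    """Replay a trace of ('hb', t, agent) and ('tick', t) records; return all events."""
    mon = AgentPresenceMonitor(policy)
    for agent, timeout in timeouts.items():
        mon.register(agent, timeout, now=0.0)
    for rec in trace:
        if rec[0] == "hb":
            mon.heartbeat(rec[2], rec[1])
        else:
            mon.tick(rec[1])
    return mon.events


# Constructed sample: the security agent checks in every 10 s throughout; the
# management agent stops after t=30 and comes back at t=70. Sweeps run every 5 s.
SAMPLE_TIMEOUTS = {"security-agent": 25.0, "mgmt-agent": 25.0}
SAMPLE_POLICY = {"security-agent": "isolate", "mgmt-agent": "alert"}


def sample_trace():
    trace = []
    for t in range(0, 81, 5):
        if t % 10 == 0:
            trace.append(("hb", float(t), "security-agent"))
            if t <= 30 or t == 70:
                trace.append(("hb", float(t), "mgmt-agent"))
        trace.append(("tick", float(t)))
    return trace


if __name__ == "__main__":
    for event in run_trace(sample_trace(), SAMPLE_TIMEOUTS, SAMPLE_POLICY):
        print(event)
```

With the sample trace the management agent is declared missing at t=60 (the first sweep more than 25 s after its last check-in at t=30), the "alert" policy action is raised alongside it, and its return at t=70 produces a single "agent-restored" event; the security agent never trips its timer.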

19 Intel® AMT Base Features
Asset Management:
- Remote Inventory (Hardware/Software)
- 3rd-party Data Storage
- Access Log (Event Management)
System Defense:
- Network Outbreak Containment
- Base Heuristics
- Agent Presence
OOB Features:
- Remote Configuration
- BIOS POST Code
- BIOS Update
- IDE Redirection (IDE-R)
- Serial Over LAN (SOL)
- Legacy Sensors
- Remote Boot Option
Intel® Management Engine Firmware 5.1 Corporate Production Version; Intel® Active Management Technology 4.1 PV Maintenance Release

20 Intel® AMT Security Features
- Transport Layer Security for secure communications across the OOB interface
- A certificate authority issues digital certificates for each device before provisioning
- HTTP digest authentication for remote access
- Single point of administration in enterprise mode
- System Defense to isolate a system from the network while still allowing management console connectivity
- Pseudo-random number generator in firmware to generate session keys
- Firmware and drivers digitally signed by Intel
- Access-controlled non-volatile data store and functionality
Notes: Remote Asset Management: software and hardware inventory. Remote Diagnosis and Repair: remote troubleshooting and recovery. Out-of-Band System Management allows remote management even if the systems are powered off or have no OS, as long as the systems are connected to the power supply and LAN; it runs on auxiliary power. System Defense Network Isolation is a set of security features of Intel® AMT: for example, continuously checking for the presence of security software agents, checking for malicious packets, blocking ports used by suspicious software to disable its access to the network, and isolating a system in case it is compromised. Mobile Power Management Policies is a set of power management features of Intel® AMT. 3rd Party Non-Volatile Storage allows a 3rd-party flash storage device to store AMT firmware information, inventory information and other 3rd-party software information. Sending BIOS POST codes (troubleshooting). Non-Volatile Storage survives power outages and system rebuilds; the BIOS uses the inventory results in NVM; remote access to the stored inventories. Third-party software agents that run on a managed system can register data into the NVM area; this data can be read later by their remote counterparts that run on a management console.

21 Intel® AMT Roadmap
Intel AMT 4.0 (Low Power Intel® Embedded Platform for 2008):
- Access Monitor
- Intel® Trusted Platform Module (TPM)
- Fast Call for Help (Wired)
- DASH 1.0
- EAC extensions for Microsoft* NAP* and Cisco* NAC
Intel AMT 5.0 (Scalable Platform, based on the Intel® Core™2 Duo Processor with Intel® vPro™ Technology):
- Access Monitor
- Intel TPM
- Fast Call for Help (Wired)
- DASH 1.0
- EAC extensions for NAP and NAC
- Intel® Remote PC Assist Technology
Notes on AMT 4.0: Access Monitor is the same as Event Management or Access Log. Support for Intel TPM provides iTPM information. Fast Call for Help: clients can initiate communication with the Management Server and be managed, to fix problems. DASH 1.0: support for DASH 1.0. EAC / MS NAP: AMT 4.0 provides support for Microsoft Network Access Protection (NAP), Microsoft's technology for ensuring security and protection of clients in a network; Cisco NAC is the competing technology. AMT 4.0 complies with MS NAP through the End Point Access Control (EAC) feature. Measured ME provides control, status, monitoring and security for the management sub-system. RPAT: CIRA over a public network. Support for IPv6. SHA2 encryption hash.
*Other names and brands may be claimed as the property of others.

22 Architecture

23 OOB Architectural Overview
Diagram: a management console connected over the Local Area Network (LAN) to the managed platform. The application software and operating system run on the processor, while the Intel® AMT ingredients (chipset, Ethernet NIC and non-volatile memory) sit on dedicated power rails (always ON) and provide OOB communication and control.
Notes: The unique feature of Intel AMT that distinguishes it from the other remote manageability solutions available on the market is its out-of-band capability: the ability to connect to a remote system even while the system is powered off or the OS is inoperable, as long as the system is connected to a power supply and the Local Area Network. Intel AMT provides an OOB communication channel that operates regardless of the state of the system's processor, OS or application software. AMT has its own non-volatile memory for its operation and also enables 3rd-party storage, which allows the latest software updates and inventory information to be available out of band. Dedicated power rails provide power to the platform elements that assist in AMT functions. The out-of-band network connectivity is built into the LAN controller through the Intel AMT chipset. The out-of-band feature allows you to perform remote repair, out-of-band alerting and remote boot options.

24 Intel® AMT 4.0 Hardware Architecture
- The ME controller built into the chipset is the Intel® Management Engine (ME), responsible for performing all Intel® AMT operations
- The I/O Controller (South Bridge) is enabled with the ME subsystem and provides power to various power wells when the rest of the power wells are shut down during sleep states
- Intel AMT enables OOB connectivity of the LAN controller and SPI through dedicated power rails (always ON); the NVM is in FLASH
Diagram: Intel® Core™2 Duo Processor connected over the FSB to the Intel® Express Chipset 4 Series (containing the ME; LVDS, CRT and TV-Out display outputs), connected via x4 DMI and C-Link to the ICH9 (ME subsystem, LAN, SPI), which connects over PCI Express* x1/GLCI and LAN Connect (LCI) to the Gigabit Ethernet LAN PHY, and over SPI to the SPI Flash NVM.
For more information refer to the Platform Design Guide.
*Other names and brands may be claimed as the property of others.

25 Intel® AMT Firmware Overview
- Intel AMT FLASH memory is shared by the Host, the ME and the LAN
- The Intel Management Engine BIOS extension (MEBx), as implemented by an OEM platform provider, enables Intel AMT
- Intel ME Firmware enables Intel AMT (the ME FW includes the Intel AMT or ASF FW)
- LAN Firmware: the GbE EEPROM provides Intel AMT network connectivity
- Minimum size ~32 Mb flash
- Platform Data: 3rd Party Data Store support
- The Descriptor holds information on the space allocated to each region of the flash image, the read/write permissions for each region, and vendor-specific data
- Dedicated power rail to the FLASH device for OOB operation
Diagram: SPI FLASH layout with the regions BIOS/MEBx, ME FW, GbE EEPROM, Platform Data and Descriptors.
Notes: The Flash memory associated with Intel AMT is shared by multiple masters (Host, ME, and LAN). The Flash protection scheme does not allow any master to perform a direct write to Flash, and read/write permissions to each Flash region are enforced in hardware. Each master has a Grant Override register that can override its descriptor permissions, giving other masters access to the region it owns. A security-override strap is used during initial manufacturing and service returns to program (or re-program) the Flash. Region boundaries are defined for BIOS, ME, GbE, and the Flash Descriptor. Master requester IDs are defined for BIOS, GbE, and ME, and read/write access is defined for each master in each region. The I/O controller hub hardware reads the Flash Descriptor at offset 0 at power-on reset. A 32-bit Flash signature is used to determine whether the system is operating in Descriptor Mode (with security). If an invalid signature is read, Descriptor Mode is disabled, and any master can access the entire Flash.
Intel AMT provides a general-purpose non-volatile data store for use by applications, with security equivalent to that provided by the OS for the file system. This data store is not a Trusted Platform Module; it is provided through a Storage Manager implemented in the ME firmware.
The data store accepts storage commands over the local host and network interfaces. Applications are uniquely identified using a concatenation of strings selected by the software vendor and platform owner, plus a unique user ID. It uses allocation lists to 'over-subscribe' the right to allocate, while only allocating actual storage to applications that are registered with the system, and protects the space allocated to one application from other applications unless the owning application grants permission. The structure, meaning, and sensitivity of the data placed into the non-volatile data store are transparent to the Storage Manager. Applications are responsible for any security mechanisms necessary to protect their stored data (e.g., encryption of sensitive data or keys). Applications are also responsible for backup and recovery of their Application ID, data-store configuration, and any stored data. The current minimum Flash size is 8 MB, defined as the sum of the space allocated to BIOS, ME firmware, and 3PDS. It supports partner space for four partners at 48 KB each, with no support for non-partner space. (This information is old.)
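The notes above give the defender's checklist for a flash image: a valid 32-bit signature so that Descriptor Mode (and with it hardware-enforced region permissions) is actually on, region boundaries for BIOS, ME, GbE and the descriptor, and a read/write access bit for every master in every region. The Python below is an example added here, not Intel tooling, that decodes those three things from an image and reports permission grants an integrator would not want to ship (a master that can rewrite the descriptor, or another master's region). The layout it assumes is the ICH9-era Flash Descriptor as I understand it: signature 0x0FF0A55A at offset 0x10, FLMAP0/FLMAP1 at 0x14/0x18 pointing at the region and master sections, region base and limit in 4 KiB pages, and per-master read bits 16..20 and write bits 24..28 in region order. All of those offsets, the region-owner policy, the requester IDs and the 4 KiB image it parses are constructed assumptions to verify against the chipset datasheet; the Grant Override registers and the security-override strap mentioned in the notes are not modelled.

```python
import struct

FLVALSIG = 0x0FF0A55A       # descriptor signature (assumed value; check the chipset datasheet)
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PlatformData"]
MASTERS = ["BIOS", "ME", "GbE"]
# Sample policy (an assumption): which master owns each region. PlatformData is
# the 3PDS area, which the notes say the ME's Storage Manager administers.
OWNER = {"BIOS": "BIOS", "ME": "ME", "GbE": "GbE", "PlatformData": "ME"}


def parse_descriptor(image: bytes) -> dict:
    """Decode the Flash Descriptor found at offset 0 of an SPI flash image."""
    if len(image) < 0x20:
        raise ValueError("image too small to contain a descriptor")
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != FLVALSIG:
        # Invalid signature: the chipset leaves Descriptor Mode off, so no
        # region or master permissions are enforced at all.
        return {"descriptor_mode": False, "regions": {}, "masters": {}}
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4     # region section base address
    fmba = (flmap1 & 0xFF) << 4             # master section base address
    regions = {}
    for i, name in enumerate(REGIONS):
        (v,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (v & 0x1FFF) << 12
        limit = (((v >> 16) & 0x1FFF) << 12) | 0xFFF
        regions[name] = None if base > limit else (base, limit)   # None = unused
    masters = {}
    for i, name in enumerate(MASTERS):
        (v,) = struct.unpack_from("<I", image, fmba + 4 * i)
        masters[name] = {
            "requester_id": v & 0xFFFF,
            "read": [r for j, r in enumerate(REGIONS) if v & (1 << (16 + j))],
            "write": [r for j, r in enumerate(REGIONS) if v & (1 << (24 + j))],
        }
    return {"descriptor_mode": True, "regions": regions, "masters": masters}


def audit_descriptor(image: bytes) -> list:
    """Sample pre-release policy: nobody writes the descriptor, and no master
    writes a region owned by another master. Returns human-readable findings."""
    d = parse_descriptor(image)
    if not d["descriptor_mode"]:
        return ["descriptor mode disabled: every master can read and write the whole flash"]
    findings = []
    for master, acc in d["masters"].items():
        for region in acc["write"]:
            if region == "Descriptor":
                findings.append(f"{master} can write the Flash Descriptor")
            elif OWNER[region] != master:
                findings.append(f"{master} can write the {region} region owned by {OWNER[region]}")
    return findings


def _region(base_page: int, limit_page: int) -> int:
    return base_page | (limit_page << 16)


def _master(requester_id: int, reads, writes) -> int:
    v = requester_id
    for r in reads:
        v |= 1 << (16 + REGIONS.index(r))
    for w in writes:
        v |= 1 << (24 + REGIONS.index(w))
    return v


def build_sample_image(locked: bool = True) -> bytes:
    """Constructed 4 KiB descriptor block for the example (not a real Intel image)."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, 0x10, FLVALSIG)
    struct.pack_into("<I", img, 0x14, (0x40 >> 4) << 16 | (0x20 >> 4))   # FRBA=0x40, FCBA=0x20
    struct.pack_into("<I", img, 0x18, 0x60 >> 4)                         # FMBA=0x60
    layout = [_region(0x000, 0x000),     # Descriptor   0x000000-0x000FFF
              _region(0x600, 0x7FF),     # BIOS         0x600000-0x7FFFFF
              _region(0x001, 0x4FF),     # ME           0x001000-0x4FFFFF
              _region(0x500, 0x501),     # GbE          0x500000-0x501FFF
              0x1FFF]                    # PlatformData unused (base > limit)
    for i, v in enumerate(layout):
        struct.pack_into("<I", img, 0x40 + 4 * i, v)
    if locked:   # production-style grants; requester IDs are made up
        masters = [_master(0x0000, ["Descriptor", "BIOS", "GbE"], ["BIOS"]),
                   _master(0x0000, ["Descriptor", "ME", "GbE", "PlatformData"], ["ME", "PlatformData"]),
                   _master(0x0118, ["Descriptor", "GbE"], ["GbE"])]
    else:        # manufacturing-style image: every master may write everything
        masters = [_master(rid, REGIONS, REGIONS) for rid in (0x0000, 0x0000, 0x0118)]
    for i, v in enumerate(masters):
        struct.pack_into("<I", img, 0x60 + 4 * i, v)
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("locked", build_sample_image()), ("open", build_sample_image(locked=False))):
        print(label, audit_descriptor(img) or "no findings")
```

Run against a dumped image the checks come out in the order a release review wants them: first whether Descriptor Mode is on at all (a corrupt signature silently removes every permission below it), then the per-master write grants, which is where a manufacturing-time image that was never re-locked shows up.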

26 Intel® AMT Software and Drivers
ISV Agent Applications: Console, Agent UI
- System Status Service monitors Intel AMT status
- User Notification Service (UNS) listens for special events happening on the system as a direct result of Intel AMT execution and logs them in the Event Viewer of Microsoft Windows*
- Local Management Service (LMS) runs in the host OS to provide a standard interface for network communication
- SOL driver: SOL communication
- Intel® ME Interface driver: software interface from the Host OS to the ME
Diagram: client SW/drivers (ISV Agent App, System Status Service, UNS, LMS, SOL, Intel® ME Interface Driver) and server SW (ISV Console App, Console Foundations).
Intel® Active Management Technology (Intel® AMT) drivers are provided with the Intel® AMT Firmware Release kit, available at the Intel Download Center.
*Other names and brands may be claimed as the property of others.

27 Intel® AMT Software Development Kit (SDK)
- Enables developers to build manageability applications that take full advantage of Intel AMT and its features
- Includes the full set of documentation, sample code and APIs needed for implementing Intel AMT
- Supports C++ and C# on Microsoft* Windows* and Linux* operating systems
- Delivered as a set of directories that can be copied to a location of the developer's choice on the development system
Download the Intel AMT SDK FREE at Intel® Software Network.
*Other names and brands may be claimed as the property of others.

28 Intel® AMT SDK Example: Redirection Library
- Intel AMT software supports SOL (text/keyboard) and IDER (floppy/CD) redirection
- The Intel AMT SDK provides a C interface for integration into third-party management consoles
- The Intel AMT SDK for redirection includes:
  - Redirection library: a C dynamic library (for Windows*) and a C static library (for Linux*) that provide support for SOL, IDER, etc.
  - Management console sample code for Windows and Linux to demonstrate the redirection capability
  - Header files that define the library API to external applications
*Other names and brands may be claimed as the property of others.

29 Intel® AMT Software Development Kit Example: Redirection Library (Continued)
- Integrate the SOL and IDER functionality into a third-party management console by using the C dynamic library in the SDK and linking it to the software and platform
- Use the sample code or the Windows* sample application to test the redirection capability
Screenshot: Intel® SDK Redirection Sample Console, adding the remote client.
*Other names and brands may be claimed as the property of others.

30 Intel® AMT Software Development Kit Example: Redirection Library (Continued)
- Provide the security certificate information to ensure a secure session; an example is provided with the SDK
- The client dialogue offers three groups of controls: TCP parameters, IDER and SOL

31 Intel® AMT Developer Tool Kit (DTK)
- Provides tools to assist with the training and development process when implementing Intel AMT in embedded systems
- Installed on the server system that will run the management console
- Tools include, but are not limited to: Intel AMT Commander, Intel AMT Outpost, Intel AMT Director, Intel AMT Network Defense Tool, Intel Net Status, Intel Net Traffic, Console Tool, Agent Tool, Setup & Configuration Tool, Network Monitor, Network Check Tool, Traffic Generation Tool
Download the DTK and quickly build high quality Intel AMT applications.

32 Intel® AMT Commander
Manageability Commander Tool: Hardware Asset, Network Policies, Watchdog Timers, Third-party Storage, Events/Alerts, SOL/IDER, Remote Management

33 Intel® AMT Director
Manageability Director Tool: Certificate Management, One-Touch Setup, Remote Configuration, TLS Security Setup, USB Flash Support

34 Intel® AMT Outpost
Manageability Outpost Tool: General Information, Watchdogs, Serial Agent, TLS Security

35 Intel® AMT Web Interface
http://ipaddress:16992

36 Implementation

37 Intel® AMT 4.0 Implementation
Low Power Platform Requirements
Hardware:
Processor: Intel® Core™2 Duo Processor P8400, T9400 (PGA); Intel® Core™2 Duo Processor P8400, SL9380, SL9400, SU9300, SP9300, T9400 (BGA)
Chipset: Mobile Intel® GM45 Express Chipset with Intel® 82801IEM I/O Controller; Mobile Intel® GS45 Express Chipset with Intel® 82801IUX-SFF I/O Controller
LAN Controller: Intel® 82567LM Gigabit Ethernet PHY
Firmware:
Intel AMT Firmware Kit (also includes Intel AMT drivers and BIOS extensions), available from the Intel Download Center
Intel® Management Engine Firmware 5.1 Corporate Production Version
Intel® Active Management Technology 4.1 PV Maintenance Release
Software:
Operating Systems, Management Server: Windows* XP Pro 32/64-bit; Windows 2003 Server 32/64-bit; Windows Vista* 32/64-bit; SUSE Linux Enterprise Server 10 SP2 32/64-bit
Operating Systems, Local AMT: Windows XP Pro 32/64-bit
Intel AMT Setup and Configuration Server (SCS) Kit (Provision Server)
Intel AMT SDK (Development System)
Management Software (for Server): Manageability DTK; Partner ISV using SDK: LANDesk*, BMC* Software, Computer Associates*, Symantec*, etc.
*Other names and brands may be claimed as the property of others.

38 Intel® AMT 5.0 Implementation
Scalable Platform Requirements
Hardware:
Processor: Intel® Core™2 Quad Processor Q9400; Intel® Core™2 Duo Processor E7400 & E4300; Intel® Core™2 Duo Processor E8400 & E6400
Chipset: Intel® Q45 Express Chipset with Intel® 82801JO I/O Controller
LAN Controller: Intel® 82567LM Gigabit Ethernet PHY
Firmware:
Intel AMT Firmware Kit (also includes Intel AMT drivers), available from the Intel Download Center
Intel® Management Engine Firmware 5.1 Corporate Production Version
Intel® Active Management Technology 4.1 PV Maintenance Release
Software:
Operating Systems, Management Server: Windows* XP Pro 32/64-bit; Windows 2003 Server 32/64-bit; Windows Vista* 32/64-bit; SUSE* Linux* Enterprise Server 10 SP2 32/64-bit
Operating Systems, Local AMT: Windows XP Pro 32/64-bit
Intel AMT Setup and Configuration Server (SCS) Kit (Provision Server)
Intel AMT SDK (Development System)
Management Software (for Server): Manageability DTK; Partner ISV using SDK: LANDesk*, BMC* Software, Computer Associates*, Symantec*, etc.
*Other names and brands may be claimed as the property of others.

39 Intel® AMT Setup and Configuration - Provisioning
Definition: "The process of enabling an Intel® Active Management Technology (Intel® AMT) device is called Provisioning"
Provisioning Approaches:
Manual installation and configuration
One-touch configuration – using USB
Zero-touch configuration – remote provisioning
Maintenance Actions and Routines:
Re-Provisioning
Un-Provisioning
Improve your Platform Manageability and Reduce Total Cost of Ownership with Intel® Active Management Technology

40 Intel® AMT Manual Installation and Configuration
Hardware Ready (Factory Default Configuration):
Intel AMT enabled processor, chipset and LAN controller
Intel FLASH storage
Firmware Ready (Setup):
Update the BIOS with the Intel AMT BIOS extension provided with the Intel AMT Firmware Kit (BIOS vendors: AMI*, Phoenix*, Insyde*, etc.)
Update the FLASH with the Intel AMT Management Engine (ME) firmware and the LAN firmware
Software Ready (Configuration - Remote Management Console and In-Band Functions):
Install the operating system (supported OS: Microsoft* Windows* XP, Windows 2003, etc.)
Install the Intel AMT drivers provided with the Intel AMT Firmware Kit
Independent software vendors can use the Intel AMT Software Development Kit and Development Tool Kit (DTK) to develop their own management console and incorporate their management features (ISVs: LANDesk*, BMC Software*, Computer Associates*, Symantec*, etc.)
Improve your Platform Manageability and Reduce Total Cost of Ownership with Intel® Active Management Technology
For more information, download the OEM Bring Up Guide available with the Intel AMT Firmware Release kit
*Other names and brands may be claimed as the property of others.

41 Intel® AMT SCS Enterprise Solution
SCS provides all the tools and performs the necessary steps to set up and configure a large number of Intel AMT enabled devices, remotely and automatically.
Provision Server (SCS) Workflow (diagram: Provision Server (SCS) and Intel AMT embedded devices):
1. Install SCS and load the SCS server with the initial data and the tools required for provisioning
2. Intel AMT devices send a "hello" message to SCS
3. Secure communication is established through TLS
4. SCS generates and sends: a Public Key Infrastructure certificate; Access Control Lists; the setup parameters defined in the device profile specific to the platform
For complete documentation and the SDK, download the Intel AMT SCS kit available at Intel® Software Network

42 SCS Components
Main Service: Windows* service that processes Setup and Configuration requests from Intel® AMT devices
SOAP API: API used by the SCS console to interact with the main service
Database Server: secure repository to store setup and configuration data, installed as a database instance in Microsoft* SQL Server
For more information, refer to the installation guide available with the Intel® AMT SCS kit

43 One Touch Configuration using USB key
Diagram components: SQL DB, Provision Server, DNS/DHCP, Management Console, Intel® AMT embedded devices
1. Keys generated and data stored to USB
2. One-touch provisioning
3. Client boots and requests provision server
4. Client sends "Hello" packet
5. Server assigns profile and provisions client
One-touch configuration automates the process of securely setting up and configuring embedded devices
Notes:
Revised for Manage Fusion – PKI/CA and Active Directory removed; focus on core provisioning automation
Keys generated or loaded on the SCS system into the database.
Key loaded to the USB key; the key contains PID, PPS, and pwd. It is inserted into the client and the client is powered up.
Intel AMT that is ready for setup (i.e. in setup state, NOT factory-default state) requests an IP address from the DHCP server.
NOTE: With One Touch Configuration using a USB key, the file contains PPS, PID, and password. These are generated and stored in the SCS database. If an external party generates the keys/file, they must be imported into the local SCS system.
The AMT device performs a DNS lookup with the default SCS service server name (e.g. ProvisionServer).
NOTE: There is only one SCS database instance. Other SCS components can be spread across systems.
The AMT device sends the TCP/IP "Hello" message.
NOTE: The client hello packet contains UUID, PID, pwd, IP address, ROM versions, and firmware versions.
Based on the UUID in the "Hello" message, the SCS service searches the database to locate the PROFILE and HOST NAME to be used for setup and configuration of the device.
NOTE: OOBM attempts to resolve UUID/FQDN via the Altiris CMDB, DNS reverse lookup, or the Altiris agent on the client. If the FQDN cannot be determined (such as a bare-metal setup), OOBM will wait for manual entry at the console.
The following steps are NOT applicable to this slide/scenario:
SCS establishes a TLS session with the client
Mgmt Console/Server requests a certificate from the CA
TLS session set up with the PPS (known by client and server, yet not shared openly)
Certificate passed to the client
Integration with ADS: based on the defined profile, a vPro object is created within the ADS OU; users/groups associated
Additional SOAP messages exchanged to complete configuration and perform cleanup
An Intel AMT device supporting Release 2.0 or later can be initialized with a public identifier and a private key (a PID/PPS pair). The configuration server must have these two values as well as the internal UUID of the Intel AMT device for the configuration process to start. The secure handshake done using this information allows the setup and configuration process to take place on an open enterprise network.
• TLS requires that each Intel AMT device has a signed certificate that is traceable to a Certification Authority. The setup and configuration application implements the process required to request, sign, and install a server certificate in an Intel AMT device.
• Mutual authentication requires that an Intel AMT device have a trusted root certificate installed. This certificate will be used to validate clients that attempt to access the Intel AMT device. This includes both remote applications (generally referred to as management consoles) and applications running on the local host processor that communicate with Intel AMT, for example an anti-virus application.
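As an added illustration of the one-touch notes above (not part of the original slides and not Intel's SCS or firmware code), the following Python model walks through the SCS key record, the USB key file, the device's Hello and a proof of the PPS that never puts the PPS itself on the wire. The JSON file layout, the Hello fields, the HMAC challenge-response standing in for the TLS session set up with the PPS, the key lengths and all class and function names are this example's own assumptions.

```python
"""Constructed model of the one-touch (USB key) flow: SCS generates PID/PPS/pwd,
writes them to the USB key, the device loads them, sends a Hello with its UUID and
PID, and proves knowledge of the PPS by challenge-response so the PPS never crosses
the network. Layouts, field names and the HMAC proof are this example's stand-ins,
not Intel's setup.bin format or TLS-PSK handshake."""
import hashlib
import hmac
import json
import secrets


def generate_keys() -> dict:
    """SCS side: create the PID, PPS and admin password for one USB key.
    Lengths are constructed for the example, not the real PID/PPS sizes."""
    return {
        "pid": secrets.token_hex(4).upper(),   # public identifier, may be printed on the key
        "pps": secrets.token_hex(16),          # pre-shared secret, stays off the wire
        "pwd": secrets.token_urlsafe(12),      # admin password
    }


def write_usb_file(record: dict) -> bytes:
    """Serialise the record for the USB key (constructed JSON layout)."""
    return json.dumps(record).encode()


def read_usb_file(blob: bytes) -> dict:
    return json.loads(blob.decode())


def prove_pps(pps: str, challenge: bytes, device_uuid: str) -> bytes:
    """Proof of PPS possession bound to the device UUID (stand-in for TLS-PSK)."""
    return hmac.new(pps.encode(), challenge + device_uuid.encode(), hashlib.sha256).digest()


class SCS:
    """Provision server: key records by PID, device profiles by UUID."""

    def __init__(self):
        self.keys = {}       # pid -> record from generate_keys() or imported
        self.devices = {}    # uuid -> {"profile": ..., "hostname": ...}
        self._pending = {}   # uuid -> (pid, challenge) awaiting proof

    def register_keys(self, record: dict) -> None:
        self.keys[record["pid"]] = record

    def register_device(self, device_uuid: str, profile: str, hostname: str) -> None:
        self.devices[device_uuid] = {"profile": profile, "hostname": hostname}

    def handle_hello(self, hello: dict):
        """Look up PID and UUID from the Hello; unknown devices get no challenge."""
        if hello["pid"] not in self.keys or hello["uuid"] not in self.devices:
            return None
        challenge = secrets.token_bytes(16)
        self._pending[hello["uuid"]] = (hello["pid"], challenge)
        return challenge

    def verify_proof(self, device_uuid: str, proof: bytes):
        """Accept the proof only for the PID and challenge issued to this UUID."""
        pending = self._pending.pop(device_uuid, None)
        if pending is None:
            return None
        pid, challenge = pending
        expected = prove_pps(self.keys[pid]["pps"], challenge, device_uuid)
        if not hmac.compare_digest(expected, proof):
            return None
        return dict(self.devices[device_uuid])   # profile assigned: device provisioned


class AmtDevice:
    """Managed device already placed in setup state (not factory default)."""

    def __init__(self, device_uuid: str, fw_version: str):
        self.uuid = device_uuid
        self.fw_version = fw_version
        self.pid = self.pps = self.pwd = None

    def load_usb(self, blob: bytes) -> None:
        """The USB key is inserted and the device powered up."""
        record = read_usb_file(blob)
        self.pid, self.pps, self.pwd = record["pid"], record["pps"], record["pwd"]

    def hello(self) -> dict:
        """Constructed Hello: UUID, PID and firmware version; the PPS is never included."""
        return {"uuid": self.uuid, "pid": self.pid, "fw_version": self.fw_version}

    def answer(self, challenge: bytes) -> bytes:
        return prove_pps(self.pps, challenge, self.uuid)


def run_one_touch(device: AmtDevice, scs: SCS):
    """Hello, challenge and proof end to end; returns the profile or None on failure."""
    challenge = scs.handle_hello(device.hello())
    if challenge is None:
        return None
    return scs.verify_proof(device.uuid, device.answer(challenge))


if __name__ == "__main__":
    scs = SCS()
    record = generate_keys()
    scs.register_keys(record)
    scs.register_device("11111111-2222-3333-4444-555555555555", "embedded-kiosk", "kiosk-01.example.com")
    device = AmtDevice("11111111-2222-3333-4444-555555555555", "4.1")
    device.load_usb(write_usb_file(record))
    print(run_one_touch(device, scs))
```

The two failure paths worth noticing are a device whose UUID is not in the SCS database (no profile and host name can be found, so no challenge is issued) and a key file carrying the wrong PPS (the proof does not verify and the device is not provisioned); in neither case does the SCS learn or reveal the PPS.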

44 Zero-Touch Configuration Via Network
Diagram components: SQL DB, Provision Server, DNS/DHCP, Management Console, Intel® AMT client embedded devices pre-programmed with at least one active root certificate hash
1. Client sends "hello" packet to SCS
2. SCS server sends the trusted root certificate matching a hash received with the "hello" message
3. Client validates the SCS certificate
4. Client verifies that the certificate's domain suffix matches the DNS suffix and establishes communication
5. Server assigns profile and provisions client
Remote configuration eliminates the need for IT personnel to manually install security keys to enable setup
Notes:
Embedded hashed root certificates: the Intel AMT device contains one or more root certificate hashes from worldwide SSL certificate providers in the firmware image. As part of the "Hello" message, the Intel AMT device sends all of the hashes to the SCS. When the SCS authenticates to the Intel AMT device, it must do so with a certificate compatible with one of the hashed root certificates.
Self-signed certificate: the Intel AMT device produces a self-signed certificate that it uses to authenticate to the SCS. The SCS must be configured to accept such a certificate.
Releases 2.2, 2.6 and 3.0 and later releases support "Remote Configuration". This feature allows setup and configuration of an Intel AMT device without having to install a PID/PPS pair. Platforms that support Remote Configuration always use mutual authentication during setup and configuration. They have one or more pre-installed root certificate hashes used to authenticate the setup and configuration application. The Intel AMT device sends a self-signed certificate used by the setup and configuration server to establish a secured connection with the Intel AMT device. The protocol used is PKI-CH (Public Key Infrastructure – Certificate Hash).
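As an added illustration of the client-side checks in steps 1 to 4 above (not part of the original slides and not Intel's firmware or SCS code), the following Python model sends a Hello carrying the firmware's root certificate hashes, lets the SCS answer with a certificate chain, and has the device accept the chain only when its root hashes to a known value and the server name sits under the DNS suffix the device obtained. Certificates are plain dataclasses standing in for X.509, the hash is SHA-256 over a constructed encoding, signature verification of the chain is assumed to be done by the TLS stack, and every name and sample value is this example's own assumption.

```python
"""Constructed model of the zero-touch (PKI-CH) client checks: root-hash membership,
issuer linkage and a label-boundary DNS suffix match. Certificates are dataclasses,
not X.509; chain signatures are assumed verified by the TLS stack."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # server FQDN for a leaf, CA name for a root
    issuer: str    # subject of the certificate that signed this one
    der: bytes     # constructed stand-in for the DER encoding that gets hashed


def cert_hash(cert: Cert) -> str:
    """Root hash as the firmware stores it: SHA-256 over the encoded certificate."""
    return hashlib.sha256(cert.der).hexdigest()


def build_hello(device_uuid: str, root_hashes: set) -> dict:
    """Step 1: constructed Hello carrying every active root hash (no PID/PPS needed)."""
    return {"uuid": device_uuid, "root_hashes": sorted(root_hashes)}


def scs_select_chain(hello: dict, chains: list):
    """Step 2: the SCS must answer with a chain rooted in a hash the device sent."""
    for chain in chains:
        if cert_hash(chain[-1]) in hello["root_hashes"]:
            return chain
    return None


def suffix_matches(fqdn: str, dns_suffix: str) -> bool:
    """Step 4: label-boundary suffix check. 'scs.example.com' is under 'example.com';
    'scs.notexample.com' is not, even though it ends with the same characters."""
    fqdn = fqdn.lower().rstrip(".")
    dns_suffix = dns_suffix.lower().rstrip(".")
    return fqdn == dns_suffix or fqdn.endswith("." + dns_suffix)


def device_validate(chain, root_hashes: set, dns_suffix: str) -> bool:
    """Steps 3 and 4 on the device: root hash membership, issuer linkage, suffix."""
    if not chain:
        return False
    if cert_hash(chain[-1]) not in root_hashes:       # unknown root: reject
        return False
    for child, parent in zip(chain, chain[1:]):       # each cert issued by the next one
        if child.issuer != parent.subject:
            return False
    return suffix_matches(chain[0].subject, dns_suffix)


def run_zero_touch(device_uuid: str, root_hashes: set, dns_suffix: str, chains: list) -> bool:
    """Whole exchange: True only when the device would go on to establish the session."""
    chain = scs_select_chain(build_hello(device_uuid, root_hashes), chains)
    return device_validate(chain, root_hashes, dns_suffix)


# Constructed sample material: one root the firmware trusts and one it does not.
ROOT_TRUSTED = Cert("Example Root CA", "Example Root CA", b"constructed-der-root-trusted")
ROOT_OTHER = Cert("Other Root CA", "Other Root CA", b"constructed-der-root-other")
FIRMWARE_HASHES = {cert_hash(ROOT_TRUSTED)}

CHAIN_GOOD = [Cert("scs.example.com", "Example Root CA", b"leaf-good"), ROOT_TRUSTED]
CHAIN_WRONG_ROOT = [Cert("scs.example.com", "Other Root CA", b"leaf-other"), ROOT_OTHER]
CHAIN_WRONG_SUFFIX = [Cert("scs.notexample.com", "Example Root CA", b"leaf-bad-name"), ROOT_TRUSTED]

if __name__ == "__main__":
    print(run_zero_touch("dev-1", FIRMWARE_HASHES, "example.com", [CHAIN_GOOD]))
```

The suffix check is written to match on a label boundary because a plain string suffix test would let a certificate for a name that merely ends in the same characters pass step 4; the root-hash check is what ties the whole exchange back to the hashes burned into the firmware rather than to whatever certificate happens to arrive.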

45 Summary
Intel® Active Management Technology enables embedded equipment OEMs to provide their customers with:
Decreased downtime
Increased security
State-of-the-art remote management
Out-of-Band management
Long life support
Rich ecosystem of hardware and software vendors
Improve your Platform Manageability and Reduce Total Cost of Ownership with Intel® Active Management Technology
Improve platform manageability and reduce TCO with Intel Active Management Technology

46 For more information, visit the following links:
Intel® Active Management Technology for Embedded and Communication Applications
Manageability Technology for Embedded and Communications Applications
Intel® Product Technologies for Embedded and Communications Applications
Intel® Software Network – Manageability
Intel vPro Expert Center for blogs on Intel AMT by developers and manageability forums
Videos:
Intel® Active Management Technology – Remote Platform Management
Intel® Active Management Technology – One Touch Setup using Intel® AMT Director Management Console
Intel® Active Management Technology Developer Tool Kit Video Pack

47 Intel® Active Management Technology Downloads
Intel® Active Management Technology (Intel® AMT) Software Development Kit (SDK): contains the building blocks and documentation material needed to develop software that interacts with Intel AMT systems
Intel AMT Developer Tool Kit (DTK): provides a full set of documentation, sample code in C# and the APIs needed for implementing Intel AMT
Intel AMT Setup and Configuration Service (SCS): includes tools and documentation to set up and configure Intel AMT devices remotely and automatically
Intel AMT Reference Design Kit: includes a set of open source building blocks similar to the Intel AMT DTK; however, it provides a solution written in Java on Linux* and is based on older versions of Intel AMT. This kit is no longer being updated or maintained
Intel AMT Open Source Drivers and Tools: the Openamt project is an open-source project providing drivers and tools to support Intel AMT on Linux and other operating systems
Intel AMT Add-on for Microsoft* SMS 2003: includes a plug-in utility to extend the functionality of Microsoft SMS
Intel AMT WS-Management Translator for Intel® vPro™ Technology: makes it possible for WS-Management based software to be used in conjunction with Intel AMT platforms older than version 3.0
For a full list of available downloads on Intel AMT:

48 Glossary of Terms
EAC: Endpoint Access Control. Allows IT administrators to implement differentiated policy enforcement and configuration based on the security state of the endpoint.
ACPI: Advanced Configuration and Power Interface specification. A standard for universal device configuration and power management by operating systems.
SHA: Secure Hash Algorithm. The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency.
TLS: Transport Layer Security. Provides endpoint authentication and data encryption for communication over the internet.
PKI: Public Key Certificate, also termed an Identity Certificate; used to associate a digital signature to a public key with an identity so the owner of the digital signature can be identified.
SOAP: Simple Object Access Protocol.
OOB: Out Of Band management enables management irrespective of the operating status or power state of a device, as long as the device is connected to a power supply and a Local Area Network (LAN).
IDE/IDER: Integrated Device Electronics is a parallel interface standard for connecting computer storage devices such as hard disks, solid-state devices and CD-ROMs. Integrated Device Electronics Redirection is a feature in Intel® Active Management Technology (Intel® AMT) that enables redirection of information from an IDE device on a server to a remote Intel AMT managed system.
NAC: Network Access Control is a networking solution that uses a set of protocols to implement a policy to screen devices that initially attempt to access a node or computer on a network.
NAP: Network Access Protocol is a networking solution by Microsoft* to control access to network resources based on a client's identity and compliance with corporate governance policy.
