Configuring Intel vPro devices
Devices equipped with Intel vPro functionality should be configured (or "provisioned") when they are first set up and powered on, to enable Intel vPro features. This process includes several security measures to ensure that only authorized users have access to the Intel vPro management features.
Intel vPro devices communicate with a provisioning server on the network. This provisioning server listens for messages from Intel vPro devices on the network and allows IT staff to manage servers through out-of-band communication regardless of the state the device’s OS is in. The core server acts as a provisioning server for Intel vPro devices and includes features that help you provision devices when you set them up. You can then manage the devices with or without additional management agents.
Intel vPro provisioning options
There are three general ways you can provision Intel vPro devices. The provisioning method you use depends on the Intel AMT version number of the devices you manage and also on your own preferences. Information about each provisioning method is provided in other help topics as noted below.
One-touch provisioning (using provisioning IDs)
With one-touch provisioning you can use Endpoint Manager to generate a set of provisioning IDs (PID and PPS). These IDs are entered in the device BIOS to ensure a secure connection with the provisioning server during the initial provisioning process. This one-touch process can be used to configure devices with release 2.0 and later.
For more information, see Using provisioning IDs (one-touch provisioning).
Zero-touch provisioning (remote configuration using certificates)
Devices with release 2.2/2.6 and later can also be configured using remote configuration (also referred to as zero-touch provisioning). This process does not require the transfer of PID/PPS IDs, but is initiated automatically after the device's "hello" packet is received by the provisioning server (core server) or after an Ivanti management agent is deployed on the Intel vPro device. An Intel Client Setup certificate from an authorized certificate vendor must be installed on the core server to use remote configuration.
For devices with Intel vPro release 3.0 and later, a "bare metal" or agentless remote configuration is also supported.
For more information, see Remote provisioning (zero-touch provisioning).
Automatic provisioning for Intel vPro 6.2 and higher
Endpoint Manager automatically provisions Intel vPro devices with AMT version 6.2 and higher. If you have entered a password in the Intel vPro General Configuration dialog box, but you have not set a PID on the devices or provided a zero-touch certificate, your devices are provisioned using Client Control mode. This mode limits some Intel vPro functionality, reflecting the lower level of trust required to complete the device setup.
If you have entered a password in the Intel vPro General Configuration dialog box and you have either set a PID on the devices or provided a zero-touch certificate, devices are provisioned using Admin Control mode, which places no limitations on Intel vPro functionality, reflecting the higher level of trust associated with that device setup.
For more information, see Host-based provisioning (automatic provisioning).
NOTE: The information in this section is a general description of the Intel vPro configuration process. Individual manufacturers implement Intel vPro functionality in different ways, and there may be differences in such areas as accessing the Intel AMT or ME BIOS screens, resetting the device to factory mode (unprovisioning), or the way that PID/PPS key pairs are provided. Consult the documentation and support information provided by device manufacturers before you begin the configuration process.
Using static IP addresses with Intel vPro devices
Because Intel vPro devices have two components that are assigned an IP address—the Intel vPro chip and the device’s operating system—you can potentially have two entries in your list of discovered devices for the same Intel vPro device. This happens only if you want to use a static IP address rather than using DHCP.
To use static IP addresses with Intel vPro devices, the Intel vPro firmware should be configured with its own MAC address. (For instructions on how to re-install the firmware and configure it properly, contact Intel.)
Once configured, the Intel vPro device will have a different MAC address, IP address, and host name than the device OS. To be able to manage Intel vPro devices correctly, you need to use the following settings for DHCP and static IP addresses:
- DHCP: Both the OS and Intel vPro use DHCP and the host names are the same.
- Static IP: Both the OS and Intel vPro are set to use static addresses and they are different from each other, the MAC addresses are different, and the host names are also different.
If an Intel vPro 2.x machine is provisioned in Enterprise mode, the only way to communicate with it is via the “hello” packet being sent to the setup and configuration server. After the machine is managed by Ivanti software, Intel vPro operations may be performed on it like normal. What you should not do is discover and manage the OS IP address; otherwise you will have two computer entries that represent the same computer. Because the only common identifier between the two devices is the AMT GUID, and because the AMT GUID can't be found remotely for the OS device, the two entries can't be merged.
If you want to install the Ivanti agents, you can't push an agent configuration, because the only IP address in the database is the Intel vPro IP address, and the push utility needs access to the OS. Instead, the agents need to be pulled (from the managed Intel vPro device) by mapping a drive to the share where you have saved a self-contained client installation package and running the executable file for the agent configuration.
Before pulling the agents, we recommend that you change a setting in the Configure Services utility that forces the core server to check for the AMT GUID as part of identifying a device.
To use the AMT GUID as an identity attribute
- Click Start > Ivanti > Ivanti Configure Services.
- On the Inventory tab, click Device IDs to manage duplicate records.
- In the Attributes List, expand AMT Information.
- Scroll down and move the AMT GUID attribute to the Identity Attributes list.
This will force the AMT GUID to be one of the attributes that can uniquely identify a computer.
After you change this setting, when the Inventory scan from the managed Intel vPro device is imported into the database, the Inventory service matches the Intel AMT GUID from the device that’s already in the database with the OS information in the scan file.
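The following Python script is an added illustration (not Ivanti code and not the Inventory service's actual implementation) of the two rules described above: the DHCP/static addressing rules for the OS and Intel vPro halves of one device, and the effect of adding the AMT GUID to the identity attributes when the OS inventory scan is imported. The records, attribute names and GUID are constructed stand-ins for the Endpoint Manager inventory attributes named in the text; only the behaviour (no match without the AMT GUID, so a duplicate entry appears; a match and merge with it) follows the page.

```python
from typing import Iterable, List, Optional

# Hypothetical attribute names standing in for the inventory attributes the
# text names (MAC address, host name, AMT GUID).
DEFAULT_IDENTITY_ATTRS = ("mac_address", "host_name")
IDENTITY_ATTRS_WITH_AMT = DEFAULT_IDENTITY_ATTRS + ("amt_guid",)
ADDRESS_KEYS = ("ip_address", "mac_address", "host_name")

# Constructed sample records; the GUID and addresses are not real devices.
VPRO_ENTRY = {  # entry created when the core server received the hello packet
    "amt_guid": "11111111-2222-3333-4444-555555555555",
    "addressing": "static",
    "ip_address": "10.0.0.50",
    "mac_address": "00:1b:21:aa:bb:01",
    "host_name": "vpro-lab01",
}
OS_SCAN = {  # inventory scan produced by the agent pulled onto the device OS
    "amt_guid": "11111111-2222-3333-4444-555555555555",
    "addressing": "static",
    "ip_address": "10.0.0.51",
    "mac_address": "00:1b:21:aa:bb:02",
    "host_name": "lab01",
    "os_name": "Windows 10",
}


def check_addressing(os_rec: dict, vpro_rec: dict) -> List[str]:
    """Check one device's OS side and Intel vPro side against the DHCP/static rules."""
    if os_rec["addressing"] != vpro_rec["addressing"]:
        return ["OS and Intel vPro must both use DHCP or both use static IP"]
    if os_rec["addressing"] == "dhcp":
        # DHCP: host names must match; addresses are assigned by the server.
        if os_rec["host_name"] != vpro_rec["host_name"]:
            return ["DHCP: OS and Intel vPro host names must be the same"]
        return []
    # Static: IP address, MAC address and host name must all differ.
    return [f"static: {key} must differ between OS and Intel vPro"
            for key in ADDRESS_KEYS if os_rec[key] == vpro_rec[key]]


def find_existing(db: List[dict], scan: dict, identity_attrs: Iterable[str]) -> Optional[dict]:
    """Return the first database record sharing any identity attribute with the scan."""
    for rec in db:
        for attr in identity_attrs:
            if attr in rec and attr in scan and rec[attr] == scan[attr]:
                return rec
    return None


def merge_scan(existing: dict, scan: dict) -> None:
    """Fold the OS scan into the vPro entry while keeping the vPro addressing intact."""
    for key, value in scan.items():
        if key in ADDRESS_KEYS:
            existing["os_" + key] = value  # OS-side address kept alongside the vPro one
        elif key not in ("amt_guid", "addressing"):
            existing[key] = value


def import_scan(db: List[dict], scan: dict, identity_attrs: Iterable[str]) -> List[dict]:
    """Merge the scan into a matching record, or add it as a new (duplicate) entry."""
    match = find_existing(db, scan, tuple(identity_attrs))
    if match is None:
        db.append(dict(scan))
    else:
        merge_scan(match, scan)
    return db


def simulate(identity_attrs: Iterable[str]) -> List[dict]:
    """Import the OS scan into a database holding only the vPro entry."""
    db = [dict(VPRO_ENTRY)]
    return import_scan(db, dict(OS_SCAN), identity_attrs)


if __name__ == "__main__":
    print("addressing issues:", check_addressing(OS_SCAN, VPRO_ENTRY))
    for attrs in (DEFAULT_IDENTITY_ATTRS, IDENTITY_ATTRS_WITH_AMT):
        print(attrs, "->", len(simulate(attrs)), "record(s)")
```

With only the MAC address and host name as identity attributes, the static-IP scan shares nothing with the existing vPro entry and a second record is created; with the AMT GUID added, the scan is matched and merged into one record that retains both the vPro address and the OS address.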
Copyright © 2019, Ivanti. All rights reserved.