Remote provisioning (zero-touch provisioning)

For vPro devices with AMT version 2.3 and later, zero-touch provisioning is still possible. Remote provisioning lets you configure a vPro device in a factory default state to a fully provisioned state (Admin Control Mode) through the use of SSL certificates created specifically for vPro management.

Remote provisioning prerequisites

There are two main requirements for remote provisioning to work:

  1. Provisioning certificate
  2. DHCP option 15 support

Provisioning certificate

Intel requires a certain level of nonrepudiation in order to allow vPro provisioning to occur. This removes the burden of secure identity verification from the end user. For example, when a machine is provisioned in Client Control Mode, the user will be required to allow a KVM session. When the KVM session is initiated from the console, the user is prompted with a 6-digit number in a pop-up window. The user must then contact the person who initiated the KVM session (typically by phone) and relay the 6-digit code. This puts the burden of security on the end user. While this is acceptable in some environments, many organizations want to leverage infrastructure to provide a secure environment without interrupting the end user. Using certificates, a machine can be provisioned in Admin Control Mode and the end user is not required to relay the code.

With the provisioning certificates in place on the core, remote provisioning is as seamless and easy as host-based provisioning. When the agent is installed on the machine, vPro is provisioned in Admin Control Mode. This is accomplished through an exchange of certificate information and leverages organizational naming.

The following are the steps that occur between a vPro device and the Ivanticore during the Ivantiagent installation. The first step has been modified to reflect the Ivantiimplementation.

  1. The Ivanti web service receives a provisioning request from the vPro device during agent install. This initiates the provisioning process.
  2. The provisioning server (Ivanti core server) sends the provisioning certificate to the client with the certificate’s full chain of trust including the root certificate via a secure AMT API call. This root certificate would reflect the certificate authority vendor used and will include the certificate authority vendor’s thumbprint.
  3. The AMT firmware on the client computer parses the provisioning certificate, verifies that the chain of trust is not broken, extracts the root certificate thumbprint and compares it against the thumbprint’s table present in the client’s Intel® AMT firmware. Provisioning stops here if no match is found.
  4. The client computer gets the domain from DHCP Option 15 setting and verifies that the suffix matches the CN field from the certificate. The way a match is determined depends on the client computer’s Intel® AMT firmware version and the provisioning certificate type used. Provisioning stops here if no match is found.
  5. The remote configuration certificate is now successfully verified and provisioning process continues as normal.

For more information, see https://www.intel.com/content/dam/support/us/en/documents/technologies/remote-configuration-certificate-selection.pdf

Obtaining and installing an Intel Provisioning Certificate

An Intel Provisioning Certificate is required for remote configuration. The certificate must be purchased from an approved certificate vendor (Verisign, GoDaddy, etc) and must be a supported class.

NOTE: Before you purchase a certificate, verify in the vendor's documentation or support information which certificates are supported on your device.

When you purchase a certificate, you need to provide a CSR (certificate signing request) file to the vendor you are purchasing the certificate from. This file is generated for your Ivantiproduct along with a private key file. You must specify the correct DNS domain information as part of the CSR process to ensure it matches your DNS infrastructure. After you receive the certificate files from the vendor, the private key file is saved in a directory with a shared public key file and the certificate file from the vendor.

Once the provisioning certificate has been obtained, it needs to be stored on the Ivanti core. Copy all the certificate files (including the private key generated by the CSR process) into the folder:

\\<name of Ivanticore server>\Ivanti\Endpoint Manager\amtprov\certStore\cert_1

For further information on obtaining and managing provisioning certificates, please visit the Ivanti Community article: Intel AMT/vPro Frequently Asked Questions.

DHCP option 15

DHCP option 15 is required during remote provisioning. This option returns the DNS domain name information as part of the DHCP response from the attached router. As mentioned in step 5 above, the client verifies that the suffix returned by DHCP (for example, landesk.com) matches the CN field from the provisioning certificate for another level of validation in the provisioning process.

NOTE: Remote Provisioning will only work if DHCP option 15 is turned on at the router and the suffix of the certificate matches the client DNS domain information at the vPro device. The Ivanticore server must also have the same DNS domain suffix as specified in the provisioning certificate.