Dell™ Systems Management Administrator's Guide

About Intel® Active Management Technology
Deployment
Intel AMT Setup and Configuration Overview
Intel Management Engine BIOS Extension (MEBx)
Provisioning: Setup and Configuration Completion
Using the Intel AMT WebGUI
Redirecting Serial and IDE Communications
Troubleshooting

Notes, Notices, and Cautions

NOTE: A NOTE indicates important information that helps you make better use of your computer.
Deployment

Once you are ready to deploy a computer to a user, plug the computer into a power source and connect it to the network. Use the integrated Intel® 82566DM NIC. Intel Active Management Technology (Intel AMT) does not work with any other NIC solution. When the computer is turned on, it immediately looks for a setup and configuration server (SCS).
Intel® Management Engine BIOS Extension (MEBx)

Intel MEBx Overview
Configuring the Intel Management Engine (ME)
Configuring Your Computer to Support Intel AMT Features
MEBx Default Settings

MEBx Overview

The Intel® Management Engine BIOS Extension (MEBx) provides platform-level configuration options for you to configure the behavior of the Management Engine (ME) platform.
• Eight characters
• One uppercase letter
• One lowercase letter
• A number
• A special (nonalphanumeric) character, such as !, $, or ; excluding the :, ", and , characters.

The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.

Configuring the Intel® Management Engine (ME)

To reach the Intel® Management Engine (ME) Platform Configuration page, follow these steps:
1. 2. 3.
When enabled, the ME State Control option lets you disable ME to isolate the ME computer from the main platform while debugging a field malfunction. The table below illustrates the details of the options.

ME Platform State Control

| Option | Description |
|---|---|
| Enabled | Enable the Management Engine on the platform |
| Disabled | Disable the Management Engine on the platform |

In fact, the ME is not really disabled with the Disabled option.
ME Firmware Local Update Qualifier Option

| Option | Description |
|---|---|
| Always Open | The ME firmware local update channel is always enabled. A boot cycle does not change enabled to disabled. The ME FW Local Update option can be ignored. |
| Never | The ME firmware local update channel is controlled by the ME FW Local Update option, which can be enabled or disabled. A boot cycle changes enabled to disabled. |
| Restricted | The ME firmware local update channel is always enabled only if Intel AMT is in un-provision state. |
The power package selected determines when the ME is turned ON. The default power package turns off the ME in all Sx (S3/S4/S5) states. The end user administrator can choose which power package is used depending on computer usage. The power package selection page can be seen above.
The Intel AMT Configuration page contains the user-configurable options listed below. For images of these menu options, see Enterprise Mode and SMB Mode.

Menu Options

• Host Name
• TCP/IP
• Provision Model
• Setup and Configuration
• Un-Provision
• VLAN
• SOL/IDE-R
• Secure Firmware Update
• Set PRTC
• Idle Timeout

Host Name

A hostname can be assigned to the Intel AMT capable computer. This is the host name of the Intel AMT-enabled computer.
The menu contains the parameters for the setup and configuration server. This menu also contains the security settings for PSK and PKI configurations.

• Current Provisioning Mode – Displays the current provisioning TLS Mode: None, PKI, or PSK. This configuration is only shown in Enterprise Provision Model.
• Provisioning Record – Displays the provision PSK/PKI record data of the computer.
TLS PKI – Remote Configuration Settings

The remote configuration options are contained under the TLS PKI sub menu. There are four remote configuration items:

• Remote Configuration Enable/Disable
• Manage Certificate Hashes
• Set FQDN
• Set PKI DNS Suffix

Remote Configuration Enable/Disable

The selectable options are Enable and Disable. If Remote Configuration is disabled, the menu options underneath are still displayed, but are not used until Remote Configuration is enabled.
The Manage Certificate Hash screen has several keyboard controls available to you to manage the hashes on the computer.
Set PKI DNS Suffix

When the Set PKI DNS Suffix option is selected under the Remote Configuration menu, you are prompted to enter the PKI DNS Suffix of the Provisioning Server. The Key Value is maintained in EPS.

Un-provision

The Un-Provision option allows you to reset the Intel AMT configuration to factory defaults. There are three types of un-provision:

• Partial Un-provision – This option resets all of the Intel AMT settings to their default values but leaves the PID/PPS.
SOL/IDE-R

• Username and Password – DISABLED** / ENABLED
  This option provides the user authentication for SOL/IDER session. If the Kerberos protocol is used, set this option to Disabled and set the user authentication through Kerberos. If Kerberos is not used, you have the choice to enable or disable user authentication on the SOL/IDER session.
Set PRTC

Enter PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS). Valid date range is 1/1/2004 – 1/4/2021. Setting PRTC value is used for virtually maintaining PRTC during power off (G3) state. This configuration is only displayed for the Enterprise Provision Model.

Idle Timeout

Use this setting to define the ME WoL idle timeout. When this timer expires, the ME enters a low-power state. This timeout takes effect only when one of the ME WoL power policies is selected. Enter the value in minutes.
Intel AMT in DHCP Mode Settings Example

The table below shows a basic field settings example for the Intel AMT Configuration menu page to configure the computer in DHCP mode.

Intel AMT Configurations Example in DHCP Mode

| Intel AMT Configuration Parameters | Values |
|---|---|
| Intel AMT Configuration | Select and press . |
| Host Name | Example: IntelAMT. This is the same as the operating system machine name. |
Remote FW Update: Enabled

Save and exit MEBx and then boot the computer to the Microsoft® Windows® operating system.

MEBx Default Settings

The table below lists all the default settings for the Intel® Management Engine BIOS Extension (MEBx).
3 Un-provision setting only seen if the box is provisioned.
About Intel® Active Management Technology

Intel® Active Management Technology (Intel AMT, or iAMT®) allows companies to easily manage their networked computers. IT management can:

• Discover computing assets on a network regardless of whether the computer is turned on or off — Intel AMT uses information stored in nonvolatile system memory to access the computer.
Redirecting Serial and IDE Communications

Intel® AMT makes it possible to redirect serial and IDE communications from a managed client to a management console regardless of the boot and power state of the managed client. The client need only have the Intel AMT capability, a connection to a power source, and a network connection.
Intel® AMT Setup and Configuration Overview

Terms
Setup and Configuration States

Terms

The following is a list of important terms related to the Intel® AMT setup and configuration:

• Setup and configuration — The process that populates the Intel AMT-managed computer with usernames, passwords, and network parameters that enable the computer to be administered remotely.
Provisioning: Completing the Setup and Configuration Process

Using Remote Configuration to Complete Provisioning
Using a Configuration Service to Complete Provisioning
Using MEBx Interface to Complete Provisioning

The computer has to be configured before the Intel® AMT capabilities are ready to interact with the management application.
1. An IT technician inserts a USB drive key into a computer with a management console.
2. The technician requests local setup and configuration records from a setup and configuration server (SCS) through the console.
3. The SCS does the following:
   ○ Generates the appropriate passwords, PID, and PPS sets
   ○ Stores this information in its database
   ○ Returns the information to the management console
4. The management console writes the password, PID, and PPS sets to a setup.
3. Select AMT Quick Start from the left navigation menu to open the Altiris Console.
4. Click the plus (+) to expand the Intel AMT Getting Started section.
5. Click the plus (+) to expand the Section 1. Provisioning section.
6. Click the plus (+) to expand the Basic Provisioning (without TLS) section.
7. Select Step 1. Configure DNS. The notification server with an out-of-band management solution installed must be registered in DNS as "ProvisionServer.
8. Click Test on the DNS Configuration screen to verify that DNS has the ProvisionServer entry and that it resolves to the correct Intel setup and configuration server (SCS). The IP address for the ProvisionServer and Intel SCS are now visible.
9. Select Step 2. Discovery Capabilities.
10. Verify that the setting is Enabled. If Disabled, click the checkbox next to Disabled and click Apply.
11. Select Step 3. View Intel AMT Capable Computers. Any Intel AMT capable computers on the network are visible in this list.
12. Select Step 4. Create Profile.
13. Click the plus (+) to add a new profile.
14. On the General tab the administrator can modify the profile name and description along with the password. The administrator sets a standard password for easy maintenance in the future. Select the manual radio button and enter a new password.
15. The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx.
16. The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of information are required including the certificate authority (CA) server name, CA common name, CA type, and certificate template.
17. The ACL (access control list) tab is used to review users already associated with this profile and to add new users and define their access privileges.
18.
19. Select Step 5. Generate Security Keys.
20. Select the icon with the arrow pointing out to Export Security Keys to USB Key.
21. Select the Generate keys before export radio button.
22. Enter the number of keys to generate (depends on the number of computers that need to be provisioned). The default is 50.
23. The Intel ME default password is admin. Configure the new Intel ME password for the environment.
24. Click Generate. Once the keys have been created, a link appears to the left of the Generate button.
25. Insert the previously formatted USB device into a USB connector on the ProvisioningServer.
26. Click the Download USB key file link to download the setup.bin file to the USB device. The USB device is recognized by default; save the file to the USB device. If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file to it.
    a. Click Save in the File Download dialog box.
    b. Verify the Save in: location is directed to the USB device. Click Save.
27. Close the Export Security Keys to USB Key and drive explorer windows to return to the Altiris Console.
28. Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized immediately and the following message appears: Continue with Auto Provisioning (Y/N)
29. Press .
30. Press any key to continue with system boot...
31. Once complete, turn off the computer and move back to the management server.
32. Select Step 6. Configure Automatic Profile Assignments.
33. Verify that the setting is enabled. In the Intel AMT 2.0+ dropdown, select the profile created previously. Configure the other settings for the environment.
34. Select Step 7. Monitor Provisioning Process.
    The computers for which the keys were applied begin to appear in the system list. At first the status is Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at the end of the process.
35. Select Step 8. Monitor Profile Assignments.
    The computers for which profiles were assigned appear in the list. Each computer is identified by the FQDN, UUID, and Profile Name columns. Once the computers are provisioned, they are visible under the Collections folder in All configured Intel AMT computers.
Using MEBx Interface to Complete Provisioning

Intel® AMT can be set up for either Enterprise or Small and Medium Business operational modes (also called provisioning models). Both operational modes support dynamic and static IP networking. If you use dynamic IP networking (DHCP), the Intel AMT host name and the operating system host name must match. You must also configure both the operating system and Intel AMT to use DHCP.
Intel AMT configuration must occur over a network. The network can be encrypted using the Transport Layer Security Pre-Shared Key (TLS-PSK) protocol. Once the computers connect to an SCS, Enterprise mode configuration occurs.

Enterprise Mode

The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell™ to be included in the Dell BIOS. The MEBx has been customized for Dell computers.
3. Select Change Intel ME Password. Press . Type the new password twice for verification. The new password must include the following elements:
   • Eight characters
   • One uppercase letter
   • One lowercase letter
   • A number
   • A special (nonalphanumeric) character, such as !, $, or ; excluding the :, ", and , characters.
   The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
   Change the password to establish Intel AMT ownership.
5. The following message appears: System resets after configuration change. Continue (Y/N). Press .
6. Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None.
7. Select Intel ME Firmware Local Update Qualifier. Press .
8. Select Always Open. Press . The default setting for this option is Always Open.
9. Select Intel ME Features Control. Press .
10. Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
11. Select Return to Previous Menu. Press .
12. Select Intel ME Power Control. Press .
13. Intel ME ON in Host Sleep States is the next option. The default setting is Desktop: ON in S0, S3, S4-5.
    NOTE: For certain E-Star or low-power configurations, the default setting will be Desktop: ON in S0.
14. Select Return to Previous Menu. Press .
15. Select Return to Previous Menu. Press .
16. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts.

After the ME configuration is complete, you can configure the Intel AMT settings. For instructions, see Intel AMT Configuration: Enabling Intel AMT for Enterprise Mode.

Intel AMT Configuration: Enabling Intel AMT for Enterprise Mode

To enable Intel AMT configuration settings on the target platform, perform the following steps:
1. 2. 3.
5. Select TCP/IP. Press . The following messages appear:
   • Disable Network Interface: (Y/N)
     Press . If the network is disabled, then all remote AMT capabilities are disabled and TCP/IP settings are not necessary. This option is a toggle, and the next time it is accessed you are prompted with the opposite setting.
   • [DHCP Enable] Disable DHCP (Y/N)
     Press .
   • Domain Name
     Type the domain name into the field.
6. Select Provision Model from the menu. Press . The following message appears:
   • [Intel (R) AMT 3.0 Mode] [Enterprise] change to Small Business: (Y/N)
     Press .
7. Select Setup and Configuration from the menu. Press .
8. Select Current Provisioning Mode to display the current mode. Press . The current provisioning mode is displayed. Press or to exit.
9. Select Provisioning Record. The provisioning record displays the provision PSK/PKI record data of the computer. If the data has not been entered, the MEBx displays a message that states Provision Record not present. If the data is entered, the Provision Record displays one of several messages.
10. Select Provisioning Server from the menu. Press .
11. Type the provisioning server IP in the Provisioning server address field and press . The default setting is 0.0.0.0.
12. Type the port in the Port number field and press . The default setting is 0. If left at the default setting of 0, the Intel AMT attempts to contact the provisioning server on port 9971. If the provisioning server is listening on a different port, enter it here.
13. Select TLS PSK from the menu. Press .
14. Set PID and PPS is the next option. The PID and PPS can be input manually or by using a USB key once the SCS generates the codes. This option is for entering the provisioning ID (PID) and provisioning passphrase (PPS). PIDs are eight characters and PPS are 32 characters. There are dashes between every set of four characters, so including dashes, PIDs are nine characters and PPS are 40 characters. An SCS must generate these entries.
15. Skip the Delete PID and PPS option.
17. Select TLS PKI from the menu. Press .
18. Select Remote Configuration Enable/Disable from the menu. Press . This option is Enabled by default and can be Disabled if the network infrastructure does not support a Certificate Authority (CA).
19. Manage Certificate Hashes option is the next option. Four hashes are configured by default. Hashes can be deleted or added per customer needs.
20. Select Set FQDN from the menu. Press . Type the FQDN of the provisioning server in the text field and press .
21. Select Set PKI DNS Suffix from the menu. Press . Type the PKI DNS Suffix in the text field and press .
22. Select Return to Previous Menu. Press .
23. Select Return to Previous Menu. Press . This returns you to the Intel AMT Configuration menu.
24. Skip the Un-Provision option. This option returns the computer to factory defaults. See Return to Default for more information about unprovisioning.
25. Select VLAN from the menu. Press . The following message appears:
    • [VLAN Disabled] Enable VLAN: (Y/N)
      Press .
26. Select SOL/IDE-R. Press .
27. The following messages appear, and require the response indicated in the following bulleted list:
    • [Caution] System resets after configuration changes. Continue: (Y/N)
      Press .
    • User name & Password
      Select Enabled and then press . This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.
    • Serial Over LAN
      Select Enabled and then press .
    • IDE Redirection
      Select Enabled and then press .
28. Secure Firmware Update is the next option. The default setting is Enabled.
29. Skip Set PRTC.
30. Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected in step 13 of the process for enabling ME for the Enterprise operating mode.
    NOTICE: To maintain E-Star compliance for certain systems, the Desktop: ON in S0 setting must be used in step 13.
31. Select Return to Previous Menu. Press .
32. Select Exit. Press .
33. The following message appears: Are you sure you want to exit? (Y/N): Press .
34. The computer restarts. Turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.

SMB Mode

The Intel® Management Engine BIOS Extension (MEBx) is an optional ROM module that Intel provides to Dell™ to be included in the Dell BIOS. The MEBx has been customized for Dell™ computers. Dell also supports setup and configuration of Intel AMT in the Small and Medium Business (SMB) mode.
3. Select Change Intel ME Password. Press . Type the new password twice for verification. The new password must include the following elements:
   • Eight characters
   • One uppercase letter
   • One lowercase letter
   • A number
   • A special (nonalphanumeric) character, such as !, $, or ; excluding the :, ", and , characters.
   The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity.
   Change the password to establish Intel AMT ownership.
5. The following message appears: System resets after configuration change. Continue (Y/N). Press .
6. Intel ME State Control is the next option. The default setting for this option is Enabled. Do not change this setting to Disabled. If you want to disable Intel AMT, change the Manageability Feature Selection option to None.
7. Select Intel ME Firmware Local Update Qualifier. Press .
8. Select Always Open. Press . The default setting for this option is Always Open.
9. Select Intel ME Features Control. Press .
10. Manageability Feature Selection is the next option. This feature sets the platform management mode. The default setting is Intel AMT. Selecting the None option disables all remote management capabilities.
11. Select Return to Previous Menu. Press .
12. Select Intel ME Power Control. Press .
13. Intel ME ON in Host Sleep States is the next option. The default setting is Desktop: ON in S0, S3, S4-5.
    NOTE: For certain E-Star or low-power configurations, the default setting will be Desktop: ON in S0.
14. Select Return to Previous Menu. Press .
15. Select Return to Previous Menu. Press .
16. Exit the MEBx Setup and save the ME configuration. The computer displays an Intel ME Configuration Complete message and then restarts.

After the ME configuration is complete, you can configure the Intel AMT settings.

Intel AMT Configuration: Enabling Intel AMT for SMB Mode

To enable Intel AMT Configuration settings on the target platform, perform the following steps:
1. 2. 3.
6. Select TCP/IP. Press .
7. The following messages appear and require the response indicated in the following bulleted list:
   • Disable Network Interface: (Y/N)
     Press . If the network is disabled, then all remote Intel AMT capabilities are disabled and TCP/IP settings are not necessary. This option is a toggle, and the next time it is accessed you are prompted with the opposite setting.
   • [DHCP Enable] Disable DHCP (Y/N)
     Press .
   • Domain Name
     Type the domain name into the field.
8. Select Provision Model from the menu. Press .
9. The following message appears:
   • [Intel (R) AMT 3.0 Mode] [Enterprise] change to Small Business: (Y/N)
     Press .
10. Skip the Un-Provision option. This option returns the computer to factory defaults. See Return to Default for more information about unprovisioning.
11. Select VLAN from the menu. Press .
12. The following message appears:
    • [VLAN Disabled] Enable VLAN: (Y/N)
      Press .
13. Select SOL/IDE-R. Press .
14. The following messages appear and require the response indicated in the following bulleted list:
    • [Caution] System resets after configuration changes. Continue: (Y/N)
      Press .
    • User name & Password
      Select Enabled and then press . This option allows you to add users and passwords from the WebGUI. If the option is disabled, then only the administrator has MEBx remote access.
    • Serial Over LAN
      Select Enabled and then press .
    • IDE Redirection
      Select Enabled and then press .
15. Secure Firmware Update is the next option. The default setting is Enabled.
16. Skip Set PRTC.
17. Idle Timeout is the next option. The default setting is 1. This timeout is applicable only when a WoL option is selected in step 13 of the process for enabling the ME for SMB operating mode.
    NOTICE: To maintain E-Star compliance for certain systems, the Desktop: ON in S0 setting must be used in step 13.
18. Select Return to Previous Menu. Press .
19. Select Exit. Press .
20. The following message appears: Are you sure you want to exit? (Y/N): Press .
21. The computer restarts. Turn off the computer and disconnect the power cable. The computer is now in setup state and is ready for deployment.
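The Intel ME password rules given under Change Intel ME Password in both procedures above, written as a pre-check an administrator could run on a candidate password before typing it into the MEBx. This is an added example, not Dell or Intel code; it assumes that "Eight characters" is a minimum and that a candidate containing :, " or , is reported as failing.

```python
import string

MIN_LENGTH = 8            # assumption: "Eight characters" is read as a minimum
EXCLUDED = set(':",')     # the guide excludes these from the special-character rule
NEUTRAL = set("_ ")       # valid, but add nothing to complexity per the guide


def check_me_password(password):
    """Return the list of unmet rules; an empty list means the candidate passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    # A qualifying special character is punctuation that is neither excluded
    # (: " ,) nor neutral (underscore; the space is not punctuation at all).
    if not any(c in string.punctuation and c not in EXCLUDED | NEUTRAL
               for c in password):
        problems.append("no qualifying special character")
    # Assumption: excluded characters make the candidate fail outright,
    # rather than merely not counting toward complexity.
    found = sorted(set(password) & EXCLUDED)
    if found:
        problems.append("contains excluded character(s): " + " ".join(found))
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; "admin" is the default the guide names.
    for candidate in ["admin", "Passw0rd_", "Passw0rd:", "P@ss w0rd"]:
        result = check_me_password(candidate)
        print(repr(candidate), "->", "OK" if not result else "; ".join(result))
```

The underscore case is the one most often missed: Passw0rd_ meets every other rule but still fails, because the underscore does not count as the special character.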
Troubleshooting

Return to Default (Un-Provisioning)
Firmware Flash
Serial-Over-LAN (SOL) and IDE Redirection (IDE-R)

This section describes a few basic troubleshooting steps to follow if problems are experienced with the Intel® AMT configuration.

Return to Default (Un-Provisioning)

Return to default is also known as un-provisioning.
5. 6. 7. 8. 9. Select Un-Provision. Press . Select Full Unprovision. Press . Reconfigure the settings on the Intel AMT Configuration screen.
Using the Intel® AMT WebGUI

The Intel® AMT WebGUI is a Web browser-based interface for limited remote computer management. The WebGUI is often used as a test to determine if Intel AMT setup and configuration was performed properly on a computer. A successful remote connection between a remote computer and the host computer running the WebGUI indicates proper Intel AMT setup and configuration on the remote computer.