Product Guide
McAfee ePO Deep Command 2.1.0
For use with ePolicy Orchestrator 4.6.x, 5.x.
COPYRIGHT Copyright © 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Contents

1 Introduction (page 7)
  Product features
  Intel AMT overview
  Product components
  Getting started
    Setting up your environment
    Architecture and how components communicate

4 Configuring Intel AMT systems (page 43)
  Synchronize with Windows Active Directory
    Register Windows Active Directory server
    Schedule LDAP synchronization
  Set Intel AMT configuration preferences
    Import a configuration profile template
    Create a configuration profile
  Create the Intel AMT configuration policies
    Create the Intel AMT policies
    Creating the Client Task Execution policy
    Compare ePO Deep Command policies
  Create the Profile Manager policies
    Create a Configuration Profile policy

  Create a configuration profile that uses Microsoft CA certificates
    Generate certificates for Stunnel using Microsoft CA
  Intel MEBX password format
  Validate permissions
    Modify WMI permissions to add domain computers
    Modify DCOM permissions to add domain computers
1 Introduction

McAfee ePO Deep Command provides centralized control of your Intel Active Management Technology (AMT) systems regardless of whether they are powered on, or whether an operating system is installed or working. The ePO Deep Command software integrates the management and automation features of McAfee ePolicy Orchestrator (McAfee ePO) with the hardware-based security and manageability features of Intel AMT. Intel AMT is included on systems equipped with Intel vPro.
Product features

Feature: Intel AMT firmware configuration
Use ePO Deep Command to perform host-based configuration or remote configuration on your Intel AMT systems:
• Host-based configuration is initiated by enforcing a configuration policy that uses the host-based configuration profile.
• Remote configuration requires the RCS Manager plug-in, which communicates directly with your managed Intel RCS server, and a remote configuration policy.

Feature: Maintenance tasks
Configure these maintenance tasks:
• Synchronize Intel AMT time
• Renew Active Directory password
• Synchronize network settings
• Renew Intel AMT admin password
• Reissue Intel AMT certificates
This feature requires the Management Framework software.

Feature: McAfee Endpoint Encryption integration
Enable Intel Active Management Technology features on systems secured by McAfee Endpoint Encryption.
Intel AMT overview

• Intel AMT-enabled chipset
• Network hardware and software
• Corporate network connection (with an AC power source)

Setting up the environment requires that you configure your Intel AMT firmware with certificates and integrate ePO Deep Command into the existing security framework. When an Intel AMT system is configured to use Wi-Fi, ePO Deep Command allows out-of-band communication to clients in a wireless environment.
Product components

Management Framework module
The ePO Deep Command Management Framework module delivers "beyond-the-operating-system" security management. With it, administrators can turn on systems, execute security tasks, and return the Intel AMT systems to their previous power state. This component is required for Intel AMT actions and Intel AMT configuration.

McAfee KVM Viewer module
Administrators can use the McAfee KVM Viewer module to remotely access Intel AMT systems on which KVM is supported and enabled. From the McAfee KVM Viewer console, you can perform actions on the connected Intel AMT system such as turn it on, turn it off, restart it, and boot it from an IDE-redirection device.
Getting started

Before using ePO Deep Command, make sure that you have the required software, hardware, and network configurations in place.

Setting up your environment
Installing the ePO Deep Command Discovery and Reporting software is your first step; then you set up the other modules as required. This diagram illustrates the actions required to set up your software. For more information on the Intel AMT configuration process, see Preparing your Intel AMT systems.

Architecture and how components communicate
ePO Deep Command comprises multiple modules, which help you identify, manage, configure, and troubleshoot your Intel AMT systems. When installed on McAfee ePO, these modules work with your Intel AMT systems to deliver greater control of your secure environment.

1 The Discovery and Reporting plug-in is installed on McAfee ePO, then deployed to client systems. This plug-in detects the Intel AMT systems in your organization.
2 The Management client software is installed on McAfee ePO, then deployed to client systems. This plug-in allows you to perform actions and enforce other policies on your Intel AMT systems.
3 The Profile Management software is required for Intel AMT configuration.
2 Installation

Perform a series of tasks to set up your ePO Deep Command software.
1 Make sure that your system meets the requirements.
2 Install the ePO Deep Command Discovery and Reporting extension.
3 Deploy the ePO Deep Command Discovery and Reporting plug-in to the Intel AMT systems.
4 Generate reports on your client systems to identify the Intel AMT-enabled systems.
5 Install the ePO Deep Command Management Framework software.
Requirements

Verify that your system meets these requirements before you start the installation process.

System requirements
McAfee ePO:
• Version 4.6 Patch 6 or later
• Version 5.x
See the McAfee ePO documentation for system requirements.
Intel AMT systems (common for both wired and wireless environments):
• CPU: Intel vPro, as listed at http://www.intel.com/support/vpro/sb/CS-030703.

Software requirements
Make sure that you have the required software installed for the ePO Deep Command module that you're installing.
Discovery and Reporting plug-in: McAfee Agent for Windows on the Intel AMT systems
• Version 4.6.0 Patch 3 or later
• Version 4.8.x
Management Framework client: McAfee Agent for Windows on the Intel AMT systems
• Version 4.6.0 Patch 3 or later
• Version 4.8.

Upgrade requirements
You can upgrade to ePO Deep Command 2.1.0 from software version 2.0.0.

Supported Intel AMT versions
Some features aren't supported on specific versions of Intel AMT. Review this table to determine which features and versions are supported on Intel AMT systems. The table columns are: Use case | Intel AMT features used | Intel AMT version (4.0, 5.1, 6.x, 7.x, 8.x, 9.
Required ports
Make sure that your network security software doesn't block the ports and services needed for Intel AMT communications. Add these ports, services, and processes as exclusions in the security policy settings of your network security software, such as a firewall or intrusion prevention system.

Services installed on Agent Handler or McAfee ePO (Service | Feature | Ports | Description)
• ServiceAMT.

Services installed on managed Intel AMT systems (Service/process | Feature | Ports | Description)
• AMTMgmtService.exe | Remote configuration | 135 | This process configures the Intel AMT client system. It is also required for client tasks, property collection, and enforcement of other policies.
• ACUConfig.exe | Remote configuration | 135 | This process performs configuration or unconfiguration of Intel AMT systems.
• LMS.

TCP port 135 is the RPC endpoint mapper used by WMI and DCOM. A DCOM connection starts on port 135 and then continues on a dynamically assigned high port, so a host firewall that permits only port 135 can still block these processes; allow the RPC dynamic port range as well, or restrict it to a fixed range on the managed systems and allow that range.
ePO Deep Command components in Software Manager
Here are the components that you see in Software Manager when you select ePO Deep Command from the product list.
• Discovery and Reporting extension: Enables the Discovery and Reporting feature on the server. Check in the extension, or download it to check in later.
• Discovery and Reporting plug-in: Deploys the Discovery and Reporting plug-in to the Intel AMT systems.

Install the software
Install the extensions and deploy them to manage your Intel AMT systems.
Tasks
• Install or upgrade the ePO Deep Command extensions on page 24: Install the required ePO Deep Command software components on McAfee ePO.
• Deploy the Discovery and Reporting plug-in on page 25: Deploy the Discovery and Reporting plug-in to Intel AMT systems.

Deploy the Discovery and Reporting plug-in
Deploy the Discovery and Reporting plug-in to Intel AMT systems.
Before you begin
Make sure that the plug-in package is checked in and listed under Menu | Software | Master Repository. The Deploy ePO Deep Command Discovery and Reporting Plugin client task is created automatically when the ePO Deep Command Discovery and Reporting plug-in is installed on McAfee ePO. Assign the client task to the selected client computers.

Deploy the Management Framework client
Deploy the Management Framework client to your Intel AMT systems to manage them using Intel AMT actions, policies, server tasks, and queries.
Before you begin
Make sure that the ePO Deep Command Management Framework client package is checked in and listed under Menu | Software | Master Repository.
2 In Trusted Root Certificates, a pre-activated McAfee ePO Deep Command Root CA (CN=McAfee ePO Deep Command Root) is listed. If you have imported a certificate or generated a new McAfee ePO Deep Command Root CA, select it, then click Activate. To remove a certificate, select it and click Delete. We recommend that you use certificates generated by the McAfee ePO Deep Command Root CA.
5 In Credentials for Intel AMT actions, select Change credentials, then select Use above credentials or type the user name and password. Use the domain\user name format for Active Directory accounts. Click Show password to view the password. The credentials provided are used for Intel AMT actions. For a new installation, the default out-of-band communication user name is ePO_AMTAdmin and the password is randomly generated.

Configure user permissions
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | User Management | Permission Sets.
2 Select the permission set where you want to assign ePO Deep Command permissions. The details appear to the right.
Manage certificates
Use the certificate management options to export an ePO Deep Command root CA certificate for reuse, import it, or regenerate it with a new time stamp, as needed.
Tasks
• Export an active certificate on page 30: Export an active certificate from McAfee ePO to reuse it.
• Import a certificate on page 30: Import an exported root certificate to McAfee ePO to use it.
3 For Trusted Root Certificate, click Generate New Certificate. A new entry is added for McAfee ePO Deep Command Root in Trusted Root Certificates.
4 Select the McAfee ePO Deep Command Root, click Activate, then click OK to confirm.
5 Reconfigure your Intel AMT systems to use the updated certificate.
Intel AMT actions such as Remote Access, Serial-over-LAN, IDE-Redirection, and KVM access fail until the new certificate has been provisioned to the Intel AMT firmware, because the firmware trusts only the root certificate it was configured with.
Uninstall the software

Uninstall the ePO Deep Command client
Create a client task to remove the client from Intel AMT systems, then assign it to the systems.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Policy | Client Task Catalog, then select Product Deployment under McAfee Agent.
2 Click New Task and select Product Deployment to open the Client Task Catalog: New Task page.

Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Software | Software Manager.
2 On the Software Manager page under Product Categories, click Checked In Software | Licensed.
3 Select McAfee ePO Deep Command from the products list, then click Remove next to the extension to be removed. Perform this step for each of the ePO Deep Command extensions checked in to your server.
3 Basics of Intel AMT configuration

You must configure your Intel AMT systems before you can manage them using ePO Deep Command. You can configure your Intel AMT firmware from McAfee ePO or from any other external source. With the ePO Deep Command software, you can configure your Intel AMT systems to Client Control mode using host-based configuration, or to Admin Control mode using remote configuration.

Host-based configuration
In this method, Intel AMT systems are configured locally using an XML profile containing the required configuration settings. This diagram presents an overview of the recommended process for configuring systems using the host-based configuration method.
See also Perform host-based configuration on page 49

Client Control mode
Intel AMT systems enter this mode when they are configured using host-based configuration.

Client Control mode network architecture
This illustration is an overview of a network configuration where your Intel AMT systems support Client Control mode. Components in a Client Control mode configuration include:
• McAfee ePO server — McAfee ePO is the management console from which application and enforcement of Intel AMT policies are configured and distributed.

Host-based configuration authentication
For host-based configuration, provide credentials for Intel AMT configuration and use the McAfee ePO Deep Command Root CA. Make sure to configure these settings on the Server Settings page:
• Credentials for Intel AMT Configuration — Create a password for your managed Intel AMT systems. The default user name for Intel AMT is admin.
• Trusted Root Certificates — Use the McAfee ePO Deep Command Root CA.

Remote configuration

Admin Control mode network architecture
This illustration is an overview of a network configuration where your Intel AMT systems support Admin Control mode. Each of the server components in this illustration performs an essential function in Admin Control mode configuration.
• McAfee ePO server — McAfee ePO is the management console where application and enforcement of Intel AMT policies are configured and distributed.

How the RCS Manager plug-in works
The RCS Manager plug-in helps you manage the configuration of your Intel AMT firmware through McAfee ePO. This diagram illustrates the actions involved in configuration through the RCS Manager plug-in. The RCS Manager retrieves configuration profiles from the Intel RCS servers and reports back to McAfee ePO.
Certificates for TLS
You can use the Transport Layer Security (TLS) protocol to secure and authenticate communications across your network. Intel AMT uses the Public Key Infrastructure (PKI) form of TLS: each endpoint holds an asymmetric key pair, the private key stays on the system that generated it, and a certificate issued by a trusted Certification Authority (CA) binds the public key to that system's identity. A peer that trusts the CA can verify who it is talking to before any management traffic is exchanged; the private key is never shared.
Configuration states
ePO Deep Command adds a system property that reports the configuration status of Intel AMT systems.
• Pre-configuration — By default, the Intel AMT features on Intel vPro systems are disabled because the systems are unconfigured. ePO Deep Command cannot manage such systems remotely. All unconfigured clients are categorized under this state.

4 Configuring Intel AMT systems

You can configure an Intel AMT system using host-based configuration or remote configuration.
• Host-based configuration places the Intel AMT system in Client Control mode by default. It is the simplest configuration method, and McAfee recommends it. This mode limits some Intel AMT functionality (for example, redirection sessions such as KVM require the local user's consent).
• Remote configuration places the Intel AMT system in Admin Control mode by default.
3 On the Details page, complete these options.
a Select Active Directory from LDAP server type, then type the DNS-style domain name or IP address of the system where Windows Active Directory is present. When using a DNS-style domain name, make sure that McAfee ePO is configured with the appropriate DNS setting and can resolve the DNS-style domain name of the Active Directory server.

Set Intel AMT configuration preferences
Tasks
• Import a configuration profile template on page 45: Import a configuration profile that you created in the Intel RCS console or by using ACUWizard.exe.
• Create a configuration profile on page 45: Create a Configuration Profile policy for the configuration settings, then enforce it on the Intel RCS server.

Task
Create policies based on the default policies, such as McAfee Default or My Default. The default policies provide templates where you add the data required to configure your Intel AMT systems.
For option definitions, click ? in the interface.
1 In the McAfee ePO console, navigate to Policy Catalog, select ePO Deep Command Profile Manager 2.1.0 as the product and Configuration Profile as the category, then click New Policy.

f In AMT User accounts and rights, perform one of these steps:
• For a Digest account, click New Digest User, type the user name, type the password, retype the password (or select Show Password), then select the required access right for the user:
  • Administrator — Provides PT Administration rights, which allow the user to access all Intel AMT features. Assign this right only to accounts that need every feature; other accounts should get the narrowest right that covers their task.

• IP address — Select the source for the IP address settings:
  • DHCP — from the DHCP server.
  • Static — the same IP address as the host.
• FQDN — Select the source for the host name suffix:
  • Primary DNS — from the "Primary DNS Suffix" of the host operating system.
  • Active directory name — from the Active Directory domain of which the host operating system is a member.
Perform host-based configuration
4 In Credentials for Intel AMT actions, do one of these:
• Use the default ePO_Admin account — Select Use above credentials, then select Show password to view the default password.
• Update credentials — Select Change credentials, deselect Use above credentials, then type the user name and password to be used for Intel AMT actions (use the domain\user name format for Active Directory accounts).
5 Click Save.

Perform remote configuration
Install and configure the RCS Manager plug-in to manage the Intel AMT firmware configuration from McAfee ePO.
Before you begin
Make sure that the Intel AMT systems meet the requirements and prerequisites. See Requirements and Prerequisites for remote configuration. The RCS Manager plug-in communicates with the Intel RCS servers for configuration or unconfiguration.

• Intel AMT systems must not be in a virtual private network (VPN) environment, because the home domains of McAfee ePO and of the Intel AMT systems differ in a VPN environment.
• Intel AMT systems must have an onboard Network Interface Card (NIC). Multiple NICs are not supported.

Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Software | Software Manager.
2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
3 Select McAfee ePO Deep Command 2.1 from the products list, select McAfee ePO Deep Command RCS Manager, then click Check In.

Configure Intel AMT systems using the remote configuration policy
Create and enforce a remote configuration policy, selecting the Intel RCS server and the configuration profile to be used.
Before you begin
• Make sure that the RCS Manager plug-in properties have been collected. Navigate to the system properties page of the Intel RCS server, then select McAfee ePO Deep Command RCS Manager Plugin in the Products tab.

See also Create a policy to configure Intel AMT systems on page 94; Enforce Intel AMT configuration policy on page 111

Test your connection to an Intel AMT system
Perform some actions on your Intel AMT systems to test whether they can be connected to.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Systems | System Tree.

Unconfigure Intel AMT systems through McAfee ePO

Unconfigure Intel AMT systems using a policy
You can unconfigure your Intel AMT systems using the Intel AMT configuration policy.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, navigate to Policy Catalog, select ePO Deep Command 2.1.0 as the product and AMT Configuration Policies as the category, then click New Policy.

Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Reporting | Queries & Reports, then select ePO Deep Command Reporting under Shared Groups.
2 From the queries list, select Intel AMT Configuration State, click Action | Duplicate, type a name for the query, then save it.
5 Setting up your environment for Remote Access

The McAfee ePO Deep Command Gateway server acts as a proxy that mediates communication between McAfee ePO and remotely managed Intel AMT systems. The Remote Access feature allows Intel AMT systems to initiate a secured connection to the ePO Deep Command Gateway server.

Remote Access depends on these components:
• McAfee ePO
• Intel AMT systems configured for remote connectivity. (In some environments, these systems sit behind a firewall. Because the Intel AMT system initiates the connection to your server, you can use that connection to administer it even though the firewall blocks inbound connections.)
• ePO Deep Command Gateway server

Install the ePO Deep Command Gateway server
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Software | Software Manager.
2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
3 Select McAfee ePO Deep Command 2.1 from the products list, select McAfee ePO Deep Command Gateway Server, then click Download.
Generate certificates for Stunnel
5 Copy the files to the Stunnel installation directory, for example C:\Program Files (x86)\stunnel. You can also rename these files:
• CN_McAfee_ePO_Deep_Command_Root.crt to ca.cer
• the .key file to cira.key
• the .crt file to cira.pem

Add DH parameter to the .pem file
The created PEM certificate file needs Diffie-Hellman (DH) parameters appended to the end; this is done with the OpenSSL tools. Generate parameters of at least 2048 bits, because 1024-bit DH groups are no longer considered safe, and append them with a tool that writes plain ASCII: in Windows PowerShell 5.x the >> redirection operator writes UTF-16, which produces a file that neither OpenSSL nor Stunnel can parse.
2 In cert, key, and CAfile, replace the file names and locations for cira.pem, cira.key, and ca.cer, respectively, with the actual values.
3 In ciraamt, use the default ports or replace them with the ports in use.
• accept — Port that listens for incoming Remote Access requests, then forwards them to the port used for the connection. The default port is 81. If you want to use a different port, replace it with the actual port number.
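The DH step and the certificate check above, as an added example that is not part of the McAfee guide or of the Stunnel project: a POSIX shell script that appends 2048-bit DH parameters to cira.pem only if none are present yet, lists the PEM blocks in the file so you can see what Stunnel will load, and verifies that cira.pem chains to the exported root (ca.cer) and matches cira.key, which is the CA-based trust described under Certificates for TLS put to work. It assumes the file names from the guide and an openssl binary on the PATH; on the Windows Gateway server, run it from Git Bash or another POSIX shell.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): prepare and check the Stunnel
# PEM material for the ePO Deep Command Gateway server.
# Assumptions: the guide's file names (cira.pem, cira.key, ca.cer) and an
# 'openssl' binary on PATH. On Windows, run from Git Bash or another POSIX shell.

# Print the label of every PEM block in a file, one per line,
# e.g. "CERTIFICATE" then "DH PARAMETERS" once the DH step has been done.
# CRLF line endings (common on Windows) are tolerated.
pem_block_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Succeed (exit 0) only if the file already carries a DH PARAMETERS block.
has_dh_params() {
    pem_block_labels "$1" | grep -qx 'DH PARAMETERS'
}

# Append freshly generated DH parameters to the PEM file, once.
# Stunnel reads the group from the cert file for DHE cipher suites;
# 2048 bits is the smallest size still considered adequate.
add_dh_params() {
    pem="$1"
    bits="${2:-2048}"
    if has_dh_params "$pem"; then
        echo "$pem already contains DH parameters, nothing to do"
        return 0
    fi
    # Make sure the new block starts on its own line even if the
    # certificate file lacks a trailing newline.
    if [ -n "$(tail -c 1 "$pem")" ]; then
        printf '\n' >> "$pem"
    fi
    # openssl writes the PEM-encoded group to stdout; >> here is plain ASCII.
    openssl dhparam "$bits" >> "$pem"
}

# Verify the Stunnel certificate: it must chain to the exported ePO Deep Command
# root, and its public key must match the private key Stunnel will load.
# Exit status 0 means both checks passed. The trailing DH block in the cert
# file is ignored by 'openssl verify'.
check_stunnel_material() {
    cert="$1"
    key="$2"
    ca="$3"
    openssl verify -CAfile "$ca" "$cert" || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}
```

Typical use on the Gateway server, from the Stunnel directory: `add_dh_params cira.pem && check_stunnel_material cira.pem cira.key ca.cer`. If the key check fails, the .crt and .key copied in step 5 come from different requests; if `openssl verify` fails, ca.cer is not the root that issued the certificate (for instance after the root was regenerated in McAfee ePO), and Remote Access connections will be rejected until the certificate is reissued.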
6 Enabling Intel AMT wireless manageability

With Intel AMT over a wireless connection, you can perform Intel AMT actions on systems within the enterprise or in a properly configured Remote Access scenario. Make sure that the required wireless settings are configured. Also consider these guidelines for Intel AMT management in a wireless environment.
• A wireless connection is established using the wireless network interface (WLAN) or an interface driver executing on the Intel AMT system.

Prerequisites for using wireless with ePO Deep Command
Consider these guidelines when performing Intel AMT actions on wireless clients.
• Intel AMT over wireless requires the infrastructure to support WPA or WPA2 wireless security.
• For Admin profiles, the Temporal Key Integrity Protocol (TKIP) or Counter Mode CBC-MAC Protocol (CCMP) encryption algorithm must be used. Prefer WPA2 with CCMP (AES) where the infrastructure allows it: TKIP is deprecated and has known weaknesses.
Create a delta configuration profile for wireless
An Intel AMT wireless profile might not be updated when:
• A profile with the same SSID is already present on the system.
• The system is configured again with the same profile, or a delta configuration has been performed.
• The Intel Local Manageability Service driver is not installed or running.
• The wireless password has changed.
4 On the Optional Settings page, select Network Configuration, select WiFi Connection, then click Next.
5 On the Network Configuration page, perform these steps, then click Next.
a Select Allow WiFi connection with the following WiFi setups, then click Add to open the WiFi Setup screen. These settings are required to establish a connection to wireless Intel AMT systems.
b Complete these settings, then click OK.
• Setup Name — Type a name for the Wi-Fi setup (up to 32 characters; it must not contain any of the characters / \ < > : ; * | ? ").
• SSID — Type the Service Set Identifier (up to 32 characters) that identifies the specific Wi-Fi network. If left empty, the device tries to connect to any Wi-Fi network that uses the data encryption defined in this Wi-Fi setup, so set the SSID explicitly unless you intend the firmware to associate with arbitrary networks.
Validate wireless settings
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, navigate to System Tree and open the system details of the wireless client.
2 On the Deep Command tab, validate these settings:
• Wired IPv4 address — Must be 0.0.0.0.
• Wireless IPv4 address — Must be correct.
7 Reporting on your Intel AMT systems

With the ePO Deep Command Discovery and Reporting software, you can quickly determine the status of the Intel AMT systems in your network. The predefined queries and dashboards are added to McAfee ePO when the software is installed. These queries can be configured to display results in charts or tables, which can also be used as dashboard monitors.

Queries and reports
Query: Intel AMT Configuration State
Displays a pie chart of the Intel AMT configuration states of all detected systems that support Intel AMT.
• In (In-configuration) — These systems are in a partially configured state with initial information.
• Post (Post-configuration) — These systems are in a fully configured state with the security settings, certificates, and settings that activate Intel AMT capabilities.

Predefined RCS management queries
When the Profile Manager software is installed on McAfee ePO, these predefined queries are added to the ePO Deep Command RCS Management group.
Query: Managed Intel AMT Systems by RCS Server
Displays a pie chart of Intel AMT systems categorized by the Intel RCS server that configured them. Intel AMT systems that were configured using host-based configuration are categorized under Not Available.

Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Reporting | Queries & Reports.
2 From the Groups pane, select ePO Deep Command Reporting, ePO Deep Command Management, or ePO Deep Command RCS Management, as needed. In McAfee ePO 4.6, these reports are grouped under Shared Groups; in McAfee ePO 5.0, under McAfee Groups. The queries for the selected group appear.
Group filters (filter — filters the results based on...)
• BIOS Release Date — The release date of the BIOS running on the Intel AMT systems.
• BIOS Version — The version number of the BIOS running on the Intel AMT systems.
• CILA — Whether the Client-Initiated Local Access (CILA) feature, also known as Fast Call for Help, is supported and enabled on the Intel AMT systems.
• KVM — Whether the KVM (keyboard, video, and mouse) feature is supported on the Intel AMT systems.
• Last Error Message — The error description, if the last AMT action failed.
• Last IDE-R Session Start/End Time — The time when the last IDE-R session was started or stopped.
• Last IDE-R Session Status — Whether the last IDE-R session was active.
• Wired Link Status — Whether the Intel AMT systems' physical network connection is functioning.
• Wired MAC Address — The MAC address of the Intel AMT systems' physical network connection.
• Wireless IPv4 Address — The IPv4 address of the Intel AMT systems' wireless network connection.
• Wireless Link Status — Whether the Intel AMT systems' wireless network connection is functioning.
Dashboards and monitors
• CILA Supported — Determines the number of managed systems that support Local Access connections out of the total number of managed systems. The administrator can then determine the number of managed systems on which to enforce the Local Access policy that enables Local Access support. This information allows the managed systems to send Local Access requests to McAfee ePO.
• Intel® AMT Configuration Mode — Determines the different configuration modes that are present in the total number of managed systems. Because ePO Deep Command currently supports the Enterprise mode only, the administrator must reconfigure managed systems that are not in Enterprise mode.
• Intel® AMT Configuration State — Determines the different Intel AMT configuration states present in the total number of managed systems.
• Intel® AMT Version — Displays the different versions of Intel AMT hardware present on the managed systems. Because ePO Deep Command supports specific versions of Intel AMT, this monitor determines how many systems can be used for Intel AMT actions.
• KVM Supported and Enabled — Displays the number of managed systems that support KVM connections out of the total number of managed systems.
• SOL Supported and Enabled — Displays the number of managed systems that support SOL connections out of the total number of managed systems. This monitor determines the number of systems that can be managed remotely using SOL.
• AMT-Capable Systems without Intel® MEI Driver — Determines the systems that require installation of the MEI driver out of the total number of managed systems.
Management Summary dashboard
The Management Summary dashboard displays a collection of monitors based on the results of the default ePO Deep Command Framework software queries.
• Intel® AMT Configuration Events by Event type — Displays a pie chart representing the number of configuration events for all detected Intel AMT systems.
From any of these reports, you can click an entry for information on the Intel AMT systems for the selected category. For the systems configured using remote configuration, the drill-down page also lists the Intel RCS server name and profile used for their configuration.
• Ready for Host Based Configuration — Displays a pie chart representing the number of Intel AMT systems that meet and that do not meet the host-based configuration requirements. The number of systems that are ready for host-based configuration includes the number of systems that are already configured.
Benefits Summary dashboard
The Benefits Summary dashboard displays monitors that show the count of systems by Intel AMT feature.
• Troubleshoot Remote Devices (KVM) — Displays a pie chart representing the number of Intel AMT systems that can be accessed using McAfee KVM to troubleshoot any issues. Systems in this category meet these conditions:
• Intel AMT 6.
• Quick reset of pre-boot password on McAfee encrypted devices — Displays a pie chart representing the number of Intel AMT systems that can reset their pre-boot password using EEPC to regain access. Systems in this category have Intel AMT 6.0 or later.
• Wake-up devices for security scans and updates — Displays a pie chart representing the number of Intel AMT systems that can automatically update their security signatures and patches. Systems in this category have Intel AMT 6.0 or later.
ePO Deep Command system properties
When ePO Deep Command components are installed, you can find these properties on the System Details page for the managed client systems.
Property: CILA
Description: Reports whether the Client-Initiated Local Access (CILA) feature, also known as Fast Call for Help, is supported and enabled on this system.
Property: Configuration State
Description: Reports the configuration state for this system:
• In-configuration — The system is being configured.
• Post-configuration — The system has been configured.
• Pre-configuration — The system is unconfigured.
Property: DHCP Enabled
Description: Reports whether DHCP is enabled on this system.
Property: Intel® MEI Version
Description: Reports the version number of the MEI driver running on this system. For example, 6.0.0.1111.
Property: Intel® vPro™ System
Description: Reports whether the target system is an Intel AMT system. This property value is reported as Yes or No.
Property: Is DNS Configured through DHCP
Description: Reports whether the DNS server of the system is configured through a DHCP server.
Property: Last IDE-R Session Status
Description: Reports whether the status of the last IDE-R session was active. This property value is reported as Yes or No.
Property: Last Power On Success
Description: Reports whether the last attempt to power this system on using an Intel AMT action was successful.
Property: Reported Local Alarm Clock Time
Description: Displays the alarm clock time set in the Intel AMT firmware during the ePO Deep Command Alarm Clock policy enforcement, or displays Not available when no alarm is set.
Property: Serial-over-LAN (SOL)
Description: Reports whether the SOL feature is supported and enabled on this system.
Property: Wireless IPv4 Address
Description: Reports the IPv4 address received over this system's wireless network connection. For example, 172.12.000.123.
Property: Wireless Link Status
Description: Reports whether this system's wireless network connection is functioning. This property value is reported as Up or Down.
Option: Host-Based Configuration
Definition: Whether host-based configuration is supported on the client: Supported or Not Supported.
Option: Is Embedded HBC Enabled
Definition: Whether host-based configuration is enabled.
Option: RCS Server
Definition: Displays the Intel RCS server name if the client is in Admin Control mode.
8 Managing your Intel AMT systems
Manage the Intel AMT systems in your network by using Intel AMT policies, client task execution policies, Intel AMT actions, server tasks, and queries.
Using policies to manage Intel AMT systems
Create the Intel AMT configuration policies
Use the AMT Configuration Policies category to create policies to configure or unconfigure your Intel AMT systems.
Tasks
• Create a policy to configure Intel AMT systems on page 94
You can create a policy based on the Intel AMT configuration policies.
3 Select Allow ePO to enforce these settings, then perform one of these steps based on the configuration mode of the systems.
• Admin Control mode — Select Remote configure to enable Admin Control Mode, select Unconfigure (if currently configured by ePO), and then select the Intel RCS server and profile used for the configuration.
Create the Intel AMT policies
Use the AMT Policies category to create a policy to turn on your Intel AMT systems, configure Local Access or Remote Access for technical assistance, and set McAfee KVM Viewer preferences. You can also create separate policies for each feature. For clarity, a separate task is provided for each feature.
5 Select Repeat Every to specify the days, hours, and minutes to turn on your systems at regular intervals, then save the policy.
6 In the System Tree, assign the policy to the required systems or group.
• Systems — Click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 2.
6 Click Save.
7 In the System Tree, assign the policy to the required systems or group.
• Systems — Select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 2.1 as the product, select AMT Policies as the category, select the modified policy, select Break Inheritance, then save the policy assignment.
• Groups — Select ePO Deep Command 2.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, from Policy Catalog, select ePO Deep Command 2.1.0 as the product and AMT Policies as the category, then click New Policy.
2 Type a name for the policy and any notes, then click OK.
3 Click the policy created, click the Remote Access tab, then select Allow ePO to enforce these settings.
• From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
• Click Actions | AMT Actions | Enforce AMT Policies, then click OK.
13 Verify the policy enforcement:
• View the policy enforcement status in Server Task Log.
7 In the System Tree, assign the policy to the required systems or group.
• To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 2.1 as the product, select AMT Policies as the category, select the modified policy, select Break Inheritance, then save the policy assignment.
4 In Run the following Command afterward (optional), select the product, task type, and client tasks. Client tasks that require a system restart must be added last in the sequence.
5 In When to execute client task, select Execute the task only when system boots due to Alarm clock to avoid executing it when the system starts due to a Power On action.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Policy Comparison, select ePO Deep Command 2.1.0 or ePO Deep Command Profile Manager 2.1.0 as the product, select a policy category, then select All Policy Settings.
2 Select the policies to compare in the Compare policies row from the Policy 1 and the Policy 2 column lists.
Create the Profile Manager policies
c Type the Intel MEBX password, then retype it to confirm. Select Show Password to see the password as you type; password confirmation is not required with this option. This step can be used only for a remote configuration template.
d Select Use generated random password to use a randomly generated digest password, or select Set password, type a digest password, then retype it to confirm.
4 For a Kerberos account:
1 Select New Kerberos User or New Kerberos Group, as needed, select the required user or group, then click OK.
2 Select the user or group, then select the required access right for the user or group (AMT Administrator, AMT Help Desk, AMT Remote Power Control).
Use the Intel AMT actions
Tasks
• Turn on your systems on page 106
The Power On feature allows your Intel AMT systems to deploy the updated security programs ahead of a potential threat outbreak.
• Obtain User Consent on page 107
Obtain User Consent to perform Intel AMT actions using a passcode generated on the Intel AMT system screen to connect.
Obtain User Consent
Obtain User Consent to perform Intel AMT actions using a passcode generated on the Intel AMT system screen to connect.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, from System Tree, select a system that is in Client Control mode.
2 Click Actions | AMT Actions | Get User Consent. The User Consent status of the selected client system is displayed.
4 (Optional) In Additional Action, select Launch Serial-over-LAN Terminal (SOL) to access the target system from the server side. You can use the arrow keys to navigate through the BIOS menu that is displayed on the SOL terminal.
5 In User Consent Mode:
a Select Operate in User Consent Mode (UCM). Make sure that you enable the User Consent Mode for only one system at a time.
Connect to a system using the Serial-over-LAN
Serial-over-LAN (SOL) is a mechanism that enables the input and output of the serial COM port of a managed Intel AMT system to be redirected over Internet Protocol (IP address).
Before you begin
• Make sure that SOL is supported and enabled on your Intel AMT systems. Verify this from the Deep Command tab on the System Properties page.
• The recovery operating system image file must be an .iso file shared on a UNC mount. It must be shared and accessible by the Agent Handler. Also, make sure that you have defined its path using the Universal Naming Convention (UNC) syntax rather than using the IP address.
• Make sure that the image file can be used for diagnosis, and that its size is smaller than 30 MB.
See also
Connect to a system using the Serial-over-LAN on page 109
McAfee KVM Viewer options on page 127
Stop image redirection
You can stop an in-progress image redirection for the selected client systems, as needed.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, from System Tree, select the systems or groups for which IDE-Redirection is active.
Automate Intel AMT policy enforcement
Create and use the server tasks to enforce Intel AMT policies and turn on the remote Intel AMT systems at a scheduled time using out-of-band communication.
If you have many Intel AMT systems in your network, executing this action on all of them at once could have a negative impact on your network by consuming too much bandwidth.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, from Server Tasks, click New Task.
2 In Description, type a name for the task that you want to create and a brief description (optional), enable the schedule status, then click Next.
3 From Actions, select Run Query from the drop-down list. From Query, click ... to select the query you created that returns all configured Intel AMT systems, then click OK.
Maintenance tasks
• Renew Active Directory Password — Resets the password of the Active Directory object representing the Intel AMT system.
• Renew Administrative Password — Resets the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile.
Modifying ePO Deep Command settings initiates a delta configuration to synchronize data among the server, the Intel RCS system, and the Intel AMT systems.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Client Task Comparison, select ePO Deep Command 2.1.0 as the product, select AMT Maintenance as the policy category, then select Show settings.
2 Select the tasks to compare in the Compare Client Tasks row from the Policy 1 and the Policy 2 column lists. The settings available in the tasks and their values appear for the comparison.
Managing events and logs
Configuration events
Deep Command - Configure Failure (ID 34362): Generated when a configuration attempt has failed.
Deep Command - Unconfigure Failure (ID 34363): Generated when an unconfigure attempt has failed.
Deep Command - Configure Success (ID 34364): Generated when a configuration attempt is successful.
Deep Command - Unconfigure Success (ID 34365): Generated when an unconfigure attempt is successful.
Task
For option definitions, click ? in the interface.
1 In the McAfee ePO console, click Menu | Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page.
2 Select All events to the server to forward all events, including Intel client events, to McAfee ePO, or select Only selected events to the server and select the Intel client events that you want to forward.
3 Click Save.
File name: AMTRCSMgmtService_out.log
Location: ..\Program Files\McAfee\ePO Deep Command RCS Manager\AMTRCSMgmtService_out.log
Description: Provides a log of RCS Management.
File name: MediationCA_out.log
Location: ..\Program Files\McAfee\ePO Deep Command RCS Manager\MediationCA_out .
Description: Provides a log of the RCS plug-in manager.
9 Connecting to Intel AMT systems using KVM
With the McAfee KVM Viewer, you can remotely access Intel AMT systems using the Keyboard-Video-Mouse (KVM) feature, regardless of the operating system.
KVM Viewer overview
Use the McAfee KVM Viewer to remotely access your Intel AMT systems and perform actions such as powering them on, shutting them down, or starting or restarting them using IDE-Redirection.
Perform these steps to set up your KVM Viewer software and use it for accessing your Intel AMT systems remotely.
KVM requirements
Make sure that your system meets these requirements to connect to a system from McAfee KVM Viewer.
KVM host system (from where the McAfee KVM Viewer connection is initiated): If using a Windows XP or Windows Server 2003 system, it must have:
• Windows Remote Management (WinRM)
• Microsoft .NET Framework 3.5 SP1
KVM target client system (an Intel AMT system):
• Version: 6.
Add McAfee root CA certificate
Import the McAfee ePO Deep Command root CA certificate to the KVM host system to authenticate a KVM connection. This task is required only when the KVM host system is not the same system where McAfee ePO is installed.
Before you begin
Export the McAfee ePO Deep Command root CA certificate from McAfee ePO. See Export an active certificate for instructions.
Use Microsoft Management Console
Add the McAfee ePO Deep Command Root CA certificates, when used, to the certificate store of the system where you're accessing the McAfee KVM Viewer for the connection.
Before you begin
Export the McAfee ePO Deep Command Root CA from the Server Settings | Intel AMT credentials | Edit page. See Export an active certificate for instructions.
Modify the McAfee KVM Viewer settings
Task
1 From the KVM host system, browse to the folder where McAfee KVM Viewer is stored, then double-click the MKVMView file.
2 On the McAfee KVM Viewer Connection page, click Options to view the settings.
3 In the General tab, complete these settings:
• Computer — Type the host name of the managed client.
4 Authentication settings — Provide the credentials used in the configuration profile policy or under Intel AMT credentials in Server Settings. Or select Use currently logged on credentials if the logon user has the required permission in the configuration profile.
• Digest User — The Intel AMT digest user name for the managed client (displayed only when Use currently logged on credentials is not selected).
Connect to a local system
Connect to a local Intel AMT system to send power control commands to the client.
Task
1 From the KVM host system, browse to the folder where the McAfee KVM Viewer is stored, then double-click the MKVMView file.
2 In the Computer field, type the IP address, FQDN, or NetBIOS name of a managed client. From the drop-down menu, you can select a client that was connected previously.
Task
For option definitions, click ? in the interface.
1 From the McAfee KVM Viewer screen, click Connection | Stop. The current active session is stopped.
2 Click Tools | Options, from the General tab, specify the needed Intel AMT system in the Computer field, then click Connect. The connection is switched to the selected Intel AMT system.
McAfee KVM Viewer options
Option: Wireless Link Preference
Description: Allows selecting the link preference for a session connected over a wireless connection. For a system that has an Intel AMT version earlier than 8.1, select Management Engine preference. This allows restarting the system using an Intel AMT action such as IDE-Redirection.
Option: Help
Suboption: About McAfee KVM Viewer
10 Troubleshooting
Error messages are displayed by programs when an unexpected condition occurs that can't be fixed by the program itself. Use this list to find an error message, an explanation of the condition, and any action you can take to correct it.
Remote configuration
You might see these errors while setting up an Intel AMT system configured using remote configuration.
Issue: Exit code 32
Description: A certificate request has been sent to the Certification Authority, but the created certificate has been put into "Pending Requests" or "waiting for approval". Intel SCS does not support pending requests.
Corrective action: Request Handling of the Microsoft CA must allow automatic issuing of the certificate per the setting provided. For instructions to enable automatic issuance of certificates, see https://community.mcafee.
Issue: Configuration/unconfiguration task fails with this error in Server Task Log:
Description: This error occurs when the Intel AMT systems cannot resolve the FQDN of the Intel RCS server, or vice versa.
Corrective action: Make sure that the DNS settings for the Intel AMT system or Intel RCS server are not configured to use both IPv4 and IPv6.
Issue: Configuration attempt to a system outside the domain fails.
Issue: HTTP 401 in AMTservice.log
Description: This issue occurs when the server is not able to authenticate and connect to the Intel AMT system.
Corrective action: Verify that the user name and password are correct on the Edit Intel® AMT Credentials page.
Issue: Openwsman last error = 12029 in AMTservice.log
Description: This error can occur if TCP port 16993 on the Intel AMT system is not accessible from McAfee ePO.
Issue: Socket Error
Description: The Redirection port is not enabled on the Intel AMT system. This error also occurs when a certificate or authentication fails.
Corrective action: Enforce an AMT Policy to enable the Redirection Port and try again. Make sure that a valid certificate and credentials are used.
Issue: Maximum Connections Reached — Maximum SOL
Description: Agent Handler allows only four active SOL sessions at a time.
IDE-Redirection
Issue: IDE-Redirection session does not initiate
Description: This issue might occur for various reasons.
Corrective action: Perform these checks, then perform the corrective action based on the error in amtservice.log:
• Make sure that IDE-Redirection (IDE-R) is supported and enabled on the System Properties Intel® AMT page.
• Verify that the correct credentials and certificates are uploaded in the Server Settings Intel® AMT Credentials page.
Remote Access using the Gateway server
Issue: Remote Access connection fails with "Unknown CA" error in the Stunnel log
Description: This might occur if the root CA certificate is not imported into the Management Engine Certificate Store of the Intel AMT systems.
Corrective action: Make sure that the required certificate is added successfully.
Wireless
Issue: IDE-Redirection over a wireless connection fails with this error: Boot disk missing, please insert boot disk and press ENTER
Description: The wireless link can't be established because of some network issues.
Corrective action: Fix the connectivity issues in your network, then retry the IDE-Redirection from McAfee ePO or the KVM server.
Description: No wireless Admin or User profile is created on the Intel AMT system.
Corrective action: Create at least one wireless Admin or User profile on the system.
Issue: Intel AMT policy enforcement fails with errors similar to these errors in AMTservice.log:
• Failed to convert time of Intel® ME
• Failed to convert current time
• Failed to convert alarm time
Description: This issue occurs when the system call cannot obtain the current time of the Intel AMT system.
Corrective action: None
Issue: CILA/CIRA access calls fail with this error in AMTservice.
Issue: Remote Access request using Get Technical Help in the Intel Management and Security Status tool fails with an error stating that the organization is not reachable.
Description: None
Corrective action:
1 From the Intel AMT system, open Mozilla Firefox and access your DMZ Agent Handler system where the ePO Deep Command Gateway Server is running. The URL must include the port where Stunnel is running. Firefox shows an SSL certificate warning in your browser.
Issue: Alarm Clock policy doesn't enforce
Description: This issue might occur for various reasons.
Corrective action: Perform these checks, then perform the corrective action based on the error in amtservice.log:
• Make sure that the Intel AMT system is in the Post-Configured state and the System Properties Intel® AMT page is updated.
• Confirm that the AMT tag is applied to the system in System Tree and the Alarm Clock policy is saved correctly.
Issue: Some AMT commands do not work when selected from Automatic Response | New Response | Actions | Run System Command
Description: Some of the McAfee ePO commands are targeted for troubleshooting purposes and also require manual inputs from the user.
Corrective action: You can use these automatic Response action
Issue: ePO Deep Command policies enforcement and actions fail after an upgrade to McAfee ePO 4.
11 Frequently asked questions
Here are answers to frequently asked questions.
Power on and Normal boot or restart
What happens if a normal boot or restart is executed on a system that is in Hibernate or Standby mode?
The system is restored to a normal running state.
Is a user on an Intel AMT system notified if a normal start or restart is initiated from McAfee ePO?
No, the user is not notified and the system restarts immediately.
What is the amtservice.
• Client Tasks are enabled.
• Appropriate managed products are installed on the Intel AMT system.
• The Intel AMT system is able to communicate with the Agent Handler within two minutes of restarting your system using the Power On action or Alarm Clock task.
• The Intel AMT system is able to boot from a powered off state if the Power On action or Alarm Clock task is performed from McAfee ePO.
• Intel Management and Security Status (IMSS)
• ACUconfig status or SystemDiscovery
Properties
When does the Last Power On Time parameter get updated on the Deep Command tab?
Last Power On Time is one of the properties displayed on the Deep Command tab of the System Details page. This property is updated when an Intel AMT Power On action is executed from the McAfee ePO console.
3 Locate and select the Unconfigure Network Access option. A warning message appears stating that the configuration is reset to the default values.
4 Press Y to continue.
5 On the next screen, select an appropriate option: Full Unconfigure or Partial Unconfigure, then press Enter to execute the configuration.
6 Once the unconfiguration is complete, the menu appears. Press Return to go back to the previous screen and press Y to exit the MEBX menu.
A Additional information See these topics for more information that you may require to set up or manage ePO Deep Command.
Create a configuration profile using Intel RCS
4 If using Digest authentication, skip to the next step. Otherwise, on the Active Directory Integration page, click ... next to Active Directory OU and select the Organizational Unit where the system is stored in Active Directory, then click Next.
6 On the Transport Layer Security (TLS) page, select Request certificate via CA plugin to configure the profile that recognizes McAfee ePO Deep Command Root CA certificates, complete the options as needed, then click Next. If the Request certificate via CA plugin method is not listed, make sure that support for CA mediation is enabled in SCSConsole.exe.config.
7 On the Network Configuration page, perform these steps to set up wireless connections, then click Next.
a Select Allow WiFi connection with the following WiFi setups, then click Add to open the WiFi Setup screen.
b In the Setup Name field, enter a name for the Wi-Fi setup. The setup name can be up to 32 characters and must not contain any of these characters: / \ < > : ; * | ? ”
• IDE redirection
• KVM redirection
b In Power Management Settings, select Always on (S0-S5).
c In Network Settings, type the password for locally accessing the MEBX settings (the default is admin on a new system). If you want to use mixed mode and created a password in Edit Server Settings to support host-based configuration, type the same password in this field.
Set up the environment for Microsoft CA authentication
To use certificates generated by Microsoft CA, perform these tasks in addition to the other mandatory tasks for setting up ePO Deep Command. We recommend that you use certificates generated by the ePO Deep Command root CA to simplify the configuration process. If you're using Microsoft CA for your environment, use it only for remote configuration.
Import certificates to server
In an environment where McAfee ePO is deployed across different domains, import Microsoft CA certificates to the system where McAfee ePO or Agent Handler is installed.
Before you begin
• Perform this task only if McAfee ePO is not in the same domain as the enterprise CA/PKI.
• Specify ePO Deep Command credentials and import the Server Authentication Certificate in McAfee ePO.
Task
1 On the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
2 From the Console Root tree, right-click the certificate, then select Properties.
3 On the Properties page, click the General tab, then click View Certificate.
4 On the Certificate page, click the Details tab, then click Copy to File.
3 Right-click Certificate Templates and select Manage.
4 In the right pane, right-click the Computer template and select Duplicate Template to open the Properties page.
5 In Template display name, type a name for the template (for example, AMT Configuration).
6 Click the Extensions tab, select Application Policies, then click Edit:
  a Click Add, then click New.
Enable the certificate template

Enable the certificate template that you created for Intel® AMT configuration.

Task
1 On the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
2 From the Console Root tree, select Certificate Authority | Certificate Templates. Right-click the right pane and select New | Certificate Template to Issue.
Task
1 From the Intel® SCS Console, click the icon to create a profile and open the Configuration Profile wizard.
2 In Profile Description, enter a unique name, then click Next.
3 In Optional Settings, select Access Control List (ACL), Transport Layer Security (TLS), and Active Directory Integration (if using Kerberos authentication), then click Next.
4 If using Digest authentication, skip to the next step.
  c In Network Settings, type the Intel® ME BIOS Extension (MEBX) password for locally accessing the MEBX settings (the default is admin on a new system). If you want to use mixed mode and created a password in Edit Server Settings to support host-based configuration, type the same password in this field.
  d
8 Select Enable Intel® AMT to respond to ping requests and Enable Fast Call for Help (within the enterprise network).
Intel® MEBX password format

6 Select Include all certificates in the certification path.
7 Type a password, then save the file with the .pfx extension. For example, test.pfx.
8 Run these commands to create the certificate files.
    openssl pkcs12 -nocerts -in C:\test.pfx -out C:\cira.key -nodes
    openssl pkcs12 -clcerts -nokeys -in C:\test.pfx -out C:\cira.pem -nodes
    openssl pkcs12 -cacerts -nokeys -in C:\test.pfx -out C:\ca.cer -nodes
  Replace C:\test.
Validate permissions

Task
For option definitions, click ? in the interface.
1 Click Start | Administrative Tools, then click Server Manager.
2 Expand Configuration, right-click WMI Control and select Properties.
3 Go to the Security tab.
  a From the tree, select Intel_RCS, then click Security.
  b Click Advanced, add the user group as needed (for example, Domain Computers), then double-click the permission entry for the selected user group.
Modify DCOM permissions to add domain computers

The configuration process requires appropriate DCOM permissions for domain computers on the server where Intel® RCS is installed and configured.

Task
For option definitions, click ? in the interface.
1 Click Start | Run, type dcomcnfg, then press Enter.
2 Expand Console Root | Component Services | Computers, right-click My Computer, then select Properties.
3 Click the COM Security tab.
  c
8 Add Domain Computers if it's not listed, then allow these permissions for the Domain Computers group.
  • Full Control
  • Read
  • Special Permission
  Close the Component Services page.

Self-signed configuration certificates

When using a self-signed Certification Authority to create the configuration certificate, consider these points.
  • Its root hash must be entered into each AMT system that is configured.
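The following script is an added example and is not part of the McAfee guide or of Intel SCS. It rebuilds the PKCS#12 split from step 8 of the stunnel certificate procedure on constructed test material, checks that the extracted key, certificate and CA file actually belong together, and prints the root certificate hash that the self-signed configuration certificate point above says must be entered into each AMT system. It assumes openssl is on the PATH, and it uses a temporary directory and the constructed export password changeit in place of the guide's C:\test.pfx paths and the password typed in step 7.

```shell
#!/bin/sh
# Added example (not from the McAfee guide or Intel SCS): reproduce the guide's
# "openssl pkcs12" split on a throwaway PKCS#12 file, verify the pieces, and show
# the root hash for a self-signed configuration CA. Assumes openssl on PATH.

split_pfx() {
    work=$(mktemp -d) || return 1
    pass=changeit   # constructed export password, standing in for the one typed in step 7

    # Minimal OpenSSL config so the test CA gets CA:TRUE regardless of the system openssl.cnf.
    cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Constructed material: a self-signed test CA and a server certificate it issues.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Config CA" \
        -config "$work/ca.cnf" -extensions v3_ca \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cira.test.invalid" -config "$work/ca.cnf" \
        -keyout "$work/srv.key" -out "$work/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$work/srv.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -out "$work/srv.crt" >/dev/null 2>&1 || return 1

    # Bundle key, certificate and chain into test.pfx, as "Include all certificates in the
    # certification path" (step 6) does when exporting from the Windows certificate store.
    openssl pkcs12 -export -inkey "$work/srv.key" -in "$work/srv.crt" -certfile "$work/ca.crt" \
        -passout "pass:$pass" -out "$work/test.pfx" >/dev/null 2>&1 || return 1

    # Step 8 from the guide with the same flags and Unix paths. -nodes writes cira.key
    # unencrypted, so the output directory must stay private.
    for spec in "-nocerts:cira.key" "-clcerts -nokeys:cira.pem" "-cacerts -nokeys:ca.cer"; do
        flags=${spec%%:*}; outfile=${spec#*:}
        # $flags is deliberately unquoted so "-clcerts -nokeys" splits into two options.
        openssl pkcs12 $flags -in "$work/test.pfx" -out "$work/$outfile" -nodes \
            -passin "pass:$pass" >/dev/null 2>&1 || return 1
    done

    # Check 1: the private key in cira.key matches the certificate in cira.pem
    # (compare the SPKI public keys derived from each file).
    keypub=$(openssl pkey -in "$work/cira.key" -pubout 2>/dev/null | openssl sha256) || return 1
    certpub=$(openssl x509 -in "$work/cira.pem" -noout -pubkey 2>/dev/null | openssl sha256) || return 1
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] || return 1

    # Check 2: ca.cer is really the issuer of cira.pem, so stunnel will present a valid chain.
    openssl verify -CAfile "$work/ca.cer" "$work/cira.pem" >/dev/null 2>&1 || return 1

    # Root hash: the SHA-256 fingerprint of the DER root certificate, which is the value
    # entered into the MEBX certificate hash list for a self-signed configuration CA.
    openssl x509 -in "$work/ca.cer" -noout -fingerprint -sha256 || return 1

    rm -rf "$work"
    echo "pfx split ok"
}
```

Run it with `sh -c '. ./split_pfx.sh; split_pfx'` (file name assumed). With a real export from the Windows certificate store, drop the constructed-material section and point the three pkcs12 commands and the fingerprint command at the exported .pfx and the ca.cer it yields; the two checks apply unchanged, and a mismatch on check 1 is the usual sign that the wrong key or certificate was exported.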
Intel® AMT action logs

Here is the feature-wise list of log entries created as a result of Intel® AMT actions.

Table A-1 Server Task Log entries
Feature | Server Task Log entry | Description
SOL (Serial-over-LAN) | Initiated Start of Serial-over-LAN session | Added when SOL is initiated, with the status:
  • In Progress — A session is active.
  • Completed — A session finished successfully.
  • Failed — A session failed.
Table A-2 Audit Log entries (continued)
Feature | Audit Log entry | Description
Normal Boot/Restart | Initiated Normal Boot/Reboot | Displays when Normal Boot/Reboot is initiated.
Evaluate AMT tag criteria | Run Tag Criteria | Displays when Evaluate AMT tag criteria is initiated.

Table A-3 Threat Event Log entries
Feature | Threat Event Log entry | Description
Local Access | Local Fast Call for Help | Intel® AMT system initiates a Local Access call.
Python scripts for ePO Deep Command

            IP address"
            print "Provide help as the first parameter to get more information"
    else:
        if input == "help" or input == "-h" or input == "--h":
            print "This script attempts to do a OOB Power On for a remote AMT system using scriptable support in the ePO"
            print "It requires only one parameter.
        try:
            print "Error in doing OOB Policy Enforcement on as the command failed to invoke properly due to the following error"
            print "================"
            print e.__str__()
            print "================"
        except:
            print "NOTE: Run the command \"set PYTHONIOENCODING=utf-8\" on the command prompt before running the oobenforcepolicy.py script to be able to see the errors"
    except AttributeError as e:
        print "Error in using amt.