Product guide

Client Control mode network architecture
This illustration is an overview of a network configuration where your Intel® AMT systems support Client Control mode.
Components in Client Control mode configuration include:
• McAfee ePO server — McAfee ePO is the management console from which application and enforcement of Intel® AMT policies are configured and distributed. In the McAfee ePO console:
  • Modify server settings, such as selecting or importing required certificates and setting admin credentials to authenticate and enable communication between McAfee ePO and Intel® AMT systems. The Intel® ME BIOS Extension (MEBX) password that you provide is applied to all managed Intel® AMT systems.
  • Create and enforce a configuration policy by selecting the host-based configuration options, which use the host-based configuration profile.
• Certificate authority server — McAfee recommends that you use McAfee ePO Deep Command Root CA to simplify the configuration process. However, you can also use an external certificate authority server such as Microsoft CA or a custom root CA. These servers issue certificates to the correct trusted devices within the network. Import these certificates and their private keys to McAfee ePO. You can use Transport Layer Security (TLS) communication by incorporating certificates issued by a CA.
User consent requirement
When user consent is enabled, attempting to initiate a remote connection displays a User Consent
Code on the client screen. The administrator must enter this code to gain access.
For devices in Client Control mode (configured using host-based configuration), User Consent mode is required for these actions:
• Boot or restart to BIOS
• Boot using IDE-Redirection (IDE-R)
• KVM Redirection
In Client Control mode, user consent is always required for these actions. In Admin Control mode, it's
optional.
Basics of Intel AMT configuration
Host-based configuration
McAfee ePO Deep Command 2.1.0 Product Guide