IT@Intel Brief
Intel Information Technology
Computer Manufacturing
Client Management
January 2008

Enabling Manageability with Intel® Active Management Technology

Intel IT has started replacing desktop and mobile PCs across the enterprise with client systems enabled with Intel® Core™2 processor with vPro™ technology and Intel® Centrino® with vPro™ technology. These processor technologies include Intel® Active Management Technology (Intel® AMT), which enables out-of-band (OOB) access to PC clients regardless of whether systems are powered down or non-functional.1 This functionality will help us reduce client management costs and improve IT security and inventory accuracy.

Profile: Intel® Active Management Technology
• More than 4,000 desktop and mobile systems deployed in 2007
• Reduces costs of managing client systems
• Improves IT ecosystem security and accuracy of IT inventories

We plan to purchase all new PCs and integrate Intel AMT serial-over-LAN (SOL) and IDE redirect (IDER) down-the-wire management capabilities into our helpdesk responses. To date, we’ve deployed over 4,000 systems with Intel AMT and successfully introduced and managed multiple versions of Intel AMT in our ecosystem.

[Figure 1 diagram: an Intel® Active Management Technology Management Console connected to PCs in three states. Powered on and working properly: standard communication through the OS, plus a communication channel “below” the OS. Powered on but OS is down: event logs, BIOS settings, security agent status, and remote boot still available. Powered off: asset information and remote power-up still available. Legend: communication through OS; OS-independent communication.]

Figure 1. Building an enterprise manageability ecosystem. PCs based on Intel® Core™2 processor with vPro™ technology and Intel® Centrino® with vPro™ technology feature Intel® Active Management Technology, which allows IT staff to remediate problems remotely, reducing operating costs and the time users wait for system repairs.

Implementing Intel® Active Management Technology across the Enterprise

Intel AMT, a hardware component of the Intel Core 2 processor with vPro technology and Intel Centrino with vPro technology, combines remote client management and network protection into an OS-independent and tamper-resistant solution. It enables out-of-band (OOB) access to PC clients regardless of whether systems are operating, powered down, or non-functional. Intel AMT improves system security, asset management, and system manageability.

To gain these benefits corporate-wide, Intel IT started deploying Intel AMT-enabled systems in the second quarter of 2007, as shown in Table 1. Our initial deployments involved controlled releases in training rooms, followed by deployments to our production intranet. We plan to continue the implementation through 2008 by tying it to a rolling, worldwide replacement of all desktop and mobile systems.

Table 1. Deployment of Intel® Active Management Technology (Intel® AMT) at Intel

Version | Number of Systems | Timeframe
Intel AMT version 2.0 | 300 | Second quarter, 2007
Intel AMT version 2.5 | 200 | Third quarter, 2007
Intel AMT version 2.5 | 4,000 | Fourth quarter, 2007

Our corporate-wide re-platforming effort includes several compute ecosystem components:
• Intel AMT manageability functions
• Intel® Core™ processor family
• Intel AMT management console
• Intel AMT Setup and Configuration Service

Deployment Guiding Principles

As we planned for Intel AMT deployments, we established a set of principles to guide our efforts, outlined in Table 2.

Table 2. Intel® Active Management Technology (Intel® AMT) Deployment Guiding Principles

Guiding Principle | Reason
Add no user operating system agent. | Simplifies use and reduces agent management requirements.
Do not pass sensitive data in clear text. | Helps ensure that access to Intel AMT is restricted and secure. Intel AMT must not reduce the security of the environment.
Integrate solution with existing security capabilities. | Maintains the security of the environment when adding Intel AMT. Adding authentication and authorization tools can increase security risks.
Configure systems using Intel’s production environment. | Keeps costs low by using existing infrastructure.
Handle systems using automated features when possible. | Takes advantage of remote and down-the-wire capabilities to increase IT efficiency and lower costs.
Manage many systems at once. | Increases IT ecosystem manageability and reduces IT maintenance costs and time by batching processing across many systems.
Integrate deployment steps into current means of building and provisioning systems. | Helps ensure that Intel AMT provisioning will be completed successfully.
Integrate and handle multiple Intel AMT versions concurrently. | Helps ensure ecosystem manageability and avoids errors that come with complexity.
Use existing architectural principles for the implementation. | Keeps costs down by reusing existing capabilities, purchasing new capabilities only when necessary, and custom building capabilities as a last resort.

Aligning ISV Management Products with IT Priorities

As we planned our implementation, we made sure that ISV console management functions aligned with our IT priorities by making certain that:
• The console offering addresses all high-priority IT functional requirements
• The ISV is committed to quickly enabling new Intel AMT features
• The ISV roadmap shows a transition from software-based management agents to managing the device at the hardware level, regardless of the state of the
• The console integrates with common means of system and user authentication
• The console integrates with Intel IT methods for tracking asset identities

Testing and Developing an Implementation

To make sure that the architecture and services could handle multiple versions of Intel AMT concurrently, we introduced wireless and mobile clients with Intel AMT version 2.5 into an existing Intel AMT version 2.0 environment, shown in Figure 2.

We tested ISV management functions in this mixed environment and found that these functions operated well for both versions of Intel AMT; the SOL and IDER functions worked better with the more recent version.

Results

To date, we’ve successfully deployed over 4,000 client systems with Intel AMT enabled. We found that we could use the same provisioning process for both versions, making deployment more straightforward and efficient, and we encountered no problems managing multiple versions of Intel AMT from a single toolset.

Intel AMT can be deployed in two operational modes: small and medium business (SMB) and enterprise. Enterprise mode offers greater security protection, with encrypted communication and certificate-based access control to meet Intel security policies. In designing our implementation, we initially enabled SMB mode to gain familiarity with Intel AMT capabilities, and then we enabled enterprise mode to meet our environment’s security requirements.

During our implementation, we discovered that some of our processes for handling systems will need to be revised for future deployments. For example, any process that renames a system requires an Intel AMT re-provisioning step.

[Figure 2 diagram. Enterprise components for Intel® Active Management Technology (Intel® AMT) version 2.0: Domain Name Services and Dynamic Host Configuration Protocol, Intel AMT Setup and Configuration Service, Directory Service Domain Controller, Certificate Authority, AMT-enabled Management Console, and a wired desktop PC based on Intel® Core™2 processor with vPro™ technology with Intel AMT version 2.0. Function labels: Obtain Domain and IP Address; Configure and Control Intel AMT; Enable Intel AMT Device Access; Secure Communications Transport; Extend Management Functions. Additional components for an environment with Intel AMT version 2.5: a wireless laptop based on Intel® Centrino® with vPro™ technology with Intel AMT version 2.5. Network links are labelled wired, wireless, primary connection, and alternate connection.]

Figure 2. Environment for testing multiple versions of Intel® Active Management Technology (Intel® AMT). ISV management functions work well on both versions tested. Intel AMT version 2.5 improved SOL and IDER functionality.

[Figure 3 diagram, with WS-Management communications throughout:
Enterprise Policy Creation and Management
• Policies are created to reflect business priorities and practices
• Policies are managed across multiple toolsets
Enterprise Message Bus (also known as Intermediaries)
• Policies are “translated” into product- and tool-specific rules for execution
Management Utilities Domain: Intel AMT Management Console, Event Management, Fault Response, Security (with a Domain Policy Enabler)
Device Domain: Intel® Active Management Technology (Intel® AMT) end-points (with a Domain Policy Enabler)
Behavior rule execution
• Policy rules are distributed to domain policy enablers and Intel AMT end-points]

Figure 3. Service-oriented architecture (SOA) for an Intel® Active Management Technology environment.

Future Architectural Plans

Our long-term goal is to increase manageability and scalability using a service-oriented architecture (SOA) with Intel AMT, following WS-Management industry specifications (see Figure 3). With this infrastructure, we plan to:
• Create policies that reflect business priorities and practices
• Manage these policies across multiple toolsets
• Translate the policies into product- and tool-specific rules
• Distribute policy rules to domain policy enablers and Intel AMT end-points for execution

Because new toolsets can be integrated with an SOA, we expect our future SOA to increase IT flexibility and improve return on investment.

Conclusion

The widespread deployment of Intel AMT provides Intel with a significant opportunity to reduce the total cost of operation for client systems and increase manageability by taking advantage of the remote management capabilities with improved security and inventory accuracy.

As we move forward in our implementation, we are identifying ways to increase the value of Intel AMT to our organization. We will expand our IDER-based fault response toolset in response to new use cases for down-the-wire diagnostic and repair. We see even greater benefits from aligning Intel AMT with SOA infrastructure for significantly improved scalability, manageability, and return on investment.

Authors
Jay Hahn-Steichen
Bob Bogowitz
David McCray

Acronyms
IDER: integrated drive electronics redirect
Intel® AMT: Intel® Active Management Technology
OOB: out-of-band
SMB: small and medium business
SOA: service-oriented architecture
SOL: serial-over-LAN

1 Details on access under different system states are available at http://download.intel.com/products/vpro/whitepaper/crossclient.pdf

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.

Intel, the Intel logo, Intel. Leap ahead. and Intel. Leap ahead. logo, Intel Core, Intel vPro, and Centrino are trademarks of Intel Corporation in the U.S. and other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2008 Intel Corporation. All rights reserved.

Printed in USA. Please Recycle.
0108/IPKA/RDA/PDF
ITAI Number: 07-3901b