COPYRIGHT
Copyright 2012 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Product Guide
Contents
Preface
Introduction
Requirements
    System requirements
    Software requirements
    Operating system requirements
    Upgrade requirements
Install the software
    Install or upgrade the ePO Deep Command extensions
    Deploy the ePO Deep Command Discovery and Reporting plug-in
    Assign AMT Tag to systems
    Deploy the Management Framework client
    Create a certificate chain
    Specify ePO Deep Command credentials
    Import CA certificates to ePolicy Orchestrator
    Test your connection to an Intel AMT system
    Installing the ePO Deep Command online help
Configure user permissions
Configure Intel AMT clients through ePolicy Orchestrator
    Create a certificate template
    Enable the certificate template
    Issue certificates automatically
    Create a configuration profile
    Modify WMI permissions to add domain computers
    Modify DCOM permissions to add domain computers
Additional information
Index
Preface
The McAfee ePO Deep Command software includes the components that help you generate reports,
configure, manage, and troubleshoot your Intel Active Management Technology (AMT) systems.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.
Users: People who use the computer where the software is running and can access some or all of its features.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis
Bold: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue
Find product documentation
User documentation
KnowledgeBase
Introduction
McAfee ePO Deep Command uses Intel vPro Active Management Technology (AMT) to configure, manage, and troubleshoot endpoints by accessing them at the hardware level, without relying on the operating system.
The McAfee ePO Deep Command software integrates the management and automation features of ePolicy Orchestrator with the hardware-based security and manageability features of Intel Active Management Technology (AMT), which is included on your Intel vPro-equipped desktop and laptop systems.
Contents
Components and how they work
Product features
Intel AMT overview
What you need to know to get started
Components and how they work
McAfee ePO Deep Command Discovery plug-in: This plug-in detects the Intel AMT and BIOS properties of the managed systems in your organization. The data collected is displayed on the dashboard. The plug-in is added automatically to the ePolicy Orchestrator Master Repository during installation, and can be deployed to client systems using the predefined deployment task.
Deploy ePO Deep Command Discovery and Reporting plug-in task: This predefined deployment task is added to the Client Task Catalog. You can deploy it to the managed systems you select.
ePO Deep Command Reporting query group: These predefined queries collect important details about the Intel AMT-equipped systems in your network. They retrieve and display information about Intel vPro systems and their BIOS properties. You can modify these queries, or create custom queries.
Deep Command Discovery & Reporting dashboard: This dashboard displays a collection of monitors based on the results of the default ePO Deep Command Reporting queries. All Intel AMT and BIOS properties of managed systems are displayed in one place.
AMT tag: This tag is automatically assigned to managed systems that are fully configured for Intel AMT functionality.
ePO Deep Command: Run Tag Criteria task: This predefined server task evaluates each system against the AMT tag criteria. Run it every time you configure or unconfigure client systems.
McAfee ePO Deep Command client: This plug-in manages the core functionality to run client tasks, enforce policies, and generate events. It is added to the Master Repository when the software is installed, and can be deployed to client systems using the predefined deployment task.
Deploy Deep Command Client task: This predefined deployment task is added to the Client Task Catalog. You can deploy it to the managed systems you select.
ePO Deep Command Management query group: These predefined queries retrieve information from the Intel AMT clients managed by ePO Deep Command. You can modify these queries, or create custom queries.
AMT actions: This action group lists the ePO Deep Command actions that can be performed on managed Intel AMT systems. These actions help you configure, unconfigure, manage, and enforce policies on your Intel AMT-equipped client systems.
AMT policies: This category in the Policy Catalog provides options to create and assign policies for using Intel AMT features such as Alarm Clock, Client Initiated Local Access, Client Initiated Remote Access, and KVM access.
Client Task Execution: This category in the Policy Catalog provides options to create and assign policies for executing Intel AMT client-side actions, such as running an arbitrary command with additional parameters when the system is powered on through the Power On action or through the scheduled Alarm Clock.
Gateway module: This module is installed on your Agent Handler. It facilitates communication between your ePolicy Orchestrator server and managed Intel AMT systems outside the enterprise environment (needed for the Client Initiated Remote Access feature).
McAfee ePO Deep Command RCS 8.0 Manager plug-in: This plug-in retrieves configuration profiles from the Intel RCS servers and reports them back to ePolicy Orchestrator. It is added automatically to the ePolicy Orchestrator Master Repository during installation, and can be deployed to Intel RCS server systems using the predefined deployment task.
Deep Command RCS Management Summary dashboard: This dashboard displays a monitor that shows the managed Intel AMT systems by Intel RCS server.
ePO Deep Command RCS Management query group: These predefined queries retrieve information from the Intel RCS servers managed by ePO Deep Command. You can modify these queries, or create custom queries.
AMT configuration policies: This category in the Policy Catalog provides options to create and assign policies for configuring or unconfiguring the Intel AMT clients. Options in this category include:
    Enable or disable KVM support: If KVM access is supported on an Intel AMT client system, you can enable this feature on the client.
    User's consent: You can specify whether to require the user's consent for every remote KVM connection. If user's consent is enabled, a passcode is generated on the Intel AMT client screen when an administrator tries to connect to the system from the McAfee KVM console. The same passcode must be entered in the KVM console for a successful connection. You can also specify the time after which the passcode expires.
    Default monitor: If the client uses multiple monitors, select which one to display: Primary, Secondary, or Tertiary. The following table lists the minimum screen resolution required for an Intel AMT client system:

    Client    Minimum resolution
              1600x1200
              1920x1080
              1920x1200
              1920x1200

    Session timeout: You can specify the time after which the KVM connection times out.
Product features
McAfee ePO Deep Command features help you manage, configure, and report on your Intel AMT systems.

Retrieve the Intel AMT and BIOS properties from managed systems, then view reports to analyze your Intel AMT infrastructure (requires McAfee ePO Deep Command Discovery and Reporting software).

Find out this information using the dashboard monitors for the installed McAfee ePO Deep Command components:
• Which of the managed systems are Intel AMT-equipped
• Which Intel AMT systems have been configured using the McAfee ePO Deep Command RCS Manager software
• Which profile was used to configure the Intel AMT systems
• The versions of Intel AMT hardware
• The configuration status of the Intel AMT systems

Enforce the required in-band and out-of-band policies on the Intel AMT systems (requires McAfee ePO Deep Command Management Framework software).

Perform these actions on your Intel AMT systems (requires McAfee ePO Deep Command Management Framework software):
• Power on Intel AMT systems
• Use Serial-over-LAN (SOL) to redirect the input and output of the serial port of the Intel AMT systems over Internet Protocol (IP)
• Boot or reboot a system
• Boot or reboot using IDE-Redirect
• Boot or reboot to BIOS
• Configure Intel AMT firmware
• Stop Image Redirection

Client Initiated Local Access (CILA): Enable the local Intel AMT systems to initiate a call for technical help to the ePolicy Orchestrator server from their BIOS or operating system (requires McAfee ePO Deep Command Management Framework software).

Client Initiated Remote Access (CIRA): Enable the Intel AMT systems that are outside the enterprise to initiate a call to the ePolicy Orchestrator server for technical assistance from their BIOS or operating system (requires McAfee ePO Deep Command Management Framework software).

Remote Keyboard-Video-Mouse (KVM)

Maintenance tasks

Synchronize Network Settings

What you need to know to get started
Installation and configuration for each action in this process are detailed in the chapters that follow.
Before you can use your ePO Deep Command software to manage Intel AMT systems, you must configure the Intel AMT firmware on those systems.
You can configure your Intel AMT firmware from the ePolicy Orchestrator server, Intel RCS, or any other external source. This chapter provides an overview of the requirements and processes needed to configure the Intel AMT firmware in your network in general, as well as information about the configuration options required to set up the ePO Deep Command software.
For ePO Deep Command, the Intel AMT clients must be configured with Transport Layer Security (TLS).
There is no single source of complete instructions for configuring your Intel AMT firmware. However, the Intel vPro Expert Center (http://www.intel.com/go/vproexpert) provides a comprehensive set of documentation and supporting materials you can use to complete the process.
For more information on the Intel SCS Remote Configuration Service, see http://www.intel.com/go/scs.
Contents
Intel AMT configuration
Authentication protocols supported
Certificate Authority integration
How RCS Manager plug-in works
Required additional configurations
Admin Control mode network configuration

Intel AMT configuration
Configuring the Intel AMT firmware on your systems serves two purposes:
• It makes sure that communication between your Intel AMT systems and your servers is secure and trusted.
• It makes Intel AMT features accessible to your ePO Deep Command software.
The method you use to configure systems in your network depends on a variety of factors, including your network infrastructure, hardware and software, and which Intel AMT features you plan to use. This diagram presents a high-level overview of the recommended process for configuring systems.
Configuration states
An Intel AMT system can be in any of these three states during the configuration process.
Pre-configuration: By default, Intel AMT hardware on Intel vPro systems comes from the hardware manufacturer in Factory Mode. In this mode, Intel AMT is unconfigured and cannot be remotely managed by ePO Deep Command. A configuration server is required to configure your system into Admin Control mode.
Post-configuration: The Intel AMT system enters Operational Mode once its configuration settings are supplied and committed. At this point, Intel AMT is ready to interact with management applications and the system is said to be in post-configuration.

Authentication protocols supported
Digest authentication: HTTP Digest access authentication is a challenge-response scheme. The Intel AMT system sends a nonce, and the client answers with a hash computed over the user name, realm, password, nonce, and request, so the password itself is never transmitted. ePolicy Orchestrator uses it with the Intel AMT credentials over TLS. For more information about Digest authentication, refer to the Internet Engineering Task Force document RFC 2617 (http://datatracker.ietf.org/doc/rfc2617/).
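Added example, not code from the McAfee guide or from ePolicy Orchestrator: the Digest exchange described above, simulated in PowerShell with both sides present. The client computes the response from the challenge; the firmware-side check recomputes it from the stored secret and the nonce it issued, so a wrong password or a replayed nonce fails. The realm, nonce, user name, password and URI are constructed sample values.

```powershell
# Added example (not from the McAfee guide): HTTP Digest (RFC 2617) as used
# between ePolicy Orchestrator and an Intel AMT system. All values below are
# constructed; an AMT realm has the form "Digest:<hex>".

function Get-Md5Hex {
    param([string]$Text)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $hash = $md5.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Text))
    } finally {
        $md5.Dispose()
    }
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
}

# Parse the name="value" pairs of a WWW-Authenticate: Digest challenge.
function ConvertFrom-DigestChallenge {
    param([string]$Header)
    $fields = @{}
    foreach ($m in [regex]::Matches($Header, '(\w+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    return $fields
}

# Client side. HA1 binds user, realm and password; HA2 binds the request;
# the response binds both to the server nonce. The password is never sent.
function New-DigestResponse {
    param(
        [string]$User, [string]$Password, [string]$Realm, [string]$Nonce,
        [string]$Method, [string]$Uri, [string]$Cnonce,
        [string]$NonceCount = '00000001', [string]$Qop = 'auth'
    )
    $ha1 = Get-Md5Hex "${User}:${Realm}:${Password}"
    $ha2 = Get-Md5Hex "${Method}:${Uri}"
    return Get-Md5Hex "${ha1}:${Nonce}:${NonceCount}:${Cnonce}:${Qop}:${ha2}"
}

# Server side (what the AMT firmware does): reject a nonce it did not issue,
# then recompute the response from the stored credential and compare.
function Test-DigestResponse {
    param([hashtable]$Auth, [string]$Password, [string]$Method, [string]$CurrentNonce)
    if ($Auth.nonce -ne $CurrentNonce) { return $false }    # stale or replayed nonce
    $expected = New-DigestResponse -User $Auth.username -Password $Password -Realm $Auth.realm `
        -Nonce $Auth.nonce -Method $Method -Uri $Auth.uri -Cnonce $Auth.cnonce `
        -NonceCount $Auth.nc -Qop $Auth.qop
    return ($expected -eq $Auth.response)
}

# --- Simulated exchange (constructed values) ---
$challenge = 'Digest realm="Digest:0123456789ABCDEF", nonce="b2c9e1f4a7d8", qop="auth"'
$c = ConvertFrom-DigestChallenge $challenge
$cnonce = '5f3a9c21'
$response = New-DigestResponse -User 'admin' -Password 'P@ssw0rd!' -Realm $c.realm `
    -Nonce $c.nonce -Method 'POST' -Uri '/wsman' -Cnonce $cnonce
$auth = @{ username = 'admin'; realm = $c.realm; nonce = $c.nonce; uri = '/wsman';
           qop = 'auth'; nc = '00000001'; cnonce = $cnonce; response = $response }

# What goes on the wire: no password, only the hashed response.
'Authorization: Digest ' + (($auth.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }) -join ', ')

Test-DigestResponse -Auth $auth -Password 'P@ssw0rd!' -Method 'POST' -CurrentNonce $c.nonce   # correct password, live nonce
Test-DigestResponse -Auth $auth -Password 'wrong'     -Method 'POST' -CurrentNonce $c.nonce   # wrong password
Test-DigestResponse -Auth $auth -Password 'P@ssw0rd!' -Method 'POST' -CurrentNonce 'c0ffee01' # replay after the nonce changed
```

Digest protects the password from disclosure but, being MD5-based and offering no server authentication, it does not protect the session; that is why the guide requires TLS on the Intel AMT clients and treats the two together.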
Two types of certificates are required for Admin Control mode configuration of Intel AMT systems:

Server Authentication Certificate: For Certificate Authority integration, you need to deploy a self-signed (internal root) CA in your network. A Server Authentication certificate is required for each Intel AMT device that needs to communicate using TLS. When the Intel AMT client is configured to use TLS, the configuration server automatically requests a certificate for it from the CA. This certificate is stored in the non-volatile RAM of the Intel AMT client, and is based on the standard Web Server certificate template available in the Microsoft Certification Authority.

Remote configuration certificate: The vendor-issued certificate that establishes the initial trust between Intel SCS and an unconfigured Intel AMT system (the PKI method referred to later in this chapter). To obtain one:
• Use a supported vendor. The list of supported vendors is based on the root certificate hashes present in the Intel AMT firmware, which vary by firmware version. For the supported vendors, see http://communities.intel.com/docs/DOC2225
• Generate a Certificate Signing Request (CSR) and purchase the appropriate SSL certificate from the vendor. For example, to purchase and install Go Daddy certificates, see http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21742.
• Provide the Intel Client Setup Certificate value in the Organizational Unit (OU) field of the Certificate Signing Request.
• Make sure that the CN in the Certificate Signing Request matches the Intel AMT system domain suffix.
• Make sure that the key is exportable and the Request Type is PKCS10.
• Install the vendor certificate on the system where Intel SCS Remote Configuration Service (RCS) will be running.
For more information on purchasing the correct SSL certificate, see http://communities.intel.com/docs/DOC1277.
For more information on installing the vendor certificate, see Installing a Vendor Certificate in the Intel Setup and Configuration Service (Intel SCS) User Guide.
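Added example, not part of the McAfee or Intel documentation: a certreq.exe request file that meets the CSR rules listed above, run on the host where Intel RCS will be installed so that the key pair is generated in, and stays in, that machine's store. The domain suffix corp.example.com, the O, L, S and C fields and the file names are assumptions. The OU is written as Intel(R) Client Setup Certificate, the form Intel documents; confirm the exact string against your vendor's and Intel's current instructions before purchasing, because a CSR with the wrong OU or CN yields a certificate the firmware will not accept for remote configuration.

```powershell
# Added example (not from the McAfee guide): build and submit the CSR for the
# remote configuration certificate with certreq.exe. Run on the future RCS host.
$domainSuffix = 'corp.example.com'   # assumption: must equal the Intel AMT system domain suffix

$inf = @"
[NewRequest]
Subject = "CN=$domainSuffix, OU=Intel(R) Client Setup Certificate, O=Example Corp, L=Santa Clara, S=CA, C=US"
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
"@
Set-Content -Path .\amt-rcs.inf -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request.
certreq.exe -new .\amt-rcs.inf .\amt-rcs.csr

# Sanity-check the subject before sending the request to the vendor.
certutil.exe -dump .\amt-rcs.csr | Select-String -Pattern 'CN=|OU=|PKCS'

# After the vendor returns the issued certificate (file name assumed), bind it
# to the pending request so it lands in the machine store with its private key.
# certreq.exe -accept .\amt-rcs-issued.cer
```

MachineKeySet and Exportable together satisfy the guide's requirement that the key be exportable while keeping it in the Local Computer store that the RCS service reads.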
Certificate                                                  Template to use
Communicating with Intel AMT systems using TLS               Web Server
Configuration of Intel AMT systems by the configuration server   Duplicate of Web Server with customization, or vendor-supplied certificate
How RCS Manager plug-in works
The RCS Manager retrieves configuration profiles from the Intel RCS servers and reports them back to the ePolicy Orchestrator server. The server uses these profiles to configure the Intel AMT systems and lists them under the ePO Deep Command configuration policies.
You create the configuration profiles in the Intel RCS console, then install the RCS Manager extension. You then push the plug-in through the McAfee Agent to the Intel RCS server to retrieve the server and profile-related information.
The information is listed in the configuration policy, which can be configured based on the Intel RCS server and the configuration profile selected. The customized policies are then pushed to the Intel AMT client through the McAfee Agent. The ePO Deep Command client triggers the configurator to initiate configuration; once the process is complete, the success or failure status is sent to the ePolicy Orchestrator server.
Required additional configurations
Not configured
Of these situations, the first two are of particular importance. Refer to this section to make sure that the appropriate configurations, conditions, and details are in place to move your systems into the configured and compliant state.
Make sure the latest BIOS, Intel AMT firmware, and Intel AMT drivers are applied to all Intel AMT-equipped systems. Refer to the manufacturer of your hardware for details about obtaining them.
For security reasons, Intel AMT-equipped systems are shipped in an unconfigured state. Before you can report on or manage these systems with ePO Deep Command software, the Intel AMT hardware must be configured.
Intel AMT systems can be configured before or after they are deployed to your enterprise environment. The preferred setup for initial configuration is a Dynamic Host Configuration Protocol (DHCP) environment with your target systems on a production wired LAN interface, with network ports 135 and 16992-16995 available.
Intel AMT systems must be configured with at least one administrative account and a TLS certificate. This configuration requires the following:
• The Intel AMT systems must receive an initial profile to perform their function as a network service.
• The profile must be provided to your Intel AMT systems in a secure manner, and must provide the relevant information such as authentication or Access Control List (ACL) details, enabled service interfaces, securing of communications, and so forth.
• For optimal performance, Intel AMT systems must be configured to use Admin Control Mode.
Intel SCS is an essential component that provides a centralized mechanism for initial and post-configuration events. For more information about Intel SCS requirements, setup, and configuration details, see the Intel Setup and Configuration Service (Intel SCS) User Guide.
The initial trust between Intel SCS and your Intel AMT system is established through a Pre-Shared Key (PSK) or remote configuration certificates (PKI). For more details about PSK and PKI, see the Intel Setup and Configuration Service (Intel SCS) User Guide.
ePolicy Orchestrator requires TLS in the Intel AMT configuration. The internal CA root certificate must be in the Trusted Root Certificate store of the Intel AMT system, and must be imported into the ePolicy Orchestrator server.
ePolicy Orchestrator can authenticate through Intel AMT Digest or a valid Kerberos account with PT Admin Realm access.
Authentication and certificate details are applied in the ePolicy Orchestrator Server Settings, in the Intel AMT Credentials setting category. Only one set of credentials and one certificate can be applied per instance of ePO Deep Command.
If your Intel AMT systems were initially configured without using Intel SCS, it might be possible to change that configuration using the options provided by Intel SCS.
Additional resources
Refer to these sources for additional information about Intel SCS and to download the latest version:
http://www.intel.com/go/scs
Admin Control mode network configuration
Each of the server components in this illustration performs an essential function in Admin Control mode configuration:
Active Directory server: The Active Directory (AD) server is an integration point for the Intel AMT device. This integration allows the configuration server to use Kerberos authentication to securely manage Intel AMT credentials.
Certificate Authority server: The Certification Authority (CA) server issues certificates to the trusted devices within the network. An organization can use Transport Layer Security (TLS) communication by incorporating certificates issued by a CA.
ePO server: The ePolicy Orchestrator server is the management console from which Intel AMT policies are configured, distributed, and enforced.
Configuration server: This server configures Intel AMT systems. It automates populating Intel AMT systems with the user names, passwords, and network parameters that enable the system to be administered remotely from ePO Deep Command. Using the ePO Deep Command RCS Manager plug-in, ePolicy Orchestrator can enforce the Intel AMT configuration policies on the configuration server (Intel RCS server).
Firewall: Intel AMT systems require certain ports to be open to let management traffic through. These tables list the ports used for Intel AMT system communication; do not block them.

Communication ports
16992    TCP/UDP    (HTTP, without TLS)
16993    TCP/UDP    (HTTPS, with TLS; the one ePO Deep Command uses, since TLS is required)

Redirection ports
16994    TCP/UDP    (SOL and IDE-R, without TLS)
16995    TCP/UDP    (SOL and IDE-R, with TLS)

Port 135 is used for the Windows Management Instrumentation (WMI) communication from ACUConfig to RCS. Ports 623 and 624 for Web Services-Management (WS-MAN) can be used by the McAfee KVM viewer.
When you use the Intel Setup and Configuration Service configuration server, the Windows Firewall (Base Filtering Engine service) can block the configuration traffic and cause configuration to fail. Make sure that firewall rules allowing the designated ports are enabled.
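Added example, not part of the McAfee guide: a PowerShell check run from the ePolicy Orchestrator server against one Intel AMT client that combines the port table above with the TLS requirement stated earlier in this chapter. It reports which of the four AMT ports answer, then opens a TLS session to 16993 and reports whether the AMT server certificate chains to a root that the server's Windows certificate store trusts, which is the same trust the later import steps establish. The host name amt-client01.corp.example.com is an assumption, and Test-NetConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the McAfee guide): reachability and TLS trust check
# for one Intel AMT client, run from the ePO server. Host name is an assumption.

function Test-AmtPorts {
    param([string]$ComputerName)
    # 16992 HTTP, 16993 HTTPS, 16994 redirection (SOL/IDE-R), 16995 redirection over TLS
    foreach ($port in 16992, 16993, 16994, 16995) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Open = $r.TcpTestSucceeded }
    }
}

function Test-AmtTlsCertificate {
    param([string]$ComputerName, [int]$Port = 16993)
    $script:policyErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Record the chain-validation result instead of aborting the handshake,
        # so the output says *why* the endpoint would be rejected.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            # None means the chain ends at a root present in the Windows trusted store
            # and the name matches; anything else is what ePO/TLS would complain about.
            ChainTrusted = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors = $script:policyErrors
        }
    } finally {
        $client.Close()
    }
}

Test-AmtPorts -ComputerName 'amt-client01.corp.example.com'
Test-AmtTlsCertificate -ComputerName 'amt-client01.corp.example.com'
```

A closed 16993 with an open 16992 usually means the client was configured without TLS, which ePO Deep Command does not support; RemoteCertificateChainErrors in PolicyErrors means the internal CA root has not been placed in the Local Computer trusted root store on the server.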
BIOS version: Use the latest BIOS and firmware from the OEM for proper functionality.
IP addressing scheme: DHCP is required as the IP addressing scheme for remote configuration of the Intel AMT systems.
Intel Management Engine Interface (MEI) driver: The MEI driver is a prerequisite for configuration and local operations of the Intel AMT system. Confirm with your hardware vendors that you have the right MEI drivers for your Intel AMT systems.
You need to perform a series of steps to set up your McAfee ePO Deep Command software per your requirements.
1 Deploy the ePO Deep Command Discovery and Reporting plug-in to the Intel AMT client systems.
2 Generate reports on your client systems to identify the Intel AMT-enabled systems.
3 Install the ePO Deep Command Management Framework software.
4 Deploy the ePO Deep Command Client plug-in to the Intel AMT systems.
5 Test your connection to the Intel AMT client systems from the ePolicy Orchestrator server.
Requirements
Verify that your system meets these requirements before you start the installation process.
These are minimum requirements for the ePO Deep Command Discovery and Reporting software. You
must also consider the system requirements for any other products you are installing, such as McAfee
ePolicy Orchestrator.
System requirements
McAfee ePolicy Orchestrator server systems: See the ePolicy Orchestrator product documentation for version 4.6.4 or later.
Intel AMT client systems: The version of the Intel MEI driver varies with the hardware. To obtain the correct version, contact the hardware manufacturer for your systems (required when using the Management Framework module). Installing the Intel MEI driver is not required for the Discovery and Reporting module, but is recommended: installing it on the managed systems allows you to collect the complete Intel AMT and BIOS properties.
Graphics: Intel Integrated 3000 (required for the McAfee KVM viewer component).
Network Interface Card: Onboard (multiple NICs are not supported by the Intel Active Management Technology feature of Intel Core 2 processors with vPro technology).
Software requirements
Make sure you have the required software installed for the ePO Deep Command module you're installing.
McAfee management software: McAfee ePolicy Orchestrator server systems; see the ePolicy Orchestrator product documentation for versions 4.6 or later.
Internet browser
All: The ePO Deep Command Management Framework module requires the Discovery and Reporting module to function correctly.
Upgrade requirements
You can upgrade to McAfee ePO Deep Command version 1.5 from the earlier version 1.0.
Deploy the ePO Deep Command Discovery and Reporting plug-in on page 27: Deploy the Discovery and Reporting plug-in to generate reports on your Intel AMT systems.
Install or upgrade the ePO Deep Command extensions
On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
Select McAfee ePO Deep Command 1.5 from the products list, then do one of the following:
• For a fresh installation, select the product components to be installed, or select Check In All to check in all of them.
  The ePO Deep Command 1.5 extensions contain their associated client-side component packages. Check in the components individually: when you use Check In All, duplicate entries of the ePO Deep Command packages are checked in to the Current branch of the Master Repository.
• For an upgrade, click Check In All to check in all the new components, then click Update All to update all the existing components.
  Move the ePO Deep Command 1.0 packages in the Master Repository to the Previous branch before checking in the ePO Deep Command 1.5 components, and use Update All whenever previous versions of the ePO Deep Command packages exist in the Master Repository.
Table 3-1 McAfee ePO Deep Command components in Software Manager
Component: Description
In the Check In Software Summary page, review and accept the End User License Agreement (EULA),
then click OK to complete the installation.
The checked in packages appear under Menu | Software | Master Repository. The checked in extensions
appear under Menu | Software | Extensions.
Deploy the ePO Deep Command Discovery and Reporting plug-in
In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment under McAfee Agent.
Click Assign in the Actions column of Deploy ePO Deep Command Discovery and Reporting Plugin.
The Select a group to assign the task page appears.
Select the system or system groups where you want to deploy the ePO Deep Command Discovery and Reporting plug-in.
On the Select Task page, verify the Product, Task type, and Task Name to deploy the product. Next to Tags, select a platform, then click Next.
Send this task to only computers that have the following criteria: use one of the edit links to configure the criteria.
On the Schedule page, under Select type, select Run immediately, then click Next.
Review the summary, then click Save to open the System Tree page.
In the System Tree page, select the systems or groups where you assigned the task, then click Actions | Agent | Wake Up Agents.
The Wake Up McAfee Agent page appears.
In the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.
On successful execution of this task, the ePO Deep Command Discovery and Reporting plug-in is deployed.

Assign AMT Tag to systems
Click Run for the ePO Deep Command: Run Tag Criteria server task.
Upon successful execution, the AMT tag is assigned to all configured Intel AMT client systems. To check the task status, go to the Server Task Log.

Deploy the Management Framework client
In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment under McAfee Agent.
Select the required systems or groups where you want to deploy Management Framework, then
click OK.
Create a certificate chain
On the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
The Certification Authority management console appears.
In the Console Root tree, right-click the CA, then select Properties.
In the Properties screen, click the General tab, then click View Certificate.
In the Certificate screen, click the Details tab, then click Copy to File.
In the Certificate Export Wizard, click Next, select the export file format Base-64 encoded X.509 (.CER), then click Next again.
Specify the name of the file to export, click Next, then click Finish.
With a text editor (such as WordPad), copy and paste the entire body of the certificate into one text file.
If intermediate certificates exist in your environment, follow steps 2 through 6 for each certificate, then copy the entire text between the "BEGIN" and "END" lines of each and place them in bottom-to-top order (issuing CA first, root CA last) in the text file created in step 7.
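Added example, not from the McAfee guide: a PowerShell function that builds the chained file described above from the Base-64 .cer files exported in the earlier steps, and derives the order from the certificates' own subject and issuer fields (issuing CA first, root last) instead of pasting by hand. It refuses to write a file if it cannot find exactly one self-signed root or if a certificate does not link into the chain. The file names are assumptions.

```powershell
# Added example (not from the McAfee guide): assemble the CA chain PEM that
# ePolicy Orchestrator imports, with the root last. File names are assumptions.

function New-CaChainPem {
    param([string[]]$CerFiles, [string]$OutFile)
    $certs = $CerFiles | ForEach-Object {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_
    }
    # The root is the one certificate that signed itself.
    $root = @($certs | Where-Object { $_.Subject -eq $_.Issuer })
    if ($root.Count -ne 1) { throw "Expected exactly one self-signed root, found $($root.Count)" }

    # Walk downward from the root: each next certificate was issued by the previous one.
    $ordered = @($root[0])
    while ($true) {
        $child = @($certs | Where-Object {
            $_.Issuer -eq $ordered[-1].Subject -and $_.Subject -ne $_.Issuer -and ($ordered -notcontains $_)
        }) | Select-Object -First 1
        if ($null -eq $child) { break }
        $ordered += $child
    }
    if ($ordered.Count -ne $certs.Count) { throw "Some certificates do not link into a single chain" }

    [array]::Reverse($ordered)   # issuing CA first, root last, as the guide requires
    $pem = $ordered | ForEach-Object {
        "-----BEGIN CERTIFICATE-----`n" +
        [Convert]::ToBase64String($_.RawData, 'InsertLineBreaks') +
        "`n-----END CERTIFICATE-----"
    }
    Set-Content -Path $OutFile -Value ($pem -join "`n") -Encoding ASCII
    return $ordered | Select-Object Subject, Issuer
}

New-CaChainPem -CerFiles .\issuing-ca.cer, .\root-ca.cer -OutFile .\ca-chain.pem
```

The returned Subject/Issuer list is the order written to the file, so a misordered or foreign certificate is visible before the file is imported under Intel AMT Credentials.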
Specify ePO Deep Command credentials
In Setting Categories, select Intel AMT Credentials, then click Edit to specify your Intel AMT credentials and import trusted certificates.
Import and activate a Trusted Root Certificate to use the Client Initiated Remote Access (CIRA), Serial-over-LAN (SOL), IDE Redirection (IDER), and Remote Keyboard-Video-Mouse (KVM) features:
  a In Trusted Root Certificates, click Import, then browse to select a PEM-encoded (.pem), DER-encoded (.der), or PKCS#12 (.p12) file containing a certificate or a certificate chain.
    This is the root certificate of the CA that is used for creating and signing the Server Authentication Certificate.
  b Click Next.
  c Click Save.
    The certificate is listed in the Trusted Root Certificates box.
  d Select the imported certificate and click Activate (more than one certificate can be installed, but only one is active at a time). To remove a certificate, select it and click Delete.
Update your Intel AMT credentials to use for Intel AMT actions:
  a Select Change Password, then type your password and confirm it.
    If the credentials are invalid or not specified, all Intel AMT actions fail.
Disable listening for CILA/CIRA messages on Agent Handlers: Prevents Agent Handlers from receiving incoming local access or remote access calls. Use it to globally disable local access or remote access without changing their policy settings; it also disables all other features that depend on them (such as EEPC Unlock).
Extend CIRA/CILA session-opening events to describe the reason they were initiated: Lets Agent Handlers record detailed information about the system that initiates a local access or remote access call (such as who initiated the call: EEPC or a user).
Click Save.
See also
Certificate Authority integration on page 17
When you use Internet Explorer to install the certificate to your Trusted Roots certificate store, it affects only the current user's certificates and not the local system. Use the MMC Certificates snap-in to install it on the local system or for a service account. This certificate must be checked into Trusted Root Certification Authorities and Intermediate Certification Authorities, and the ePolicy Orchestrator services must be restarted.
These instructions are specific to importing the root or intermediate certificate of the CA that was used for creating and signing the Server Authentication Certificate.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator server, run mmc from the Command Prompt.
From the Certificates snap-in window, select Computer Account, then click Next. From the Select Computer page, select Local Computer, then click Finish.
Click Close.
Click OK.
Go to Console Root and expand Certificates (Local Computer), then expand Trusted Root Certification Authorities.
The Certificates folder is displayed in the right pane. Right-click Certificates, then click All Tasks | Import.
In the Certificate Import Wizard, click Next, then Browse and select the CA Certificate. Make sure Trusted Root Certification Authorities is where the certificate is stored. Click Next, then click Finish to complete the certificate import.
Go to Console Root and expand Certificates (Local Computer), then expand Intermediate Certification Authorities.
The Certificates folder is displayed in the right pane. Right-click Certificates, then click All Tasks | Import.
See also
Certificate Authority integration on page 17
Power On feature
Follow the instructions in the Power on your systems section of the Managing your Intel AMT systems chapter.
Boot/Reboot feature
Follow the instructions in the Boot or reboot using IDE-Redirect section of the Managing your Intel AMT systems chapter.
On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command Help Extension, then click Check In.
When checked in successfully, the deep_command_help extension appears under ePO Deep Command on the Extensions page. Verify that the extension version is 1.5.0.xxx.
In the ePolicy Orchestrator console, click Menu | User Management | Permission Sets.
On the Permission Sets page, select the permission set to which you want to assign ePO Deep Command permissions.
The details appear to the right.
Permission set | Options
ePO Deep Command Actions (added when ePO Deep Command Management Framework is installed) | Grant permissions for these Intel AMT actions:
Enforce AMT Policies: Allows users to enforce Out-of-Band policies.
Enforce AMT Firmware Configuration Policy: Allows users to configure or unconfigure Intel AMT firmware on the client systems.
Power On: Allows users to power on client systems.
Boot/Reboot with Options (IDER): Allows users to reboot an Intel AMT system to a redirected disk.
Serial-over-LAN Terminal (SOL): Allows users to connect to a remote Intel AMT system through a virtual serial port.
ePO Deep Command Policies (added when ePO Deep Command Management Framework is installed) | Grant permissions for ePO Deep Command policies and tasks:
No Permissions: Forbids users to view policy and task settings in the ePO Deep Command policies.
View policy and task settings: Allows users to view policy and task settings in the ePO Deep Command policies.
View and change policy and task settings: Allows users to view and modify the policy and task settings in the ePO Deep Command policies.
ePO Deep Command RCS Manager (added when ePO Deep Command RCS Manager is installed) |
On the Edit Permissions Set page for the selected permission set, select the options as required, then
click Save.
The supported Intel RCS version 8.0.13 or later must be installed and configured.
Obtain the latest Intel RCS version and required documentation from the Intel website:
http://www.intel.com/go/scs.
The ePO Deep Command Management Framework must be installed and configured.
Most of these tasks involve steps that are performed in a non-McAfee environment. This guide covers brief information on the normal procedure that is required to configure the ePO Deep Command RCS Manager software. However, see the Intel Setup and Configuration Service (Intel SCS) User Guide for detailed information on these steps and for any alternate steps.
An Intel AMT client in a Virtual Private Network (VPN) environment can't be configured from ePolicy Orchestrator because the home domains of the server and client are different in this scenario.
If a configured Intel AMT client is outside the home domain and has a CIRA policy configured, it cannot be unconfigured from ePolicy Orchestrator.
Tasks
In the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
The Certification Authority Management Console appears.
In the right pane, right-click the Computer template and select Duplicate Template.
The Properties of New Template window appears.
In the Template display name field, enter the name for the template as AMT Configuration.
Click the Extensions tab, select Application Policies, then click Edit:
a Enter the policy name as AMT OID, and in the Object Identifier (OID) field enter this:
2.16.840.1.113741.1.2.3
Click the Subject Name tab, then select Supply in the request.
Click the Request Handling tab, then select Allow private key to be exported.
Click OK.
In the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
The Certification Authority Management Console appears.
From the Console Root tree, select Certificate Authority | Certificate Templates. Right-click in the right pane and select New | Certificate Template to Issue.
In the Enable Certificate Templates screen, select the template that was created and click OK.
The template now appears in the right pane with the other certificate templates.
Task
1 In the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
The Certification Authority Management Console appears.
In the Request Handling tab, select "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.", then click OK.
From the Intel SCS Console, click the icon to create a new profile.
The Configuration Profile Wizard screen appears.
In the Profile Description section, enter a unique name, then click Next.
In the Optional Settings, select Access Control List (ACL), Transport Layer Security (TLS), and Active Directory Integration (if using Kerberos authentication), then click Next.
If using Digest authentication, skip to the next step. Otherwise, in the Active Directory (AD) Integration screen, click ... next to the Active Directory OU field and select the Organizational Unit where the system is stored in Active Directory, then click Next.
During configuration, Intel SCS sends a request to AD to create an object representing the Intel AMT system and adds it to the Active Directory Organizational Unit (ADOU) you define.
In the Access Control List (ACL) screen, click Add and perform these steps in the User/Group Details window:
a From the User Type option, select Digest User to use Digest authentication or Active Directory User/Group to use Kerberos authentication, as required.
b For Active Directory User/Group, click Browse, then select a domain user or group.
c Click OK.
From the Certificate Authority drop-down list, select the Certification Authority that was added.
From the Server Certificate Template drop-down list, select the required certificate template. Click Refresh CAs & Templates if the newly created template is not populated.
From the Common Names (CNs) in certificate subject name, select Default CNs.
McAfee recommends that you don't select the Use mutual authentication for remote option. When an Intel AMT client is configured using a profile that uses both local and remote mutual authentication, Remote Access policy enforcement to the client might fail.
Web UI
IDE redirection
KVM redirection
In the ME BIOS Extension (MEBx) password field, enter the password used for locally accessing the MEBx settings (default is admin on a new system).
In the Network Settings section, select Enable Intel AMT to respond to ping requests and Enable Fast Call for Help (within the enterprise network).
Task
For option definitions, click ? in the interface.
1 Go to the Security tab, and perform these steps for the namespaces that control access to the RCS (such as Intel_RCS, Intel_RCS_Editor, Intel_RCS_Master_Password, and Intel_RCS_Systems):
a Click Advanced, add Domain Computers, then double-click the permission entry for Domain Computers.
b Select This namespace and subnamespaces under Apply to, then select Allow for all permissions.
c Make sure that all required users are added in the Security screen. Perform this step for each required user.
Expand Console Root | Component Services | Computers, right-click My Computer, then select Properties.
Add Domain Computers, then allow these permissions for the Domain Computers group:
Local Access
Remote Access
Click OK.
Add Domain Computers, then allow these permissions for the Domain Computers group:
Local Launch
Remote Launch
Local Activation
Remote Activation
Click OK.
Click OK.
(Optional) If the Intel RCS is running on Microsoft Windows 2008, perform these steps in the Component Services screen:
a Expand Console Root | Component Services | Computers | My Computer | DCOM Config, right-click the entry for the Intel RCS, then select Properties.
b On the Security tab, under Configuration Permissions, select Customize, then click Edit.
c Add Domain Computers, then allow these permissions for the Domain Computers group:
Full Control
Read
Special Permission
On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command RCS Manager
Extension, then click Check In.
When checked in successfully, the ePO Deep Command RCS Manager extension appears under ePO Deep
Command on the Extensions page.
Task
For option definitions, click ? in the interface.
1 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command RCS 8.0 Manager, then click Check In.
When checked in successfully, the ePO Deep Command RCS 8.0 Manager appears under Menu | Software | Master Repository and the Deploy ePO Deep Command Discovery and Reporting Plugin task appears under Menu | Policy | Client Task Catalog | McAfee Agent | Product Deployment.
In the ePolicy Orchestrator console, go to System Tree, then select the target server hosting Intel RCS.
Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment.
Select McAfee Agent under Product, and Product Deployment under Task Type, then click Create New Task.
Type a name for the task and any notes, then select Target Platforms, as needed.
In Products and components, select McAfee ePO Deep Command RCS 8.0 Manager 1.5.0.xxx, select Action as Install, select the language, then click Save.
Schedule the task to run immediately or as required, then click Next to view a summary of the task.
The task is added to the list of client tasks for the selected Intel RCS server, and is executed at the next agent-server communication.
If the Intel RCS server is busy, there might be a delay in processing the WMI call. Wait for the next agent-server communication for the RCS Manager information to be updated in the ePolicy Orchestrator console.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, navigate to Policy Catalog, select the Product as ePO Deep Command 1.5.0 and Category as AMT Configuration Policies, then click New Policy.
Select McAfee Default, type a name for the configuration policy and any notes, then click OK.
Select Allow ePO to enforce these settings, select Configure and Maintain, then select the Intel RCS server and the profile to be used for the configuration.
In the System Tree, assign the policy to the required systems or group.
To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 1.5 as the product, select AMT Configuration Policies as the category, select the modified configuration policy, select Break Inheritance, then save the policy assignment.
To assign the policy to a system group or to the entire My Organization group, select the group, select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Configuration Policies, select the modified configuration policy under Assigned policy, then save the policy assignment.
Wait for the next agent-server communication or send an agent wake-up call.
From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
On successful policy enforcement, the selected Intel AMT client systems are configured for use. To verify, navigate to the System Properties page, click the Deep Command tab, and make sure that the Configuration State is Post Configuration.
See also
Create a policy to configure Intel AMT clients on page 84
Enforce Intel AMT configuration policy on page 96
Tasks
In the ePolicy Orchestrator console, navigate to Policy Catalog, select the Product as ePO Deep Command 1.5.0 and Category as AMT Configuration Policies, then click New Policy.
Select McAfee Default, type a name for the unconfiguration policy and any notes, then click OK.
Select Allow ePO to enforce these settings, select Unconfigure, then select the appropriate options:
Also remove the pre-shared keys or hash data of self-signed CA certificates configured manually on the client systems: select this to remove the configuration completely.
Force unconfigure even if it is not configured by ePO: select this to unconfigure a system that was configured in a non-ePolicy Orchestrator environment.
In the System Tree, assign the policy to the required systems or group.
To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 1.5 as the product, select AMT Configuration Policies as the category, select the unconfiguration policy, select Break Inheritance, then save the policy assignment.
To assign the policy to a system group or to the entire My Organization group, select the group, select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Configuration Policies, select the unconfiguration policy under Assigned policy, then save the policy assignment.
Wait for the next agent-server communication or send an agent wake-up call.
From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
On successful policy enforcement, the selected Intel AMT client is unconfigured. To verify, navigate to the System Properties page, click the Deep Command tab, and make sure that the Configuration State is Pre Configuration.
See also
Create a policy to unconfigure Intel AMT clients on page 84
Click Menu | Reporting | Queries & Reports, then select ePO Deep Command Reporting under Shared Groups.
From the queries list, select Intel AMT Configuration State, click Action | Duplicate, type a name for the query, then save it.
Select the query created in the previous step, click Edit, then perform these steps:
a In the chart screen, select to display the result as Table, then click Next twice.
b In the filter screen, from Available Properties select Configuration State, select the comparison as Does not equal and its value as Post Configuration.
In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click New Task.
The Server Tasks Builder page appears.
Type a name for the task and a brief description (optional), enable the task, then click Next.
Select the action as Run Query, select the query you created that returns the unconfigured Intel AMT systems, select the sub-action as Clear Tag and the tag as AMT, then click Next.
From the server tasks list, select the task, then click Run from the actions.
The AMT tag is removed from the unconfigured Intel AMT systems.
open-source, multi-platform program that acts as the SSL tunneling proxy between the ePolicy Orchestrator server and your remote Intel AMT systems. For more information about stunnel and to download it, access http://www.stunnel.org. For more information on Agent Handlers and how to configure them, see the ePolicy Orchestrator Product Guide.
Make sure that LAN-based operations are successful and the Intel AMT systems are accessible from the ePO Deep Command server.
Intel AMT systems configured for remote connectivity (in some environments, these systems are protected with a firewall; if the Intel AMT system initiates a connection to your server, you can use this connection to administer it).
Ports: The ports to be used by the McAfee ePO Deep Command Gateway Services are configurable based on your specific environmental requirements.
Port | Allows
Internet-to-stunnel port
The remote Intel AMT system or user initiates a connection to the ePO Deep Command Gateway server, which acts as a proxy server. The connection is initiated either manually by the user in an operating-system-level utility, or at the pre-operating-system level with a key combination. The connection can also be scheduled to be initiated automatically at a predetermined time.
Once the connection reaches the ePO Deep Command Gateway server, a secure encrypted tunnel is established back to the Intel AMT system.
Your ePolicy Orchestrator server is notified of the incoming Remote Access request from the Intel AMT system.
You can initiate any Intel AMT system command to the remote Intel AMT system.
Tasks
See also
Create a Remote Access policy on page 88
On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command Gateway Server, then click Download.
Extract the package contents to a temporary location on your server in the DMZ where the Agent Handler is installed.
Double-click the SetupAGS.exe file, then in the Welcome screen, click Next.
Select the license type and accept the license agreement, then click OK.
The Destination Folder screen displays a default folder where the software installation files are copied.
Click Change to specify a folder, or Next to copy them to the default location.
You can use the default port 11111 on this screen. If you change the port, the stunnel configuration must be changed accordingly.
Install stunnel
Install stunnel on the DMZ server where the Agent Handler or McAfee ePO server is installed.
Before you begin
ePO Deep Command Gateway must be installed on this DMZ server.
Task
For option definitions, click ? in the interface.
1
Make sure that you enter the fully qualified domain name of the ePO Deep Command Gateway server.
Make sure that the Web Server template is used when the certificate request is submitted for signing by the CA.
Task
For option definitions, click ? in the interface.
1 Go to http://www.slproweb.com/products/Win32OpenSSL.html.
Download and install the Microsoft Visual C++ 2008 Redistributable Package (required for the OpenSSL installation).
Download and install the latest OpenSSL for Win32 (select C:\OpenSSLWin32 as the destination location).
Copy the OpenSSL DLLs to the OpenSSL binaries (/bin) directory during the installation process.
In this command, a private key (cira.key) and a certificate signing request (cira.csr) are created.
Country name as US
State as California
Use a web browser to access the CA server. The CA server URL must include the server's FQDN followed by /certsrv. For example, http://<Server FQDN>/certsrv.
Log on to the CA server as a domain administrator, then click Request a Certificate | Advanced Certificate Request.
Select Web Server from the Certificate Template drop-down list. Copy the contents of the file C:\OpenSSLWin32\bin\cira.csr into the Base-64-encoded certificate request text box, then click Submit.
You can open C:\OpenSSLWin32\bin\cira.csr in a text editor such as Notepad or WordPad.
Select Base 64 Encoded and Download Certificate, then save to C:\Program Files\stunnel as cira.pem.
Configure stunnel
You can configure stunnel to listen on port 81 (based on the port configuration in your environment) for the incoming Remote Access requests and forward them to port 11111 (the default port you specify during installation for the ePO Deep Command Gateway server to listen on).
Task
For option definitions, click ? in the interface.
1 Copy the cira.key (private key), which was created by the openssl command, to the folder C:\Program Files\stunnel.
Save the CA Root Certificate file to the folder C:\Program Files\stunnel as ca.cer.
Open the stunnel configuration file at C:\Program Files\stunnel\stunnel.conf and add this content:
cert = C:\Program Files\stunnel\cira.pem
key = C:\Program Files\stunnel\cira.key
CAfile = C:\Program Files\stunnel\ca.cer
[ciraamt]
accept = 81
connect = 11111
The "ciraamt" section configures stunnel to listen on port 81 for incoming Remote Access requests and forward them to port 11111, which is the default port where the ePO Deep Command Gateway Server is listening (this configuration was done during the installation of the ePO Deep Command Gateway server).
Firewall rules must be enabled to allow inbound connections to the Remote Access port. In this case, inbound connections must be allowed to port 81.
In a 32-bit operating system, access the command prompt, then run these commands:
cd C:\Program Files\stunnel
stunnel.exe install
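The relationships the stunnel task relies on (global cert/key/CAfile entries, the service's accept port matching the firewall rule, its connect port matching the port chosen when the Gateway was installed) can be checked before the service is installed. This is an added example, not McAfee's or stunnel's code; the sample configuration below is the fragment from the task, and the Gateway port default of 11111 is the one the installer offers.

```python
"""Sanity-check the stunnel.conf used in front of the ePO Deep Command Gateway.

Added example, not McAfee code. It parses stunnel's INI-like syntax and
reports mismatches between the service section and the Gateway port.
"""
import re

GATEWAY_DEFAULT_PORT = 11111          # default offered by the Gateway installer
GLOBAL_REQUIRED = ("cert", "key", "CAfile")

# Constructed sample: the fragment the task tells you to add to stunnel.conf.
SAMPLE_CONF = """\
cert = C:\\Program Files\\stunnel\\cira.pem
key = C:\\Program Files\\stunnel\\cira.key
CAfile = C:\\Program Files\\stunnel\\ca.cer
[ciraamt]
accept = 81
connect = 11111
"""


def parse_stunnel_conf(text):
    """Parse 'key = value' lines; lines before the first [section] are global.
    Returns (global_options, {section_name: {key: value}})."""
    global_opts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in stunnel.conf
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        (global_opts if current is None else sections[current])[key] = value
    return global_opts, sections


def _port(value):
    """stunnel accepts 'host:port' as well as a bare port; return the port."""
    return int(value.rsplit(":", 1)[-1])


def check_gateway_conf(text, gateway_port=GATEWAY_DEFAULT_PORT, service="ciraamt"):
    """Return a list of findings; an empty list means the file matches the task."""
    findings = []
    global_opts, sections = parse_stunnel_conf(text)
    for opt in GLOBAL_REQUIRED:
        if opt not in global_opts:
            findings.append(f"global option '{opt}' missing: stunnel cannot present "
                            "the Gateway certificate or trust the CA")
    svc = sections.get(service)
    if svc is None:
        findings.append(f"service section [{service}] missing")
        return findings
    for opt in ("accept", "connect"):
        if opt not in svc:
            findings.append(f"[{service}] has no '{opt}' line")
    if "connect" in svc and _port(svc["connect"]) != gateway_port:
        findings.append(f"[{service}] connect={svc['connect']} but the Gateway "
                        f"listens on {gateway_port}; change one to match")
    if "accept" in svc and _port(svc["accept"]) == gateway_port:
        findings.append(f"[{service}] accept and Gateway port are both "
                        f"{gateway_port}: stunnel would forward to itself")
    return findings


def firewall_port(text, service="ciraamt"):
    """The port an inbound firewall rule must allow: the service's accept port."""
    _, sections = parse_stunnel_conf(text)
    return _port(sections[service]["accept"])


if __name__ == "__main__":
    print(check_gateway_conf(SAMPLE_CONF) or "stunnel.conf matches the task")
    print("allow inbound TCP port", firewall_port(SAMPLE_CONF))
```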
Validate certificate
Verify that the certificate issued to the host name of your ePO Deep Command Gateway server is correct. Perform these steps from a local system.
Task
1 Using Mozilla Firefox, go to https://<FQDN of the ePO Deep Command Gateway server>:81 (or the port you have configured stunnel.conf to listen on).
The certificate must be issued to the host name of the ePO Deep Command Gateway server and issued by a CA that is known to the Intel AMT system.
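The two conditions this task checks in the browser, that the certificate is issued to the Gateway host name and by a CA the Intel AMT systems trust, can also be checked from a script. This is an added example, not McAfee code: the identity check works offline on the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns (SAMPLE_CERT is a constructed placeholder), and probe_gateway() needs network access to the Gateway and assumes ca.cer is PEM-encoded, as stunnel's CAfile also requires.

```python
"""Check the certificate stunnel presents for the ePO Deep Command Gateway.

Added example, not McAfee code. The offline part inspects a peer-certificate
dict (getpeercert() layout); the live part lets OpenSSL validate the chain.
"""
import socket
import ssl


def _names_from_cert(cert):
    """DNS names a certificate claims: subjectAltName DNS entries plus the
    subject commonName, in the nested-tuple layout of getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _dns_match(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' label standing for exactly
    one leftmost label (no partial-label wildcards, no matching across dots)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    parts = pattern.split(".")
    if parts[0] != "*" or len(parts) < 3:
        return False
    host_parts = hostname.split(".")
    return len(host_parts) == len(parts) and host_parts[1:] == parts[1:]


def cert_matches_gateway(cert, gateway_fqdn):
    """True if the certificate was issued to the Gateway host name."""
    return any(_dns_match(name, gateway_fqdn) for name in _names_from_cert(cert))


def issuer_name(cert):
    """commonName of the issuing CA, so it can be compared with the root the
    Intel AMT systems were configured to trust."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_gateway(gateway_fqdn, port=81, ca_file="ca.cer", timeout=5.0):
    """Connect to the stunnel listener and let OpenSSL validate the chain
    against ca_file (PEM) and the host name. Returns the peer certificate
    dict, or raises ssl.SSLCertVerificationError on a mismatch."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((gateway_fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=gateway_fqdn) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout; placeholder names, not real hosts.
SAMPLE_CERT = {
    "subject": ((("commonName", "gateway.example.test"),),),
    "issuer": ((("commonName", "Example Enterprise Root CA"),),),
    "subjectAltName": (("DNS", "gateway.example.test"),),
}

if __name__ == "__main__":
    print("issued to gateway:", cert_matches_gateway(SAMPLE_CERT, "gateway.example.test"))
    print("issued by:", issuer_name(SAMPLE_CERT))
```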
In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment under McAfee Agent.
Click New Task and select Product Deployment to open the Client Task Catalog: New Task page.
Type a name for the task and any notes, then select appropriate Target Platforms.
In Products and components, select McAfee ePO Deep Command Client 1.5.0.xxx, select Action as Remove, select the language, then click Save.
In the Client Task Catalog, under the Actions column of your new product deployment task, click Assign and select the systems or groups where you want to remove the ePO Deep Command Management Framework client, then click OK.
Click Next to schedule the task as required, click Next again, then click Save.
In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment
under McAfee Agent.
Click New Task and select Product Deployment to open the Client Task Catalog: New Task page.
Type a name for the task and any notes, then select appropriate Target Platforms.
In Products and components, select McAfee ePO Deep Command Discovery Plugin 1.5.0.xxx, select Action as Remove,
select the language, then click Save.
In the Client Task Catalog, under the Actions column of your new product deployment task, click
Assign and select the systems or groups where you want to remove the ePO Deep Command
Discovery and Reporting plugin, then click OK.
Click Next to schedule the task as required, click Next again, then click Save.
In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment under McAfee Agent.
Click New Task and select Product Deployment to open the Client Task Catalog: New Task page.
Type a name for the task and any notes, then select appropriate Target Platforms.
In Products and components, select McAfee ePO Deep Command RCS 8.0 Manager 1.5.0.xxx, select Action as Remove, select the language, then click Save.
In the Client Task Catalog, in the Actions column of your new product deployment task, click Assign and select the systems or groups where you want to remove the ePO Deep Command RCS Management plugin, then click OK.
Click Next to schedule the task as required, click Next again, then click Save.
Task
For option definitions, click ? in the interface.
On the Software Manager page, under Product Categories, click Checked In Software | Licensed.
Select McAfee ePO Deep Command from the products list, then click Remove against the extension to be removed. Be sure to perform this step for each of the ePO Deep Command extensions checked into your server.
With McAfee ePO Deep Command Reporting and Discovery software, you can quickly determine the status of the Intel AMT systems in your network. The predefined queries and dashboards provide out-of-the-box functionality, since they are added to your ePolicy Orchestrator server when the software is installed.
These queries can be configured to display results in charts or tables, which can also be used as dashboard monitors. Query results can be exported to several formats, any of which can be downloaded or sent as an attachment to an email message.
You can create additional, custom queries using the Query Builder wizard, which is available in the ePolicy Orchestrator server. For details on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.6 or later.
Contents
Queries and reports
Dashboards and monitors
Query | Description
CILA Supported: Displays a pie chart of detected client systems supporting Local Access, also known as CILA or Fast Call For Help.
Displays a pie chart of the deployment status of the ePO Deep Command plugin.
Displays a pie chart of detected systems that have IDE-Redirect supported and enabled.
Displays a pie chart of the different Intel AMT configuration modes for all detected systems supporting Intel AMT.
Enterprise: This mode requires a configuration service to configure the systems remotely.
None: This configuration status means that no specific mode is selected.
Displays a pie chart of the different Intel AMT configuration states for all detected systems supporting Intel AMT.
In (In-configuration): These systems are in a partially configured state with initial information.
Post (Post-configuration): These systems are in a fully configured state with security settings, certificates and settings that activate Intel AMT capabilities.
Pre (Pre-configuration): These systems have factory default settings and don't have any Intel AMT configuration defined.
Displays a pie chart of detected systems which have Keyboard, Video display unit and Mouse (KVM) supported and enabled.
The KVM might not work on a platform with discrete graphics even if it's supported and enabled. The Intel AMT KVM only operates with Intel Integrated Graphics.
Displays a summary table of managed systems which have the AMT tag applied to them.
Systems without Intel MEI Driver: Displays a pie chart showing the number of managed systems that support Intel AMT without the Intel MEI driver installed on them.
Web UI Enabled Systems: Displays a pie chart of the number of managed systems that have the Intel AMT web user interface enabled.
Query | Description
Managed Intel AMT Systems by RCS Server: Displays a pie chart of ePO-managed Intel AMT systems organized by the Intel RCS servers used to configure them. Details include Configuration Profiles and Configuration State.
Managed Intel RCS Servers
Report | Description
ePO Deep Command Policy Settings Report: Displays the ePO Deep Command Policy Settings for managed systems that have the AMT tag applied to them.
Intel AMT CILA/CIRA Events and KVM Details over Time
Displays the numbers in Intel AMT Configuration States (Pre, In, Post) for all detected systems supporting Intel AMT. From this report, you can click an entry for specific information on a configuration state, such as the profile used.
Displays the numbers in Intel AMT Configuration States (Pre, In, Post) for all detected systems supporting Intel AMT by their domains.
Displays a summary table of local Fast Call For Help events generated by managed systems supporting Intel AMT.
From Shared Groups in the Groups pane, select ePO Deep Command Reporting, ePO Deep Command Management or
ePO Deep Command RCS Management, as needed.
The queries for the selected group appear.
Select a query from the Queries list, then click Run. In the query result page, click any item in the
results to drill down further.
Group | Filter | Description
Product Version (McAfee ePO Deep Command Client): The version of the McAfee ePO Deep Command Management Framework software installed on Intel AMT client systems.
Service Pack (McAfee ePO Deep Command Client)
Product Version (McAfee ePO Deep Command Detection Plugin): The version of the McAfee ePO Deep Command Discovery and Reporting software installed on Intel AMT client systems.
Product Version (McAfee ePO Deep Command RCS Manager plugin): The version of the McAfee ePO Deep Command RCS Manager software on managed Intel RCS servers.
Intel AMT: Alarm Enabled, BIOS Version, CILA, CILA Enabled, CIRA Enabled, Configuration Mode, Configuration State, DHCP Enabled, Firmware Version, KVM, Manageability Level, Policy Enforced, Remote Configuration Enabled, Serial-over-LAN (SOL), System Manufacturer, System Model, TLS, UUID, Web UI Enabled
Intel RCS Management: Digest Master Password State: Whether the RCS Server is configured to use a Digest Master Password within an RCS Profile.
Intel RCS Management: RCS Profiles
Property | Description | Values (With Intel MEI driver installed / Without Intel MEI driver installed / Non-Intel AMT System)
Alarm Enabled
BIOS Release Date
BIOS Version
CILA: No, Not Available, Yes
CILA Agent Handler
CILA Enabled: No, Not Available, Yes
CIRA Enabled
CIRA Agent Handler
IDE Redirection (IDER): Not Available, Supported, Supported and Enabled, Supported and Enabled in BIOS only
Intel AMT Supported
Intel Anti-Theft Supported
Intel AMT Version
Intel MEI Enabled
Intel MEI Version
Intel vPro System
KVM: Not Available, Supported, Supported and Enabled, Supported and Enabled in BIOS only. This feature is required for using the McAfee KVM viewer. The Intel AMT KVM only operates with Intel Integrated Graphics; it doesn't work on a platform with discrete graphics even if the feature is listed as Supported and Enabled.
Last Error Message
Last IDER Session Start/End Time
Last IDER Session Status
Last Power On Success: Not Available, Yes
Last Power On Time
Last SOL Session Start/End Time
Last SOL Session Status
Manageability Level
Mobile System (Laptop)
Network Interface Enabled: Reports whether the network interface is enabled on this system. This property value is reported as Yes or No.
Policy Enforced
Policy Enforcement Time
Configuration Mode
Configuration Mode (TLS)
Remote Configuration Enabled
Remote Configuration Server
Remote Configuration Server IP Address
Reported Local Alarm Clock Time
Serial-over-LAN (SOL): Not Available, Supported, Supported and Enabled, Supported and Enabled in BIOS only
System Model
System Manufacturer
System Serial Number
Transport Layer Security (TLS): Not Available, Supported, Supported and Enabled, Supported and Enabled in BIOS only. This feature must be supported and enabled for ePO Deep Command.
UUID
Web UI Enabled
Wired IPv4 Address
Wired Link Status
Wired MAC Address
Wireless IPv4 Address
Wireless Link Status
Wireless MAC Address
Configuration status
These are the default monitors that appear under the Deep Command Discovery & Reporting
Summary dashboard:
CILA Supported   Helps the administrator determine the number of managed systems that support Local Access connections out of the total number of managed systems. The administrator can then decide how many managed systems to target with a Remote Access policy that enables Local Access support, which allows those systems to send Local Access requests to the ePolicy Orchestrator server.
ePO Deep Command Detection Coverage   Helps the administrator determine the number of managed systems on which the ePO Deep Command Discovery and Reporting plugin has been installed, out of the total number of managed systems. This monitor is useful for determining the coverage of the software.
IDE Redirect Supported and Enabled   Helps the administrator determine the number of managed systems that support, and can be remotely managed using, IDE-Redirect (IDER) connections.
Intel AMT Configuration Mode   Helps the administrator determine the different configuration modes present across the managed systems. Because ePO Deep Command currently supports Enterprise mode only, the administrator must reconfigure managed systems that are not in Enterprise mode.
Intel AMT Configuration State   Helps the administrator determine the different Intel AMT configuration states present across the managed systems. The AMT Actions can be used on any managed system that is in the Post Configuration state.
Intel AMT Supported   Helps the administrator determine the number of managed systems that are Intel AMT-equipped. However, Intel AMT Actions might not be possible on all of these systems; that depends on the Intel AMT version and the configuration state.
Intel AMT Version   Helps the administrator obtain the different versions of Intel AMT hardware present on the managed systems. Because ePO Deep Command supports specific versions of Intel AMT, this monitor enables the administrator to determine how many systems can be used for AMT Actions.
KVM Supported and Enabled   Helps the administrator determine the number of managed systems that support KVM connections out of the total number of managed systems. This enables the administrator to determine the number of systems that can be managed remotely using KVM.
KVM might not work on a platform with discrete graphics even if it is supported and enabled. The Intel AMT KVM only operates with Intel Integrated Graphics.
SOL Supported and Enabled   Helps the administrator determine the number of managed systems that support SOL connections out of the total number of managed systems. This helps to determine the number of systems that can be managed remotely using SOL.
AMT-Capable Systems without Intel MEI Driver   Helps the administrator determine which systems require installation of the MEI driver, out of the total number of managed systems. Systems without the Intel MEI driver cannot collect certain Intel AMT and BIOS properties.
Web UI Enabled Systems   Helps the administrator determine the number of managed systems on which the Intel AMT web UI is enabled. The administrator can open a browser, connect to a managed system by its Fully Qualified Domain Name (FQDN) on port 16993 (the TLS port of the Intel AMT web UI), and log on.
For more information on the Intel AMT and BIOS properties of each managed system, click the monitor, select the system, then select the Deep Command tab.
Intel AMT Configuration State and Profile   Displays a pie chart of the different Intel AMT Configuration States (Pre, In, Post) for all detected systems supporting Intel AMT, and the RCS Server and Profile by which they were configured, if any.
Intel AMT Configuration State by Domain Breakdown   Displays a bubble chart of Intel AMT-capable systems for each domain. Details include the Configuration States (Pre, In, Post) for all detected systems supporting Intel AMT, and the RCS Server and Profile by which they were configured, if any.
Intel AMT Configuration Events by Event Type   Displays a pie chart of Intel AMT events. Details include the Configuration States (Pre, In, Post) for all detected systems supporting Intel AMT, and the RCS Server and Profile by which they were configured, if any.
Managed Intel AMT Systems by RCS Server   Displays a pie chart of ePO-managed Intel AMT systems organized by their RCS Server. Details include Configuration Profiles and Configuration State.
With ePO Deep Command Management Framework software you can manage the Intel AMT systems
in your network by using Intel AMT policies, client task execution policies, Intel AMT actions, server
tasks, and queries.
Contents
Using policies to manage Intel AMT systems
Use the Intel AMT actions
Automate Intel AMT policy enforcement and power on
Using the McAfee KVM Viewer
Maintenance tasks
Managing events and logs
In-band   In-band refers to the policies that allow agent-based operations to be performed using the ePO Deep Command client agent. This includes:
Out-of-band   Out-of-band refers to the policies that allow the Intel AMT actions to be performed. This includes:
KVM policy
Configure and maintain   Create a policy to configure Intel AMT firmware on your client systems.
Unconfigure   Create a policy to unconfigure your client systems either fully or partially.
Tasks
Task
For option definitions, click ? in the interface.
1  From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and Category as AMT Configuration Policies, then click New Policy.
2  In the New Policy dialog box, select McAfee Default, type a name for the configuration policy and any notes, then click OK.
3  Select Configure and Maintain, then select the Intel RCS server and the profile to be used for the configuration.
See also
Configure Intel AMT clients through ePolicy Orchestrator on page 35
Task
For option definitions, click ? in the interface.
1  From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and Category as AMT Configuration Policies, then click New Policy.
2  In the New Policy dialog box, select McAfee Default, type a name for the configuration policy and any notes, then click OK.
3  Select Allow ePO to enforce these settings, select Unconfigure, then select the appropriate options:
   Also remove the pre-shared keys or hash data of self-signed CA certificates configured on the client systems manually   Select this to remove the configuration completely.
   Force unconfigure even if it is not configured by ePO   Select this to unconfigure a system that was configured in a non-ePolicy Orchestrator environment.
See also
Unconfigure Intel AMT clients through ePolicy Orchestrator on page 52
Tasks
See also
Supported Intel AMT features on page 119
The time you set is interpreted in the local time of the Intel AMT system. If you specify an Alarm Clock time fewer than five minutes ahead of the Intel AMT system's current time, the policy enforces the Alarm Clock time for the next day.
When a system moves from one time zone to another, the Intel AMT client might power on at a time that is out of sync with the new local time. This is corrected at the next agent-server communication, or by modifying and enforcing the policy manually.
Schedule the required tasks during off hours to avoid interrupting the users of the Intel AMT systems.
Task
For option definitions, click ? in the interface.
1  From the Policy Catalog, select the product as ePO Deep Command 1.5.0 and category as AMT Policies, then click New Policy.
2  In the New Policy dialog box, type a name for the Alarm Clock policy, then click OK.
3  Enable the Alarm Clock at a particular time and specify the randomization minutes.
   Randomization minutes stagger the power-on across the selected Intel AMT systems so that they do not all wake at the same instant. The maximum value is 20 minutes.
4  Select Repeat Every to specify the days, hours, and minutes at which to power on your systems at regular intervals, then save the policy.
5  In the System Tree, assign the policy to the required systems or group.
   To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the modified policy, select Break Inheritance, then save the policy assignment.
   To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy, then save the policy assignment.
6  Wait for the next agent-server communication or send an agent wake-up call.
7  From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
8  Click Actions | AMT Actions | Enforce AMT Policies, then click OK.
9  Navigate to the System Properties page, click the Deep Command tab, and make sure the alarm is updated in the Reported Local Alarm Clock Time.
   In amtservice.log, the policy enforcement should be reported as successful, and the Alarm Clock Set Time is shown in Coordinated Universal Time (UTC).
See also
Enforce Intel AMT policies on page 96
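The timing rules above (the alarm time is interpreted in the client's local time, an alarm fewer than five minutes ahead moves to the next day, randomization is capped at 20 minutes, and the enforced value appears in amtservice.log in UTC) can be checked with the following model. It is an added example written for this edit, not code from ePO Deep Command or this guide. The function names are invented, and because the guide does not say how the randomization offset is drawn for each client, the offset is passed in by the caller.

```python
"""Model of the Alarm Clock policy timing rules (added example, not product code)."""
from datetime import datetime, time, timedelta, timezone

MIN_LEAD = timedelta(minutes=5)        # alarms closer than this move to the next day
MAX_RANDOMIZATION_MINUTES = 20         # policy maximum stated in the guide


def next_alarm_utc(now_local: datetime, alarm_local: time,
                   randomization_offset_min: int = 0) -> datetime:
    """Return the UTC instant at which the alarm fires.

    now_local must be timezone-aware in the client's own zone, because the
    alarm time in the policy is interpreted in that zone.
    randomization_offset_min is this client's stagger (assumed to be a value
    in 0..20 chosen per client; the guide only states the 20-minute maximum).
    """
    if now_local.tzinfo is None:
        raise ValueError("now_local must carry the client's time zone")
    if not 0 <= randomization_offset_min <= MAX_RANDOMIZATION_MINUTES:
        raise ValueError("randomization offset must be between 0 and 20 minutes")

    candidate = datetime.combine(now_local.date(), alarm_local, tzinfo=now_local.tzinfo)
    # Already passed, or fewer than five minutes ahead: enforce for the next day.
    if candidate - now_local < MIN_LEAD:
        candidate += timedelta(days=1)
    candidate += timedelta(minutes=randomization_offset_min)
    # The enforced value is recorded in UTC, which is how amtservice.log shows it.
    return candidate.astimezone(timezone.utc)


def repeat_occurrences(first_utc: datetime, every: timedelta, count: int) -> list:
    """Expand a Repeat Every interval into the next `count` UTC power-on instants."""
    if every <= timedelta(0):
        raise ValueError("repeat interval must be positive")
    return [first_utc + every * i for i in range(count)]


def local_fire_time(alarm_utc: datetime, client_zone: timezone) -> time:
    """Wall-clock time at which a UTC alarm fires in `client_zone`.

    A client that moved zones still wakes at the old UTC instant until the
    policy is re-enforced, which is the time-zone drift the guide describes.
    """
    return alarm_utc.astimezone(client_zone).timetz().replace(tzinfo=None)


if __name__ == "__main__":
    # Constructed sample: a client on a fixed UTC-8 offset at 07:58 local time.
    pst = timezone(timedelta(hours=-8))
    now = datetime(2012, 6, 1, 7, 58, tzinfo=pst)
    print(next_alarm_utc(now, time(8, 0)).isoformat())       # too close: pushed to 2 June
    print(next_alarm_utc(now, time(8, 10), 5).isoformat())   # today, with a 5-minute stagger
```

The drift case is the one worth noting operationally: a laptop that travels from UTC-8 to UTC-5 keeps firing at the stored UTC instant, so an 08:10 alarm becomes an 11:10 wake until the policy is enforced again, which is why the guide points to the next agent-server communication or a manual enforcement.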
Task
For option definitions, click ? in the interface.
1  From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and the Category as AMT Policies, then click New Policy.
2  In the New Policy dialog box, type a new policy name, then click OK.
3  Click the Remote Access tab, then select the Allow ePO to enforce these settings option.
4  Under Local Server, select Enable Client Initiated Local Access (CILA), then select an active LAN Agent Handler from the drop-down list. Select the Connection Type from which the Intel AMT system must initiate the call to the ePolicy Orchestrator server. The available options are BIOS Initiated and OS Initiated.
5  Click Save.
6  In the System Tree, assign the policy to the required systems or group.
   To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the modified policy, select Break Inheritance, then save the policy assignment.
   To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy, then save the policy assignment.
7  Wait for the next agent-server communication or send an agent wake-up call.
8  From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
9  Click Actions | AMT Actions | Enforce AMT Policies, then click OK.
10 Navigate to the System Properties page, click the Deep Command tab, and make sure that CILA Enabled is Yes and that the agent handler you selected is listed under CILA Agent Handler.
11 Initiate a call from the Intel AMT system using the Get Technical Help option in the Intel Management and Security Status (IMSS) tool. The IMSS tool indicates whether the system is connected or not connected. After this action, the Threat Event Log on ePolicy Orchestrator displays the Local Fast Call for Help event with event ID 34350.
See also
Enforce Intel AMT policies on page 96
McAfee ePO Agent Handler 4.6 Patch 4 must be installed on the ePO Deep Command Gateway server in the DMZ and must be active.
The FQDN of the ePO Deep Command Gateway server must be resolvable from the Internet.
The Remote Access configuration ports must be allowed through the DMZ firewall and be accessible to the remote Intel AMT clients. Usually this is the port on which stunnel is configured.
Stunnel version 4.36 or later must be installed on the Agent Handler servers.
Task
For option definitions, click ? in the interface.
1  From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and the Category as AMT Policies, then click New Policy.
2  In the New Policy dialog box, type a new policy name, then click OK.
3  Click the Remote Access tab, then select Allow ePO to enforce these settings.
4  Under Remote Server, select Enable Client Initiated Remote Access (CIRA). Select the Connection Type from which the Intel AMT system must initiate the call to the ePolicy Orchestrator server. The available options are BIOS Initiated and OS Initiated.
5  In Home Domain Suffix, type the last part of the host name of the Intel AMT systems, then click Add.
   The home domains tell Intel AMT which networks count as inside the enterprise. Each home domain is compared with the connection-specific DNS suffix that the network delivers in DHCP option 15; Intel AMT treats the system as outside the enterprise only when the DHCP option 15 value it receives differs from all of the home domains. You can enter a maximum of 5 home domain suffixes.
   The DHCP and DNS servers must be configured correctly for the Remote Access policy to work. The suffixes you enter in this step must match the connection-specific DNS suffixes used in your LAN. Incorrect home domain suffix settings can cut off access to the Intel AMT systems, because a system that considers itself outside the enterprise accepts management only through a Remote Access session that it establishes itself.
6  Select a primary DMZ Agent Handler and specify the stunnel port (as specified in the stunnel configuration) for the incoming Remote Access requests.
7  In Tunnel Lifetime, specify the time (in seconds) the Remote Access tunnel remains active after it is established. The default value is zero, which means the tunnel has no timeout.
8  Select when a tunnel may be initiated:
   Allow User Initiated Tunnel   Select this to allow users of the Intel AMT systems to initiate a Remote Access request to the server.
   Periodic Initiated Tunnel every   Select this to specify an interval at which the connection is established automatically.
9  Click Save.
10 In the System Tree, assign the policy to the required systems or group.
   To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the modified policy, select Break Inheritance, then save the policy assignment.
   To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy, then save the policy assignment.
11 Wait for the next agent-server communication or send an agent wake-up call.
12 From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
13 Click Actions | AMT Actions | Enforce AMT Policies, then click OK.
14 Navigate to the System Properties page, click the Deep Command tab, and make sure that CIRA Enabled is Yes and that the agent handler you selected is listed under CIRA Agent Handler.
15 Initiate a call from the Intel AMT system using the Get Technical Help option in the Intel Management and Security Status (IMSS) tool. The IMSS tool indicates whether the system is connected or not connected; this is part of the environment detection governed by the Home Domains setting. After this action, the Threat Event Log on ePolicy Orchestrator displays the Remote Fast Call for Help event with event ID 34351.
See also
Configure the Gateway server for Remote Access on page 54
Enforce Intel AMT policies on page 96
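The environment-detection rule behind step 5 (compare the DHCP option 15 suffix with the home-domain list, open a CIRA tunnel only when the client is outside) is modelled below, together with a pre-deployment audit for the misconfiguration the guide warns about. This is an added example written for this edit, not ePO Deep Command or Intel code. The function names are invented; the guide does not say whether a parent domain counts as a match, so exact, case-insensitive comparison is the default and suffix matching is an opt-in assumption, and the sample suffixes are constructed.

```python
"""Model of Intel AMT environment detection driven by the Home Domain Suffix
list (added example, not ePO Deep Command or Intel code)."""
from typing import List, Sequence

MAX_HOME_DOMAINS = 5   # limit stated in the guide


def normalise_domain(name: str) -> str:
    """Canonical form for comparison: trimmed, no trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def validate_home_domains(entries: Sequence[str]) -> List[str]:
    """Clean the policy's Home Domain Suffix entries and enforce the limit of 5."""
    cleaned: List[str] = []
    for entry in entries:
        d = normalise_domain(entry)
        if d and d not in cleaned:
            cleaned.append(d)
    if not cleaned:
        raise ValueError("at least one home domain suffix is required")
    if len(cleaned) > MAX_HOME_DOMAINS:
        raise ValueError("a maximum of %d home domain suffixes can be entered" % MAX_HOME_DOMAINS)
    return cleaned


def is_inside_enterprise(dhcp_option15: str, home_domains: Sequence[str],
                         suffix_match: bool = False) -> bool:
    """Decide whether the client is inside the enterprise.

    dhcp_option15 is the connection-specific DNS suffix the network handed out.
    The guide says the client is outside when that value differs from the home
    domains; whether a sub-domain of a home domain also counts is not stated,
    so exact matching is the default and suffix matching is opt-in (assumption).
    An empty option 15 never matches, so such a client is treated as outside.
    """
    received = normalise_domain(dhcp_option15)
    if not received:
        return False
    for home in validate_home_domains(home_domains):
        if received == home:
            return True
        if suffix_match and received.endswith("." + home):
            return True
    return False


def should_open_cira_tunnel(dhcp_option15: str, home_domains: Sequence[str],
                            cira_enabled: bool = True) -> bool:
    """A CIRA tunnel to the DMZ Agent Handler is opened only when the policy
    enables CIRA and environment detection says the client is outside."""
    return cira_enabled and not is_inside_enterprise(dhcp_option15, home_domains)


def audit_home_domains(home_domains: Sequence[str],
                       lan_dns_suffixes: Sequence[str]) -> List[str]:
    """Pre-deployment check for the misconfiguration the guide warns about.

    Returns the LAN connection-specific DNS suffixes that no home domain
    covers; clients on those segments would decide they are outside the
    enterprise and become reachable only through a tunnel they open themselves.
    """
    return [s for s in lan_dns_suffixes if not is_inside_enterprise(s, home_domains)]


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    policy = ["corp.example.com", "lab.example.com"]
    lan_suffixes = ["corp.example.com", "eu.corp.example.com", "lab.example.com"]
    print("uncovered LAN suffixes:", audit_home_domains(policy, lan_suffixes))
    print("tunnel from hotel network:", should_open_cira_tunnel("hotel-wifi.example.net", policy))
```

Run audit_home_domains against the full list of connection-specific DNS suffixes your DHCP scopes hand out before assigning the policy; any suffix it returns is a segment on which clients would lose in-band management until they call home through the Gateway.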
Task
For option definitions, click ? in the interface.
1  From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and the Category as AMT Policies, then click New Policy.
2  In the New Policy dialog box, type a new policy name, then click OK.
3  Click the KVM Settings tab, then select the Allow ePO to enforce these settings option.
4  In KVM State and Ports Used, select Enable with TLS on Port 16995. Optionally select Enable Opt-In to require the user's consent for every connection, and type the Opt-In timeout in seconds, after which the consent passcode expires if no connection is established.
5  In Default Visible Monitor, select which monitor of the client machine to display (if the client has multiple monitors): Primary, Secondary, or Tertiary.
6  In TCP Session Timeout, type the number of minutes after which the session times out, then save the policy.
7  In the System Tree, assign the policy to the required systems or group.
   To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies & Inheritance, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the modified policy, select Break Inheritance, then save the policy assignment.
   To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy, then save the policy assignment.
8  Wait for the next agent-server communication or send an agent wake-up call.
9  From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
10 Click Actions | AMT Actions | Enforce AMT Policies, then click OK.
11 To view the policy enforcement status, click Menu | Automation | Server Task Log.
See also
Using the McAfee KVM Viewer on page 98
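The Opt-In and Opt-In timeout settings from step 4 are easiest to reason about as a small consent gate: a code is issued per connection attempt, is valid once, and lapses after the timeout when no connection completes. The following is an added example written for this edit, not code from ePO Deep Command or the Intel AMT firmware. The class and method names, the six-digit code format and the injectable clock are assumptions; only the behaviour the guide states is modelled.

```python
"""Model of the KVM Opt-In consent gate configured by the KVM policy
(added example, not ePO Deep Command or Intel AMT firmware code)."""
import hmac
import secrets
import time
from typing import Callable, Optional

KVM_TLS_PORT = 16995          # port the policy enables KVM on, from the guide
CONSENT_CODE_DIGITS = 6       # assumption: the guide does not give the code format


class ManualClock:
    """Test clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class KvmConsentGate:
    """Gatekeeper for one client's KVM sessions.

    With opt-in enabled, every connection attempt produces a fresh consent
    code that is shown on the client's screen; the operator must type it into
    the viewer before the session proceeds. The code is single-use and
    expires after opt_in_timeout_s seconds if no connection is completed,
    which is what the policy's Opt-In timeout describes.
    """

    def __init__(self, opt_in_required: bool, opt_in_timeout_s: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if opt_in_timeout_s <= 0:
            raise ValueError("opt-in timeout must be positive")
        self.opt_in_required = opt_in_required
        self.opt_in_timeout_s = opt_in_timeout_s
        self._clock = clock
        self._code: Optional[str] = None
        self._issued_at = 0.0

    def begin_connection(self) -> Optional[str]:
        """Called when a viewer connects. Returns the code to display to the
        user, or None when the policy does not require consent."""
        if not self.opt_in_required:
            return None
        self._code = "".join(secrets.choice("0123456789") for _ in range(CONSENT_CODE_DIGITS))
        self._issued_at = self._clock()
        return self._code

    def seconds_remaining(self) -> float:
        """Time left before the outstanding code expires (0 when none is outstanding)."""
        if self._code is None:
            return 0.0
        return max(0.0, self.opt_in_timeout_s - (self._clock() - self._issued_at))

    def confirm(self, typed_code: str) -> bool:
        """Check the code the operator typed. Returns True if the session may
        proceed. An expired or already-used code is rejected; a wrong guess
        leaves the outstanding code in place until it expires."""
        if not self.opt_in_required:
            return True
        if self._code is None:
            return False
        if self.seconds_remaining() <= 0:
            self._code = None          # expired: the user must be asked again
            return False
        # Constant-time comparison so the check does not leak matching digits.
        if not hmac.compare_digest(self._code.encode(), typed_code.encode("utf-8")):
            return False
        self._code = None              # consent covers this connection only
        return True


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    gate = KvmConsentGate(opt_in_required=True, opt_in_timeout_s=60, clock=clock)
    code = gate.begin_connection()
    print("user reads out:", code, "-> accepted:", gate.confirm(code))
    stale = gate.begin_connection()
    clock.t += 61
    print("after timeout -> accepted:", gate.confirm(stale))
```

The two properties worth keeping in mind when you set the timeout are visible in the model: a short timeout limits how long a code read over the phone stays usable, and because each code is consumed on success, a second viewer cannot ride on a consent given for the first.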
Task
For option definitions, click ? in the interface.
1  From the Policy Catalog, select ePO Deep Command 1.5.0 from the Product menu and Client Task Execution from the Category menu, then click New Policy to create a new client task execution policy, or modify an existing policy.
2  In Run the following Command afterwards (optional), add the arbitrary command, and any additional parameters, that is to be executed after the client task runs.
   For example, the command <System32>\shutdown.exe shuts down your system after the client task has run. You can also include additional parameters for the command you type: /h hibernates and /r restarts your Intel AMT system.
3  Click Save.
4  In the System Tree, select the systems, click the Assigned Client Tasks tab, then create a client task assignment to assign the client tasks added to the Client Task Execution policy in step 2.
5  In the System Tree, select the systems, click the Assigned Policies tab, click Edit Assignment against the Client Task Execution policy created or modified in step 1, then save the assignment.
6  Wait for the next agent-server communication or send an agent wake-up call.
7  From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
                         Description
AMTMgmtService_out.log   On the Intel AMT systems, this log file shows the client task details added to the policy.
AMTCT.exe                When the Intel AMT systems are powered on using the Out-of-Band Power On feature or the Alarm Clock policy, this service starts and executes the client task, then the specified arbitrary command with its additional parameters, sequentially.
AMTCT_out.log
Tasks
Correct Intel AMT credentials must be set, and a trusted root certificate must be uploaded, in the Server Settings page.
A power cable must be connected to the Intel AMT systems, including laptops.
Task
For option definitions, click ? in the interface.
1
Click OK.
To view the action status, click Menu | Automation | Server Task Log.
Task
For option definitions, click ? in the interface.
1  From the System Tree, select the systems you want to diagnose by booting to their BIOS.
2  Select Boot/Reboot to BIOS Setup to boot or reboot to the BIOS of the crashed Intel AMT system and diagnose issues by adjusting its BIOS settings. Also select Launch Serial-over-LAN Terminal (SOL) to access the crashed system from the server side.
   You can use the arrow keys to navigate through the BIOS menu displayed on the SOL terminal.
3  To view the action status, click Menu | Automation | Server Task Log.
See also
Connect to a system using the Serial-over-LAN on page 94
Using the McAfee KVM Viewer on page 98
Task
1  From the System Tree, select the systems you want to boot or reboot.
2  Select Normal Boot/Reboot to boot or reboot the Intel AMT system. You can also select Launch Serial-over-LAN Terminal (SOL) to access the Intel AMT system from the server side.
3  To view the action status, click Menu | Automation | Server Task Log.
See also
Using the McAfee KVM Viewer on page 98
Make sure that SOL is supported and enabled on your Intel AMT systems. Verify this from the Deep Command tab on the System Properties page.
Make sure that the correct Intel AMT credentials are set, and a trusted root certificate is uploaded, in the Server Settings page.
Make sure that the Intel AMT policies have been enforced on the systems to which you are attempting to establish an SOL connection.
Make sure that the Intel AMT client is accessible from the Agent Handler and that port 16995 is not blocked by the firewall.
Make sure that Console Redirection is enabled in the BIOS setup. It is enabled automatically as part of Intel AMT policy enforcement, but some manufacturers don't allow this through remote APIs; only in that case must it be enabled manually.
Using SOL, you can connect to a remote Intel AMT system through a virtual serial port. After initiating an SOL session, you can see that it is active. You can also access the BIOS of the Intel AMT system and send keyboard key combinations over SOL.
Task
For option definitions, click ? in the interface.
1  Click Actions | AMT Actions | Serial-Over-LAN Terminal (SOL). The SOL terminal appears.
2  Click Connect to start a connection with the selected system. When the Terminal <=> ePO: Connected message appears, the SOL session is active.
   The display is blank if the serial port has not sent any data, even though the connection is established. You can send keyboard key combinations to the Intel AMT systems; which keys have an effect depends on the terminal. For example, if Ctrl-C is the key that stops the ping command on a Linux terminal, selecting that key and clicking Send on the SOL Terminal stops the ping command.
   When connected:
3  To view the action status, click Menu | Automation | Server Task Log.
IDER must be supported and enabled on the Intel AMT systems. Verify this from the Deep Command tab on the System Properties page.
You must have enforced Intel AMT policies at least once on the target system(s) to enable the redirection port.
The recovery operating system image file must be an .iso file shared on a UNC mount. It must be shared with, and accessible by, the Agent Handler. Also make sure that you've defined its path using Universal Naming Convention (UNC) syntax rather than an IP address.
Make sure the image file can be used for diagnosis, and is smaller than 30 MB in size.
If your ISO image is larger than 30 MB, or you have network bandwidth constraints, see this document for more information about using a two-stage boot process: http://communities.intel.com/docs/DOC5552
Task
For option definitions, click ? in the interface.
1  From the System Tree, select the systems you want to diagnose using the IDER feature.
   IDER is limited and processes only four systems per Agent Handler.
2  Select the Boot/Reboot from Image (IDER) option to boot or reboot the target Intel AMT system from a recovery operating system image (.iso file) to diagnose issues. Type the path of the recovery operating system image file, then click OK.
3  Click Menu | Automation | Server Task Log to see the status of the selected action. When the status of the Boot/Reboot with Options log is In Progress, a connection is established and you can start diagnosing the system issues.
4  Select Launch Serial-over-LAN Terminal (SOL) to access the target system from the server side.
5  After diagnosing the system issues, end the IDER connection by navigating to the System Tree, selecting the systems, then clicking Actions | AMT Actions | Stop Image Redirection.
   The remote system will not boot to its OS if IDER is not stopped.
6  Click OK.
   After stopping the IDER connection, you can boot or reboot the systems normally using the Normal Boot/Reboot option, or use SOL to restart the system.
7  To view the action status, click Menu | Automation | Server Task Log.
See also
Connect to a system using the Serial-over-LAN on page 94
Using the McAfee KVM Viewer on page 98
Click OK.
To view the action status, click Menu | Automation | Server Task Log.
Click OK.
To view the action status, click Menu | Automation | Server Task Log.
Select the required systems or groups on which you want to enforce the policies.
Click OK.
To view the action status, click Menu | Automation | Server Task Log.
Task
For option definitions, click ? in the interface.
1  In the Description field, type a name for the task you want to create and a brief description (optional), enable the schedule status, then click Next.
2  From Actions, select Run Query from the drop-down list. From Query, click ... to select the query you have created that returns the configured Intel vPro systems, then click OK.
3  Select an appropriate language from the drop-down list, then in Sub-Actions, click ... and select Out-of-Band Enforce AMT Policies, then click OK.
4  Click Next to view a summary of the server task, then click Save to return to the Server Tasks page.
in your network, performing this action on all of them at once could have a negative impact on your network by consuming too much bandwidth. For more information about working with queries, see the ePolicy Orchestrator Product Guide.
Task
For option definitions, click ? in the interface.
1  In the Description field, type a name for the task you want to create and a brief description (optional), enable the schedule status, then click Next.
2  From Actions, select Run Query from the drop-down list. From Query, click ... to select the query you have created that returns all the configured Intel vPro systems, then click OK.
3  Select an appropriate language from the drop-down list, then in Sub-Actions, click ..., select Out-of-Band Power On, then click OK.
4  Click Next to view a summary of the server task, then click Save to return to the Server Tasks page.
5  Click Run for the corresponding server task you created. The Server Task Log page displays the status of the executed task.
The client system is an Intel AMT 6.0 or higher system with integrated graphics.
If the management system is a Windows XP or Windows Server 2003 system, it must have
Task
For option definitions, click ? in the interface.
1  From the System Tree, select the systems that you want to access remotely.
2  Click Actions | AMT Actions | Enforce AMT Policies, then click OK.
See also
Create a KVM policy on page 89
From the management system, browse to the folder where McAfee KVM Viewer is stored, then double-click the MKVMView file.
In the McAfee KVM Viewer screen, click Options to open the KVM setting options.
Use DNS to resolve host names   Select this to resolve any NetBIOS name or IP address to its FQDN (Fully Qualified Domain Name).
Use current logon credentials   Select this to use the logon credentials of the account with which you're already logged on. When selected, McAfee KVM Viewer uses Kerberos authentication; when not selected, it uses Digest authentication.
Digest User   The Intel AMT digest user name for the managed client (displayed only when Use current logon credentials is not selected).
Password   The Intel AMT digest user password for the managed client (displayed only when Use current logon credentials is not selected).
Hide password text   Select this to hide the text entered in the Password field (displayed only when Use current logon credentials is not selected).
Allow credentials to be saved   Select this to store the user name and password for use in subsequent sessions (displayed only when Use current logon credentials is not selected).
Use TLS server authentication   Select this to use TLS server authentication.
ePO Deep Command 1.5 supports only TLS server authentication. Don't deselect this option.
In the Session Settings tab, you can select the monitor to display if the client has more than one monitor.
Configure the default monitor preference in the KVM policy. Don't change the preference in the McAfee KVM Viewer settings.
(Optional) In the Media Redirection tab, browse to and select the image file (.ISO) to use for media redirection operations.
TLS Certificates   Configure the certificates to be used by McAfee KVM Viewer in a TLS environment. By default, all certificates in the user's certificate store are used. In most cases there is no need to adjust this list. To import or remove certificates, click Certificates to display the Trusted Certificates screen.
Remote Access   When using the MPS Gateway for a Remote Access connection, configure the proxy settings. Click to display the MPS Auto Proxy Configuration screen, and complete these options:
   Auto proxy include list   Click Add to display the Add Proxy Host screen. Type a host name and click OK to add the host and close the screen, or click Cancel to close the screen without adding it. Once a host is in the Auto Proxy list, you can select it and click Remove to remove it.
   Http proxy   Type the IP address of the ePO Deep Command Gateway server, followed by the port used for the HTTP proxy (<MPS server IP>:8080).
   The Gateway server acts as a standard HTTP proxy, which provides an interface to various HTTP-based manageability protocols such as WS-MAN and the Intel AMT HTML web UI.
   Redirection proxy   Type the IP address of the ePO Deep Command Gateway server, followed by the port used for IDE-Redirection and Serial-over-LAN (<MPS server IP>:1080).
   The Gateway server acts as a SOCKS v5 server, which provides a generic routing mechanism for the TCP/IP-based IDE-Redirection and Serial-over-LAN protocols.
   MPS discovery address   (Optional) Type the IP address of the ePO Deep Command Gateway server.
From the management system, browse to the folder where the McAfee KVM Viewer is stored, then double-click the MKVMView file.
In the Computer field, type the IP address, FQDN, or NetBIOS name of a managed client. From the drop-down menu, you can select a client that was connected previously.
If prompted to enter a client consent code, obtain the consent code from the user of the client system, then enter the code to connect.
The connection status is displayed while connecting. On successful connection, the KVM Viewer window displays the client screen.
1 From the management system, browse to the folder where the McAfee KVM Viewer is stored, then double-click the MKVMView file.
2 Make sure that you have only one trusted root certificate added. To import or remove certificates, click Certificates.
3 Make sure that you have configured the proxy settings to be used in a remote connection. Click Remote Access, then make the necessary changes in the MPS Auto Proxy Configuration screen.
4 In the Computer field, type the IP address, FQDN, or NetBIOS name of a managed client. From the drop-down menu, you can select a client that was connected previously.
On successful connection, the KVM Viewer window displays the client screen.
KVM Viewer menu options (Option, Suboption, Description):
File
  Exit
Connection
  Start
  Stop
  Refresh
Tools
  Color Quality
  Scale Video
  Full Screen
  Send Ctrl-Alt-Del
  Power Control: Sends the Intel AMT power control commands to the client system:
    Power Up: Select to power up your Intel AMT client system.
    Power Down: Select to shut down your Intel AMT client system.
    Power Reset: Select to restart your Intel AMT client system.
    Boot with IDER: Select to boot the Intel AMT client system using the IDE-Redirect (IDER) device. This device must be configured on the Media Redirection tab under Options.
    End IDER Session: Select to end the IDER session (available only when an IDER session is active).
Help
Maintenance tasks
You can create independent schedules for each possible configuration, such as reissuance of certificates, renewal of passwords, synchronization of Intel AMT time, and network settings. These tasks can only be performed on Intel AMT client systems that are configured using the ePO Deep Command RCS Manager plug-in.
Synchronize AMT Time: Synchronizes the clock of the Intel AMT device with the clock of the computer running the Intel RCS service. This task is performed automatically when any of the other tasks are performed.
Synchronize Network Settings: Synchronizes the network settings of the Intel AMT device based on these:
IP address
Re-Issue AMT Certificates: Reissues the certificates stored in the Intel AMT device. If the device contains 802.1x certificates, this resets the Intel AMT administrator password to the default.
Renew Active Directory Password: Resets the password of the Active Directory object representing the Intel AMT system.
Renew Administrative Password: Resets the password of the default Digest admin user in the Intel AMT device according to the password setting defined in the profile.
Out-of-band events: These events are generated when an Intel AMT action is triggered on a client system.
Configuration events: These events are generated when a configure or unconfigure policy is enforced onto the Intel AMT client systems.
Configuration events:
Deep Command Disconnected Remote Fast Call For Help
Deep Command Maintenance Failure
Deep Command Maintenance Success
Deep Command Unconfigure Failure
Deep Command Unconfigure Success
Deep Command Uncontrolled Unconfigure
1 In the ePolicy Orchestrator console, navigate to System Tree, click the Assigned Policies tab, then select McAfee Agent from the Product menu.
2 Click a policy you want to modify. For example, click My Default under the General category.
3 In the Events tab, select Enable priority event forwarding, select Informational from the event priority menu, then click Save.
4 Enforce the policy using one of these methods:
  From the ePolicy Orchestrator server, select the systems or groups where you want to assign this policy, then send an agent wake-up call.
  From the Intel AMT systems, go to McAfee Agent Status Monitor | Collect and Send Properties | Check New Policies | Enforce Policies.
If you don't enforce the policy on the Intel AMT systems using either of these methods, it is enforced automatically at the next agent-server communication.
Filter events
You can specify which ePO Deep Command events generated from the client systems are forwarded to the server. This selection affects the bandwidth used in your environment, as well as the results of event-based queries.
This is a global setting. Any events not selected here are never forwarded to the server.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page. The Edit Event Filtering page appears.
2 Select All events to the server to forward all events, including Intel client events, to the ePolicy Orchestrator server, or select Only selected events to the server and select the Intel client events that you want to forward.
3 Click Save.
Check the amtservice.log. An HTTP 401 error means the issue might be caused by incorrect Intel AMT credentials or certificates. Make sure the correct credentials and certificates are uploaded in Server Settings on the Edit Intel AMT Credentials page.
Verify that the domain and FQDN of the Intel AMT system are correctly resolved from the ePolicy Orchestrator server.
Verify that the required firewall ports are allowed on the Intel AMT system and the ePolicy Orchestrator server.
The ePolicy Orchestrator server detects that the system is powered on and does not take any action.
What do I do if an Intel AMT Power On action fails on an Intel AMT system?
1 Make sure the correct credentials and certificates are uploaded in Server Settings on the Edit Intel AMT Credentials page.
2 View the amtservice.log. If an HTTP 401 error caused the action to fail, verify that the user name and password are correct on the Edit Intel AMT Credentials page.
3 Verify that the domain and FQDN of the Intel AMT system are correctly resolved from the ePolicy Orchestrator server.
4 Verify that the required firewall ports are allowed on the Intel AMT system and the ePolicy Orchestrator server.
Extensions
What if I can't check in the ePO Deep Command Management Framework extension?
Make sure you checked in the ePO Deep Command Discovery and Reporting extension before
installing the ePO Deep Command Management Framework extension.
Why are most of the Intel AMT properties shown as Not Available after reinstalling the ePO Deep Command extension and executing agent-server communication on the Intel AMT system?
After reinstalling the extension, you need to send an agent wake-up call from ePolicy Orchestrator with the option Get full product properties selected. Otherwise, the agent sends only the incremental properties, even if you select Collect and Send Props in the Agent Monitor. Since there have been no changes between the detections, no properties are sent.
Client Tasks
What conditions should be met to successfully execute the Client Tasks?
Make sure that:
The Intel AMT system is able to communicate with the Agent Handler within two minutes of restarting after an Intel AMT Power On or a scheduled alarm clock wake-up.
The Intel AMT system is able to boot from a powered-off state if the Intel AMT Power On or scheduled alarm clock wake-up is executed from the ePolicy Orchestrator server.
Client Tasks fail if the system is in hibernation or standby.
Where are the log files created for Client Tasks that are executed on the Intel AMT
system?
Two log files are created on the Intel AMT system:
AMTCT_out.log: Displays the Client Task ID, software ID, and arbitrary command if present.
AMTMgmtService_out.log: Displays the Client Task details in the Client Task Execution Policy and the DC message status.
The file paths for these log files on Intel AMT client systems are:
How do I return the Intel AMT system to its previous power state at the end of a Client
Task Execution?
It is possible to shut down the Intel AMT System after the system has started due to an Intel
AMT Power On or a Scheduled Alarm Clock Wake Up. An ePolicy Orchestrator user can provide a
shutdown.exe as an arbitrary command in the Client Task Execution Policy. The previous power
state is unknown, so the administrator must select a power state for the system.
Why were the Intel AMT Client Tasks not implemented on an Intel AMT system that
booted after an Intel AMT Power On or after a scheduled Alarm Clock Wake up?
This happens when the Intel AMT system fails to communicate with the Agent Handler within two minutes of restarting after an Intel AMT Power On or a Scheduled Alarm Clock Wake Up, or when no tasks were present on the system.
How can I implement multiple arbitrary commands through a Client Task execution policy?
You can execute multiple arbitrary commands using a Windows batch file. The batch file,
containing multiple commands, can be added to the Client Task Execution Policy, which will be
executed after the system starts either through the Intel AMT Power On action or through the
Scheduled Alarm Clock.
To run a batch file, select <System32>\cmd.exe from the Run the following Command afterwards field
and enter /c <path of your batch file> in the Additional Parameters field.
It is necessary to add @echo as the first command in the batch file, otherwise the command
added in the batch file is not executed.
Are there any other tools that can be used to check the status of the Intel AMT system?
You can use these tools:
Authentication Failure: Invalid credentials were provided in Server Settings | Intel AMT Credentials.
Socket Error: The redirection port is not enabled on the Intel AMT system. Enforce an AMT Policy to enable the redirection port and try again. This error also occurs in the case of a certificate or authentication failure.
Maximum Connections Reached: The Agent Handler allows only four active SOL sessions at a time. Disconnect one of the active SOL sessions and try again.
Verify that the required firewall ports are allowed on the Intel AMT system and the ePolicy Orchestrator server. Confirm that the Intel AMT system domain and FQDN are correctly resolved from the ePolicy Orchestrator server. Wait three seconds before trying to connect or disconnect the SOL session.
I am unable to redirect the BIOS to the SOL terminal. How do I resolve this?
Make sure that the correct credentials are provided in the Server Settings Intel AMT credentials
page. Verify that the required Firewall ports are allowed on the Intel AMT system and the
ePolicy Orchestrator server.
We have multiple Agent Handlers in our environment. The SOL connection through a local
Agent Handler is failing. How do I resolve this?
This occurs when the Intel AMT client is not accessible from the Agent Handler. Perform these steps to resolve the issue:
If the Intel AMT client is moved from one Agent Handler to another and an SOL connection is tried before the agent-server communication that updates this change, wait for the next agent-server communication.
Make sure that port 16995 is not blocked in the firewall.
Assign the local Agent Handler to the target system from Menu | Configuration | Agent Handlers | New Assignment. See the McAfee ePolicy Orchestrator Product Guide for detailed instructions.
Properties
When does the Last Power On Time parameter get updated on the Deep Command tab?
Last Power On Time is one of the properties displayed on the Deep Command tab of the System Details
page. This property is updated when an Intel AMT Power On action is executed from the McAfee
ePO console.
Why are the Intel AMT system properties not updated in a configured system?
Like other managed products, Intel AMT properties appear after the second agent-server communication.
computer name) is shown in the drop-down list. The Local Access policy port number must be 43 characters or fewer. If the length is greater than 43 characters, a warning message is displayed and the policy can't be saved.
If the total FQDN size of the agent and Agent Handler exceeds 63 characters and the policy is enforced, the Local Access request sent by the Intel AMT system won't work properly.
Where are the log files created for the ePO Deep Command Gateway Server?
The ePO Deep Command Gateway Server log is saved in C:\Program Files (x86)\McAfee\ePO Deep Command Gateway\logs\AMTGatewayService_out.log. You can change the debug level of the log file by changing the Trace Level parameter in the configuration file C:\Program Files (x86)\McAfee\ePO Deep Command Gateway\conf\AMTGatewayService_log.config.
When I click "Get Technical Help" to send a Remote Access request from the Intel
Management and Security Status tool, it shows an error that my organization is not
reachable. How do I resolve this issue?
Perform these actions:
1 From the Intel AMT system, open Mozilla Firefox and access your DMZ Agent Handler system where the ePO Deep Command Gateway Server is running. The URL must include the port where stunnel is running. Firefox shows an SSL certificate warning in your browser. If using Internet Explorer, you might have issues viewing the certificates.
2 View the SSL certificate and verify that it has been issued to the host name of the ePO Deep Command Gateway Server, which should be resolvable from the Internet.
3 Verify that the issuer of the certificate is the same CA that has been used for configuring the Intel AMT system, or is known to the Intel AMT system.
4 Check that the ePO Deep Command Gateway Server log (AMTGatewayService_out.log) and the amtservice.log are present on the Agent Handler system.
5 Make sure that DNS resolution is working properly on the ePO Deep Command Gateway Server and that unnecessary services are not running on the system. Disable any services like IP Helper or IPv6 services if they are not in use, and try again.
I am not able to establish a Remote Access connection; it fails with an "Unknown CA" error
in the Stunnel Log. What should I do?
The Remote Access requests might fail if the root CA certificate is not imported into the
Management Engine Certificate Store of the Intel AMT systems. To resolve this, make sure that
the required certificate is added successfully.
I am not able to establish a Remote Access connection; it fails with a "certificate unknown"
error in the Stunnel Log. What should I do?
This issue occurs when the stunnel configuration and management certificates are not in sync.
To troubleshoot this issue:
1 In the Intel Commander, check whether the CA is present in the Intel Management Engine Certificate Store.
2 In the stunnel configuration, check whether the CA in stunnel and the one in the certificate store are the same.
IDER
I am unable to initiate an IDER Session. How do I find the cause of failure from the
amtservice.log?
First, perform these checks:
Make sure that IDE-Redirection (IDER) is supported and enabled on the System Properties Intel AMT page.
Verify that the correct credentials and certificates are uploaded in the Server Settings Intel AMT Credentials page.
Make sure that the system is not in an active IDER session before initiating the IDER session.
Then perform these tasks specific to the reason for the IDER failure as recorded in the amtservice.log:
Authentication Failure, HTTP 401 error, or IDER Session Closed: Verify that the correct user name and password are provided in the Server Settings Intel AMT Credentials page.
TLS Connection Failure: Verify that the certificates imported in the Server Settings Intel AMT Credentials page are correct.
Invalid Parameter: Verify that the shared ISO image path is correct and that it is accessible by the Agent Handler.
Socket Error: Verify that the system is properly connected and is reachable from the Agent Handler.
Maximum Connections: Four IDER sessions are already active through the Agent Handler. Stop one of the active IDER sessions and then try again. Verify that the required firewall ports are allowed on the Intel AMT system and on the ePolicy Orchestrator server. Additionally, do this:
1 Verify that the domain of the Intel AMT system is being correctly resolved from the ePolicy Orchestrator server.
2 Confirm that the FQDN of the Intel AMT system is correctly resolving from the ePO server.
3 Verify that the domain of the shared folder is correctly resolving from the Agent Handler and that the shared file is accessible:
The recovery operating system image file is an .iso file shared on a UNC mount.
The UNC share is accessible by the Agent Handler using the system account.
The path has been defined using the UNC syntax rather than the IP address.
The Boot/Reboot from Image (IDER) fails when the Intel AMT client is in sleep state.
What should we do?
It requires two attempts of the Boot/Reboot from Image action in this situation. The Intel AMT
client powers on in the first attempt. Perform the action again for a successful boot from the
image.
Alarm Clock
I am unable to enforce an Alarm Clock policy. How do I find the actual cause of failure and
resolve this issue?
Make sure that the Intel AMT system is in the Post-Configured state and the System Properties Intel AMT page is updated. Confirm that the AMT tag is applied to the system in the System Tree and the Alarm Clock policy is saved correctly.
Check the amtservice.log. If the reason for failure is Authentication Failure or HTTP 401 error, check that the correct user name and password are provided.
In amtservice.log, if the reason for failure is Failed to create alarm clock service, make sure that the Intel AMT Alarm Clock feature is supported by the system. On the client system Intel ME, the time must be set to UTC if Kerberos is used for authentication. Verify that the client system Intel ME time and Agent Handler time are in sync (plus or minus 15 minutes). Refer to the Firewall Port section of the product documentation and verify that the required firewall ports are allowed on the Intel AMT system and on the ePolicy Orchestrator server.
How do I verify that the Alarm Clock Policy is successfully enforced on an Intel AMT
system?
Verify these conditions:
The Policy Enforcement task in the server task log shows the status as completed.
On the System Properties Intel AMT page, the alarm is enabled and the time fields display the updated values.
On the Intel AMT client system, the Alarm Clock values set by the Alarm Clock policy enforcement can be verified using Intel tools such as the Manageability Commander Tool and PowerShell.
Why does the Alarm Clock Policy fail to set the time saved in the policy?
Verify that the Alarm Clock Time set in the policy is at least five minutes ahead of Intel ME at
the time of policy enforcement.
If the Alarm Clock settings are not ahead of Intel ME time:
If a repeat interval is set, the Alarm Clock is adjusted to the execution time.
Configure or unconfigure
Can I unconfigure an Intel AMT client using an Intel RCS server other than the one that
configured it?
Yes, but only when both Intel RCS servers belong to the same domain. When multiple Intel RCS servers are configured within a domain, any of the servers can be used to configure or unconfigure an Intel AMT client because they all share the same domain privileges.
How do I unconfigure an Intel AMT 6.0 system manually?
1 Start your Intel AMT client and invoke the MEBx screen.
2 Log on to the Intel AMT system with the MEBx password (which might be different from the Admin password).
3 Press Y to continue.
4 In the next screen, select an appropriate option, Full Unconfigure or Partial Unconfigure, then press Enter to execute the unconfiguration.
5 Once the unconfiguration is complete, the menu appears. Select Return to go back to the previous screen and press Y to exit the MEBx menu.
General
On Intel AMT systems, which ports must be allowed access through the firewall?
These ports need to be granted access to the Intel AMT system:
Why do Intel AMT actions fail with the error message "Openwsman last error = 12175"
when the ePolicy Orchestrator server is in a different domain than the Intel AMT systems?
Verify these:
The Intel AMT system nodes are configured using intermediate CA certificates.
The certificate of the CA is being resolved from the ePolicy Orchestrator server.
The system account of the ePolicy Orchestrator server has the required trusted CA to perform Intel AMT actions.
Why do all Intel AMT actions fail with the error message "Openwsman last error =
12029"?
This error can occur if the TCP Port 16993 on the Intel AMT System is not accessible from the
ePolicy Orchestrator Server. Refer to the Firewall Port section and verify that the required
Firewall Ports are allowed on the Intel AMT system and on the McAfee ePO Server.
Why do all Intel AMT actions fail with the error "Openwsman last error = 12002" on only
some Intel AMT systems?
This error occurs if the Intel AMT system is not reachable and the request times out.
Do Intel AMT systems need to be connected to AC power to allow Intel AMT actions?
Laptop devices with Intel AMT support must be connected to an AC power supply. Detection of
AC (normal power supply) operation and DC power (battery) operation is supported. If the
laptop is in the powered on state, then the AC power supply can be disconnected. ePO Deep
Command is able to communicate with the chipset on the laptop. However, if the laptop is
turned off or in a different power state, the AC power supply must be connected in order to
communicate with ePO Deep Command.
Intel AMT systems can be configured to operate in various Sx states (power states) with AC
power supply, but not with DC power (battery). Some examples of common power states are S0
(the working state when the system is powered on), S3 (also referred to as standby or sleep
when the RAM remains powered), and S4 (also referred to as hibernation when all the contents
of the RAM are stored on the hard disk and the system is turned off).
Power states are tied to power packages. The power packages available on a particular platform
running earlier versions of Intel AMT are OEM specific and might vary from one implementation
to another, but certain packages are required on all Intel AMT mobile platforms. More details on the supported power packages are available in the Intel AMT Release 2.5/2.6/4.x/6.x/7.0 documentation:
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/WordDocuments/supportformultiplepowerpolicies.htm
http://software.intel.com/en-us/articles/mobile-computing-with-intel-amt/
Why doesn't the Synchronize Network Settings task update the Wi-Fi settings in the Intel AMT client?
Wi-Fi support is not available in ePO Deep Command version 1.5.
Why do some of the AMT commands not work when selected from Automatic Response | New
Response | Actions | Run System Command?
Some of the ePO commands are targeted for troubleshooting purposes and also require manual input from the user. The two supported commands that can be used in an Automatic Response action are Out-of-Band Enforce AMT Policies and Out-of-Band Power On.
Additional information
Feature support by Intel AMT version (the columns include Power on and KVM):
AMT 4.0   Yes  Yes  No   No   Yes  Yes  No
AMT 5.1   Yes  Yes  Yes  No   Yes  Yes  No
AMT 6.0   Yes  Yes  Yes  Yes  Yes  Yes  Yes
AMT 7.0   Yes  Yes  Yes  Yes  Yes  Yes  Yes
AMT 8.x   Yes  Yes  Yes  Yes  Yes  Yes  Yes
http://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html
http://www.intel.com/content/www/us/en/processors/vpro/performance-2nd-generation-core-vpro-family-paper.html
http://downloadmirror.intel.com/15171/eng/D945GTP_AMT_QuickRefGuide01.pdf
Sample configuration files
OpenSSL configuration used while generating certificates:

RANDFILE        = .rnd

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = demoCA                   # Where everything is kept
certs           = $dir\certs               # Where the issued certs are kept
crl_dir         = $dir\crl                 # Where the issued crl are kept
database        = $dir\index.txt           # database index file.
new_certs_dir   = $dir\newcerts            # default place for new certs.
certificate     = $dir\cacert.pem          # The CA certificate
serial          = $dir\serial              # The current serial number
crl             = $dir\crl.pem             # The current CRL
private_key     = $dir\private\cakey.pem   # The private key
RANDFILE        = $dir\private\private.rnd # private random number file
x509_extensions = x509v3_extensions        # The extensions to add to the cert
default_days    = 365                      # how long to certify for
default_crl_days= 30                       # how long before next CRL
default_md      = md5                      # which md to use.
preserve        = no                       # keep passed DN ordering
policy          = policy_match

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name (eg, company)
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName              = Common Name (eg, your website's domain name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 40

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min   = 4
challengePassword_max   = 20

[ x509v3_extensions ]
nsCertType              = 0x40

Note that default_md = md5 and default_bits = 1024 are insecure by current standards: current OpenSSL releases default to sha256 and 2048-bit RSA keys, and a CA built from this sample should use at least those.
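To make the weak settings in a file like this visible at a glance, here is an added Python example (not McAfee's or OpenSSL's code) that parses the INI syntax of openssl.cnf, expands $dir the way OpenSSL does, and reports the MD5 digest, the 1024-bit default key and an extension section that carries only the legacy nsCertType attribute; SAMPLE_CNF is a trimmed copy of the sample file above.

```python
"""Audit an OpenSSL CA configuration such as the sample above.

Added example for this guide, not McAfee's or OpenSSL's code. SAMPLE_CNF is
a trimmed copy of the guide's sample file.
"""
import re

SAMPLE_CNF = r"""
RANDFILE        = .rnd
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = demoCA                   # Where everything is kept
certs           = $dir\certs               # Where the issued certs are kept
private_key     = $dir\private\cakey.pem   # The private key
x509_extensions = x509v3_extensions        # The extensions to add to the cert
default_crl_days= 30                       # how long before next CRL
default_md      = md5                      # which md to use.
policy          = policy_match
[ policy_match ]
commonName      = supplied
[ req ]
default_bits    = 1024
[ x509v3_extensions ]
nsCertType      = 0x40
"""

SECTION_RE = re.compile(r"^\[\s*(?P<name>[^\]]+?)\s*\]$")
KEYVAL_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")
WEAK_DIGESTS = {"md2", "md4", "md5", "sha", "sha1"}


def parse_openssl_cnf(text):
    """Return {section: {key: raw_value}}. Keys that appear before the first
    [section] header are stored under the empty section name ''."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group("name"), {})
            continue
        pair = KEYVAL_RE.match(line)
        if pair:
            current[pair.group("key").strip()] = pair.group("value").strip()
    return sections


def expand(value, section, sections):
    """Expand $name / ${name} like OpenSSL: the current section is searched
    first, then the unnamed leading section; unknown names are left as-is."""
    def lookup(match):
        name = match.group(1) or match.group(2)
        return section.get(name, sections[""].get(name, match.group(0)))
    return VAR_RE.sub(lookup, value)


def audit_ca(sections):
    """Return human-readable findings for the CA selected by [ca] default_ca."""
    findings = []
    ca_name = sections.get("ca", {}).get("default_ca", "CA_default")
    ca = sections.get(ca_name, {})
    req = sections.get("req", {})
    md = ca.get("default_md", "").lower()
    if md in WEAK_DIGESTS:
        findings.append(f"[{ca_name}] default_md = {md}: collision-prone digest, "
                        "sign with sha256 or stronger")
    bits = req.get("default_bits")
    if bits is not None and int(bits) < 2048:
        findings.append(f"[req] default_bits = {bits}: RSA keys shorter than "
                        "2048 bits are considered weak")
    policy = ca.get("policy")
    if policy and policy not in sections:
        findings.append(f"[{ca_name}] policy = {policy}: section is missing, "
                        "openssl ca will refuse to sign")
    ext_name = ca.get("x509_extensions", "")
    ext = sections.get(ext_name, {}) if ext_name else {}
    if ext and not ({"keyUsage", "extendedKeyUsage"} & set(ext)):
        findings.append(f"[{ext_name}] carries only {', '.join(ext)}: nsCertType "
                        "is a legacy Netscape attribute; add keyUsage/extendedKeyUsage")
    return findings


if __name__ == "__main__":
    cfg = parse_openssl_cnf(SAMPLE_CNF)
    ca = cfg["CA_default"]
    print("CA private key:", expand(ca["private_key"], ca, cfg))
    for finding in audit_ca(cfg):
        print("FINDING:", finding)
```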
Self-signed configuration certificates
The root hash of the self-signed CA certificate must be entered into each AMT client system that will be configured. This can be done at the time of manufacture or entered manually using the Intel Management Engine BIOS Extension interface.
1 A certificate template must be created first. The computer template available in the Microsoft Certification Authority can be duplicated.
2 The Object Identifier 2.16.840.1.113741.1.2.3 has to be added in the Enhanced Key Usage section of the template.
3 A certificate request should be sent to the self-signed CA with the FQDN of the configuration server in the Subject Name.
4 The CA should use this template to generate the certificate, which is then saved on the configuration server.
Intel AMT action logs
Serial-over-LAN (SOL) session: Added when SOL is initiated, with the status:
In Progress: A session is active.
Completed: A session finished successfully.
Failed: A session failed.
Terminated: A session was terminated by the user.
Initiated Stop of Serial-over-LAN (SOL) session
IDER
SOL BIOS
Boot/Reboot to BIOS Setup
Power On
Initiated Out-of-Band Power On
Policy Enforcement
Writing Python scripts
Actions covered by the sample scripts: Power On, Out-of-Band Power On, Policy Enforcement, Local Access.
1 Select McAfee ePolicy Orchestrator 4.6 as the product, then click Download for the corresponding Python Remote Client.
2 Download the McAfee ePolicy Orchestrator Scripting Guide for more information on using Python scripts.
Index
A
about this guide 7
actions
AMT policies, enforcing 96
boot/reboot to BIOS 93
configuration policy, enforcing 96
IDE-redirect 94
image redirection, stopping 95
normal boot/reboot 93
power on 92
serial-over-LAN 94
AMT
actions 91
configuration 15
configuration states 16
connection, testing 33
management 83
overview 13
policies 83
reports 63
AMT action logs 122
AMT configuration
action 96
Admin Control overview 21
authentication protocols 16
certificate issuance 39
certificates 17
chain certificates, creating 29
dcom permissions, modifying 47
mode 21
policy 51, 84
ports 21
prerequisites 19
process 15
profile, creating 40
rcs manager workflow 18
rcs manager, installing 50
template, creating 36
template, enabling 38
using TLS 21
C
conventions and icons used in this guide 7
D
dashboards and monitors
management summary 78
rcs management 81
reporting summary 74
deep command
AMT credentials, specifying 31
CA certificates, importing 32
components 9
events 106
extensions, installing 26
extensions, removing 62
extensions, upgrading 26
maintenance tasks 105
online help, installing 33
overview 9
requirements 23
user permissions, configuring 34
workflow 13
discovery and reporting
dashboard 74
driver used 74
management dashboard 78
management queries 65
overview 9
plug-in, deploying 27
plug-in, removing 61
properties collection 69
queries, viewing 65
query filters 65
rcs management dashboard 81
rcs management queries 64
reporting queries 63
documentation
audience for this guide 7
product-specific, finding 8
typographical conventions and icons 7
K
kvm viewer
how to use 98
local connection 103
options 104
overview 9
policy, enforcing 98
remote connection 104
settings, modifying 99
L
logs: AMT actions 122
M
management framework
client, deploying 28
client, removing 60
dashboard 78
overview 9
queries 65
McAfee ServicePortal, accessing 8
P
policies
alarm clock 85
AMT 85
automatic enforcement 97
CILA 87
CIRA 88
client task execution 90
client task log 91
configuration 83
kvm 89
local access 87
power on 85
remote access 88
server tasks 97
product features 12
python scripts 123
R
rcs manager
AMT configuration 35
dashboard 81
extension, installing 50
overview 9
package, checking in 50
plug-in, deploying 51
plug-in, removing 61
queries 64
remote access
certificates, validating 60
gateway server overview 54
gateway server, installing 56
stunnel certificates, generating 57
stunnel certificates, signing 58
stunnel service, installing 59
stunnel service, starting 59
stunnel, configuring 59
stunnel, installing 57
S
sample configuration file: stunnel 119
sample configuration file: used while generating certificates 119
sample python script: AMT policy enforcement 123
sample python script: out-of-band power-on 123
server tasks
AMT policies, enforcing 97
AMT tag, assigning 28
power on 97
ServicePortal, finding product documentation 8
T
Technical Support, finding product information 8