
Product Guide

McAfee ePO Deep Command 1.5.0


For use with ePolicy Orchestrator 4.6.x Software

COPYRIGHT
Copyright 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,
McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,
TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.


Contents

Preface  7
    About this guide  7
        Audience  7
        Conventions  7
    Find product documentation  8

Introduction  9
    Components and how they work  9
    Product features  12
    Intel AMT overview  13
    What you need to know to get started  13

Preparing your Intel AMT client systems  15
    Intel AMT configuration  15
        Configuration states  16
    Authentication protocols supported  16
    Certificate Authority integration  17
    How RCS Manager plug-in works  18
    Required additional configurations  19
    Admin Control mode network configuration  21

Installation and configuration  23
    Requirements  23
        System requirements  24
        Software requirements  24
        Operating system requirements  25
        Upgrade requirements  25
    Install the software  25
        Install or upgrade the ePO Deep Command extensions  26
        Deploy the ePO Deep Command Discovery and Reporting plug-in  27
        Assign AMT Tag to systems  28
        Deploy the Management Framework client  28
        Create a certificate chain  29
        Specify ePO Deep Command credentials  31
        Import CA certificates to ePolicy Orchestrator  32
        Test your connection to an Intel AMT system  33
        Installing the ePO Deep Command online help  33
    Configure user permissions  34
    Configure Intel AMT clients through ePolicy Orchestrator  35
        Create a certificate template  36
        Enable the certificate template  38
        Issue certificates automatically  39
        Create a configuration profile  40
        Modify WMI permissions to add domain computers  45
        Modify DCOM permissions to add domain computers  47
        Install the ePO Deep Command RCS Manager extension  50
        Check in the ePO Deep Command RCS Manager package  50
        Deploy the ePO Deep Command RCS Manager plug-in  51
        Configure Intel AMT systems using policy  51
    Unconfigure Intel AMT clients through ePolicy Orchestrator  52
        Unconfigure Intel AMT systems using policy  53
        Identify unconfigured systems  54
        Clear AMT tag  54
    Configure the Gateway server for Remote Access  54
        Install the ePO Deep Command Gateway server  56
        Install stunnel  57
        Generate the certificate for stunnel installation  57
        Sign the certificate using Certification Authority  58
        Configure stunnel  59
        Install stunnel as a Windows service  59
        Start the stunnel service  59
        Validate certificate  60
    Uninstall the software  60
        Uninstall the ePO Deep Command client  60
        Uninstall the Discovery and Reporting plug-in  61
        Uninstall the RCS Management plug-in  61
        Remove the ePO Deep Command extensions  62

Reporting on your Intel AMT systems  63
    Queries and reports  63
        Predefined ePO Deep Command reporting queries  63
        Predefined ePO Deep Command RCS Management queries  64
        Predefined ePO Deep Command management queries  65
        View default queries  65
        Custom query filters  65
        Properties collected by the Discovery and Reporting plug-in  69
    Dashboards and monitors  74
        Deep Command Discovery and Reporting Summary dashboard  74
        Deep Command Management Summary dashboard  78
        Deep Command RCS Management Summary dashboard  81

Managing your Intel AMT systems  83
    Using policies to manage Intel AMT systems  83
        Use the Intel AMT Configuration Policies  83
        Use the Intel AMT policies  85
        Using the Client Task Execution policy  90
    Use the Intel AMT actions  91
        Power on your systems  92
        Boot or reboot to BIOS  93
        Boot or reboot a system normally  93
        Connect to a system using the Serial-over-LAN  94
        Boot or reboot using IDE-Redirect  94
        Stop Image Redirection  95
        Enforce Intel AMT configuration policy  96
        Enforce Intel AMT policies  96
    Automate Intel AMT policy enforcement and power on  97
        Schedule and enforce out-of-band AMT policies  97
        Schedule out-of-band power on for your systems  97
    Using the McAfee KVM Viewer  98
        Set up the client for KVM  98
        Modify the McAfee KVM Viewer settings  99
        Connect to a local client system  103
        Connect to a remote client system  104
        McAfee KVM viewer options  104
    Maintenance tasks  105
    Managing events and logs  106
        ePO Deep Command events  106
        Forward events immediately  107
        Filter events  107

Frequently asked questions  109

Additional information  119
    Supported Intel AMT features  119
    Sample configuration files  119
    Self-signed configuration certificates  121
    Intel AMT action logs  122
    Writing Python scripts  123

Index  127

Preface

The McAfee ePO Deep Command software includes the components that help you generate reports,
configure, manage, and troubleshoot your Intel Active Management Technology (AMT) systems.
Contents
About this guide
Find product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:

• Administrators: People who implement and enforce the company's security program.

• Users: People who use the computer where the software is running and can access some or all of
  its features.

Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis   Title of a book, chapter, or topic; a new term; emphasis.
Bold                         Text that is strongly emphasized.
User input, code, message    Commands and other text that the user types; a code sample; a displayed
                             message.
Interface text               Words from the product interface like options, menus, buttons, and dialog
                             boxes.
Hypertext blue               A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network,
business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.


Find product documentation


McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

  To access...         Do this...
  User documentation   1 Click Product Documentation.
                       2 Select a product, then select a version.
                       3 Select a product document.
  KnowledgeBase        • Click Search the KnowledgeBase for answers to your product questions.
                       • Click Browse the KnowledgeBase for articles listed by product and version.


Introduction

The McAfee ePO Deep Command uses the Intel vPro Active Management Technology (AMT) to
configure, manage, and troubleshoot endpoints by accessing them at the hardware level, without relying
on the operating system.
The McAfee ePO Deep Command software integrates the management and automation features of
ePolicy Orchestrator with the hardware-based security and manageability features of Intel Active
Management Technology (AMT), which is included on your Intel vPro-equipped desktop and laptop
systems.
Contents
Components and how they work
Product features
Intel AMT overview
What you need to know to get started

Components and how they work


McAfee ePO Deep Command software is comprised of multiple modules.
When installed on your ePolicy Orchestrator server, these modules work with your Intel AMT systems
to deliver greater control of your secure environment.

• ePO Deep Command Discovery and Reporting module

• ePO Deep Command Management Framework module

• ePO Deep Command Remote Configuration Service (RCS) Manager module

• McAfee Keyboard-Video-Mouse (KVM) Viewer module

ePO Deep Command Discovery and Reporting module


The ePO Deep Command Discovery and Reporting module collects detailed information about the
systems on your network that are equipped with Intel AMT. This module adds these items to your
ePolicy Orchestrator console:

• McAfee ePO Deep Command Discovery plug-in: This plug-in detects the Intel AMT and BIOS
  properties of the managed systems in your organization. The data collected is displayed on the
  dashboard. The plug-in is added automatically to the ePolicy Orchestrator Master Repository during
  installation, and can be deployed to client systems using the predefined deployment task.

• Deploy ePO Deep Command Discovery and Reporting plug-in task: This predefined
  deployment task is added to the Client Task Catalog. You can deploy it to the managed systems
  you select.


• ePO Deep Command Reporting query group: These predefined queries collect important
  details about the Intel AMT-equipped systems in your network. They retrieve and display
  information about the Intel vPro systems and their BIOS properties. You can modify these queries,
  or create custom queries.

• Deep Command Discovery & Reporting dashboard: This dashboard displays a collection of
  monitors based on the results of the default ePO Deep Command Reporting queries. All Intel AMT
  and BIOS properties of managed systems are displayed in one place.

• AMT tag: This tag is automatically assigned to managed systems that are fully configured for
  Intel AMT functionality.

• ePO Deep Command: Run Tag Criteria task: This predefined task evaluates each system
  against the AMT tag criteria (it is advisable to run it every time you configure or unconfigure
  client systems).

ePO Deep Command Management Framework module


The ePO Deep Command Management Framework module delivers "beyond-the-operating-system"
security management, which enables administrators to power on systems, execute security tasks, and
then return the endpoints to their previous power states from a central location. This module adds
these items to your ePolicy Orchestrator console:


• McAfee ePO Deep Command client: This plug-in manages the core functionality to run client
  tasks, enforce policies, and generate events. It is added to the Master Repository when the
  software is installed, and can be deployed to client systems using the predefined deployment task.

• Deploy Deep Command Client task: This predefined deployment task is added to the Client
  Task Catalog. You can deploy it to the managed systems you select.

• ePO Deep Command Management query group: These predefined queries retrieve
  information from the ePO Deep Command managed Intel AMT clients. You can modify these
  queries, or create custom queries.

• Deep Command Management Summary dashboard: This dashboard displays a collection of
  monitors based on the results of the default ePO Deep Command Management queries.

• AMT actions: This action group lists the ePO Deep Command actions that can be performed on
  managed Intel AMT systems. These actions help you configure, unconfigure, manage, and enforce
  policies on your Intel AMT-equipped client systems.

• AMT policies: This category in the Policy Catalog provides options to create and assign policies
  for using Intel AMT features such as Alarm Clock, Client Initiated Local Access, Client Initiated
  Remote Access, and KVM access.

• Client Task Execution: This category in the Policy Catalog provides options to create and assign
  policies for executing Intel AMT client-side actions, such as running an arbitrary command with
  additional parameters when the system is powered on through the Power On action or through the
  scheduled Alarm Clock.

• Gateway module: This module is installed on your Agent Handler. It facilitates communication
  between your ePolicy Orchestrator server and managed Intel AMT systems outside the enterprise
  environment (needed for the Client Initiated Remote Access feature).


ePO Deep Command RCS Manager module


The ePO Deep Command RCS Manager provides options for configuring and unconfiguring your
Intel AMT client systems through ePolicy Orchestrator. This module adds these items to your ePolicy
Orchestrator server:

• McAfee ePO Deep Command RCS 8.0 Manager plug-in: This plug-in retrieves configuration
  profiles from the Intel RCS servers, and reports back to ePolicy Orchestrator. It is added
  automatically to the ePolicy Orchestrator Master Repository during installation, and can be
  deployed to Intel RCS server systems using the predefined deployment task.

• Deep Command RCS Management Summary dashboard: This dashboard displays a monitor
  that represents the managed Intel AMT systems by each Intel RCS server.

• ePO Deep Command RCS Management query group: These predefined queries retrieve
  information from the ePO Deep Command managed Intel RCS servers. You can modify these
  queries, or create custom queries.

• AMT configuration policies: This category in the Policy Catalog provides options to create and
  assign policies for configuring or unconfiguring the Intel AMT clients.

McAfee KVM viewer module


The McAfee KVM viewer module can be used by administrators to remotely access one or more Intel
AMT client systems on which KVM is supported and enabled. From the McAfee KVM viewer console, you
can perform actions on the connected Intel AMT client such as power on, shut down, restart, and boot
with an IDE-Redirect device. The McAfee KVM Viewer has an external console; however, the Intel AMT
policy can be configured in the ePolicy Orchestrator console with these KVM settings:

• Enable or disable KVM support: If KVM access is supported on an Intel AMT client
  system, you can enable this feature on the client.

• User's consent: You can specify whether to require the user's consent for every remote KVM
  connection. If user's consent is enabled, a passcode is displayed on the Intel AMT client screen
  when an administrator tries to connect to the system from the McAfee KVM console. The same
  passcode must be entered in the KVM console for a successful connection. You can also specify the
  time after which the passcode expires.

• Default monitor: If the client uses multiple monitors, select which monitor of the client machine
  to display: Primary, Secondary, or Tertiary. The following table lists the minimum screen resolution
  required for an Intel AMT client system:

  Client                                 Screen resolution (with 16-bit color depth)
  Intel AMT 6.0                          1600x1200
  Intel AMT 6.0 maintenance release 2    1920x1080
  Intel AMT 7.x                          1920x1200
  Intel Management Engine 8.0            1920x1200

• Session timeout: You can specify the time after which the KVM connection times out.


Product features
McAfee ePO Deep Command features help you manage, configure, and report on your Intel AMT
systems.

Feature                  Description

Discover and report      Retrieve the Intel AMT and BIOS properties from managed systems,
                         then view reports to analyze your Intel AMT infrastructure (requires
                         McAfee ePO Deep Command Discovery and Reporting software).

Dashboards and monitors  Find this information using the dashboard monitors for the
                         installed McAfee ePO Deep Command components:
                         • Which of the managed systems are Intel AMT-equipped
                         • Which Intel AMT systems have been configured using the McAfee
                           ePO Deep Command RCS Manager software
                         • Which profile was used to configure the Intel AMT systems
                         • The versions of Intel AMT hardware
                         • The configuration status of the Intel AMT systems

Intel AMT firmware       Manage Intel AMT configuration from the ePolicy Orchestrator server
configuration            using the ePO Deep Command RCS Manager plug-in, which directly
                         communicates with your managed Intel RCS server for configuring and
                         unconfiguring (requires McAfee ePO Deep Command RCS Manager
                         software). You can either enforce the configuration policy on the Intel
                         AMT clients or use the Configure Intel AMT firmware action (explained
                         below).

Intel AMT system         Enforce the required in-band and out-of-band policies on the Intel AMT
management               systems (requires McAfee ePO Deep Command Management Framework
                         software).

Intel AMT actions        Perform these actions on your Intel AMT systems (requires McAfee ePO
                         Deep Command Management Framework software):
                         • Power on Intel AMT systems
                         • Use Serial-over-LAN (SOL) to redirect the input and output of the
                           serial port of the Intel AMT systems over Internet Protocol (IP)
                         • Boot or reboot a system
                         • Boot or reboot using IDE-Redirect
                         • Boot or reboot to BIOS
                         • Configure Intel AMT firmware
                         • Stop Image Redirection

Client Initiated Local   Enable the local Intel AMT systems to initiate a call for technical help
Access (CILA)            to the ePolicy Orchestrator server from their BIOS or operating system
                         (requires McAfee ePO Deep Command Management Framework
                         software).

Client Initiated Remote  Enable the Intel AMT systems that are outside the enterprise to initiate
Access (CIRA)            a call to the ePolicy Orchestrator server for technical assistance from
                         their BIOS or the operating system (requires McAfee ePO Deep
                         Command Management Framework software).

Remote                   Remotely access and troubleshoot your Intel AMT systems (requires
Keyboard-Video-Mouse     McAfee KVM Viewer software).
(KVM)


Maintenance tasks        Configure these maintenance tasks (requires McAfee ePO Deep
                         Command Management Framework software):
                         • Synchronize Intel AMT Time
                         • Renew Active Directory Password
                         • Synchronize Network Settings
                         • Renew Intel AMT Admin Password
                         • Re-Issue Intel AMT Certificates

McAfee EEPC integration  Enable Intel Active Management Technology features on the Intel AMT
                         systems that are protected by McAfee Endpoint Encryption, which protects
                         them from unauthorized access, loss, and exposure of data.
                         For the configuration information, see the McAfee Endpoint Encryption
                         out-of-band management section in the EEPC 7.0 Product Guide.

Queries and reports      Generate reports comprised of charts and tables by creating custom
                         queries or executing the predefined queries for the installed McAfee
                         ePO Deep Command components.

Intel AMT overview


Intel AMT is a hardware-based technology for remotely managing and securing systems using
out-of-band communication. Even with a crashed hard drive or a system that is shut down, you can
access the system to perform basic system management tasks.
Intel AMT is a part of the Intel Management Engine built into systems with Intel vPro technology.
The Intel Manageability Engine includes its own processor. Its hardware-based remote management,
security management, power management, and remote configuration features allow you to access an
Intel AMT-featured system from remote locations. It relies on a hardware-based out-of-band
communication channel that operates below the operating system level. The communication channel is
independent of the state of the operating system (for example, present, corrupt, down, encrypted,
crashed, or missing) and of the system's power state, the presence of a management agent, and the state
of many hardware components (such as hard disk drives). Using ePO Deep Command, you can
manage client systems that have an Intel AMT-enabled chipset, network hardware and software,
a connection to an AC power source, and a corporate network connection.
Setting up the environment requires you to configure your Intel AMT firmware with certificates and
integrate ePO Deep Command into the existing security framework.

What you need to know to get started


Before you can manage your Intel AMT systems, the ePO Deep Command software requires that you
have specific software, hardware, and network configurations in place. The diagram below illustrates
the high-level workflow involved in setting up your software.
Installing the ePO Deep Command Discovery and Reporting software is your first step. Each additional
action in the process is dependent on, or enabled by, installing this module.


Installation and configuration for each action in this process are detailed in the chapters that follow.


Preparing your Intel AMT client systems

Before you can use your ePO Deep Command software to manage Intel AMT systems, you must
configure the Intel AMT firmware on those systems.
You can configure your Intel AMT firmware from the ePolicy Orchestrator server, Intel RCS, or any
other external source. This chapter provides an overview of the requirements and processes needed to
configure the Intel AMT firmware in your network in general, as well as information about
configuration options required to set up the ePO Deep Command software.
For ePO Deep Command, the Intel AMT clients must be configured with Transport Layer Security
(TLS).
There is no single source for complete instructions about configuring your Intel AMT firmware.
However, the Intel vPro Expert Center (http://www.intel.com/go/vproexpert) provides a
comprehensive set of documentation and supporting materials you can use to complete the process.
For more information on Intel SCS Remote Configuration Service, see http://www.intel.com/go/scs.
Contents
Intel AMT configuration
Authentication protocols supported
Certificate Authority integration
How RCS Manager plug-in works
Required additional configurations
Admin Control mode network configuration

Intel AMT configuration


By default, Intel AMT hardware is unconfigured on Intel AMT-equipped systems. Before you can
report on or manage these systems with ePO Deep Command software, the Intel AMT hardware must
be configured.
You need to configure your Intel AMT systems to enable this hardware. To successfully configure your
Intel AMT systems, you must make sure that your network infrastructure, as well as the individual
components used in this process, are configured correctly. Configuring your Intel AMT firmware serves
two purposes:

• It makes sure that communication between your Intel AMT systems and your servers is secure
  and trusted.

• It makes Intel AMT features accessible to your ePO Deep Command software.


The method you use to configure systems in your network is dependent on a variety of factors,
including your network infrastructure, hardware and software, and which Intel AMT features you plan
to use. This diagram presents a high-level overview of the recommended process for configuring
systems.

Configuration states
An Intel AMT system can be in any of these three states during the configuration process.

• Pre-configuration: By default, Intel AMT hardware on Intel vPro systems comes from the
  hardware manufacturer in Factory Mode. In this mode, Intel AMT is unconfigured and cannot be
  remotely managed by ePO Deep Command. It requires a configuration server to configure your
  system into Admin Control mode.

• In-configuration: When an activation tool provided by the configuration server is executed, or if
  an administrator enters information through the Intel Management Engine BIOS Extension
  (manually or with the aid of a USB storage device), Intel AMT makes the transition from the
  pre-configuration state to the in-configuration state.

• Post-configuration: The Intel AMT system enters Operational Mode once its configuration
  settings are supplied and committed. At this point, Intel AMT is ready to interact with
  management applications and the system is said to be in post-configuration.

Authentication protocols supported


To configure your systems, your network infrastructure must include a supported authentication
protocol.
The protocol you use depends on the unique needs of your network. With ePO Deep Command, you
must configure your Intel AMT systems using Transport Layer Security with either or both of these
supported authentication protocols:

• Digest authentication: Digest authentication is an HTTP challenge-response scheme. The client
  proves that it knows the shared password by returning a hash computed over the user name, the
  Intel AMT realm, the password, and a nonce supplied by the server, so the password itself is never
  sent over the network. For more information about Digest authentication, refer to the Internet
  Engineering Task Force document RFC 2617 (http://datatracker.ietf.org/doc/rfc2617/).

• Kerberos authentication: Kerberos authentication is performed over an open network as a
  trusted third-party authentication service. Use of this protocol requires Active Directory integration.
  For more information about Kerberos authentication, refer to the Internet Engineering Task Force
  document RFC 4120 (http://datatracker.ietf.org/doc/rfc4120/).

With either authentication protocol, you must have an Intel AMT realm.
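To make the Digest mechanism concrete, the following Python script (an added example, not code from McAfee, Intel, or this guide) carries out the RFC 2617 exchange with qop="auth" for both sides: the client computes the response from its user name, realm, password, and the server's nonce, and the server verifies it from a stored HA1 hash while refusing a reused nonce count. The realm, credentials, URI, and nonce values are constructed for the demonstration. Because the realm is an input to the hash, a client configured with the wrong realm is rejected just like one with the wrong password, which is why the realm requirement above matters.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth"): client and server sides.

Added example. Credentials, realm, URI and nonces below are constructed.
"""
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """RFC 2617 hashes colon-joined fields with MD5 and uses the lowercase hex digest."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all the server needs to keep."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: stores HA1 per user (never the clear-text password), issues
    nonces, and rejects a (nonce, nc) pair it has already accepted as a replay."""

    def __init__(self, realm: str):
        self.realm = realm
        self._ha1 = {}          # username -> HA1
        self._issued = set()    # nonces handed out in challenges
        self._used = set()      # (nonce, nc) pairs already accepted

    def add_user(self, username: str, password: str) -> None:
        self._ha1[username] = ha1(username, self.realm, password)

    def challenge_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth") -> bool:
        stored = self._ha1.get(username)
        if stored is None or nonce not in self._issued or (nonce, nc) in self._used:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{stored}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):   # constant-time comparison
            return False
        self._used.add((nonce, nc))
        return True


def demo() -> dict:
    """Run the exchange for several client configurations and return each outcome."""
    realm = "Digest:0123456789ABCDEF"                 # constructed realm string
    server = DigestVerifier(realm)
    server.add_user("admin", "Example-Passw0rd!")     # constructed credentials
    nonce = server.challenge_nonce()
    method, uri, cnonce = "GET", "/wsman", "0a4f113b"  # constructed request values

    def attempt(client_realm, password, nc="00000001"):
        resp = digest_response("admin", client_realm, password, method, uri, nonce, nc, cnonce)
        return server.verify("admin", method, uri, nonce, nc, cnonce, resp)

    return {
        "correct": attempt(realm, "Example-Passw0rd!"),
        "wrong_password": attempt(realm, "wrong"),
        "wrong_realm": attempt("Digest:FFFFFFFFFFFFFFFF", "Example-Passw0rd!"),
        # Replaying the already accepted (nonce, nc) pair must be refused.
        "replay": attempt(realm, "Example-Passw0rd!"),
        # A higher nonce count under the same server nonce is a legitimate follow-up request.
        "next_request": attempt(realm, "Example-Passw0rd!", nc="00000002"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The server keeps only MD5(user:realm:password), so changing the configured realm invalidates every stored HA1 and the user records must be rebuilt. MD5 is what RFC 2617 specifies; the scheme's resistance to eavesdropping therefore rests on the TLS channel this guide requires, not on the hash itself.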


Certificate Authority integration


A Certificate Authority (CA) is required to issue the certificates to the proper trusted devices within the
network.
You can use Transport Layer Security (TLS) communication by incorporating certificates issued by a
CA.
Transport Layer Security is available only in the Admin Control mode configuration supported by McAfee
ePO Deep Command.

Two types of certificates are required for the Admin Control mode configuration of Intel AMT systems:

• Server Authentication Certificate: For Certificate Authority integration, you need to deploy a
  self-signed CA in your network. A Server Authentication certificate is required for each Intel AMT
  device that needs to communicate using TLS. When the Intel AMT client is configured to use TLS,
  the configuration server automatically requests a certificate from the root CA. The certificate, which
  is based on the standard web server certificate template available with the Microsoft Certification
  Authority, is stored in the non-volatile RAM on the Intel AMT client.

• Configuration Certificate: For configuration, you need to deploy a vendor-supplied certificate or
  a self-signed CA in your network. When you use Intel RCS, the certificate is stored in the
  certificate store of the user account running the Intel RCS. When using a vendor-supplied
  certificate for the configuration, you must:

  • Use a supported vendor. The list of supported vendors is prepared based on the root certificate
    hashes present in the Intel AMT firmware and its versions. For more information on supported
    vendors, see http://communities.intel.com/docs/DOC-2225.

  • Generate a Certificate Signing Request (CSR) and purchase the appropriate SSL certificate from
    the vendor. For example, to purchase and install Go Daddy certificates, see
    http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21742.

  • Provide the Intel Client Setup Certificate in the Organizational Unit field of the Certificate
    Signing Request.

  • Make sure that the CN in the Certificate Signing Request matches the Intel AMT System
    Domain Suffix.

  • Make sure that the key is exportable and the Request Type is PKCS10.

  • Install the vendor certificate on the system where Intel SCS Remote Configuration Service
    (RCS) will be running.

  For more information on purchasing the correct SSL certificate, see
  http://communities.intel.com/docs/DOC-1277.
  For more information on installing the vendor certificate, see Installing a Vendor Certificate in the
  Intel Setup and Configuration Service (Intel SCS) User Guide.


This table provides information on certificate templates:

Purpose: Communicating with Intel AMT systems using TLS
Certificate template to use: Web server
Specific information in certificate:
  • The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
  • The subject field must contain the FQDN of the Intel AMT system.
  • McAfee recommends that you don't configure the Certification Authority (CA) of the web server
    to use SHA-2 256 or higher as the signature hash algorithm, because the Intel AMT client
    configuration through ePolicy Orchestrator doesn't work with it.

Purpose: Configuration of Intel AMT systems by the configuration server
Certificate template to use: Duplicate of web server with customization, or vendor-supplied certificate
Specific information in certificate:
  • The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the
    object identifier 2.16.840.1.113741.1.2.3, or Intel Client Setup Certificate is provided in the
    Organizational Unit field.
  • The subject field must contain the FQDN of the configuration server.
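The two template rows above reduce to a handful of checks on the issued certificate: the Server Authentication EKU (1.3.6.1.5.5.7.3.1), the FQDN in the subject, the SHA-2 caveat for the web server CA, and, for the configuration server, either the 2.16.840.1.113741.1.2.3 EKU or the Intel Client Setup Certificate marker in the OU field. The PowerShell function below is an added example, not part of this guide or of the McAfee or Intel software; it reads a certificate from a .cer file or the local store and reports which of those requirements are not met. The file path and FQDN in the usage lines are placeholders.

```powershell
# Added example (not part of the McAfee guide or of the McAfee/Intel software): check a
# certificate against the template requirements above. Works with Windows PowerShell 2.0
# and later. The usage lines' file path and FQDN are placeholders.

function Test-AmtCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$ExpectedFqdn,          # FQDN of the Intel AMT system, or of the configuration server
        [switch]$ConfigurationServer    # apply the second table row instead of the first
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
    $intelSetupOid = '2.16.840.1.113741.1.2.3'  # Intel Client Setup Certificate EKU (configuration server only)
    $problems = @()

    # Collect the OIDs in the Enhanced Key Usage extension, if the certificate has one
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }
    if ($ekuOids -notcontains $serverAuthOid) {
        $problems += "Enhanced Key Usage lacks Server Authentication ($serverAuthOid)"
    }

    # The subject CN must be the FQDN of the system the certificate identifies
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedFqdn) {
        $problems += "Subject CN '$cn' does not match the expected FQDN '$ExpectedFqdn'"
    }

    if ($ConfigurationServer) {
        # Second row: the Intel EKU, or the Intel Client Setup Certificate marker in the OU field
        $ou = ''
        foreach ($part in ($Certificate.Subject -split ',\s*')) {
            if ($part -like 'OU=*') { $ou = $part.Substring(3) }
        }
        $hasIntelEku = ($ekuOids -contains $intelSetupOid)
        $hasIntelOu  = ($ou -like '*Intel*Client Setup Certificate*')
        if (-not ($hasIntelEku -or $hasIntelOu)) {
            $problems += "Neither EKU $intelSetupOid nor 'Intel Client Setup Certificate' in the OU field"
        }
    } else {
        # First row: the guide states that a SHA-2 signature hash on the web server CA breaks
        # Intel AMT client configuration through ePolicy Orchestrator, so flag it
        $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
        if ($sigAlg -match 'sha(256|384|512)') {
            $problems += "Signature algorithm '$sigAlg' uses SHA-2, which the guide advises against for the web server CA"
        }
    }

    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: check an exported client certificate as a web server (TLS) certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\amt-client01.cer'   # placeholder path
Test-AmtCertificate -Certificate $cert -ExpectedFqdn 'amt-client01.corp.example' | Format-List
# For the configuration server certificate, add -ConfigurationServer and pass the RCS server FQDN
```

Run it against each certificate the CA issues before the configuration run; a non-empty Problems list tells you which table row requirement the template or the CSR got wrong.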

How RCS Manager plug-in works


The RCS Manager is a module of ePO Deep Command that helps you manage the configuration of your
Intel AMT firmware through ePolicy Orchestrator. The diagram below illustrates the workflow phases
involved in configuration through the RCS Manager plug-in.

The RCS Manager retrieves configuration profiles from the Intel RCS servers and reports back to the
ePolicy Orchestrator server. The server uses these profiles to configure the Intel AMT systems and
lists them under the ePO Deep Command configuration policies.
You create the configuration profiles in the Intel RCS console, then install the RCS Manager
extension. You then push the plug-in through the McAfee Agent to the Intel RCS server to retrieve the
server and profile-related information.


This information is listed in the configuration policy, which can be configured based on the Intel RCS
server and the configuration profile selected. The customized policies are then pushed to the Intel
AMT client through the McAfee Agent. The ePO Deep Command Client triggers the configurator to
initiate configuration; once the process is complete, the success or failure status is sent to the
ePolicy Orchestrator server.

Required additional configurations


When configuring your Intel AMT systems for use with ePO Deep Command, keep these specifications
in mind.
In an ePO Deep Command environment, an Intel AMT system can be:

• Not configured

• Configured, but not compliant with ePolicy Orchestrator

• Configured and compliant with ePolicy Orchestrator

Of these situations, the first two are of particular importance. Refer to this section to make sure that
the appropriate configurations, conditions, and details are in place to move your systems into the
configured and compliant state.

Not configured systems


If your Intel AMT systems are not configured, consider these points:

• Make sure the latest BIOS, Intel AMT firmware, and Intel AMT drivers are applied to all Intel
  AMT-equipped systems. Refer to the manufacturer of your hardware for details about obtaining this
  content.

• For security reasons, Intel AMT-equipped systems are shipped in an unconfigured state. Before
  you can report on or manage these systems with ePO Deep Command software, the Intel AMT
  hardware must be configured.

• Intel AMT systems can be configured before or after they are deployed to your enterprise
  environment. The preferred setup for initial configuration is a Dynamic Host Configuration Protocol
  (DHCP) environment with your target systems on a production wired LAN interface with network
  ports 135 and 16992-16995 available.

• Intel AMT systems must be configured with at least one administrative account and TLS
  certificate. This configuration requires:

  - An internal Microsoft Certificate Authority

  - The Intel Setup and Configuration Service (SCS)

  - Initial authentication to the Intel AMT system

• Each Intel AMT system must receive an initial profile to perform its function as a network service.
  The profile must be provided to your Intel AMT systems in a secure manner, and must provide the
  relevant information such as authentication or Access Control List (ACL) details, enabled service
  interface, securing of communications, and so forth.

• To ensure optimal performance, Intel AMT systems must be configured to use the Admin
  Control Mode.


• Intel SCS is an essential component that provides a centralized mechanism for initial and
  post-configuration events. For more information about Intel SCS requirements, setup, and
  configuration details, see the Intel Setup and Configuration Service (Intel SCS) User Guide.

• The initial trust between Intel SCS and your Intel AMT system is established through a
  Pre-shared Key (PSK) or remote configuration certificates (PKI). For more details about PSK and
  PKI, see the Intel Setup and Configuration Service (Intel SCS) User Guide.

Configured, but not compliant systems


If your Intel AMT systems are configured, but not compliant with ePolicy Orchestrator, consider these
points:

• ePolicy Orchestrator requires TLS in the Intel AMT configuration. The internal CA root certificate
  must be in the Trusted Root Certificate store of the Intel AMT system, and must be imported into
  the ePolicy Orchestrator server.

• ePolicy Orchestrator can authenticate through Intel AMT Digest or a valid Kerberos account with
  PT Admin Realm access.

• Authentication and certificate details are applied to the ePolicy Orchestrator Server Settings in the
  Intel AMT Credentials settings category. Only one set of credentials and one certificate can be
  applied per instance of ePO Deep Command.

• If your Intel AMT systems were initially configured without using Intel SCS, it might be possible
  to change that configuration using the options provided by Intel SCS.

Additional resources
Refer to this source for additional information about Intel SCS and to download its latest version:


http://www.intel.com/go/scs

Admin Control mode network configuration


Admin Control mode configuration requires that specific hardware, software, and configuration settings
be in place.
This illustration provides a high-level overview of a network configuration that supports Admin Control
mode of your Intel AMT systems.

Each of the server components in this illustration performs an essential function in Admin Control mode
configuration:

• Active Directory server: The Active Directory (AD) server is an integration point for the Intel
  AMT device. This integration allows the configuration server to use Kerberos authentication to
  securely manage Intel AMT credentials.

• Certificate Authority server: The Certification Authority (CA) server issues certificates to the
  correct trusted devices within the network. An organization can use Transport Layer Security (TLS)
  communication by incorporating certificates issued by a CA.

• ePO server: The ePolicy Orchestrator server is the management console from which application
  and enforcement of Intel AMT policies are configured and distributed.

• Configuration server: This is used to configure an Intel AMT system. It automates the process
  of populating Intel AMT systems with the user names, passwords, and network parameters that
  enable the system to be administered remotely from ePO Deep Command. Using the ePO Deep
  Command RCS Manager plug-in, ePolicy Orchestrator can enforce the Intel AMT configuration
  policies on the configuration server (Intel RCS server).


Additional components and their configuration


There are several additional components and configurations not depicted in the previous illustration.
These components also play a role in the configuration process:

• Firewall: Intel AMT systems require certain ports to be open to allow management traffic to pass
  through. These tables list the ports used for Intel AMT system communications, which should not
  be blocked.

  Communication ports
    16992   TCP/UDP   Intel AMT SOAP/HTTP
    16993   TCP/UDP   Intel AMT SOAP/HTTPS

  Redirection ports
    16994   TCP/UDP   Intel AMT Redirection/TCP
    16995   TCP/UDP   Intel AMT Redirection/TLS

  Port 135 is used for Windows Management Instrumentation (WMI) ACUconfig to RCS
  communications. Ports 623 and 624 for Web Services-Management (WS-MAN) can be used by the
  McAfee KVM viewer.
  When using the Intel Setup and Configuration Service configuration server, the Microsoft Base
  Filtering Engine services intercept the configuration process, which causes the configuration process
  to fail. Make sure that firewall rules are enabled for the designated ports.

• BIOS version: Use the latest BIOS and firmware from the OEM for proper functionality.

• IP addressing scheme: DHCP is required as the IP addressing scheme for remote configuration
  of the Intel AMT systems.

• Intel Management Engine Interface (MEI) driver: The MEI driver is one of the prerequisites
  for configuration and local operations of the Intel AMT system. Confirm with the hardware vendors
  that you have the right set of MEI drivers for the appropriate Intel AMT systems.
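To confirm that the firewall rules for the ports in the tables above are in place before a configuration run, the PowerShell function below (an added example, not from this guide or the McAfee software) attempts a TCP connection to ports 16992 to 16995 on each named Intel AMT client from the ePolicy Orchestrator server. It uses System.Net.Sockets.TcpClient with a timeout so that it also runs on Windows Server 2003 and 2008, which lack Test-NetConnection. The host names are placeholders, and the UDP side of each port is not probed.

```powershell
# Added example (not part of the McAfee guide): verify that the Intel AMT management ports
# listed in the tables above are reachable from the ePolicy Orchestrator server.
# Host names are placeholders. Only TCP is tested; a TCP connect cannot probe UDP listeners.

function Test-AmtPorts {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [int]$TimeoutMs = 2000
    )

    # Ports from the communication and redirection port tables above
    $ports = @{
        16992 = 'Intel AMT SOAP/HTTP'
        16993 = 'Intel AMT SOAP/HTTPS'
        16994 = 'Intel AMT Redirection/TCP'
        16995 = 'Intel AMT Redirection/TLS'
    }

    foreach ($target in $ComputerName) {
        foreach ($port in ($ports.Keys | Sort-Object)) {
            $client = New-Object System.Net.Sockets.TcpClient
            $open = $false
            try {
                # Asynchronous connect so that a silently dropped packet does not block for minutes
                $async = $client.BeginConnect($target, $port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                    $client.EndConnect($async)   # throws if the connection was refused
                    $open = $true
                }
            } catch {
                $open = $false
            } finally {
                $client.Close()
            }
            New-Object PSObject -Property @{
                ComputerName = $target
                Port         = $port
                Service      = $ports[$port]
                Reachable    = $open
            }
        }
    }
}

# Usage: run on the ePO server against the managed Intel AMT clients (placeholder names)
Test-AmtPorts -ComputerName 'amt-client01.corp.example', 'amt-client02.corp.example' |
    Format-Table ComputerName, Port, Service, Reachable -AutoSize
```

Read the result together with the client's configuration state: the Intel AMT firmware only listens on these ports once it has been configured, so an unreachable port on a not-yet-configured system is expected, while an unreachable port on a configured system points at a firewall rule.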


Installation and configuration

You need to perform a series of steps to set up your McAfee ePO Deep Command software per your
requirements.

1  Make sure that your system meets the requirements.

2  Install the ePO Deep Command Discovery and Reporting extension.

3  Deploy the ePO Deep Command Discovery and Reporting plug-in to the Intel AMT client systems.

4  Generate reports on your client systems to identify the Intel AMT-enabled systems.

5  Install the ePO Deep Command Management Framework software.

6  Deploy the ePO Deep Command Client plug-in to the Intel AMT systems.

7  Provide Intel AMT credentials and import server authentication certificates.

8  Import trusted root CA certificates.

9  Test your connection to the Intel AMT client systems from the ePolicy Orchestrator server.

10 Configure user access permissions.

11 (Optional) Install and configure the RCS Manager software to manage configuring or unconfiguring
   Intel AMT firmware through ePolicy Orchestrator.

12 (Optional) Set up and configure the ePO Deep Command Gateway server (required to use the Client
   Initiated Remote Access feature).

Contents
Requirements
Install the software
Configure user permissions
Configure Intel AMT clients through ePolicy Orchestrator
Unconfigure Intel AMT clients through ePolicy Orchestrator
Configure the Gateway server for Remote Access
Uninstall the software

Requirements
Verify that your system meets these requirements before you start the installation process.
These are minimum requirements for the ePO Deep Command Discovery and Reporting software. You
must also consider the system requirements for any other products you are installing, such as McAfee
ePolicy Orchestrator.


System requirements

Systems: McAfee ePolicy Orchestrator server systems
Requirements: See the ePolicy Orchestrator product documentation for version 4.6.4 or later.

Systems: Intel AMT client systems
Requirements:
  • CPU: Intel vPro-enabled, as listed in this link:
    http://www.intel.com/support/vpro/sb/CS-030703.htm
  • RAM: 512 MB minimum (1 GB recommended)
  • Hard Disk: 200 MB minimum free disk space
  • Intel AMT: Version 4.x or higher (for McAfee EEPC integration, Intel AMT version 6.x or higher
    is required)

Systems: Intel MEI driver
Requirements: Based on the hardware, the version of the Intel MEI driver varies. To obtain the correct
version of this software, contact the hardware manufacturer for your systems (required when using the
Management Framework module).
The installation of the Intel MEI driver is not required to use the Discovery and Reporting module, but
is recommended. Installing it on the managed systems allows you to collect the complete Intel AMT and
BIOS properties.

Systems: Intel RCS server
Requirements: Version 8.0.13 or later (This is required to manage Intel AMT configuration through
ePolicy Orchestrator using the RCS Manager plug-in. The ePolicy Orchestrator server enforces the
configuration policy on the Intel RCS server to facilitate the configuration process.)

Systems: Graphics
Requirements: Intel Integrated 3000 (This is required for the McAfee KVM viewer component.)

Systems: Network Interface Card
Requirements: Onboard (Multiple NICs are not supported by the Intel Active Management Technology
feature of the Intel Core 2 processor with vPro technology.)

Software requirements
Make sure you have the required software installed for the ePO Deep Command module you're
installing.

Software: McAfee management software
  ePO Deep Command module: Discovery and Reporting
  Requirements: McAfee ePolicy Orchestrator 4.6.4 or later; McAfee Agent for Windows 4.5.1 or later

  ePO Deep Command module: Management Framework
  Requirements: McAfee ePolicy Orchestrator 4.6.4 or later; McAfee Agent for Windows 4.5.1 or later

Software: Internet browser
  ePO Deep Command module: All
  Requirements: Internet Explorer 7.0 or later, or Mozilla Firefox 3.6.20 or later. Pop-up windows
  must be enabled and allowed.

The ePO Deep Command Management Framework module requires the Discovery and Reporting module
to function correctly.


Operating system requirements

System: McAfee ePolicy Orchestrator server systems
Software: See the ePolicy Orchestrator product documentation for versions 4.6 or later.

System: Client systems for ePO Deep Command software
Software:
  • Windows XP with Service Pack 3 (32- or 64-bit)
  • Windows Vista or higher with Service Pack 1 (32- or 64-bit)
    The Intel AMT client configuration through ePolicy Orchestrator doesn't work on this client.
  • Windows 7 or higher (32- or 64-bit)
  • Windows 8 or higher (only with McAfee Agent 4.6 patch 2 or higher)
  • Windows Server 2003 or higher (32- or 64-bit)
  • Windows Server 2008 R2 or higher (32- or 64-bit)

Upgrade requirements
You can upgrade to McAfee ePO Deep Command version 1.5 from the earlier version 1.0.

Install the software


Install the extensions and deploy them to manage your Intel AMT systems.
Tasks

• Install or upgrade the ePO Deep Command extensions on page 26
  The ePO Deep Command software is comprised of multiple modules, which you can install
  on your ePolicy Orchestrator server based on your requirements.

• Deploy the ePO Deep Command Discovery and Reporting plug-in on page 27
  Deploy the Discovery and Reporting plug-in to generate reports on your Intel AMT systems.

• Assign AMT Tag to systems on page 28
  Run the predefined ePO Deep Command: Run Tag Criteria task to evaluate each system against
  AMT tag criteria and assign the AMT tag to all configured Intel AMT client systems.

• Deploy the Management Framework client on page 28
  Deploy the Management Framework client to your Intel AMT systems to manage them
  using Intel AMT actions, policies, server tasks, and queries.

• Create a certificate chain on page 29
  You can copy the root and intermediate certificates to a single file and save it as a Privacy
  Enhanced Mail (PEM) file.

• Specify ePO Deep Command credentials on page 31
  Specify ePO Deep Command credentials and import the Server Authentication Certificate in
  ePolicy Orchestrator.

• Import CA certificates to ePolicy Orchestrator on page 32
  Certificate Authority (CA) certificates are required to facilitate secure communication
  between your clients and servers.

• Installing the ePO Deep Command online help on page 33
  With the ePO Help installed, you can view definitions of the interface options by clicking ? in
  the interface. Perform this task if you've not checked in this extension along with other ePO
  Deep Command extensions from Software Manager.


Install or upgrade the ePO Deep Command extensions


The ePO Deep Command software is comprised of multiple modules, which you can install on your
ePolicy Orchestrator server based on your requirements.
You can install the software extensions using the Software Manager in ePolicy Orchestrator. The
Software Manager provides a single location within the ePolicy Orchestrator console to review and
obtain McAfee software and components. If you already have an earlier version of the software
installed, following this task upgrades McAfee ePO Deep Command to version 1.5.
Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.

3 Select McAfee ePO Deep Command 1.5 from the products list, then perform one of these:

  • For a fresh installation, select the product components to be installed, or select Check In All to
    check in all of them.
    Each ePO Deep Command 1.5 extension contains its associated client-side component package.
    It's recommended to check in components individually. When you use Check In All, duplicate
    entries of the ePO Deep Command packages are checked in to the Current branch in the Master
    Repository.

  • For an upgrade, click Check In All to check in all the new components, then click Update All to
    update all the existing components.
    It's recommended to move the ePO Deep Command 1.0 packages in the Master Repository to the
    Previous branch before checking in the ePO Deep Command 1.5 components. Also, it's
    recommended to use the Update All option when previous versions of ePO Deep Command
    packages exist in the Master Repository.

Table 3-1 McAfee ePO Deep Command components in Software Manager

Component: McAfee ePO Deep Command Discovery and Reporting Extension
Description: The software extension to enable the Discovery and Reporting feature on the server.
Check in the extension or download it to check in later.

Component: McAfee ePO Deep Command Discovery and Reporting Plug-in
Description: The package to deploy the Discovery and Reporting plug-in onto the Intel AMT client
systems. Check in the package or download it to check in later.

Component: McAfee ePO Deep Command Management Framework Extension
Description: The software extension to enable the Management Framework feature on the server.
Check in the extension or download it to check in later.

Component: McAfee ePO Deep Command Management Framework Client
Description: The package to deploy the Management Framework plug-in onto the Intel AMT client
systems. Check in the package or download it to check in later.

Component: McAfee ePO Deep Command RCS Manager Extension
Description: The software extension to allow Intel AMT configuration through the server. Check in
the extension or download it to check in later.

Component: McAfee ePO Deep Command RCS 8.0 Manager
Description: The package to deploy the RCS Manager plug-in onto the managed Intel RCS server.
Check in the package or download it to check in later.

Component: Intel Setup and Configuration Service
Description: The software for setting up the environment to configure Intel AMT systems. Download
it, then install it on the required system.

Component: McAfee ePO Deep Command Gateway Server
Description: The software for setting up the environment to enable communication with remotely
managed Intel AMT systems. Download it, then install it on a server in your corporate DMZ where the
Agent Handler is installed.

Component: McAfee KVM Viewer
Description: The software component for remotely connecting to an Intel AMT client. Download it,
then install it on the required system.

Component: McAfee ePO Deep Command 1.5.0 Product Guide
Description: The product guide for download.

Component: McAfee ePO Deep Command 1.5.0 Release Notes
Description: The product release information for download.

Component: McAfee ePO Deep Command Help Extension
Description: The product help extension to be downloaded, then installed on the ePolicy Orchestrator
server to enable assistance in the interface. Once the ePO Help is installed, you can view definitions
of the interface options by clicking ? in the interface.

4 In the Check In Software Summary page, review and accept the End User License Agreement (EULA),
  then click OK to complete the installation.

The checked-in packages appear under Menu | Software | Master Repository. The checked-in extensions
appear under Menu | Software | Extensions.

Deploy the ePO Deep Command Discovery and Reporting plug-in

Deploy the Discovery and Reporting plug-in to generate reports on your Intel AMT systems.
Before you begin
Make sure that the McAfee ePO Deep Command Discovery and Reporting Plug-in package is checked in
and listed under Menu | Software | Master Repository.
The Deploy ePO Deep Command Discovery and Reporting Plug-in client task is created automatically when the
McAfee ePO Deep Command Discovery and Reporting Plug-in is installed on the ePolicy Orchestrator server.
Assign the client task to the desired client computers.
Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment
  under McAfee Agent.

2 Click Assign in the Deploy ePO Deep Command Discovery and Reporting Plug-in actions column.
  The Select a group to assign the task page appears.

3 Select the required system or system groups where you want to deploy the ePO Deep Command
  Discovery and Reporting software plug-in.

4 Click OK to open the Client Task Assignment Builder wizard.

5 On the Select Task page, verify the Product, Task type, and Task Name to deploy the product. Next to
  Tags, select a platform, then click Next.

  • Send this task to all computers

  • Send this task to only computers that have the following criteria: Use one of the edit links to
    configure the criteria.

6 On the Schedule page, under Select type, select Run immediately and click Next.

7 Review the summary, then click Save to open the System Tree page.

8 In the System Tree page, select the systems or groups where you assigned the task, then click Actions
  | Agent | Wake Up Agents.
  The Wake Up McAfee Agent page appears.

9 In the Wake Up McAfee Agent page, select Force complete policy and task update, then click OK.
  On successful execution of this task, the ePO Deep Command Discovery and Reporting plug-in is
  deployed.

Assign AMT Tag to systems


Run the predefined ePO Deep Command: Run Tag Criteria task to evaluate each system against AMT tag
criteria and assign the AMT tag to all configured Intel AMT client systems.
Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks.
  The Server Tasks page appears.

2 Click Run for the ePO Deep Command: Run Tag Criteria task.

Upon successful execution, the AMT tag is assigned to all configured Intel AMT client systems. To
check the task status, navigate to Server Task Log.

Deploy the Management Framework client


Deploy the Management Framework client to your Intel AMT systems to manage them using Intel
AMT actions, policies, server tasks, and queries.
Before you begin
Make sure that the McAfee ePO Deep Command Management Framework Client package is checked in
and listed under Menu | Software | Master Repository.
The Deploy ePO Deep Command Client client task is created automatically when the McAfee ePO Deep Command
Management Framework Client is installed on the ePolicy Orchestrator server.
Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment
  under McAfee Agent.

2 Click Assign in Deploy ePO Deep Command Client.
  The Select a group to assign the task page appears.

3 Select the required systems or groups where you want to deploy Management Framework, then
  click OK.

4 Click Next to schedule the deployment task as required.

5 Click Next, then click Save.

6 Send an agent wake-up call.

Create a certificate chain


You can copy the root and intermediate certificates to a single file and save it as a Privacy Enhanced
Mail (PEM) file.
Task
For option definitions, click ? in the interface.

1 On the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
  The Certification Authority Management Console appears.

2 From the Console Root tree, right-click the certificate, then select Properties.

3 In the Properties screen, click the General tab, then click View Certificate.

4 In the Certificate screen, click the Details tab, then click Copy to File.

5 In the Certificate Export Wizard screen, click Next, select the export file format Base-64 encoded X.509
  (.CER), then click Next again.

6 Specify the name of the file to export, click Next, then click Finish.

7 With a text editor (such as WordPad), copy and paste the entire body of the certificate into one text
  file.

8 If intermediate certificates exist within your environment, follow steps 2 through 6 for each
  certificate, then copy the entire text between the "Begin" and "End" statements and place it in
  bottom-to-top order (root last) in the text file created in step 7.

9 Save the combined file as a .PEM file.
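Steps 7 through 9 can also be done from the certificate store without pasting text by hand. The PowerShell function below is an added example, not part of this guide or of the McAfee software: it takes the Server Authentication certificate, lets Windows resolve its issuing chain, and writes the intermediate certificates followed by the root (root last, the order step 8 requires) into a .pem file with the same Base-64 layout as the export wizard produces. It assumes the issuing CA certificates are present in the machine's certificate stores, and the paths shown are placeholders.

```powershell
# Added example (not part of the McAfee guide): write the root and intermediate certificates
# of a Server Authentication certificate to one PEM file, intermediates first and root last.
# Assumes the CA certificates are in the local machine stores; paths are placeholders.

function Export-CertificateChainPem {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$LeafCertificate,
        [Parameter(Mandatory = $true)][string]$OutputPath
    )

    # Let Windows resolve the issuing chain; revocation is irrelevant for assembling the file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($LeafCertificate)) {
        # An untrusted self-signed root still yields a full chain; report the status and carry on
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Chain validation reported: $status"
    }
    if ($chain.ChainElements.Count -lt 2) {
        throw "No issuing certificates found for $($LeafCertificate.Subject); import the CA certificates into the local store first"
    }

    $blocks = @()
    # ChainElements is ordered leaf first and root last; element 0 is the leaf itself, so skip it
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $cert = $chain.ChainElements[$i].Certificate
        $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $b64 = [Convert]::ToBase64String($der)
        # Wrap at 64 characters, as the Base-64 encoded X.509 (.CER) export does
        $lines = @()
        for ($pos = 0; $pos -lt $b64.Length; $pos += 64) {
            $lines += $b64.Substring($pos, [Math]::Min(64, $b64.Length - $pos))
        }
        $blocks += '-----BEGIN CERTIFICATE-----'
        $blocks += $lines
        $blocks += '-----END CERTIFICATE-----'
    }
    $written = $chain.ChainElements.Count - 1
    $chain.Reset()

    # Resolve the path through PowerShell (the .NET working directory can differ) and write
    # plain ASCII: a UTF-8 byte order mark in front of "-----BEGIN" breaks many PEM readers
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputPath)
    [System.IO.File]::WriteAllLines($fullPath, [string[]]$blocks, [System.Text.Encoding]::ASCII)
    return $written
}

# Usage: start from the exported Server Authentication certificate (placeholder paths)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\amt-client01.cer'
$count = Export-CertificateChainPem -LeafCertificate $leaf -OutputPath 'C:\certs\ca-chain.pem'
"Wrote $count CA certificate(s) to ca-chain.pem"
```

Open the resulting file in a text editor once: the last BEGIN/END block must be the root CA, and the file must contain only the CA certificates, never the leaf or a private key, before it is imported as a Trusted Root Certificate in the next task.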

Specify ePO Deep Command credentials


Specify ePO Deep Command credentials and import the Server Authentication Certificate in ePolicy
Orchestrator.
You can import a single certificate or a chain of certificates. The credentials you specify must be the
same as the configuration credentials. This procedure authenticates your administrator rights to
manage Intel AMT systems using ePO Deep Command.
Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings.

2 In Setting Categories, select Intel AMT Credentials, then click Edit to specify your Intel AMT credentials and
  import trusted certificates.

3 Import and activate a Trusted Root Certificate to use the Client Initiated Remote Access (CIRA),
  Serial-over-LAN (SOL), IDE Redirection (IDER), and Remote Keyboard-Video-Mouse (KVM)
  features:

  a In Trusted Root Certificates, click Import, then browse to select a PEM encoded (.pem file), DER
    encoded (.der file), or PKCS12 (.p12 file) certificate or chain of certificates.
    This is the root certificate of the CA that's used for creating and signing the Server
    Authentication Certificate.

  b Click Next.

  c Click Save.
    The certificate is listed in the Trusted Root Certificate box.

  d Select the imported certificate and click Activate to activate it (there can be more than one
    certificate installed, but only one is activated at a time). To remove a certificate, select it and
    click Delete.

4 Update your Intel AMT credentials to use for Intel AMT actions:

  a Type your Active Directory or Digest user name.
    (Use the domain\username format for Active Directory accounts.)

  b Select Change Password, then type your password and confirm the password.
    If the credentials are invalid or not specified, all Intel AMT actions fail.

5 In CILA/CIRA Event Details, select the options required:

  • Disable listening for CILA/CIRA messages on Agent Handlers: Disables Agent Handlers from receiving
    incoming local access or remote access calls. It can be used to globally disable local access or
    remote access without configuring their policy settings, and also disables all other features that
    depend on them (such as EEPC Unlock).

  • Extend CIRA/CILA session-opening events to describe the reason they were initiated: Enables Agent
    Handlers to obtain detailed information about the system that initiates a local access or remote
    access call (such as who initiated the call: EEPC or a user).

6 Click Save.

See also
Certificate Authority integration on page 17

Import CA certificates to ePolicy Orchestrator


Certificate Authentication (CA) certificates are required to facilitate secure communication between
your clients and servers.
Before you begin
Specify ePO Deep Command credentials and import the Server Authentication Certificate in
ePolicy Orchestrator.
In an environment where ePolicy Orchestrator server is implemented across different domains, import
the root and intermediate certificates to the system account where the ePolicy Orchestrator server or
Agent Handler is installed. This prevents the 401 or 12175 errors from being displayed in the
AMTService.log file.
Perform this task only if the ePolicy Orchestrator server is not in the same domain with Enterprise CA
\PKI. In an enterprise CA\PKI, the Microsoft directory service automatically replicates the root or
intermediate certificates. If it's a standalone CA or nonMicrosoft PKI, these steps are required. Check
that first to make sure that the required certificates are available. If they're not present, perform this
task.

When you use Internet Explorer to install the certificate to your Trusted Roots certificate store, it
affects only the current user's certificates and not the local system. Users need to use the MMC
certificates to install on the local system or a service account. This certificate must be checked into
Trusted Root Certification and Intermediate Certification Authorities, and the ePolicy Orchestrator services must be
restarted.
These instructions are specific to importing the root or intermediate certificate of the CA that was used
for creating and signing the Server Authentication Certificate.
Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator server, run mmc from the Command Prompt.

2 From File, click Add/Remove Snap-in, then click Add.

3 In Add Standalone Snap-in, select Certificates, then click Add.

4 From the Certificates snap-in window, select Computer Account, then click Next. From the Select Computer
page, select Local Computer, then click Finish.

5 Click Close.

6 Click OK.

7 Go to Console Root and expand Certificates (Local Computer), then expand Trusted Root Certification Authorities.
The Certificates folder is displayed in the right pane. Right-click Certificates, then click All Tasks |
Import.

8 In the Certificate Import Wizard, click Next, then Browse and select the CA Certificate. Make sure
Trusted Root Certification Authorities is where the certificate is stored. Click Next, then click Finish to
complete the certificate importing process.

9 Go to Console Root and expand Certificates (Local Computer), then expand Intermediate Certification Authorities.
The Certificates folder is displayed in the right pane. Right-click Certificates, then click All Tasks |
Import.
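As an added check (an example script, not part of this guide), the following PowerShell builds the chain of the Server Authentication Certificate from the Local Computer store and reports whether each CA certificate in that chain is present in the machine-wide Trusted Root or Intermediate store, which is what the ePolicy Orchestrator and Agent Handler services use; <THUMBPRINT> is a placeholder for your certificate's thumbprint.

```powershell
# Added example (not from the product guide). Assumptions: the Server Authentication
# Certificate is in Cert:\LocalMachine\My and <THUMBPRINT> is a placeholder for its thumbprint.
param([string]$Thumbprint = '<THUMBPRINT>')

$leaf = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $leaf) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# Build the chain the way the service account sees it (Local Computer context).
# Revocation checking is skipped here because only store membership is being verified.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)

# Thumbprints already held in the machine-wide Trusted Root and Intermediate stores.
$rootStore = @(Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
$caStore   = @(Get-ChildItem -Path Cert:\LocalMachine\CA   | ForEach-Object { $_.Thumbprint })

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $where = if ($c.Thumbprint -eq $leaf.Thumbprint) { 'LocalMachine\My (leaf)' }
             elseif ($rootStore -contains $c.Thumbprint) { 'LocalMachine\Root' }
             elseif ($caStore -contains $c.Thumbprint)   { 'LocalMachine\CA' }
             else { 'MISSING from Local Computer stores - import it with the MMC steps above' }
    '{0,-60} {1}' -f $c.Subject, $where
}

# Any chain error (untrusted root, missing intermediate) shows up here.
if (-not $built) {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}
```

Run it in an elevated PowerShell session on the ePolicy Orchestrator server or Agent Handler; a chain element reported as MISSING is the certificate to import, after which the ePolicy Orchestrator services must be restarted.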

See also
Certificate Authority integration on page 17

Test your connection to an Intel AMT system


After configuring your Intel AMT firmware, specifying product credentials to manage your Intel AMT
systems, then deploying ePO Deep Command to your Intel AMT systems, you can verify that the
Intel AMT system is managed by your ePolicy Orchestrator server by using the Power On and Boot/
Reboot features.

Power On feature
Follow the instructions in the Power on your systems section of the Managing your Intel AMT systems
chapter.

Boot/Reboot feature
Follow the instructions given in the Boot or reboot using IDERedirect section of the Managing your
Intel AMT systems chapter.

Installing the ePO Deep Command online help


With the ePO Deep Command Help extension installed, you can view definitions of the interface options by
clicking ? in the interface. Perform this task if you've not checked in this extension along with other
ePO Deep Command extensions from Software Manager.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.

3 Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command Help Extension,
then click Check In.

When checked in successfully, the deep_command_help extension appears under ePO Deep Command on the
Extensions page. Verify that the extension version is 1.5.0.xxx.


Configure user permissions


Minimum permissions must be set for all users to allow or forbid them from using the different ePO Deep
Command actions, policies, and tasks.
A permission set is a group of permissions granted to a user account for specific products or features
of a product. One or more permission sets can be assigned. For users who are global administrators,
all permissions to all products and features are automatically assigned. Global administrators can
assign existing permission sets when creating or editing user accounts and when creating or editing
permission sets.
When you install the ePO Deep Command Management Framework, it adds sections called ePO Deep
Command Actions and ePO Deep Command Policies on the Permission Sets, without applying any
permissions. The global administrator might need to give permissions to handle other ePolicy
Orchestrator areas that work with ePO Deep Command such as policies and tasks.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | User Management | Permission Sets.

2 On the Permission Sets page, select the permission set to which you want to assign ePO Deep
Command permissions.
The details appear to the right.

3 Click Edit next to the permission set to be modified:


Permission set: ePO Deep Command Actions (added when ePO Deep Command Management Framework is installed)
Options: Grant permissions for these Intel AMT actions:
  Enforce AMT Policies: Allows users to enforce Out-of-Band policies.
  Enforce AMT Firmware Configuration Policy: Allows users to configure or unconfigure Intel AMT firmware
  on the client systems.
  Power On: Allows users to power on client systems.
  Boot/Reboot with Options (IDER): Allows users to reboot an Intel AMT system to a redirected disk.
  Serial-over-LAN Terminal (SOL): Allows users to connect to a remote Intel AMT system through a
  virtual serial port.

Permission set: ePO Deep Command Policies (added when ePO Deep Command Management Framework is installed)
Options: Grant permissions for ePO Deep Command policies and tasks:
  No Permissions: Forbids users to view policy and task settings in the ePO Deep Command policies.
  View policy and task settings: Allows users to view policy and task settings in the ePO Deep
  Command policies.
  View and change policy and task settings: Allows users to view and modify the policy and task
  settings in the ePO Deep Command policies.

Permission set: ePO Deep Command RCS Manager (added when ePO Deep Command RCS Manager is installed)
Options: Grant permissions for ePO Deep Command configuration policies:
  No Permissions: Forbids users to view policy and task settings in the ePO Deep Command
  configuration policies.
  View policy and task settings: Allows users to view policy and task settings in the ePO Deep
  Command configuration policies.
  View and change policy and task settings: Allows users to view and modify the policy and task
  settings in the ePO Deep Command configuration policies.

4 On the Edit Permission Set page for the selected permission set, select the options as required, then
click Save.

Configure Intel AMT clients through ePolicy Orchestrator


To manage the Intel AMT firmware configuration from ePolicy Orchestrator, you need to install and
configure the ePO Deep Command RCS Manager plug-in, which communicates with the Intel RCS servers
to perform the configuration or unconfiguration.
Before you begin

The supported Intel RCS version 8.0.13 or later must be installed and configured.
Obtain the latest Intel RCS version and required documentation from the Intel website:
http://www.intel.com/go/scs.

The ePO Deep Command Management Framework must be installed and configured.


Most of these tasks involve steps that are performed in a non-McAfee environment. This guide gives only
brief information on the normal procedure required to configure the ePO Deep Command RCS
Manager software. See the Intel Setup and Configuration Service (Intel SCS) User Guide for detailed
information on these steps and for any alternate steps.

Intel AMT client in a Virtual Private Network (VPN) environment can't be configured from
ePolicy Orchestrator because the home domains of the server and client are different in
this scenario.

If a configured Intel AMT client is outside the home domain and has CIRA policy
configured, it cannot be unconfigured from ePolicy Orchestrator.

Tasks

Create a certificate template on page 36


Create a remote configuration certificate template for the Intel AMT configuration.

Enable the certificate template on page 38


Enable the certificate template for use in the Intel AMT configuration.

Issue certificates automatically on page 39


Configure to issue certificates automatically and not into the "pending requests" for a
successful Intel AMT configuration.

Create a configuration profile on page 40


Create a configuration profile in the Intel RCS server, for the settings required to push the
Intel AMT device configuration.

Modify WMI permissions to add domain computers on page 45


The remote configuration of Intel AMT systems requires appropriate WMI permissions for
domain computers on the server where the Intel RCS is installed and configured.

Modify DCOM permissions to add domain computers on page 47


The configuration process requires appropriate DCOM permissions for domain computers in
the server where the Intel RCS is installed and configured.

Install the ePO Deep Command RCS Manager extension on page 50


The ePO Deep Command RCS Manager extension is required to manage the Intel AMT
configuration through ePolicy Orchestrator. Perform this task if you've not checked in this
extension along with other ePO Deep Command extensions from Software Manager.

Check in the ePO Deep Command RCS Manager package on page 50


The ePO Deep Command RCS Manager package is required to deploy the RCS Manager
plug-in onto the managed Intel RCS servers. Perform this task if you've not checked in this
package along with other ePO Deep Command extensions from Software Manager.

Deploy the ePO Deep Command RCS Manager plug-in on page 51


After the ePO Deep Command RCS Manager extension is installed on the ePolicy
Orchestrator server, deploy the RCS Manager plug-in to the Intel RCS server.

Configure Intel AMT systems using policy on page 51


You can configure your Intel AMT client systems from the ePolicy Orchestrator console
using the Intel AMT Configuration Policy.

Create a certificate template


Create a remote configuration certificate template for the Intel AMT configuration.
Task
1 In the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
The Certification Authority Management Console appears.


2 From the Console Root tree, double-click Certificate Templates.
The list of templates appears in the right pane.

3 Right-click Certificate Templates and select Manage.

4 In the right pane, right-click the Computer template and select Duplicate Template.
The Properties of New Template window appears.


5 In the Template display name field, enter the name for the template as AMT Configuration.

6 Click the Extensions tab, select Application Policies, then click Edit:
a Click Add, then click New.

b Enter the policy name as AMT OID, and in the Object Identifier (OID) field enter this:
2.16.840.1.113741.1.2.3

c Click OK three times to return to the Properties of New Template window.

7 Click the Subject Name tab, then select Supply in the request.

8 Click the Request Handling tab, then select Allow private key to be exported.

9 Click OK.
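As an added check (an example script, not from this guide), this PowerShell inspects a certificate issued from the template above and confirms that its Enhanced Key Usage carries the AMT OID 2.16.840.1.113741.1.2.3 and that its private key is marked exportable, the two template settings most often missed; <THUMBPRINT> is a placeholder, and the exportability check assumes a CSP-based key (it reports false for CNG keys).

```powershell
# Added example (not from the product guide). Assumptions: the issued certificate is in
# Cert:\LocalMachine\My, <THUMBPRINT> is a placeholder for its thumbprint, and its private
# key is CSP-based (CspKeyContainerInfo is not available for CNG keys).
param([string]$Thumbprint = '<THUMBPRINT>')

$AmtOid = '2.16.840.1.113741.1.2.3'   # OID entered in the AMT Configuration template (AMT OID policy)
$EkuOid = '2.5.29.37'                 # X.509 Enhanced Key Usage extension

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# The store returns the typed X509EnhancedKeyUsageExtension for OID 2.5.29.37.
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$hasAmtOid = $ekuOids -contains $AmtOid

# "Allow private key to be exported" is recorded on the key container for CSP keys.
$exportable = $false
try {
    $cspInfo = $cert.PrivateKey.CspKeyContainerInfo
    if ($cspInfo) { $exportable = [bool]$cspInfo.Exportable }
} catch {
    # CNG key or no access to the key: leave $exportable as false and report it.
}

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    EkuOids       = ($ekuOids -join ', ')
    HasAmtOid     = $hasAmtOid
    HasPrivateKey = $cert.HasPrivateKey
    KeyExportable = $exportable
}

if (-not $hasAmtOid) {
    Write-Warning "EKU lacks the AMT OID $AmtOid; check Application Policies on the template's Extensions tab."
}
if (-not $exportable) {
    Write-Warning "Private key not reported as exportable; check the template's Request Handling tab."
}
```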

Enable the certificate template


Enable the certificate template for use in the Intel AMT configuration.
Task
1 In the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
The Certification Authority Management Console appears.


2 From the Console Root tree, select Certificate Authority | Certificate Templates. Right-click in the right pane
and select New | Certificate Template to Issue.

3 In the Enable Certificate Templates screen, select the template that was created and click OK.

The template now appears in the right pane with the other certificate templates.

Issue certificates automatically


Configure the CA to issue certificates automatically, rather than placing them in "pending requests", so
that the Intel AMT configuration succeeds.
ePO Deep Command doesn't support pending certificate requests. If during configuration the CA puts
the certificate into the Pending Requests state, Intel SCS returns an error (#35). Make sure that
the CA and the templates used by Intel SCS are not defined to put certificate requests into a pending
state.


Task
1 In the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
The Certification Authority Management Console appears.

2 Right-click the CA, then select Properties.
The certificate properties screen appears.

3 Click the Policy Module tab, then click Properties.

4 In the Request Handling tab, select Follow the settings in the certificate template, if applicable. Otherwise,
automatically issue the certificate., then click OK.

Create a configuration profile


Create a configuration profile in the Intel RCS server, for the settings required to push the Intel AMT
device configuration.
Task
1 From the Intel SCS Console, click the icon to create a new profile.
The Configuration Profile Wizard screen appears.

2 In the Profile Description section, enter a unique name, then click Next.


3 In the Optional Settings, select Access Control List (ACL), Transport Layer Security (TLS), and Active Directory
Integration (if using Kerberos authentication), then click Next.


4 If using Digest authentication, skip to the next step. Otherwise, in the Active Directory (AD)
Integration screen, click ... next to the Active Directory OU field and select the Organizational Unit
where the system is stored in the Active Directory, then click Next.

During configuration, the Intel SCS sends a request to the AD to create an object representing the
Intel AMT system and adds it to the Active Directory Organizational Unit (AD OU) you define.


5 In the Access Control List (ACL) screen, click Add and perform these steps in the User/Group Details
window:
a From the User Type option, select Digest User to use Digest authentication or Active Directory User/Group
to use Kerberos authentication, as required.

b Provide credentials for the selected authentication type:

For Digest User, type the username and password.

For Active Directory User/Group, click Browse, then select a domain user or group.

c From the Access Type drop-down list, select Both.

d From the Realms options, select PT Administration.

e Click OK.


6 In the Transport Layer Security (TLS) screen, perform these steps:
a From the Certificate Authority drop-down list, select the Certification Authority that was added.

b From the Server Certificate Template drop-down list, select the required certificate template. Click
Refresh CAs & Templates if the newly created template is not populated.

c From the Common Names (CNs) in certificate subject name, select Default CNs.
McAfee recommends that you don't select the Use mutual authentication for remote option. When an Intel
AMT client is configured using a profile that uses both local and remote Mutual Authentication, the
Remote Access policy enforcement to the client might fail.


7 In the System Settings screen, perform these steps:
a In the Management Interfaces section, select all of these options:

Web UI

Serial Over LAN

IDE redirection

KVM redirection

b In the Power Management Settings section, select Always on (S0-S5).

c In the ME BIOS Extension (MEBx) password field, enter the password used for locally accessing
the MEBx settings (default is admin on a new system).

d In the Network Settings section, select Enable Intel AMT to respond to ping requests and Enable Fast Call for
Help (within the enterprise network).

8 Click Finish to close the Configuration Profile Wizard.

The profile is added to the list of profiles.

Modify WMI permissions to add domain computers


The remote configuration of Intel AMT systems requires appropriate WMI permissions for domain
computers on the server where the Intel RCS is installed and configured.


Task
For option definitions, click ? in the interface.
1 Click Start | Administrative Tools, then click Server Manager.

2 Expand Configuration, right-click WMI Control, then select Properties.

3 Go to the Security tab, then perform these steps for the namespaces that control access to the RCS (such
as Intel_RCS, Intel_RCS_Editor, Intel_RCS_Master_Password, and Intel_RCS_Systems):
a From the tree, select a namespace and click Security.
The Security screen of the namespace appears.


b Click Advanced, add Domain Computers, then double-click the permission entry for domain
computers.

c Select This namespace and subnamespaces under Apply to, then select Allow for all permissions.

d Make sure that all required users are added in the Security screen. Perform this step for each
required user.

4 Save the settings and close the properties screens.

Modify DCOM permissions to add domain computers


The configuration process requires appropriate DCOM permissions for domain computers in the server
where the Intel RCS is installed and configured.
Task
For option definitions, click ? in the interface.
1 Click Start | Run, then type dcomcnfg and press Enter.

2 Expand Console Root | Component Services | Computers, right-click My Computer, then select Properties.

3 Click the COM Security tab.


4 From the Access Permissions section:
a Click Edit Limits.

b Add Domain Computers, then allow these permissions for the Domain Computers group:

Local Access

Remote Access

c Click OK.

5 From the Launch and Activation Permissions section:
a Click Edit Limits.

b Add Domain Computers, then allow these permissions for the Domain Computers group:

Local Launch

Remote Launch

Local Activation

Remote Activation

c Click OK.

6 Click OK.

7 (Optional) If the Intel RCS is running on Microsoft Windows 2008, then perform these steps in
the Component Services screen:
a Expand Console Root | Component Services | Computers | My Computer | DCOM Config, right-click the entry
for the Intel RCS, then select Properties.

b On the Security tab, under Configuration Permissions, select Customize, then click Edit.


c Add Domain Computers, then allow these permissions for the Domain Computers group:

Full Control

Read

Special Permission

d Close the Component Services window.

Install the ePO Deep Command RCS Manager extension


The ePO Deep Command RCS Manager extension is required to manage the Intel AMT configuration
through ePolicy Orchestrator. Perform this task if you've not checked in this extension along with other
ePO Deep Command extensions from Software Manager.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.

3 Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command RCS Manager
Extension, then click Check In.

When checked in successfully, the ePO Deep Command RCS Manager extension appears under ePO Deep
Command on the Extensions page.

Check in the ePO Deep Command RCS Manager package


The ePO Deep Command RCS Manager package is required to deploy the RCS Manager plug-in onto
the managed Intel RCS servers. Perform this task if you've not checked in this package along with
other ePO Deep Command extensions from Software Manager.


Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.

3 Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command RCS 8.0 Manager,
then click Check In.

When checked in successfully, the ePO Deep Command RCS 8.0 Manager appears under Menu | Software
| Master Repository and the Deploy ePO Deep Command Discovery and Reporting Plugin task appears under Menu |
Policy | Client Task Catalog | McAfee Agent | Product Deployment.

Deploy the ePO Deep Command RCS Manager plug-in


After the ePO Deep Command RCS Manager extension is installed on the ePolicy Orchestrator server,
deploy the RCS Manager plug-in to the Intel RCS server.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, go to System Tree, then select the target server hosting Intel
RCS.

2 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment.

3 Select McAfee Agent under Product, and Product Deployment under Task Type, then click Create New Task.

4 Type a name for the task and any notes, then select Target Platforms, as needed.

5 In Products and components, select McAfee ePO Deep Command RCS 8.0 Manager 1.5.0.xxx, select Action as Install,
select the language, then click Save.

6 Select the task from the list, then click Next.

7 Schedule the task to run immediately or as required, then click Next to view a summary of the task.

8 Review the summary of the task, then click Save.

The task is added to the list of client tasks for the selected Intel RCS server, and is executed at the
next agent-server communication.
If the Intel RCS server is busy, there might be a delay in processing the WMI call. Wait for the next
agent-server communication for the RCS Manager information to be updated in the ePolicy Orchestrator
console.

Configure Intel AMT systems using policy


You can configure your Intel AMT client systems from the ePolicy Orchestrator console using the
Intel AMT Configuration Policy.


Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, navigate to Policy Catalog, select the Product as ePO Deep Command
1.5.0 and Category as AMT Configuration Policies, then click New Policy.

2 In the New Policy dialog box, perform these steps:
a Select McAfee Default, type a name for the configuration policy and any notes, then click OK.

b Select Allow ePO to enforce these settings, select Configure and Maintain, then select the Intel RCS server and
the profile to be used for the configuration.

c Save the policy.

3 In the System Tree, assign the policy to the required systems or group.

To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies &
Inheritance, select ePO Deep Command 1.5 as the product, select AMT Configuration Policies as the category,
select the modified configuration policy, select Break Inheritance, then save the policy assignment.

To assign the policy to a system group or to the entire My Organization group, select the group,
select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Configuration Policies,
select the modified configuration policy under Assigned policy, then save the policy assignment.

4 Enforce the policy using one of these methods:

Wait for the next agent-server communication or send an agent wake-up call.

From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,
Check New Policies, and Enforce Policies.

Click Actions | AMT Actions | Enforce AMT Firmware Configuration Policy.

On successful policy enforcement, the selected Intel AMT client systems are configured for use. To
verify, navigate to the System Properties page, click the Deep Command tab, and make sure that the Configuration
State is Post Configuration.
See also
Create a policy to configure Intel AMT clients on page 84
Enforce Intel AMT configuration policy on page 96

Unconfigure Intel AMT clients through ePolicy Orchestrator


You can unconfigure a managed Intel AMT client from the configuration policy or using the Unconfigure
action in the ePolicy Orchestrator console.
You can unconfigure a configured system, either Fully or Partially. A Full Unconfigure removes the
entire configuration (such as the security credentials, and operational network settings) and disables
the Intel AMT features on the system. A Partial Unconfigure retains the configuration data (like the
host name, domain name, PKI settings, PSK settings), but disables the Intel AMT features on the
system. The Intel AMT system can still communicate with the Intel SCS server.


Tasks

Unconfigure Intel AMT systems using policy on page 53


You can unconfigure your Intel AMT client systems from the ePolicy Orchestrator console
using the Intel AMT Configuration Policy.

Identify unconfigured systems on page 54


Create and execute a query, which retrieves unconfigured Intel AMT systems.

Clear AMT tag on page 54


Create a server task based on the query that identifies the unconfigured systems, and clear the
AMT tag from them.

Unconfigure Intel AMT systems using policy


You can unconfigure your Intel AMT client systems from the ePolicy Orchestrator console using the
Intel AMT Configuration Policy.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, navigate to Policy Catalog, select the Product as ePO Deep Command
1.5.0 and Category as AMT Configuration Policies, then click New Policy.

2 In the New Policy dialog box, perform these steps:
a Select McAfee Default, type a name for the unconfiguration policy and any notes, then click OK.

b Select Allow ePO to enforce these settings, select Unconfigure, then select the appropriate options:

Also remove the pre-shared keys or hash data of self-signed CA certificates configured on the client systems manually,
to remove the configuration completely.

Force unconfigure even if it is not configured by ePO, to unconfigure a system that was configured in a
non-ePolicy Orchestrator environment.

c Save the policy.

3 In the System Tree, assign the policy to the required systems or group.

To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies &
Inheritance, select ePO Deep Command 1.5 as the product, select AMT Configuration Policies as the category,
select the unconfiguration policy, select Break Inheritance, then save the policy assignment.

To assign the policy to a system group or to the entire My Organization group, select the group,
select ePO Deep Command 1.5 as the product, click Edit Assignment against the AMT Configuration Policies,
select the unconfiguration policy under Assigned policy, then save the policy assignment.

4 Enforce the policy using one of these methods:

Wait for the next agent-server communication or send an agent wake-up call.

From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,
Check New Policies, and Enforce Policies.

Click Actions | AMT Actions | Enforce AMT Firmware Configuration Policy.

On successful policy enforcement, the selected Intel AMT client is unconfigured. To verify, navigate to
the System Properties page, click the Deep Command tab, and make sure that the Configuration State is Pre
Configuration.
See also
Create a policy to unconfigure Intel AMT clients on page 84


Identify unconfigured systems


Create and execute a query, which retrieves unconfigured Intel AMT systems.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries & Reports, then select ePO Deep Command Reporting under Shared Groups.

2 From the queries list, select Intel AMT Configuration State, click Action | Duplicate, type a name for the
query, then save it.

3 Select the query created in the previous step, click Edit, then perform these steps:
a In the chart screen, select to display the result as Table, then click Next twice.

b In the filter screen, from Available Properties select Configuration State, select the comparison as Does not
equal and its value as Post Configuration.

4 Save the query, then execute it.

The query displays the list of Intel AMT systems that are unconfigured.

Clear AMT tag


Create a server task based on the query that identifies the unconfigured systems, and clear the AMT tag
from them.
Before you begin
Create a query to identify unconfigured systems.
Task
1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click New Task.
The Server Task Builder page appears.

2 Type a name for the task and a brief description (optional), enable the task, then click Next.

3 Select the action as Run Query, select the query you have created that returns the unconfigured
Intel AMT systems, select the sub-action as Clear Tag and the tag as AMT, then click Next.

4 Schedule the task, as required, then click Next.

5 Review the task summary, then save it.

6 From the server tasks list, select the task, then click Run from the actions.

The AMT tag is removed from the unconfigured Intel AMT systems.

Configure the Gateway server for Remote Access


The McAfee ePO Deep Command Gateway server acts as a proxy responsible for mediating
communication between the ePolicy Orchestrator server and the remotely managed Intel AMT
systems. It resides on the corporate DMZ server where the Agent Handler is installed.
The Remote Access feature allows Intel AMT technology platforms to initiate a secured connection to
a gateway server residing in the enterprise demilitarized zone (DMZ). To use Remote Access policies,
install ePO Deep Command Gateway on the DMZ server where the Agent Handler or the ePolicy
Orchestrator server is installed, then download, certify, install, and configure stunnel, which is an
open-source multi-platform program that acts as the SSL tunneling proxy between the ePolicy
Orchestrator server and your remote Intel AMT systems. For more information about stunnel and to
download it, access http://www.stunnel.org. For more information on Agent Handlers and how to
configure them, see the ePolicy Orchestrator Product Guide.
Make sure that LAN-based operations are successful and the Intel AMT systems are accessible from the
ePO Deep Command server.

Remote Access relies on these components:

The ePolicy Orchestrator server.

Intel AMT systems configured for remote connectivity (In some environments, these systems
are protected with a firewall. If the Intel AMT system initiates a connection to your server, you
can use this connection to administer it.)

ePO Deep Command Gateway server.

Ports: The ports to be used in the McAfee ePO Deep Command Gateway Services are
configurable based on your specific environmental requirements.
Port

Allows

Internettostunnel port

Stunnel to connect to the outside network (internet). For


example, port 2002.

Stunneltogateway (or Intel


AMT listen port)

Stunnel to connect to the Intel AMT platform. The default


port is 11111.

SOCKSv5 proxy listen port

Gateway server to receive the SOCKSv5 proxy connection


requests. The default port is 1080.

HTTP proxy listen port

Gateway server to receive the HTTP proxy connection


requests. Traffic addressed to Intel AMT platforms through
this port is forwarded to the SOCKSv5 port. The default port
is 8080.

McAfee ePO Deep Command 1.5.0

Product Guide

55

Installation and configuration


Configure the Gateway server for Remote Access

The remote Intel AMT system or user initiates a connection to the ePO Deep Command Gateway
server that acts as a proxy server. The connection is either initiated manually by the user in an
operating system level utility, or the preoperating system level with a key combination. The
connection can be scheduled to be initiated automatically according at a predetermined time.

Once the connection reaches the ePO Deep Command Gateway server, a secure encrypted tunnel is
established back to the Intel AMT system.

Your ePolicy Orchestrator server is notified of the incoming Remote Access request from the Intel
AMT system.

You can initiate any Intel AMT system command to the remote Intel AMT system.

Tasks

Install the ePO Deep Command Gateway server on page 56
To enable communication with the remotely managed Intel AMT system, install the ePO
Deep Command Gateway server on a server in your corporate DMZ where the Agent
Handler is installed.

Install stunnel on page 57
Install stunnel on the DMZ server where the Agent Handler or McAfee ePO server is
installed.

Generate the certificate for stunnel installation on page 57
The Server Authentication Certificate is required to use stunnel.

Sign the certificate using Certification Authority on page 58
Sign the generated certificate using OpenSSL. The CA used to sign the certificate should be
known to the Intel AMT system. Additionally, the root certificate for Remote Access needs
to be installed in the Intel Management Engine firmware, without which the Remote
Access tunnel can't be established.

Configure stunnel on page 59
You can configure stunnel to listen on port 81 (based on the port configuration in your
environment) for the incoming Remote Access requests and forward them to port 11111
(the default port you specify for the ePO Deep Command Gateway server to listen on during
installation).

Install stunnel as a Windows service on page 59
Install stunnel as a service on a 32- or 64-bit Windows operating system where ePO Deep
Command Gateway Server is installed.

Start the stunnel service on page 59
Start the stunnel service to start processing any CIRA requests.

Validate certificate on page 60
Verify that the certificate issued to the host name of your ePO Deep Command Gateway
server is correct. Perform these steps from a local system.

See also
Create a Remote Access policy on page 88

Install the ePO Deep Command Gateway server

To enable communication with the remotely managed Intel AMT system, install the ePO Deep
Command Gateway server on a server in your corporate DMZ where the Agent Handler is installed.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.
2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.
3 Select McAfee ePO Deep Command 1.5 from the products list, select McAfee ePO Deep Command Gateway Server,
then click Download.
4 Extract the package contents to a temporary location on your server in the DMZ where the Agent
Handler is installed.
5 Double-click the SetupAGS.exe file, then in the Welcome screen click Next.
6 Select the license type and accept the license agreement, then click OK.
The Destination Folder screen displays a default folder where the software installation files are
copied.
7 Click Change to specify a folder, or Next to copy them to the default location.
You can use the default port 11111 on this screen. If you change the port, the stunnel configuration
must be changed accordingly.
8 Click Next | Finish.

Install stunnel
Install stunnel on the DMZ server where the Agent Handler or McAfee ePO server is installed.
Before you begin
ePO Deep Command Gateway must be installed on this DMZ server.

Task
For option definitions, click ? in the interface.
1 Go to http://www.stunnel.org/, then download the stunnel software package to a temporary
location on the server system where the Agent Handler or ePolicy Orchestrator is installed in the
DMZ.
2 Double-click stunnel-<version>-installer.exe and follow the instructions.
Stunnel is installed in C:\Program Files.

Generate the certificate for stunnel installation

The Server Authentication Certificate is required to use stunnel.
Before you begin
OpenSSL generates stunnel certificates and requires a one-time setup. The steps that
follow provide an example of the process used to generate the certificate. For complete
instructions on generating certificates, go to http://www.stunnel.org/?page=howto and see
Generating the stunnel certificate and private key (pem).
You can generate certificates on another system to avoid copying various certification
dependent software, executables, or binaries on the DMZ.

When you generate stunnel certificates, follow these guidelines:

The private key size must not exceed 2048.

Don't include an email address.

Make sure that you enter the fully qualified domain name of the ePO Deep Command Gateway
server.

Make sure that the Web Server template is used when the certificate request is submitted for
signing by the CA.

Task
For option definitions, click ? in the interface.
1 Go to http://www.slproweb.com/products/Win32OpenSSL.html.
2 Download and install the Microsoft Visual C++ 2008 Redistributable Package (required for the OpenSSL
installation).
3 Download and install the latest OpenSSL for Win32 (select C:\OpenSSL-Win32 as the
destination location).
4 Copy the OpenSSL DLLs to the OpenSSL binaries (/bin) directory during the installation process.
5 After the installation is complete, copy openssl.cnf to the C:\OpenSSL-Win32\bin directory.
6 From the command prompt, go to C:\OpenSSL-Win32\bin and run this command:

openssl req -new -config openssl.cnf -newkey rsa:1024 -nodes -keyout cira.key -out cira.csr

This command creates a private key (cira.key) and a certificate signing request (cira.csr).
7 When prompted, specify these values:

Country name as US

State as California

Location as Santa Clara

Organization name as McAfee

Don't provide your email address. However, it is mandatory to provide the host name of the system
when generating the request for the key.

Sign the certificate using Certification Authority

Sign the generated certificate using OpenSSL. The CA used to sign the certificate should be known to
the Intel AMT system. Additionally, the root certificate for Remote Access needs to be installed in the
Intel Management Engine firmware, without which the Remote Access tunnel can't be established.
Task
For option definitions, click ? in the interface.
1 Use a web browser to access the CA server. The CA server URL must include the server's FQDN
followed by /certsrv. For example, http://<Server FQDN>/certsrv.
2 Log on to the CA server as a domain administrator, then click Request a Certificate | Advanced Certificate Request.
3 Click Submit a Certificate request by using a base64 encoded file.
4 Select Web Server from the Certificate Template drop-down list. Copy the contents of the file
C:\OpenSSL-Win32\bin\cira.csr into the text box Base64-encoded certificate request, then click
Submit.
You can open C:\OpenSSL-Win32\bin\cira.csr in a text editor such as Notepad or WordPad.
5 Select Base 64 Encoded and Download Certificate, then save to C:\Program Files\stunnel as cira.pem.
This is the signed public certificate that stunnel uses.

Configure stunnel
You can configure stunnel to listen on port 81 (based on the port configuration in your environment) for
the incoming Remote Access requests and forward them to port 11111 (the default port you specify for the
ePO Deep Command Gateway server to listen on during installation).
Task
For option definitions, click ? in the interface.
1 Copy the cira.key (private key), which was created by the openssl command, to the folder
C:\Program Files\stunnel.
2 Save the CA Root Certificate file to the folder C:\Program Files\stunnel as ca.cer.
3 Open the stunnel configuration file at C:\Program Files\stunnel\stunnel.conf and add this
content:
cert = C:\Program Files\stunnel\cira.pem
key = C:\Program Files\stunnel\cira.key
CAfile = C:\Program Files\stunnel\ca.cer
[ciraamt]
accept = 81
connect = 11111

The "ciraamt" section configures stunnel to listen on port 81 for incoming Remote Access requests
and forward them to port 11111, which is the default port where the ePO Deep Command Gateway
Server is listening (this port was set during the installation of the ePO Deep Command
Gateway server).
Rules must be enabled to allow inbound connections to the port on which stunnel accepts Remote
Access requests. In this case, inbound connections must be allowed to port 81.

Install stunnel as a Windows service

Install stunnel as a service on a 32- or 64-bit Windows operating system where ePO Deep Command
Gateway Server is installed.

In a 32-bit operating system, access the command prompt, then run these commands:
cd C:\Program Files\stunnel
stunnel.exe -install

Start the stunnel service

Start the stunnel service to start processing any CIRA requests.

From the command prompt, run these commands:
cd C:\Program Files\stunnel
stunnel.exe stunnel.conf

Validate certificate
Verify that the certificate issued to the host name of your ePO Deep Command Gateway server is
correct. Perform these steps from a local system.
Task
1 Using Mozilla Firefox, go to https://<FQDN of the ePO Deep Command Gateway server>:81 (or
the port you have configured stunnel.conf to listen on).
2 View the certificate installed on the site.
It must be issued to the host name of the ePO Deep Command Gateway server by a CA
that is known to the Intel AMT system.
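The stunnel configuration from the Configure stunnel task and the checks in the Validate certificate task, automated as an added example that is not part of this guide or of the product. It assumes the host name gateway.example.com and the CA name Example Corp Issuing CA (both hypothetical), the port values shown above, and only the Python standard library; fetch_gateway_cert performs the same TLS check that the Firefox step does by hand.

```python
import socket
import ssl
import time

# Constructed sample mirroring the stunnel.conf from the "Configure stunnel" task (not a real deployment).
SAMPLE_CONF = """\
cert = C:\\Program Files\\stunnel\\cira.pem
key = C:\\Program Files\\stunnel\\cira.key
CAfile = C:\\Program Files\\stunnel\\ca.cer
[ciraamt]
accept = 81
connect = 11111
"""

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert(); the names are hypothetical.
SAMPLE_CERT = {
    "subject": ((("commonName", "gateway.example.com"),),),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "gateway.example.com"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def parse_stunnel_conf(text):
    """Parse stunnel.conf (global options precede the first [section], so configparser is not usable)."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def _port(value):
    """Extract the port from an accept/connect value such as '81' or '127.0.0.1:11111'."""
    return int(value.rsplit(":", 1)[-1]) if value else 0

def check_stunnel_conf(text, gateway_port=11111, allowed_inbound=(81,)):
    """Return findings against the guide's rules: gateway_port is the port chosen at Gateway server
    install time, allowed_inbound the ports with inbound firewall rules. An empty list means it matches."""
    conf = parse_stunnel_conf(text)
    findings = []
    for opt in ("cert", "key", "CAfile"):  # certificate, private key and CA root used by stunnel
        if opt not in conf["global"]:
            findings.append(f"global option '{opt}' is missing")
    services = [name for name in conf if name != "global"]
    if not services:
        findings.append("no [service] section forwards Remote Access requests")
    for name in services:
        accept = _port(conf[name].get("accept", ""))
        connect = _port(conf[name].get("connect", ""))
        if connect != gateway_port:
            findings.append(f"[{name}] connect={connect} but the Gateway server listens on {gateway_port}")
        if accept not in allowed_inbound:
            findings.append(f"[{name}] accept={accept} has no inbound rule (allowed: {sorted(allowed_inbound)})")
    return findings

def _cn(name):
    """Return the commonName from a getpeercert()-style subject or issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def check_gateway_cert(cert, gateway_fqdn, known_ca_cns, now=None):
    """Apply the 'Validate certificate' rules: issued to the gateway host name, by a CA that the
    Intel AMT firmware knows, and not expired. 'now' is an epoch timestamp (default: current time)."""
    findings = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    subject_cn = _cn(cert.get("subject", ()))
    if subject_cn:
        names.append(subject_cn)
    if gateway_fqdn.lower() not in {n.lower() for n in names}:
        findings.append(f"certificate is issued to {names or 'no host name'}, not to {gateway_fqdn}")
    issuer = _cn(cert.get("issuer", ()))
    if issuer not in known_ca_cns:
        findings.append(f"issuer '{issuer}' is not a CA known to the Intel AMT systems")
    if any(k == "emailAddress" for rdn in cert.get("subject", ()) for k, _ in rdn):
        findings.append("subject contains an email address, which the certificate guidelines forbid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < (now if now is not None else time.time()):
        findings.append(f"certificate expired on {cert['notAfter']}")
    return findings

def fetch_gateway_cert(gateway_fqdn, port, cafile):
    """Connect to the stunnel listener, as the Firefox step does, verifying the chain against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((gateway_fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=gateway_fqdn) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys  # usage: script.py <gateway FQDN> <stunnel port> <ca.cer path> <CA common name>
    fqdn, port, cafile, ca_cn = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    for finding in check_gateway_cert(fetch_gateway_cert(fqdn, port, cafile), fqdn, {ca_cn}):
        print("FAIL:", finding)
```

Chain verification in fetch_gateway_cert follows the local OpenSSL security policy, and recent builds reject RSA keys shorter than 2048 bits, so a 1024-bit key generated with the command above may be refused by this check even though the guide's Firefox step of the time accepted it.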

Uninstall the software

To uninstall ePO Deep Command, you must remove ePO Deep Command from the Intel AMT systems
and remove the ePO Deep Command extensions from ePolicy Orchestrator.
Tasks

Uninstall the ePO Deep Command client on page 60
Create a client task to remove the ePO Deep Command Management Framework client,
then assign it to the Intel AMT systems from which the plug-in needs to be removed.

Uninstall the Discovery and Reporting plug-in on page 61
Create a client task to remove the ePO Deep Command Discovery and Reporting plug-in,
and assign it to the Intel AMT systems from which the plug-in needs to be removed.

Uninstall the RCS Management plug-in on page 61
Create a client task to remove the ePO Deep Command RCS Management plug-in, and
assign it to the Intel RCS servers from which the plug-in needs to be removed.

Remove the ePO Deep Command extensions on page 62
You can remove the ePO Deep Command extension from ePolicy Orchestrator using the
Software Manager.

Uninstall the ePO Deep Command client

Create a client task to remove the ePO Deep Command Management Framework client, then assign it
to the Intel AMT systems from which the plug-in needs to be removed.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment
under McAfee Agent.
2 Click New Task and select Product Deployment to open the Client Task Catalog: New Task page.
3 Type a name for the task and any notes, then select appropriate Target Platforms.
4 In Products and components, select McAfee ePO Deep Command Client 1.5.0.xxx, select Action as Remove, select the
language, then click Save.
5 Click Save and exit the New Task page.
6 In the Client Task Catalog, under the Actions column of your new product deployment task, click
Assign and select the systems or groups where you want to remove the ePO Deep Command
Management Framework client, then click OK.
7 Click Next to schedule the task as required, click Next again, then click Save.

Uninstall the Discovery and Reporting plug-in

Create a client task to remove the ePO Deep Command Discovery and Reporting plug-in, and assign it
to the Intel AMT systems from which the plug-in needs to be removed.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment
under McAfee Agent.
2 Click New Task and select Product Deployment to open the Client Task Catalog: New Task page.
3 Type a name for the task and any notes, then select appropriate Target Platforms.
4 In Products and components, select McAfee ePO Deep Command Discovery Plugin 1.5.0.xxx, select Action as Remove,
select the language, then click Save.
5 Click Save and exit the New Task page.
6 In the Client Task Catalog, under the Actions column of your new product deployment task, click
Assign and select the systems or groups where you want to remove the ePO Deep Command
Discovery and Reporting plug-in, then click OK.
7 Click Next to schedule the task as required, click Next again, then click Save.

Uninstall the RCS Management plug-in

Create a client task to remove the ePO Deep Command RCS Management plug-in, and assign it to the
Intel RCS servers from which the plug-in needs to be removed.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment
under McAfee Agent.
2 Click New Task and select Product Deployment to open the Client Task Catalog: New Task page.
3 Type a name for the task and any notes, then select appropriate Target Platforms.
4 In Products and components, select McAfee ePO Deep Command RCS 8.0 Manager 1.5.0.xxx, select Action as Remove,
select the language, then click Save.
5 Click Save and exit the New Task page.
6 In the Client Task Catalog, in the Actions column of your new product deployment task, click Assign
and select the systems or groups where you want to remove the ePO Deep Command RCS
Management plug-in, then click OK.
7 Click Next to schedule the task as required, click Next again, then click Save.

Remove the ePO Deep Command extensions

You can remove the ePO Deep Command extension from ePolicy Orchestrator using the Software
Manager.
You can also remove the extension by navigating to the Extensions page, clicking Remove for the
corresponding ePO Deep Command extension, then clicking OK.

Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.
2 On the Software Manager page, under Product Categories, click Checked In Software | Licensed.
3 Select McAfee ePO Deep Command from the products list, then click Remove against the extension to be
removed. Be sure to perform this step for each of the ePO Deep Command extensions checked into
your server.
4 In the Remove Software Summary page, click OK.

Reporting on your Intel AMT systems

With McAfee ePO Deep Command Reporting and Discovery software, you can quickly determine the
status of the Intel AMT systems in your network. The predefined queries and dashboards provide you
with out-of-the-box functionality, since they are added to your ePolicy Orchestrator server when the
software is installed.
These queries can be configured to display results in charts or tables, which can also be used as
dashboard monitors. Query results can be exported to several formats, any of which can be
downloaded or sent as an attachment to an email message.
You can create additional, custom queries using the Query Builder wizard, which is available in the
ePolicy Orchestrator server. For details on how to perform this task, see the ePolicy Orchestrator
product documentation for versions 4.6 or later.
Contents
Queries and reports
Dashboards and monitors

Queries and reports


You can create queries on Intel AMT information stored in the database, or use predefined ePO Deep
Command queries.

Predefined ePO Deep Command reporting queries

When the ePO Deep Command Discovery and Reporting software is installed on your ePolicy
Orchestrator server, these predefined queries are added to the ePO Deep Command Reporting group.

Query: Description

CILA Supported: Displays a pie chart of detected client systems supporting Local Access, also
known as CILA or Fast Call For Help.

ePO Deep Command Detection Coverage: Displays a pie chart of the deployment status of the ePO
Deep Command plug-in.

IDE Redirect Supported and Enabled: Displays a pie chart of detected systems that have IDE-Redirect
supported and enabled.

Intel AMT Configuration Mode: Displays a pie chart of different Intel AMT configuration modes for
all detected systems supporting Intel AMT.
  Enterprise: This mode requires a configuration service to configure the systems remotely.
  None: This configuration status means that no specific mode is selected.

Intel AMT Configuration State: Displays a pie chart of different Intel AMT configuration states for
all detected systems supporting Intel AMT.
  In (In-configuration): These systems are in a partially configured state with initial information.
  Post (Post-configuration): These systems are in a fully configured state with security settings,
  certificates and settings that activate Intel AMT capabilities.
  Pre (Pre-configuration): These systems have factory default settings and don't have any Intel AMT
  configuration defined.

Intel AMT Supported: Displays a pie chart of managed systems supporting Intel AMT.

Intel AMT Version: Displays a column chart of detected Intel AMT versions.

KVM Supported and Enabled: Displays a pie chart of detected systems which have Keyboard, Video
display unit and Mouse (KVM) supported and enabled.
  The KVM might not work on a platform with discrete graphics even if it's supported and enabled.
  The Intel AMT KVM only operates with Intel Integrated Graphics.

SOL Supported and Enabled: Displays a pie chart of detected systems which have Serial-Over-LAN
(SOL) supported and enabled.

Systems with AMT Tag: Displays a summary table of managed systems which have the AMT tag
applied to them.

Systems without Intel MEI Driver: Displays a pie chart showing the number of managed systems
that support Intel AMT without the Intel MEI driver installed on them.

Web UI Enabled Systems: Displays a pie chart of the number of managed systems that have the Intel
AMT web user interface enabled.

Predefined ePO Deep Command RCS Management queries

When the ePO Deep Command RCS manager software is installed on your ePolicy Orchestrator server,
these predefined queries are added to the ePO Deep Command Management group.

Query: Description

Managed Intel AMT Systems by RCS Server: Displays a pie chart of ePO-managed Intel AMT systems
organized by the Intel RCS servers used to configure them. Details include Configuration Profiles
and Configuration State.

Managed Intel RCS Servers: Displays a table of ePO-managed Intel RCS servers. Details include
Configuration Profiles, Digest Master Password State, and Network Timeout.

Predefined ePO Deep Command management queries

When the ePO Deep Command Management Framework software is installed on your ePolicy
Orchestrator server, these predefined queries are added to the ePO Deep Command Management
group.

Query: Description

ePO Deep Command Policy Settings Report: Displays the ePO Deep Command Policy Settings for
managed systems that have the AMT tag applied to them.

Intel AMT CILA/CIRA Events and KVM Details over Time: Displays a histogram of the CILA/CIRA
events over time. From this report, you can click an entry for specific information on an event such
as event type, configuration state, and KVM properties. If caller identification is enabled, you can
see additional events of CILA_User/CIRA_User.

Intel AMT Configuration Events by Event type: Displays the number of configuration events for each
Intel AMT Configuration State (Pre, In, Post) for all detected systems supporting Intel AMT.

Intel AMT Configuration State and Profile: Displays the numbers in Intel AMT Configuration States
(Pre, In, Post) for all detected systems supporting Intel AMT. From this report, you can click an entry
for specific information on a configuration state such as the profile used.

Intel AMT Configuration State by Domain Breakdown: Displays the numbers in Intel AMT
Configuration States (Pre, In, Post) for all detected systems supporting Intel AMT by their domains.

Local Fast Call For Help Events (CILA): Displays a summary table of local Fast Call For Help events
generated by managed systems supporting Intel AMT.

Remote Fast Call For Help Events (CIRA): Displays a summary table of Remote Fast Call For Help
events generated by managed systems supporting Intel AMT.

View default queries

Run the predefined queries to generate reports based on ePO Deep Command components.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Queries & Reports.
2 From Shared Groups in the Groups pane, select ePO Deep Command Reporting, ePO Deep Command Management or
ePO Deep Command RCS Management, as needed.
The queries for the selected group appear.
3 Select a query from the Queries list, then click Run. In the query result page, click any item in the
results to drill down further.
4 Click Close when finished.

Custom query filters

You can create custom queries with ePO Deep Command-specific filters to retrieve information on your
client systems.
You'll see these filters only on queries that return information about managed systems.

Filters listed by group (Filter: Filters the results based on...)

Group: McAfee ePO Deep Command Client Properties
Hotfix/Patch Version (McAfee ePO Deep Command Client): The patch version of the McAfee ePO Deep
Command Management Framework software installed on Intel AMT client systems.
Language (McAfee ePO Deep Command Client): The localized language of the McAfee ePO Deep
Command Management Framework software installed on Intel AMT client systems. For now, the
McAfee ePO Deep Command Client is available only in English.
Product Version (McAfee ePO Deep Command Client): The version of the McAfee ePO Deep Command
Management Framework software installed on Intel AMT client systems.
Service Pack (McAfee ePO Deep Command Client): The version of the Service Pack installed on Intel
AMT client systems.

Group: McAfee ePO Deep Command Detection Plugin Properties
Product Version (McAfee ePO Deep Command Detection Plugin): The version of the McAfee ePO Deep
Command Discovery and Reporting software installed on Intel AMT client systems.

Group: McAfee ePO Deep Command RCS Manager Plugin Properties
Language (McAfee ePO Deep Command RCS Manager Plugin): The localized language of the McAfee
ePO Deep Command RCS Manager software installed on managed Intel RCS servers. For now, the
McAfee ePO Deep Command RCS Manager software is available only in English.
Product Version (McAfee ePO Deep Command RCS Manager plugin): The version of the McAfee ePO
Deep Command RCS Manager software on managed Intel RCS servers.

Group: Intel AMT
Alarm Enabled: Whether the ePO Deep Command AMT policy has been scheduled to power on Intel
AMT client systems.
BIOS Release Date: The release date of the BIOS running on Intel AMT client systems.
BIOS Version: The version number of the BIOS running on Intel AMT client systems.
CILA: Whether the Client-Initiated Local Access (CILA), also known as Fast Call for Help, feature is
supported and enabled on Intel AMT client systems.
CILA Agent Handler: The FQDN of the Agent Handler assigned by the ePO Deep Command Remote
Access policy to handle CILA requests generated by Intel AMT client systems.
CILA Enabled: Whether ePO Deep Command Remote Access is enabled and enforced CILA on Intel
AMT client systems.
CIRA Agent Handler: The FQDN of the DMZ Agent Handler assigned by the ePO Deep Command
Remote Access policy to handle CIRA requests generated by Intel AMT client systems.
CIRA Enabled: Whether the ePO Deep Command Remote Access policy has enabled and enforced
Client-Initiated Remote Access (CIRA) on Intel AMT client systems.
Configuration Mode: The Configuration Mode used to configure Intel AMT client systems.
Configuration Mode (TLS): The TLS configuration mode of Intel AMT client systems.
Configuration State: The configuration state of Intel AMT client systems.
DHCP Enabled: Whether DHCP is enabled on Intel AMT client systems.
Endpoint Access Control Enabled: Whether Intel Endpoint Access Control is enabled to check for
Intel AMT Network Policy Compliance on client systems.
Firmware Update Enabled: Whether the Firmware Update feature is enabled in the BIOS of Intel AMT
client systems.
Firmware Version: The version number of the Firmware running on Intel AMT client systems.
Hardware Crypto Enabled: Whether the Intel AMT hardware crypto engine feature is enabled on Intel
AMT client systems (if disabled, Transport Layer Security doesn't work).
IDE Redirection (IDER): Whether the IDER feature is supported and enabled on Intel AMT client
systems.
Intel AMT DNS Name: The full Domain Name System name stored in the Intel AMT firmware on Intel
AMT client systems.
Intel AMT Fully Configured: Whether the Intel AMT hardware is fully configured.
Intel AMT Supported: Whether the systems are equipped with Intel AMT hardware.
Intel AMT Version: The version number of the Intel AMT hardware present on systems.
Intel AMT Anti-Theft Supported: Whether the systems support Intel Anti-Theft technology.
Intel MEI Enabled: Whether the MEI driver is present and turned on.
Intel MEI Version: The version number of the MEI driver running on Intel AMT client systems.
Intel vPro System: Whether the target systems are Intel vPro systems.
KVM: Whether the KVM (Keyboard, Video and Mouse switch) feature is supported on Intel AMT client
systems.
Last Error Message: The error description for the error that occurred if the last AMT action failed.
Last IDER Session Start/End Time: The time when the last IDER session was initiated or stopped.
Last IDER Session Status: Whether the status of the last IDER Session was active.
Last Power On Success: Whether the last attempt to power systems on through the alarm clock AMT
action was successful.
Last Power On Time: The time this system was powered on last through the alarm clock AMT action.
Last SOL Session Start/End Time: The time when the last SOL session was initiated or stopped.
Last SOL Session Status: Whether the status of the last SOL Session was active.
Manageability Level: The manageability level of Intel AMT client systems.
Mobile System (Laptop): Whether Intel AMT client systems are laptops.
Network Interface Enabled: Whether the network interface is enabled on Intel AMT client systems.
Policy Enforced: Whether the ePO Deep Command AMT policy is enforced on client systems.
Policy Enforcement Time: The last enforcement time for the ePO Deep Command AMT policy on
client systems.
Remote Configuration Enabled: Whether the Intel AMT client systems can be configured remotely.
Remote Configuration Server: The FQDN of the Intel RCS server used for configuring Intel AMT client
systems.
Remote Configuration Server IP Address: The IP Address of the Intel RCS server used for configuring
Intel AMT client systems.
Serial-over-LAN (SOL): Whether the SOL feature is supported and enabled on Intel AMT client
systems.
System Manufacturer: The manufacturer of the client systems.
System Model: The model number of the client systems.
System Serial Number: The serial number of the client systems.
TLS: Whether Intel AMT client systems are in Configured State with TLS enabled (required to
configure and manage Intel AMT clients through ePO Deep Command).
UUID: The ID of the Intel AMT client systems' hardware.
Web UI Enabled: Whether the Intel AMT Web interface was enabled on the client systems during the
configuration.
Wired IPv4 Address: The IPv4 address of the Intel AMT client systems' physical network connection.
Wired Link Status: Whether the Intel AMT client systems' physical network connection is functioning.
Wired MAC Address: The MAC address of the Intel AMT client systems' physical network connection.
Wireless IPv4 Address: The IPv4 address of the Intel AMT client systems' wireless network
connection.
Wireless Link Status: Whether the Intel AMT client systems' wireless network connection is
functioning.
Wireless MAC Address: The MAC address of the Intel AMT client systems' wireless network
connection.

Group: Intel AMT Management
RCS Profile: The configuration profile used in configuring the Intel AMT client systems.
RCS Server: The Intel RCS server used in configuring the Intel AMT client systems.

Group: Intel RCS Management
Digest Master Password State: Whether the RCS Server is configured to use a Digest Master
Password within an RCS Profile.
Network Timeout (seconds): The time set for which the RCS tries to establish a connection.
RCS Profiles: Filters the configuration profiles configured on the Intel RCS server.

Properties collected by the Discovery and Reporting plug-in


The ePO Deep Command Discovery and Reporting plugin collects properties from the managed
systems where it is installed. The properties that are reported depend on whether the system is an
Intel AMT system, and whether or not the Intel MEI driver is installed.
Make sure that the Send full product properties in addition to system properties option has been selected in the
McAfee Agent policy configuration for the Intel AMT client. If this option has not been selected, the
System Details page for the client displays no data on the Deep Command tab.

Property: Description (the table also indicates, for each property, whether it is reported with the Intel MEI driver installed, without the Intel MEI driver installed, and on non-Intel AMT systems)

Alarm Enabled: Reports whether the ePO Deep Command AMT policy has set the alarm clock in the Intel AMT firmware.

BIOS Release Date: Reports the release date of the BIOS running on this system using the MM/DD/YY format.

BIOS Version: Reports the version number of the BIOS running on this system.

CILA: Reports whether the Client-Initiated Local Access (CILA) feature, also known as Fast Call for Help, is supported and enabled on this system. This property value is reported as:
  No
  Not Available
  Yes

CILA Agent Handler: Reports the FQDN of the Agent Handler assigned by the ePO Deep Command Remote Access policy to handle CILA requests generated by this system. This property value is reported as:
  FQDN of Agent Handler
  Not Available

CILA Enabled: Reports whether the ePO Deep Command Remote Access policy has enabled and enforced CILA on this system. This property value is reported as:
  No
  Not Available
  Yes

CIRA Enabled: Reports whether the ePO Deep Command Remote Access policy has enabled and enforced Client-Initiated Remote Access (CIRA), also known as Fast Call for Help, on this system. This property value is reported as:
  No
  Not Available
  Yes

CIRA Agent Handler: Reports the FQDN of the DMZ Agent Handler assigned by the ePO Deep Command Remote Access policy to handle CIRA requests generated by this system. This property value is reported as:
  <FQDN> of DMZ Agent Handler
  Not Available

DHCP Enabled: Reports whether DHCP is enabled on this system. This property value is reported as Yes or No.

Endpoint Access Control Enabled: Indicates whether Intel Endpoint Access Control is enabled to check for Intel AMT Network Policy Compliance.

Firmware Update Enabled: Reports whether the Firmware Update feature is enabled in the BIOS of this system. This property value is reported as Yes or No.

Firmware Version: Reports the version number of the firmware running on this system.

Hardware Crypto Enabled: Reports whether the Intel AMT hardware crypto engine feature is enabled on this system. This property value is reported as Yes or No.

IDE Redirection (IDER): Reports whether the IDER feature is supported and enabled on this system. This property value is reported as:
  Not Available
  Supported
  Supported and Enabled
  Supported and Enabled in BIOS only

Intel AMT DNS Name: Reports the full Domain Name System name stored in the Intel AMT firmware on this system. For example, C1amtepo.epoqa.in.

Intel AMT Fully Configured: Reports whether the Intel AMT hardware is fully configured. This property value is reported as Yes or No.

Intel AMT Supported: Reports whether this system is equipped with Intel AMT hardware. This property value is reported as Yes or No.

Intel Anti-Theft Supported: Reports whether this system supports Intel Anti-Theft technology. This property value is reported as Yes or No.

Intel AMT Version: Reports the version number of the Intel AMT hardware present on this system. For example, 6.1.20.

Intel MEI Enabled: Reports whether the MEI driver is present and turned on. This property value is reported as Yes or No.

Intel MEI Version: Reports the version number of the MEI driver running on this system. For example, 6.0.0.1111.

Intel vPro System: Reports whether the target system is an Intel AMT system. This property value is reported as Yes or No.

KVM: Reports whether the KVM (Keyboard, Video and Mouse switch) feature is supported on this system. This property value is reported as:
  Not Available
  Supported
  Supported and Enabled
  Supported and Enabled in BIOS only
This feature is required for using the McAfee KVM viewer. The Intel AMT KVM only operates with Intel Integrated Graphics; it doesn't work on a platform with discrete graphics even if the feature is listed as Supported and Enabled.

Last Error Message: Displays the error description for the error that occurred if the last AMT Action failed.

Last IDER Session Start/End Time: Reports the time when the last IDER session was initiated or stopped. For example, MM/DD/YY 12:00 PM.

Last IDER Session Status: Reports whether the last IDER session was active. This property value is reported as Yes or No.

Last Power On Success: Reports whether the last attempt to power this system on using an Intel AMT action was successful. This property value is reported as:
  Not Available
  Yes

Last Power On Time: Reports the last time this system was powered on as the result of an Intel AMT action. For example, MM/DD/YY 12:00 PM.

Last SOL Session Start/End Time: Reports the time when the last SOL session was initiated or stopped. For example, MM/DD/YY 12:00 PM.

Last SOL Session Status: Reports whether the last SOL session was active. This property value is reported as Yes or No.

Manageability Level: Reports the manageability level for this system. These levels are reported as:
  Full: Intel AMT is supported
  None: Intel AMT is not supported
  Not Available: non-Intel AMT hardware
  Standard: Intel AMT is partially enabled

Mobile System (Laptop): Reports whether this system is a laptop. This property value is reported as Yes or No.

Network Interface Enabled: Reports whether the network interface is enabled on this system. This property value is reported as Yes or No.

Policy Enforced: Reports whether the ePO Deep Command AMT policy is enforced on this system. This property value is reported as Yes or No.

Policy Enforcement Time: Displays the last enforcement time for the ePO Deep Command AMT policy on this system. For example, MM/DD/YY 12:00 PM.

Configuration Mode: Reports the configuration mode of this system:
  Enterprise mode: Enterprise configuration mode

Configuration Mode (TLS): Reports the TLS configuration mode of this system:
  PKI: Public Key Infrastructure protocol
  PSK: Pre-shared Key based TLS protocol

Configuration State: Reports the configuration state for this system:
  In-configuration: The system is being configured.
  Post-configuration: The system has been configured.
  Pre-configuration: The system is unconfigured.

Remote Configuration Enabled: Reports whether this system can be configured remotely. This property value is reported as Yes or No.

Remote Configuration Server: Reports the fully qualified domain name of the configuration server during the configuration. For example, sccm.amtepo.epoqa.in.

Remote Configuration Server IP Address: Reports the IP address of the configuration server during the configuration. For example, 172.12.000.123.

Reported Local Alarm Clock Time: Displays the alarm clock time set in the Intel AMT firmware during the ePO Deep Command Alarm Clock policy enforcement, or displays Not available when no alarm is set.

Serial-over-LAN (SOL): Reports whether the SOL feature is supported and enabled on this system. This property value is reported as:
  Not Available
  Supported
  Supported and Enabled
  Supported and Enabled in BIOS only

System Model: Reports this system's model. For example, Dell OptiPlex 755.

System Manufacturer: Reports this system's manufacturer name. For example, Dell Inc.

System Serial Number: Reports the serial number of this system. For example, 0ABC8BA.

Transport Layer Security (TLS): Reports whether this system is in the Post Configured state with TLS enabled. This property value is reported as:
  Not Available
  Supported
  Supported and Enabled
  Supported and Enabled in BIOS only
This feature must be supported and enabled for ePO Deep Command.

UUID: Reports the ID for this system's hardware. For example, 4C4C4D44004A4A108048C4C44F384253.

Web UI Enabled: Reports whether the Intel AMT Web interface is enabled on this system (during the configuration). This property value is reported as Yes or No.

Wired IPv4 Address: Reports the IPv4 address received over this system's physical network connection. For example, 172.12.000.123.

Wired Link Status: Reports whether this system's physical network connection is functioning. This property value is reported as Up or Down.

Wired MAC Address: Reports the MAC address received over this system's physical network connection. For example, 781bcb8cf20a.

Wireless IPv4 Address: Reports the IPv4 address received over this system's wireless network connection. For example, 172.12.000.123.

Wireless Link Status: Reports whether this system's wireless network connection is functioning. This property value is reported as Up or Down.

Wireless MAC Address: Reports the MAC address received over this system's wireless network connection. For example, 781bcb8cf20a.

About the Intel MEI driver

The Intel Management Engine Interface (MEI) driver is the Intel AMT subsystem used by the client
operating system to access Intel AMT capabilities.
When this driver (also known as the HECI or Host Embedded Controller Interface driver) is installed on
the Intel AMT system, the ePO Deep Command Discovery and Reporting plug-in is able to report a
more complete set of system details. The MEI driver is bidirectional, allowing either the host (OS) or the
Intel AMT firmware to initiate transactions.
If this driver is missing on an Intel AMT client, Device Manager indicates a missing driver for the
PCI Simple Communications interface. On Intel AMT version 6.x and later, the driver can be
installed from Microsoft Windows Update. To obtain the latest Intel MEI driver for your client
system, contact the manufacturer.
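As an added example that is not part of the McAfee guide or product, the following Python script applies the conditions this section states to the property values shown on a system's Deep Command tab: properties are incomplete without the Intel MEI driver, AMT actions need the Post-configuration state and Enterprise mode, TLS must be Supported and Enabled, and KVM, SOL and IDER sessions each need Supported and Enabled (with the KVM integrated-graphics caveat left as a manual check, since the plug-in reports no graphics property). The property names and values follow the table above; the sample records and the way the rules are encoded are constructed assumptions, not the product's own logic.

```python
from dataclasses import dataclass, field

# A feature is usable for a remote session only in this state; "Supported" alone
# or "Supported and Enabled in BIOS only" is not enough (see the table above).
USABLE = "Supported and Enabled"


@dataclass
class Readiness:
    amt_actions: bool            # Enforce AMT Policies / power control possible
    kvm: bool                    # McAfee KVM viewer session possible (graphics caveat applies)
    sol: bool                    # Serial-over-LAN session possible
    ider: bool                   # IDE redirection session possible
    blockers: list = field(default_factory=list)


def assess(props):
    """Return the Readiness of one system from its Deep Command tab properties."""
    blockers = []
    if props.get("Intel AMT Supported") != "Yes":
        blockers.append("no Intel AMT hardware reported")
    if props.get("Intel MEI Enabled") != "Yes":
        blockers.append("Intel MEI driver missing: AMT and BIOS properties incomplete")
    state = props.get("Configuration State", "Not Available")
    if state != "Post-configuration":
        blockers.append("configuration state is " + state)
    if props.get("Configuration Mode") != "Enterprise mode":
        blockers.append("not in Enterprise mode (the only mode ePO Deep Command supports)")
    if props.get("Transport Layer Security (TLS)") != USABLE:
        blockers.append("TLS is not Supported and Enabled")
    ok = not blockers

    def usable(name):
        return ok and props.get(name) == USABLE

    return Readiness(
        amt_actions=ok,
        kvm=usable("KVM"),
        sol=usable("Serial-over-LAN (SOL)"),
        ider=usable("IDE Redirection (IDER)"),
        blockers=blockers,
    )


def summarize(systems):
    """Counts in the spirit of the dashboard monitors: how many systems are
    ready for each kind of action, and how many are blocked for each reason."""
    counts = {"total": len(systems), "amt_actions": 0, "kvm": 0, "sol": 0, "ider": 0}
    reasons = {}
    for props in systems:
        r = assess(props)
        for key in ("amt_actions", "kvm", "sol", "ider"):
            counts[key] += int(getattr(r, key))
        for b in r.blockers:
            reasons[b] = reasons.get(b, 0) + 1
    return counts, reasons


# Constructed sample property sets (values shaped like the table above).
READY = {
    "Intel AMT Supported": "Yes",
    "Intel MEI Enabled": "Yes",
    "Configuration State": "Post-configuration",
    "Configuration Mode": "Enterprise mode",
    "Transport Layer Security (TLS)": "Supported and Enabled",
    "KVM": "Supported and Enabled",
    "Serial-over-LAN (SOL)": "Supported and Enabled",
    "IDE Redirection (IDER)": "Supported and Enabled in BIOS only",
}
NO_MEI = {                       # AMT hardware but no driver: only sparse properties arrive
    "Intel AMT Supported": "Yes",
    "Intel MEI Enabled": "No",
    "Configuration State": "Not Available",
}
UNCONFIGURED = {**READY, "Configuration State": "Pre-configuration", "KVM": "Supported"}

if __name__ == "__main__":
    counts, reasons = summarize([READY, NO_MEI, UNCONFIGURED])
    print(counts)
    for reason, n in sorted(reasons.items()):
        print(f"{n:3d}  {reason}")
```

Feeding the script an export of the Deep Command tab properties for all managed systems gives the same picture as the Discovery and Reporting dashboard, with the blocking reason per system spelled out.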

Dashboards and monitors


Dashboards, which are composed of monitors, help you monitor your managed Intel AMT systems.

Deep Command Discovery and Reporting Summary dashboard

The Deep Command Discovery & Reporting Summary dashboard is added to your ePolicy Orchestrator
server when you install the ePO Deep Command Discovery and Reporting software.
The dashboard displays a collection of monitors based on the results of the default ePO Deep
Command Discovery and Reporting software queries. Using these monitors, you can see:

Which of the managed systems are Intel AMTequipped

The versions of Intel AMT hardware

Configuration status

These are the default monitors that appear under the Deep Command Discovery & Reporting
Summary dashboard:

CILA Supported: Helps the administrator determine the number of managed systems that support
Local Access connections out of the total number of managed systems. The administrator can then
determine the number of managed systems on which to enforce a Remote Access policy that enables Local
Access support. This allows the managed systems to send Local Access requests to the ePolicy
Orchestrator server.

ePO Deep Command Detection Coverage: Helps the administrator determine the number of managed
systems on which the ePO Deep Command Discovery and Reporting plug-in has been installed, out
of the total number of managed systems. This monitor is useful to determine the coverage of the
software.

IDE Redirect Supported and Enabled: Helps the administrator determine the number of managed systems
that support and can be remotely managed using IDE-Redirect connections.

Intel AMT Configuration Mode: Helps the administrator determine the different configuration modes
that are present in the total number of managed systems. Because ePO Deep Command currently
supports the Enterprise mode only, the administrator must reconfigure managed systems that are
not in Enterprise mode.

Intel AMT Configuration State: Helps the administrator determine the different Intel AMT configuration
states present in the total number of managed systems. The AMT Actions can be used on any
managed system that is in the Post Configuration state.

Intel AMT Supported: Helps the administrator determine the number of managed systems that are
Intel AMT-equipped. However, Intel AMT Actions might not be possible on all these systems; they
depend on the Intel AMT version and the configuration state.

Intel AMT Version: Helps the administrator obtain the different versions of Intel AMT hardware
present on the managed systems. Because ePO Deep Command supports specific versions of Intel
AMT, this monitor enables the administrator to determine how many systems can be used for AMT
Actions.

KVM Supported and Enabled: Helps the administrator determine the number of managed systems that
support KVM connections out of the total number of managed systems. This enables the
administrator to determine the number of systems that can be managed remotely using KVM.

The KVM might not work on a platform with discrete graphics even if it's supported and enabled. The
Intel AMT KVM only operates with Intel Integrated Graphics.

SOL Supported and Enabled: Helps the administrator determine the number of managed systems that
support SOL connections out of the total number of managed systems. This helps to determine the
number of systems that can be managed remotely using SOL.

AMT-Capable Systems without Intel MEI Driver: Helps the administrator determine the systems that
require installation of the MEI driver out of the total number of managed systems. The systems
without the Intel MEI driver cannot collect specific Intel AMT and BIOS properties.

Web UI Enabled Systems: Helps the administrator determine the number of managed systems that
support web browsers. The administrator can open a browser, connect to a managed
system using its Fully Qualified Domain Name (FQDN) on port 16993, and log on to it.

For more information on the Intel AMT and BIOS properties of each managed system, click the monitor,
select the system, then select the Deep Command tab.

Deep Command Management Summary dashboard

The Deep Command Management Summary dashboard is added to your ePolicy Orchestrator server
when you install the ePO Deep Command Management Framework software.
The dashboard displays a collection of monitors based on the results of the default ePO Deep
Command Management Framework software queries. Using these monitors, you can get configuration
information about the Intel AMT systems in your environment.
These are the default monitors that appear under the Deep Command Management Summary
dashboard:

Intel AMT Configuration State and Profile: Displays a pie chart of the different Intel AMT Configuration
States (Pre, In, Post) for all detected systems supporting Intel AMT and the RCS Server and Profile
by which they were configured, if any.

Intel AMT Configuration State by Domain Breakdown: Displays a bubble chart of Intel AMT Capable
Systems for each Domain. Details include Configuration States (Pre, In, Post) for all detected
systems supporting Intel AMT and the RCS Server and Profile by which they were configured, if
any.

Intel AMT Configuration Events by Event type: Displays a pie chart of Intel AMT Events. Details include
Configuration States (Pre, In, Post) for all detected systems supporting Intel AMT and the RCS
Server and Profile by which they were configured, if any.

Deep Command RCS Management Summary dashboard

The Deep Command RCS Management Summary dashboard is added to your ePolicy Orchestrator
server when you install the ePO Deep Command RCS Manager software.
This is the default monitor that appears under the Deep Command RCS Management Summary
dashboard:

Managed Intel AMT systems by RCS server: Displays a pie chart of ePO-managed Intel AMT Systems
organized by their RCS Server. Details include Configuration Profiles and Configuration State.


Managing your Intel AMT systems

With ePO Deep Command Management Framework software you can manage the Intel AMT systems
in your network by using Intel AMT policies, client task execution policies, Intel AMT actions, server
tasks, and queries.
Contents
Using policies to manage Intel AMT systems
Use the Intel AMT actions
Automate Intel AMT policy enforcement and power on
Using the McAfee KVM Viewer
Maintenance tasks
Managing events and logs

Using policies to manage Intel AMT systems


Policies ensure that the product features are configured correctly, while client tasks are the scheduled
actions that run on the managed systems hosting any client-side software.
When you change a policy from your ePolicy Orchestrator server, that policy is delivered to the managed
systems during the next agent-server communication. As a result, the next time a system that has
received the new policy is powered on, the new policy is enforced automatically.
ePO Deep Command has these policies:

In-band: policies that allow performing agent-based operations using the ePO Deep Command
client agent. These include:

Client Task Execution policy

AMT Configuration policy

Out-of-band: policies that allow performing the Intel AMT actions. These include:

Alarm Clock policy

Remote Access policy

Local Access policy

KVM policy

Use the Intel AMT Configuration Policies


If you want to configure or unconfigure your Intel AMT systems through ePolicy Orchestrator, you can
use the Intel AMT configuration policies.
You can use one of these options to configure or unconfigure your client systems:

Configure and maintain: Create a policy to configure the Intel AMT firmware on your client
systems.

Unconfigure: Create a policy to unconfigure your client systems either fully or partially.

Tasks

Create a policy to configure Intel AMT clients on page 84
You can create a configuration policy based on the Intel AMT configuration policies.

Create a policy to unconfigure Intel AMT clients on page 84
You can create an unconfigure policy based on the Intel AMT configuration policies.

Create a policy to configure Intel AMT clients


You can create a configuration policy based on the Intel AMT configuration policies.
Before you begin
Make sure that the ePO Deep Command RCS Manager software is installed and configured.

Task
For option definitions, click ? in the interface.

1 From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and Category as AMT Configuration
Policies, then click New Policy.

2 In the New Policy dialog box, select McAfee Default, type a name for the configuration policy and any
notes, then click OK.

3 Select Allow ePO to enforce these settings.

4 Select Configure and Maintain, then select the Intel RCS server and the profile to be used for the
configuration.

5 Save the policy.

See also
Configure Intel AMT clients through ePolicy Orchestrator on page 35

Create a policy to unconfigure Intel AMT clients


You can create an unconfigure policy based on the Intel AMT configuration policies.
Before you begin
Make sure that the ePO Deep Command RCS Manager software is installed and configured.

Task
For option definitions, click ? in the interface.

1 From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and Category as AMT Configuration
Policies, then click New Policy.

2 In the New Policy dialog box, select McAfee Default, type a name for the configuration policy and any
notes, then click OK.

3 Select Allow ePO to enforce these settings, select Unconfigure, then select the appropriate options:

Also remove the preshared keys or hash data of self-signed CA certificates configured on the client systems manually
to remove the configuration completely.

Force unconfigure even if it is not configured by ePO to unconfigure a system that was configured in a
non-ePolicy Orchestrator environment.

4 Save the policy.

See also
Unconfigure Intel AMT clients through ePolicy Orchestrator on page 52

Use the Intel AMT policies


If your remote Intel AMT systems need technical assistance, you can schedule a time to power on
your systems and create a Local Access or Remote Access policy. You can also configure your McAfee
KVM viewer connection using this policy to remotely access a client for troubleshooting.
You must define Alarm Clock, Local Access, and Remote Access settings in a single policy and assign it
to the required systems or groups.

Tasks

Create an Alarm Clock policy on page 85


The Alarm Clock feature enables you to remotely schedule to power on Intel AMT systems
at a defined time and perform specific tasks.

Create a Local Access policy on page 87


The Local Access feature allows the local Intel AMT system to initiate a Fast Call For Help
inside the enterprise network. When a user initiates a connection, Intel AMT detects that it
is inside the enterprise and sends a local access request directly to the ePolicy Orchestrator
server.

Create a Remote Access policy on page 88


The Remote Access feature allows the remote Intel AMT systems located outside the
corporate network to initiate a secured connection to a gateway server residing in the
enterprise demilitarized zone (DMZ), to communicate with the ePolicy Orchestrator server.

Create a KVM policy on page 89
The McAfee KVM viewer provides a console to access remote clients. This feature is useful
in scenarios when you need access to an Intel AMT system to troubleshoot issues.
You can configure this policy to enable or disable the KVM feature, the user's consent for the
connection, the opt-in timeout, the session timeout, and so on.

See also
Supported Intel AMT features on page 119

Create an Alarm Clock policy


The Alarm Clock feature enables you to remotely schedule to power on Intel AMT systems at a
defined time and perform specific tasks.
Before you begin
Consider these:

The time you set is based on the location of your Intel AMT system. If you specify the
Alarm Clock time to be fewer than five minutes from the current time of your Intel AMT
system, the policy enforces the Alarm Clock Time for the next day.

When you're moving from one time zone to another, the Intel AMT client might power on
at a time not in sync with the local time. This is resolved after the next
agent-server communication or by modifying and enforcing the policy manually.

The required tasks can be performed during off hours to avoid interrupting the Intel
AMT systems' users.

Task
For option definitions, click ? in the interface.

1 From the Policy Catalog, select the product as ePO Deep Command 1.5.0 and category as AMT Policies, then
click New Policy.

2 In the New Policy dialog box, type a name for the Alarm Clock policy, then click OK.

3 Select Allow ePO to enforce these settings.

4 Enable the Alarm Clock at a particular time and specify the randomization minutes.
Randomization minutes help balance the policy distribution to all the selected Intel AMT systems
one at a time. The maximum value is 20 minutes.

5 Select Repeat Every to specify the days, hours, and minutes to power on your systems at regular
intervals, then save the policy.

6 In the System Tree, assign the policy to the required systems or group.

To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies &
Inheritance, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the
modified policy, select Break Inheritance, then save the policy assignment.

To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the
product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy,
then save the policy assignment.

7 Enforce the policy using one of these methods:

Wait for the next agent-server communication or send an agent wake-up call.

From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,
Check New Policies, and Enforce Policies.

Click Actions | AMT Actions | Enforce AMT Policies, then click OK.

8 To verify the policy enforcement:

Click Menu | Automation | Server Task Log.

Navigate to the System Properties page, click the Deep Command tab, and make sure the alarm is updated in
the Reported Local Alarm Clock Time.

In the amtservice.log, the policy enforcement should be successful and the Alarm Clock Set Time
is shown in Universal Time Coordinated (UTC).
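The scheduling rules above (alarm time read in the client's local time zone, a move to the next day when the alarm is fewer than five minutes away, up to 20 randomization minutes, Repeat Every intervals, and the UTC time that amtservice.log records) are worked through in the following Python script. It is an added example, not McAfee code: the fixed +05:30 zone, the sample times and the way the five-minute rule is applied are constructed assumptions, and the "time zone move" helper only shows why a laptop that has travelled can fire at an unexpected local time until the policy is enforced again.

```python
import random
from datetime import datetime, time, timedelta, timezone

MIN_LEAD = timedelta(minutes=5)   # alarms closer than this are scheduled for the next day
MAX_RANDOMIZATION = 20            # policy maximum, in minutes

# Constructed sample zone and times (a fixed offset avoids any tz database dependency).
IST = timezone(timedelta(hours=5, minutes=30))
POLICY_ALARM = time(2, 0)                                      # 02:00 client local time
SAMPLE_NOW_EARLY = datetime(2012, 6, 1, 1, 0, tzinfo=IST)      # an hour before the alarm
SAMPLE_NOW_LATE = datetime(2012, 6, 1, 1, 58, tzinfo=IST)      # two minutes before the alarm


def next_alarm(now_local, alarm_time, randomization_minutes=0, rng=None):
    """Return (local_alarm, utc_alarm) for the next Alarm Clock firing.

    now_local must be timezone-aware: the policy time is interpreted in the
    Intel AMT system's own zone, and the UTC value is what the log shows.
    """
    if now_local.tzinfo is None:
        raise ValueError("now_local must be timezone-aware")
    if not 0 <= randomization_minutes <= MAX_RANDOMIZATION:
        raise ValueError("randomization must be between 0 and %d minutes" % MAX_RANDOMIZATION)
    candidate = now_local.replace(hour=alarm_time.hour, minute=alarm_time.minute,
                                  second=0, microsecond=0)
    if candidate - now_local < MIN_LEAD:          # already passed, or under five minutes away
        candidate += timedelta(days=1)
    rng = rng or random.Random()
    candidate += timedelta(minutes=rng.randint(0, randomization_minutes))
    return candidate, candidate.astimezone(timezone.utc)


def repeat_schedule(first_local, every, count):
    """Subsequent firings under Repeat Every, as a list of local datetimes."""
    return [first_local + every * i for i in range(count)]


def local_time_after_move(utc_alarm, new_zone):
    """The firmware keeps the UTC instant; this is when it fires in a new zone
    until the next agent-server communication re-enforces the policy."""
    return utc_alarm.astimezone(new_zone)


if __name__ == "__main__":
    local, utc = next_alarm(SAMPLE_NOW_LATE, POLICY_ALARM, randomization_minutes=10,
                            rng=random.Random(42))
    print("fires at", local.isoformat(), "=", utc.isoformat(), "(as logged)")
    for when in repeat_schedule(local, timedelta(days=1), 3):
        print("  repeat:", when.isoformat())
    print("same alarm seen from UTC-7:", local_time_after_move(utc, timezone(timedelta(hours=-7))).isoformat())
```

Running it with SAMPLE_NOW_LATE shows the two-minute lead pushing the alarm to 02:00 the following day, whereas SAMPLE_NOW_EARLY keeps it on the same day.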

See also
Enforce Intel AMT policies on page 96


Create a Local Access policy


The Local Access feature allows the local Intel AMT system to initiate a Fast Call For Help inside the
enterprise network. When a user initiates a connection, Intel AMT detects that it is inside the
enterprise and sends a local access request directly to the ePolicy Orchestrator server.
Before you begin
The Local Area Network (LAN) Agent Handler to be used for the Local Access policy must
be active.

Task
For option definitions, click ? in the interface.

1 From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and the Category as AMT Policies,
then click New Policy.

2 In the New Policy dialog box, type a new policy name, then click OK.

3 Click the Remote Access tab, then select the Allow ePO to enforce these settings option.

4 From the Local Server, select Enable Client Initiated Local Access (CILA), then select an active LAN Agent
Handler from the drop-down list. Select the required Connection Type from where the Intel AMT
system must initiate the call to the ePolicy Orchestrator server. Available options are BIOS Initiated
and OS Initiated.

5 Click Save.

6 In the System Tree, assign the policy to the required systems or group.

To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies &
Inheritance, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the
modified policy, select Break Inheritance, then save the policy assignment.

To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the
product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy,
then save the policy assignment.

7 Enforce the policy using one of these methods:

Wait for the next agent-server communication or send an agent wake-up call.

From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,
Check New Policies, and Enforce Policies.

Click Actions | AMT Actions | Enforce AMT Policies, then click OK.

8 To verify the policy enforcement:

Click Menu | Automation | Server Task Log.

Navigate to the System Properties page, click the Deep Command tab, and make sure the value for CILA Enabled
is Yes and the agent handler you selected is listed under CILA Agent Handler.

Initiate a call from the Intel AMT system using the Get Technical Help option in the Intel Management
and Security Status (IMSS) tool. The IMSS tool indicates whether the system is connected or not
connected. After this action, the Threat Event Log on ePolicy Orchestrator displays the Local Fast Call
for Help log with event ID 34350.

See also
Enforce Intel AMT policies on page 96


Create a Remote Access policy


The Remote Access feature allows the remote Intel AMT systems located outside the corporate
network to initiate a secured connection to a gateway server residing in the enterprise demilitarized
zone (DMZ), to communicate with the ePolicy Orchestrator server.
Before you begin

McAfee ePO Agent Handler 4.6 Patch 4 must be installed on the ePO Deep Command
Gateway Server in the DMZ and must be active.

The FQDN of the ePO Deep Command Gateway server must be resolvable from the
Internet.

The Remote Access configuration ports must be allowed through the DMZ firewall and
be accessible to the remote Intel AMT system clients. Usually, this is the port on which
stunnel is configured.

Stunnel version 4.36 or later must be installed on the Agent Handler servers.

OpenSSL is required for generating the certificates.

Remote Access is an advanced feature of Intel AMT technology platforms that helps initiate a
secured connection from your server to the Intel AMT systems through a gateway server residing in
the enterprise DMZ. Make sure you provide the correct details of your Intel AMT system environment
while configuring a Remote Access policy. If there's a mistake, especially when enforcing the Remote
Access policy in a larger environment, you might need to be physically present to unconfigure each
Intel AMT system, then reconfigure them.

Task
For option definitions, click ? in the interface.

1 From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and the Category as AMT Policies,
then click New Policy.

2 In the New Policy dialog box, type a new policy name, then click OK.

3 Click the Remote Access tab, then select Allow ePO to enforce these settings.

4 In Remote Server, select Enable Client Initiated Remote Access (CIRA). Select the required Connection Type from
where the Intel AMT system must initiate the call to the ePolicy Orchestrator server. Available
options are BIOS Initiated and OS Initiated.

5 In Home Domain Suffix, type the last part of the host name of the Intel AMT systems, and click Add.
This gives the Intel AMT systems access to the home domains. The Home Domain refers to the
detected DHCP option 15 value of the network, that is, the connection-specific DNS suffix, which Intel
AMT uses to determine whether a system is inside or outside the environment. For the Intel AMT client
to be treated as outside the enterprise, the received DHCP option 15 value must, at a minimum, differ
from the home domains. You can enter a maximum of 5 home domain suffixes.
The DHCP and DNS servers must be configured properly for the Remote Access policy to work well.
The details you specify in this step must match the connection-specific DNS suffixes in your LAN.
Incorrect home domain suffix settings might turn off access to the Intel AMT systems unless a
Remote Access session is established by the system itself.

6 Select a primary DMZ Agent Handler and specify the stunnel port (as specified in the stunnel
configuration) for the incoming Remote Access requests.

7 In Tunnel Lifetime, specify the time (in seconds) the Remote Access tunnel must stay active after it is
established. The default value is zero, which means there is no timeout for the Tunnel Lifetime.

McAfee ePO Deep Command 1.5.0

Product Guide

Managing your Intel AMT systems


Using policies to manage Intel AMT systems

Select these options:

Allow User Initiated Tunnel Select this to allow Intel AMT users to initiate a Remote Access request
to the server.

Periodic Initiated Tunnel every Select this to specify a time to establish the connection at regular
intervals.

Click Save.

10 In the System Tree, assign the policy to the required systems or group.

To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies &
Inheritence, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the
modified policy, select Break Inheritence, then save the policy assignment.

To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the
product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy,
then save the policy assignment.

11 Enforce the policy using one of these methods:

Wait for the next agentserver communication or send an agent wakeup call.

From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,
Check New Policies, and Enforce Policies.

Click Actions | AMT Actions | Enforce AMT Policies, then click OK.

To verify the policy enforcement:

Click Menu | Automation | Server Task Log.

Navigate to the System Properties page, click the Deep Command tab, make sure the value for CIRA Agent
Handler is Yes and the agent handler you selected is listed under CILA Agent Handler.

Initiate a call from the Intel AMT system using the Get Technical Help option in the Intel Management
and Security Status (IMSS) tool. The IMSS tool indicates whether the system is connected or not
connected. This is part of the environment detection indicator as defined by the Home Domains
setting. After this action, the Threat Event Log on ePolicy Orchestrator displays the Remote Fast Call for
Help log with an event id 34351.
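As an added pre-flight check (example code written for this guide, not part of the ePO Deep Command product): the environment detection described in step 5 compares the DHCP option 15 value a client receives with the policy's home domain suffixes, so a validator run before enforcement can catch the misconfiguration the warning above describes. The label-boundary, case-insensitive matching rule and the sample suffix values are assumptions of this example.

```python
"""Pre-flight validator for ePO Deep Command Remote Access (CIRA) home domain suffixes.

Added example, not product code. It models the environment detection this guide
describes: an Intel AMT client compares the DHCP option 15 value it receives (the
connection-specific DNS suffix) with the policy's home domain suffixes and treats
itself as outside the enterprise when none of them match. Assumptions of this
example: matching is case-insensitive and on DNS label boundaries, and the sample
suffixes below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_HOME_DOMAINS = 5  # limit stated for the Home Domain Suffix setting in this guide


def normalise_suffix(suffix: str) -> str:
    """Lower-case a DNS suffix and drop surrounding whitespace and dots."""
    return suffix.strip().strip(".").lower()


def is_inside_enterprise(dhcp_option15: str, home_domains: list[str]) -> bool:
    """Return True when the received DHCP option 15 value matches a home domain.

    A value matches when it equals a home domain or ends with '.' + home domain,
    so 'eu.corp.example.com' is inside for home domain 'corp.example.com' but
    'notcorp.example.com' is not (assumption: label-boundary matching).
    An empty option 15 value (no DNS suffix received) is treated as outside.
    """
    received = normalise_suffix(dhcp_option15)
    if not received:
        return False
    for home in home_domains:
        home = normalise_suffix(home)
        if home and (received == home or received.endswith("." + home)):
            return True
    return False


@dataclass
class PolicyCheck:
    """Findings for one Remote Access policy; no errors means it is safe to enforce."""
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.errors


def validate_home_domains(
    home_domains: list[str],
    lan_suffixes: list[str],
    external_suffixes: list[str],
) -> PolicyCheck:
    """Check a policy's home domain list against suffixes seen on the LAN and outside it.

    lan_suffixes: DHCP option 15 values handed out on the enterprise LAN; each must be
        detected as inside, or in-LAN systems are treated as outside (the lock-out this
        guide warns about).
    external_suffixes: suffixes seen on networks outside the enterprise; none may match,
        or roaming systems never initiate a Remote Access call.
    """
    check = PolicyCheck()
    cleaned = [normalise_suffix(h) for h in home_domains]
    if len(cleaned) > MAX_HOME_DOMAINS:
        check.errors.append(
            f"{len(cleaned)} home domain suffixes configured; maximum is {MAX_HOME_DOMAINS}")
    if any(not h for h in cleaned):
        check.errors.append("empty home domain suffix entry")
    if len(set(cleaned)) != len(cleaned):
        check.warnings.append("duplicate home domain suffix entries")
    for suffix in lan_suffixes:
        if not is_inside_enterprise(suffix, cleaned):
            check.errors.append(
                f"LAN suffix {suffix!r} matches no home domain; systems on that network "
                "would be detected as outside the enterprise")
    for suffix in external_suffixes:
        if is_inside_enterprise(suffix, cleaned):
            check.errors.append(
                f"external suffix {suffix!r} matches a home domain; systems on that network "
                "would never initiate a Remote Access call")
    return check


if __name__ == "__main__":
    # Constructed sample values for a policy review.
    result = validate_home_domains(
        home_domains=["corp.example.com"],
        lan_suffixes=["corp.example.com", "eu.corp.example.com", "branch.example.net"],
        external_suffixes=["home.isp.example", "notcorp.example.com"],
    )
    for line in result.errors + result.warnings:
        print(line)
```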

See also
Configure the Gateway server for Remote Access on page 54
Enforce Intel AMT policies on page 96

Create a KVM policy


The McAfee KVM Viewer provides a console to access remote clients. This feature is useful when you
need access to an Intel AMT system to troubleshoot issues. You can configure this policy to enable or
disable the KVM feature, require the user's consent for the connection, and set the opt-in timeout,
session timeout, and so on.
Before you begin
Correct Intel AMT Credentials must be set, and a trusted root certificate must be uploaded
in the Server Settings page for the Intel AMT Credentials category.

McAfee ePO Deep Command 1.5.0

Product Guide

89

Managing your Intel AMT systems


Using policies to manage Intel AMT systems

Task
For option definitions, click ? in the interface.
1 From the Policy Catalog, select the Product as ePO Deep Command 1.5.0 and the Category as AMT Policies, then
click New Policy.
2 In the New Policy dialog box, type a new policy name, then click OK.
3 Click the KVM Settings tab, then select the Allow ePO to enforce these settings option.
4 In KVM State and Ports Used, select Enable with TLS on Port 16995, then select Enable Opt-In to specify whether
the user's consent is required for every connection (optional) and type the Opt-In timeout in seconds to
specify the time after which the passcode for the user's consent expires if no connection is
established.
5 In Default Visible Monitor, select which monitor of the client machine to display (if the client has
multiple monitors): Primary, Secondary, or Tertiary.
6 In TCP Session Timeout, type the number of minutes after which the session times out, then save the
policy.
7 In the System Tree, assign the policy to the required systems or group.
• To assign the policy to selected systems, select the systems, click Actions | Agent | Set Policies &
Inheritance, select ePO Deep Command 1.5 as the product, select AMT Policies as the category, select the
modified policy, select Break Inheritance, then save the policy assignment.
• To assign the policy to a system group, select the group, select ePO Deep Command 1.5 as the
product, click Edit Assignment against the AMT Policies, select the modified policy under Assigned policy,
then save the policy assignment.
8 Enforce the policy using one of these methods:
• Wait for the next agent-server communication or send an agent wake-up call.
• From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,
Check New Policies, and Enforce Policies.
• Click Actions | AMT Actions | Enforce AMT Policies, then click OK.
To view the policy enforcement status, click Menu | Automation | Server Task Log.
See also
Using the McAfee KVM Viewer on page 98

Using the Client Task Execution policy


Enforcing a Client Task Execution policy on the Intel AMT systems runs the client tasks, and the
arbitrary command with its additional parameters, when the systems are powered on through ePolicy
Orchestrator.

Create a Client Task Execution policy


Create a policy to execute a client task from the Policy Catalog, then assign it to the required client
systems.


Task
For option definitions, click ? in the interface.
1 From the Policy Catalog, select ePO Deep Command 1.5.0 from the Product menu, then select Client Task
Execution from the Category menu, then click New Policy to create a new client task execution policy or
modify an existing policy.
2 Add new or existing client tasks to this policy.
Client tasks that require a system restart must be added last in the sequence.
3 In Run the following Command afterwards (optional), you can add an arbitrary command and its additional
parameters that need to be executed after the client tasks run.
For example, the command <System32>\shutdown.exe shuts down your system after the client
task is run. You can also include additional parameters for the command you type. If you type /h
or /r as the parameters, it hibernates or restarts your Intel AMT system.
4 Click Save.
5 In the System Tree, select the systems, click the Assigned Client Tasks tab, then create a client task
assignment to assign the client tasks added to the Client Task Execution policy in step 2.
6 In the System Tree, select the systems, click the Assigned Policies tab, click Edit Assignment against the
Client Task Execution policy created or modified in step 1, then save the assignment.
7 Enforce the policy using one of these methods:
• Wait for the next agent-server communication or send an agent wake-up call.
• From the Intel AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,
Check New Policies, and Enforce Policies.

Client Task Execution policy logs and services


These are the logs and services displayed on the Intel AMT system.

Log files and services

Log file or service     Description
AMTMgmtService_out.log  On the Intel AMT systems, this log file displays the client task details added
                        to the policy.
AMTCT.exe               When the Intel AMT systems are powered on using the Out-of-Band Power On
                        feature or the Alarm Clock policy, this service starts and executes the client
                        task, the specified arbitrary command, and its additional parameters
                        sequentially.
AMTCT_out.log           Displays the status of the executing client task.

Use the Intel AMT actions


You can create and enforce actions on your configured remote Intel AMT systems.
Before you begin
In the System Tree, verify that your managed systems have the AMT tag assigned to them.

McAfee ePO Deep Command 1.5.0

Product Guide

91

Managing your Intel AMT systems


Use the Intel AMT actions

Tasks
• Power on your systems on page 92
The Power On feature allows your Intel AMT systems to deploy the updated security programs ahead
of a potential threat outbreak.
• Boot or reboot to BIOS on page 93
BIOS is the boot firmware program that controls your system from the time it starts until the
operating system takes over.
• Boot or reboot a system normally on page 93
You can boot or reboot the managed Intel AMT systems from ePolicy Orchestrator when required, for
example, when you want to leave the recovery operating system image.
• Connect to a system using the Serial-over-LAN on page 94
Serial-over-LAN (SOL) is a mechanism that enables the input and output of the serial COM port of a
managed Intel AMT system to be redirected over Internet Protocol (IP).
• Boot or reboot using IDE-Redirect on page 94
IDE-Redirect allows you to reboot an Intel AMT system to a redirected disk.
• Stop Image Redirection on page 95
You can stop the previous Image Redirection for the selected client systems.
• Enforce Intel AMT configuration policy on page 96
You can use this action to immediately configure the Intel AMT capable systems that have a
configuration policy assigned to them.
• Enforce Intel AMT policies on page 96
You can use this action to immediately enforce the Intel AMT policies of Alarm Clock, Local Access,
Remote Access, and KVM on the selected systems.

Power on your systems


The Power On feature allows your Intel AMT systems to deploy the updated security programs ahead
of a potential threat outbreak.
Before you begin
• Correct Intel AMT credentials must be set, and a trusted root certificate must be uploaded in the
Server Settings page.
• The Intel AMT systems must be configured.
• A power cable must be connected to the Intel AMT systems, including laptops.

Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree.
2 Select the required systems or groups you want to power on.
3 Click Actions | AMT Actions | Power On.
The Power On dialog box appears.
4 Click OK.
5 To view the action status, click Menu | Automation | Server Task Log.


Boot or reboot to BIOS


BIOS is the boot firmware program that controls your system from the time it starts until the operating
system takes over.
You can boot or reboot to the BIOS of any Intel AMT system and diagnose issues by adjusting its
BIOS settings, which might not be accessible after the operating system has restarted. Use the SOL
option to access the Intel AMT system from the server during system diagnosis. You can also perform
this task from the McAfee KVM Viewer console.
For Intel vPro 7.0 systems, establish the SOL connection before initiating the Boot/Reboot to BIOS Setup
action to get a full screen refresh in the SOL terminal.

Task
For option definitions, click ? in the interface.
1 From the System Tree, select the systems you want to diagnose by booting to their BIOS.
2 Click Actions | AMT Actions | Boot/Reboot with Options.
The Boot/Reboot with Options dialog box appears.
3 Select Boot/Reboot to BIOS Setup to boot or reboot to the BIOS of the crashed Intel AMT system and
diagnose issues by adjusting its BIOS settings. Also, select Launch Serial-over-LAN Terminal (SOL) to
access the crashed system from the server side.
You can use the arrow keys to navigate through the BIOS menu that is displayed on the SOL
terminal.
4 To view the action status, click Menu | Automation | Server Task Log.
See also
Connect to a system using the Serial-over-LAN on page 94
Using the McAfee KVM Viewer on page 98

Boot or reboot a system normally


You can boot or reboot the managed Intel AMT systems from ePolicy Orchestrator when required, for
example, when you want to leave the recovery operating system image.
You can also perform this task from the McAfee KVM Viewer console.
Task
For option definitions, click ? in the interface.
1 From the System Tree, select the systems you want to boot or reboot.
2 Click Actions | AMT Actions | Boot/Reboot with Options.
The Boot/Reboot with Options dialog box appears.
3 Select Normal Boot/Reboot to boot or reboot the Intel AMT system. You can also select Launch
Serial-over-LAN Terminal (SOL) to access the Intel AMT system from the server side.
4 To view the action status, click Menu | Automation | Server Task Log.
See also
Using the McAfee KVM Viewer on page 98


Connect to a system using the Serial-over-LAN


Serial-over-LAN (SOL) is a mechanism that enables the input and output of the serial COM port of a
managed Intel AMT system to be redirected over Internet Protocol (IP).
Before you begin
• Make sure that SOL is supported and enabled on your Intel AMT systems. Verify this from the Deep
Command tab on the System Properties page.
• Make sure that the correct Intel AMT credentials are set, and a trusted root certificate is uploaded in
the Server Settings page.
• Make sure to enforce the Intel AMT policies on the systems to which you are attempting to establish
an SOL connection.
• Make sure that the Intel AMT client is accessible from the Agent Handler and that port 16995 is not
blocked in the firewall.
• Make sure that "Console Redirection" is enabled in the BIOS setup. It is enabled automatically as
part of the Intel AMT policy enforcement, but some manufacturers don't allow this through remote
APIs; only in that case must it be enabled manually.

Using SOL, you can connect to a remote Intel AMT system through a virtual serial port. After
initiating an SOL session, you can see that it is active. You can also access the BIOS of the Intel AMT
system and send keyboard key combinations using SOL.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree.
2 Select the systems you want to establish an SOL connection with.
SOL is processed on a maximum of four systems at one time per Agent Handler.
3 Click Actions | AMT Actions | Serial-Over-LAN Terminal (SOL). The SOL terminal appears.
4 Click Connect to start a connection with the selected system. When the Terminal <=> ePO: Connected
message appears, the SOL session is active.
The display is blank if the serial port has not sent any data, even though the connection is
established. You can send keyboard key combinations to the Intel AMT systems. These keys are
specific to the terminals. For example, if Ctrl-C is the key that stops the ping command on a Linux
terminal, selecting and sending this key to the Linux terminal by clicking Send on the SOL Terminal
stops the ping command.
5 To view the action status, click Menu | Automation | Server Task Log.

Boot or reboot using IDE-Redirect


IDE-Redirect allows you to reboot an Intel AMT system to a redirected disk.
Before you begin
• IDER must be supported and enabled on the Intel AMT systems. Verify this from the Deep Command
tab on the System Properties page.
• You must have enforced Intel AMT policies at least once on the target system(s) to enable the
redirection port.
• The recovery operating system image file must be an .iso file shared on a UNC mount. It must be
shared and accessible by the Agent Handler. Also, make sure that you've defined its path using the
Universal Naming Convention (UNC) syntax rather than using the IP address.
• Make sure the image file can be used for diagnosis, and is smaller than 30MB in size.
If your ISO image is larger than 30MB, or you have network bandwidth constraints, see this document
for more information about using a two-stage boot process: http://communities.intel.com/docs/DOC5552

Task
For option definitions, click ? in the interface.
1 From the System Tree, select the systems you want to diagnose using the IDER feature.
IDER is limited and processes only four systems per Agent Handler.
2 Click Actions | AMT Actions | Boot/Reboot with Options.
The Boot/Reboot with Options dialog box appears.
3 Select the Boot/Reboot from Image (IDER) option to boot or reboot the target Intel AMT system using a
recovery operating system image (.iso file) to diagnose issues. Type the path of the recovery
operating system image file, then click OK.
Click Menu | Automation | Server Task Log to see the status of the selected action. When the status of the
Boot/Reboot with Options log is In Progress, a connection is established and you can start diagnosing the
system issues.
4 Select Launch Serial-over-LAN Terminal (SOL) to access the target system from the server side.
5 After diagnosing system issues, end the IDER connection by navigating to the System Tree,
selecting the systems, then clicking Actions | AMT Actions | Stop Image Redirection.
The remote systems will not boot to their OS if the IDER is not stopped.
6 Click OK.
7 After stopping the IDER connection, you can boot or reboot the systems normally using the Normal
Boot/Reboot option or use SOL to restart the system.
8 To view the action status, click Menu | Automation | Server Task Log.
See also
Connect to a system using the Serial-over-LAN on page 94
Using the McAfee KVM Viewer on page 98

Stop Image Redirection


You can stop the previous Image Redirection for the selected client systems.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree.
2 Select the required systems or groups you want to configure.
3 Click Actions | AMT Actions | Stop Image Redirection.
The Stop Image Redirection dialog box appears.
4 Click OK.
5 To view the action status, click Menu | Automation | Server Task Log.

Enforce Intel AMT configuration policy


You can use this action to immediately configure the Intel AMT capable systems that have a
configuration policy assigned to them.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree.
2 Select the required systems or groups you want to configure.
3 Click Actions | AMT Actions | Enforce AMT Firmware Configuration Policy.
The Enforce AMT Firmware Configuration Policy dialog box appears.
4 Click OK.
5 To view the action status, click Menu | Automation | Server Task Log.

Enforce Intel AMT policies


You can use this action to immediately enforce the Intel AMT policies of Alarm Clock, Local Access,
Remote Access, and KVM on the selected systems.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree.
2 Select the required systems or groups on which you want to enforce the policies.
3 Click Actions | AMT Actions | Enforce AMT Policies.
The Enforce AMT Policies dialog box appears.
4 Click OK.
5 To view the action status, click Menu | Automation | Server Task Log.

Automate Intel AMT policy enforcement and power on


Create and use server tasks to enforce Intel AMT policies and power on the remote Intel AMT
systems at a scheduled time using Out-of-Band communication.
Tasks
• Schedule and enforce out-of-band AMT policies on page 97
You can enforce the existing Intel AMT policy out-of-band to the Intel AMT systems at a particular
time or at regular intervals.
• Schedule out-of-band power on for your systems on page 97
You can choose to power on your Intel AMT systems at a particular time or at regular intervals.

Schedule and enforce out-of-band AMT policies


You can enforce the existing Intel AMT policy out-of-band to the Intel AMT systems at a particular
time or at regular intervals.
Before you begin
Create a query that returns only the fully configured Intel AMT systems you want to
modify. Be sure that your query results are returned in table format. If you have a large
number of Intel AMT systems in your network, performing this action on all of them at once
could have a negative impact on your network by consuming too much bandwidth. For more
information about working with queries, see the ePolicy Orchestrator Product Guide.

Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks.
2 On the Server Tasks page, click New Task.
The Server Tasks Builder page appears.
3 In the Description field, type a name for the task you want to create and a brief description (optional),
enable the schedule status, then click Next.
4 From Actions, select Run Query from the drop-down list. From Query, click ... to select the query you
have created that returns the configured Intel vPro systems, then click OK.
5 Select an appropriate language from the drop-down list, then in Sub-Actions, click ... and select
Out-of-Band Enforce AMT Policies, then click OK.
6 Click Next and schedule the task as required.
7 Click Next to view a summary of the server task, then click Save to return to the Server Tasks page.

Schedule out-of-band power on for your systems


You can choose to power on your Intel AMT systems at a particular time or at regular intervals.
Before you begin
Create a query that returns Intel AMT systems that are configured. Be sure that your
query is configured to return the specific subset of systems you want to modify, and that
the results are returned in table format. If you have a large number of Intel AMT systems
in your network, performing this action on all of them at once could have a negative impact
on your network by consuming too much bandwidth. For more information about working
with queries, see the ePolicy Orchestrator Product Guide.

Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks.
2 On the Server Tasks page, click New Task.
The Server Tasks Builder page appears.
3 In the Description field, type a name for the task you want to create and a brief description (optional),
enable the schedule status, then click Next.
4 From Actions, select Run Query from the drop-down list. From Query, click ... to select the query you
have created that returns all the configured Intel vPro systems, then click OK.
5 Select an appropriate language from the drop-down list, then in Sub-Actions, click ..., select Out-of-Band
Power On, then click OK.
6 Click Next and schedule the task.
7 Click Next to view a summary of the server task, then click Save to return to the Server Tasks page.
8 Click Run for the corresponding server task you created. The Server Task Log page displays the status
of the executed task.

Using the McAfee KVM Viewer


With the McAfee KVM Viewer, you can remotely access the Intel AMT client systems using the Intel
vPro Technology's Keyboard-Video-Mouse (KVM) Remote Control feature regardless of the present
operating system state.
To use McAfee KVM Viewer, you need to:
1 Make sure that these requirements are met:
• The client system is an Intel AMT 6.0 or higher with integrated graphics.
• If the management system is a Windows XP or Windows Server 2003 system, it must have:
  • Windows Remote Management (WinRM)
  • Microsoft .NET Framework 3.5 SP1
2 Set up the managed client to use KVM.
3 Modify the McAfee KVM Viewer settings.
4 Establish a connection to a local or remote client system.

Set up the client for KVM


Configure the KVM policy, then enforce it on the Intel AMT clients.
Before you begin
Create a KVM policy to enable KVM.

Task
For option definitions, click ? in the interface.
1 From the System Tree, select the systems that you want to access remotely.
2 Click Actions | AMT Actions | Enforce AMT Policies, then click OK.

See also
Create a KVM policy on page 89

Modify the McAfee KVM Viewer settings


Provide the settings required for a successful connection.
Task
1 From the management system, browse to the folder where McAfee KVM Viewer is stored, then
double-click the MKVMView file.
2 In the McAfee KVM Viewer screen, click Options to open the KVM setting options.
3 In the General tab, complete these settings:
• Computer: Type the host name of the managed client.
• Use DNS to resolve host names: Select this to resolve any NetBIOS name or IP address to its FQDN
(Fully Qualified Domain Name).
• Use current logon credentials: Select this to use the logon credentials for the account with which
you're already logged on. When selected, McAfee KVM Viewer uses Kerberos authentication. When not
selected, it uses Digest.
• Digest User: The Intel AMT digest user name for the managed client (displayed only when Use
current logon credentials is not selected).
• Password: The Intel AMT digest user password for the managed client (displayed only when Use
current logon credentials is not selected).
• Hide password text: Select this to hide the text entered in the Password field (displayed only when
Use current logon credentials is not selected).
• Allow credentials to be saved: Select this to store the user name and password for use in
subsequent sessions (displayed only when Use current logon credentials is not selected).
• Use TLS server authentication: Select this to use TLS server authentication.
The ePO Deep Command 1.5 software supports only TLS server authentication. Don't deselect this
option.
4 In the Sessions Settings tab, you can select the monitor to display if the client has more than one
monitor.
Configure the default monitor preference in the KVM policy. Don't change the preference in the
McAfee KVM Viewer settings.
5 (Optional) In the Media Redirection tab, browse to and select the image file (.ISO) to use for media
redirection operations.
6 In the Advanced tab, complete these options:
• TLS Certificates: Configure the certificates to be used by McAfee KVM Viewer in a TLS
environment. By default, all certificates in the user's certificate store are used. In most cases
there is no need to adjust this list. To import or remove certificates, click Certificates to display the
Trusted Certificates screen.
• Remote Access: When using the MPS Gateway for a Remote Access connection, configure the
proxy settings. Click to display the MPS Auto Proxy Configuration screen, and complete these
options:
  • Enable auto proxy: Select this to configure auto proxy settings.
  • Auto proxy include list: Click Add to display the Add Proxy Host screen.
  Type a host name and click OK to add the host and close the screen, or click Cancel to close the
  screen without adding. Once added to the Auto Proxy list, you can select a host and click
  Remove to remove an added host.
  • Http proxy: Type the IP address of the ePO Deep Command Gateway server, followed by the
  port used for HTTP proxy (<MPS server IP>:8080).
  The Gateway server acts as a standard HTTP proxy, which provides an interface to various
  HTTP-based manageability protocols such as WSMAN and Intel AMT HTML.
  • Redirection proxy: Type the IP address of the ePO Deep Command Gateway server, followed by
  the port used for IDE-Redirection and Serial over LAN (<MPS server IP>:1080).
  The Gateway server acts as a SOCKS v5 server, which provides a generic routing mechanism
  for the TCP/IP-based IDE-Redirection and Serial over LAN protocols.
  • MPS discovery address (Optional): Type the IP address of the ePO Deep Command Gateway
  server.


Connect to a local client system


Connect to a local Intel AMT client system to send power control commands to the client.
Task
1 From the management system, browse to the folder where the McAfee KVM Viewer is stored, then
double-click the MKVMView file.
2 In the Computer field, type the IP address, FQDN, or NetBIOS name of a managed client.
From the drop-down menu, you can select a client that was connected previously.
3 Click Connect to establish the connection.
4 If prompted to enter a client consent code, obtain the consent code from the user of the client
system, then enter the code to connect.
The connection status is displayed while connecting.
On successful connection, the KVM Viewer window displays the client screen.


Connect to a remote client system


Connect to a remote Intel AMT client system to send power control commands to the client.
Task
For option definitions, click ? in the interface.
1 From the management system, browse to the folder where the McAfee KVM Viewer is stored, then
double-click the MKVMView file.
2 Click Options to open the KVM setting options.
3 In the Advanced tab, complete these options:
• Make sure that you have only one trusted root certificate added. To import or remove
certificates, click Certificates.
• Make sure that you have configured the proxy settings to be used in a remote connection. Click
Remote Access, then make the necessary changes in the MPS Auto Proxy Configuration screen.
4 In the Computer field, type the IP address, FQDN, or NetBIOS name of a managed client.
From the drop-down menu, you can select a client that was connected previously.
5 Click Connect to establish the connection.
6 If prompted to enter a client consent code, obtain the consent code from the user of the client
system, then enter the code to connect.
The connection status is displayed while connecting.
On successful connection, the KVM Viewer window displays the client screen.

McAfee KVM viewer options


Once you connect to a client system, use the KVM console's Menu bar options to perform the required
actions.

Option      Suboption                Description
File        Exit                     Closes the McAfee KVM Viewer screen.
                                     An active IDE-Redirection session does not end when the McAfee KVM
                                     Viewer is closed.
Connection  Start                    Starts a connection to the client system.
            Stop                     Ends a connection to the client system.
            Refresh                  Reloads the screen in display.
Tools       Color Quality            Allows selecting the quality of the video component: Maximum,
                                     Medium, or Low.
            Scale Video              Allows resizing the screen to a specific percentage.
            Full Screen              Displays the screen in Full Screen mode.
            Send Ctrl-Alt-Del        Sends the Ctrl-Alt-Del command to the client system.
            Power Control            Sends the Intel AMT power control commands to the client system:
                                     Power Up: Select to power up your Intel AMT client system.
                                     Power Down: Select to shut down your Intel AMT client system.
                                     Power Reset: Select to restart your Intel AMT client system.
                                     Boot with IDER: Select to boot the Intel AMT client system from the
                                     IDE-Redirect (IDER) device. This device must be configured on the
                                     Media Redirection tab in the Options tab.
                                     End IDER Session: Select to end the IDER session (available only when
                                     an IDER session is active).
Help        About McAfee KVM Viewer  Displays the version and copyright information of the McAfee KVM
                                     Viewer.

Maintenance tasks
You can create independent schedules for each possible maintenance task, such as reissuance of
certificates, renewal of passwords, synchronization of Intel AMT time, and network settings.
These tasks can only be performed on the Intel AMT client systems that are configured using the ePO
Deep Command RCS Manager plug-in.

The maintenance client task provides these options:
• Synchronize AMT Time: Synchronizes the clock of the Intel AMT device with the clock of the computer
running the Intel RCS service. This task is performed automatically when any of the other tasks
are performed.
• Synchronize Network Settings: Synchronizes the network settings of the Intel AMT device based on these:
  • Fully qualified domain name
  • IP address
  • DDNS and DHCP Option 81
• Re-Issue AMT Certificates: Reissues the certificates stored in the Intel AMT device. If the device
contains 802.1x certificates, this resets the Intel AMT administrator password to the default.
• Renew Active Directory Password: Resets the password of the Active Directory object representing the
Intel AMT system.
• Renew Administrative Password: Resets the password of the default Digest admin user in the Intel AMT
device according to the password setting defined in the profile.

McAfee ePO Deep Command 1.5.0

Product Guide

105

Managing your Intel AMT systems


Managing events and logs

Managing events and logs


Configure events to track configuration changes and any failures reported from the Intel AMT
systems.
The ePO Deep Command software generates two kinds of events:

Outofband events: These events are generated when an Intel AMT action is triggered on a
client systems.

Configuration events: These events are generated when a configure or unconfigure policy is
enforced onto the Intel AMT client systems.

ePO Deep Command events

When configured to track, these ePO Deep Command client events are logged in the Threat Event log. Each entry gives the event name, its ID, and when it is generated.

Out-of-band events

Deep Command Local Fast Call For Help (34350): A Client Initiated Local Access call for technical help is initiated by the local Intel AMT client system.

Deep Command Connected Remote Fast Call For Help (34351): The Client Initiated Remote Access call is initiated by the remote Intel AMT client system.

Deep Command Disconnected Remote Fast Call For Help (34352): The Client Initiated Remote Access call is terminated by the remote Intel AMT system.

Deep Command Command Not Found (34360): The arbitrary command specified in the policy is not a valid command.

Deep Command Command Execution Failed (34361): The arbitrary command specified in the policy fails to execute for some reason, for example, when a user doesn't have sufficient rights to execute the command.

Deep Command Maintenance Failure (34367): A maintenance task is successfully executed.

Deep Command Maintenance Success (34368): A maintenance task has failed.

Deep Command Local User needs help (34369): An event of type CILA_USER is generated when a Local User requests assistance (if the caller identification is enabled).

Deep Command Connected Remote Fast Call For Help from User (34371): An event of type CIRA_USER is generated when a connection request for a Remote Fast Call For Help action from the current user is successfully established (if the caller identification is enabled).

Configuration events

Deep Command Configure Failure (34362): A configuration attempt has failed.

Deep Command Unconfigure Failure (34363): An unconfigure attempt has failed.

Deep Command Configure Success (34364): A configuration attempt is successful.

Deep Command Unconfigure Success (34365): An unconfigure attempt is successful.

Deep Command Uncontrolled Unconfigure (34366): An attempt to unconfigure a system that has been configured by some unknown means.
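A small triage script over a Threat Event log export, added here as an example; it is not part of the guide or of ePO Deep Command. The event IDs and names are the ones in the table above, while the CSV layout (timestamp,event_id,system) and the sample lines are constructed.

```python
import csv
import io
from collections import Counter

# Event ID -> event name, as listed in the ePO Deep Command events table.
DEEP_COMMAND_EVENTS = {
    34350: "Deep Command Local Fast Call For Help",
    34351: "Deep Command Connected Remote Fast Call For Help",
    34352: "Deep Command Disconnected Remote Fast Call For Help",
    34360: "Deep Command Command Not Found",
    34361: "Deep Command Command Execution Failed",
    34362: "Deep Command Configure Failure",
    34363: "Deep Command Unconfigure Failure",
    34364: "Deep Command Configure Success",
    34365: "Deep Command Unconfigure Success",
    34366: "Deep Command Uncontrolled Unconfigure",
    34367: "Deep Command Maintenance Failure",
    34368: "Deep Command Maintenance Success",
    34369: "Deep Command Local User needs help",
    34371: "Deep Command Connected Remote Fast Call For Help from User",
}

# Configuration events; every other ID in the table is an out-of-band event.
CONFIGURATION_IDS = {34362, 34363, 34364, 34365, 34366}

# IDs worth a second look, chosen by event name: command and configuration
# failures, plus an unconfigure that ePO did not perform itself (34366), which
# means the device's AMT configuration changed outside the management plane.
REVIEW_IDS = {34360, 34361, 34362, 34363, 34367, 34366}


def parse_events(text):
    """Parse 'timestamp,event_id,system' lines into dicts.

    Lines with a malformed ID, or an ID that is not a Deep Command event,
    are skipped so that other products' events in the same export are ignored.
    """
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 3:
            continue
        try:
            event_id = int(rec[1])
        except ValueError:
            continue
        if event_id not in DEEP_COMMAND_EVENTS:
            continue
        rows.append({
            "time": rec[0].strip(),
            "id": event_id,
            "name": DEEP_COMMAND_EVENTS[event_id],
            "kind": "configuration" if event_id in CONFIGURATION_IDS else "out-of-band",
            "system": rec[2].strip(),
        })
    return rows


def triage(rows):
    """Return (events to review, systems with an uncontrolled unconfigure, counts by kind)."""
    to_review = [r for r in rows if r["id"] in REVIEW_IDS]
    uncontrolled = sorted({r["system"] for r in rows if r["id"] == 34366})
    by_kind = Counter(r["kind"] for r in rows)
    return to_review, uncontrolled, by_kind


# Constructed sample export (not real log data): timestamp,event_id,system.
# The 20000 line is a stand-in for an unrelated product's event and is skipped.
SAMPLE_LOG = "\n".join([
    "2012-06-01 08:00:00,34364,WS-0101",
    "2012-06-01 08:05:00,34350,WS-0102",
    "2012-06-01 08:07:00,34361,WS-0102",
    "2012-06-01 09:00:00,34366,WS-0105",
    "2012-06-01 09:01:00,20000,WS-0105",
    "2012-06-01 09:02:00,34368,WS-0101",
])

if __name__ == "__main__":
    review, lost, kinds = triage(parse_events(SAMPLE_LOG))
    for r in review:
        print(f"{r['time']} {r['system']}: {r['name']} ({r['id']})")
    print("uncontrolled unconfigure on:", lost)
    print("counts by kind:", dict(kinds))
```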

Forward events immediately

Configure event forwarding so that events with Informational priority are sent immediately to the ePolicy Orchestrator server, which allows the Intel AMT system to report any failures as they occur.

Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, navigate to System Tree, click the Assigned Policies tab, then select McAfee Agent from the Product menu.

2 Click a policy you want to modify. For example, click My Default under the General category.

3 In the Events tab, select Enable priority event forwarding, select Informational from the event priority menu, then click Save.

4 Enforce the policy using one of these methods:
- From the ePolicy Orchestrator server, select the systems or groups where you want to assign this policy, then send an agent wake-up call.
- From the Intel AMT systems, go to McAfee Agent Status Monitor | Collect and Send Properties | Check New Policies | Enforce Policies.
If you don't enforce the policy on the Intel AMT systems using either of these methods, it is enforced automatically at the next agent-server communication.

Filter events

You can specify which ePO Deep Command events generated from the client systems are to be forwarded to the server. This selection impacts the bandwidth used in your environment, as well as the results of event-based queries. This is a global setting. Any events not selected here are never forwarded to the server.

Task
For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page. The Edit Event Filtering page appears.

2 Select All events to the server to forward all events, including Intel client events, to the ePolicy Orchestrator server, or select Only selected events to the server and select the Intel client events that you want to forward.

3 Click Save.
The changes take effect at the next agent-server communication.

Frequently asked questions

Here are answers to frequently asked questions.

Normal boot or reboot

What happens if a normal boot or reboot is executed on a system that is in Hibernate or Standby mode?
The system is restored to a normal running state.

Is an end user on an Intel AMT system notified if a normal start or restart is initiated from the ePolicy Orchestrator server?
No, the end user is not notified and the system restarts immediately.

What is the amtservice.log file and where is it located? How do you increase the debug level for this log file?
The amtservice.log file is present on the Agent Handler system, where Intel AMT actions, events, and success and failure messages are logged.
On a 64-bit ePolicy Orchestrator system, the location is C:\Program Files (x86)\McAfee\ePolicyOrchestrator\DB\Logs.
On a 32-bit ePolicy Orchestrator system, the location is C:\Program Files\McAfee\ePolicyOrchestrator\DB\Logs.
To increase the debug log level, go to the Registry Editor | HKEY_LOCAL_MACHINE | Network Associates | ePolicy Orchestrator | Log Level, and change the value to 8.

What do I do if a normal boot or reboot for an Intel AMT system fails?
1 Check the amtservice.log. An HTTP 401 error means the issue might be caused by incorrect Intel AMT credentials or certificates. Make sure the correct credentials and certificates are uploaded in Server Settings on the Edit Intel AMT Credentials page.
2 Verify that the domain and FQDN of the Intel AMT system are correctly resolved from the ePolicy Orchestrator server.
3 Verify that the required Firewall Ports are allowed on the Intel AMT system and the ePolicy Orchestrator server.

Out-of-Band Power On feature

What happens if the Intel AMT Power On action is executed on a system that is in Hibernate or Standby mode?
The system is restored to the normal running state.

What happens if the Intel AMT Power On action is executed on a system that is already running?
The ePolicy Orchestrator server detects that the system is powered on and does not take any action.

What do I do if an Intel AMT Power On action fails on an Intel AMT system?
1 Make sure the correct credentials and certificates are uploaded in Server Settings on the Edit Intel AMT Credentials page.
2 View the amtservice.log. If an HTTP 401 error caused the action to fail, verify that the user name and password are correct on the Edit Intel AMT Credentials page.
3 Verify that the domain and FQDN of the Intel AMT system are correctly resolved from the ePolicy Orchestrator server.
4 Verify that the required Firewall Ports are allowed on the Intel AMT system and the ePolicy Orchestrator server.

Extensions
What if I can't check in the ePO Deep Command Management Framework extension?
Make sure you checked in the ePO Deep Command Discovery and Reporting extension before
installing the ePO Deep Command Management Framework extension.
Why are most of the Intel AMT properties shown as Not Available after reinstalling the ePO Deep Command extension and executing agent-server communication on the Intel AMT system?
After reinstalling the extension, you need to send an agent wake-up call from ePolicy Orchestrator with the option Get full product properties selected. Otherwise, the agent sends only the incremental properties, even if you select Collect and Send Props in the Agent Monitor. Since there have been no changes between the detections, no properties are sent.

Client Tasks

What conditions should be met to successfully execute the Client Tasks?
Make sure that the:
- Client Tasks are enabled.
- Appropriate managed products are installed on the Intel AMT system.
- Intel AMT system is able to communicate with the Agent Handler within two minutes of restarting your system after an Intel AMT Power On or a scheduled alarm clock wake-up.
- Intel AMT system is able to boot from a powered-off state if the Intel AMT Power On or scheduled alarm clock wake-up is executed from the ePolicy Orchestrator server. Client Tasks will fail if the system is in a state of hibernation or standby.

Where are the log files created for Client Tasks that are executed on the Intel AMT system?
Two log files are created on the Intel AMT system:
- AMTCT_out.log: Displays the Client Task ID, software ID, and arbitrary command if present.
- AMTMgmtService_out.log: Displays the Client Task details in the Client Task Execution Policy and the DC message status.
The file paths for these log files on Intel AMT client systems are:
- ..\Documents and Settings\Default User\Application Data\McAfee for Microsoft Windows XP and Microsoft Windows Server 2003 based systems.
- ..\ProgramData\McAfee\ePO Deep Command Client for systems running on any other operating system.

How do I return the Intel AMT system to its previous power state at the end of a Client Task Execution?
It is possible to shut down the Intel AMT system after the system has started due to an Intel AMT Power On or a Scheduled Alarm Clock Wake Up. An ePolicy Orchestrator user can provide shutdown.exe as an arbitrary command in the Client Task Execution Policy. The previous power state is unknown, so the administrator must select a power state for the system.

Why were the Intel AMT Client Tasks not implemented on an Intel AMT system that booted after an Intel AMT Power On or after a scheduled Alarm Clock Wake up?
- The Agent Handler is not reachable.
- The Intel AMT system fails to communicate with the Agent Handler within two minutes of restarting after an Intel AMT Power On or after a Scheduled Alarm Clock Wake Up, or tasks were not present on the system.

How can I implement multiple arbitrary commands through a Client Task execution policy?
You can execute multiple arbitrary commands using a Windows batch file. The batch file, containing multiple commands, can be added to the Client Task Execution Policy, and is executed after the system starts either through the Intel AMT Power On action or through the Scheduled Alarm Clock.
To run a batch file, select <System32>\cmd.exe from the Run the following Command afterwards field and enter /c <path of your batch file> in the Additional Parameters field.
It is necessary to add @echo as the first command in the batch file, otherwise the commands added in the batch file are not executed.

Intel AMT console

How do I send a Fast Call for Help from my Intel AMT system?
Refer to the system documentation on how to send a Fast Call for Help from the Intel AMT system hardware, or open Intel Management and Security Status and click Get Technical Help to send a Fast Call.

How do I access the Intel MEBx BIOS?
You need to restart your system and press a combination of keys as defined by the manufacturer. For certain OEMs, you need to press Left Ctrl + P until you hear a beeping sound. The default MEBx password is admin.

How do I access the Web interface from an Intel AMT system?
If the web interface is enabled on the Intel AMT system, open Internet Explorer, type https://<FQDN of the AMT System>:16993/, and provide your Active Directory logon credentials or the digest credentials added in the configuration profile.
The registry must be updated to allow Internet Explorer to connect to Port 16993. Refer to http://support.microsoft.com/kb/908209 for the required registry changes.

Are there any other tools that can be used to check the status of the Intel AMT system?
You can use these tools:
- Intel Management and Security Status (IMSS)
- ACUconfig status or SystemDiscovery

Serial Over LAN (SOL)


The SOL connection to an Intel AMT system is failing. How do I find the cause for this failure?
These messages are displayed on the SOL terminal when the SOL connection fails:
- Authentication Failure: Invalid credentials were provided in Server Settings | Intel AMT Credentials.
- Busy: An SOL connection to the Intel AMT system is already established.
- Socket Error: The Redirection port is not enabled on the Intel AMT system. Enforce an AMT Policy to enable the Redirection Port and try again. This error also occurs in the case of a certificate or authentication failure.
- Maximum Connections Reached: The Agent Handler allows only four active SOL sessions at a time. Disconnect one of the active SOL sessions and try again.
Verify that the required firewall ports are allowed on the Intel AMT system and the ePolicy Orchestrator server. Confirm that the Intel AMT system domain and FQDN are correctly resolved from the ePolicy Orchestrator server. Wait three seconds before trying to connect or disconnect the SOL session.

I am unable to redirect the BIOS to the SOL terminal. How do I resolve this?
Make sure that the correct credentials are provided in the Server Settings Intel AMT Credentials page. Verify that the required Firewall ports are allowed on the Intel AMT system and the ePolicy Orchestrator server.

We have multiple Agent Handlers in our environment. The SOL connection through a local Agent Handler is failing. How do I resolve this?
This occurs when the Intel AMT client is not accessible from the Agent Handler. Perform these steps to resolve the issue:
- If the Intel AMT client is moved from one Agent Handler to another and the SOL connection is tried before the agent-server communication that updates this change, wait for the next agent-server communication.
- Make sure that port 16995 is not blocked in the firewall.
- Assign the local Agent Handler to the target system from Menu | Configuration | Agent Handlers | New Assignment. See the McAfee ePolicy Orchestrator Product Guide for detailed instructions.

Properties
When does the Last Power On Time parameter get updated on the Deep Command tab?
Last Power On Time is one of the properties displayed on the Deep Command tab of the System Details
page. This property is updated when an Intel AMT Power On action is executed from the McAfee
ePO console.
Why are the Intel AMT system properties not updated in a configured system?
Like other managed products, Intel AMT properties appear after the second agent-server communication.

Local Access and Remote Access

What is the 63-character restriction warning message that appears while creating a Local Access Policy?
The Intel AMT chipset limits the Local Access and Remote Access configuration to 63 characters. Out of these, 20 characters are used for the protocol header and directory path. For a Local Access policy to be successfully enforced, the actual Agent Handler name (published DNS or computer name) is shown in the drop-down list. The Agent Handler name and port number in the Local Access policy must together be 43 characters or fewer. If the length is greater than 43 characters, a warning message is displayed and the policy can't be saved.
If the total FQDN size of the agent and Agent Handler exceeds 63 characters and the policy is enforced, the Local Access request sent by the Intel AMT system won't work properly.

Where are the log files created for the ePO Deep Command Gateway Server?
The ePO Deep Command Gateway Server log is saved in C:\Program Files (x86)\McAfee\ePO Deep Command Gateway\logs\AMTGatewayService_out.log. You can change the debug level of the log file by changing the parameter Trace Level in the configuration file C:\Program Files (x86)\McAfee\ePO Deep Command Gateway\conf\AMTGatewayService_log.config.

When I click "Get Technical Help" to send a Remote Access request from the Intel Management and Security Status tool, it shows an error that my organization is not reachable. How do I resolve this issue?
Perform these actions:
1 From the Intel AMT system, open Mozilla Firefox and access your DMZ Agent Handler system where the ePO Deep Command Gateway Server is running. The URL must include the port where stunnel is running. Firefox shows an SSL certificate warning in your browser. If using Internet Explorer, you might have issues viewing the certificates.
2 View the SSL certificate and verify that it has been issued to the host name of the ePO Deep Command Gateway Server, which should be resolvable from the Internet.
3 Verify that the issuer of the certificate is the same CA that has been used for configuring the Intel AMT system or is known to the Intel AMT system.
4 Check the ePO Deep Command Gateway Server log (AMTGatewayService_out.log) and the amtservice.log on the Agent Handler system.
5 Make sure that DNS resolution is working properly on the ePO Deep Command Gateway Server and that unnecessary services are not running on the system. Disable any services like IP Helper or IPv6 services if they are not in use and try again.

I am not able to establish a Remote Access connection; it fails with an "Unknown CA" error in the Stunnel Log. What should I do?
The Remote Access requests might fail if the root CA certificate is not imported into the Management Engine Certificate Store of the Intel AMT systems. To resolve this, make sure that the required certificate is added successfully.

I am not able to establish a Remote Access connection; it fails with a "certificate unknown" error in the Stunnel Log. What should I do?
This issue occurs when the stunnel configuration and management certificates are not in sync. To troubleshoot this issue:
1 In the Intel Commander, check whether the CA is present in the Intel Management Engine Certificate Store.
2 In the stunnel configuration, check whether the CA in stunnel and the one in the certificate store are the same.

IDER

I am unable to initiate an IDER Session. How do I find the cause of failure from the amtservice.log?
First, perform these checks:
- Make sure that IDE-Redirection (IDER) is supported and enabled on the System Properties Intel AMT page.
- Verify that the correct credentials and certificates are uploaded in the Server Settings Intel AMT Credentials page.
- Make sure that the system is not in an active IDER session before initiating the IDER session.
Then perform these tasks specific to the reasons for the IDER failure as mentioned in the amtservice.log:
- Authentication Failure, HTTP 401 error, or IDER Session Closed: Verify that the correct user name and password are provided in the Server Settings Intel AMT Credentials page.
- TLS Connection Failure: Verify that the certificates imported in the Server Settings Intel AMT Credentials page are correct.
- Invalid Parameter: Verify that the shared ISO image path is correct and is accessible by the Agent Handler.
- Socket Error: Verify that the system is properly connected and is reachable from the Agent Handler.
- Maximum Connections: This means that four IDER sessions are already active through the Agent Handler. Stop one of the active IDER sessions and then try again. Verify that the required Firewall Ports are allowed on the Intel AMT system and on the ePolicy Orchestrator server. Additionally, do this:
  1 Verify that the domain of the Intel AMT system is being correctly resolved from the ePolicy Orchestrator server.
  2 Confirm that the FQDN of the Intel AMT system is correctly resolving from the ePO server.
  3 Verify that the domain of the shared folder is correctly resolving from the Agent Handler and the shared file is accessible.

IDER is not working in a Local Access environment. What should I do?
It might be because the Universal Naming Convention (UNC) share is not accessible from ServiceAMT due to the domain authentication policy for the UNC share. Make sure that:
- The recovery operating system image file is an .iso file shared on a UNC mount.
- The UNC share is accessible by the Agent Handler using the system account.
- The path has been defined using the UNC syntax rather than using the IP address.

The Boot/Reboot from Image (IDER) fails when the Intel AMT client is in sleep state. What should we do?
It requires two attempts of the Boot/Reboot from Image action in this situation. The Intel AMT client powers on in the first attempt. Perform the action again for a successful boot from the image.

Alarm Clock

I am unable to enforce an Alarm Clock policy. How do I find the actual cause of failure and resolve this issue?
Make sure that the Intel AMT system is in the Post-Configured state and the System Properties Intel AMT page is updated. Confirm that the AMT tag is applied to the system in the System Tree and the Alarm Clock policy is saved correctly.
Check the amtservice.log. If the reason for failure is Authentication Failure or HTTP 401 error, check that the correct user name and password are provided.
In amtservice.log, if the reason for failure is Failed to create alarm clock service, make sure that the Intel AMT Alarm Clock feature is supported by the system. On the client system Intel ME, the time must be set to UTC if Kerberos is used for authentication. Verify that the client system Intel ME time and Agent Handler time are in sync (plus or minus 15 minutes). Refer to the Firewall Port section of the product documentation and verify that the required Firewall Ports are allowed on the Intel AMT system and on the ePolicy Orchestrator Server.

How do I verify that the Alarm Clock Policy is successfully enforced on an Intel AMT system?
Verify these conditions:
- The Policy Enforcement task in the server task log shows the status as completed.
- From the System Properties Intel AMT page, confirm the alarm is enabled and the time fields display the updated values.
- On the Intel AMT client system, the Alarm Clock values set by the Alarm Clock policy enforcement can be verified by using Intel tools like the Manageability Commander Tool and PowerShell.

Why does the Alarm Clock Policy fail to set the time saved in the policy?
Verify that the Alarm Clock Time set in the policy is at least five minutes ahead of the Intel ME time at the time of policy enforcement.
If the Alarm Clock settings are not ahead of the Intel ME time:
- If a repeat interval is set, the Alarm Clock is adjusted to the execution time.
- If no interval is set, the Alarm Clock is adjusted by 24 hours.
- If randomization is enabled, a random time is added.
If in doubt, set the Agent Handler log level to eight. This will display the times and dates used for calculating the Alarm Clock.
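A pre-check for an Alarm Clock policy that applies the rules above before enforcement, added as an example and not part of the guide or of ePO Deep Command. It assumes "adjusted to the execution time" means the alarm is moved forward by whole repeat intervals until it is far enough ahead, and it uses a one-hour randomization window, which the guide does not specify; both are labelled in the code.

```python
import math
import random
from datetime import datetime, timedelta

MIN_LEAD = timedelta(minutes=5)          # policy time must be this far ahead of Intel ME time
CLOCK_TOLERANCE = timedelta(minutes=15)  # allowed Intel ME / Agent Handler skew per the FAQ
RANDOM_WINDOW_SECONDS = 3600             # assumed size of the randomization window


def _parse(ts):
    """Times are 'YYYY-MM-DD HH:MM:SS' strings, e.g. the values seen at log level 8."""
    return datetime.fromisoformat(ts)


def clocks_in_sync(me_time, handler_time):
    """True when the Intel ME and Agent Handler clocks differ by at most 15 minutes."""
    return abs(_parse(me_time) - _parse(handler_time)) <= CLOCK_TOLERANCE


def policy_time_ok(alarm_time, me_time):
    """True when the saved alarm is at least five minutes ahead of Intel ME time."""
    return _parse(alarm_time) >= _parse(me_time) + MIN_LEAD


def effective_alarm(alarm_time, me_time, interval_minutes=None, randomize=False, seed=None):
    """Predict when the alarm will fire after enforcement.

    When the alarm is not far enough ahead of Intel ME time it is moved
    forward by whole repeat intervals until it is (assumed reading of
    'adjusted to the execution time'), or by 24 hours when no interval is set.
    With randomization enabled a random offset inside the assumed window is added.
    """
    if interval_minutes is not None and interval_minutes <= 0:
        raise ValueError("repeat interval must be positive")
    fire = _parse(alarm_time)
    earliest = _parse(me_time) + MIN_LEAD
    if fire < earliest:
        if interval_minutes is not None:
            interval = timedelta(minutes=interval_minutes)
            fire += interval * math.ceil((earliest - fire) / interval)
        else:
            fire += timedelta(days=1)
    if randomize:
        fire += timedelta(seconds=random.Random(seed).randint(0, RANDOM_WINDOW_SECONDS))
    return fire.isoformat(sep=" ")


if __name__ == "__main__":
    # Constructed values: a policy saved for 10:00 enforced when the ME clock reads 10:03.
    me = "2012-06-01 10:03:00"
    print("clocks in sync:", clocks_in_sync(me, "2012-06-01 10:10:00"))
    print("policy time ok:", policy_time_ok("2012-06-01 10:00:00", me))
    print("no interval   :", effective_alarm("2012-06-01 10:00:00", me))
    print("60 min repeat :", effective_alarm("2012-06-01 10:00:00", me, interval_minutes=60))
```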

Configure or unconfigure

Can I unconfigure an Intel AMT client using an Intel RCS server other than the one that configured it?
Yes, but only when both Intel RCS servers belong to the same domain. When multiple Intel RCS servers are configured within a domain, any of the servers can be used to configure or unconfigure an Intel AMT client because they all share the same domain privileges.

How do I unconfigure an Intel AMT 6.0 system manually?
1 Start your Intel AMT client and invoke the MEBx screen.
2 Log on to the Intel AMT system with the MEBx password (which might be different from the Admin password).
3 Locate and select the Unconfigure Network Access option. A warning message stating that the configuration will be reset to the default values appears.
4 Press Y to continue.
5 In the next screen, select an appropriate option: Full Unconfigure or Partial Unconfigure, then press Enter to execute the selected option.
6 Once the unconfiguration is complete, the menu appears. Select Return to go back to the previous screen and press Y to exit the MEBx menu.

Why am I not able to unconfigure a client outside my domain?
If a configured Intel AMT client is outside the home domain and has a Remote Access policy configured, it cannot be unconfigured from ePolicy Orchestrator. Unconfigure the client system manually.

Why am I getting exit error code 78 and AMT Status code Not ready when I try to configure a client?
This might occur when the client is Intel AMT-equipped but AMT is disabled in the BIOS. The Intel AMT capabilities might not have been configured by the device manufacturer on this system, so contact your administrator or the device manufacturer's support for a resolution.

McAfee KVM Viewer

I started an IDER session through McAfee KVM Viewer and closed the screen. Why is the IDER connection still active when I reopen the McAfee KVM Viewer screen?
An active IDE-Redirection session does not end when the McAfee KVM Viewer is closed. In the McAfee KVM Viewer screen, click Tools | Power Control | End IDER Session to end the IDER session.

Why does my McAfee KVM Viewer running in a VM environment crash intermittently?
This might happen due to low availability of resources. Free up memory space on the system and try again.

When using Kerberos authentication, why do I see an "authentication failed" error in the KVM Viewer log and "Disconnected" in the KVM Viewer status window?
This might happen when Digest User authentication is selected in the profile configuration you're using. Access the Intel RCS console and check the profile configuration. If Digest User is selected for User Type in the profile, you need to provide the digest logon credentials in McAfee KVM Viewer. In McAfee KVM Viewer, click the General tab, click Options, deselect Use currently logged on credentials, then enter the digest user name and password.

While connecting to a McAfee EEPC client from McAfee KVM Viewer, the mouse pointer behaves abnormally on the Pre-boot authentication screen if I keep it idle for more than 5 minutes. What should I do?
Press Tab to move the cursor to the next field.

General

On Intel AMT systems, which ports must be allowed access through the firewall?
These ports need to be granted access to the Intel AMT system:
- 16993 tcp: Intel AMT SOAP/HTTPS
- 16993 udp: Intel AMT SOAP/HTTPS
- 16995 tcp: Intel AMT Redirection/TLS
- 16995 udp: Intel AMT Redirection/TLS
- 135 (WMI port for ACUconfig to RCS communications)

Why do Intel AMT actions fail with the error message "Openwsman last error = 12175" when the ePolicy Orchestrator server is in a different domain than the Intel AMT systems?
Verify these:
- The Intel AMT system nodes are configured using intermediate CA certificates.
- The certificate of the CA is resolved from the ePolicy Orchestrator server.
- The system account of the ePolicy Orchestrator server has the required trusted CA to perform Intel AMT actions.

Why do all Intel AMT actions fail with the error message "Openwsman last error = 12029"?
This error can occur if TCP Port 16993 on the Intel AMT system is not accessible from the ePolicy Orchestrator server. Refer to the Firewall Port section and verify that the required Firewall Ports are allowed on the Intel AMT system and on the McAfee ePO server.

Why do all Intel AMT actions fail with the error "Openwsman last error = 12002" on only some Intel AMT systems?
This error occurs if the Intel AMT system is not reachable and the request times out.

Do Intel AMT systems need to be connected to AC power to allow Intel AMT actions?
Laptop devices with Intel AMT support must be connected to an AC power supply. Detection of AC (normal power supply) operation and DC power (battery) operation is supported. If the laptop is in the powered-on state, the AC power supply can be disconnected and ePO Deep Command is still able to communicate with the chipset on the laptop. However, if the laptop is turned off or in a different power state, the AC power supply must be connected for ePO Deep Command to communicate with it.
Intel AMT systems can be configured to operate in various Sx states (power states) with an AC power supply, but not with DC power (battery). Some examples of common power states are S0 (the working state when the system is powered on), S3 (also referred to as standby or sleep, when the RAM remains powered), and S4 (also referred to as hibernation, when all the contents of the RAM are stored on the hard disk and the system is turned off).
Power states are tied to power packages. The power packages available on a particular platform running earlier versions of Intel AMT are OEM specific and might vary from one implementation to another, but certain packages are required on all Intel AMT mobile platforms. More details on the supported power packages are available in the Intel AMT Release 2.5/2.6/4.x/6.x/7.0 documentation:
- http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/WordDocuments/supportformultiplepowerpolicies.htm
- http://software.intel.com/enus/articles/mobilecomputingwithintelamt/

When I execute the Synchronize Network Settings task, why doesn't it update the Wi-Fi settings in the Intel AMT client?
Wi-Fi support is not available in ePO Deep Command version 1.5.

Why do some of the AMT commands not work when selected from Automatic Response | New Response | Actions | Run System Command?
Some of the ePO commands are targeted for troubleshooting purposes and also require manual inputs from the user. The two supported commands that can be used in an Automatic Response action are Out-of-Band Enforce AMT Policies and Out-of-Band Power On.


Additional information

See these for additional information.


Contents
Supported Intel AMT features
Sample configuration files
Self-signed configuration certificates
Intel AMT action logs
Writing Python scripts

Supported Intel AMT features

Some features aren't supported on specific versions of Intel AMT. Review this table to determine which features and versions are supported on Intel AMT systems.

Intel AMT version   SOL   IDE-Redirect   Alarm Clock   Local Access   Remote Access   Power on   KVM
4.0                 Yes   Yes            No            No             Yes             Yes        No
5.1                 Yes   Yes            Yes           No             Yes             Yes        No
6.0                 Yes   Yes            Yes           Yes            Yes             Yes        Yes
7.0                 Yes   Yes            Yes           Yes            Yes             Yes        Yes
8.x                 Yes   Yes            Yes           Yes            Yes             Yes        Yes

Online resources for more information on Intel AMT technology:
- http://www.intel.com/content/www/us/en/architectureandtechnology/vpro/vprotechnologygeneral.html
- http://www.intel.com/content/www/us/en/processors/vpro/performance2ndgenerationcorevprofamilypaper.html
- http://downloadmirror.intel.com/15171/eng/D945GTP_AMT_QuickRefGuide01.pdf

Sample configuration files


Here are two sample files that are required to configure the ePO Deep Command Gateway server.
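Before using a sample of this kind, it is worth checking the digest and key-size settings it carries. The script below is an added example, not part of the guide or of ePO Deep Command: it parses the [section] / key = value # comment layout used by the sample file that follows (on a constructed excerpt embedded in the code) and flags default_md = md5 and default_bits = 1024, both below the baseline current CAs and TLS clients accept, beside a corrected copy.

```python
import re

SECTION_RE = re.compile(r"^\[\s*(\w+)\s*\]$")
WEAK_DIGESTS = {"md2", "md4", "md5", "sha", "sha1"}
MIN_RSA_BITS = 2048


def parse_openssl_cnf(text):
    """Return {section: {key: value}}; keys before the first section go under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
        else:
            sections[current][line] = ""      # bare key (e.g. a cut-off entry)
    return sections


def find_weak_settings(cfg):
    """List (section, key, value, advice) for settings below today's baseline."""
    findings = []
    md = cfg.get("CA_default", {}).get("default_md", "")
    if md.lower() in WEAK_DIGESTS:
        findings.append(("CA_default", "default_md", md, "use sha256 or stronger"))
    bits = cfg.get("req", {}).get("default_bits", "")
    if bits.isdigit() and int(bits) < MIN_RSA_BITS:
        findings.append(("req", "default_bits", bits,
                         f"RSA keys should be at least {MIN_RSA_BITS} bits"))
    return findings


# Constructed excerpt in the layout of the guide's sample (not the full file).
SAMPLE_CNF = r"""
RANDFILE = .rnd
[ ca ]
default_ca = CA_default            # The default ca section
[ CA_default ]
dir = demoCA                       # Where everything is kept
certificate = $dir\cacert.pem      # The CA certificate
default_days = 365                 # how long to certify for
default_md = md5                   # which md to use.
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
"""

# The same excerpt with the two settings raised to a current baseline.
HARDENED_CNF = SAMPLE_CNF.replace("default_md = md5", "default_md = sha256").replace(
    "default_bits = 1024", "default_bits = 2048")

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CNF), ("hardened", HARDENED_CNF)):
        weak = find_weak_settings(parse_openssl_cnf(text))
        print(label, "->", weak or "no weak settings found")
```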

Sample file for generating certificates


RANDFILE
[ ca ]
default_ca

= .rnd
= CA_default

McAfee ePO Deep Command 1.5.0

# The default ca section

Product Guide

119

Additional information
Sample configuration files

[ CA_default ]
dir
= demoCA
# Where everything is kept
certs
= $dir\certs
# Where the issued certs are kept
crl_dir
= $dir\crl
# Where the issued crl are kept
database
= $dir\index.txt
# database index file.
new_certs_dir
= $dir\newcerts
# default place for new certs.
certificate
= $dir\cacert.pem
# The CA certificate
serial
= $dir\serial
# The current serial number
crl
= $dir\crl.pem
# The current CRL
private_key
= $dir\private\cakey.pem
# The private key
RANDFILE
= $dir\private\private.rnd # private random number file
x509_extensions
= x509v3_extensions
# The extentions to add to the cert
default_days
= 365
# how long to certify for
default_crl_days= 30
# how long before next CRL
default_md
= md5
# which md to use.
preserve
= no
# keep passed DN ordering
policy
= policy_match
[ policy_match ]
countryName
= optional
stateOrProvinceName
= optional
organizationName
= optional
organizationalUnitName
= optional
commonName
= supplied
emailAddress
= optional
[ policy_anything ]
countryName
= optional
stateOrProvinceName
= optional
localityName
= optional
organizationName
= optional
organizationalUnitName
= optional
commonName
= supplied
emailAddress
= optional
[ req ]
default_bits
= 1024
default_keyfile
= privkey.pem
distinguished_name
= req_distinguished_name
attributes
= req_attributes
[ req_distinguished_name ]
countryName
= Country Name (2 letter code)
countryName_min
= 2
countryName_max
= 2
stateOrProvinceName
= State or Province Name (full name)
localityName
= Locality Name (eg, city)
0.organizationName
= Organization Name (eg, company)
organizationalUnitName
= Organizational Unit Name (eg, section)
commonName
= Common Name (eg, your website's domain name)
commonName_max
= 64
emailAddress
= Email Address
emailAddress_max
= 40
[ req_attributes ]
challengePassword
challengePassword_min
challengePassword_max

= A challenge password
= 4
= 20

[ x509v3_extensions ]
nsCertType
= 0x40

Sample file for stunnel configuration


; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here might not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = C:\Program Files (x86)\stunnel\cira.pem
key = C:\Program Files (x86)\stunnel\cira.key
CAfile = C:\Program Files (x86)\stunnel\ca.cer

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv3
options = NO_SSLv2
ciphers = AES128-SHA
; Authentication stuff
; verify = 0: stunnel does not request or validate a certificate from the
; connecting AMT system, so TLS here only authenticates the gateway to the
; client. Use a higher level only once client certificates are provisioned
; on the AMT systems.
verify = 0
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
; debug = 7 logs everything, including per-connection detail; lower it once
; the gateway is working
debug = 7
output = C:\Program Files (x86)\stunnel\stunnel.log
; Use it for client mode
client = no
; Service-level configuration
[ciraamt]
accept = 81
connect = 11111
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
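The two sample files above are the ones a reviewer checks before a gateway goes live. The script below is an added example, not part of the McAfee guide or of stunnel: a small reader for the OpenSSL-style (`#` comments) and stunnel-style (`;` comments, repeatable keys) configuration text, and the checks that catch the weak settings in both samples (md5 signing, 1024-bit keys, missing NO_SSLv2/NO_SSLv3, verify = 0, debug = 7, a cipher list without forward secrecy). The embedded sample text is constructed from the values shown on this page and is not the complete files; the hardened stunnel variant assumes client certificates are provisioned on the AMT systems and that the firmware accepts the ECDHE suite, which must be confirmed against Intel's documentation.

```python
"""Audit the gateway sample files for weak settings (added example)."""
import re

WEAK_DIGESTS = {"md2", "md4", "md5", "sha", "sha1"}


def parse_ini(text, comment_chars="#;"):
    """Return {section: [(key, value), ...]}, preserving order and duplicates
    (stunnel repeats 'options' and 'socket'). Keys before the first [section]
    header land under the "" section."""
    sections = {"": []}
    current = ""
    strip_comment = re.compile(r"[%s].*$" % re.escape(comment_chars))
    for raw in text.splitlines():
        line = strip_comment.sub("", raw).strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_openssl(cfg):
    """Findings for the certificate-generation sample."""
    findings = []
    ca = dict(cfg.get("CA_default", []))
    req = dict(cfg.get("req", []))
    md = ca.get("default_md", "").lower()
    if md in WEAK_DIGESTS:
        findings.append("CA_default.default_md=%s: sign with sha256 or stronger" % md)
    bits = int(req.get("default_bits", "0"))
    if bits < 2048:
        findings.append("req.default_bits=%d: generate 2048-bit or larger RSA keys" % bits)
    return findings


def audit_stunnel(cfg):
    """Findings for the stunnel sample (global section; the service section
    only carries the port mapping)."""
    findings = []
    items = cfg.get("", [])
    settings = dict(items)
    options = {v.upper() for k, v in items if k == "options"}
    for proto in ("NO_SSLV2", "NO_SSLV3"):
        if proto not in options:
            findings.append("options=%s missing: that SSL version stays enabled" % proto)
    if settings.get("verify", "0") == "0":
        findings.append("verify=0: the connecting AMT system's certificate is not checked; "
                        "acceptable only if the CIRA layer authenticates the client")
    level = settings.get("debug", "5").split(".")[-1]
    if level == "debug" or (level.isdigit() and int(level) >= 7):
        findings.append("debug=%s: full debug output goes to %s; lower it once the gateway works"
                        % (settings["debug"], settings.get("output", "the log")))
    ciphers = settings.get("ciphers", "")
    if not re.search(r"(EC)?DHE", ciphers):
        findings.append("ciphers=%s: no DHE/ECDHE suite, so sessions have no forward secrecy "
                        "(check AMT firmware support before changing)" % ciphers)
    return findings


# Constructed excerpts of the two samples shown in the guide.
OPENSSL_SAMPLE = """\
[ CA_default ]
default_md       = md5          # which md to use.
default_days     = 365
[ req ]
default_bits     = 1024
"""
HARDENED_OPENSSL = OPENSSL_SAMPLE.replace("md5", "sha256").replace("1024", "2048")

STUNNEL_SAMPLE = """\
; constructed from the guide's sample
cert = C:\\Program Files (x86)\\stunnel\\cira.pem
options = NO_SSLv3
options = NO_SSLv2
ciphers = AES128-SHA
verify = 0
debug = 7
output = C:\\Program Files (x86)\\stunnel\\stunnel.log
client = no
[ciraamt]
accept = 81
connect = 11111
"""
# verify = 2 requires client certificates on the AMT systems (assumption, see lead-in).
STUNNEL_HARDENED = (STUNNEL_SAMPLE.replace("verify = 0", "verify = 2")
                    .replace("debug = 7", "debug = 5")
                    .replace("AES128-SHA", "ECDHE-RSA-AES128-SHA"))

if __name__ == "__main__":
    for name, text, chars, audit in (("openssl", OPENSSL_SAMPLE, "#", audit_openssl),
                                     ("stunnel", STUNNEL_SAMPLE, ";", audit_stunnel)):
        for finding in audit(parse_ini(text, chars)):
            print("%s: %s" % (name, finding))
```

Run it against the real files with `parse_ini(open(path).read(), "#")` for the OpenSSL config and `";"` for stunnel.conf; an empty findings list is the goal before the service is started.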

Self-signed configuration certificates


When using a self-signed Certification Authority to create the configuration certificate, consider
these points.

Its root hash must be entered into each AMT client system that will be configured. This can be done
at the time of manufacture or entered manually using the Intel Management Engine BIOS
Extension (MEBx) interface.

A certificate template must be created first. The Computer template available in the Microsoft
Certification Authority can be duplicated.

The Object Identifier 2.16.840.1.113741.1.2.3 (Intel AMT setup and configuration) has to be added in
the Enhanced Key Usage section of the template.

A certificate request should be sent to the self-signed CA with the FQDN of the configuration server
in the Subject Name.

The CA should use this template to generate the certificate, which is then saved in the
configuration server.
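The points above describe the Microsoft CA workflow. The following is an added example, not from the McAfee guide, showing the same two requirements when the CA is driven with OpenSSL instead: an extension section that puts the Intel AMT setup OID into extendedKeyUsage next to the server's FQDN, and the fingerprint of the root CA certificate that has to be typed into MEBx. It assumes that the root hash MEBx expects is a SHA-1 (older firmware) or SHA-256 (newer firmware) digest over the DER encoding of the root certificate; the PEM blob embedded here is constructed, not a real certificate, and only exercises the hashing path.

```python
"""OpenSSL-side helpers for an Intel AMT setup certificate (added example)."""
import base64
import hashlib
import re

# OID the guide says must appear in Enhanced Key Usage of the template.
AMT_SETUP_OID = "2.16.840.1.113741.1.2.3"


def amt_setup_extensions(fqdn):
    """Return an OpenSSL x509 extension section for the configuration server
    certificate: serverAuth plus the Intel AMT setup OID in the EKU, and the
    FQDN as a DNS SAN (the CN comes from the request's subject)."""
    if not re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+", fqdn, re.I):
        raise ValueError("configuration server name must be a FQDN: %r" % fqdn)
    return "\n".join([
        "[ amt_setup_ext ]",
        "basicConstraints = CA:FALSE",
        "keyUsage = digitalSignature, keyEncipherment",
        "extendedKeyUsage = serverAuth, %s" % AMT_SETUP_OID,
        "subjectAltName = DNS:%s" % fqdn,
        "",
    ])


def eku_has_amt_oid(extension_text):
    """True if an extension section lists the Intel AMT setup OID in
    extendedKeyUsage; use it to check a section read back from disk."""
    for line in extension_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "extendedKeyUsage":
            return AMT_SETUP_OID in [v.strip() for v in value.split(",")]
    return False


def pem_to_der(pem_text):
    """Extract and base64-decode the first CERTIFICATE block from PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def root_hash(pem_text, algorithm="sha1"):
    """Fingerprint of the root CA certificate in the AA:BB:... form used when
    entering it by hand (assumption: digest over the DER encoding)."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("MEBx root hashes are SHA-1 or SHA-256")
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in: real PEM framing around arbitrary bytes, so the code
# runs offline. Point root_hash() at the actual cacert.pem for the real value.
SAMPLE_ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-root-ca-der-bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(amt_setup_extensions("amtconfig.example.com"))
    print("SHA-1   root hash:", root_hash(SAMPLE_ROOT_PEM))
    print("SHA-256 root hash:", root_hash(SAMPLE_ROOT_PEM, "sha256"))
```

Write the returned section into a file and pass it to the CA with `openssl ca -config <cnf> -extfile <file> -extensions amt_setup_ext -in <csr>`; the request itself should carry the same FQDN in its Common Name, as the guide requires.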


Intel AMT action logs


These tables list, by feature, the log entries created as a result of Intel AMT actions.

Table A-1 Intel AMT action server task log entries

Feature: SOL (Serial-over-LAN)
  Server task log entry: Initiated Start of Serial-over-LAN session
  Description: Added when SOL is initiated, with the status:
    In Progress   A session is active.
    Completed     A session finished successfully.
    Failed        A session fails.
    Terminated    A session is terminated by the user.
  Server task log entry: Initiated Stop of Serial-over-LAN (SOL) session
  Description: Added when SOL stop is initiated, with the status: In Progress, Completed, Failed, or Terminated.

Feature: IDER
  Server task log entry: Start/Reboot with Options
  Description: Added when IDE-Redirection (IDER) is initiated, with the status: In Progress, Completed, Failed, or Terminated.
  Server task log entry: Initiated Stop of Image Redirection
  Description: Added when IDER stop is initiated, with the status: In Progress, Completed, Failed, or Terminated.

Feature: SOL BIOS
  Server task log entry: Boot/Reboot to BIOS Setup
  Description: Added when Boot/Reboot to BIOS Setup is initiated, with the status: In Progress, Completed, Failed, or Terminated.

Feature: Power On
  Server task log entry: Initiated Out-of-Band Power On
  Description: Added when Out-of-Band Power On is initiated, with the status: In Progress, Completed, Failed, or Terminated.

Feature: Policy Enforcement
  Server task log entry: Out-of-Band Enforce AMT Policies
  Description: Added when Enforce AMT Policies is initiated, with the status: In Progress, Completed, Failed, or Terminated.

Feature: Normal Boot/Reboot
  Server task log entry: Initiated Normal Boot/Reboot
  Description: Added when Normal Boot/Reboot is initiated, with the status: In Progress, Completed, Failed, or Terminated.

Feature: Run Tag Criteria
  Server task log entry: ePO Deep Command: Run Tag Criteria
  Description: Added when ePO Deep Command: Run Tag Criteria is initiated, with the status: Completed or Terminated.

Table A-2 Out-of-band action Audit Log entries

Feature: SOL
  Audit Log entry: Serial-over-LAN (Request to Start Serial-over-LAN session sent to System)
  Description: Displays when SOL is initiated.
  Audit Log entry: Serial-over-LAN (Request to Stop Serial-over-LAN session sent to System)
  Description: Displays when SOL stop is initiated.

Feature: IDER
  Audit Log entry: Initiated Boot/Reboot from Image
  Description: Displays when IDER is initiated.
  Audit Log entry: Initiated Stop of Image Redirection
  Description: Displays when IDER stop is initiated.

Feature: SOL BIOS
  Audit Log entry: Initiated Boot/Reboot to BIOS Setup
  Description: Displays when Boot/Reboot to BIOS Setup is initiated.

Feature: Power On
  Audit Log entry: Out-of-Band Power On
  Description: Displays when Out-of-Band Power On is initiated.

Feature: Policy Enforcement
  Audit Log entry: Out-of-Band Enforce AMT Policies
  Description: Displays when Enforce AMT Policies is initiated.

Feature: Normal Boot/Reboot
  Audit Log entry: Initiated Normal Boot/Reboot
  Description: Displays when Normal Boot/Reboot is initiated.

Feature: Run Tag Criteria
  Audit Log entry: Evaluate AMT tag criteria
  Description: Displays when Evaluate AMT tag criteria is initiated.

Table A-3 Out-of-band action Threat Event Log entries

Feature: Local Access
  Threat Event Log entry: Local Fast Call for Help
  Description: The Local Access call is initiated by the Intel AMT system.

Feature: Remote Access
  Threat Event Log entry: Connected Remote Fast Call for Help
  Description: The Remote Access call is initiated by the Intel AMT system.
  Threat Event Log entry: Disconnected Remote Fast Call for Help
  Description: The Remote Access call is terminated by the Intel AMT system.

Writing Python scripts


You can write Python scripts to enforce Intel AMT policies and power on your client systems from the
Intel AMT action.
Download the Python Remote Client scripting library from the ePolicy Orchestrator server. The functions
used in your scripts are defined there.
1  In the ePolicy Orchestrator console, click Menu | Software | Software Manager.
2  In Product Categories under Software (by Label), click Management Solutions.
3  Select McAfee ePolicy Orchestrator 4.6 as the product, then click Download for the corresponding Python
   Remote Client.
Download the McAfee ePolicy Orchestrator Scripting Guide for more information on using Python scripts.

Sample script for OutofBand Power On


# Script to do an OOB Power On through the ePO Python Scripting support.
# The parameter to be passed to the script is an IP address, or a comma-separated list of IP addresses.
# Written for the Python 2.6 interpreter that the ePO Python Remote Client of this release targets.
import sys
import mcafee
# mcafee.client() is called with these parameters:
# 1st parameter is the hostname of the ePO system.
# 2nd parameter is the port on which the ePO web interface is accessible.
# 3rd parameter is the user name that will be used to log on to the ePO web interface.
# 4th parameter is the password of the user name provided in the 3rd parameter.
# 5th parameter is always https and 6th parameter is always json.
# The values below are placeholders. Do not leave a real password in the script file;
# read it from a prompt (getpass) or a protected file instead.
mc = mcafee.client('myepo', '8443', 'admin', 'epo', 'https', 'json')
try:
    targets = sys.argv[1]  # input to the script: our AMT system IP address(es).
except IndexError:
    print "Missing 1st parameter. Provide a single IP address or a comma-separated list of IP addresses"
    print "Provide help as the first parameter to get more information"
else:
    if targets in ("help", "-h", "--help"):
        print "This script will attempt to do an OOB Power On for a remote AMT system using the scripting support in ePO"
        print "It requires only one parameter. Pass the IP address of the remote AMT system to power on"
        print "You can optionally pass a comma-separated list of IP addresses of the remote AMT systems to power on"
        print "Example : c:\\python26\\python.exe oobpoweron.py amt01"
        print "NOTE: Run the command \"set PYTHONIOENCODING=utf-8\" on the command prompt before running the oobpoweron.py script to be able to see the errors"
    else:
        try:
            result = mc.amt.powerOn(targets)
            print result
        except mcafee.CommandInvokerError, e:
            try:
                print "Error in doing OOB Power On as the command failed to invoke properly due to the following error"
                print "================"
                print e.__str__()
                print "================"
            except:
                # Printing the server's error text can itself fail on a console that can't encode it.
                print "NOTE: Run the command \"set PYTHONIOENCODING=utf-8\" on the command prompt before running the oobpoweron.py script to be able to see the errors"
        except AttributeError, e:
            print "Error in using amt.powerOn attribute"

Sample script for Intel AMT system policy enforcement


# Script to do an OOB Policy Enforcement through the ePO Python Scripting support.
# The parameter to be passed to the script is an IP address, or a comma-separated list of IP addresses.
# Written for the Python 2.6 interpreter that the ePO Python Remote Client of this release targets.
import sys
import mcafee
# mcafee.client() is called with these parameters:
# 1st parameter is the hostname of the ePO system.
# 2nd parameter is the port on which the ePO web interface is accessible.
# 3rd parameter is the user name that will be used to log on to the ePO web interface.
# 4th parameter is the password of the user name provided in the 3rd parameter.
# 5th parameter is always https and 6th parameter is always json.
# The values below are placeholders. Do not leave a real password in the script file;
# read it from a prompt (getpass) or a protected file instead.
mc = mcafee.client('myepo', '8443', 'admin', 'epo', 'https', 'json')
try:
    targets = sys.argv[1]  # input to the script: our AMT system IP address(es).
except IndexError:
    print "Missing 1st parameter. Provide a single IP address or a comma-separated list of IP addresses"
    print "Provide help as the first parameter to get more information"
else:
    if targets in ("help", "-h", "--help"):
        print "This script will attempt to do an OOB Policy Enforcement for a remote AMT system using the scripting support in ePO"
        print "It requires only one parameter. Pass the IP address of the remote AMT system to enforce policies on"
        print "You can optionally pass a comma-separated list of IP addresses of the remote AMT systems to do a Policy Enforcement"
        print "Example : c:\\python26\\python.exe oobenforcepolicy.py amt01"
        print "NOTE: Run the command \"set PYTHONIOENCODING=utf-8\" on the command prompt before running the oobenforcepolicy.py script to be able to see the errors"
    else:
        try:
            result = mc.amt.enforcePolicy(targets)
            print result
        except mcafee.CommandInvokerError, e:
            try:
                print "Error in doing OOB Policy Enforcement as the command failed to invoke properly due to the following error"
                print "================"
                print e.__str__()
                print "================"
            except:
                # Printing the server's error text can itself fail on a console that can't encode it.
                print "NOTE: Run the command \"set PYTHONIOENCODING=utf-8\" on the command prompt before running the oobenforcepolicy.py script to be able to see the errors"
        except AttributeError, e:
            print "Error in using amt.enforcePolicy attribute"
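Both sample scripts pass whatever arrives in sys.argv[1] straight to the AMT action and keep the ePO password in the file. The block below is an added example, not part of the McAfee guide or of the ePO Python Remote Client, that wraps either call with the two things a practitioner adds first: validation of the target list (IP addresses or host names, deduplicated, nothing else) and credential handling that never puts a literal password in the script. It assumes, as the guide's scripts do, that the client object exposes amt.powerOn and amt.enforcePolicy taking one comma-separated string, and that mcafee.CommandInvokerError is raised on failure; it is written for Python 3, whereas the guide's scripts target Python 2.6.

```python
"""Target validation and credential handling around the guide's two scripts (added example)."""
import getpass
import ipaddress
import os
import re

# RFC 1123 host name: labels of 1-63 alphanumerics/hyphens, 253 characters total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def parse_targets(arg):
    """Split a comma-separated argument into a deduplicated list of valid IP
    addresses or host names, in the order given. Raises ValueError on anything
    else so a typo or a stray character never reaches the AMT action."""
    seen, targets = set(), []
    for item in arg.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            ipaddress.ip_address(item)
        except ValueError:
            if not HOSTNAME_RE.match(item):
                raise ValueError("not an IP address or host name: %r" % item)
        if item.lower() not in seen:
            seen.add(item.lower())
            targets.append(item)
    if not targets:
        raise ValueError("no targets given")
    return targets


def epo_password(env_var="EPO_PASSWORD"):
    """Take the password from the environment (set by a scheduler or a
    protected wrapper) or prompt for it; never from a literal in the script."""
    return os.environ.get(env_var) or getpass.getpass("ePO password: ")


def run_amt_action(client, action, targets, error_type=Exception):
    """Invoke amt.powerOn or amt.enforcePolicy once for the whole batch, as
    the guide's scripts do. Returns (result, None) or (None, error message)."""
    if action not in ("powerOn", "enforcePolicy"):
        raise ValueError("unsupported action %r" % action)
    try:
        method = getattr(client.amt, action)
    except AttributeError:
        return None, ("ePO server does not expose amt.%s; is the Deep Command "
                      "extension installed?" % action)
    try:
        return method(",".join(targets)), None
    except error_type as exc:
        return None, "amt.%s failed: %s" % (action, exc)


if __name__ == "__main__":
    import sys
    import mcafee  # the ePO Python Remote Client downloaded as described above
    action, targets = sys.argv[1], parse_targets(sys.argv[2])
    mc = mcafee.client("myepo", "8443", "admin", epo_password(), "https", "json")
    result, error = run_amt_action(mc, action, targets, mcafee.CommandInvokerError)
    print(error or result)
```

Usage: `python oobaction.py powerOn amt01,10.0.0.5` with EPO_PASSWORD set in the environment, or without it to be prompted; the host name and port are placeholders to replace with your ePO server's.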


Index

Numerics
401 or 12175 error messages 32

A
about this guide 7
actions
  AMT policies, enforcing 96
  boot/reboot to BIOS 93
  configuration policy, enforcing 96
  IDE-redirect 94
  image redirection, stopping 95
  normal boot/reboot 93
  power on 92
  serial-over-LAN 94
AMT
  actions 91
  configuration 15
  configuration states 16
  connection, testing 33
  management 83
  overview 13
  policies 83
  reports 63
AMT action logs 122
AMT configuration
  action 96
  Admin Control overview 21
  authentication protocols 16
  certificate issuance 39
  certificates 17
  chain certificates, creating 29
  dcom permissions, modifying 47
  mode 21
  policy 51, 84
  ports 21
  prerequisites 19
  process 15
  profile, creating 40
  rcs manager workflow 18
  rcs manager, installing 50
  template, creating 36
  template, enabling 38
  using TLS 21
  WMI permissions, modifying 45
AMT unconfiguration
  identify state 54
  policy 53, 84
  tag removal 54

C
conventions and icons used in this guide 7

D
dashboards and monitors
  management summary 78
  rcs management 81
  reporting summary 74
deep command
  AMT credentials, specifying 31
  CA certificates, importing 32
  components 9
  events 106
  extensions, installing 26
  extensions, removing 62
  extensions, upgrading 26
  maintenance tasks 105
  online help, installing 33
  overview 9
  requirements 23
  user permissions, configuring 34
  workflow 13
discovery and reporting
  dashboard 74
  driver used 74
  management dashboard 78
  management queries 65
  overview 9
  plug-in, deploying 27
  plug-in, removing 61
  properties collection 69
  queries, viewing 65
  query filters 65
  rcs management dashboard 81
  rcs management queries 64
  reporting queries 63
documentation
  audience for this guide 7
  product-specific, finding 8
  typographical conventions and icons 7

F
frequently asked questions 109

K
kvm viewer
  how to use 98
  local connection 103
  options 104
  overview 9
  policy, enforcing 98
  remote connection 104
  settings, modifying 99

L
logs: AMT actions 122

M
management framework
  client, deploying 28
  client, removing 60
  dashboard 78
  overview 9
  queries 65
McAfee ServicePortal, accessing 8

P
policies
  alarm clock 85
  AMT 85
  automatic enforcement 97
  CILA 87
  CIRA 88
  client task execution 90
  client task log 91
  configuration 83
  kvm 89
  local access 87
  power on 85
  remote access 88
  server tasks 97
product features 12
python scripts 123

Q
queries and reports
  discovery 63
  management framework 65
  rcs management 64

R
rcs manager
  AMT configuration 35
  dashboard 81
  extension, installing 50
  overview 9
  package, checking in 50
  plug-in, deploying 51
  plug-in, removing 61
  queries 64
remote access
  certificates, validating 60
  gateway server overview 54
  gateway server, installing 56
  stunnel certificates, generating 57
  stunnel certificates, signing 58
  stunnel service, installing 59
  stunnel service, starting 59
  stunnel, configuring 59
  stunnel, installing 57

S
sample configuration file: stunnel 119
sample configuration file: used while generating certificates 119
sample python script: AMT policy enforcement 123
sample python script: out-of-band power-on 123
server tasks
  AMT policies, enforcing 97
  AMT tag, assigning 28
  power on 97
ServicePortal, finding product documentation 8

T
Technical Support, finding product information 8