This document explains how to deploy McAfee ePO Deep Command to your endpoints. Deep Command not only provides out-of-band management for your clients, but it can now also be used to configure Intel AMT hardware. This is useful because configuring AMT hardware previously required custom scripts or third-party software. This document is written to accommodate remote configuration of Intel AMT. If you wish to use an alternative configuration method, refer to the alternative configuration documentation.
The following prerequisites are required to complete the steps in this document:
- Intel AMT capable hardware
- Selection of the remote configuration method for Intel AMT
- Intel SCS and McAfee components configured in accordance with the other documents in this series
The core installation and configuration steps in this document include:
- Edit AMT Configuration policy
- Identify and Tag Systems Ready for Deep Command deployment
- Create Deep Command deployment task
- Monitor deployment progress
Edit AMT Configuration Policy
McAfee configures Intel AMT clients by interfacing with Intel SCS. This is why the RCS Manager must be deployed to the Intel SCS server: it exposes Intel SCS settings, such as the AMT configuration profile, to ePO. From ePO, we simply select which configuration profile we want to use and include it in the Deep Command AMT Configuration policy. Once Deep Command is deployed to the endpoint, this policy takes effect after the first policy enforcement performed by the McAfee Agent. If the policy is properly enforced, the system will go from the "Pre Configuration" state to the "Post Configuration" state in the Deep Command Discovery and Reporting dashboard. A status of Post Configuration indicates that Intel AMT is fully configured.
In ePO, go to Menu > Policy > Policy Catalog and select ePO Deep Command, then choose AMT Configuration Policies as the category. Open the policy and choose the option to allow ePO to enforce these settings. Select your Intel SCS server from the drop-down menu. Then select Configure and Maintain and choose your AMT profile from the drop-down menu (in this example it is AMTprofile).
Identify and Tag Systems Ready for Deep Command Deployment
The data collected by the Deep Command Discovery and Reporting software can be used to create a custom query that identifies systems ready for AMT configuration. The query looks for systems that are AMT capable, are not missing the MEI driver, and are not already fully AMT provisioned. The results of this query are then used to apply a tag that identifies systems ready for Deep Command deployment.
In McAfee ePO, go to Menu > Reporting > Queries and Reports. Then select ePO Deep Command Reporting and choose New.
In the Feature Group, select Systems Management. In the Results Type choose Managed Systems and click Next to proceed.
In the Query Builder, choose to display results as a Table. Keep the other default values and click Next to proceed. In the Columns screen, display only the System Name column. Then click Next to proceed.
In the Filter screen, scroll down to the Intel AMT properties and select Intel AMT Fully Provisioned and set it to equals no. Select Intel AMT Supported and set it to equals yes. Then select Intel MEI Enabled and set it to equals yes. Then click Save to proceed.
In the Save Query screen, give the query a name and description. Save the query in the existing group entitled ePO Deep Command Reporting. Then click Save to complete this process.
This query can now be used to identify systems ready for AMT configuration. The next step is to create a tag that will be applied to those systems. Go to Menu > Systems > Tag Catalog then choose Tag > Actions > New Tag. In the Description screen, name the tag AMT_Ready. Click Next to proceed. Do not specify any criteria in the criteria screen and click Next to proceed. Accept the default values in the Evaluation screen and then click Next to proceed. Accept the default values in the Preview screen and click Save to complete this process.
Because the tag has no criteria, it must be applied to systems explicitly. This is done by running a server task that applies the tag to all systems returned by the AMT Ready Systems query. Go to Menu > Automation > Server Tasks and choose New Task. Name the task and give it a description. Click Next to proceed.
In the Actions screen, set the action to run the AMT Ready Systems query and set the Sub-Action to apply the AMT_Ready tag. Click Next to proceed.
In the Schedule screen, set the task to run on a schedule. In this example the task will be set to run hourly. Then click Next to proceed.
Tip: For lab environments and first-time installs, use Run Immediately for the Schedule type. This will make it run the next time the McAfee Agent synchronizes.
Review the settings in the Summary screen and then click Save to complete this process.
Create Deep Command Deployment Task
In the ePO System Tree, select the system or group that you wish to deploy to. Then go to the Assigned Client Tasks tab. Click Actions > New Client Task Assignment. Choose McAfee Agent > Product Deployment. Then notice that a task called Deploy ePO Deep Command already exists. Select this task and then set it to only deploy to systems with the AMT_Ready tag (as shown below).
Monitor Deployment Progress
Now that the client task assignment has been established, ePO will automatically deploy Deep Command to your AMT clients. The easiest way to track the progress is to simply view the Deep Command Discovery and Reporting Dashboard. Any system in a state of "Post Configuration" has the Deep Command client installed and has completed the AMT configuration process.
Please note that you will not be able to perform AMT Actions until after ePO has assigned the AMT tag to your fully configured clients. This is done with a server task, and you can manually run the server task or give it a more frequent schedule if you need the tag applied sooner. The task is named ePO Deep Command: Run Tag Criteria.
Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration, which requires the use of an SSL certificate. While this is recommended for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host-based configuration method for test or proof-of-concept environments.