Deep Command - Good, Better, and Best Scenarios

Version 5

    Introduction

    McAfee ePO Deep Command 2.0 enables beyond-the-operating-system security management.  Interfacing with Intel® Active Management Technology (AMT), McAfee ePO Deep Command 2.0 uses the built-in management engine functionality to enable compelling solutions in your environment:

    • Power and Update – Control power at the physical hardware level.  Combine a power-on event with predetermined client task executions.  Enable off-hours updates.
    • EEPC Out-of-Band – Integrated with McAfee EEPC 7.  Power on and securely unlock encrypted systems.  Easily reset encryption passwords.  Quickly resolve common encryption boot sector errors.
    • Remote Remediation – Connect via hardware-integrated Keyboard-Video-Mouse (KVM).  Direct the system to a network-based bootable image.  Assess and resolve security events remotely.
    • Internet-based clients – Perform all of the above whether the endpoint is inside or outside the enterprise environment.

    In addition to these intriguing usage models, McAfee ePO Deep Command simplifies the Intel® AMT configuration experience.  There are two supported methods of configuration:

    • Host Based Configuration – Define server settings, enable policies, and apply them to the endpoints.  No additional infrastructure is required, and a base set of configuration settings is applied.  Recommended if you are just getting started.
    • Remote Configuration – Requires Intel® Setup and Configuration Software (SCS) and infrastructure changes.  All Intel® AMT configuration settings can be defined and applied.  Recommended for advanced users.

    This article highlights the “good, better, and best” experiences available, based on the version and capabilities of Intel® AMT, when used in connection with McAfee ePO Deep Command.

    Getting Started – Discover Intel® AMT Capable Systems in Your Environment

    Intel® AMT is a component of the Intel® vPro™ Technology platform.  All Intel® vPro™ Technology platforms include Intel® AMT, but not all Intel® AMT capable platforms are Intel® vPro™ Technology capable.  Intel® AMT also ships in different builds and capability levels.

    Instead of attempting to maintain a list of all Intel® AMT capable systems, there is a better approach.  Start by downloading and deploying the free McAfee ePO Deep Command Discovery and Reporting plugin.  The plugin captures the necessary information from all Microsoft Windows endpoints in your environment and displays it in an easy-to-read dashboard.

    gbb image1.png

    Using the data acquired via the McAfee ePO Deep Command Discovery and Reporting plugin, the attached custom query provides a view of the data relevant for “good, better, and best” planning.

    gbb image2.png

    The report shown above is filtered to Intel® AMT supported platforms only.  Key points of interest include:

    • Intel® AMT version – Identifies the generation of Intel® AMT.  Firmware updates can occur only within a generation and are obtained from the specific system manufacturer’s updates download website.
    • Manageability Level – Identifies whether the platform supports the full set (Full) or a reduced set (Standard) of Intel® AMT capabilities.  No in-place upgrade from Standard to Full is available.
    • System Name, Manufacturer, and Model – Used to identify the specific system.

    Good State – Use Case Scenarios

    Intel® AMT capable systems with Standard Manageability provide a foundational experience.  Standard Manageability is commonly found in desktop platforms for cost-sensitive business users, enabling an initial experience of beyond-the-operating-system security management with McAfee ePO Deep Command.

    As shown below, the use case scenarios are consistent across all generations of Intel® AMT that support Standard Manageability.

    McAfee ePO Deep Command Use Case Scenarios          | Intel® AMT 5.x to 9.x, Standard Manageability
    --------------------------------------------------- | ---------------------------------------------
    Direct Power-on\Reset - Combine with Client Task    | X
    Boot to Remediation ISO image                       | X
    Boot to and modify BIOS settings                    | X

    Standard Manageability enables the main “AMT Actions” within McAfee ePO, as shown below.

    gbb image3.png

    In addition, a direct power-on action via Intel® AMT can be combined with predetermined Client Task Executions, as shown in the following example.  When using this feature, ensure the McAfee ePO Deep Command Client Task Execution policy has already been applied to the endpoints before powering them off.

    gbb image4.png

    The “good” state provides basic Intel® AMT functionality via McAfee ePO Deep Command.  The next step up is to enable and use the AMT policies available on a Full Manageability platform.

    Better State – Use Case Scenarios

    Intel® AMT platforms with Full Manageability provide an expanded set of features and capabilities.  The complete set of use case scenarios depends on the specific version or generation of Intel® AMT.  In the chart below, the new use case scenarios are highlighted in bold italics.  Many, but not all, platforms in this scenario are branded with an Intel® vPro™ sticker or label.

    The use case scenarios listed below are in the order of preference commonly heard from customers.

    McAfee ePO Deep Command Use Case Scenarios          | Intel® AMT 4.1     | Intel® AMT 5.1     | Intel® AMT 6.x or higher
    (Full Manageability of Intel® AMT)                  | Full Manageability | Full Manageability | Full Manageability
    --------------------------------------------------- | ------------------ | ------------------ | ------------------------
    Direct Power-on\Reset - Combine with Client Task    | X                  | X                  | X
    Scheduled Security Tasks                            |                    | X                  | X
    EEPC Out-of-Band - Remote Unlock                    |                    |                    | X
    EEPC Out-of-Band - Fast Password Reset              |                    |                    | X
    EEPC Out-of-Band - Remote Remediation               |                    |                    | X
    EEPC Out-of-Band - Location Aware Remote Unlock     |                    |                    | X
    Boot to Remediation ISO image                       | X                  | X                  | X
    Boot to and modify BIOS settings                    | X                  | X                  | X
    Support for Internet-Connected Systems              |                    | X                  | X
    Receive\route user request for assistance           | X                  | X                  | X

    The main upgrade that enables this “better” state is the set of AMT policies the firmware is able to process.  As a reminder, communications between McAfee ePO and Intel® AMT occur outside of the host operating system, so AMT policies can be updated via this communication path even when the host operating system is offline, as long as the endpoint is connected to the network.

    The power control scenarios are separated into two approaches: direct or scheduled.  The latter uses the alarm clock feature within Intel® AMT.  The following screenshot shows the Alarm Clock settings under AMT policies.

    gbb image5.png

    When used in combination with Deep Command Client Task Execution, this enables solution scenarios such as On Demand scans during non-production hours.  This scenario appears in the chart above as “Scheduled Security Tasks”.

    gbb image6.png

    The “Remote Access” tab of the Intel® AMT policies enables a firmware setting required for a frequently requested use case: McAfee EEPC 7 out-of-band operations.  The specific setting is “CILA”, Client Initiated Local Access.  Used by the McAfee EEPC preboot authentication environment, this setting enables the firmware to send a message to a designated agent handler in the environment.

    gbb image7.png

    Further down the Remote Access settings, “CIRA” (Client Initiated Remote Access) can be defined; it is used in connection with McAfee ePO Deep Command Gateway Services for endpoints outside of the enterprise.

    In addition to enabling McAfee EEPC 7 out-of-band communications, the Remote Access settings of the AMT policies allow a user at the client system to send an alert to the designated agent handler.  Once received, the alert can trigger follow-on events as defined in the McAfee ePO workflow settings.

    Best State – Use Case Scenarios

    The best experience of McAfee ePO Deep Command builds upon the “better” scenario and adds the McAfee KVM Viewer, shown in bold italics below.  Keyboard-Video-Mouse (KVM) enables remote-desktop-style connectivity to the platform regardless of the state of the host operating system.

    In the chart below, the new use case scenario is highlighted in bold italics.

    Platforms at this level are always branded with Intel® vPro™ Technology.

    McAfee ePO Deep Command Use Case Scenarios                     | Intel® AMT 6.x or higher
    (Full Manageability of Intel® AMT)                             | Full Manageability
    -------------------------------------------------------------- | ------------------------
    Direct Power-on\Reset - Combine with Client Task               | X
    Scheduled Security Tasks                                       | X
    EEPC Out-of-Band - Remote Unlock                               | X
    EEPC Out-of-Band - Fast Password Reset                         | X
    EEPC Out-of-Band - Remote Remediation                          | X
    EEPC Out-of-Band - Location Aware Remote Unlock                | X
    McAfee KVM Viewer - Connection to hardware integrated IP-KVM   | X
    Boot to Remediation ISO image                                  | X
    Boot to and modify BIOS settings                               | X
    Support for Internet-Connected Systems                         | X
    Receive\route user request for assistance                      | X

    The KVM capabilities of an Intel® vPro™ Technology platform require Intel® AMT 6.x or higher, the KVM interface enabled in the firmware, and an Intel integrated graphics display adapter.

    In addition, AMT policies let you define specific KVM settings, as shown below.

    gbb image8.png

    Configuration Scenarios

    In mapping out the “good, better, or best” use case scenarios shown above, the configuration method for Intel® AMT is also a factor.  As shown in the chart below, Host Based Configuration is often the preferred method because of its simplicity (highlighted in bold italics).

    Remote Configuration requires additional software and changes within the infrastructure.

    Both options are available on Standard and Full Manageability platforms alike.

    Step-by-step guides for each configuration method are provided at https://community.mcafee.com/docs/DOC-5069

    McAfee ePO Deep Command Configuration Scenarios                       | Intel® AMT 4.x to 6.x | Intel® AMT 7.x or higher
    --------------------------------------------------------------------- | --------------------- | ------------------------
    Host Based Configuration (Preferred)                                  |                       | X
    Remote Configuration (requires Intel® SCS and external certificate)   | X                     | X
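    The following Python is an added planning helper, not code from the article, McAfee or Intel: it takes the fields the Discovery and Reporting plugin reports (AMT version and Manageability Level) and maps each endpoint onto the good, better and best tiers, the use cases in the charts above, and the configuration methods its AMT generation supports.  The kvm_ready flag is an assumed input, since the KVM Viewer also depends on the Intel integrated graphics adapter and the firmware KVM setting.

```python
# Added planning helper; not part of the McAfee article or of Deep Command itself.
# Maps discovery fields (AMT version, manageability level) plus an assumed
# KVM-readiness flag onto the article's tiers, use cases and configuration methods.
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    amt_version: str          # as reported by discovery, e.g. "8.1.40"
    manageability: str        # "Standard", "Full", or "" when AMT is absent
    kvm_ready: bool = False   # assumed field: Intel integrated graphics + KVM enabled in firmware

# Full Manageability use cases keyed by the lowest AMT generation in the article's chart.
FULL_USE_CASES = {
    (4, 1): ["Direct Power-on/Reset with Client Task", "Boot to Remediation ISO image",
             "Boot to and modify BIOS settings", "Receive/route user request for assistance"],
    (5, 1): ["Scheduled Security Tasks", "Support for Internet-Connected Systems"],
    (6, 0): ["EEPC Out-of-Band - Remote Unlock", "EEPC Out-of-Band - Fast Password Reset",
             "EEPC Out-of-Band - Remote Remediation", "EEPC Out-of-Band - Location Aware Remote Unlock"],
}
STANDARD_USE_CASES = FULL_USE_CASES[(4, 1)][:3]   # AMT 5.x to 9.x with Standard Manageability

def amt_generation(ep):
    """(major, minor) of the reported firmware, or None when the system has no usable AMT."""
    if ep.manageability not in ("Standard", "Full"):
        return None
    major, _, rest = ep.amt_version.partition(".")
    return (int(major), int(rest.split(".")[0] or 0))

def use_cases(ep):
    gen = amt_generation(ep)
    if gen is None:
        return []
    if ep.manageability == "Standard":
        return list(STANDARD_USE_CASES) if gen >= (5, 0) else []
    cases = [c for floor, group in FULL_USE_CASES.items() if gen >= floor for c in group]
    if gen >= (6, 0) and ep.kvm_ready:          # KVM Viewer needs AMT 6.x+ and Intel graphics
        cases.append("McAfee KVM Viewer")
    return cases

def tier(ep):
    """'good', 'better', 'best', or None when Deep Command cannot use the system."""
    cases = use_cases(ep)
    if not cases:
        return None
    return "good" if ep.manageability == "Standard" else "best" if "McAfee KVM Viewer" in cases else "better"

def config_methods(ep):
    gen = amt_generation(ep) or (0, 0)
    methods = ["Host Based Configuration"] if gen >= (7, 0) else []          # AMT 7.x or higher
    if gen >= (4, 0):
        methods.append("Remote Configuration (Intel SCS + certificate)")    # AMT 4.x or higher
    return methods
```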



    Concluding Remarks

    Combining the configuration and use case scenarios, the best of both worlds is an Intel® vPro™ Technology platform with Intel® AMT 7 or higher.  McAfee ePO Deep Command can discover, configure, and fully utilize all of the features referenced in this article.

    When preparing your next order of endpoint systems, ask for Intel® vPro™ Technology platforms, which are available in a variety of endpoint form factors including Ultrabook, laptop, desktop, and workstation.

    In addition to being configured for McAfee ePO Deep Command, Intel® AMT systems can be used by other applications within the environment.  See the article Configure via McAfee ePO Deep Command and use by Microsoft SCCM.

    More suggested reading?  See the Index of resources on McAfee ePO Deep Command 2.0.

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries