Once configured, Intel® AMT is a service on your network awaiting an authenticated and authorized request. To ensure McAfee ePO Deep Command or other applications continue to communicate with Intel AMT, specific maintenance operations are recommended. Common scenarios for failed communications to a connected Intel AMT device include:
McAfee ePO Deep Command enables Intel AMT maintenance tasks to be created. The purpose of this document is to determine which tasks are needed and how often they should be applied. It demonstrates both a reactive and a proactive approach to Intel AMT configuration maintenance.
Using the system properties collected via McAfee ePO, a custom query and report can determine what configured Intel AMT clients are experiencing communication errors.
The sample query below selects the System Name, Intel® AMT DNS Name, Last Communication, Last Error Message, and TLS data points. System Name and Last Communication are found under “Managed Systems”; the remaining properties are found under Intel® AMT in the query builder.
On the Query Builder Filter Tab, two common filters include:
Running the query in my lab environment, three problematic systems are identified. The query was performed on November 12, 2012. The results show two of the systems have not had Agent-to-Server Communication (ASC) for a few weeks. This is likely due to systems being disconnected from the network or other reasons which need to be addressed before focusing on failed Intel AMT communications.
The third system, shown as “LenovoTiny”, indicates the Intel AMT FQDN differs from the operating system name. In short – the client was renamed. The Intel AMT Hostname and associated TLS certificate need to be updated.
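The triage described above (stale Agent-to-Server Communication first, then a renamed client, then everything else) can be applied to an export of the custom query rather than read off by eye. The following is an added example, not code from the original post or from McAfee ePO; the column names, error strings and rows are constructed to resemble the query results discussed, the query date is the November 12, 2012 date from the text, and the 14-day staleness threshold is an assumption standing in for "a few weeks".

```python
"""Triage rows exported from an "AMT Communication errors" ePO query.
Added example; the column layout and all rows below are constructed."""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: headers mirror the query fields named on the page.
SAMPLE_EXPORT = """System Name,AMT DNS Name,Last Communication,Last Error Message,TLS Enabled
LabPC01,labpc01.lab.example,2012-10-19 09:15:00,Connection timed out,True
LabPC02,labpc02.lab.example,2012-10-24 17:40:00,Connection timed out,True
LenovoTiny,lenovo-old.lab.example,2012-11-12 08:05:00,TLS handshake failed,True
LabPC05,labpc05.lab.example,2012-11-12 07:50:00,Authentication failed,True
"""

# The date the query was run in the text (time of day is an assumption).
QUERY_DATE = datetime(2012, 11, 12, 12, 0, 0)

# Assumed threshold for "no ASC for a few weeks".
STALE_AFTER_DAYS = 14


def parse_export(text):
    """Parse the CSV export into dicts, converting Last Communication to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Last Communication"] = datetime.strptime(
            row["Last Communication"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def fqdn_matches(system_name, amt_dns_name):
    """True when the host label of the AMT FQDN equals the ePO system name.
    A blank AMT DNS name counts as a mismatch."""
    return amt_dns_name.split(".")[0].lower() == system_name.lower()


def triage(rows, query_date=QUERY_DATE, stale_after_days=STALE_AFTER_DAYS):
    """Map each system name to (category, detail, recommended next step).

    Order matters: a client that has not talked to ePO for weeks is an agent
    problem to fix before any AMT-level conclusion is drawn from its error.
    """
    findings = {}
    for row in rows:
        name = row["System Name"]
        age = query_date - row["Last Communication"]
        if age > timedelta(days=stale_after_days):
            findings[name] = ("stale-asc", age.days,
                              "restore agent-to-server communication first")
        elif not fqdn_matches(name, row["AMT DNS Name"]):
            findings[name] = ("fqdn-mismatch", row["AMT DNS Name"],
                              "Enforce AMT Firmware Configuration Policy")
        else:
            findings[name] = ("amt-error", row["Last Error Message"],
                              "investigate the last error message")
    return findings


if __name__ == "__main__":
    for name, (category, detail, action) in triage(parse_export(SAMPLE_EXPORT)).items():
        print(f"{name:12} {category:14} {detail!s:28} -> {action}")
```

The stale check runs before the FQDN check on purpose: a renamed client that has also been off the network would otherwise be sent an enforce action it cannot receive.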
Additional notes in determining cause and effect for failed communications:
For the common error shown for “LenovoTiny”, a simple first step to resolve the issue is to Enforce AMT Firmware Configuration Policy. This action forces the Intel AMT configuration to be reapplied to the target system.
Select the target client, then click Actions > AMT Actions > Enforce AMT Firmware Configuration Policy as shown below.
For a mismatched FQDN, enforcing the Intel AMT configuration policy resolved the error. After the next ePO Deep Command Discovery and Reporting data collection, an Enforce AMT Policies action was completed as noted below.
Using the above mentioned custom query, the “LenovoTiny” unit is no longer listed as having communication errors.
The sequence can be automated via McAfee ePO Server Task, connecting results from the query with a specific action or Client Execution Task. The next section explores Intel AMT Maintenance Tasks.
Intel AMT Maintenance tasks can be initiated via commands executed on the client endpoint, or via Jobs defined on the Intel SCS console. McAfee ePO Deep Command uses Client Execution Tasks to initiate the Maintenance Tasks on the client. This approach scales better because each client pulls and runs its own task (distributed) rather than the SCS console pushing to every client (central).
In the Client Task Catalog, a subsection of Client Task Types exists for ePO Deep Command 1.5.0, as shown below.
By default, no maintenance tasks are defined. Before creating an AMT Maintenance Task, review the following McAfee ePO Deep Command product guide explanations augmented with Intel SCS User Guide and additional commentary. Specific recommendations are in underlined bold italics:
Using the above explanations, a few common scenarios for Intel AMT Maintenance tasks are presented in the next section on proactively maintaining the Intel AMT configuration.
The first section of this document demonstrated a query and reactive approach to update the FQDN of the Intel AMT firmware. Building upon the custom query shown in that section, a maintenance task similar to the following can be used.
Using a server task to combine the custom query (i.e. “AMT Communication errors”) with the Maintenance Task will look similar to the following:
Schedule the server task to run on a regular interval for proactive maintenance due to system name changes. Although this resolution is technically reactive, the server task automates the maintenance event.
Review the Validity Period of the Web Server certificate template. In the example below, the certificates issued using the default template are valid for 2 years.
In addition to the TLS Web Server Certificate, if the Intel AMT configuration in the environment uses 802.1x certificates, the Validity Period of that template must also be taken into account.
If all certificate templates have a validity period of 2 years and the system hostname has not changed during that time, the following Intel AMT Maintenance Task settings will update the certificates:
In this example, the task is set to run on the first Thursday of November – approximately a year from now. Additional scheduling granularity can be applied based on the target environment.
The intent of this Intel AMT maintenance task is to avoid broken communications due to expired TLS certificates.
If AD Integration with Kerberos authentication is used in the environment, the password policy for the Organizational Unit where the Intel AMT objects are stored applies. In the following example, the default domain policy with a 42-day maximum password age applies. After 42 days, if the Intel AMT object has not been maintained, authentication to the object may fail because the object password has expired.
In this scenario, running an Intel AMT Maintenance Task every 30 days via the McAfee ePO schedule provides a 12-day grace period in case a particular client is not on the network at the scheduled time.
The Intel AMT Maintenance Task will look similar to the following:
With an assigned schedule such as the following:
An alternative to monthly execution of the task is to apply an exception to the object password policy only for the Organizational Unit where Intel AMT objects are stored.
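The certificate validity and password-age reasoning of the last two sections comes down to one question per client: if it misses the scheduled run, does its AD object password or TLS certificate lapse before the next one? The following is an added example, not code from the original post or from McAfee ePO or Intel SCS; it uses the 42-day maximum password age, 2-year certificate validity and 30-day interval stated above, and the client names, rotation dates and certificate issue dates are constructed.

```python
"""Plan Intel AMT maintenance around AD object password age and TLS
certificate validity. Added example; all client data below is constructed."""
from datetime import date, timedelta

# Policy values from the text: default domain policy 42-day maximum password
# age, Web Server template validity of 2 years, maintenance task every 30 days.
PASSWORD_MAX_AGE_DAYS = 42
CERT_VALIDITY_DAYS = 2 * 365
MAINTENANCE_INTERVAL_DAYS = 30

# The scheduled run being evaluated (constructed date).
SCHEDULED_RUN = date(2012, 11, 12)


def grace_days(max_age_days=PASSWORD_MAX_AGE_DAYS,
               interval_days=MAINTENANCE_INTERVAL_DAYS):
    """Days a client may miss a scheduled run and still be maintained before
    its AD object password lapses (42 - 30 = 12 in the text)."""
    return max_age_days - interval_days


def expiry(client):
    """Return (date, reason) for whichever credential lapses first."""
    pw_expires = client["last_password_rotation"] + timedelta(days=PASSWORD_MAX_AGE_DAYS)
    cert_expires = client["cert_issued"] + timedelta(days=CERT_VALIDITY_DAYS)
    if cert_expires < pw_expires:
        return cert_expires, "certificate"
    return pw_expires, "password"


def classify(client, scheduled_run=SCHEDULED_RUN,
             interval_days=MAINTENANCE_INTERVAL_DAYS):
    """Classify a client assuming it is off the network and misses the run.

    Returns (status, days_left, reason):
      expired  - already lapsed; expect Kerberos or TLS failures until maintained
      catch-up - must run the task within days_left, before the next scheduled run
      ok       - the next scheduled run (scheduled_run + interval) lands before expiry
    """
    expires, reason = expiry(client)
    days_left = (expires - scheduled_run).days
    if days_left <= 0:
        return "expired", days_left, reason
    if days_left <= interval_days:
        return "catch-up", days_left, reason
    return "ok", days_left, reason


def plan(clients, scheduled_run=SCHEDULED_RUN):
    """Classify every client in an inventory."""
    return {c["name"]: classify(c, scheduled_run) for c in clients}


# Constructed inventory: last successful password rotation and certificate issue date.
SAMPLE_CLIENTS = [
    {"name": "LabPC01", "last_password_rotation": date(2012, 10, 13), "cert_issued": date(2011, 6, 1)},
    {"name": "LabPC02", "last_password_rotation": date(2012, 9, 20), "cert_issued": date(2011, 6, 1)},
    {"name": "LabPC03", "last_password_rotation": date(2012, 11, 5), "cert_issued": date(2010, 11, 20)},
    {"name": "LabPC04", "last_password_rotation": date(2012, 11, 12), "cert_issued": date(2012, 1, 1)},
]

if __name__ == "__main__":
    print(f"grace window: {grace_days()} days")
    for name, (status, days, reason) in plan(SAMPLE_CLIENTS).items():
        print(f"{name:10} {status:9} {days:5d} days ({reason})")
```

LabPC01 was maintained at the previous run 30 days earlier, so it has exactly the 12-day window the text describes; LabPC03 has a fresh password but a certificate issued almost two years ago, which is why the check looks at both dates and reports whichever lapses first.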
Maintaining the Intel AMT configuration ensures communications are not disrupted due to system name changes, expired certificates, expired passwords, and so forth. To help automate the scheduling of maintenance events, whether reactively or proactively, Client Tasks can be defined within McAfee ePO specific to an AMT Maintenance action.
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries