The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot\reboot operations, and more. The improvements simplify the Intel® AMT configuration experience enabling a faster path to using the technology solution
Install McAfee ePO Deep Command 1.5
Use the following documents to install, configure and deploy McAfee Deep Command 1.5.
Step 2: Install Intel SCS
Step 4: Deploy Deep Command
Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration. This requires the use of an SSL certificate. While this is recommended for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host based configuration method for test or proof-of-concept environments.
Appendix C: McAfee ePO Deep Command 1.5 Setup Checklist
McAfee Deep Command requires Intel® vPro™ technology hardware. This hardware offers Intel® Active Management Technology (AMT) which provides services in the firmware that enable McAfee Deep Command to perform out of band management tasks. Intel AMT is shipped disabled on all hardware and must be enabled prior to using with McAfee Deep Command. This document contains McAfee’s recommended process for enabling and configuring Intel AMT. Following this process will ensure compatibility with McAfee Deep Command.
Because McAfee Deep Command is dependent on Intel AMT capable hardware, installing McAfee Deep Command should be thought of as a four step process
Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
Step 2: Install Intel SCS
Step 3: Install Intel AMT and McAfee ePO Server Components
Step 4: Deploy McAfee ePO Deep Command 1.5 and Configure AMT Clients
Tip: Print the McAfee ePO Deep Command 1.5 Setup Checklist and check each step as you progress through the installation.
Before You Begin
The following items should be considered before starting the installation.
High Level Process
Per the main steps listed above, here is a summarized list of all the tasks that must be performed to both configure Intel AMT and deploy McAfee ePO Deep Command.
McAfee Deep Command is implemented with an extension for McAfee ePO and a package that can be deployed to systems managed by the McAfee agent.
Intel AMT configuration is implemented by installing Intel Setup and Configuration software on a server (the McAfee ePO server in this example). This software then leverages Microsoft Active Directory, DNS, DHCP and a Microsoft Certificate Authority to configure Intel AMT clients.
The McAfee ePO Deep Command Gateway Services facilities Intel AMT communications to remote clients. Understanding how McAfee ePO Deep Command works in an intranet environment is highly recommend before exploring how to connect remote clients.
Note: Initial configuration of Intel AMT clients must be done with a wired connection while the system is on the local area network. This requirement exists while doing remote configuration. Other configuration methods (like host based configuration) can be done over wireless.
Configuration of Intel AMT occurs between the Intel RCS and the client firmware over TCP port16993. Direct TCP\IP communications occur to the Intel AMT firmware, which shares the same IP address and FQDN as the host operating system. Intel AMT traffic is designated by TCP ports 16992-16995 at the network interface of the endpoint.
Configuration of Intel AMT in a Deep Command environment requires a web server certificate to be assigned to each endpoint. Once Intel AMT is configured on the endpoint device, it is a network service awaiting an authenticated and authorized request. Installing and configuring McAfee Deep Command will enable administrators to make valid connections to that network service and leverage the capabilities of Intel AMT via McAfee ePO.
The following tables list and describe all of the components used in the McAfee Deep Command product. The rest of the installation guide will walk through the configuration of each component, but it is useful to get a baseline understanding of what each component does before you begin the installation.
|McAfee Agent||Version 4.5 patch 1 or later. This facilitates communication with McAfee ePO and allows you to deploy the AMT Discovery and Reporting component to the system.|
|McAfee AMT Discovery and Reporting||Version 1.5 or later. This collects AMT properties from the system and reports them to McAfee ePO. This data is then used to determine the status of AMT on the system. Only systems that are fully provisioned can support McAfee Deep Command.|
|Intel MEI Driver||This driver must be present on systems in order for software to interact with the AMT firmware. Without it, the Discovery and Reporting data will be incomplete and both AMT configuration and Deep Command installation will fail. MEI drivers are delivered by Windows update for all hardware from 2010 and 2011. MEI drivers for older hardware must be obtained from the hardware manufacturer.|
|Intel AMT Firmware||McAfee Deep Command features are dependent on the version of the AMT firmware. For best results McAfee recommends updating to the latest version of AMT firmware provided by your hardware manufacturer.|
|Intel Client Configurator (ACUconfig.exe)||Version 8.1 or later. This program performs AMT configuration. It reads the AMT profile and applies those settings to the firmware on an AMT client. These files can be packaged, deployed and executed by any systems management software. Deep Command 1.5 will automatically deploy and execute ACUconfig.exe to perform remote configuration of Intel AMT. If an alternative configuration method is required, then a custom package can be built and deployed from ePO.|
|McAfee Deep Command||Version 1.5 or later. McAfee Deep Command leverages Intel AMT to perform out of band management and security tasks. With version 1.5 and later it can also be used to configure Intel AMT in your environment.|
|Network||A wired network connection on internal LAN is required for initial AMT configuration when using Deep Command to perform AMT remote configuration. Configuration over wireless is possible if AMT host based configuration is performed.|
|Operating System||Microsoft Windows XP SP3 or later|
|McAfee ePO||Version 4.6 patch 4 or later is required for all components of McAfee Deep Command v1.5.|
|McAfee ePO AMT Discovery and Reporting||This dashboard provides individual monitors that indicate the readiness of client systems for both AMT configuration and Deep Command deployment.|
|Microsoft Certificate Authority with Web Enrollment|
The Microsoft CA is established by adding the Active Directory Server Certificates role to a server in your environment. Then, the Certificate Authority Web Enrollment role service must also be added; this requires the IIS role service to also be added. McAfee recommends running these roles on a separate server that is acting as an enterprise certificate authority, not on the McAfee ePO server.
All AMT clients will request a TLS web server certificate from this CA during AMT configuration.
|Service Account for Intel Remote Configuration Service||A domain account must be created. This service account will run the Remote Configuration Service on the McAfee ePO server. This account must have local admin rights on the server. In addition, this account must have permission to request certificates and to issue and manage certificates on the Microsoft CA server. In this document, we recommend using the NetworkService account|
|Intel AMT Setup and Configuration Application||Intel Setup and Configuration Service (SCS) 8.1 and later. This is used to install the Remote Configuration Service on the McAfee ePO server, provide the Intel AMT Configuration Wizard, and program files to be executed on the client.Intel SCS is available at http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921Please note that other client configuration applications (like Microsoft SCCM) can also function as Setup and Configuration Applications. Using those applications is beyond the scope of this document.|
|Intel Remote Configuration Service||This will be installed on the server as part of the SCS installation. During configuration this service receives connections from the AMT client and authenticates them by using the AMT Remote Configuration Certificate. It then negotiates the client’s TLS enrollment and sends the configuration settings to the client’s AMT firmware.|
|Active Management Technology Configuration Utility Wizard (ACUwizard)||This will be installed on the server as part of the SCS installation. It is used to create Intel AMT configuration profiles.McAfee requires the AMT configuration profile to be configured to use admin control mode and to use TLS. McAfee recommends using digest authentication rather than Kerberos authentication for test and POC environments. For production environments, we recommend the use of digest master password.|
|DHCP||On your DHCP server, validate the DHCP server Scope Options. DNS Domain Name (Option 15) is critical for the Remote Configuration Certificate. It is important that this domain name is what you expect it to be. Please note the domain name in Option 15 prior creating the certificate signing request for the Remote Configuration SSL Certificate.For the purposes of this guide, the IP v6 scope should be disabled.|
|Remote Configuration SSL Certificate||Remote Configuration of Intel AMT requires an SSL certificate to establish trust between the client firmware and the SCS server. Only certificates from Verisign, GoDaddy, Comodo, Starfield, Entrust, or Cybertrust are supported. Self-signed root certificates are not supported because a corresponding hash for that certificate will not exist in the AMT firmware.More information at http://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html|
TIP: When creating the certificate signing request, be sure that the common name field contains the actual connection-specific DNS suffix found on your client’s wired LAN interface. This should match option 15 in your DHCP settings.
Note: If obtaining an SSL certificate is not possible, then please consider alternative configuration methods.
|Ports||The following ports should be open between the McAfee ePO servers and the AMT clients.16992 TCP/UDP bidirectional|
16993 TCP/UDP bidirectional
16994 TCP/UDP bidirectional
16995 TCP/UDP bidirectional
Client Configuration Workflow
The diagram below illustrates what happens when an Intel AMT client goes through the configuration process. It shows each component involved and describes what role each component plays in the configuration process.