Product Guide: McAfee® ePO Deep Command 1.0.0, for use with ePolicy Orchestrator® 4.6.x Software


  • COPYRIGHT

    Copyright © 2011 McAfee, Inc. All Rights Reserved.

    No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARK ATTRIBUTIONS

    AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    LICENSE INFORMATION

    License Agreement

    NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


  • Contents

    Preface
      About this guide
        Audience
        Conventions
      Finding product documentation

    1 Introduction
      Product overview
      What you need to know to get started
      Intel® AMT overview

    2 Installing the software
      Requirements
        System requirements
        Software requirements
        Operating system requirements
      Install the ePO Deep Command extensions
      Uninstalling the software
        Uninstall the ePO Deep Command client
        Uninstall the Discovery plugin
        Remove the ePO Deep Command extensions

    3 Provisioning your Intel® AMT firmware
      About provisioning
        Provisioning states
        Types of provisioning
      About authentication protocols
      About Certificate Authority integration
      ePO Deep Command specific provisioning details
      Overview: Enterprise mode provisioning network configuration
      Deprovision Intel® AMT firmware

    4 Setting up and configuring your software
      Set up and configure the ePO Deep Command software
        Deploy the ePO Deep Command Discovery and Reporting plugin
        Deploy the Management Framework client
        Specify ePO Deep Command credentials
        Import CA certificates
        Test your connection to an Intel® vPro™ system
        Configuring permission sets
      Set up and configure the SCCM extension
        Install the SCCM extension
        Add registered SCCM servers
        Import data from SCCM servers
        Removing the SCCM extension
      Set up and configure your environment for CIRA
        ePO Deep Command Gateway server configuration

    5 Reporting on your Intel® vPro™ systems
      Discovery and Reporting queries and their descriptions
        View default queries
      Properties collected by the Discovery plugin
        About the Intel® MEI driver
      About the Intel® AMT Summary dashboard

    6 Managing your Intel® vPro™ systems
      Using policies to manage Intel® vPro™ systems
        About the policies
        Using the Client Task Execution policy
      Using Out-of-Band actions
        Power on your systems
        Use the Serial-over-LAN feature
        Boot or reboot using IDE-Redirect
        Boot or reboot to BIOS
        Boot or reboot a system normally
      Creating and using server tasks
        Schedule and enforce out-of-band AMT policies
        Schedule out-of-band power on for your systems
      Management Framework queries

    7 Frequently asked questions

    A Appendixes
      Supported Intel® AMT features
      Sample configuration files
      Out-of-Band action logs
      Writing Python scripts

    Index

  • Preface

    This guide introduces the McAfee ePO Deep Command software and its features. It also gives information on using the Discovery and Reporting plug-in to get better reporting of your client system properties and provides instructions on using Management Framework to manage these systems.

    Contents

    • About this guide

    • Finding product documentation

    About this guide

    This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

    Audience

    McAfee documentation is carefully researched and written for the target audience.

    The information in this guide is intended primarily for:

    • Administrators — People who implement and enforce the company's security program.

    Conventions

    This guide uses the following typographical conventions and icons.

    • Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

    • Bold: Text that is strongly emphasized.

    • User input or Path: Commands and other text that the user types; the path of a folder or program.

    • Code: A code sample.

    • User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

    • Hypertext blue: A live link to a topic or to a website.

    • Note: Additional information, like an alternate method of accessing an option.

    • Tip: Suggestions and recommendations.

    • Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

    • Warning: Critical advice to prevent bodily harm when using a hardware product.


    Finding product documentation

    McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

    Task

    1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

    2 Under Self Service, access the type of information you need:

    To access user documentation, do this:

      1 Click Product Documentation.

      2 Select a product, then select a version.

      3 Select a product document.

    To access the KnowledgeBase, do this:

      • Click Search the KnowledgeBase for answers to your product questions.

      • Click Browse the KnowledgeBase for articles listed by product and version.


  • 1 Introduction

    The McAfee ePO Deep Command software integrates the management and automation features of ePolicy Orchestrator software with the hardware-based security and manageability features of Intel® vPro™ technology, which is included on your Intel® AMT equipped desktop and laptop systems (Intel® vPro™ systems).

    Contents

    • Product overview

    • What you need to know to get started

    • Intel® AMT overview

    Product overview

    McAfee ePO Deep Command software is comprised of two independent modules.

    When installed on your ePolicy Orchestrator server, these modules work with your Intel® vPro™ systems to deliver greater control of your secure environment.

    • ePO Deep Command Discovery and Reporting module

    • ePO Deep Command Management Framework module

    ePO Deep Command Discovery and Reporting module

    The ePO Deep Command Discovery and Reporting module collects detailed information about the systems on your network that are equipped with Intel® AMT. This module adds the following to your ePolicy Orchestrator server:

    • Discovery plugin — The Discovery plugin detects the Intel® vPro™ and BIOS properties of the managed systems in your organization, then displays them on the Intel® AMT summary dashboard. This plugin is added automatically to the ePolicy Orchestrator Master Repository during installation, then deployed to client systems by the default client update task that is included in the software.

    • Default queries — These predefined queries start collecting important details about the Intel® vPro™ equipped systems in your network right away. They retrieve and display information about Intel® vPro™ and BIOS properties. You can modify these queries, or create custom queries.

    • Dashboard with default monitors — The Intel® AMT Summary dashboard organizes and presents the default queries for easy viewing. All Intel® vPro™ and BIOS properties of ePolicy Orchestrator managed systems are displayed in one place.

    • AMT tag — The AMT tag is assigned to managed systems that are fully Intel® AMT provisioned. The AMT tag is added to the Tag Catalog automatically.

    • Default client update task — An automatically created task, Install/Update ePO Deep Command Discovery Plugin task, is added to the Client Task Catalog. You can apply this update task to the managed systems you select.


    ePO Deep Command Management Framework module

    The ePO Deep Command Management Framework module delivers "beyond-the-operating system" security management, allowing security administrators to reduce operation costs while enhancing their security posture. This module adds the following to your ePolicy Orchestrator server:

    • ePO Deep Command Client — The Deep Command client, which is added to the Master Repository when the software is installed, is responsible for the following core functionality:

        • Running client tasks

        • Enforcing policies

        • Generating events

      Use the default product deployment task to install this client on your Intel® vPro™ systems.

    • Gateway module — The Gateway module is installed on your Agent Handler. It facilitates communication between your ePolicy Orchestrator server and managed Intel® vPro™ systems located in your organization's DMZ.

    • Default product deployment task — The Deploy ePO Deep Command Client deployment task is created automatically and added to the Client Task Catalog. You can assign this deployment task to the managed systems you select.

    What you need to know to get started

    Before you can manage your Intel® vPro™ systems, the ePO Deep Command software requires that you have specific software, hardware, and network configurations in place. The following diagram illustrates the high-level workflow we recommend for setting up your software.

    Installing ePO Deep Command Discovery and Reporting software is your first step. Each additional action in the process is dependent on, or enabled by installing this module.

    Installation and configuration for each action in this process are detailed in the chapters that follow.


    Intel® AMT overview

    Intel® AMT is a hardware-based technology for remotely managing and securing systems using Out-of-Band communication. Even with a crashed hard drive or a system that is shut down, you can access the system to perform basic system management tasks.

    Intel® AMT is a part of the Intel® Management Engine built into systems with Intel® vPro™ technology. Intel® AMT is designed into a secondary processor located on the motherboard. Its hardware-based remote management, security management, power management, and remote configuration features allow you to access an Intel® AMT featured system from remote locations. It relies on a hardware-based Out-of-Band communication channel that operates below the operating system level. The communication channel is independent of the state of the operating system (whether present, corrupt, down, encrypted, crashed, or missing) and of the system's power state, presence of a management agent, and the state of many hardware components (such as hard disk drives). Using ePO Deep Command, you can manage the client systems that have an Intel® AMT-enabled chipset, network hardware and software, and a connection with a power source and a corporate network connection.

    Setting up the environment requires you to provision your Intel® AMT firmware with certificates and integrate ePO Deep Command into the existing security framework.


  • 2 Installing the software

    ePO Deep Command software is comprised of two software modules, which must be installed on your ePolicy Orchestrator server. Once installed, you'll be able to set up and configure your ePO Deep Command software.

    Contents

    • Requirements

    • Install the ePO Deep Command extensions

    • Uninstalling the software

    Requirements

    Verify that your system meets these requirements before you start the installation process.

    These are minimum requirements for the ePO Deep Command Discovery and Reporting software. You must also consider the system requirements for any other products you are installing, such as McAfee ePolicy Orchestrator.

    System requirements

    • McAfee ePolicy Orchestrator server systems: See the ePolicy Orchestrator product documentation for 4.6 or later.

    • Client systems:

        • CPU: Pentium III 1 GHz or higher

        • RAM: 512 MB minimum (1 GB recommended)

        • Hard Disk: 200 MB minimum free disk space

    • Intel® MEI driver: Based on the hardware, the version of Intel® MEI driver will vary. To obtain the correct version of this software, contact the hardware manufacturer for your systems.

      The installation of the Intel® MEI driver is not required to use the Discovery and Reporting module, but is recommended. Installing it on the managed systems allows you to collect the complete Intel® vPro™ and BIOS properties.

      This driver is required when using the Management Framework module.


    Software requirements

    Make sure you have the required software installed for the ePO Deep Command module you're installing.

    • McAfee management software

        Discovery and Reporting module:

        • McAfee ePolicy Orchestrator 4.6.0 or later

        • McAfee Agent for Windows 4.5.1 or later

        Management Framework module:

        • McAfee ePolicy Orchestrator 4.6.1 or later

        • McAfee Agent for Windows 4.5.1 or later

    • Internet browser

        All modules:

        • Internet Explorer 7.0 or later

        • Mozilla Firefox 3.6.20 or later

        Pop up windows must be enabled and allowed.

    The ePO Deep Command Management Framework module requires the Discovery and Reporting module to function correctly.

    Operating system requirements

    • McAfee ePolicy Orchestrator server systems: See the ePolicy Orchestrator product documentation for versions 4.6 or later

    • Client systems for ePO Deep Command software:

        • Windows XP SP3 (32- or 64-bit)

        • Windows Server 2003 or higher (32- or 64-bit)

        • Windows Vista or higher (32- or 64-bit)

        • Windows Server 2008 R2 or higher (32- or 64-bit)

        • Windows 7 or higher (32- or 64-bit)

    Install the ePO Deep Command extensions

    You can install the software extensions using the ePolicy Orchestrator Software Manager. The Software Manager provides a single location within the ePolicy Orchestrator console to review and obtain McAfee software and components.

    Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

    2 On the Software Manager page under Product Categories, click Software Not Checked In | Licensed.


    3 Select the ePO Deep Command software components to be installed, then click Check In.

      Click Download to save the software to a temporary location to be checked in later, using the instructions provided in the ePolicy Orchestrator 4.6.0 documentation.

    4 In the Check In Software Summary page, review and accept the End User License Agreement (EULA), then click OK to complete the installation.

    Installing the ePO Deep Command software extensions automatically makes the ePO Deep Command Discovery and Reporting plugin and Management Framework client available in the Master Repository under Menu | Software.

    Uninstalling the software

    To uninstall ePO Deep Command, you must remove ePO Deep Command from the Intel® vPro™ systems and remove the ePO Deep Command extension from ePolicy Orchestrator.

    Uninstall the ePO Deep Command client

    Uninstalling the ePO Deep Command Management Framework client from your Intel® vPro™ systems is one of the steps required to remove the ePO Deep Command software.

    Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment under McAfee Agent.

    2 Click New Task and select Product Deployment from the New Task dialog box. The Client Task Catalog: New Task page opens.

    3 In the New Task page, define each option field according to your needs. In the Products and components option, select the ePO Deep Command client from the components menu, and select Remove in the Actions menu.

    4 Click Save and exit the New Task page. The Client Task Catalog page opens.

    5 In the Client Task Catalog, in the Actions column of your new product deployment task, click Assign and select the systems or groups where you want to remove the ePO Deep Command client, then click OK.

    6 Click Next to schedule the task as required.

    7 Click Next, then click Save.

    Uninstall the Discovery plugin

    Uninstalling the ePO Deep Command Discovery and Reporting Discovery plugin from your Intel® vPro™ systems is one of the steps required to remove the ePO Deep Command software.


    Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Update under McAfee Agent.

    2 From the New Task dialog box, click New Task and select Product Update. The Client Task Catalog: New Task page opens.

    3 In the New Task page, name and describe your task, then set the remaining options as follows:

        • Package selection — Selected packages

        • Package types — In the Signatures and engines list, deselect all options. In the Patches and service packs list, select only the Discovery plugin remover option.

    4 Click Save and exit the New Task page. The Client Task Catalog page opens.

    5 In the Client Task Catalog, in the Actions column of your new product update task, click Assign and select the systems or groups where you want to remove the ePO Deep Command client, then click OK.

    6 Click Next to schedule the task as required.

    7 Click Next, then click Save.

    Remove the ePO Deep Command extensions

    You can remove the ePO Deep Command extension from ePolicy Orchestrator using the Software Manager.

    Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

    2 On the Software Manager page, under Product Categories, click Checked In Software | Licensed.

    3 Select the product and the corresponding extension to be removed, then click Remove. Be sure to perform this step for each of the ePO Deep Command extensions checked into your server.

      You can also remove the extension by navigating to the Extensions page, clicking Remove for the corresponding ePO Deep Command extension, then clicking OK.

    4 In the Remove Software Summary page, click OK.


  • 3 Provisioning your Intel® AMT firmware

    Before you can use your ePO Deep Command software to manage Intel® vPro™ systems, you must provision the Intel® AMT firmware on those systems.

    This chapter provides an overview of the requirements and processes needed to provision systems in your network in general, as well as information about provisioning that is specific to ePO Deep Command software.

    There is no single source for complete instructions about provisioning your Intel® AMT firmware. However, the Intel® vPro™ Expert Center (http://communities.intel.com/community/openportit/vproexpert) provides a comprehensive set of documentation and supporting materials you can use to complete the process.

    Contents

    • About provisioning

    • About authentication protocols

    • About Certificate Authority integration

    • ePO Deep Command specific provisioning details

    • Overview: Enterprise mode provisioning network configuration

    • Deprovision Intel® AMT firmware

    About provisioning

    By default, Intel® AMT hardware is disabled on Intel® AMT equipped systems. Before you can report on or manage these systems with ePO Deep Command software, the Intel® AMT hardware must be enabled.

    Provisioning is the process of enabling this hardware. To successfully provision your Intel® vPro™ systems, you must ensure that your network infrastructure, as well as the individual components used in the process of provisioning, are configured correctly. Provisioning your Intel® AMT firmware serves two purposes:

    • It ensures that communication between your Intel® vPro™ systems and your servers is secure and trusted.

    • It makes Intel® vPro™ features accessible to your ePO Deep Command software.


    The method you use to provision systems in your network is dependent on a variety of factors, including your network infrastructure, hardware and software, and which Intel® AMT features you plan to use. The following diagram presents a high-level overview of the recommended process for provisioning systems.

    Provisioning states

    An Intel® vPro™ system can be in any of these three different states during the provisioning process.

    • Pre-provision — By default, Intel® AMT hardware on Intel® vPro™ systems comes from the hardware manufacturer in Factory Mode. In this mode, Intel® AMT is disabled and cannot be remotely managed by ePO Deep Command. It requires a provisioning server to configure your system into Enterprise Mode.

    • In-provision — When an activation tool provided by the provisioning server is executed or if an administrator enters information via the Intel® AMT MEBx (manually or with the aid of a USB storage device), Intel® AMT makes the transition from the pre-provisioning state to the in-provisioning state. The Intel® AMT device then periodically sends messages (Hello packets) to the provisioning server. When the provisioning server receives messages from the Intel® AMT device, it responds by delivering the configuration settings and placing the device in post-provisioning state. Hello packets contain the IP address and UUID of an Intel® vPro™ system.

    • Post-provision — The Intel® vPro™ system enters Operational Mode once its configuration settings are supplied and committed. At this point, Intel® vPro™ is ready to interact with management applications and the system is said to be post-provisioned.

    Types of provisioning

    Intel® vPro™ systems can be provisioned in two modes, SMB and Enterprise. However, ePO Deep Command software requires that you use Enterprise mode provisioning.

    • Enterprise mode — This provisioning mode is recommended for an enterprise environment, and is required for use with ePolicy Orchestrator software. This mode enables a provisioning server to remotely configure the Intel® vPro™ system. Enterprise mode provisioning is a centralized configuration that enables you to use enterprise infrastructure configuration options such as Microsoft Active Directory. This further enables the provisioning server to authorize and select the authenticated domain user to interact and manage the Intel® vPro™ system. Using this provisioning mode allows an administrator to have a common policy across the system and Intel® AMT devices, such as:

        • All traffic from ePO Deep Command to the Intel® AMT device is encrypted.

        • Security guidelines facilitate frequent password changes and other management tasks from a central configuration server.

        • Active Directory credentials are used to manage the Intel® AMT device.

    • Small and medium business (SMB) mode — This mode is used for standalone management where security requirements are minimal.

    About authentication protocols

    To provision your systems, your network infrastructure must include a supported authentication protocol.

    The protocol you use depends on the unique needs of your network. The supported authentication protocols are:

    • Digest authentication — Digest authentication is performed over the Internet using secure keys to authenticate users. For more information about Digest authentication, refer to the Internet Engineering Task Force document RFC 2617 (http://datatracker.ietf.org/doc/rfc2617/).

    • Kerberos authentication — Kerberos authentication is performed over an open network as a trusted third-party authentication service. Use of this protocol requires Active Directory integration. For more information about Kerberos authentication, refer to the Internet Engineering Task Force document RFC4120 (http://datatracker.ietf.org/doc/rfc4120/).

    You can use either, or a combination of both, when performing Enterprise mode provisioning.

    About Certificate Authority integration

    A Certificate Authority (CA) is used to issue the certificates to the proper trusted devices within the network.

    Certificate Authority integration

    An organization can use Transport Layer Security (TLS) communication by incorporating certificates issued by a CA.

    TLS is only available in Enterprise mode provisioning with an Intel® AMT device.


    Two types of certificates are required for the Enterprise Mode Provisioning of Intel® vPro™ systems:

    • Server Authentication Certificate — Certificate Authority integration requires a Self-Signed CA to be deployed in the network. Each Intel® vPro™ device that needs to communicate using TLS requires a Server Authentication certificate, for which a Self-Signed CA must be deployed in the network. A certificate is automatically requested from the Root CA on behalf of the Intel® AMT client by the Provisioning Server when the Intel® AMT client is configured to use TLS. It is stored in the Non-Volatile RAM on the Intel® AMT client. The Certificate is based on a standard Web Server Certificate Template that is available with Microsoft Certification Authority.

    • Provisioning Certificate — This requires a Vendor Supplied Certificate or a Self-Signed CA deployed in the Network. This is stored in the Certificate Storage of the Provisioning Server, found in the Computer Account or the User Account.

        • If a Self-Signed Certification Authority is used for creating the Provisioning Certificate:

            • A proper Certificate Template must first be created. The Computer Template available in the Microsoft Certification Authority can be duplicated.

            • The OID 2.16.840.1.113741.1.2.3 has to be added in the Enhanced Key Usage section of the template.

            • A Certificate request should be sent to the Self-Signed CA with the FQDN of the Provisioning Server in the Subject Name.

            • The CA should use this template to generate the certificate, which is then saved in the Provisioning Server.

        • If a Vendor Supplied Certificate is being used for the Provisioning Certificate:

            • A Supported Vendor must be used. The list of Supported Vendors depends on the Root Certificate hashes present in the Intel® AMT firmware, which depends on the Intel® AMT versions being used. For more information on supported vendors, see the following Intel® documentation: http://www.vproexpert.com/59JHE/RCFG-Cert-Util/docs/RemoteConfigurationCertificateSelection.pdf

            • Purchase the appropriate SSL Certificate from the vendor and generate a Certificate Signing Request (CSR).

            • Ensure the Intel® Client Setup Certificate is provided in the OU field of the Certificate Signing Request.

            • The CN in the Certificate Signing Request must match the Intel® vPro™ System Domain Suffix.

            • The key must be exportable and the Request Type must be PKCS10.

            • For more information on purchasing the correct SSL Certificate, see the Working with vendors section of the Remote Configuration FAQ document available here: http://www.vproexpert.com/59JHE//RCFG-Cert-Util/docs/RCFGfaq.pdf.

            • Install the Vendor Certificate on the system where Intel® SCS Remote Configuration Service (RCS) will be running. For more information on installing the Vendor Certificate, see Installing a Vendor Certificate in the Intel SCS 7.0 Setup and Configuration User Guide.


  • This table defines the certificates required for this environment:

    • Purpose: Provisioning of Intel® vPro™ Systems by the Provisioning Server
      Certificate Template to Use: Duplicate of Web server with Customizations, or Vendor Supplied Certificate
      Specific Information in Certificate: Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the object identifier: 2.16.840.1.113741.1.2.3. OR Intel® Client Setup Certificate is provided in the OU field. The subject field must contain the FQDN of the Provisioning Server.

    • Purpose: Communicating with Intel® vPro™ Systems using TLS
      Certificate Template to Use: Web server
      Specific Information in Certificate: The Enhanced Key Usage value must contain the Server Authentication (1.3.6.1.5.5.7.3.1). The subject field must contain the FQDN of the Intel® vPro™ system.

    ePO Deep Command doesn't support the hierarchy of CAs. The CA used for generating the certificate for communication with Intel® vPro™ systems needs to be checked in to the server setting for ePO Deep Command.
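    The requirements in the certificate table can be checked before a certificate is put into service. The following PowerShell function is an added example, not part of the product guide; the function name, file names and host names are hypothetical, and it reads the table's "OR" as: Server Authentication is always required, plus either the provisioning OID or the Client Setup Certificate OU.

```powershell
# Added example, not part of the product guide.
# The two OIDs are the values listed in the certificate table.
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'        # Server Authentication
$AmtProvisionOid = '2.16.840.1.113741.1.2.3'  # provisioning OID from the table

function Test-AmtCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,          # .cer/.der/.pem certificate file
        [Parameter(Mandatory)] [string] $ExpectedFqdn,  # FQDN the subject must contain
        [ValidateSet('Provisioning', 'Tls')] [string] $Purpose = 'Tls'
    )

    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Collect every OID in the Enhanced Key Usage extension (empty array if absent).
    $ekuOids = @(
        $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )

    $hasServerAuth = $ekuOids -contains $ServerAuthOid
    $hasAmtOid     = $ekuOids -contains $AmtProvisionOid
    # Vendor-supplied certificates carry the marker in the OU field instead of the OID.
    $hasSetupOu    = $cert.Subject -match 'OU=[^,]*Client Setup Certificate'
    # The subject must contain the expected FQDN as its CN.
    $subjectOk     = $cert.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)')

    # Assumption: "OR" in the table means ServerAuth AND (OID OR OU).
    $purposeOk = if ($Purpose -eq 'Provisioning') {
        $hasServerAuth -and ($hasAmtOid -or $hasSetupOu)
    } else {
        $hasServerAuth
    }

    [pscustomobject]@{
        File              = $full
        Purpose           = $Purpose
        Subject           = $cert.Subject
        EkuOids           = $ekuOids -join ', '
        HasServerAuth     = $hasServerAuth
        HasProvisionOid   = $hasAmtOid
        HasClientSetupOu  = $hasSetupOu
        SubjectMatchesFqdn = $subjectOk
        Compliant         = ($purposeOk -and $subjectOk)
    }
}

# Constructed usage (file and host names are placeholders):
# Test-AmtCertificate -Path .\provisioning.cer -ExpectedFqdn 'rcs01.corp.example.com' -Purpose Provisioning
# Test-AmtCertificate -Path .\amt-client.cer   -ExpectedFqdn 'pc042.corp.example.com' -Purpose Tls
```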

    ePO Deep Command specific provisioning details

    When provisioning your Intel® vPro™ systems for use with ePO Deep Command, keep these specifics in mind.

    In an ePO Deep Command environment, Intel® vPro™ systems will be in one of three states:

    • Unconfigured

    • Configured, but not compliant with ePolicy Orchestrator

    • Configured and compliant with ePolicy Orchestrator

    Of these three states, the first two are of particular importance. Use the sections about these two states that follow as a reference to ensure the appropriate configurations, conditions, and details are in place to move your systems into the Configured and compliant state.

    Unconfigured systems

    If your Intel® vPro™ systems are unconfigured, consider the following:

    • Ensure the latest BIOS, Intel® AMT firmware and Intel® AMT drivers are applied to all Intel® AMT equipped systems. Refer to the manufacturer of your hardware for details about obtaining this content.

    • For security reasons, Intel® AMT equipped systems are intentionally shipped in an unconfigured state. These systems should be configured only after they are in place in the target environment.

    • Intel® vPro™ systems can be configured before or after they are deployed to your enterprise environment. The preferred setup for initial configuration is a DHCP environment with your target systems on a production wired LAN interface with network ports 9971 and 16992-16995 available.


  • • Intel® vPro™ systems must be configured with at least one administrative account and TLS certificate. This configuration requires:

    • An internal Microsoft Certificate Authority

    • The Intel® Setup and Configuration Service (SCS)

    • Initial authentication to the Intel® vPro™ system

    • The Intel® vPro™ systems must receive an initial profile to perform their function as a network service. The profile must be provided to your Intel® vPro™ systems in a secure manner, and must provide the relevant information such as authentication or access control list (ACL) details, enabled service interface, securing of communications, and so forth.

    • To ensure optimal performance, Intel® vPro™ systems must be configured to use the Admin Control Mode.

    • Intel® SCS is an essential component that provides a centralized mechanism for initial and post configuration events. For more information about SCS requirements, setup, and configuration details, see the Intel® Setup and Configuration Service (Intel® SCS) User Guide (http://downloadcenter.intel.com/Detail_Desc.aspx?lang=eng&DwnldID=19882).

    • The initial trust between Intel® SCS and your Intel® vPro™ system is accomplished via Pre-shared Key (PSK) or remote configuration certificates (PKI). For more details about PSK and PKI, see the Intel® Setup and Configuration Service (Intel® SCS) User Guide.

    Configured, but not compliant systems

    If your Intel® vPro™ systems are configured, but not compliant with ePolicy Orchestrator, consider the following:

    • ePolicy Orchestrator requires TLS in the Intel® AMT configuration. The internal CA root certificate must be in the Trusted Root Certificate store of the Intel® vPro™ system, and must be imported into the ePolicy Orchestrator server.

    • ePolicy Orchestrator can authenticate via Intel® AMT Digest or a valid Kerberos account with PTAdmin Realm access.

    • Authentication and certificate details are applied to the ePolicy Orchestrator Server Settings in the Intel® AMT Credentials settings category. Only one set of credentials or one certificate can be applied per instance of ePO Deep Command.

    • If your Intel® vPro™ systems were initially configured without using Intel® SCS, it might be possible to change that configuration using the options provided by SCS.

    Additional resources

    Refer to the following sources for additional information about Intel® SCS and to download its latest version:


  • • http://www.intel.com/support/scs

    • http://www.intel.com/software/scs

    Overview: Enterprise mode provisioning network configuration

    Enterprise mode provisioning requires that specific hardware, software, and configuration settings be in place.

    This illustration provides a high-level overview of a network configuration that supports Enterprise mode provisioning of your Intel® vPro™ systems.

    Each of the server components in this illustration performs an essential function in Enterprise mode provisioning:

    • Active Directory server — The Active Directory (AD) server is an integration point for the Intel® AMT device. This integration allows the configuration server to use the Kerberos authentication to securely manage Intel® AMT credentials.

    • Certificate Authority server — The Certification Authority (CA) server issues certificates to the correct trusted devices within the network. An organization can use Transport Layer Security (TLS) communication by incorporating certificates issued by a CA.

    • ePO server — The ePolicy Orchestrator server is the management console from which application and enforcement of Intel® AMT policies are configured and distributed.

    • DHCP server — Intel® AMT devices obtain the IP address via the Dynamic Host Configuration Protocol server. The Management Engine software (not shown) also uses the DHCP server to dynamically update the DNS server with its FQDN.


  • • DNS server — Intel® vPro™ systems use the DNS server during the provisioning phase to locate the provision server and request their configuration information. Ensure your provisioning server is registered in DNS and an alias for ProvisionServer is created.

    • Provisioning server — This is used to provision an Intel® vPro™ system. It automates the process of populating Intel® vPro™ systems with the user names, passwords, and network parameters that enable the system to be administered remotely from ePO Deep Command.

    Additional components and their configuration

    There are several additional components and configurations not depicted in the previous illustration. These components also play a role in the provisioning process:

    • Firewall — Intel® vPro™ systems require certain ports to be open to allow management traffic to go through them. These tables list the ports used for Intel® vPro™ system communications, which should not be blocked.

    Communication ports

    16992 TCP/UDP Intel® AMT SOAP/HTTP

    16993 TCP/UDP Intel® AMT SOAP/HTTPS

    Redirection ports

    16994 TCP/UDP Intel® AMT Redirection/TCP

    16995 TCP/UDP Intel® AMT Redirection/TLS

    Port 9971 is used in Enterprise mode to listen for Hello packets from the Intel® vPro™ systems.

    When using the Intel® Setup and Configuration Service provisioning server, the Microsoft Base Filtering Engine services intercept the provisioning process, which causes the provisioning process to fail. Ensure that firewall rules are enabled for the designated ports.

    • BIOS version — Use the latest BIOS and firmware from the OEM to ensure proper functionality.

    • IP addressing scheme — Enterprise mode only supports DHCP for an IP addressing scheme.

    • Intel® Management Engine Interface (MEI) driver — The MEI driver is a prerequisite for provisioning and must be deployed on the Intel® vPro™ system. Confirm with your hardware vendors that you have the right set of MEI drivers for the appropriate Intel® vPro™ systems.

    Deprovision Intel® AMT firmware

    You can deprovision a provisioned system, either Fully or Partially. A Full Deprovisioning removes the entire configuration (like the security credentials, and operational network settings) and disables the Intel® vPro™ features on the system. A Partial Deprovisioning retains provisioning configuration data (like the host name, domain name, PKI settings, PSK settings), but disables the Intel® AMT features on the system. The Intel® vPro™ system can still communicate with the Provisioning Server.

    Perform a Full Deprovision on a client system.

    Task

    1 Start the provisioned Intel® vPro™ system, and press Ctrl + P or F12 to invoke the MEBx screen.

    2 Log on to the Intel® vPro™ system with the admin user name and password that were configured during the Provisioning process.

    3 Select Intel ME General Settings and press Enter.


  • 4 Select Unconfigure Network Access and press Enter. A warning message saying that the Configuration will be Reset to the Default Values appears.

    5 Press Y to continue.

    6 In the next screen, select the option Full Unprovision and press Enter to execute a Full Deprovision, or select the option Partial Unprovision and press Enter to execute a Partial Deprovisioning.

    7 Once the deprovisioning is complete, the menu appears. Select Return to go back to the previous screen and press Y to exit the MEBx menu.


  • 4 Setting up and configuring your software

    Once you've installed the ePO Deep Command software, you need to set up and configure it to fully leverage all available features.

    Contents

    • Set up and configure the ePO Deep Command software

    • Set up and configure the SCCM extension

    • Set up and configure your environment for CIRA

    Set up and configure the ePO Deep Command software

    These tasks guide you through the process of setting up and configuring your ePO Deep Command modules.

    They assume that you have installed both the Discovery and Reporting module, and the Management Framework module. For details on installation, see Installing ePO Deep Command software.

    Tasks

    • Deploy the ePO Deep Command Discovery and Reporting plugin
      The ePO Deep Command Discovery and Reporting plugin must be deployed to your managed systems. Assign the Install/Update ePO Deep Command Discovery Plugin task to your managed systems to deploy the Discovery plugin.

    • Deploy the Management Framework client
      After the Management Framework extension is installed on the ePolicy Orchestrator server, it automatically creates the client task, Deploy ePO Deep Command Client.

    • Specify ePO Deep Command credentials
      Specify ePO Deep Command credentials and import the Server Authentication Certificate in ePolicy Orchestrator. The credentials you specify must be the same as the provisioning credentials. This procedure authenticates your administrator rights to manage Intel® vPro™ systems using ePO Deep Command.

    • Import CA certificates
      Certification Authority (CA) certificates are required to facilitate secure communication between your clients and servers.

    Deploy the ePO Deep Command Discovery and Reporting plugin

    The ePO Deep Command Discovery and Reporting plugin must be deployed to your managed systems. Assign the Install/Update ePO Deep Command Discovery Plugin task to your managed systems to deploy the Discovery plugin.

    This client task is automatically created when the ePO Deep Command Discovery and Reporting module is installed on the ePolicy Orchestrator server.

    Assign the client task to the desired client computers.


  • Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Update under McAfee Agent.

    2 Click Assign in the Install/Update ePO Deep Command Discovery Plugin Actions column to open the Select a group to assign the task page.

    3 Select the required system or system groups where you want to deploy the ePO Deep Command Discovery and Reporting software Discovery plugin.

    4 Click OK to open the Client Task Assignment Builder wizard.

    5 On the Select Task page, verify the Product, Task type, and Task Name to deploy the product. Next to Tags, select a platform, then click Next.

    • Send this task to all computers

    • Send this task to only computers that have the following criteria — Use one of the edit links to configure the criteria.

    6 On the Schedule page, on Select type: select Run immediately and click Next.

    7 Review the summary, then click Save to open the System Tree page.

    8 In the System Tree page, select the systems or groups where you assigned the task, then click Actions | Agent | Wake Up Agents. The Wake Up McAfee Agent page appears.

    9 In the Wake Up McAfee Agent, select Force policy update, then click OK.

    To evaluate each system against AMT tag criteria, the Run Tag Criteria must be executed.

    Deploy the Management Framework client

    After the Management Framework extension is installed on the ePolicy Orchestrator server, it automatically creates the client task, Deploy ePO Deep Command Client.

    Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Policy | Client Task Catalog, then select Product Deployment under McAfee Agent.

    2 Click Assign in Deploy ePO Deep Command Client to open the Select a group to assign the task page.

    3 Select the required systems or groups where you want to deploy Management Framework, then click OK.

    4 Click Next to schedule the deployment task as required.

    5 Click Next, then click Save.

    6 Send an agent wake-up call.

    Specify ePO Deep Command credentials

    Specify ePO Deep Command credentials and import the Server Authentication Certificate in ePolicy Orchestrator. The credentials you specify must be the same as the provisioning credentials. This procedure authenticates your administrator rights to manage Intel® vPro™ systems using ePO Deep Command.

    Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings.

    2 In Setting Categories, select AMT Credentials, then click Edit to specify your Intel® AMT credentials and import trusted certificates. The Edit Intel AMT Credentials page appears.

    3 Type your user name and password, confirm your password, then click Save.

    If the credentials are invalid or not specified, all OOB actions fail.

    Click Edit to change your credentials anytime.

    4 Click Edit. In Trusted Root Certificates, click Import to specify a PEM encoded (.pem file), DER encoded (.der file), or a PKCS12 (.p12 file) certificate. The certificate is required for CIRA, SOL and IDE-R policies.

    This is the Root Certificate of the CA that was used for creating and signing the Server Authentication Certificate. See the About Certification Authority Integration section in the Provisioning your Intel® AMT firmware chapter for more information on the Server Authentication Certificate.

    5 Click Save.

    Import CA certificates

    Certification Authority (CA) certificates are required to facilitate secure communication between your clients and servers.

    While specifying ePO Deep Command credentials, import CA certificates to the system account where ePolicy Orchestrator or Agent Handler is installed in a cross domain. This prevents the 401 or 12175 error from being displayed in the AMTService.log file. Refer to the Frequently asked questions section for more information on the AMTService.log file.

    When you use Internet Explorer to install the CA certificate to your Trusted Roots certificate store, it affects only the current user's certificates and not the local system. Use the MMC Certificates snap-in to install the certificate for the local system or a service account. This CA must be checked into Trusted Root Certification and Intermediate Certification Authorities, and the ePolicy Orchestrator services must be restarted.

    This is the Root Certificate of the CA that was used for creating and signing the Server Authentication Certificate. See the Certification Authority Integration section in the Provisioning your AMT firmware chapter for more information on the Server Authentication Certificate.

    Task

    For option definitions, click ? in the interface.

    1 Specify ePO Deep Command credentials and import the Server Authentication Certificate in ePolicy Orchestrator. Refer to the Specify ePO Deep Command credentials section for instructions.

    2 Run mmc from the Command Prompt of your ePolicy Orchestrator system.

    3 From File, click Add/Remove Snap-in, then click Add.

    4 In Add Standalone Snap-in, select Certificates, then click Add.


  • 5 From the Certificates snap-in window, select Computer Account, then click Next. From the Select Computer page, select Local Computer, then click Finish.

    6 Click Close.

    7 Click OK.

    8 Go to Console Root and expand Certificates (Local Computer), then expand Trusted Root Certification Authorities. The Certificates folder must be displayed in the right pane. Right-click Certificates, then click All Tasks | Import.

    9 In the Certificate Import Wizard, click Next, then Browse and select the CA Certificate. Make sure Trusted Root Certification Authorities is where the certificate is stored. Click Next, then click Finish to complete the certificate importing process.

    10 Go to Console Root and expand Certificates (Local Computer), then expand Intermediate Certification Authorities. The Certificates folder must be displayed in the right pane. Right-click Certificates, then click All Tasks | Import.
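    The outcome of this task, and the Internet Explorer pitfall described before it, can be verified from PowerShell. This is an added example, not part of the product guide: the function name and file path are hypothetical, and it assumes an elevated session on the ePolicy Orchestrator or Agent Handler system with the PKI module's Import-Certificate cmdlet available (Windows 8 / Windows Server 2012 or later).

```powershell
# Added example, not part of the product guide.
# Reports where the CA certificate is trusted and, with -Import, adds it to the
# local computer's Trusted Root and Intermediate Certification Authorities stores.
function Test-CaMachineTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CaCertPath,  # .cer/.der/.pem file of the CA certificate
        [switch] $Import
    )

    $full = (Resolve-Path -LiteralPath $CaCertPath).Path
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # LocalMachine\Root = Trusted Root Certification Authorities (Local Computer)
    # LocalMachine\CA   = Intermediate Certification Authorities (Local Computer)
    $machineStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

    # True when a certificate with the same thumbprint is present in the store.
    function Test-InStore([string] $Store) {
        [bool](Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })
    }

    if ($Import) {
        foreach ($store in $machineStores) {
            if (-not (Test-InStore $store)) {
                Import-Certificate -FilePath $full -CertStoreLocation $store | Out-Null
            }
        }
    }

    $inRoot = Test-InStore 'Cert:\LocalMachine\Root'
    $inCa   = Test-InStore 'Cert:\LocalMachine\CA'
    $inUser = Test-InStore 'Cert:\CurrentUser\Root'

    [pscustomobject]@{
        Subject                  = $ca.Subject
        Thumbprint               = $ca.Thumbprint
        LocalMachineRoot         = $inRoot
        LocalMachineIntermediate = $inCa
        # Present for the logged-on user but not the machine: the result of an
        # Internet Explorer import, which services running as Local System do not see.
        CurrentUserOnly          = ($inUser -and -not $inRoot)
        Ready                    = ($inRoot -and $inCa)
    }
}

# Constructed usage (path is a placeholder):
# Test-CaMachineTrust -CaCertPath 'C:\Temp\internal-root-ca.cer'
# Test-CaMachineTrust -CaCertPath 'C:\Temp\internal-root-ca.cer' -Import
# After an import, restart the ePolicy Orchestrator services as the guide requires.
```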

    Test your connection to an Intel® vPro™ system

    After provisioning your Intel® AMT firmware, specifying product credentials to manage your Intel® vPro™ systems, then deploying ePO Deep Command to your Intel® vPro™ systems, you can verify that the Intel® vPro™ system is managed by your ePolicy Orchestrator server by using the Power On and Boot/Reboot features.

    Power On feature

    Follow the instructions in the Power on your systems section of the Managing your Intel® vPro™ systems chapter.

    Boot/Reboot feature

    Follow the instructions given in the Boot or reboot using IDE-Redirect section of the Managing your Intel® vPro™ systems chapter.

    Configuring permission sets

    Minimum permissions must be set for all users so they can execute different OOB actions on any Intel® vPro™ system in the System Tree, and view ePO Deep Command events.

    Common permissions for Out-of-Band actions

    • View the list of Agent Handlers.

    • View the System Tree tab in Systems.

    • Access My Organization in System Tree.

    Other permissions

    For Out-of-band Power On feature access, configure these permission sets:

    • Wake up agents and view the Agent Activity Log in Systems.

    • Power On in ePO Deep Command Out-of-Band actions.


  • For Out-of-Band policy enforcement, configure these permission sets:

    • Enforce Intel® AMT Policies in ePO Deep Command Out-of-Band actions.

    • View policy and task settings in ePO Deep Command policies.

    For SOL Terminal access, configure the following permission:

    • Use Serial over LAN Terminal (SOL) in ePO Deep Command Out-of-Band actions.

    For IDE-R access, configure the following permission:

    • Boot/Reboot with Options (IDE-R) in ePO Deep Command Out-of-Band actions.

    To view the CILA and CIRA Events in Threat Event log, configure the following permission:

    • View Threat Event Log in Reporting.

    Set up and configure the SCCM extension

    Setting up and configuring the SCCM extensions on your ePolicy Orchestrator server allows you to import data from your SCCM servers so you can view details about the software installed on a particular Intel® vPro™ system.

    Install the SCCM extension

    Install the SCCM extension on your ePolicy Orchestrator server to view specific details about any SCCM-managed systems that are also managed by your ePolicy Orchestrator server, such as status, domain, version, and operating system. This procedure is optional.

    Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

    2 In Product Categories, click Software Not Checked In | Licensed.

    3 Select the SCCM extension you want to install, then click Check In.

    You can also download the SCCM extension to a temporary location on your system and install it later. For instructions on installing extensions, see the McAfee ePolicy Orchestrator 4.6.0 Product Guide.

    4 In the Software Summary page, review and accept the End User License Agreement (EULA), then click OK.

    Add registered SCCM servers

    Adding SCCM servers allows you to import Intel® vPro™ system details registered in the SCCM servers to ePolicy Orchestrator.

    Before you begin

    You must install SCCM extensions on ePolicy Orchestrator.


  • Task

    For option definitions, click ? in the interface.

    1 From the ePolicy Orchestrator console, click Menu | Configuration | Registered Servers.

    2 Click New Server. The Registered Server Builder page appears.

    3 In the Description field, under Server Type, select SCCM from the drop-down list, then type the server name.

    4 In the Details field, specify the following information:

    • DNS Name or IP of this site's provider (WMI Host)

    • SCCM site code

    • WMI user name

    • WMI password

    5 Confirm the WMI password and click Test Connection. You will receive one of these messages:

    • Connection verified

    • Failed to establish connection

    6 Click Save.

    Import data from SCCM servers

    Import data from SCCM servers to ePolicy Orchestrator.

    Task

    For option definitions, click ? in the interface.

    1 From the ePolicy Orchestrator console, click Menu | Automation | Server Tasks.

    2 Click New Task. The Server Task Builder page appears.

    3 Type a name for the task, select Schedule Status as Enabled, then click Next.

    4 In Actions, select SCCM - Import Data on ePO systems, select the required SCCM server from which you want to import system data, select a tag as required, then click Next.

    5 Schedule the task as required, then click Next. A summary of the task is displayed.

    6 Click Save.

    7 Click Run. The Server Task Log page is displayed with the status of the task.

    8 Navigate to the System Properties page, select the Intel® vPro™ system, then click the SCCM tab to view details of the Intel® vPro™ system.

    Removing the SCCM extension

    Remove the SCCM extension from ePolicy Orchestrator.

  • Task

    For option definitions, click ? in the interface.

    1 In the ePolicy Orchestrator console, click Menu | Software | Software Manager.

    2 On the Software Manager page in Product Categories, click Checked In Software | Licensed.

    3 Select the product and the corresponding SCCM extension to be removed, then click Remove.

    You can also remove the extension by navigating to the Extensions page, clicking Remove corresponding to SCCM extension, then clicking OK.

    4 In the Remove Software Summary page, click OK.

    Set up and configure your environment for CIRA

    To use the Client Initiated Remote Access feature (CIRA), you must set up and configure an ePO Deep Command Gateway server.

    The ePO Deep Command Gateway server acts as a proxy responsible for mediating communication between the ePolicy Orchestrator server and the remotely managed Intel® vPro™ systems. It resides in the corporate DMZ server where Agent Handler is installed.

    ePO Deep Command Gateway server configuration

    The CIRA feature allows Intel® vPro™ technology platforms to initiate a secured connection to a gateway server residing in the enterprise De-Militarized Zone (DMZ).

    To use CIRA policies, you must download, certify, install, and configure stunnel separately. Before installing stunnel, you must install ePO Deep Command Gateway on the DMZ server where Agent Handler or the McAfee ePO server is installed. You can download stunnel from http://www.stunnel.org.

    Stunnel is a multi-platform program that acts as the SSL tunneling proxy between the McAfee™ ePO server and your remote Intel® vPro™ systems.

    For instructions on setting up Agent Handler, see the ePolicy Orchestrator 4.6 Product Guide.


  • Install the ePO Deep Command Gateway server

    Install the ePO Deep Command Gateway server on the server in your corporate DMZ where the Agent Handler is installed.

    Task

    For option definitions, click ? in the interface.

    1 From the CA server, extract the contents from EPODCGateway 1.0.0 Package.zip to a temporary location on your server in the DMZ where Agent Handler is installed.

    2 Double-click the SetupAGS.exe file. The Welcome screen appears.

    3 Click Next. Select the license type and accept the license agreement, then click OK. The Destination Folder screen displays a default folder where the software installation files are copied.

    4 Click Change to specify a folder, or Next to copy them to the default location. The ePO Deep Command Gateway Information screen displays the default port on which the ePO Deep Command Gateway listens for new Intel® AMT platform connection requests.

    You can use the default port 11111 on this screen. If you change the port, stunnel configuration must be changed accordingly. Refer to Use the CIRA policy for instructions.

    5 Click Next | Finish.

    Install stunnel

    Install stunnel on the DMZ server where the Agent Handler or McAfee ePO server is installed.

    Before you begin

    ePO Deep Command Gateway must be installed on this DMZ server.


  • Task

    For option definitions, click ? in the interface.

    1 Go to http://www.stunnel.org/, then download the stunnel software package to a temporary location on the server system where the Agent Handler or ePolicy Orchestrator is installed in the DMZ.

    2 Double-click stunnel--installer.exe and follow the instructions.

    Stunnel is installed in C:\Program Files.

    Generate the certificate for stunnel installation

    The Server Authentication Certificate is required to use stunnel. For more information on the Server Authentication Certificate, see Certification Authority Integration in the Provisioning your Intel® AMT firmware chapter.

    Before you begin

    OpenSSL generates stunnel certificates and requires a one-time setup. The steps that follow provide an example of the process used to generate the certificate. For complete instructions on generating certificates, go to http://www.stunnel.org/?page=howto and see Generating the stunnel certificate and private key (pem).

    You can generate certificates on another system to avoid copying various certification dependent software, executables, or binaries on the DMZ.

    If you know how to generate stunnel certificates, follow these guidelines:

    • The private key size must not exceed 2048.

    • Do not include an email address.

    • Enter the fully qualified domain name of the ePO Deep Command Gateway server.

    • Ensure that the Web Server template is used when the certificate request is submitted for signing by the CA.

    Task

    For option definitions, click ? in the interface.

    1 Go to http://www.slproweb.com/products/Win32OpenSSL.html.

    2 Install vcredist_x86.exe, which is required for the OpenSSL installation.

    3 Install Win32OpenSSL-1_0_0d, then select C:\OpenSSL-Win32 as the destination location.

    4 Copy OpenSSL DLLs to The OpenSSL binaries (/bin) directory during the installation process.

    5 After the installation is complete, copy openssl.cnf to the C:\OpenSSL-Win32\bin directory.

    6 From the command prompt, go to C:\OpenSSL-Win32\bin and run this command:

    openssl req -new -config openssl.cnf -newkey rsa:1024 -nodes -keyout cira.key -out cira.csr

    This command creates a private key (cira.key) and a certificate signing request (cira.csr).

    7 When prompted, specify the following values:

    • Country name: US

    • State: California

    • Location: Santa Clara

    • Organization name: McAfee

    Do not provide your email address. However, it is mandatory to provide the host name of the system when generating the certificate request.
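The guidelines above (key size, no email address, FQDN in the subject) can be checked on the request before it goes to the CA. This batch file is an added example, not part of the product guide; it assumes the directory and file names from step 6, and GATEWAY_FQDN is a placeholder for the host name of your gateway server.

```batch
@echo off
rem Added example, not from the product guide: check cira.csr before submitting it.
rem Assumes the directory and file names from step 6. GATEWAY_FQDN is a
rem placeholder; set it to the FQDN of your ePO Deep Command Gateway server.
setlocal
set "GATEWAY_FQDN=gateway.example.com"
cd /d "C:\OpenSSL-Win32\bin" || exit /b 1

rem 1. The request must verify against its own public key. The result text is
rem    matched because older OpenSSL builds do not signal failure in the exit code.
openssl req -config openssl.cnf -in cira.csr -noout -verify 2>&1 | findstr /C:"verify OK" >nul
if errorlevel 1 (
    echo FAIL: cira.csr signature did not verify
    exit /b 1
)

rem 2. Read the subject, then check for the host name and for an email field.
set "SUBJECT="
for /f "delims=" %%S in ('openssl req -config openssl.cnf -in cira.csr -noout -subject') do set "SUBJECT=%%S"
if not defined SUBJECT (
    echo FAIL: could not read the subject of cira.csr
    exit /b 1
)
echo %SUBJECT%
echo %SUBJECT%| findstr /I /C:"emailAddress" >nul
if not errorlevel 1 (
    echo FAIL: the subject contains an email address
    exit /b 1
)
rem findstr does a substring match; read the echoed subject to confirm the CN exactly.
echo %SUBJECT%| findstr /I /C:"%GATEWAY_FQDN%" >nul
if errorlevel 1 (
    echo FAIL: %GATEWAY_FQDN% is not in the subject
    exit /b 1
)

rem 3. Extract the key size from the text line that contains "NNNN bit" in parentheses.
set "BITS="
for /f "tokens=2 delims=()" %%K in ('openssl req -config openssl.cnf -in cira.csr -noout -text ^| findstr /C:" bit"') do (
    for /f "tokens=1" %%B in ("%%K") do set "BITS=%%B"
)
if not defined BITS (
    echo FAIL: could not read the key size
    exit /b 1
)
if %BITS% GTR 2048 (
    echo FAIL: key size %BITS% exceeds 2048
    exit /b 1
)
echo OK: %BITS%-bit key, subject contains %GATEWAY_FQDN%, no email address
```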

    Sign the certificate using Certification Authority

    Sign the generated certificate using OpenSSL. The CA used to sign the certificate should be known to the Intel® vPro™ system. Additionally, the CA Thumbprint value (CA Hash) must be present in the MEBx BIOS of the Intel® vPro™ system. If it is not, the CIRA tunnel cannot be established.

    Task

    For option definitions, click ? in the interface.

    1 Use a web browser to access the CA server. The CA server URL must include the server's FQDN followed by /certsrv. For example, http:///certsrv.

    2 Log on to the CA server as a domain administrator, click Request a Certificate | Advanced Certificate Request.

    3 Click Submit a Certificate request by using a base64 encoded file.

    4 Select Web Server from the Certificate Template drop-down list. Copy the contents of the file C:\OpenSSL-Win32\bin\cira.csr in the text box Base-64-encoded certificate request, then click Submit.

    Notepad or WordPad can be used to open C:\OpenSSL-Win32\bin\cira.csr.

    5 Select Base 64 Encoded and Download Certificate, then save to C:\Program Files\stunnel as cira.pem.

    This is the signed public certificate that stunnel uses.

    Configure stunnel

    Use this task to configure stunnel, for instance, to listen on port 81 for incoming CIRA requests and forward them to port 11111 (the default port that you specify, during installation, for the ePO Deep Command Gateway server to listen on).

    Task

    For option definitions, click ? in the interface.

    1 Copy the cira.key (private key), which was created by the openssl command, to the folder C:\Program Files\stunnel.

    2 Save the CA Root Certificate file to the folder C:\Program Files\stunnel as ca.cer.

    3 Configure the stunnel configuration file C:\Program Files\stunnel\stunnel.conf and include these lines:

    cert = C:\Program Files\stunnel\cira.pem

    key = C:\Program Files\stunnel\cira.key

    CAfile = C:\Program Files\stunnel\ca.cer

    [ciraamt]

    accept = 81

    connect = 11111

    where "cert" is the publicly signed certificate, "key" is the private key for stunnel, and "CAfile" is the Root Certificate that was used to sign the stunnel certificate.

    If you have saved the files under other names, update the stunnel.conf configuration file accordingly. See the sample stunnel configuration file in the Appendix.

    The "ciraamt" section configures stunnel to listen on port 81 for incoming CIRA requests and forward them to port 11111, which is the default port where the ePO Deep Command Gateway server is listening. (This configuration was done during the installation of the ePO Deep Command Gateway server.)

    Rules must be enabled to allow inbound connections to the CIRA empty port. In this case, inbound connections must be allowed to port 81.
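Before stunnel is installed as a service, the three files named in stunnel.conf can be checked against each other. This batch file is an added example, not part of the product guide; it assumes the paths used in this chapter and the OpenSSL installation from the certificate task, and it prints a SHA-1 fingerprint on the assumption that this is the digest your MEBx CA hash uses.

```batch
@echo off
rem Added example, not from the product guide: check the three files that
rem stunnel.conf references before the service is installed.
rem Assumes the paths used in this chapter and OpenSSL in C:\OpenSSL-Win32\bin.
setlocal
set "PATH=C:\OpenSSL-Win32\bin;%PATH%"
set "OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cnf"
cd /d "C:\Program Files\stunnel" || exit /b 1

rem 1. stunnel reads PEM. A root certificate exported in DER form fails here.
openssl x509 -in ca.cer -noout -subject
if errorlevel 1 (
    echo FAIL: ca.cer is not PEM. Export it again as Base 64 encoded.
    exit /b 1
)

rem 2. The certificate and the private key must share one RSA modulus.
set "CERT_MOD="
set "KEY_MOD="
for /f "delims=" %%M in ('openssl x509 -in cira.pem -noout -modulus') do set "CERT_MOD=%%M"
for /f "delims=" %%M in ('openssl rsa -in cira.key -noout -modulus') do set "KEY_MOD=%%M"
if not defined CERT_MOD (
    echo FAIL: could not read cira.pem
    exit /b 1
)
if not "%CERT_MOD%"=="%KEY_MOD%" (
    echo FAIL: cira.key does not belong to cira.pem
    exit /b 1
)

rem 3. The certificate must chain to the root that stunnel is told to trust.
rem    The result text is matched rather than the exit code, which older
rem    OpenSSL builds do not set reliably.
openssl verify -CAfile ca.cer cira.pem | findstr /C:": OK" >nul
if errorlevel 1 (
    echo FAIL: cira.pem does not verify against the CA in ca.cer
    exit /b 1
)

rem 4. Print what a connecting client will see, and the root fingerprint to
rem    compare with the CA hash held in MEBx. SHA-1 is an assumption here.
openssl x509 -in cira.pem -noout -subject -issuer -dates
openssl x509 -in ca.cer -noout -fingerprint -sha1
echo OK: key, certificate and root are consistent
```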

    Install stunnel as a Windows service

    Install stunnel as a service on a 32- or 64-bit Windows operating system where ePO Deep Command Gateway Server is installed. Following are the instructions to install stunnel as a service for a 32-bit operating system.

    • From the command prompt, run these commands.

    cd C:\Program Files\stunnel

    stunnel.exe -install

    Start the stunnel service

    Start the stunnel service to start processing any CIRA requests.

    • From the command prompt, run these commands.

    cd C:\Program Files\stunnel

    stunnel.exe stunnel.conf

    Validate certificate

    Verify that the certificate issued to the host name of your ePO Deep Command Gateway server is correct.

    Task

    1 Using Mozilla Firefox, go to https://:81 (or the port that you configured in stunnel.conf to listen on).

    2 View the certificate installed on the site.

    It must be issued to the host name of the ePO Deep Command Gateway server and issued by a CA that is known to the Intel® vPro™ system.

    5 Reporting on your Intel® vPro™ systems

    With McAfee ePO Deep Command Reporting and Discovery software, you can quickly determine the status of the Intel® vPro™ systems in your network. The predefined queries and dashboards provide you with out-of-the-box functionality, since they are added to your ePolicy Orchestrator server when the software is installed.

    These queries can be configured to display results in charts or tables, which can also be used as dashboard monitors. Query results can be exported to several formats, any of which can be downloaded or sent as an attachment to an email message.

    You can create additional, custom queries using the Query Builder wizard, which is available in the ePolicy Orchestrator server. For details on how to perform this task, see the ePolicy Orchestrator product documentation for versions 4.6 or later.

    Contents

    • Discovery and Reporting queries and their descriptions

    • Properties collected by the Discovery plugin

    • About the Intel® AMT Summary dashboard

    Discovery and Reporting queries and their descriptions

    When the ePO Deep Command Discovery and Reporting software is installed on your ePolicy Orchestrator server, predefined queries are added to the Queries and Reporting feature.

    Table 5-1 ePO Deep Command Discovery and Reporting queries

    Query
    Description

    CILA Supported
    Displays a pie chart of detected client systems supporting Client Initiated Local Access (CILA), also known as Fast Call For Help.

    ePO Deep Command Detection Coverage
    Displays a pie chart of the deployment status of the ePO Deep Command plugin.

    IDE Redirect Supported and Enabled
    Displays a pie chart of detected systems that have IDE-Redirect supported and enabled.

    Intel® AMT Fully Provisioned
    Displays a pie chart of managed systems where Intel® AMT is fully provisioned.

    Intel® AMT Provisioning Mode
    Displays a pie chart of different Intel® AMT provisioning modes for all detected systems supporting Intel® AMT.
    • Enterprise — This mode requires a configuration service to provision the systems remotely.
    • None — This provisioning status means that no specific mode is selected.
    • Small and Medium Business (SMB) — In this mode, the administrator can manually provision the systems.

    Intel® AMT Provisioning State
    Displays a pie chart of different Intel® AMT provisioning states for all detected systems supporting Intel® AMT.
    • In (In-provisioning) — These systems are in a partially configured state with initial information Transport Layer and Security (TLS) networking.
    • Post (Post-provisioning) — These systems are in a fully configured state with security settings, certificates and settings that activate Intel® AMT capabilities.
    • Pre (Pre-provisioning) — These systems have factory default settings and do not have any Intel® AMT configuration defined.

    Intel® AMT Supported
    Displays a pie chart of managed systems supporting Intel® AMT.

    Intel® AMT Version
    Displays a column chart of detected Intel® AMT versions.

    KVM Supported and Enabled
    Displays a pie chart of detected systems which have Keyboard, Video display unit and Mouse (KVM) supported and enabled.

    SOL Supported and Enabled
    Displays a pie chart of detected systems which have Serial-Over-LAN (SOL) supported and enabled.

    Systems with AMT Tag
    Displays a summary table of managed systems which have the AMT tag applied to them.

    Systems without Intel® MEI Driver
    Displays a pie chart showing the number of managed systems that support Intel® AMT without the Intel® MEI driver installed on them.

    Web UI Enabled Systems
    Displays a pie chart of the number of managed systems that have the web user interface enabled.

    View default queries

    Use these steps to run and view default queries for ePO Deep Command Discovery and Reporting software.

    Task

    For option definitions, click ? in the interface.

    1 Click Menu | Reporting | Queries & Reports. The Queries page opens.

    2 Select ePO Deep Command Reporting from Shared Groups in the Groups pane. The Standard Discovery and Reporting query list appears.

    3 Select a query from the Queries list, then click Run. On the query result page, click any item in the results to drill down and view the properties of each managed system under the Intel® AMT tab.

    4 Click Close when finished.

    Properties collected by the Discovery plugin

    The ePO Deep Command Discovery and Reporting software Discovery plugin collects properties from the managed systems where it is installed. The properties that are reported depend on whether the system is an Intel® vPro™ system, and whether or not the Intel® MEI driver is installed.

    Property
    Description
    With Intel® MEI Driver Installed
    Without Intel® MEI Driver Installed
    Non-Intel® vPro™ System

    Alarm Enabled
    Reports whether the ePO Deep Command AMT policy has set the alarm clock in the Intel® AMT firmware.
    X

    BIOS Release Date
    Reports the release date of the BIOS running on this system using the DD/MM/YY format.
    X X X

    BIOS Version
    Reports the version number of the BIOS running on this system. For example, A05.
    X X X

    CILA
    Reports whether the Client-Initiated Local Access (CILA) feature, also known as Fast Call for Help, is supported and enabled on this system. This property value is reported as:
    • No
    • Not Available
    • Yes
    X

    CILA Agent Handler
    Reports the FQDN of the Agent Handler assigned by the ePO Deep Command Remote Access policy to handle CILA requests generated by this system. This property value is reported as:
    • FQDN of Agent Handler
    • Not Available
    X

    CILA Enabled
    Reports whether the ePO Deep Command Remote Access policy has enabled and enforced CILA on this system. This property value is reported as:
    • No
    • Not Available
    • Yes
    X

    CIRA Enabled
    Reports whether the ePO Deep Command Remote Access policy has enabled and enforced Client-Initiated Remote Access (CIRA), also known as Fast Call for Help, on this system. This property value is reported as:
    • No
    • Not Available
    • Yes
    X

    CIRA Agent Handler
    Reports the FQDN of the DMZ Agent Handler assigned by ePO Deep Command Remote Access policy to handle CIRA requests generated by this system. This property value is reported as:
    • of DMZ Agent Handler
    • Not Available
    X

    DHCP Enabled
    Reports whether DHCP is enabled on this system. This property value is reported as Yes or No.
    X

    Endpoint Access Control Enabled
    Indicates whether Intel Endpoint Access Control is enabled to check for Intel® AMT Network Policy Compliance.
    X

    Firmware Update Enabled
    Reports whether the Firmware Update feature is enabled in the BIOS of this system. This property value is reported as Yes or No.
    X

    Firmware Version
    Reports the version number of the Firmware running on this system. For example, 1.20.1059.
    X X

    Hardware Crypto Enabled
    Reports whether the Intel® AMT hardware crypto engine feature is enabled on this system. This property value is reported as Yes or No.
    X

    IDE Redirection (IDE-R)
    Reports whether the IDE-R feature is supported and enabled on this system. This property value is reported as:
    • Not Available
    • Supported
    • Supported and Enabled
    • Supported and Enabled in BIOS only
    X X

    Intel® AMT DNS Name
    Reports the full Domain Name System name stored in the Intel® AMT firmware on this system. For example, C1amtepo.epoqa.in.
    X

    Intel® AMT Fully Provisioned
    Reports whether the Intel® AMT hardware is fully provisioned. This property value is reported as Yes or No.
    X

    Intel® AMT Supported
    Reports whether this system is equipped with Intel® AMT hardware. This property value is reported as Yes or No.
    X X

    Intel® Anti-Theft Supported
    Reports whether this system supports Intel® Anti-Theft technology. This property value is reported as Yes or No.
    X X

    Intel® AMT Version
    Reports the version number of the Intel® AMT hardware present on this system. For example, 6.1.20.
    X X

    Intel® MEI Enabled
    Reports whether the MEI hardware is present and turned on. This property value is reported as Yes or No.
    X X

    Intel® MEI Version
    Reports the version number of the MEI driver running on this system. For example, 6.0.0.1111.
    X

    Intel® vPro™ System
    Reports whether the target system is an Intel® vPro™ system. This property value is reported as Yes or No.
    X X

    KVM
    Reports whether the KVM (Keyboard, Video and Mouse switch) feature is supported on this system. This property value is reported as:
    • Not Available
    • Supported
    • Supported and Enabled
    • Supported and Enabled in BIOS only
    X X

    Last Error Message
    Displays the error description for the error that occurred if the last Out-of-Band (OOB) action failed.
    X

    Last IDE-R Session Start/End Time
    Reports the time when the last IDE-R session was initiated or stopped. For example, DD/MM/YY 12:00 PM.
    X

    Last IDE-R Session Status
    Reports whether the status of the last IDE-R Session is active. This property value is reported as Yes or No.
    X

    Last Power On Success
    Reports whether the last attempt to power this system on using an OOB action was successful. This property value is reported as:
    • Not Available
    • Yes
    X

    Last Power On Time
    Reports the last time this system was powered on as the result of an OOB action. For example, DD/MM/YY 12:00 PM.
    X

    Last SOL Session Start/End Time
    Reports the time when the last SOL session was initiated or stopped. For example, DD/MM/YY 12:00 PM.
    X

    Last SOL Session Status
    Reports whether the status of the last SOL Session is active. This property value is reported as Yes or No.
    X

    Manageability Level
    Reports the manageability level for this system. These levels are reported as:
    • Full — Intel® AMT is supported
    • None — Intel® AMT is not supported
    • Not Available — non-Intel® AMT hardware
    • Standard — Intel® AMT is partially enabled
    X X

    Mobile System (Laptop)
    Reports whether this system is a laptop. This property value is reported as Yes or No.
    X

    Network Interface Enabled
    Reports whether the network interface is enabled on this system. This property value is reported as Yes or No.
    X

    Policy Enforced
    Reports whether the ePO Deep Command AMT policy is enforced on this system. This property value is reported as Yes or No.
    X

    Policy Enforcement Time
    Displays the last enforcement time for the ePO Deep Command AMT policy on this system. For example, MM/DD/YY 12:00 PM.
    X

    Provisioning Mode
    Reports the provisioning mode of this system:
    • Enterprise mode — Enterprise provisioning mode
    • SMB — Small and Medium Business provisioning mode
    X

    Provisioning Mode (TLS)
    Reports the TLS provisioning mode of this system:
    • PKI — Public Key Interface protocol
    • PSK — Pre-shared Key Based TLS protocol
    X

    Provisioning State
    Reports the provisioning state for this system:
    • In-provisioning — The system is being provisioned.
    • Post-provisioning — The system has been provisioned.
    • Pre-provisioning — The system is unprovisioned.
    X

    Remote Configuration Enabled
    Reports whether this system can be provisioned remotely. This property value is reported as Yes or No.
    X

    Remote Configuration Server
    Reports the FQDN of the provisioning server configured during the provisioning process. For example, sccm.amtepo.epoqa.in.
    X

    Remote Configuration Server IP Address
    Reports the IP address of the provisioning server configured during the provisioning process. For example, 172.12.000.123.
    X

    Reported Local Alarm Clock Time
    Displays the alarm clock time set in the Intel® AMT firmware during the ePO Deep Command Alarm Clock policy enforcement. For example, MM/DD/YY 12:00 PM.
    X

    Serial-over-LAN (SOL)
    Reports whether the SOL feature is supported and enabled on this system. This property value is reported as:
    • Not Available
    • Supported
    • Supported and Enabled
    • Supported and Enabled in BIOS only
    X X

    System Model
    Reports this system's model. For example, OptiPlex 755.
    X X X

    System Manufacturer
    Reports this system's manufacturer name. For example, Dell Inc.
    X X X

    System Serial Number
    Reports the serial number of this system. For example, 0ABC8BA.
    X X X

    Transport Layer Security (TLS)
    Reports whether this system is in the Post Configured state with TLS enabled. This property value is reported as:
    • Not Available
    • Supported
    • Supported and Enabled
    • Supported and Enabled in BIOS only
    X

    UUID
    Reports the ID for this system's hardware. For example, 4C4C4D44-004A-4A10-8048-C4C44F384253.
    X X X

    Web UI Enabled
    Reports whether the Intel® AMT Web interface (configured during provisioning) is enabled on this system. This property value is reported as Yes or No.
    X

    Wired IPv4 Address
    Reports the IPv4 address received over this system's physical network connection. For example, 172.12.000.123.
    X

    Wired Link Status
    Reports whether this system's physical network connection is functioning. This property value is reported as Up or Down.
    X

    Wired MAC Address
    Reports the MAC address received over this system's physical network connection. For example, 781bcb8cf20a.
    X

    Wireless IPv4 Address
    Reports the IPv4 address received over this system's wireless network connection. For example, 172.12.000.123.
    X

    Wireless Link Status
    Reports whether this system's wireless network connection is functioning. This property value is reported as Up or Down.
    X

    Wireless MAC Address
    Reports the MAC address received over this system's wireless network connection. For example, 781bcb8cf20a.
    X

    About the Intel® MEI driver

    The Intel® Management Engine Interface (MEI) driver is the Intel® AMT subsystem used by the client operating system (OS) to access Intel® AMT capabilities.

    When this driver (also known as the HECI or Host Embedded Controller Interface driver) is installed on the Intel® vPro™ system, the ePO Deep Command Discovery and Reporting Discovery plugin is able to report a more complete set of system details. The MEI driver is bi-directional, allowing the host (OS) or the Intel® AMT firmware to initiate transactions.

    If you need to install the Intel® MEI driver, refer to the Intel® product documentation.

    About the Intel® AMT Summary dashboard

    The Intel® AMT Summary dashboard is added to your ePolicy Orchestrator server when you install the ePO Deep Command Discovery and Reporting software.

    The dashboard displays a collection of monitors based on the results of the default ePO Deep Command Discovery and Reporting software queries. Using these monitors, you can see:

    • Which of the managed systems are Intel® AMT equipped

    • The versions of Intel® AMT hardware

    • Configuration status

    These are the default dashboard monitors that appear after installing the ePO Deep Command Discovery and Reporting software.

    • CILA Supported — Helps the administrator determine the number of managed systems that support CILA connections out of the total number of managed systems. The administrator can then determine the number of managed systems on which to enforce a Remote Access policy that enables CILA support. This allows the managed systems to send CILA requests to the ePolicy Orchestrator server.

    • ePO Deep Command Detection Coverage — Helps the administrator determine the number of managed systems on which the ePO Deep Command Discovery and Reporting Discovery plugin has been installed, out of the total number of managed systems. This monitor is useful to determine the coverage of the software.

    • IDE-Redirect Supported and Enabled — Helps the administrator determine the number of managed systems that support IDE-R connections and can be remotely managed using them.

    • Intel® AMT Fully Provisioned — Helps the administrator determine the number of managed systems that are fully Intel® AMT provisioned, out of the total number of managed systems. The administrator can determine the number of managed systems that can be used for out-of-band actions, and the number of remaining systems that need to be provisioned.

    • Intel® AMT Provisioning Mode — Helps the administrator determine the different provisioning modes that are present in the total number of managed systems. Because ePO Deep Command currently supports the Enterprise mode only, the administrator must re-provision managed systems that are not in Enterprise mode.

    • Intel® AMT Provisioning State — Helps t