Using Spiceworks for Change Control - Justin Davison, R J Lee Group
How Spiceworks Integrated Intel Technology into the Spiceworks IT Desktop - Kevin S. Havre, Intel
1. All New 2010 Intel® Core™ vPro™ Processor Family for MSPs
How Spiceworks has integrated Intel technology into the Spiceworks IT Desktop
Kevin S. Havre
Intel Corporation
September 2010
2. Intel® Core™ Processors and Piketon: Essential technology for SMB Desktop PCs
A new level of intelligent performance for desktop PCs
Intelligent Performance¹
• Intel® Core™ processors deliver intelligent desktop performance that accelerates in response to demanding tasks, helping improve business productivity, reduce energy consumption and enable smaller and more innovative form factors
Smart Security¹
• Built-in smart security technologies to help guard against viruses, data loss or corruption and protect assets and data in the event of PC loss or theft
Easy PC Care¹
• Industry leading technologies to help you or your service provider remotely manage and service PCs regardless of PC state or IT care model to help improve PC availability and reduce your IT support cost
3. All New 2010 Intel® Core™ vPro™ Processor Family: IT Computer Within the Computer
Smart Security and Cost Saving Manageability with activated features²:
• Built into the hardware
• Regardless of OS or software agent health
• Even when powered off
Specifically:
• Secure power management
• Network isolation
• Remote remediation
² Activated features include Intel Active Management Technology. Intel® Core™ vPro™ processor family includes Intel® Active Management Technology (Intel® AMT). Intel AMT requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection.
4. Intel® vPro™ Technology: Intel® AMT Architecture
Secure access and control of Intel® vPro™ machines, even OOB
[Architecture diagram. Labels: Intel® AMT; Operating System; BIOS; SW Apps; HW Drivers; Network Stack; HW Sensors; Network Connection; Non-Volatile Storage; Event Log, Alerts, Redirection]
Features
• Secure Out Of Band access
• Remote troubleshooting and recovery
• Proactive alerting
• More detailed HW inventory
• Third-party, nonvolatile storage
5. Intel® vPro™ Processor Technology: Usage summary
Usage to features
[Table: usages (rows) against features (columns: OOB Access; Power Control; KVM/IDEr; SOL/IDEr; iMST)]
• HW maintenance tasks: Change management, disk defrag, temp files, security credentials
• SW / Anti-virus updates: Change management, compliancy, security
• HW updates/remediation: BIOS updates, HW/OS failure, disk image restore
Features
• More secure out-of-band (OOB) access
External access to systems the consoles can “see”, with more secure posture than ASF or WOL, regardless of OS state and a detailed list of HW inventory since last boot.
• Power Control
Gives consoles the ability to power up systems when they are needed and reboot when the OS is not working.
• KVM and Serial-over-LAN (SOL) Remote Control
Gives remote control consoles access to the system below the OS for seeing pre-boot messages, booting into and editing the BIOS, and launching the OS into “Safe Mode”.
• IDE redirection (IDEr)
Tricks the BIOS into booting to an OS image on the network, saving a truck roll onsite to troubleshoot even if the HDD has failed, or to restore backup images.
• Intel Matrix Storage Technology
Internal mirrored drives: local instant data back-up without the SW hassle. External cloned drive: protect your data and recover quickly.
8. Secure your customers' passwords!
“Losing” them is as costly as losing the key to your customer's front door…
Password management
Type: Used for
• BIOS password: BIOS access
• Intel® AMT password: MEBx and Web UI access
• Local admin password: OS level access
• Management application passwords: Management console for accessing PCs
• OS != AMT
• Use strong passwords: one char, number and UC letter.
• Only assigned techs
• Change regularly
• Change when techs leave your company
9. Intel AMT configuration
Decide on IP addressing method
DHCP
• Intel AMT conforms its settings to the host (the PC’s OS) network settings. The IP address is the same for the OS and MEBx; access Intel AMT MEBx through port 16992...
Static
• Use different IP addresses for Intel AMT and the host (the PC’s OS).
Common mistake: using a different hostname for Intel AMT MEBx than in the OS
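
An added example (not part of the slide deck) that checks an inventory export against the addressing rules on this slide: in DHCP mode Intel AMT shares the host's IP address, in static mode it needs a different one, and the AMT hostname should match the OS hostname. The CSV column names and the sample inventory are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE = """os_hostname,os_ip,amt_hostname,amt_ip,mode
front-desk-01,192.168.10.21,front-desk-01,192.168.10.21,dhcp
acct-02,192.168.10.22,ACCT-02.example.local,192.168.10.22,dhcp
lab-03,192.168.10.23,lab-03,192.168.10.123,static
recv-04,192.168.10.24,amt-recv-04,192.168.10.24,static
kiosk-05,192.168.10.25,kiosk-05,192.168.10.99,dhcp
"""

def short_name(name):
    # Compare the first DNS label, case-insensitively, so an FQDN in one
    # column and a short name in the other are not reported as a mismatch.
    return name.strip().lower().split(".")[0]

def audit_row(row):
    """Return the list of findings for one PC (empty list means consistent)."""
    findings = []
    mode = row["mode"].strip().lower()
    try:
        same_ip = (ipaddress.ip_address(row["os_ip"].strip())
                   == ipaddress.ip_address(row["amt_ip"].strip()))
    except ValueError:
        return ["unparseable IP address"]
    if mode == "dhcp":
        if not same_ip:  # DHCP mode: AMT follows the host's network settings
            findings.append("dhcp: AMT IP differs from host IP")
    elif mode == "static":
        if same_ip:      # static mode: AMT and host need different addresses
            findings.append("static: AMT shares the host IP")
    else:
        findings.append("unknown addressing mode")
    if short_name(row["os_hostname"]) != short_name(row["amt_hostname"]):
        findings.append("AMT hostname differs from OS hostname")
    return findings

def audit_inventory(text):
    """Map each OS hostname to its findings, keeping only PCs with findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_row(row)
        if findings:
            report[row["os_hostname"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE).items():
        print(f"{host}: {'; '.join(findings)}")
```
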
10. Choosing a provisioning method
Manual
Level of effort: Labor Intensive
• Must visit every PC for initial & on-going configuration
• Must access the BIOS to make changes
• Error Prone
• English Only
Preparation:
• None
Improved Manual
Level of effort: Less Labor Intensive
• Must visit every PC for initial & on-going configuration
• Configuration data entered into Windows utility
• Less Error Prone
• Localized
Preparation:
• USB key purchase
• Download Intel AMT Configuration Utility
Automatic (PSK)
Level of effort: Less Labor Intensive
• Must visit every PC; reboot only, no data entry
• Least error prone
• Localized
Preparation:
• USB key purchase
• Download & install Intel SCS 6.0 Lite
Automatic (PKI)
Level of effort: Least Labor Intensive
• Never requires a visit to the PC
• Least Error Prone
• Localized
Preparation:
• Security Certificate Purchase
• DHCP server with option 15
• Download & install Intel SCS 6.0 Lite
11. Basic Provisioning – Manual
Manually configuring in MEBx
Multiple settings typed into every computer in SMB site
• Time consuming
• Error Prone
• Supported in all AMT versions
12. Basic One Touch Provisioning
Simple AMT Configuration using a USB Key
• Simple Windows wizard for local AMT
Configuration using a USB Key
• Supported in AMT 4.0+ Only
13. Centralized Provisioning
Enter settings once, each PC calls in and provisions automatically
One Touch
• USB key loads provisioning “secret”, PSK or CA hash
Remote Configuration
• Certificate hash already in firmware; purchase matching certificate and load on Provision Server
[Diagram labels: Onsite Server?; Onsite Server]
14. Intel® Core™ vPro™ Processor Family
More Capabilities: Intel® Core™ i5 & i7 vPro™ Processors, for business clients
• Integrated Graphics
• KVM Remote Control¹ (using integrated graphics ONLY)
• New AES instructions (AES-NI)
• Desktop: i5-670, 660, 650
• Mobile: i5-580, 560, 540, 520, i7-640, 620
More Performance: Intel® Core™ i7 vPro™ Processors, for workstations and high performance products
• Most cache, cores, threads & boost range
• No integrated graphics
• NO KVM Remote Control¹ or AES-NI
• Desktop: i7-870, 860, 860s
• Mobile: i7-840, 820, 740, 720
¹ KVM = Keyboard, Video, & Mouse; KVM Remote Control ONLY works over Intel® integrated graphics, not available on Lynnfield processors
Software-based communication (which goes through the software stack in the OS) can be disrupted for a variety of reasons: power being off, the OS not being operational, the software agent being disabled by a virus attack, or the hard drive not functioning. Hardware-based management via the Intel Core vPro processor family can therefore help monitor, maintain, update, upgrade, and repair PCs when software-based management agents are not available. For instance, software-based management is often unavailable when an operating system blue screens. Therefore, without Intel vPro technology, you cannot remotely manage the computer from the IT management console.
Also, a PC with an Intel Core vPro processor uses TLS encryption to secure an out-of-band communication tunnel to the IT management console. Intel vPro technology secures the communication tunnel with Advanced Encryption Standard (AES) 128-bit encryption and RSA keys with modulus lengths of 2,048 bits. Because the encrypted communication is out-of-band, the PC’s hardware and firmware receive the magic packet before network traffic reaches the software stack for the operating system (OS). Since the encrypted communication occurs “below” the OS level, it is less vulnerable to attacks by viruses, worms, and other threats that typically target the OS level.
Legal Disclaimer
² Intel® Core™ vPro™ processor family includes Intel® Active Management Technology (Intel® AMT). Intel AMT requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes.
• TLS encryption – buy one cert for every client – Server authentication – MTLS (cert for mgmt console, 1 for each AMT client)
• Create your own certificates – Remote config – buy GoDaddy cert and provision systems – export certificate hash and put onto each AMT client
• Director - own
• GoDaddy – Provision Server buys a cert to provision any # of systems