McAfee epo Deep Command 1.0.0

Transcription

1 Product Guide McAfee epo Deep Command For use with epolicy Orchestrator 4.6.x Software

2 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUSHIELD, MA (MCAFEE SECURITYALLIANCE ECHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee epo Deep Command Product Guide

3 Contents Preface 5 About this guide Audience Conventions Finding product documentation Introduction 7 Product overview What you need to know to get started Intel AMT overview Installing the software 11 Requirements System requirements Software requirements Operating system requirements Install the epo Deep Command extensions Uninstalling the software Uninstall the epo Deep Command client Uninstall the Discovery plugin Remove the epo Deep Command extensions Provisioning your Intel AMT firmware 15 About provisioning Provisioning states Types of provisioning About authentication protocols About Certificate Authority integration epo Deep Command specific provisioning details Overview: Enterprise mode provisioning network configuration Deprovision Intel AMT firmware Setting up and configuring your software 25 Set up and configure the epo Deep Command software Deploy the epo Deep Command Discovery and Reporting plugin Deploy the Management Framework client Specify epo Deep Command credentials Import CA certificates Test your connection to an Intel vpro system Configuring permission sets Set up and configure the SCCM extension Install the SCCM extension Add registered SCCM servers Import data from SCCM servers Removing the SCCM extension McAfee epo Deep Command Product Guide 3

4 Contents Set up and configure your environment for CIRA epo Deep Command Gateway server configuration Reporting on your Intel vpro systems 37 Discovery and Reporting queries and their descriptions View default queries Properties collected by the Discovery plugin About the Intel MEI driver About the Intel AMT Summary dashboard Managing your Intel vpro systems 47 Using policies to manage Intel vpro systems About the policies Using the Client Task Execution policy Using Out-of-Band actions Power on your systems Use the Serial-over-LAN feature Boot or reboot using IDE-Redirect Boot or reboot to BIOS Boot or reboot a system normally Creating and using server tasks Schedule and enforce out-of-band AMT policies Schedule out-of-band power on for your systems Management Framework queries Frequently asked questions 59 A Appendixes 67 Supported Intel AMT features Sample configuration files Out-of-Band action logs Writing Python scripts Index 75 4 McAfee epo Deep Command Product Guide

5 Preface This guide introduces the McAfee epo Deep Command software and its features. It also gives information on using the Discovery and Reporting plug-in to get better reporting of your client system properties and provides instructions on using Management Framework to manage these systems. Contents About this guide Finding product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Conventions This guide uses the following typographical conventions and icons. Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold User input or Path Code Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program. A code sample. User interface Hypertext blue Words in the user interface including options, menus, buttons, and dialog boxes. A live link to a topic or to a website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. McAfee epo Deep Command Product Guide 5

6 Preface Finding product documentation Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. Task 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: To access... User documentation Do this... 1 Click Product Documentation. 2 Select a product, then select a version. 3 Select a product document. KnowledgeBase Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. 6 McAfee epo Deep Command Product Guide

7 1 Introduction 1 The McAfee epo Deep Command software integrates the management and automation features of epolicy Orchestrator software with the hardware-based security and manageability features of Intel vpro technology, which is included on your Intel AMT equipped desktop and laptop systems (Intel vpro systems). Contents Product overview What you need to know to get started Intel AMT overview Product overview McAfee epo Deep Command software is comprised of two independent modules. When installed on your epolicy Orchestrator server, these modules work with your Intel vpro systems to deliver greater control of your secure environment. epo Deep Command Discovery and Reporting module epo Deep Command Management Framework module epo Deep Command Discovery and Reporting module The epo Deep Command Discovery and Reporting module collects detailed information about the systems on your network that are equipped with Intel AMT. This module adds the following to your epolicy Orchestrator server: Discovery plugin The Discovery plugin detects the Intel vpro and BIOS properties of the managed systems in your organization, then displays them on the Intel AMT summary dashboard. This plugin is added automatically to the epolicy Orchestrator Master Repository during installation, then deployed to client systems by the default client update task that is included in the software. Default queries These predefined queries start collecting important details about the Intel vpro equipped systems in your network right away. They retrieve and display information about Intel vpro and BIOS properties. You can modify these queries, or create custom queries. Dashboard with default monitors The Intel AMT Summary dashboard organizes and presents the default queries for easy viewing. All Intel vpro and BIOS properties of epolicy Orchestrator managed systems are displayed in one place. AMT tag The AMT tag is assigned to managed systems that are fully Intel AMT provisioned. The AMT tag is added to the Tag Catalog automatically. Default client update task An automatically created task, Install/Update epo Deep Command Discovery Plugin task, is added to the Client Task Catalog. You can apply this update task to the managed systems you select. McAfee epo Deep Command Product Guide 7

8 1 Introduction What you need to know to get started epo Deep Command Management Framework module The epo Deep Command Management Framework module delivers "beyond-the-operating system" security management, allowing security administrators to reduce operation costs while enhancing their security posture. This module adds the following to your epolicy Orchestrator server: epo Deep Command Client The Deep Command client, which is added to the Master Repository when the software is installed, is responsible for the following core functionality: Running client tasks Enforcing policies Generating events Use the default product deployment task to install this client on your Intel vpro systems. Gateway module The Gateway module is installed on your Agent Handler. It facilitates communication between your epolicy Orchestrator server and managed Intel vpro systems located in your organization's DMZ. Default product deployment task The Deploy epo Deep Command Client deployment task is created automatically and added to the Client Task Catalog. You can assign this deployment task to the managed systems you select. What you need to know to get started Before you can manage your Intel vpro systems, the epo Deep Command software requires that you have specific software, hardware, and network configurations in place. The following diagram illustrates the high-level workflow we recommend for setting up your software. Installing epo Deep Command Discovery and Reporting software is your first step. Each additional action in the process is dependent on, or enabled by installing this module. Installation and configuration for each action in this process are detailed in the chapters that follow. 8 McAfee epo Deep Command Product Guide

9 Introduction Intel AMT overview 1 Intel AMT overview Intel AMT is a hardware-based technology for remotely managing and securing systems using Out-of-Band communication. Even with a crashed hard drive or a system that is shut down, you can access the system to perform basic system management tasks. Intel AMT is a part of the Intel Management Engine built into systems with Intel vpro technology. Intel AMT is designed into a secondary processor located on the motherboard. Its hardware-based remote management, security management, power management, and remote configuration features allow you to access an Intel AMT featured system from remote locations. It relies on a hardware-based Out-of-Band communication channel that operates below the operating system level. The communication channel is independent of the state of the operating system (whether present, corrupt, down, encrypted, crashed, or missing) and of the system's power state, presence of a management agent, and the state of many hardware components (such as hard disk drives). Using epo Deep Command, you can manage the client systems that have an Intel AMT-enabled chipset, network hardware and software, and a connection with a power source and a corporate network connection. Setting up the environment requires you to provision your Intel AMT firmware with certificates and integrate epo Deep Command into the existing security framework. McAfee epo Deep Command Product Guide 9

10

11 2 Installing the software epo Deep Command software is comprised of two software modules, which must be installed on your epolicy Orchestrator server. Once installed, you'll be able to set up and configure your epo Deep Command software. Contents Requirements Install the epo Deep Command extensions Uninstalling the software Requirements Verify that your system meets these requirements before you start the installation process. These are minimum requirements for the epo Deep Command Discovery and Reporting software. You must also consider the system requirements for any other products you are installing, such as McAfee epolicy Orchestrator. System requirements Systems McAfee epolicy Orchestrator server systems Client systems Requirements See the epolicy Orchestrator product documentation for 4.6 or later. CPU: Pentium III 1 GHz or higher RAM: 512 MB minimum (1 GB recommended) Hard Disk: 200 MB minimum free disk space Intel MEI driver Based on the hardware, the version of Intel MEI driver will vary. To obtain the correct version of this software, contact the hardware manufacturer for your systems. The installation of the Intel MEI driver is not required to use the Discovery and Reporting module, but is recommended. Installing it on the managed systems allows you to collect the complete Intel vpro and BIOS properties. This driver is required when using the Management Framework module. McAfee epo Deep Command Product Guide 11

12 2 Installing the software Install the epo Deep Command extensions Software requirements Make sure you have the required software installed for the epo Deep Command module you're installing. Software McAfee management software epo Deep Command module Discovery and Reporting Management Framework Requirements McAfee epolicy Orchestrator or later McAfee Agent for Windows or later McAfee epolicy Orchestrator or later McAfee Agent for Windows or later Internet browser All Internet Explorer 7.0 or later Mozilla Firefox or later Pop up windows must be enabled and allowed. The epo Deep Command Management Framework module requires the Discovery and Reporting module to function correctly. Operating system requirements System McAfee epolicy Orchestrator server systems Software See the epolicy Orchestrator product documentation for versions 4.6 or later Client systems for epo Deep Command software Windows P SP3 (32- or 64-bit) Windows Vista or higher (32- or 64-bit) Windows 7 or higher (32- or 64-bit) Windows Server 2003 or higher (32- or 64-bit) Windows Server 2008 R2 or higher (32- or 64-bit) Install the epo Deep Command extensions You can install the software extensions using the epolicy Orchestrator Software Manager. The Software Manager provides a single location within the epolicy Orchestrator console to review and obtain McAfee software and components. Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Software Software Manager. 2 On the Software Manager page under Product Categories, click Software Not Checked In Licensed. 12 McAfee epo Deep Command Product Guide

13 Installing the software Uninstalling the software 2 3 Select the epo Deep Command software components to be installed, then click Check In. Click Download to save the software to a temporary location to be checked in later, using the instructions provided in the epolicy Orchestrator documentation. 4 In the Check In Software Summary page, review and accept the End User License Agreement (EULA), then click OK to complete the installation. Installing the epo Deep Command software extensions automatically adds the epo Deep Command Discovery and Reporting plugin and Management Framework client available in the Master Repository under Menu Software. Uninstalling the software To uninstall epo Deep Command, you must remove epo Deep Command from the Intel vpro systems and remove the epo Deep Command extension from epolicy Orchestrator. Uninstall the epo Deep Command client Uninstalling the epo Deep Command Management Framework client from your Intel vpro systems is one of the steps required to remove the epo Deep Command software. Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Policy Client Task Catalog, then select Product Deployment under McAfee Agent. 2 Click New Task and select Product Deployment from the New Task dialog box. The Client Task Catalog: New Task page opens. 3 In the New Task page, define each option field according to your needs. In the Products and components option, select the epo Deep Command client from the components menu, and select Remove in the Actions menu. 4 Click Save and exit the New Task page. The Client Task Catalog page opens. 5 In the Client Task Catalog, in the Actions column of your new product deployment task, click Assign and select the systems or groups where you want to remove the epo Deep Command client, then click OK. 6 Click Next to schedule the task as required. 7 Click Next, then click Save. Uninstall the Discovery plugin Uninstalling the epo Deep Command Discovery and Reporting Discovery plugin from your Intel vpro systems is one of the steps required to remove the epo Deep Command software. McAfee epo Deep Command Product Guide 13

14 2 Installing the software Uninstalling the software Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Policy Client Task Catalog, then select Product Update under McAfee Agent. 2 From the New Task dialog box, click New Task and select Product Update. The Client Task Catalog: New Task page opens. 3 In the New Task page, name and describe your task, then set the remaining options as follows: Package selection Selected packages Package types In the Signatures and engines list, deselect all options. In the Patches and service packs list, select only the Discovery plugin remover option. 4 Click Save and exit the New Task page. The Client Task Catalog page opens. 5 In the Client Task Catalog, in the Actions column of your new product update task, click Assign and select the systems or groups where you want to remove the epo Deep Command client, then click OK. 6 Click Next to schedule the task as required. 7 Click Next, then click Save. Remove the epo Deep Command extensions You can remove the epo Deep Command extension from epolicy Orchestrator using the Software Manager. Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Software Software Manager. 2 On the Software Manager page, under Product Categories, click Checked In Software Licensed. 3 Select the product and the corresponding extension to be removed, then click Remove. Be sure to perform this step for each of the epo Deep Command extensions checked into your server. You can also remove the extension by navigating to the Extensions page, clicking Remove for the corresponding epo Deep Command extension, then clicking OK. 4 In the Remove Software Summary page, click OK. 14 McAfee epo Deep Command Product Guide

15 3 3 Provisioning your Intel AMT firmware Before you can use your epo Deep Command software to manage Intel vpro systems, you must provision the Intel AMT firmware on those systems. This chapter provides an overview of the requirements and processes needed to provision systems in your network in general, as well as information about provisioning that is specific to epo Deep Command software. There is no single source for complete instructions about provisioning your Intel AMT firmware. However, the Intel vpro Expert Center ( vproexpert) provides a comprehensive set of documentation and supporting materials you can use to complete the process. Contents About provisioning About authentication protocols About Certificate Authority integration epo Deep Command specific provisioning details Overview: Enterprise mode provisioning network configuration Deprovision Intel AMT firmware About provisioning By default, Intel AMT hardware is disabled on Intel AMT equipped systems. Before you can report on or manage these systems with epo Deep Command software, the Intel AMT hardware must be enabled. Provisioning is the process of enabling this hardware. To successfully provision your Intel vpro systems, you must ensure that your network infrastructure, as well as the individual components used in the process of provisioning, are configured correctly. Provisioning your Intel AMT firmware serves two purposes: It ensures that communication between your Intel vpro systems and your servers is secure and trusted. It makes Intel vpro features accessible to your epo Deep Command software. McAfee epo Deep Command Product Guide 15

16 3 Provisioning your Intel AMT firmware About provisioning The method you use to provision systems in your network is dependent on a variety of factors, including your network infrastructure, hardware and software, and which Intel AMT features you plan to use. The following diagram presents a high-level overview of the recommended process for provisioning systems. Provisioning states An Intel vpro system can be in any of these three different states during the provisioning process. Pre-provision By default, Intel AMT hardware on Intel vpro systems comes from the hardware manufacturer in Factory Mode. In this mode, Intel AMT is disabled and cannot be remotely managed by epo Deep Command. It requires a provisioning server to configure your system into Enterprise Mode. In-provision When an activation tool provided by the provisioning server is executed or if an administrator enters information via the Intel AMT MEBx (manually or with the aid of a USB storage device), Intel AMT makes the transition from the pre-provisioning state to the in-provisioning state. The Intel AMT device then periodically sends messages (Hello packets) to the provisioning server. When the provisioning server receives messages from the Intel AMT device, it responds by delivering the configuration settings and placing the device in post-provisioning state. Hello packets contain the IP address and UUID of an Intel vpro system. Post-provision The Intel vpro system enters Operational Mode once its configuration settings are supplied and committed. At this point, Intel vpro is ready to interact with management applications and the system is said to be post-provisioned. Types of provisioning Intel vpro systems can be provisioned in two modes, SMB and Enterprise. However, epo Deep Command software requires that you use Enterprise mode provisioning. Enterprise mode This provisioning mode is recommended for an enterprise environment, and is required for use with epolicy Orchestrator software. This mode enables a provisioning server to remotely configure the Intel vpro system. Enterprise mode provisioning is a centralized configuration that enables you to use enterprise infrastructure configuration options such as Microsoft Active Directory. This further enables the provisioning server to authorize and select the authenticated domain user to interact and manage the Intel vpro system. Using this provisioning 16 McAfee epo Deep Command Product Guide

17 Provisioning your Intel AMT firmware About authentication protocols 3 mode allows an administrator to have a common policy across the system and Intel AMT devices, such as: All traffic from epo Deep Command to the Intel AMT device is encrypted. Security guidelines facilitate frequent password changes and other management tasks from a central configuration server. Active Directory credentials are used to manage the Intel AMT device. Small and medium business (SMB) mode This mode is used for standalone management where security requirements are minimal. About authentication protocols To provision your systems, your network infrastructure must include a supported authentication protocol. The protocol you use depends on the unique needs of your network. The support authentication protocols are: Digest authentication Digest authentication is performed over the Internet using secure keys to authenticate users. For more information about Digest authentication, refer to the Internet Engineering Task Force document RFC 2617 ( Kerberos authentication Kerberos authentication is performed over an open network as a trusted third-party authentication service. Use of this protocol requires Active Directory integration. For more information about Kerberos authentication, refer to the Internet Engineering Task Force document RFC4120 ( You can use either, or a combination of both, when performing Enterprise mode provisioning. About Certificate Authority integration A Certificate Authority (CA) is used to issue the certificates to the proper trusted devices within the network. Certificate Authority integration An organization can use Transport Layer Security (TLS) communication by incorporating certificates issued by a CA. TLS is only available in Enterprise mode provisioning with an Intel AMT device. McAfee epo Deep Command Product Guide 17

18 3 Provisioning your Intel AMT firmware About Certificate Authority integration Two types of certificates are required for the Enterprise Mode Provisioning of Intel vpro systems: Server Authentication Certificate Certificate Authority integration requires a Self-Signed CA to be deployed in the network. Each Intel vpro device that needs to communicate using TLS requires a Server Authentication certificate, for which a Self-Signed CA must be deployed in the network. A certificate is automatically requested from the Root CA on behalf of the Intel AMT client by the Provisioning Server when the Intel AMT client is configured to use TLS. It is stored in the Non-Volatile RAM on the Intel AMT client. The Certificate is based on a standard Web Server Certificate Template that is available with Microsoft Certification Authority. Provisioning Certificate This requires a Vendor Supplied Certificate or a Self-Signed CA deployed in the Network. This is stored in the Certificate Storage of the Provisioning Server, found in the Computer Account or the User Account. If a Self-Signed Certification Authority is used for creating the Provisioning Certificate: A proper Certificate Template must first be created. The Computer Template available in the Microsoft Certification Authority can be duplicated. The OID has to be added in the Enhanced Key Usage section of the template. A Certificate request should be sent to the Self-Signed CA with the FQDN of the Provisioning Server in the Subject Name. The CA should use this template to generate the certificate, which is then saved in the Provisioning Server. If a Vendor Supplied Certificate is being used for the Provisioning Certificate: A Supported Vendor must be used. The list of Supported Vendors depends on the Root Certificate hashes present in the Intel AMT firmware, which depends on the Intel AMT versions being used. For more information on supported vendors, see the following Intel documentation: RemoteConfigurationCertificateSelection.pdf Purchase the appropriate SSL Certificate from the vendor and generate a Certificate Signing Request (CSR). Ensure the Intel Client Setup Certificate is provided in the OU field of the Certificate Signing Request. The CN in the Certificate Signing Request must match the Intel vpro System Domain Suffix. The key must be exportable and the Request Type must be PKCS10. For more information on purchasing the correct SSL Certificate, see the Working with vendors section of the Remote Configuration FAQ document available here: Install the Vendor Certificate on the system where Intel SCS Remote Configuration Service (RCS) will be running. For more information on installing the Vendor Certificate, see Installing a Vendor Certificate in the Intel SCS 7.0 Setup and Configuration User Guide. 18 McAfee epo Deep Command Product Guide

19 Provisioning your Intel AMT firmware epo Deep Command specific provisioning details 3 This table defined the certificates required for this environment: Purpose Provisioning of Intel vpro Systems by the Provisioning Server Communicating with Intel vpro Systems using TLS Certificate Template to Use Duplicate of Web server with Customizations or Vendor Supplied Certificate Web server Specific Information in Certificate Enhanced Key Usage value must contain Server Authentication ( ) and the object identifier: OR Intel Client Setup Certificate is provided in the OU field. The subject field must contain the FQDN of the Provisioning Server. The Enhanced Key Usage value must contain the Server Authentication ( ). The subject field must contain the FQDN of the Intel vpro system. epo Deep Command doesn't support the hierarchy of CAs. The CA used for generating the certificate for communication with Intel vpro systems needs to be checked in to the server setting for epo Deep Command. epo Deep Command specific provisioning details When provisioning your Intel vpro systems for use with epo Deep Command, keep these specifics in mind. In an epo Deep Command environment, Intel vpro systems will be in one of three states: Unconfigured Configured, but not compliant with epolicy Orchestrator Configured and compliant with epolicy Orchestrator Of these three states, the first two are of particular importance. Use the sections about these two states that follow as a reference to ensure the appropriate configurations, conditions, and details are in place to move your systems into the Configured and compliant state. Unconfigured systems If your Intel vpro systems are unconfigured, consider the following: Ensure the latest BIOS, Intel AMT firmware and Intel AMT drivers are applied to all Intel AMT equipped systems. Refer to the manufacturer of your hardware for details about obtaining this content. For security reasons, Intel AMT equipped systems are intentionally shipped in an unconfigured state. These systems should be configured only after they are in place in the target environment. Intel vpro systems can be configured before or after they are deployed to your enterprise environment. The preferred setup for initial configuration is a DHCP environment with your target systems on a production wired LAN interface with network ports 9971 and available. McAfee epo Deep Command Product Guide 19

20 3 Provisioning your Intel AMT firmware epo Deep Command specific provisioning details Intel vpro systems must be configured with at least one administrative account and TLS certificate. This configuration requires: An internal Microsoft Certificate Authority The Intel Setup and Configuration Service (SCS) Initial authentication to the Intel vpro system The Intel vpro systems must receive an initial profile to perform its function as a network service. The profile must be provided to your Intel vpro systems in a secure manner, and must provide the relevant information such as authentication or access control list (ACL) details, enabled service interface, securing of communications, and so forth. To ensure optimal performance, Intel vpro systems must be configured to use the Admin Control Mode. Intel SCS is an essential component that provides a centralized mechanism for initial and post configuration events. For more information about SCS requirements, setup, and configuration details, see the Intel Setup and Configuration Service (Intel SCS) User Guide ( downloadcenter.intel.com/detail_desc.aspx?lang=eng&dwnldid= The initial trust between Intel SCS and your Intel vpro system is accomplished via Pre-shared Key (PSK) or remote configuration certificates (PKI). For more details about PSK and PKI, see the Intel Setup and Configuration Service (Intel SCS) User Guide Configured, but not compliant systems If your Intel vpro systems are configured, but not compliant with epolicy Orchestrator, consider the following: epolicy Orchestrator requires TLS in the Intel AMT configuration. The internal CA root certificate must be in the Trusted Root Certificate store of the Intel vpro system, and must be imported into the epolicy Orchestrator server. epolicy Orchestrator can authenticate via Intel AMT Digest or a valid Kerberos account with PT Admin Realm access. Authentication and certificate details are applied to the epolicy Orchestrator Server Settings in the Intel AMT Credentials settings category. Only one set of credentials or one certificate can be applied per instance of epo Deep Command. If your Intel vpro systems were initially configured without using Intel SCS, it might be possible to change that configuration using the options provided by SCS. Additional resources Refer to the following sources for additional information about and to download the latest version of Intel SCS: 20 McAfee epo Deep Command Product Guide

21 Provisioning your Intel AMT firmware Overview: Enterprise mode provisioning network configuration Overview: Enterprise mode provisioning network configuration Enterprise mode provisioning requires that specific hardware, software, and configuration settings be in place. This illustration provides a high-level overview of a network configuration that supports Enterprise mode provisioning of your Intel vpro systems. Each of the server components in this illustration perform an essential function in Enterprise mode provisioning: Active Directory server The Active Directory (AD) server is an integration point for the Intel AMT device. This integration allows the configuration server to use the Kerberos authentication to securely manage Intel AMT credentials. Certificate Authority server The Certification Authority (CA) server issues certificates to the correct trusted devices within the network. An organization can use Transport Layer Security (TLS) communication by incorporating certificates issued by a CA. epo server The epolicy Orchestrator server is the management console from which application and enforcement of Intel AMT policies are configured and distributed. DHCP server Intel AMT devices obtain the IP address via the Dynamic Host Configuration Protocol server. The Management Engine software (not shown) also uses the DHCP server to dynamically update the DNS server with its FQDN. McAfee epo Deep Command Product Guide 21

22 3 Provisioning your Intel AMT firmware Deprovision Intel AMT firmware DNS server Intel vpro systems use the DNS server during the provisioning phase to locate the provision server and request their configuration information. Ensure your provisioning server is registered in DNS and an alias for ProvisionServer is created. Provisioning server This is used to provision an Intel vpro system. It automates the process of populating Intel vpro systems with the user names, passwords, and network parameters that enable the system to be administered remotely from epo Deep Command. Additional components and their configuration There are several additional components and configurations not depicted in the previous illustration. These components also play a role in the provisioning process: Firewall Intel vpro systems requires certain ports are open to allow management traffic to go through them. These tables refer to the ports being used for Intel vpro system communications, which should not be blocked. Communication ports TCP/UDP Intel AMT SOAP/HTTP TCP/UDP Intel AMT SOAP/HTTPS Redirection ports TCP/UDP Intel AMT Redirection/TCP TCP/UDP Intel AMT Redirection/TLS Port 9971 is used in Enterprise mode to listen for Hello packets from the Intel vpro systems. When using the Intel Setup and Configuration Service provisioning sever, the Microsoft Base Filtering Engine services intercept the provisioning process, which causes the provisioning process to fail. Ensure that firewall rules are enabled for the designated ports. BIOS version Use the latest BIOS and firmware from the OEM to ensure proper functionality. IP addressing scheme Enterprise mode only supports DHCP for an IP addressing scheme. Intel Management Engine Interface (MEI) driver The MEI driver is one of the prerequisites for provisioning, as these drivers are needed to deploy on the Intel vpro system. Confirm with the hardware vendors to have the right set of MEI drivers for the appropriate Intel vpro systems. Deprovision Intel AMT firmware You can deprovision a provisioned system, either Fully or Partially. A Full Deprovisioning removes the entire configuration (like the security credentials, and operational network settings) and disables the Intel vpro features on the system. A Partial Deprovisioning retains provisioning configuration data (like the host name, domain name, PKI settings, PSK settings), but disables the Intel AMT features on the system. The Intel vpro system can still communicate with the Provisioning Server. Perform a Full Deprovision on a client system. Task 1 Start the provisioned Intel vpro system, and press Ctrl + P or F12 to invoke the MEBx screen. 2 Log on to the Intel vpro system with the admin user name and password that were configured during the Provisioning process. 3 Select Intel ME General Settings and press Enter. 22 McAfee epo Deep Command Product Guide

23 Provisioning your Intel AMT firmware Deprovision Intel AMT firmware 3 4 Select Unconfigure Network Access and press Enter. A warning message saying that the Configuration will be Reset to the Default Values appears. 5 Press Y to continue. 6 In the next screen, select the option Full Unprovision and press Enter to execute a Full Deprovision, or select the option Partial Unprovision and press Enter to execute a Partial Deprovisioning. 7 Once the deprovisioning is complete, the menu appears. Select Return to go back to the previous screen and press Y to exit the MEBx menu. McAfee epo Deep Command Product Guide 23

24

25 4 Setting 4 up and configuring your software Once you've installed the epo Deep Command software, you need to set up and configure it to fully leverage all available features. Contents Set up and configure the epo Deep Command software Set up and configure the SCCM extension Set up and configure your environment for CIRA Set up and configure the epo Deep Command software These tasks guide you through the process of setting up and configuring your epo Deep Command modules. They assume that you have installed both the Discovery and Reporting module, and the Management Framework module. For details on installation, see Installing epo Deep Command software. Tasks Deploy the epo Deep Command Discovery and Reporting plugin on page 25 The epo Deep Command Discovery and Reporting plugin must be deployed to your managed systems. Assign the Install/Update epo Deep Command Discovery Plugin task to your managed systems to deploy the Discovery plugin. Deploy the Management Framework client on page 26 After the Management Framework extension is installed on the epolicy Orchestrator server, it automatically creates the client task, Deploy epo Deep Command Client. Specify epo Deep Command credentials on page 26 Specify epo Deep Command credentials and import the Server Authentication Certificate in epolicy Orchestrator. The credentials you specify must be the same as the provisioning credentials. This procedure authenticates your administrator rights to manage Intel vpro systems using epo Deep Command. Import CA certificates on page 27 Certificate Authentication (CA) certificates are required to facilitate secure communication between your clients and servers. Deploy the epo Deep Command Discovery and Reporting plugin The epo Deep Command Discovery and Reporting plugin must be deployed to your managed systems. Assign the Install/Update epo Deep Command Discovery Plugin task to your managed systems to deploy the Discovery plugin. This client task is automatically created when the epo Deep Command Discovery and Reporting module is installed on the epolicy Orchestrator server. Assign the client task to the desired client computers. McAfee epo Deep Command Product Guide 25

26 4 Setting up and configuring your software Set up and configure the epo Deep Command software Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Policy Client Task Catalog, then select Product Update under McAfee Agent. 2 Click Assign in the Install/Update epo Deep Command Discovery Plugin Actions column to open the Select a group to assign the task page. 3 Select the required system or system groups where you want to deploy the epo Deep Command Discovery and Reporting software Discovery plugin. 4 Click OK to open the Client Task Assignment Builder wizard. 5 On the Select Task page, verify the Product, Task type, and Task Name to deploy the product. Next to Tags, select a platform, then click Next. Send this task to all computers Send this task to only computers that have the following criteria Use one of the edit links to configure the criteria. 6 On the Schedule page, on Select type: select Run immediately and click Next. 7 Review the summary, then click Save to open the System Tree page. 8 In the System Tree page, select the systems or groups where you assigned the task, then click Actions Agent Wake Up Agents. The Wake Up McAfee Agent page appears. 9 In the Wake Up McAfee Agent, select Force policy update, then click OK. To evaluate each system against AMT tag criteria, the Run Tag Criteria must be executed. Deploy the Management Framework client After the Management Framework extension is installed on the epolicy Orchestrator server, it automatically creates the client task, Deploy epo Deep Command Client. Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Policy Client Task Catalog, then select Product Deployment under McAfee Agent. 2 Click Assign in Deploy epo Deep Command Client to open the Select a group to assign the task page. 3 Select the required systems or groups where you want to deploy Management Framework, then click OK. 4 Click Next to schedule the deployment task as required. 5 Click Next, then click Save. 6 Send an agent wake-up call. Specify epo Deep Command credentials Specify epo Deep Command credentials and import the Server Authentication Certificate in epolicy Orchestrator. The credentials you specify must be the same as the provisioning credentials. This 26 McAfee epo Deep Command Product Guide

27 Setting up and configuring your software Set up and configure the epo Deep Command software 4 procedure authenticates your administrator rights to manage Intel vpro systems using epo Deep Command. Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Configuration Server Settings. 2 In Setting Categories, select AMT Credentials, then click Edit to specify your Intel AMT credentials and import trusted certificates. The Edit Intel AMT Credentials page appears. 3 Type your user name and password, confirm your password, then click Save. If the credentials are invalid or not specified, all OOB actions fail. Click Edit to change your credentials anytime. 4 Click Edit. In Trusted Root Certificates, click Import to specify a PEM encoded (.pem file), DER encoded (.der file), or a PKCS12 (.p12 file) certificate. The certificate is required for CIRA, SOL and IDE-R policies. This is the Root Certificate of the CA that was used for creating and signing the Server Authentication Certificate. See the About Certification Authority Integration section in the Provisioning your Intel AMT firmware chapter for more information on the Server Authentication Certificate. 5 Click Save. Import CA certificates Certificate Authentication (CA) certificates are required to facilitate secure communication between your clients and servers. While specifying epo Deep Command credentials, import CA certificates to the system account where epolicy Orchestrator or Agent Handler is installed in a cross domain. This prevents the 401 or error from being displayed in the AMTService.log file. Refer to the Frequently asked questions section for more information on the AMTService.log file. When you use Internet Explorer to install the CA certificate to your Trusted Roots certificate store, it affects only the current user's certificates and not the local system. Users need to use the MMC certificates to install on the local system or a service account. This CA must be checked into Trusted Root Certification and Intermediate Certification Authorities, and the epolicy Orchestrator services must be restarted. This is the Root Certificate of the CA that was used for creating and signing the Server Authentication Certificate. See the Certification Authority Integration section in the Provisioning your AMT firmware chapter for more information on the Server Authentication Certificate. Task For option definitions, click? in the interface. 1 Specify epo Deep Command credentials and import the Server Authentication Certificate in epolicy Orchestrator. Refer to the Specify epo Deep Command credentials section for instructions. 2 Run mmc from the Command Prompt of your epolicy Orchestrator system. 3 From File, click Add/Remove Snap-in, then click Add. 4 In Add Standalone Snap-in, select Certificates, then click Add. McAfee epo Deep Command Product Guide 27

28 4 Setting up and configuring your software Set up and configure the epo Deep Command software 5 From the Certificates snap-in window, select Computer Account, then click Next. From the Select Computer page, select Local Computer, then click Finish. 6 Click Close. 7 Click OK. 8 Go to Console Root and expand Certificates (Local Computer), then expand Trusted Root Certification Authorities. The Certificates folder must be displayed in the right pane. Right-click Certificates, then click all Tasks Import. 9 In the Certificate Import Wizard, click Next, then Browse and select the CA Certificate. Make sure Trusted Root Certification Authorities is where the certificate is stored. Click Next, then click Finish to complete the certificate importing process. 10 Go to Console Root and expand Certificates (Local Computer), then expand Intermediate certification Authorities. The Certificates folder must be displayed in the right pane. Right-click Certificates, then click all Tasks Import. Test your connection to an Intel vpro system After provisioning your Intel AMT firmware, specifying product credentials to manage your Intel vpro systems, then deploying epo Deep Command to your Intel vpro systems, you can verify that the Intel vpro system is managed by your epolicy Orchestrator server by using the Power On and Boot/ Reboot features. Power On feature Follow the instructions in the Power on your systems section of the Managing your Intel vpro systems chapter. Boot/Reboot feature Follow the instructions given in the Boot or reboot using IDE-Redirect section of the Managing your Intel vpro systems chapter. Configuring permission sets Minimum permissions must be set for all users so they can execute different OOB actions on any Intel vpro system in the System Tree, and view epo Deep Command events. Common permissions for Out-of-Band actions View the list of Agent Handlers. View the System Tree tab in Systems. Access My Organization in System Tree. Other permissions For Out-of-band Power On feature access, configure these permission sets: Wake up agents and view the Agent Activity Log in Systems. Power On in epo Deep Command Out-of-Band actions. 28 McAfee epo Deep Command Product Guide

29 Setting up and configuring your software Set up and configure the SCCM extension 4 For Out-of-Band policy enforcement, configure these permission sets: Enforce Intel AMT Policies in epo Deep Command Out-of-Band actions. View policy and task settings in epo Deep Command policies. For SOL Terminal access, configure the following permission: Use Serial over LAN Terminal (SOL) in epo Deep Command Out-of-Band actions. For IDE-R access, configure the following permission: Boot/Reboot with Options (IDE-R) in epo Deep Command Out-of-Band actions. To view the CILA and CIRA Events in Threat Event log, configure the following permission: View Threat Event Log in Reporting. Set up and configure the SCCM extension Setting up and configuring the SCCM extensions on your epolicy Orchestrator server allows you to import data from your SCCM servers so you can view details about the software installed on a particular Intel vpro system. Install the SCCM extension Install the SCCM extension on your epolicy Orchestrator server to view specific details about any SCCM-managed systems that are also managed by your epolicy Orchestrator server, such as, status, domain, version, and operating system. This procedure is optional. Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Software Software Manager. 2 In Product Categories, click Software Not Checked In Licensed. 3 Select the SCCM extension you want to install, then click Check In. You can also download the SCCM extension to a temporary location on your system and install it later. For instructions on installing extensions, see the McAfee epolicy Orchestrator Product Guide. 4 In the Software Summary page, review and accept the End User License Agreement (EULA), then click OK. Add registered SCCM servers Adding SCCM servers allows you to import Intel vpro system details registered in the SCCM servers to epolicy Orchestrator. Before you begin You must install SCCM extensions on epolicy Orchestrator. McAfee epo Deep Command Product Guide 29

30 4 Setting up and configuring your software Set up and configure the SCCM extension Task For option definitions, click? in the interface. 1 From the epolicy Orchestrator console, click Menu Configuration Registered Servers. 2 Click New Server. The Registered Server Builder page appears. 3 In the Description field, under Server Type, select SCCM from the drop-down list, then type the server name. 4 In the Details field, specify the following information: DNS Name or IP of this site's provider (WMI Host) SCCM site code WMI user name WMI password 5 Confirm the WMI password and click Test Connection. You will receive one of these messages: Connection verified Failed to establish connection 6 Click Save. Import data from SCCM servers Import data from SCCM servers to epolicy Orchestrator. Task For option definitions, click? in the interface. 1 From the epolicy Orchestrator console, click Menu Automation Server Tasks. 2 Click New Task. The Server Task Builder page appears. 3 Type a name for the task, select Schedule Status as Enabled, then click Next. 4 In Actions, select SCCM - Import Data on epo systems, select the required SCCM server from which you want to import system data, select a tag as required, then click Next. 5 Schedule the task as required, then click Next. A summary of the task is displayed. 6 Click Save. 7 Click Run. The Server Task Log page is displayed with the status of the task. 8 Navigate to the System Properties page, select the Intel vpro system, then click the SCCM tab to view details of the Intel vpro system. Removing the SCCM extension Remove the SCCM extension from epolicy Orchestrator. 30 McAfee epo Deep Command Product Guide

31 Setting up and configuring your software Set up and configure your environment for CIRA 4 Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Software Software Manager. 2 On the Software Manager page in Product Categories, click Checked In Software Licensed. 3 Select the product and the corresponding SCCM extension to be removed, then click Remove. You can also remove the extension by navigating to the Extensions page, clicking Remove corresponding to SCCM extension, then clicking OK. 4 In the Remove Software Summary page, click OK. Set up and configure your environment for CIRA To use the Client Initiated Remote Access feature (CIRA), you must set up and configure an epo Deep Command Gateway server. The epo Deep Command Gateway server acts as a proxy responsible for mediating communication between the epolicy Orchestrator server and the remotely managed Intel vpro systems. It resides in the corporate DMZ sever where Agent Handler is installed. epo Deep Command Gateway server configuration The CIRA feature allows Intel vpro technology platforms to initiate a secured connection to a gateway server residing in the enterprise De-Militarized Zone (DMZ). To use CIRA policies, you must download, certify, install, and configure stunnel separately. Before installing stunnel, you must install epo Deep Command Gateway on the DMZ server where Agent Handler or the McAfee epo server is installed. You can download stunnel from Stunnel is a multi-platform program that acts as the SSL tunneling proxy between the McAfee epo server and your remote Intel vpro systems. For instructions on setting up Agent Handler, see the epolicy Orchestrator 4.6 Product Guide. McAfee epo Deep Command Product Guide 31

32 4 Setting up and configuring your software Set up and configure your environment for CIRA Install the epo Deep Command Gateway server Install the epo Deep Command Gateway server on the server in your corporate DMZ where the Agent Handler is installed. Task For option definitions, click? in the interface. 1 From the CA server, extract the contents from EPODCGateway <build number> Package.zip to a temporary location on your server in the DMZ where Agent Handler is installed. 2 Double-click the SetupAGS.exe file. The Welcome screen appears. 3 Click Next. Select the license type and accept the license agreement, then click OK. The Destination Folder screen displays a default folder where the software installation files are copied. 4 Click Change to specify a folder, or Next to copy them to the default location. Where epo Deep Command Gateway Information screen displays the default port the epo Deep Command Gateway listens for the new Intel AMT platform connection request. You can use the default port on this screen. If you change the port, stunnel configuration must be changed accordingly. Refer to Use the CIRA policy for instructions. 5 Click Next Finish. Install stunnel Install stunnel on the DMZ server where the Agent Handler or McAfee epo server is installed. Before you begin epo Deep Command Gateway must be installed on this DMZ server. 32 McAfee epo Deep Command Product Guide

33 Setting up and configuring your software Set up and configure your environment for CIRA 4 Task For option definitions, click? in the interface. 1 Go to then download the stunnel software package to a temporary location on the server system where the Agent Handler or epolicy Orchestrator is installed in the DMZ. 2 Double-click stunnel-<version>-installer.exe and follow the instructions. Stunnel is installed in C:\Program Files. Generate the certificate for stunnel installation The Server Authentication Certificate is required to use stunnel. For more information on the Server Authentication Certificate, see Certification Authority Integration in the Provisioning your Intel AMT firmware chapter. Before you begin OpenSSL generates stunnel certificates and requires a one-time setup. The step that follow provide an example of the process used to generate the certificate. For completed instructions on generating certificates, go to and see Generating the stunnel certificate and private key (pem). You can generate certificates on another system to avoid copying various certification dependent software, executables, or binaries on the DMZ. If you know how to generate stunnel certificates, follow these guidelines: The private key size must not exceed Do not include an address. Enter the fully qualified domain name of the epo Deep Command Gateway server. Ensure that the Web Server template is used when the certificate request is submitted for signing by the CA. Task For option definitions, click? in the interface. 1 Go to 2 Install vcredist_x86.exe, which is required for the OpenSSL installation. 3 Install Win32OpenSSL-1_0_0d, then select C:\OpenSSL-Win32 as the destination location. 4 Copy OpenSSL DLLs to The OpenSSL binaries (/bin) directory during the installation process. 5 After the installation is complete, copy openssl.cnf to the C:\OpenSSL-Win32\bindirectory. 6 From the command prompt, go to C:\OpenSSL-Win32\bin and run this command: openssl req -new -config openssl.cnf -newkey rsa:1024 -nodes -keyout cira.key -out cira.csr In this command, a private key (cira.key) and a cira.csr (certificate signing request) are created. 7 When prompted, specify the following values: Country name: US State: California McAfee epo Deep Command Product Guide 33

34 4 Setting up and configuring your software Set up and configure your environment for CIRA Location: Santa Clara Organization name: McAfee Do not provide your address. However, it is mandatory to provide the hostname of the system when generating the request for key. Sign the certificate using Certification Authority Sign the generated certificate using OpenSSL. The CA used to sign the certificate should be known to the Intel vpro system. Additionally, the CA Thumbprint value (CA Hash) must be present in the MEBx BIOS of the Intel vpro system. If this is not, the CIRA tunnel can't be established. Task For option definitions, click? in the interface. 1 Use a web browser to access the CA server. The CA server URL must include the server's FQDN followed by /certsrv. For example, FQDN>/certsrv. 2 Log on to the CA server as a domain administrator, click Request a Certificate Advanced Certificate Request. 3 Click Submit a Certificate request by using a base64 encoded file. 4 Select Web Server from the Certificate Template drop-down list. Copy the contents of the file C: \OpenSSL-Win32\bin\cira.csr in the text box Base-64-encoded certificate request, then click Submit. Notepad or WordPad can be used to open C:\OpenSSL-Win32\bin\cira.csr. 5 Select Base 64 Encoded and Download Certificate, then save to C:\Program Files\stunnel as cira.pem. This is the signed public certificate that stunnel uses. Configure stunnel Use this task to configure stunnel, for instance, to listen to port 81 for the incoming CIRA requests and forward it to port (default port you specify for the epo Deep Command Gateway server to listen to, during installation). Task For option definitions, click? in the interface. 1 Copy the cira.key (private key), which was created by the openssl command, to the folder C: \Program Files\stunnel. 2 Save the CA Root Certificate file to the folder C:\Program Files\stunnel as ca.cer. 34 McAfee epo Deep Command Product Guide

35 Setting up and configuring your software Set up and configure your environment for CIRA 4 3 Configure the stunnel configuration file C:\Program Files\stunnel\stunnel.conf and include these lines: cert = C:\Program Files\stunnel\cira.pem key = C:\Program Files\stunnel\cira.key CAfile = C:\Program Files\stunnel\ca.cer [ciraamt] accept = 81 connect = where "cert" is the publicly signed certificate, "key" is the private key for stunnel and "CAfile" is the Root Certificate which was used to sign the stunnel certificate If you have saved the files in some other name, update the stunnel.conf configuration file accordingly. See the sample stunnel configuration file in Appendix. The "ciraamt" section configures stunnel to listen at port 81 for incoming CIRA requests and forward it to the port which is the default port where epo Deep Command Gateway Server is listening. (This configuration was done during the installation of the epo Deep Command Gateway server. Rules must be enabled to allow inbound connections to the CIRA empty port. In this case, inbound connections must be allowed to port 81. Install stunnel as a Windows service Install stunnel as a service on a 32- or 64-bit Windows operating system where epo Deep Command Gateway Server is installed. Following are the instructions to install stunnel as a service for a 32-bit operating system. From the command prompt, run these commands. cd C:\Program Files\stunnel stunnel.exe -install Start the stunnel service Start the stunnel service to start processing any CIRA requests. From the command prompt, run these commands. cd C:\Program Files\stunnel stunnel.exe stunnel.conf McAfee epo Deep Command Product Guide 35

36 4 Setting up and configuring your software Set up and configure your environment for CIRA Validate certificate Verify that the certificate issued to the host name of your epo Deep Command Gateway server is correct. Task 1 Using Mozilla Firefox, go to of the epo Deep Command Gateway server>:81 (or the port you have configured in stunnel.conf to listen). 2 View the certificate installed on the site. It must be installed to the host name of the epo Deep Command Gateway server and issued by CA that is known to the Intel vpro system. 36 McAfee epo Deep Command Product Guide

37 5 Reporting on your Intel vpro systems With McAfee epo Deep Command Reporting and Discovery software, you can quickly determine the status of the Intel vpro systems in your network. The predefined queries and dashboards provide you with out-of-the-box functionality, since they are added to your epolicy orchestrator server when the software is installed. These queries can be configured to display results in charts or tables, which can also be used as dashboard monitors. Query results can be exported to several formats, any of which can be downloaded or sent as an attachment to an message. You can create additional, custom queries using the Query Builder wizard which is available in the epolicy Orchestrator server. For details on how to perform this task, see the epolicy Orchestrator product documentation for versions 4.6 or later. Contents Discovery and Reporting queries and their descriptions Properties collected by the Discovery plugin About the Intel AMT Summary dashboard Discovery and Reporting queries and their descriptions When the epo Deep Command Discovery and Reporting software is installed on your epolicy Orchestrator server, predefined queries are added to the Queries and Reporting feature. Table 5-1 epo Deep Command Discovery and Reporting queries Query CILA Supported epo Deep Command Detection Coverage IDE Redirect Supported and Enabled Intel AMT Fully Provisioned Intel AMT Provisioning Mode Description Displays a pie chart of detected client systems supporting Client Initiated Local Access (CILA), also known as Fast Call For Help. Displays a pie chart of the deployment status of the epo Deep Command plugin. Displays a pie chart of detected systems that have IDE-Redirect supported and enabled. Displays a pie chart of managed systems where Intel AMT is fully provisioned. Displays a pie chart of different Intel AMT provisioning modes for all detected systems supporting Intel AMT. Enterprise This mode requires a configuration service to provision the systems remotely. None This provisioning status means that no specific mode is selected. Small and Medium Business (SMB) In this mode, the administrator can manually provision the systems. McAfee epo Deep Command Product Guide 37

38 5 Reporting on your Intel vpro systems Discovery and Reporting queries and their descriptions Table 5-1 epo Deep Command Discovery and Reporting queries (continued) Query Intel AMT Provisioning State Description Displays a pie chart of different Intel AMT provisioning states for all detected systems supporting Intel AMT. In (In-provisioning) These systems are in a partially configured state with initial information Transport Layer and Security (TLS) networking. Post (Post-provisioning) These systems are in a fully configured state with security settings, certificates and settings that activate Intel AMT capabilities. Pre (Pre-provisioning) These systems have factory default settings and do not have any Intel AMT configuration defined. Intel AMT Supported Intel AMT Version KVM Supported and Enabled SOL Supported and Enabled Systems with AMT Tag Systems without Intel MEI Driver Web UI Enabled Systems Displays a pie chart of managed systems supporting Intel AMT. Displays a column chart of detected Intel AMT versions. Displays a pie chart of detected systems which have Keyboard, Video display unit and Mouse (KVM) supported and enabled. Displays a pie chart of detected systems which have Serial-Over-LAN (SOL) supported and enabled. Displays a summary table of managed systems which have the AMT tag applied to them. Displays a pie chart showing the number of managed systems that support Intel AMT without the Intel MEI driver installed on them. Displays a pie chart of the number of managed systems that have the web user interface enabled. View default queries Use these steps to run and view default queries for epo Deep Command Discovery and Reporting software. Task For option definitions, click? in the interface. 1 Click Menu Reporting Queries & Reports. To open the Queries page opens. 2 Select epo Deep Command Reporting from Shared Groups in the Groups pane. The Standard Discovery and Reporting query list appears. 3 Select a query from the Queries list, then click Run. In the query result page click on any item in the results to drill down and view the properties of each managed system under Intel AMT tab. 4 Click Close when finished. 38 McAfee epo Deep Command Product Guide

39 Reporting on your Intel vpro systems Properties collected by the Discovery plugin 5 Properties collected by the Discovery plugin The epo Deep Command Discovery and Reporting software Discovery plugin collects properties from the managed systems where it is installed. The properties that are reported depend on whether the system is an Intel vpro system, and whether or not the Intel MEI driver is installed. Property Description With Intel Alarm Enabled BIOS Release Date BIOS Version CILA Reports whether the epo Deep Command AMT policy has set the alarm clock in the Intel AMT firmware. Reports the release date of the BIOS running on this system using the DD/MM/YY format. Reports the version number of the BIOS running on this system. For example, A05. Reports whether the Client-Initiated Local Access (CILA), also known as Fast Call for Help feature is supported and enabled on this system. This property value is reported as: No Not Available Yes MEI Driver Installed Without Intel MEI Driver Installed Non-Intel vpro System CILA Agent Handler CILA Enabled CIRA Enabled Reports the FQDN of the Agent Handler assigned by the epo Deep Command Remote Access policy to handle CILA requests generated by this system. This property value is reported as: FQDN of Agent Handler Not Available Reports whether epo Deep Command Remote Access is enabled and enforced CILA on this system. This property value is reported as: No Not Available Yes Reports whether the epo Deep Command Remote Access policy has enabled and enforced Client-Initiated Remote Access (CIRA), also known as Fast Call for Help, on this system. This property value is reported as: No Not Available Yes McAfee epo Deep Command Product Guide 39

40 5 Reporting on your Intel vpro systems Properties collected by the Discovery plugin Property Description With Intel CIRA Agent Handler Reports the FQDN of the DMZ Agent Handler assigned by epo Deep Command Remote Access policy to handle CIRA requests generated by this system. This property value is reported as <FQDN> of DMZ Agent Handler Not Available MEI Driver Installed Without Intel MEI Driver Installed Non-Intel vpro System DHCP Enabled Reports whether DHCP is enabled on this system. This property value is reported as Yes or No. Endpoint Access Control Enabled Indicates whether Intel Endpoint Access Control is enabled to check for Intel AMT Network Policy Compliance. Firmware Update Enabled Reports whether the Firmware Update feature is enabled in the BIOS of this system. This property value is reported as Yes or No. Firmware Version Reports the version number of the Firmware running on this system. For example Hardware Crypto Enabled Reports whether the Intel AMT hardware crypto engine feature is enabled on this system. This property value is reported as Yes or No. IDE Redirection (IDE-R) Reports whether the IDE-R feature is supported and enabled on this system. This property value is reported as: Not Available Supported Supported and Enabled Supported and Enabled in BIOS only Intel AMT DNS Name Reports the full Domain Name System name stored in the Intel AMT firmware on this system. For example, C1amtepo.epoqa.in. Intel AMT Fully Provisioned Reports whether the Intel AMT hardware is fully provisioned. This property value is reported as Yes or No. Intel AMT Supported Reports whether this system is equipped with Intel AMT hardware. This property value is reported as Yes or No. Intel Anti-Theft Supported Reports whether this system supports Intel Anti-Theft technology. This property value is reported as Yes or No. Intel AMT Version Reports the version number of the Intel AMT hardware present on this system. For example, Intel MEI Enabled Reports whether the MEI hardware is present and turned on. This property value is reported as Yes or No. Intel MEI Version Reports the version number of the MEI driver running on this system. For example, McAfee epo Deep Command Product Guide

41 Reporting on your Intel vpro systems Properties collected by the Discovery plugin 5 Property Description With Intel Intel vpro System KVM Reports whether the target system is an Intel vpro system. This property value is reported as Yes or No. Reports whether the KVM (Keyboard, Video and Mouse switch) feature is supported on this system. This property value is reported as: Not Available Supported Supported and Enabled Supported and Enabled in BIOS only MEI Driver Installed Without Intel MEI Driver Installed Non-Intel vpro System Last Error Message Last IDE-R Session Start/ End Time Last IDE-R Session Status Last Power On Success Displays the error description for the error that occurred if the last Out-of-Band (OOB) action failed. Reports the time when the last IDE-R session was initiated or stopped. For example, DD/MM/YY 12:00 PM. Reports whether the status of the last IDE-R Session is active. This property value is reported as Yes or No. Reports whether the last attempt to power this system on using an OOB action was successful. This property value is reported as: Not Available Yes Last Power On Time Reports the last time this system was powered on as the result of an OOB action. For example, DD/ MM/YY 12:00 PM. Last SOL Session Start/ End Time Reports the time when the last SOL session was initiated or stopped. For example, DD/MM/YY 12:00 PM. Last SOL Session Status Reports whether the status of the last SOL Session is active. This property value is reported as Yes or No. Manageability Level Reports the manageability level for this system. These levels are reported as: Full Intel AMT is supported None Intel AMT is not supported Not Available non-intel AMT hardware Standard Intel AMT is partially enabled Mobile System (Laptop) Reports whether this system is a laptop. This property value is reported as Yes or No. Network Interface Enabled Reports whether the network interface is enabled on this system. This property value is reported as Yes or No. McAfee epo Deep Command Product Guide 41

42 5 Reporting on your Intel vpro systems Properties collected by the Discovery plugin Property Description With Intel Policy Enforced Policy Enforcement Time Provisioning Mode Reports whether the epo Deep Command AMT policy is enforced on this system. This property value is reported as Yes or No. Displays the last enforcement time for the epo Deep Command AMT policy on this system. For example, MM/DD/YY 12:00 PM. Reports the provisioning mode of this system: Enterprise mode Enterprise provisioning mode SMB Small and Medium Business provisioning mode MEI Driver Installed Without Intel MEI Driver Installed Non-Intel vpro System Provisioning Mode (TLS) Reports the TLS provisioning mode of this system: PKI Public Key Interface protocol PSK Pre-shared Key Based TLS protocol Provisioning State Reports the provisioning state for this system: In-provisioning The system is being provisioned. Post-provisioning The system has been provisioned. Pre-provisioning The system is unprovisioned. Remote Configuration Enabled Reports whether this system can be provisioned remotely. This property value is reported as Yes or No. Remote Configuration Server Reports the FQDN of the provisioning server configured during the provisioning process. For example, sccm.amtepo.epoqa.in Remote Configuration Server IP Address Reports the IP address of the provisioning server configured during the provisioning process. For example, Reported Local Alarm Clock Time Displays the alarm clock time set in the Intel AMT firmware during the epo Deep Command Alarm Clock policy enforcement. For example, MM/DD/YY 12:00 PM. Serial-over-LAN (SOL) Reports whether the SOL feature is supported and enabled on this system. This property value is reported as: Not Available Supported Supported and Enabled Supported and Enabled in BIOS only System Model System Manufacturer Reports this system's model. For example, OptiPlex 755. Reports this system's manufacturer name. For example, Dell Inc. 42 McAfee epo Deep Command Product Guide

43 Reporting on your Intel vpro systems Properties collected by the Discovery plugin 5 Property Description With Intel System Serial Number Transport Layer Security (TLS) Reports the serial number of this system. For example, 0ABC8BA. Reports whether this system is in the Post Configured state with TLS enabled. This property value is reported as: Not Available Supported Supported and Enabled Supported and Enabled in BIOS only MEI Driver Installed Without Intel MEI Driver Installed Non-Intel vpro System UUID Web UI Enabled Wired IPv4 Address Wired Link Status Wired MAC Address Wireless IPv4 Address Wireless Link Status Wireless MAC Address Reports the ID for this systems hardware. For example, 4C4C4D44-004A-4A C4C44F Reports whether the Intel AMT Web interface (configured during provisioning) is enabled on this system. This property value is reported as Yes or No. Reports the IPv4 address received over this system's physical network connection. For example, Reports whether this system's physical network connection is functioning. This property value is reported as Up or Down. Reports the MAC address received over this system's physical network connection. For example, 781bcb8cf20a. Reports the IPv4 address received over this system's wireless network connection. For example, Reports whether this system's wireless network connection is functioning. This property value is reported as Up or Down. Reports the MAC address received over this system's wireless network connection. For example, 781bcb8cf20a. About the Intel MEI driver The Intel Management Engine Interface (MEI) driver is the Intel AMT subsystem used by the client operating system (OS) to access Intel AMT capabilities. When this driver (also known as the HECI or Host Embedded Controller Interface driver) is installed on the Intel vpro system, the epo Deep Command Discovery and Reporting Discovery plugin is able to report a more complete set of system details. The MEI driver is bi-directional, allowing the host (OS) or the Intel AMT firmware to initiate transactions. If you need to install the Intel MEI driver, refer to the Intel product documentation McAfee epo Deep Command Product Guide 43

44 5 Reporting on your Intel vpro systems About the Intel AMT Summary dashboard About the Intel AMT Summary dashboard The Intel AMT Summary dashboard is added to your epolicy Orchestrator server when you install the epo Deep Command Discovery and Reporting software. The dashboard displays a collection of monitors based on the results of the default epo Deep Command Discovery and Reporting software queries. Using this monitor, you can see: Which of the managed systems are Intel AMT equipped The versions of Intel AMT hardware Configuration status These are the default dashboard monitors that appear after installing the epo Deep Command Discovery and Reporting software. CILA Supported Helps the administrator determine the number of managed systems that support CILA connections out of the total number of managed systems. The administrator can then determine the number of managed systems to enforce Remote Access Policy that enable CILA support. This allows the managed systems to send CILA request to the epolicy Orchestrator server. epo Deep Command Detection Coverage Helps the administrator determine the number of managed systems on which the epo Deep Command Discovery and Reporting Discovery plugin has been installed, out of the total number of managed systems. This monitor is useful to determine the coverage of the software. IDE-Redirect Supported and Enabled Helps the administrator determine the number of managed systems that support and can be remotely managed using IDE-R connections. Intel AMT Fully Provisioned Helps the administrator determine the number of managed systems that are fully Intel AMT provisioned, out of the total number of managed systems. The administrator can determine the number of managed systems that can be used for out-of-band actions, and the number of remaining systems that need to be provisioned. Intel AMT Provisioning Mode Helps the administrator determine the different provisioning modes that are present in the total number of managed systems. Because epo Deep Command currently supports the Enterprise mode only, the administrator must re-provision managed systems that are not in Enterprise mode. Intel AMT Provisioning State Helps the administrator determine the different Intel AMT provision states present in the total number of managed systems. The out-of-band actions can be used on any managed system that is in Post Provisioned state. Intel AMT Supported Helps the administrator determine the number of managed systems that are Intel AMT enabled. However, out-of-band actions might not be possible on all these Intel AMT enabled systems; they depend on the Intel AMT version and the provisioning state. Intel AMT Version Helps the administrator to obtain the different versions of Intel AMT hardware present on the managed systems. Because epo Deep Command supports specific versions of Intel AMT, this monitor enables the administrator determine how many systems can be used for out-of-band actions. KVM Supported and Enabled Helps the administrator determine the number of managed systems that support KVM connections out of the total number of managed systems. This enables the administrator determine the number of systems that can be managed remotely using KVM or third-party tools. SOL Supported and Enabled Helps the administrator determine the number of managed systems that support SOL connections out of the total number of managed systems. This helps to determine the number of systems that can be managed remotely using SOL. 44 McAfee epo Deep Command Product Guide

45 Reporting on your Intel vpro systems About the Intel AMT Summary dashboard 5 Systems without Intel MEI Driver Helps the administrator determine the systems that require installation of the MEI driver out of the total number of managed systems. The systems without Intel MEI driver cannot collect specific Intel vpro and BIOS properties. Web UI Enabled Systems Helps the administrator determine the number of managed systems that support web browsers. The administrator can open the browser and connect to the managed systems using its Fully Qualified Domain name (FQDN) to port, and log on to it. For more information on vpro and BIOS properties of each managed system, click the monitor, select the system, then select the Intel AMT tab. McAfee epo Deep Command Product Guide 45

46

47 6 Managing 6 your Intel vpro systems With epo Deep Command Management Framework software you can manage the Intel vpro systems in your network by using Intel AMT policies, client task execution policies, out-of-band actions, server tasks, and queries. Contents Using policies to manage Intel vpro systems Using Out-of-Band actions Creating and using server tasks Management Framework queries Using policies to manage Intel vpro systems Policies ensure that the product features are configured correctly, while client tasks are the scheduled actions that run on the managed systems hosting any client-side software. When you change a policy from your epolicy Orchestrator server, that policy is applied during the next agent-server communication interval (ASCI). As a result, the next time a system that has received the new policy is powered on, the new policy is enforced automatically. epo Deep Command has two policies: AMT Policy and the Client Task Execution Policy. About the policies If your remote Intel vpro systems need technical assistance, you can schedule a time to power on your systems and create a CILA or CIRA policy. You must define Alarm Clock, CILA, and CIRA settings in a single policy and assign it to the required systems or groups. Alarm Clock policy The Alarm Clock feature, introduced in Intel AMT version 5.1, enables you to remotely schedule Intel vpro systems that are powered off, to wake up and perform specific tasks. These tasks can be performed during off hours without interrupting Intel vpro system users. Users can also shut down their systems when they aren't using them, saving power and costs. For instructions on configuring the Alarm Clock policy, see the Create and enforce the Intel AMT Alarm Clock policy in this guide. CILA policy The CILA feature, introduced in Intel AMT version 6.0, allows the local Intel vpro system to initiate a Fast Call For Help inside the enterprise network. When a user initiates a connection, Intel AMT detects that it is inside the enterprise and sends a local CILA request directly to the epolicy Orchestrator server. McAfee epo Deep Command Product Guide 47

48 6 Managing your Intel vpro systems Using policies to manage Intel vpro systems CIRA policy The CIRA feature, introduced in the Intel AMT version 5.0, allows the remote Intel vpro systems located outside the corporate network to initiate a secured connection to a gateway server residing in the enterprise De-Militarized Zone (DMZ), to communicate with the epolicy Orchestrator server. Typically, these systems are located behind a firewall. If the Intel vpro system initiates a connection to your server, you can use this connection to administer it. CIRA relies on three components: The epolicy Orchestrator server. Intel vpro systems with Intel AMT (configured for remote connectivity). epo Deep Command Gateway server. See the Pre-installation configuration for using CIRA chapter for information on configuring the epo Deep Command Gateway server before using CIRA policies. The remote Intel vpro system or user initiates a connection to the epo Deep Command Gateway server that acts as a proxy server. The connection is either initiated manually by the user in an operating system level utility, or the pre-operating system level with a key combination. The connection can be scheduled to be initiated automatically according at a predetermined time. Once the connection reaches the epo Deep Command Gateway server, a secure encrypted tunnel is established back to the Intel vpro system. Your epolicy Orchestrator server is notified of the incoming CIRA request from the Intel vpro system. You can initiate any Intel vpro system command to the remote Intel vpro system. Create and enforce the Alarm Clock policy Use the Alarm Clock policy to schedule a time to power on your Intel vpro systems. Before you begin The time you set is based on the location of your Intel vpro system. If you specify the Alarm Clock time to be fewer than five minutes of the current time of your Intel vpro system, the policy enforces the Alarm Clock Time for the next day. An Intel vpro system might be powered on at an incorrect time if it moves to a different time zone. This can be resolved after an ASCI and manual policy enforcement, or through policy modification. You can verify the policy enforcement by going to the System Properties page and clicking Intel AMT. Make sure the alarm is enabled to update the Reported Local Alarm Clock Time. Task For option definitions, click? in the interface. 1 From the Policy Catalog, select the Product as epo Deep Command and Category as AMT Policies, then click New Policy. 2 In the New Policy dialog box, type a name for the Alarm Clock policy, then click OK. 3 Select Allow epo to enforce these settings. 48 McAfee epo Deep Command Product Guide

49 Managing your Intel vpro systems Using policies to manage Intel vpro systems 6 4 Enable the Alarm Clock at a particular time and specify the randomization minutes. Randomization minutes help balance the policy distribution to all the selected Intel vpro systems one at a time. The maximum value is 20 minutes. 5 Select Repeat Every to specify the days, hours, and minutes to power on your systems at regular intervals. 6 From the System Tree, select the systems you want to power on using the scheduled Alarm Clock policy. 7 Click Actions Out-of-Band Enforce AMT Policies, then click OK. In the amtservice.log, the policy enforcement should be successful and the Alarm Clock Set Time is shown in Universal Time Coordinated (UTC). Use the CILA policy Enforce the CILA policy to the local Intel vpro systems so they can initiate a call for technical help to the epolicy Orchestrator server from BIOS or the operating system. Before you begin The Local Area Network (LAN) Agent Handler being used for the CILA policy must be active. Task For option definitions, click? in the interface. 1 From the Policy Catalog, select the Product as epo Deep Command and the Category as AMT Policies, then click New Policy. 2 In the New Policy dialog box, type a new policy name, then click OK. 3 Click the Remote Access tab, then select the Allow epo to enforce these settings option. 4 From the Local Server, select Enable Client Initiated Local Access (CILA), then select an active LAN Agent Handler from the drop-down list. Select the required Connection Type from where the Intel vpro system must initiate the call to the epolicy Orchestrator server. Available options are BIOS Initiated and OS Initiated. 5 Click Save. 6 From the System Tree, select the systems, then click Assigned Policies Edit Assignment to select the policy from the drop-down list, then click Save. 7 From the System Tree, select the appropriate systems, click Actions Out-of-Band Enforce AMT Policies OK. To verify the CILA policy enforcement status, view the Server Task Log. After enforcing the CILA policy, you can also navigate to the System Properties page, click the Intel AMT tab to see the properties for CILA Enabled and CILA Agent Handler (that you chose while creating CILA policy). The Intel AMT user can also initiate a call from the Intel vpro system by opening the Intel Management and Security Status tool, then clicking Get Technical Help. After this action, the Threat Event Log on epolicy Orchestrator displays the Local Fast Call for Help log with an event id McAfee epo Deep Command Product Guide 49

50 6 Managing your Intel vpro systems Using policies to manage Intel vpro systems Use the CIRA policy Enforce the CIRA policy to the Intel vpro systems so they can initiate a call to the epolicy Orchestrator server for technical assistance from BIOS or the operating system. You can then use this data for system diagnosis. Before you begin McAfee epo Agent Handler 4.6 Patch 1 must be installed on the epo Deep Command Gateway Server DMZ and must be active. The FQDN of the epo Deep Command Gateway server must be resolvable from the Internet. The CIRA configuration ports must be allowed through the DMZ firewall and be accessible to the remote Intel vpro system clients. Usually, this is the port where stunnel is configured. See epo Deep Command Gateway server configuration. Stunnel version 4.36 or later must be installed on Agent Handler servers. OpenSSL is required for generating the certificates. CIRA is an advanced feature of Intel vpro technology platforms that helps initiate a secured connection from your server to the Intel vpro systems through a gateway server residing in the enterprise DMZ. Make sure you provide the correct details of your Intel vpro system environment while configuring a CIRA policy. If there's a mistake, especially while enforcing the CIRA policy to a larger environment, you might need to be physically present to deprovision each Intel vpro system, then re-provision them, which results in very high operational costs. Task For option definitions, click? in the interface. 1 From the Policy Catalog, select the Product as epo Deep Command and the Category as AMT Policies, then click New Policy. 2 In the New Policy dialog box, type a new policy name, then click OK. 3 Click the Remote Access tab, then select Allow epo to enforce these settings. 4 In Remote Server, select Enable Client Initiated Remote Access (CIRA). Select the required Connection Type from where the Intel vpro system must initiate the call to the epolicy Orchestrator server. Available options are BIOS Initiated and OS Initiated. 5 Type Home Domain Suffix, the last part of the host name of the Intel vpro systems, and click Add. This enables the Intel vpro systems access to the home domains. Also, select a primary DMZ Agent Handler and specify the stunnel port for the incoming CIRA requests. (This port is specified during stunnel configuration). The DHCP and DNS servers must be configured properly for the CIRA policy to work well. The details you specify in this step must match your connection-specific DNS suffixes in your LAN. Incorrect home domain suffix settings might turn off the access to the Intel vpro systems unless a CIRA session is established by the system itself. 6 In Tunnel Lifetime, specify the time (in seconds) the CIRA tunnel must be active after it is established. The default value is zero, which means there is no timeout for the Tunnel Lifetime. 50 McAfee epo Deep Command Product Guide

51 Managing your Intel vpro systems Using policies to manage Intel vpro systems 6 7 Select the following options: Allow User Initiated Tunnel Select this option so that an Intel AMT user can initiate a CIRA request to the server. Periodic Initiated Tunnel every If the tunnel connection terminates because of a specified timeout or for any other reason, selecting this option and specifying a time re-establishes the connection at regular intervals as specified. 8 Click Save. 9 In the System Tree, select the systems, click the Assigned Policies tab, click Edit Assignment to select the policy from the drop-down list, then click Save. 10 Select the systems that you want to enforce with the CIRA policy, then click Actions Out-of-Band Enforce AMT Policies OK. To verify the CIRA policy enforcement status, see the Server Task log. After enforcing the CIRA policy, you can also navigate to the System Properties page, click the AMT tab to see the properties for CIRA Enabled and CIRA Agent Handler (that you chose while creating CIRA policy). The AMT user can also initiate a call from the Intel vpro system by opening the Intel Management and Security Status tool, then clicking Get Technical Help. After this action, the Threat Event log on epolicy Orchestrator displays the Remote Fast Call for Help log with the event ID Using the Client Task Execution policy Enforcing Client Task Execution Policies to the Intel vpro systems executes the client tasks, the arbitrary command and additional parameters when powered on through the Out-of-Band Power On action or through the scheduled Alarm Clock. Server configuration requirements Configure your epolicy Orchestrator server so that the Intel vpro system reports any failures of the arbitrary command execution to your epolicy Orchestrator server. Event Filtering configuration 1 Click Menu Configuration Server Settings, select the category as Event Filtering, then click Edit. 2 Select the Only selected events to the server option, then select 34360: Command Not Found (Info) and 34361: Command Execution Failed (Info) options. 3 Click Save. Agent policy configuration 1 In the System Tree, click the Assigned Policies tab, then select McAfee Agent from the Product menu. 2 Click the policy name of General policy you want to modify. For example, click My Default. The McAfee Agent > General > <policy name page> policy page opens. 3 In the Events tab, select Enable priority event forwarding, and select Informational from the event priority menu. 4 Click Save. McAfee epo Deep Command Product Guide 51

52 6 Managing your Intel vpro systems Using policies to manage Intel vpro systems 5 Enforce the policy using one of these methods: From the epolicy Orchestrator server, select the systems or groups to which you want to assign this policy, then send an agent wake-up call. From the Intel vpro systems, go to McAfee Agent Status Monitor Collect and Send Properties Check New Policies Enforce Policies. If you do not enforce the policy to the Intel vpro systems using any of these methods, it is enforced automatically after an agent-server communication interval. Use the Client Task Execution policy Enforcing a client task execution policy to the Intel vpro systems executes its client tasks, the arbitrary command and parameters sequentially when the Intel vpro systems are started either through the Out-of-Band Power On action or through a scheduled Alarm Clock. Task For option definitions, click? in the interface. 1 From the Policy Catalog, create a client task execution policy by selecting epo Deep Command from the Product menu, and Client Task Execution from the Category menu. You can also use the existing client task execution policy. For example, My Default. 2 Next, add new or existing client tasks to this policy. Client tasks asking for a system restart must be added last in the sequence. 3 In Run the following Command afterwards (optional), you can add the arbitrary command and its additional parameters that must be executed after the client task executes. For example, the command <System32>\shutdown.exe shuts down your system after the client task is run. You can also include additional parameters for the command you type. If you type /h or / r as the parameters, it hibernates or restarts your Intel vpro system. 4 Click Save. 5 In the System Tree, select the systems and click the Assigned Policies tab. Click Edit Assignment to select the policy you want to assign to the Intel vpro systems, then click Save. 6 Enforce the policy using one of these methods: From the epolicy Orchestrator server, select the systems or groups you want to assign this policy, then send an agent wake-up call. From the Intel vpro systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies. If you do not enforce the policy to the Intel vpro systems using one of these methods, it is enforced automatically after the next agent-server communication interval. 52 McAfee epo Deep Command Product Guide

53 Managing your Intel vpro systems Using Out-of-Band actions 6 Client Task Execution policy logs and events These are the logs, services, and events displayed on the Intel vpro system Log files and services Log files Description AMTMgmtService_out.log On the Intel vpro systems, this log file displays the client task details added to the policy. AMTCT.exe AMTCT_out.log When the Intel vpro systems are powered on using the Out-of-Band Power On feature or the Alarm Clock policy, this service starts and executes the client task, specified arbitrary command and its additional parameters sequentially. Displays the status of the executing client task. Events in the Threat Event log Event ID Event description Description Command Not Found This event is displayed when the arbitrary command specified in the policy is not a valid command Command Execution Failed This event is displayed when the arbitrary command specified in the policy fails to execute for some reason. For example, when a user does not have sufficient rights to execute the command. Click on the event to view more details about it. Using Out-of-Band actions You can create and enforce the Out-of-Band actions on your post-provisioned remote Intel vpro systems. In the System Tree, verify that your managed systems have the AMT tag assigned to them. Using Out-of-Band actions, you can: Power on your Intel vpro systems to deploy security updates before a threat. Start and restart an Intel vpro system instantly, regardless of their current power state. Diagnose issues on your crashed Intel vpro systems by restarting through a recovery operating system image and accessing the system from the server-side using the SOL feature. Diagnose issues by interacting with an Intel vpro system BIOS and adjust its BIOS settings that might not be accessible after the operating system has already restarted. Power on your systems The Power On feature allows your Intel vpro systems to deploy the updated security programs ahead of a potential threat outbreak. Before you begin The Intel vpro systems must be post-provisioned. A power cable must be connected to the Intel vpro systems, including laptops. McAfee epo Deep Command Product Guide 53

54 6 Managing your Intel vpro systems Using Out-of-Band actions Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Systems System Tree. 2 Select the required systems or groups you want to power on. 3 Click Actions Out-of-Band Power On. The Power On dialog box appears. 4 Click OK. View the basic details of this action by clicking Menu Automation Server Task Log. You can also click the log to view the Log Messages and the Subtasks tabs for a detailed result summary of this action. Use the Serial-over-LAN feature Serial-over-LAN (SOL) is a mechanism that enables the input and output of the serial port of a managed Intel vpro system to be redirected over Internet Protocol (IP). Using SOL, you can connect to a remote Intel vpro system through a virtual serial port. After initiating an SOL session, you can see it is active. You can also access the BIOS of the Intel vpro system and send keyboard key combinations using SOL. Before you begin Correct AMT credentials must be set, and a trusted root certificate must be uploaded in the Server Settings page for the Intel AMT Credentials category. Enforce AMT policies on systems to which you are attempting to establish an SOL connection. SOL must be supported and enabled on your Intel vpro systems. Verify this on the System Properties page in the Intel AMT tab. Task For option definitions, click? in the interface. 1 In the epolicy Orchestrator console, click Menu Systems System Tree. 2 Select the systems you want to establish an SOL connection with. SOL is processed on a maximum of four systems at one time per Agent Handler. 3 Click Actions Out-of-Band Serial-Over-LAN Terminal (SOL). The SOL terminal appears. 54 McAfee epo Deep Command Product Guide

55 Managing your Intel vpro systems Using Out-of-Band actions 6 4 Click Connect to start a connection with the selected system. When the Terminal <=> epo: Connected message appears, the SOL session is active. You can send keyboard key combinations to the Intel vpro systems. These keys are specific to the terminals. For example, If Ctrl-C is the key that stops the ping command on a Linux terminal, selecting and sending this key to the Linux terminal by clicking Send on the SOL Terminal stops the ping command. View the basic details of this action by clicking Menu Automation Server Task Log. You can also click the log to view the Log Messages and the Subtasks tabs for a detailed result summary of this action. You can also access the BIOS of an Intel vpro system by navigating to the System Tree, selecting a system, and clicking Actions Out-of-Band Boot/Reboot with Options and then selecting Boot/Reboot to BIOS Setup. Click OK. Boot or reboot using IDE-Redirect IDE-Redirect allows you to reboot an Intel vpro system to a redirected disk. Before you begin IDE-R must be supported and enabled on the Intel vpro systems. Verify this on the System Properties page of the AMT tab. You must have enforced Intel AMT policies at least once on the target system(s) to enable the redirection port. The recovery operating system image file must be an.iso file shared on a UNC mount. It must be shared and accessible by the Agent Handler. Make sure the image file can be used for diagnosis, and is smaller than 30MB in size. If your ISO image is larger than 30MB, or you have network bandwidth constraints, see this document for more information about using a two stage boot process: Task For option definitions, click? in the interface. 1 From the System Tree, select the systems you want to diagnose using the IDE-R feature. IDE-R is limited and processes only four systems per Agent Handler. 2 Click Actions Out-of-Band Boot/Reboot with Options. The Boot/Reboot with Options dialog box appears. 3 Select the Boot/Reboot from Image (IDE-R) option to boot or reboot the target Intel vpro system using a recovery operating system image (.iso file) to diagnose issues. Type the path of the recovery operating system image file, then click OK. Click Menu Automation Server Task Log to see the status of the selected action. When the status of the Boot/Reboot with Options log is In Progress, a connection is established and you can start diagnosing the system issues. See Frequently asked questions for more information about why an IDE-R connection might fail. McAfee epo Deep Command Product Guide 55

56 6 Managing your Intel vpro systems Using Out-of-Band actions 4 Select Launch Serial-over-LAN Terminal (SOL) to access the target system from the server side. For more information on the SOL feature, see Use the SOL feature. 5 After diagnosing system issues, end the IDE-R connection by navigating to the System Tree, selecting the systems, then clicking Actions Out-of-Band Stop Image Redirection. The remote systems will not boot to its OS if the IDE-R is not stopped. 6 Click OK. Navigate to the Server Task Log to see the status of this action. The status of both the Boot/Reboot with Options and the Initiated Stop of Image Redirection logs display Completed. 7 After stopping the IDE-R connection, you can boot or reboot the systems normally using the Normal Boot/Reboot option or use SOL to restart the system. Boot or reboot to BIOS BIOS is the boot firmware program that controls your system from the time it starts until operating system takes over. You can boot or reboot to the BIOS of any Intel vpro system and diagnose issues by adjusting its BIOS settings, which might not be accessible after the operating system has restarted. Use the SOL option to access the Intel vpro system from the server during system diagnosis. For more information on SOL, see Use the SOL feature. For Intel vpro 7.0 systems, establish the SOL connection before initiating the Boot/Reboot to BIOS Setup action to get a full screen refresh in the SOL terminal. Task For option definitions, click? in the interface. 1 From the System Tree, select the systems you want to diagnose by booting to their BIOS. 2 Click Actions Out-of-Band Boot/Reboot with Options. The Boot/Reboot with Options dialog box appears. 3 Select Boot/Reboot to BIOS Setup to boot or reboot to the BIOS of the crashed Intel vpro system and diagnose issues by adjusting its BIOS settings. Also, select Launch Serial-over-LAN Terminal (SOL) to access the crashed system from the server side. You can use the arrow keys to navigate through the BIOS menu that is displayed on the SOL terminal. Boot or reboot a system normally You can boot or reboot the managed Intel vpro systems from epolicy Orchestrator when required. For example, when you want to leave the recovery operating system image. Task For option definitions, click? in the interface. 1 From the System Tree, select the systems you want to boot or reboot. 2 Click Actions Out-of-Band Boot/Reboot with Options. The Boot/Reboot with Options dialog box appears. 3 Select Normal Boot/Reboot to boot or reboot the Intel vpro system. You can also select Launch Serial-over-LAN Terminal (SOL) to access the Intel vpro system from the server side. 56 McAfee epo Deep Command Product Guide