Intel®EndpointManagement Assistant (Intel®EMA)

1 intel EndpointManagementAssistant( intel EMA)AdministrationandUsageGuideIntel EMAV ersion: : Tuesday,November23, ,andyouruseofthemisgovernedbytheexpressl icenseunderwhichtheywereprovidedtoyou("L icense").UnlesstheLicenseprovidesotherwi se,youmaynotuse,modify,copy,publish,dist ribute,discloseortransmitthissoftwareort herelateddocumentswithoutIntel' ,withnoexpressorimpliedwarranties, , (expressorimplied,byestoppelorotherwise) ,includingwithoutlimitation,theimpliedwa rrantiesofmerchantability,fitnessforapar ticularpurpose,andnon-infringement,aswel lasanywarrantyarisingfromcourseofperform ance,courseofdealing, featuresandbenefitsdependonsystemconfigu rationandmayrequireenabledhardware, ,theIntellogo, EMA AMTP rovisioning/SetupFlowinIntel (s) DNS SuffixinIntel ,Modifying, : EMA EMAA dministrationandUsageGuide-Tuesday,Novem ber23,202111 IntroductionIntel EndpointManagementAssistant( intel EMA)isasoftwareapplicationthatprovidesan easywaytomanageIntelvPro platform-baseddevicesinthecloud.

2 LIntelEMAcanconfigureanduseIntelAMTonInt elvProplatformsforout-of-band,hardware-l evelmanagementlIntelEMAcanmanagesystemsu singitssoftware-basedagent,whiletheOSisr unning,onnon-IntelvPro platformsoronIntelvPro platformswhereIntelAMTisnotactivatedlInt elEMAcanbeinstalledonpremisesorintheclou dlYoucanuseIntelEMA sbuilt-inuserinterfaceorcallIntelEMAfunc tionalityfromAPIsThisdocumentdescribesho wsetupandconfigureIntelEMAtomanageyouren dpoints, (referredtoasaTenant; ) ,itdefineskeyconceptsandterminologyforus ingIntelEMA, ,itpresentsthemanagementactionsyoucanper formonyourmanagedendpoints, EMAtomanageyourendpoints:lSupportedwebbr owsers:InternetExplorer*11+,Chrome*63+(s tartingfromDecember2017),Firefox*52+(sta rtingfromMarch2017).lKnowledgeofIntel ActiveManagementTechnology( intel AMT) : IntelAMTknowledgeisrequiredonlyifyouplan touseOut-of-Bandfeatures( ).ForadditionalinformationaboutIntel AMT,pleaseseethefollowingdocumentation: :lOperatingSystem: intel EMAA gentisofficiallysupportedonMicrosoftWind ows7and10, : EMAA dministrationandUsageGuide-Tuesday,Novem ber23,20212 EMA :WhenIntelEMAA gentisinstalled, ,makesurethatthefollowingin-boundrulesar esetfortheinstalledagentbinaryprocess:lP eer-to-peertraffic:UDPwithlocalportat169 90,anyIPforlocalandremoteaddresses, :TCPwithlocalportat16990,anyIPforlocalan dremoteaddresses, :TCPwithlocalportat16991, , ActiveManagementTechnology( intel AMT):IntelEMAonlysupportsIntel VersionBuildNumberIntelAMT (SupportforIntelAMT )IntelAMT 15allFormoreinformationaboutUSBR, ,components,roles,andprocessesusedintheI ntel ,atenantcanbeacompany, ,endpointgroups.

3 TheIntelEMAinstallerdoesnotcreateaTenant AdministratoruserfortheinitialTenant, ,profiles, EMAA dministrationandUsageGuide-Tuesday,Novem ber23,20213 Figure1: intel ,however, :lGlobalAdministrator:Thisroleperformsus ermanagement,tenantmanagement, (andcannot) scontrolspansalltenantsinasingleIntel :Thisroleisspecifictoaparticulartenantan dcanperformalloperations(userman-agement ,endpointmanagement) ,theTenantAdministratordoesnot(andcan-no t) :Thisroleisspecifictoaparticulartenant, ,anAccountManagercannotmanageuserswithhi gher-levelroles( ,aTenantAdministratororGlobalAdministrat or).AccountManagerscannotperformendpoint management, , ,theycanseethelistofallusergroupsandthel istofallEndpointGroupCreatorsandEndpoint GroupUsersinthattenant( ,userrolesinthattenantthatareequalorlowe rintheuserrolehierarchy;theycannotseeAcc ountManagers,TenantAdministrators,orGlob alAdmin-istrators).

4 intel EMAA dministrationandUsageGuide-Tuesday,Novem ber23,20214lEndpointGroupUser:Thisroleis specifictoaparticulartenant, ,buttheycannotperformuserman-agement, , , AMTauto-setup: intel EMAserver, (EndpointGroupCreatorsorEndpointGroupUse rs) (UserBinthefigurebelow).AnEndpointGroupa ndausermustbeassociatedwiththesameUserGr oupinorderfortheusertoperformactionsonth atEndpointGroup(UserBcanperformactionson EndpointGroup2becausetheyarebothinUserGr oup1,whichhasexecuterights).Anexceptiont othisisTenantAdministratorusers, ( ,readorexecute).lUserGroupscanhaveeither read or execute EMAA dministrationandUsageGuide-Tuesday,Novem ber23,20215 Figure2:RelationshipbetweenUsers,UserGro ups, EMA AgentTheIntel , , ,whichmustbothbepresentonthemanagedendpo intfortheagenttowork(seeSection4).Theage ntalsohasacommandlineinterfacethatcanbeu sedtodisplaybasicinformationabouttheagen t' :lOperatingSystem: intel EMAA gentisofficiallysupportedonMicrosoftWind ows7and10, : :WhenIntelEMAA gentisinstalled, ,makesurethatthefollowingin-boundrulesar esetfortheinstalledagentbinaryprocess:lP eer-to-peertraffic:UDPwithlocalportat169 90,anyIPforlocalandremoteaddresses, :TCPwithlocalportat16990,anyIPforlocalan dremoteaddresses, :TCPwithlocalportat16991, , EMAA dministrationandUsageGuide-Tuesday,Novem ber23,20216lIntel ActiveManagementTechnology( intel AMT):IntelEMAonlysupportsIntel VersionBuildNumberIntelAMT (SupportforIntelAMT )IntelAMT 15allFormoreinformationaboutUSBR, sinstallationdependonthearchitectureofth eMicrosoftWindowsOSandtheIntelEMAA gent(consoleandservice).

5 ThesearetheregistrypathsforIntelEMAA gentbyarchitecture:lWin64 Service:lHKEY_LOCAL_MACHINE-> Software\ intel \EmaAgent lWin32 Service(on64bitOS):lHKEY_LOCAL_MACHINE-> Software\Wow6432 Node\ intel \EmaAgent lWin64orWin32 Console:lHKEY_CURRENT_USER-> Software\ intel \EmaAgent Thefollowingregistrykeysshouldexistatthi sregkeyrootwhentheEMAA gentisinstalled/ : in-band , ,IntelEMAcantalktoIntelAMTviaoneofthefol lowingapproaches: intel EMAA dministrationandUsageGuide-Tuesday,Novem ber23,20217lTLSR elay:Inthisapproach, , ,itsagentbroadcaststotheotherIntelEMAage ntsinthegroup/sub-net,establishingcontac twithits neighbors , AMTCIRA(ClientInitiatedRemoteAccess):Int hisapproach,theendpointsystem sIntelAMTconnectstotheIntelEMAS erverviaaTCPTLS connectionatport8080(notethatthein-bandI ntel EMA AgentalsoconnectstotheIntelEMA serverviaTCPTLS atport8080).IntelAMTCIRA createsitsownencryptedtunnel, ,ifallattemptsfail, ,though, feature environmentdetection.

6 Whentheendpointsystem snetworkdomainmatchestheconfiguredCIRA domain, , , AMTP rovisioning/SetupFlowinIntel EMAT hissectiondescribeswhathappensprogrammat icallywhenyoueitherenableauto-setupofInt el AMTforyourmanagedendpointsystems( ),ormanuallyperformanon-demandsetupofInt elAMT( ).Note: intel EMAusesHostBasedConfiguration(HBC) (PKI)certificate,IntelEMAsetsIntelAMTtoC lientControlMode(CCM) ,suchasrequiringuserconsentateachendpoin tinordertoperformsomeofIntelEMA sIntelAMTintoAdminControlMode(ACM).LAN-l essendpointsrequireamanualIntelMEBX update(seeRound1below).Theaddedsecurityo fthePKIcertificateandACMallowsIntelEMAto connecttotheendpoint ,anduploadingPKIcertificatesforthem, : RefertoIntelAMTdocumentationformoreinfor mationaboutHostBasedConfiguration,Client ControlMode, ,ifyouhaveuploadedaPKIcertificateandsele c-tedTLS-PKIassetupmethodinyourIntelAMTa uto-setup, : ForLAN-lessendpoints,youmustfirstmanuall yupdatetheendpoint'sIntelMEBX toaddtheuploadedPKIcertificate'sDNS suffixinorderforIntelEMA EMAA dministrationandUsageGuide-Tuesday,Novem ber23, :Afterround1iscomplete( ,IntelAMTissuccessfullyprovisioned,eithe rinCCMorACM), intel EMAconfiguresotherIntelAMTsettingssuchas powerpolicy,KVMinterface,CIRA, ,IntelEMAwillun-provisiontheendpoint.

7 Forunprovision(deactivation)ofIntelAMT,i ftheunprovisionfails, (Round1,Round2,orunprovision),ifIntelEMA isdisconnectedfromtheendpoint, AMTC lientControlMode,IntelEMAtriestouseIntel EMAA genttoissueaCFG_UnprovisioncommandviaInt el MEIdriver, ,IntelEMAsendstoWSMAN requestAMT_SetupAndConfigurationService\ , , performsafullunprovisionofIntelAMTanddel etesanycustomrootcertificatehashesandthe PKIDNS ,ifyouunprovisionasystemonaremotenet-wor kandthenwanttoreprovisionthatsystemusing AdminControlMode, RedirectionTheUSB Redirection(USBR)featureofIntelEMA allowsyoutomountaremote diskimage(. ) ,orbrowsethemountedimagecontentfromtheco nsoleofthemanagedendpointviaKVM(imagemus tcontainUSB keyboardandmousedriversforKVM interaction).Onceyouhavemountedanimagefi le, ,youwillneedtoadjustthe USBRR edirectionThrottlingRate ,especiallyforIntel EMAA dministrationandUsageGuide-Tuesday,Novem ber23,20219 CIRA endpoints, ,accessiblefromthenavigationpaneatleftin theIntelEMA UI,letsyouuploadandstoreimagefiles(.)

8 VersionBuildNumberIntelAMT (SupportforIntelAMT )IntelAMT (RSE)isanIntelAMT featureintroducedinIntelAMT HardwareManageabilitytab( ),aswellasintheIntelEMA EMAAPIG uidefordetailsonspecificAPI callsforusingIntelEMA' featurecanbeusefulwhenanemployeeleavesan organization,inwhichcasetheirIT departmentcanremotelyerasetheentiredrive (bootablepartition)andthenuseIntelEMA'sK VM (eitherviatheuserinterfaceortheAPI),thet argetdevicemustbeamanagedendpointinIntel EMA anditsIntelAMT , 's RemoteSecureErasefeature,anditsrequireme nts,seetheIntelAMT DevelopersGuideatthefollowinglink: : WhenusingtheIntelEMA API,iftheattemptederaseoperationfails,th eIntelAMT providesanAPI,POST/api/latest/endpointOO BO perations/Single/SecureErase/{endpointId }/clear,whichwillcleartheIntelAMT (OCR) ,thisfeaturewillallowyoutoreturntheendpo int'sOS toalastknowngoodstate,aswellasrecoverfro mabadstate,bare-metalsituation, Out-of-Band(OOB) , EMAA dministrationandUsageGuide-Tuesday,Novem ber23,202110 ForfurtherinformationaboutOneClickRecove ry,seetheIntelAMTonlinedocumentationatth elinkbelow: FeaturesandInstallationIntelLocalManagea bilityService(IntelLMS)isaservicethatcan enhanceyourIntelEMA isnotapartofIntelEMA,andisnotrequiredfor IntelEMA tofunctionasdesigned,sinceIntelEMAdoesin cludea"microLMS" ,IntelLMSdoesfacilitatethefollowinguseca sesonmanagedendpoints.

9 IfIntelLMS ispresentonamanagedendpoint,IntelEMA , (IntelIMSS)-requiredforprivacylTimeSyncl WiFiProfileSynclStaticIPSynclWMIP roviderlLoggingeventsinsystemeventloglGr acefulreset(thoughtheIntelEMA agenthandlesthiswithinIntelEMA)Forfurthe rinformationaboutIntelLMS seetheIntelAMT ReferenceGuideatthelinkbelow: OEMsdistributeIntelLMS ontheirPC ,youcandothefollowingtoobtainandinstallI ntelLMS ,downloadthelatestIntelManagementEngine( IntelME) driverpackagezipfile(ME_SW_<version>.zip). , (ME_SW_<version>),thenopentheDrivers> LMS ,openDeviceManagerandensurethedeviceInte l(R)ManagementandIntel EMAA dministrationandUsageGuide-Tuesday,Novem ber23, <InstallerDirectory>/EMALog- intel :\ProgramFiles(x86)\ intel \PlatformManage r\PlatformManagerServer\ , :\ProgramFiles(x86)\ intel \PlatformMan-ag er\Runtime\MeshSettings\ (encrypted).C:\ProgramFiles(x86)\ intel \P latformManager\ :\ProgramFiles\ intel \ ,seeProgramFiles(x86).

10 C:\inetpub\ EMAA dministrationandUsageGuide-Tuesday,Novem ber23,2021122 LoggingintoIntel EMAT ologintoIntelEMA, (ifunsure,consultyourIntelEMAG lobalAdministrator).Inadistributedserver installation,thiswillbetheURL ,entertheusername( ,emailaddress) , :lTheIntelEMA websiteuserinterface(UI) ,theIntelEMA websiteUI ,theOverviewpagemaybeautomaticallydispla yed, , 'swebserversettingsontheServerSettingspa ge(seeSection9"Appendix-ModifyingCompone ntServerSettings"onpage 52), (whenalreadyloggedintoIntelEMA inanothertab) , , , EMA, : Thefirsttimeyoulogin, , , EMAA dministrationandUsageGuide-Tuesday,Novem ber23,202113 Figure3:OverviewforTenantAdministratorIn tel EMAA dministrationandUsageGuide-Tuesday,Novem ber23,2021143 SettingUpYourTenant(s)Thissectiondescrib eshowtosetupandconfigureaparticularTenan tontheIntel , ! EMAS ingleServerInstallationandMaintenanceGui deortheIntel EMAD istributedServerInstallationandMaintenan ceGuide,theGlobalAdministratorshouldhave alreadycreatedatleastoneTenantandTenantA dministratoruseraspartoftheGettingStarte dstepsfollowingtheIntelEMA : Notallofthetasksinthissectionmayberequir ed, ,manyofthetasks,suchasaddingnewusersandc reatingnewendpointgroups, , ,youcouldhaveanEndpointGroupforyourAccou ntingdepartment, , :TenantAdministrator, EMAA gentfilesforeachEndpointGroup-Regardless ofwhetheryouplantouseOOBfea-turesornot, (policies,IntelAMTprofile,etc.)