In order to enroll a client, we first need to create an AMT profile.
The easiest option is to create a CCM (Client Control Mode) profile. However, this kind of profile has one limitation: user consent is always required for KVM or remote serial.
User consent means that the user in front of the client machine must provide a code shown on the computer display to the operator (the person trying to initiate a remote session) before the connection is allowed.
An ACM (Admin Control Mode) profile, on the other hand, can be configured so that user consent is not required. This possibility will be explored in a future article as it is significantly more complex to set up.
Create a CIRA configuration
Before creating an AMT profile, the CIRA configuration must be defined. The CIRA configuration allows the client to stay in touch with the server. The CIRA configuration will be the same with CCM and ACM.
Log in to the web UI, click on the CIRA Configs tab then click the Add New + button.
Choose a name for the configuration.
Select FQDN and type in the FQDN that the client uses to reach the server. This should match the MPS_COMMON_NAME set previously. Note that the FQDN will be used as the Common Name in the certificate to connect to the server, so if there is a mismatch, the connection will not be established. If MPS_COMMON_NAME was set incorrectly, the certificate must be removed from the vault and the MPS service restarted.
Keep the default 4433 port, which is what was allowed in the firewall previously.
Keep the default
Save the configuration.
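The FQDN and Common Name requirement above can be checked from any machine that reaches the server. The following POSIX shell script is an added example, not part of the original article: it reads the certificate served on the CIRA port and compares its Common Name with the FQDN entered in the CIRA configuration. It assumes the `openssl` CLI is installed and that the CIRA port answers a plain TLS handshake; `mps.example.com` is a placeholder.

```sh
#!/bin/sh
# Added example: compare the CN of the certificate served on the CIRA
# port with the FQDN used in the CIRA configuration.

# Extract the CN from a subject line printed by
#   openssl x509 -noout -subject -nameopt RFC2253
# e.g. "subject=CN=mps.example.com,O=Example" (constructed sample)
cn_from_subject() {
    printf '%s\n' "${1#subject=}" | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Succeed only when a CN is present and equals the expected FQDN.
# The comparison is exact on purpose (assumption: stricter is safer).
cn_matches() {
    cn=$(cn_from_subject "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Fetch the server certificate from host $1, port $2, print its subject.
fetch_subject() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}

# Usage: check_mps_cert <fqdn> [port]   (port defaults to 4433)
check_mps_cert() {
    fqdn=$1
    port=${2:-4433}
    subject=$(fetch_subject "$fqdn" "$port") || {
        echo "cannot retrieve a certificate from $fqdn:$port" >&2
        return 2
    }
    if cn_matches "$subject" "$fqdn"; then
        echo "OK: certificate CN matches $fqdn"
    else
        echo "MISMATCH: CN is '$(cn_from_subject "$subject")', expected '$fqdn'" >&2
        return 1
    fi
}

# Run the check only when an FQDN is given on the command line,
# e.g.  sh check_cn.sh mps.example.com 4433
if [ $# -ge 1 ]; then check_mps_cert "$@"; fi
```

A MISMATCH result corresponds to the case described above, where the certificate has to be removed from the vault and the MPS service restarted.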
Create a CCM profile
In the web UI, select the Profiles tab and click the + Add New button.
Choose a name for the profile.
Client Control Mode as the
AMT Features enabled (
Generate Random AMT Password For Each Device option. Although less secure, it is much easier to manage a single password for all devices.
AMT Password and save it somewhere safe. It will be required to unenroll the device if need be.
Select your preferred network configuration, DHCP or STATIC (static IP). DHCP is highly recommended for simplicity's sake. If static IP is chosen, you can keep the IP Synchronization Enabled option enabled and install the LMS agent on the client (covered in a future article) to automatically set the IP in AMT.
Connection Configuration and choose your previously created
You can add tags as needed.
Finally, save the profile.
Enroll a client
In the next article, we will explain how to install Intel LMS (Local Manageability Service) as well as the rpc-go tool on the client to connect to the server and configure Intel AMT with the profile we just created.