Key Terms
You can learn from this article the key terms we use in connection with the Intel vPro functionality.
- OOB (Out-of-band)
- In the context of out-of-band management, this refers to the ability to control a device via a control plane and communication channel that is independent of the device's core hardware, firmware, and software. OOB management is typically implemented on the hardware and firmware level, with Intel AMT being one example. With AMT, device information can be queried even when the device is powered off, and devices can be powered on or force-rebooted, and hardware-based KVM allows remote controlling machines even at the BIOS level. In-band management, in contrast, requires a functioning operating system with a service or agent software running on the managed device.
- KVM (Keyboard-Video-Mouse)
- Remote screen sharing and control of mouse and keyboard. In the context of Intel vPro / AMT, we typically speak about out-of-band (OOB) or hardware-based KVM, which refers to the ability to control a remote screen without the need for the operating system or an agent software to be running.
- Intel vPro
- An umbrella term for a collection of technologies found in Intel PCs, which includes the Intel AMT technology for out-of-band remote management. The full AMT feature set is only available for devices with "Intel vPro Enterprise" capabilities, whereas "Intel vPro Essentials" devices are missing important AMT features like hardware-based KVM and wireless AMT support.
- Intel AMT (Intel Active Management Technology)
- A combination of hardware and firmware for out-of-band remote management of enabled Intel PCs. In essence, a small computer running inside the PC that provides remote access to the PC hardware even when the PC is turned off, or the operating system is not running. It allows to query hardware information, power on/off the PC, or use hardware-based KVM to make modifications to the BIOS. Newer Intel chipsets / AMT versions come with more features, such as remote disk wiping. Intel AMT has a built-in security model with various constraints depending on how a device has been provisioned (for example, secure provisioning against a single fixed infrastructure, requiring user consent for certain operations, enforcing encrypted connections for out-of-band management, etc.).
- Intel EMA (Intel Endpoint Management Assistant)
- A Windows-based server software provided by Intel to provision and manage Intel vPro / AMT devices with the help of the Intel EMA Agent software installed on the devices. Intel EMA provides both out-of-band management features (implemented in terms of AMT) as well as in-band remote management features (implemented with the help of the Intel EMA Agent running on the devices). In the scope of AMT, Intel EMA serves as a "presence server," i.e., as a fixed infrastructure that AMT devices are provisioned with, which brokers the communication between a management console (like the Rescue Technician Console) and managed devices. The Intel EMA web application hosted on the server provides a built-in front-end to manage the server-provisioned devices and user permissions.
- CIRA (Intel Client Initiated Remote Access)
- An AMT communication protocol where managed devices actively open and keep a persistent secure connection to their provisioned presence server infrastructure, which helps to overcome common network separation and firewall issues. This enables technicians to reach AMT devices even when they are outside the company networks (e.g. field employees, home office). CIRA is the superior alternative to AMT TLS-based connectivity.
- TLS (Transport Layer Security)
- In the context of Intel vPro / AMT: an inferior alternative to the CIRA device connectivity where the remote device stays passive and waits for a management console to connect. The technician has to know in what network a device is currently located, what IP / host address it has assigned, and be able to access this network - or rely on in-band agent functionality of other devices in the same network to provide device discovery and jump-host functionality. TLS, therefore only works for well-controlled networks and excludes scenarios where portable computers transition between different networks, e.g., field employees, home office.
- CCM / ACM (Client Control Mode / Admin Control Mode)
- Two AMT provisioning methods that enforce different levels of access control. Most notably, only ACM allows initiating a KVM session and booting into the BIOS without requiring user consent. This is a requirement for access to unattended machines. In contrast to CCM, ACM requires the use of special certificates during AMT provisioning issued by one of the AMT-certified root certificate authorities.
Article last updated: 26 October, 2023
You are viewing the latest version of this article.