MeshCentral - Intel AMT security and activation improvements

This week, the focus will be on Intel® AMT. With Intel® Setup and Configuration Server (Intel® SCS) no longer being available for download after March 31st, some have asked that MeshCentral fill the void with additional features. One unique feature of Intel SCS is its ability to perform bare-metal activation of Intel® AMT without operating system help. This week, MeshCentral gained this feature, making it possible to turn on Intel AMT without the need to run any agent or software in the OS. More importantly, MeshCentral continues its security leadership with the addition of host-based end-to-end TLS Intel® AMT ACM activation. MeshCentral is the first activation tool to offer this capability for Intel® AMT v14 and above to further improve your asset and network security. In detail:

  • End-to-End TLS Host-based ACM activation. With Intel AMT v14 and above there is a new and more secure Admin Control Mode (ACM) activation flow allowing MeshCentral to activate Intel AMT in ACM over the Internet with full end-to-end encrypted security. That is, MeshCentral will perform a TLS connection starting at the server and terminating within Intel AMT. The connection will go over the MeshAgent or MeshCMD internet tunnel and through the agent and LMS. With this new method, no software or components in the operating system have visibility into the activation traffic. As a result, you can push account credentials, WIFI profiles and more into Intel AMT with more security than ever before.
  • Intel® AMT ACM Bare-Metal Activation. As mentioned above, Intel® SCS is retiring. Up until now, it was the only widely available tool that could perform Intel® AMT bare-metal activation allowing organizations to enable and configure Intel® AMT without the need for any assistance from the operating system. Starting this week, MeshCentral now offers this capability. Once enabled, Intel AMT can send “hello” data to the MeshCentral provisioning server on port 9971 and MeshCentral will respond by connecting back, authenticating, and activating Intel AMT. MeshCentral will then log the event, add the device to a pre-defined agent-less device group and complete any remaining configuration. A trusted CA certificate is required to perform this operation fully automatically.
  • Bare-Metal USB key generation. To complement the feature above, MeshCentral now has an enhanced USB setup.bin generator allowing it to create a setup.bin file that can work for both host-based and bare-metal activations. Ideally, administrators would get a trusted CA certificate to perform zero-touch ACM activation of Intel AMT. However, MeshCentral also offers the option to create a USB key that you boot the computer with. This key will load settings unique to your MeshCentral server into Intel AMT and allow for over-the-internet or bare-metal ACM activation.
  • MeshCommander Improved USB setup.bin editor. As a result of the work done above, computers have been rebooted over 100 times during testing and MeshCommander USB setup.bin support had to be improved to support development of these features. So, MeshCommander was updated and is now available for download with improvements and bug fixes. It’s still v0.9.0, so if you need to update, just uninstall, download and install again from the MeshCommander.com website.

As a reminder, Intel® AMT is not required to use MeshCentral, and these features will be used by the growing number of users that manage Intel® AMT devices using MeshCentral. In addition to this, MeshCentral has many more bug fixes and improvements. As usual, feedback is appreciated. If you see any problems or need support on something, please create a new issue on GitHub or help other users. For more information, visit the portal at https://meshcentral.com.

Enjoy!
Ylian
MeshCentral: https://meshcentral.com
Twitter: https://twitter.com/meshcentral
Reddit: https://www.reddit.com/r/MeshCentral/
GitHub: https://github.com/Ylianst/MeshCentral/issues




