MeshCentral - Intel AMT security and activation improvements

This week, the focus will be on Intel® AMT with Intel® Setup and Configuration Server (Intel® SCS) no longer being available for download after March 31st some have asked that MeshCentral fill the void with additional features. One unique feature of Intel SCS is its ability to perform bare-metal activation of Intel® AMT without operating system help. This week, MeshCentral just gained this feature making it possible to turn on Intel AMT without the need to run any agent or software in the OS. More importantly, MeshCentral continues its security leadership with the addition of host-based end-to-end TLS Intel® AMT ACM activation. MeshCentral is the first activation tool to offer this capability for Intel® AMT v14 and above to further improve your asset and network security. In detail:

  • End-to-End TLS Host based ACM activation. With Intel AMT v14 and above there is a new and more secure Admin Control Mode (ACM) activation flow allowing MeshCentral to activate Intel AMT in ACM over the Internet with full end-to-end encrypted security. That is, MeshCentral will perform a TLS connection starting at the server and terminating within Intel AMT. The connection will go over the MeshAgent or MeshCMD internet tunnel and thru the agent and LMS. With this new method, no software or components in the operation system has visibility to the activation traffic. As a result, you can push account credentials, WIFI profiles and more into Intel AMT with more security then every before.
  • Intel® AMT ACM Bare-Metal Activation. As mentioned above, Intel® SCS is retiring. Up until now, it was the only widely available tool that could perform Intel® AMT bare-metal activation allowing organizations to enable and configure Intel® AMT without the need for any assistance from the operating system. Starting this week, MeshCentral now offers this capability. Once enabled, Intel AMT can send “hello” data to the MeshCentral provisioning server on port 9971 and MeshCentral will respond by connecting back, authenticating, and activating Intel AMT. MeshCentral will then log the event, add the device to a pre-defined agent-less device group and complete any remaining configuration. A trusted CA certificate is required to perform this operation fully automatically.
  • Bare-Metal USB key generation. To complement the feature above, MeshCentral now has an enhanced USB setup.bin generator allowing it to create a setup.bin file that can work for both host-based activation and bare-metal activations. Ideally administrators would get a trusted CA certificate to perform zero-touch ACM activation of Intel AMT. However, MeshCentral also offers the option to create USB key that you boot the computer with. This key will load settings unique to your MeshCentral server into Intel AMT and allow for over-the-internet or bare-metal ACM activation.
  • MeshCommander Improved USB setup.bin editor. As a result of the work done above, computers have been rebooted over 100 times during testing and MeshCommander USB setup.bin support had to be improved to support development of these features. So, MeshCommander was updated and is now available for download with improvements and bug fixes. It’s still v0.9.0, so if you need to update just uninstall, download and install again from the MeshCommander.com website.

As a reminder, Intel® AMT is not required to use MeshCentral and these features will used by the growing number of users that manage Intel® AMT devices using MeshCentral. In addition to this, MeshCentral has many more bug fixes and improvements. As usual, feedback is appreciated. If you see any problems or need support on something, please create a new issue on GitHub or help other users. For more information, visit the portal at https://meshcentral.com.

Enjoy!
Ylian
MeshCentral: https://meshcentral.com
Twitter: https://twitter.com/meshcentral
Reddit: https://www.reddit.com/r/MeshCentral/
GitHub: https://github.com/Ylianst/MeshCentral/issues





Popular posts from this blog

Starting work at Microsoft

Image
Hi everyone. It’s been a while since the last blog post and I wanted up update everyone on what is going on. As many of you know already from a discussion on GitHub , Bryan and I have been laid-off from Intel in early November 2022. This was quite a surprise as MeshCentral, MeshCommander, MeshCMD and other tools where widely used. This said, Intel has been having poor financials and Bryan and I where part of a very large first wave of downsizing by the company that involved many people that I know and worked with for a long time. I had been working for Intel for over 25 years having started in September 1998. Over the years I worked on IPsec key negotiation, Universal Plug & Play, DLNA and Intel® AMT. I loved working on all these projects and especially loved working with the open-source community on Mesh projects. Obviously, this was not my decision and Bryan and I had look for what comes next. One option was to continue working on MeshCentral as part of another company or with
Read more

MeshCentral - Windows ARM64, NodeJS v11, NPM Packages

Image
Hi all. It's been a while since I last posted and now that I am settling a bit more in my work at Microsoft, I have a bit of time to occasionally look after MeshCentral again. It's about time, there where a bunch of things that needed to get fixed. Before that, I want to say that I am doing great. I am working on Microsoft Forms which is one of the offerings of Microsoft 365. For kicks, I started a YouTube channel on Microsoft Forms here during a Microsoft hacking week. I tried to up my game since the videos I last published for MeshCentral. Also, I wanted to share pictures below. I was at a Tesla Supercharger last weekend and, by luck, got to see a Tesla Cybertruck in person. It's very big. Obviously, this is a release candidate driven by a Tesla employee. I saw it after attempting to see the solar eclipse over Oregon, but sadly, too many clouds and saw nothing. In any case, back to MeshCentral. In the last few months a few things have happened with the new releases. Wind
Read more

MeshCentral - New Windows Agents - Installation Dialog, Customization and Server Lock

Image
Lots is going on with MeshCentral, just yesterday Bryan Roe released a new MeshAgent for Windows with many improvements. An improved installation dialog box, logo customization and, to continue MeshCentral’s leadership in security, a new agent code signing locking feature that will surely be used by many to improve trust and security of their MeshCentral installation. In addition to this, we have many more server improvements to cover. In detail: MeshAgent with improved installation dialog box . The new MeshAgent for Windows is much improved with months of changes and bug fixes. The most noticeable feature is by far the new installation dialog with the new logo and connection details button. The new installer is a lot friendlier and easier on end-users. MeshAgent with improved customizations . In addition to all the existing agent customizations available in prior versions, the MeshAgent has new server settings for the installation text and logo. You can now set your own 200x200 PNG c
Read more