Just a quick follow up on the new Meshcentral.com location feature from my previous post. I just added in the web UI a new entry in the device page that shows which other devices are physically nearby. The new entry is just below the Intel AMT line, and is ranked starting with the nearest node. The distance is determined by how many WIFI access points both devices can see in common. If you hover the mouse over the links, a little box will show the number of AP's in common.

Ok, that is it. Again, this wifi feature is opt-in only and you need to set the mesh policy to enable it. Also, nodes need to have Wifi to have this work and it will show only other nearby devices that are also in your account.

Ylian
meshcentral.com

Quick post to update everyone on a few things:

• Meshcentral.com has been having outages. A few hours 2 days ago and a few hours yesterday both times during the night. The server is actualy fine but administrators of my server room are doing some work on the network. I did get a few mails about this and forwarded the concerns to the server room administrators. Hopefully it will not happen again.
• Mesh agent v1.71. I just release a new version of the agent to fix a problems with the agent running on some machines. Version 1.70 had a new wireless scanning feature and made use of "wlanapi.dll" which I assumed all versions of Windows had, even back to Windows XP. Well, the was not correct, some version of Windows Server don't come with wireless services installed and the new agent failed to run. Agent v1.71 has dynamic bindings to this DLL, so if the DLL is not present, it's ok, it will still run but with WiFi scanning disabled.
• Intel Developer Forum. It's this time of year again, IDF 2013 will be in San Francisco September 10 to 12th. I will be a speaker this time around with one session and two labs. My topic is connecting Intel Platforms to the cloud, I will have a great time using a much hardware features as I can possibly use to make Intel computers work with the cloud. More blogs on this to come.

That is it for now,
Ylian
meshcentral.com

Banks and the payment industry have realized long ago that knowledge is not enough to confirm money transactions through the web. Even apparently strong techniques such as tokens and smartcards have been facing the challenge to deal with Malware and Hacker attacks. Then, to avoid blind signing, institutions have been appealing to external devices, which are likely to fail due to network flaws or challenging user experience.

However, since the second generation of Intel Core family (aka Sandy Bridge) a new security feature was introduced inside processors. I am talking about IPT (Indentity Protection Technology), created by Intel and integrated by companies like InfoSERVER/Tix11. This technology allows small applications to run inside processor, without Operating System (OS) interference. It means, that even if a Operating System  is infected with a virus or malware, the application that runs inside the processor will be isolated.

One of the first applications developed to run inside Sandy Bridge processors was the TOTP algorithm (RFC 6238), the same piece of code that runs inside bank tokens and is used to provide two-factor authentication (aka strong authentication) for sites. In fact, two-factor authentication had become an important topic nowadays, after so many important companies have been compromised by indentity theft problems. Google, Dropbox, Microsoft are among the most important players which have implemented strong authentication based on OTPs (One time passwords). These implementations relies in mobile tokens, software tokens and even sms tokens, with disposable passwords sent to mobile phones by messages. But even these implementations can suffer Man-in-the-middle attacks that can steal OTPs using malicious apps installed in mobile phones and computer operating systems. Also, the old and common hard tokens can have its OTPs stolen when an user is a victim of phishing. Thus, even with a strong authentication, security holes in the Operating Systems can be a threat to every kind of authentication and transaction over the Internet. In this environment, the only promising solution is in the hardware, inside the processor. This is what Intel have done with the introduction of IPT.

But maybe you are making a question: How can I get an OTP from processor and send it to a website? Well the quick answer is: Through Intel Management Engine Components. The complete answer is: Intel Management Engine Components is a bundle of software that enables special features present inside the Management Engine (ME), which is an engine which works integrated with Intel processor and Intel processor chipset. One of these special features is the IPT. One of the best ways to explain the purpose of Management Engine Components, is: It works as an interface, between ME and OS. Thus, is possible to develop applications which communicate with Management Engine Components and then request OTPs from processor, after that this same application can inject the OTP in a website.

With the understanding of how IPT works and how the IPT benefit (such as OTP generation) can be integrated with an common application, is possible to forsee a safer authentication/transactions methods which rely in safe code execution that occurs inside a processor.

This is what I would like to "say" today. In the next article I will give more details of the integration between browser based applications and IPT.

Best Regards,

Damico

For people following work on Meshcentral, this day has been a long time coming. Today we are announcing that we started making Meshcentral available for hosting on Amazon EC2. Computer administrators anywhere now have a choice of using Meshcentral.com or launch their very own instance of Meshcentral on Amazon. They get control over the management data, user accounts and more. With many other online service, you have to use servers you don’t control and give up your data to someone else. Now, with this new option, you’re launching your own Meshcentral instance and take all of the control back, enabling a truly personal and secure cloud of devices.

Right now, we are making a free instance of Meshcentral available publically on Amazon with a 10 device management limit. This instance can run on the smallest Amazon instance, the “t1.micro”. Users new to Amazon AWS can run a t1.micro instance for 1 year for free, and so, many can try their own Meshcentral instance completely free of change. We have made amazing efforts to make Meshcentral fit on such a small virtual machine.

Even in such a tight virtual machine, Meshcentral instances packs loads of features: in-band web based remote desktop, terminal, file access, remote power control, audit logs, web page relay, TCP relay, mesh messaging, remote WMI, WiFi location, Intel AMT cloud provisioning, Intel AMT control, wide OS/CPU support and much more. When you launch a Meshcentral instance, fresh updated software is downloaded from Meshcentral.com and installed. Instances are always kept updated as new mesh features are added thanks to our unique Platform Manager software, that keeps track of signed software packages and deploys updates to all Amazon instances.

To get startedwe have documentation that includes a quick start guide, along with a YouTube tutorial video. Takes about 5 minutes to launch the instance and 15 to 20 minutes for the instance to set itself up. Instances create new certificates and cryptographic keys upon first launch so each Meshcentral instance is unique and secure. Give it a try, and give us feedback.

Ylian
meshcentral.com

Use a Meshcentral Amazon instance to create a truly personal cloud.
Run your own small business online management console.

Mesh Amazon Instances are setup and kept up to date from Meshcentral.com.

The all new online Mesh Settings Editor allows administrators to configure the Mesh Server online.
(You can even change IIS security and certificates, we restart and reconfigure IIS automatically)

Today I am announcing Meshcentral’s support for in-band Windows multi-display. This is by far the most requested feature to date. In Meshcentral, administrators can select a device and click on the desktop tab, this bring them to a fully web-based Javascript remote display viewer what can connect to remote computes and get full remote desktop. The protocols is fully web-optimized offering high speed remote desktop over the internet and inside a browser. No need to download a special application, all you need is an HTML5 web browser. Today, we added multi-display capability to this viewer. Users can see all the displays at once, or select to view only one. They can also switch in real time between the different viewers.

In addition to in-band remote display, Meshcentral already supports Intel AMT out-of-band remote multi-display. So, on select Intel platforms, administrators can perform web-based remote desktop in both in-band mode (then the OS is up) or out-of-band mode (when the OS is down). Allowing for complete control over a computer under any circumstances. Administrators will favor in-band remote desktop when possible because it can see all the multi-displays at once and has much greater speed over the Internet.

The new multi-display feature is part of Mesh Agent v1.72. The new mesh agent solves a problem where the agent would not switch correctly on some computers when pressing CTRL-ALT-DEL, so all around improvements.

Enjoy!
Ylian
https://meshcentral.com

Meshcentral now supports multi-monitor devices in our remote desktop web viewer.
(Unlimited monitor count)

Meshcentral also supports Windows 8 and Intel AMT out-of-band multi-monitor (up to 3 monitors*).
*Depending on Intel AMT version

I just added certificate based Intel AMT cloud activation support (TLS-PKI) in Meshcentral.com that works behind NAT’s and HTTP proxies, uses a reusable USB key and makes use of Intel AMT one-time-password (OTP) for improved security.

Ok, let’s back up a little. Computers with Intel AMT need the feature activated before it can be used. Historically it’s been difficult to setup the software, network, certificates and settings to start activating Intel AMT, especially for smaller businesses in a way that allows administrators to use all of its features. It’s even more difficult if all the computers are mobile. With Mesh, we want to put all of the Intel AMT activation in the cloud, so administrators don’t need to worry about the how it all works. Administrators can launch their own instance of Mesh on Amazon AWS, install the mesh agent on each their machines and, when time permits create and use a single USB key to touch each machine for Intel AMT activation.

Meshcentral.com will automatically detect when a computer can be activated and do all of the appropriate work in the background, and this, even behind a HTTP proxy or NAT/double-NAT routers. Mesh fully supports Intel AMT Client Initiated Remote Access (CIRA) so once activated, Intel AMT can call back to the Mesh server independent of OS state. Administrators can then use the web site or tools like Manageability Commander Mesh Edition to use Intel AMT features across network obstacles. Mesh will automatically route traffic using direct, relay or CIRA, so administrators don’t never need to worry about how to connect to a machine over the Internet. As an aside, Mesh fully supports Host Based Provisioning, so that is still an available option if you don’t want to touch using a USB key and are ok with the client mode limitations.

A full video demonstration is available here.

Enjoy!
Ylian
https://meshcentral.com

Hi everyone! This year I have been asked to make a comeback at IDF, the Intel Developer Forum! As my blog readers know, I work on many interesting projects as a one man development team: Meshcentral.com, Manageability Developer Tool Kit (DTK), Intel System Defense Utility (ISDU) and the Intel Developer Tools for UPnP Technologies. Many of these projects make direct use of unique Intel platform technologies like: Intel Active Management Technology (Intel AMT), Intel Remote Wake, Intel Identity Protection Technology (Intel IPT), Digital Random Generator, AES-IN, Wake-on-LAN, etc. So, I am in a pretty good position to share with developers my experiences and help more people use these great platform features.

This year, I am giving one session (1 hour) and one lab (2 hour). The lab is given twice, so the program will show two, two-hour blocks. Here is my schedule as currently planned:

BCSS003:Meshcentral.com – Using Intel® AMT and Intel® Smart Connect Features From the Cloud.
Day 1, Tuesday September 10th, 3:45 to 4:45pm, Room 2007

SFTL003: Using Intel® AMT and Intel® Smart Connect Features From the Cloud
Day 2, Wednesday September 11th, 1:00 to 3:15pm, Room 2000
Day 2, Wednesday September 11th, 3:45 to 6:00pm, Room 2000

In both classes the goal is the same: show that Intel platforms are great at connecting to the cloud. Lets say you want to connect a device to a server in the cloud. We are going to look at how it's usualy done with a regular client-to-server connection. Then we are going to leverage all the Intel platform technologies at our disposal to add many more capabilities to our cloud service. The session will be a quick overview, I will demonstrate the benefits of using platform features and show you how to get started quickly and what code we have already available. The labs are typically smaller, more indepth and much more interactive, I get to answer questions that can help developers in their day-to-day work, show where to get source code, how to get started and much more. The entire lab will be demos, code & fun!

I look forward to seeing you there. To register or for more information, links below:

IDF Main Page: http://www.intel.com/IDF
IDF Registration: https://secure.idfregistration.com/IDF2013/

Ylian
Meshcentral.com

I just added certificate based Intel AMT cloud activation support (TLS-PKI) in Meshcentral.com that works behind NAT’s and HTTP proxies, uses a reusable USB key and makes use of Intel AMT one-time-password (OTP) for improved security.

Ok, let’s back up a little. Computers with Intel AMT need the feature activated before it can be used. Historically it’s been difficult to setup the software, network, certificates and settings to start activating Intel AMT, especially for smaller businesses in a way that allows administrators to use all of its features. It’s even more difficult if all the computers are mobile. With Mesh, we want to put all of the Intel AMT activation in the cloud, so administrators don’t need to worry about the how it all works. Administrators can launch their own instance of Mesh on Amazon AWS, install the mesh agent on each their machines and, when time permits create and use a single USB key to touch each machine for Intel AMT activation.

Meshcentral.com will automatically detect when a computer can be activated and do all of the appropriate work in the background, and this, even behind a HTTP proxy or NAT/double-NAT routers. Mesh fully supports Intel AMT Client Initiated Remote Access (CIRA) so once activated, Intel AMT can call back to the Mesh server independent of OS state. Administrators can then use the web site or tools like Manageability Commander Mesh Edition to use Intel AMT features across network obstacles. Mesh will automatically route traffic using direct, relay or CIRA, so administrators don’t never need to worry about how to connect to a machine over the Internet. As an aside, Mesh fully supports Host Based Provisioning, so that is still an available option if you don’t want to touch using a USB key and are ok with the client mode limitations.

A full video demonstration is available here.

Enjoy!
Ylian
https://meshcentral.com

Just a quick note to say that I arrived this morning in San Francisco to participate in IDF 2013! I find it all very exciting... I am speaking on the tomorrow afternoon on Intel Platform technologies and the cloud, going to use Meshcentral.com as an example of how anyone can leverage Intel technologies to make cloud services better. Information about my session:

BCSS003:Meshcentral.com – Using Intel® AMT and Intel® Smart Connect Features From the Cloud.
Day 1, Tuesday September 10th, 3:45 to 4:45pm, Room 2007

If you saw this blog and see me tomorrow, please say hi and let me know you saw my blog! Always nice to put faces to visitors. I got a chance to see all of the early IDF setup and as usual it's wonderful.

Ylian
meshcentral.com

I am back in my hotel after the first day at IDF2013. I did not do any of the fun stuff today, but I did work... practiced my session content and in mid-afternoon delivered a session on Meshcentral.com and Intel platform features, it was a lot of fun! Thank you to everyone that attended. Tomorrow I am doing it again, this time two 2 hour labs back-to-back.

SFTL003: Using Intel® AMT and Intel® Smart Connect Features From the Cloud
Day 2, Wednesday September 11th, 1:00 to 3:15pm, Room 2000
Day 2, Wednesday September 11th, 3:45 to 6:00pm, Room 2000

For people that want more technical details, I will be diving into code and showing off even more features of Meshcentral.com. Hope to see many of you there.

Ylian
meshcentral.com

Based on Intel® Core™ microarchitecture (formerly codenamed Ivy Bridge) and manufactured on 22-nanometer process technology, these processors provide significant performance and power-efficiency improvement over the previous-generation Intel® Xeon® processor E5-2600 product family. This is the first Intel® Xeon® processor family with extended lifecycle support to offer 12-core/single-socket and 24-core/dual-socket configurations, resulting in Performance Boosts of up to 50 percent¹ thanks to additional cores, larger cache and increased memory bandwidth and Increased Energy Efficiency of up to 45 percent²

A more in depth discussion of the key features, and the architecture of the  Intel® Xeon® E5-2600 v2 product family is here

Key supported features you should be aware of, as a Software Developer:

• Intel® Secure Key provides high quality, high performance entropy and random number generation, allowing you to develop software that is more secure. Read More ›
• Intel® OS Guard helps prevent Escalation of Privilege attacks and is enabled at the VMM and Operating System levels. It protects the operating system (OS) from applications that have been tampered with or hacked by preventing an attack from being executed from application memory. Intel OS Guard also protects the OS from malware by blocking application access to critical OS vectors. Please contact your OS or VMM providers to find out when support will be integrated into their releases.
• Intel® Advanced Vector Extensions Float 16 Format Conversion Instructions (AVX Float16) introduces half-precision (16-bit) floating point format, often used in graphics and imaging applications, and provides 2x more compact data representation than single precision format, resulting in a reduction in application data size and memory bandwidth needs. The instructions supporting conversion between half and single precision floating-point data are VCVTPS2PH and VCVTPH2PS. Support for these instructions exists in the Intel® Composer XE 2012 compiler (or later), Microsoft* Visual Studio 2012 or later, and gcc 4.6 or later
• Interrupt/APIC Virtualization decreases the overhead in the handling of instruction interrupts in the core, and eliminates the need for virtual machines to wait for thousands of instruction cycles per exit; this results in performance benefits on many I/O operations. Contact your VMM provider to find out when they will include support for this feature.

 Learn More about the Intel® Xeon® E5-2600 v2 product familyhere.

¹ Baseline Configuration and Score on SPECVirt_sc2013* benchmark: Platform with two Intel® Xeon® Processor E5-2690, 256GB memory, RHEL 6.4(KVM). Baseline source as of July 2013. Score: 624.9 @ 37 VMs. New Configuration: IBM System x3650 M4* platform with two Intel® Xeon® Processor E5-2697 v2, 512GB memory, RHEL 6.4(KVM). Source as of Sept. 2013. Score: 947.9 @ 57 VMs.

² Baseline Configuration and Score on SPECpower_ssj2008* benchmark: Platform with two Intel® Xeon® Processor E5-2660, 16GB memory, Microsoft Windows Server 2008 Enterprise x64 Edition. Baseline source as of November 2012. Score: 5,544 overall ssj_ops/watt. New Configuration: Fujitsu PRIMERGY RX300 S8* platform with two Intel® Xeon® Processor E5-2660 v2, 48GB, Microsoft Windows Server 2012 Standard Edition. Source: Submitted to SPEC for review/publication as of Sept. 10, 2013. Score: 8,097 overall ssj_ops/watt.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. Intel does not control or audit the design or implementation of third party benchmark data or Web sites referenced in this document. For more information go to http://www.intel.com/performance Intel encourages all of its customers to visit the referenced Web sites or others where similar performance benchmark data are reported and confirm whether the referenced benchmark data are accurate and reflect performance of systems available for purchase.*Other names and brands may be claimed as the property of others.

Download Article

Download Intel® Business Client Community Frequently Asked Questions [PDF 380KB]

Getting Started
General
Troubleshooting
Other
Remote Encryption Management

Getting Started

This section contains answers for those new to the Intel® Manageability and Security Developer Community (now called Intel® Business Client Community) and Intel® Active Management Technology^[1].

Q1 What is the Intel Business Client Community?

A1 This is an online site (previously known as the Manageability and Security Developer Community) created to increase the expertise for developers of Intel® Active Management technology and security features in Intel® vPro™ technology^[2]-based solutions. It contains articles, blogs, videos, downloads, a forum, and other items to help developers reduce the time required to create manageability and security solutions for business client systems.

Q2 What is Intel® Active Management Technology (Intel® AMT)?

A2 Intel® notebooks and desktops with Intel AMT combine high-end performance with security and manageability integrated within the chip. Optimized for business, Intel vPro technology allows IT to reduce desk-side visits by remotely monitoring and diagnosing PCs and notebooks even when the OS is off or unresponsive.

• Discover. With built-in manageability, IT can discover assets even while PCs are powered-off.
• Diagnose. Providing out-of-band management capabilities, IT can remotely diagnose and recover systems reducing downtime.
• Verify. Hardware-based agent presence checking proactively detects the software agents that are running while missing agents are automatically detected and alerts are sent to the management console.
• Isolate. Proactively block incoming threats, and isolate infected systems while containing infected clients before network impact and alerting IT to the critical software agents removed.
• Update. Help keep patches and virus protection software up-to-date. Intel AMT provides the capability to store version numbers or policy data in non-volatile memory for off-hours retrieval.

Q3 What is Intel vPro technology?

A3 Intel vPro technology is “IT” embedded into the HW platform. Intel vPro technology is a platform brand that enables business-class PCs with capabilities to help address the needs and requirements faced by business today. Intel vPro technology comprises a processor, chipset, networking, Intel AMT, and other components working together to enable enhanced remote management capabilities for PCs. With Intel AMT a feature of Intel vPro technology, IT personnel can use a third-party manageability and/or security software controller to collect inventory information, remotely diagnose problems, and provide remote services even to PCs that are turned off or have an inoperable OS. Administrators can also better protect individual PCs and the network from threats.

Q4 What are the following Intel AMT tools for: SDK, Open Manageability DTK, SCS, WS-ManTranslator, JavaLib ?

A4 These are all tools that can be used when experimenting with or writing applications for Intel AMT. Here are some brief descriptions and when to use them:

Intel AMT SDK: Software Development Kit - Provides sample code and all the APIs needed for implementing Intel AMT. The Open Manageability DTK uses the APIs provided in the SDK. Be sure to use the most recent release of the SDK to integrate Intel AMT into your application.

Open Manageability DTK: Developer Tool Kit - This is a solution written in C# using the Intel AMT SDK. Use this to get an idea of how Intel AMT works. Many engineers use the DTK to verify if a certain feature is working. The source code is also available.

Intel® SCS: Intel(r) Setup and Configuration Software– allows you to discover, set up and configure, and maintain a secure connection to every managed device on your network. Using Intel SCS is an easy process for unlocking the features and the value of systems with Intel® processors with Intel vPro technology.

Intel® WS-Man Translator: WS-Management Translator - makes it possible for WS-Management-based software to be used in conjunction with Intel AMT platforms older than version 3.0.

JavaLib: Intel® WS-Management Java Client Library– is a lightweight WS-Management protocol library designed for software developers who want to quickly and easily support WS-Man but want to avoid the complexity of writing their own Java*-based WS-Man client library.

Q5 How do I get started writing Intel AMT software using WS-Management?

A5 Download the latest Intel® AMT SDK and look at the documentation. Starting with version 6.0, WS-Management is the only interface that supports new features. Also take a look at this article on WS-Management development.

Q6 What are the guidelines for Intel® AMT Management Engine (ME) passwords?

A6 You have to change the default ME password (admin) to a strong password the first time you log in to the Management Engine BIOS Extensions (MEBx). Follow these guidelines. The ME password should contain:

• 7-bit ASCII characters, in the range of 32-126, excluding ':', ',' and '"' characters.
• No more than 32 characters.
• At least one number ('0', '1', .... '9')
• At least one 7-bit ASCII non alpha-numeric character, above 0x20, (e.g., '!', '$', ';'...). Note that '_' is considered alpha-numeric.
• At least one lower-case letter ('a', 'b',...,'z') and one upper case letter ('A', 'B', ...'Z')

Q7 Is there some type of software I can install on my computer or server to remotely manage computers with Intel vPro technology?

A7 This detailed document, Intel® AMT SDK Start Here Guide, will help you get started.

Q8 Will my management console be helpful when deployed without any systems with Intel vPro Technology?

A8 To take advantage of the usage models supported by Intel AMT, you need the support from PCs with Intel vPro Technology and a Management console.

Q9 Why can’t I connect to the Intel AMT system locally through WebUI?

A9 Intel AMT versions prior to 7.0 cannot serve web pages locally. The Intel AMT system was not accessible locally through the WebUI or ping, even if it has a static IP.

Q10 Is there a utility to check if my system supports Intel vPro technology?

A10 The Intel® Setup and Configuration Service version 7.0 and later has a discovery module called the SCS Discovery Tool. Here is a blog on How to Run the SCS Discovery Tool.

Q11 Which systems support Intel vPro technology?

A11 Refer to this blog: Intel® vPro Technology™ Release 9.0: Platform Requirements for information on what processors and SKUs are Intel AMT 9+ capable.

Q12 What hardware components make up an Intel AMT 4.0 system?

A12 The main hardware ingredients that are present in an Intel AMT 4.0 system include:

• Intel® Wireless Wi-Fi* Link 5000 Series AGN adapters
• Processor: Intel® Centrino® 2 with vPro™ Technology
• Chipset: Intel® M45 series chipset with Intel® ICH09DO
• CPUs: Intel® Core™ 2 Duo mobile processor T9600, T9400, P9500, P8600, and P8400 series

Note: Intel AMT 4.0 systems are no longer being supported. The oldest version of Intel AMT being supported is AMT 7.0 and newer.

Q13 What hardware components make up an Intel AMT 5.0 system?

A13 The main hardware ingredients that are present in an Intel AMT 5.0 system include:

• Intel Wireless Wi-Fi Link 5100 or 5300 AG
• Processor: Intel® Core™ 2 processor with vPro™ Technology
• Chipset: Intel® Q45 Express Chipset with Intel® ICH10DO
• CPUs: Intel® Core™ 2 Quad Q9xxx and Duo E8xxx series CPUs.

Note: Intel AMT 5.0 systems are no longer being supported.

Q14 What hardware components make up an Intel AMT 6.0 System?

A14 The main hardware ingredients that are present in an Intel AMT 6.0 system include:

• Networking:
  • Intel® 82577LM Gigabit network connection
  • Notebooks: Intel® Centrino® Ultimate-N 6300 (3x3) 802.11a/b/g/n
  • Notebooks: Intel® Centrino® Advanced-N 6200 (2x2) 802.11a/b/g/n
  • Chipsets:
    • Mobile: QM57
    • Desktop: Q57
    • Small Form Factor (SFF) QS57
  • Intel® Core™ i7/i5 processors
    • Desktop: i5-650, i5-660, i5-670
    • Laptop: i7-620M, i7-640LM, i7-620LM , i7-640UM, i7- 620UM, i5-540M, i5-520M, i5-520UM

Q15 What hardware components make up an Intel AMT 7.0 system?

A15 The main hardware ingredients that are present in an Intel AMT 7.0 system include:

• Networking
  • Intel® 82579LM Gigabit Ethernet PHY
  • Intel Wi-Fi Adapters supporting vPro technology:
    • Intel Centrino Ultimate-N 6300
    • Intel Centrino Advanced-N 6230
    • Intel Centrino Advanced-N 6205
  • Chipsets supporting Intel vPro/ Intel AMT technologies 7.0
    • Q67 for Desktop Systems; QM67 and QS67 for Mobile chipsets
  • Intel® Core™ i7/i5 processors
    • Desktop: i7-870, i7-860, i7-860s, i5-650, i5-660, i5-670, i5-680
    • Laptop: i7-840, i7-820, i7-740, i7-720, i7-660, i7-640, i7- 620, i5-580, i5-560, i5-540, i5-520

Refer to this Blog post for additional information like support for KVM Remote Control.

Q16 What hardware components make up an Intel AMT 8.0 system?

A16 The main hardware ingredients that are present in an Intel AMT 8.0 system include:

• Networking
  • Intel® 82579LM Gigabit Ethernet PHY
  • Intel Wi-Fi adapters supporting Intel vPro technology:
    • Intel Centrino Ultimate-N 6300
    • Intel Centrino Advanced-N 6230
    • Intel Centrino Advanced-N 6205
    • Intel Centrino Advanced-N 6200
    • Intel Centrino Advanced-N + WiMAX 6250
  • Chipsets supporting Intel vPro/AMT technologies 8.0
    • Q77 for Desktop Systems; QM77 and QS77 for Mobile chipsets
  • Intel® Core™ i7/i5 processors
    • Desktop: i7-3770, i7-3770T, i7-3770S, i5-3550, i5-3550S, i5-3570T
    • Laptop: i7-3920XM, i7-3820QM

Q17 What hardware components make up an Intel AMT 9.0 system?

A17 Refer to this blog: Intel® vPro Technology™ Release 9.0: Platform Requirements for information on what processors and SKUs are Intel AMT 9+ capable.

Q18 What are the allowed network setup modes?

A18 Intel AMT supports DHCP and static IP. It is advised that the Intel AMT network settings coincide with the system network settings.
• When using DHCP – Intel AMT hostname should be set to the same hostname as the host.
• When using static IP – Intel AMT host name AND IP address should differ from the host IP and hostname.

Q19 Does Intel AMT support Windows Vista*?

A19 Intel AMT is generally OS independent. Intel AMT supports drivers for Windows Vista starting with AMT 2.1 for features that use local drivers.

Q20 What features do the various versions of AMT support?

A20 Refer to the AMT SDK Start Here Guide to see a list of versions and features http://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9 .

Q21 Does Intel AMT support Linux*?

A21 Intel AMT is generally OS independent. Please refer to this post on Intel AMT with Linux.

Q22 Can I control Intel AMT clients from a Management Console running on a non-Intel AMT computer with Windows* or Linux?

A22 The computer that runs the Intel AMT Management console does not have to have AMT installed.

Q23 Will Intel AMT technology be coming to Apple Macintosh* computers?

A23 Intel® Centrino® Pro processor technology on the Macintosh would be Apple's version of their mobile platforms with Intel Core 2 Duo processors. There are currently no plans to have Intel AMT on Apple systems.

Q24 Do I need a server (such as Windows Server 2003) to manage and control AMT PC clients?

A24 No. If you use the Intel Manageability Commander, any Microsoft Windows computer is ok.

Q25 Are there any software applications available to perform hardware inventory on Intel AMT systems?

A25 You can do it in two ways:
1. Log on to your Intel AMT system through web URL http://<ipaddress>:16992. On the left side, you will see hardware Information and under that are system, processor, memory, and disk. You can click on each of them and see the details.

2. Through Intel Manageability Commander, which comes with the Intel AMT Manageability DTK. You can download the latest version from http://www.intel.com/software/amt-dtk .

Q26 Which versions of Intel AMT can be configured using the Intel SCS?

A26 Please refer to the latest release of the Intel SCS for information on supported Intel AMT versions and configuration methods.

Q27 What is the “Hello” message?

A27 This is a message that an Intel AMT device sends once it has been loaded with a PID/PPS key pair and had its default password changed. This indicates the start of the setup and configuration process. Note that “Hello” messages start once a PID/PPS is entered though the MEBx or USB key. They can start even if the Setup and Configuration Service is not installed.

Q28 What is Host Based Configuration?

A28 Host Based Configuration (HBC) is a feature introduced with Intel AMT 7.0 that allows configuration of Intel AMT systems locally through the host operating system. More info is available in this video.

General

This section contains answers to common questions for those developing management solutions based on Intel® Active Management Technology(Intel® AMT).

Q29 Are there any commercial Intel AMT tools available for modifying the BIOS settings on an Intel AMT system?

A29 Use the “Open” Intel AMT Manageability Commander included in the Open Manageability DTK for this. Under the Remote Control tab, you can start an SOL session and boot into the BIOS options of your Intel AMT client. You can also use IMRGUI in the Redirection sample included in the Intel® AMT SDK.

Also try the Intel® vPro Platform Solution Manager.

Q30 Can multiple administrators through various tools connect to Intel AMT on one machine at the same time?

A30 The SOAP and WS-Man protocols used by Intel AMT are request/response protocols, so it will seem like everybody is getting connected at the same time. But really what's happening underneath is that Intel AMT is responding to the requests one by one. You cannot perform multiple instances of Serial over LAN or IDE Redirection at the same time.

Q31 How do you detect computers with Intel AMT Technology without SCS or similar tools?

A31 Assuming the Intel AMT-enabled systems are provisioned, you can send a SOAP command for GetCoreVersion API that can be found in the SDK. Intel AMT-enabled systems will provide a response containing the Intel AMT firmware version. Systems without Intel AMT will not respond to the SOAP request.

Q32 How can I find the Intel AMT MAC address of my client system?

A32 If the Intel AMT device is configured to work in DHCP mode, check to see that its MAC address is exactly the same as the host LAN. Another way is to use the MEInfo tool on the Intel AMT local machine. The MEInfo tool comes with the utilities for upgrading the firmware (contact your OEM for this). If you use this tool, just make sure you are using the right version for your firmware. MEInfo exists in both Windows and DOS versions.

Q33 Can I force my system to boot to a local CD using IDE-R?

A33 Booting to a local CD-ROM is not supported by Intel AMT. You can use ASF for doing that.

Q34 Will the flash update utility work remotely?

A34 The flash update utility only works remotely. This is a security feature of Intel AMT.

Q35 Can an Intel AMT application be developed for an older version of Intel AMT using a newer version of the Intel AMT SDK?

A35 Yes, as long as the application is aware of the IntelAMT version and does not try to perform operations only available on newer IntelAMT systems. Differences between the versions are generally called out in the SDK documentation. Additionally, many older APIs have been deprecated.

Q36 Can an application compiled with an older version of the Intel AMT SDK manage newer Intel AMT Firmware versions?

A36 Yes, most all interfaces are forward compatible. But you need to be wary of items that are deprecated. Refer to the documentation in the Intel AMT SDK.

Q37 What are the limitations of using Intel AMT in a wireless environment?

A37 Here is a high-level list detailing wireless usage in IntelAMT. For more information please take a look at http://software.intel.com/en-us/articles/technical-considerations-for-intel-amt-in-a-wireless-environment

• Setup and Configuration is not supported over a wireless interface.
• There is no host wireless connection in link-sensitive flows (i.e., SOL/IDE-R redirection use-cases); local agents will not be able to connect unless there is a LAN connection.
• System Defense filters are software based, not hardware based as in the wired interface.
• Static IP is not supported on the wireless management interface.
• The wireless management interface may not be enabled by default depending on which setup and configuration tool is being used (even if valid wireless profiles are configured in the Management Engine and Intel AMT is enabled).
• Wired and wireless management interfaces cannot be on the same subnet concurrently.
• 802.1x profiles are applied independently on wired and wireless.

Q38 What is the difference between IDE-R and PXE?

A38 IDE-Redirect (IDE-R) is a feature of Intel AMT that allows the management console to remotely mount CDROM and floppy disk drives on an Intel AMT computer and cause a remote boot on the remote drives. PXE (pre-boot execution Eenvironment) is a form of remote boot that has been used for a long time before IDE-R. Here are the main differences between the two:

• PXE is a BIOS technology and has access to the entire system RAM and loads the entire disk image from a remote TFTP server before booting. IDE-R, being part of Intel AMT, does not have access to the entire system RAM and can’t pre-load the entire disk image, so it forwards each disk request to the console. The console must then answer back to each disk request. Due to this, PXE may be slower at first, but faster later and does not need a permanent connection to the server.
• IDE-R is console initiated; PXE is client initiated. PXE is generally used for diskless workstations, and IDE-R is used by administrators to remotely fix problems.
• IDE-R is routable, PXE is not. Because PXE gets it’s instructions from DHCP, each DHCP server on each subnet must support PXE. No particular DHCP infrastructure is required for IDE-R.
• When Intel AMT is set up in TLS mode, IDE-R is more secure than PXE.

Q39 Is the Intel AMT terminal compatible with telnet?

A39 We do not recommend using Telnet or Hyperterm as terminals for Intel AMT. You may use IAmtTerm.exe from the Open Manageability DTK.

Q40 How much memory is available in the 3^rd Party Data Store?

A40 Intel AMT 1.0 systems have 96k of NVRAM. All computers with Intel AMT 2.0 and beyond have 192k of NVRAM. This said, vendors can probably change this, and it's generally accepted that any single application should not use more than 48k of it so that several applications can share this space.

You could also try to use some type of compression when placing data into the 3^rd Party Data Store (3PDS) so that this space can be used most efficiently.

Q41 Does Intel AMT provide an API for ISVs to modify the PRTC timer remotely?

A41 You can find it in Intel AMT SDK documentation in the AMT_TimeSynchronizationService. To learn more about this clock refer to this post.

Q42 How can one discover an Intel AMT machine before a user goes into the Intel AMT configuration screen at boot-time and sets a new username/password from the default password?

A42 The Intel® Setup and Configuration Software version 7.0 and later has a discovery module. You can use a tool as described in this blog: http://software.intel.com/en-us/blogs/2008/11/03/do-you-know-where-your-intel-amt-systems-are/ .

Q43 Can one get the host UUID to run before registration?

A423Yes, the ISVS_GetHostUUID API call can be used after library initialization and before registration. It's one of a very few calls that can be used prior to registration.

Q44 Can I access my 3^rd Party Data Store block by name later as a named block?

A44 Yes, please refer to the Storage feature in the latest Intel AMT SDK documentation.

Q45 Can 3^rd Party Data Store blocks smaller than 4K be allocated? What about the scratchpad?

A45 No, please refer to the Storage feature in the latest Intel AMT SDK documentation.

Q46 Does one need to lock while reading from 3^rd Party Data Store? What happens if one does not lock?

A46 To ensure the data is consistent, lock before performing reads. If a lock is not done before reading you may get inconsistencies in data, partially from before and partially from after a write that has taken place.

Q47 Will Intel be supplying a library or code to translate the PCI Vendor and Device ID values to human friendly strings?

A47 No, there are no plans to add this functionality to the library. In the meantime, ISVs can go to standard sources to get PCI string tables, e.g., http://pciids.sourceforge.net*.

Q48 When an event filter is created, the FW returns a handle. When the handle is lost (system failure, etc.), how can a console recover the handle? Does the firmware clean up?

A48 Event handles live forever, but they can be recovered. An application can use the SDK CircuitBreakerService interface to enumerate the filters and determine which filters belong to it. To do this, use the EnumerateEventFilters method to return an EventFilterHandleArrayType that lists the filter handles. A loop that applies GetEventFilter SOAP function to each handle can then be created to get the properties of each filter, which allows the application to determine which filters are of interest.

Q49 Is there a license restriction that would not allow redistribution of the IMRSDK.DLL allowed with our product?

A49 The IMRSDK.dll can be distributed with your product.

Q50 What is the maximum size of the Intel AMT event log?

A50 The maximum number of event log entries is 390.

Q51 How does one set up authentication?

A51 To establish a SOAP over HTTPS connection (i.e., TLS authentication), all that needs to be done is specify the proper endpoint. https://<hostname>:16993. Windows security mechanisms will be employed to perform the proper certificate checking to establish the encrypted session. Once the encrypted session is established, the credentials are then passed to perform the userid authentication. This means there will be no change to any code except to when a specification of the new endpoint is needed.

Q52 When accessing the local storage on an Intel AMT machine, an URL (e.g. http://localhost:16992/StorageService) is specified. If the machine is in TLS mode, is it necessary to have the certificate on the local machine that's normally on the core server only?

A52 Yes, please specify the URL as https://localhost:16993/StorageService. Remember that TLS mode is defined on an interface level. This means that one can configure the Intel AMT device to utilize TLS communications on the network (remote) interface and utilize non-TLS communications on the local interface.

Q53 Is there a specific API that will indicate which version(s) of Intel AMT that a device supports?

A53 Yes, call: GeneralInfoService::GetCodeVersions.

Q54 Is it possible to recover the Intel AMT ID/Password without re-programming the device?

A54 No - the password is not recoverable (this is a security feature).

Q55 How can I tell whether an API can be executed locally (on the Intel AMT Client) or remotely (from the management console via network access?)

A55 Please refer to the Functionality on the Realm Mapping page in the latest Intel AMT SDK documentation.

Q56 Where can we get a Linux driver for LMS/SOL and HECI?

A56 You can get Linux drivers here: http://www.openamt.org

Q57 We want to upgrade our Intel AMT firmware. Where we can get new firmware?

A57 Your OEM should be able to tell you if firmware upgrades are available for your system and provide them for you.

Q58 What is the BIOS update process for Intel® Desktop Boards DQ965CO, DQ965GF, and DQ965WC ?

A58 Please refer to the documentation at:
http://support.intel.com/support/motherboards/desktop/sb/CS-025681.htm

Q59 What are the different options available to setup PID/PPS in Intel AMT?

A59

• At manufacturing time: Some vendors could probably push firmware on a computer with some settings pre-loaded.
• Manually: Going into the BIOS or MEBx and entering these values yourself. This is time consuming.
• Using USB Flash: You put these settings into a "setup.bin" file on a USB flash drive (512M or less, will not work on larger sticks).

Q60 What happens if a local application tries to bind to port 16992 or 16993?

A60 This is not recommended. Intel has registered these ports at IANA and they should not be used.

Q61 How do you disable the Intel AMT privacy notification popup?

A61 There are registry settings to do this. Disable.reg has [HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun] “atchk”=””
This will prevent the privacy icon application from ever running again.
If you want to keep the app running, but minimized to get rid of the “popup,” then
[HKLMSOFTWAREIntelNetwork_Servicesatchk] “MinimizePrivacyIconAtStart”=dword:00000001
This can also be done by altering the oementry.reg file that contains this entry. The atchk (privacy icon) app gets installed when you install the SOL/LMS driver software.
The disable.reg and oementry.reg files should be shipped on the OEM driver CDs.

You can refer to this blog: http://software.intel.com/en-us/blogs/2007/04/26/instructions-to-disable-the-intel-amt-privacy-notification-popup/

Q62 What is a UUID to FQDN mapping?

A62 A UUID is a Universally Unique Identifier assigned to each machine. This identifier is a part of the machines BIOS and can be used to identify the machine independent of its host OS or host name. Before provisioning can be completed, you must provide a mapping of the machines UUID to its host name. This can be done using the SCS UI and setting the Intel AMT properties.

Q63 Does the alarm clock support multiple alarms?

A63 Starting with Intel AMT 8.0, the PC alarm clock will support an additional 5 alarms with unique identifiers.

Q64 What happens when an alarm clock is scheduled to wake a mobile system that is in an inappropriate location (e.g., a briefcase in airplane overhead bin)?

A64 Intel AMT does not operate on mobile systems that are not plugged into AC power. So the alarm clock feature would not wake the system.

Q65 How can someone determine if a system was booted up due to the alarm clock?

A65 An event is created in the event log that states the alarm clock feature powered up the system. The event also indicates what the previous power state was. Starting with Intel AMT 8.0 the IPS_HostBootReason call can be used to determine the reason for last boot.

Q66 Does the Intel AMT alarm clock feature put the system back to sleep?

A66 No, the intention is to allow local agents to perform tasks on the system at the specified time. When the local agent is finished with its tasks, it should put the system back into the previous state it was in before the alarm.

Q67 What’s different regarding power policies in Intel AMT 6.0 vs. previous generations?

A67 In version 6.0 there are only two power polices supported (Desktop/Mobile on in S0, Desktop/Mobile on in S0 with Wake On ME in S3-S5). The default power policy is Desktop/Mobile on in S0 with Wake on ME in S3-S5. The Idle wake timeout is set to ~45 days. This means the Manageability Engine should always be awake and ready to respond to manageability requests unless ISV software explicitly configures Intel AMT to enter lower power states by reducing the Idle Wake timeout.

Q68 Will the Manageability Engine accept multiple KVM Remote Control connections?

A68 No.

Q69 Can unattended KVM Remote Control sessions (no user consent) be enabled without touching the machine?

A69 Yes, if the OEM enables this option. This may have privacy issues in some countries or user environments. In most cases, the user will have to select this option in the MEBx or the IT administrator will have to set it with a USB key during pre-provisioning.

Q70 Is the KVM Remote Control proxy required to connect to a system with Intel® vPro™ technology?

A70 No. The ME will listen on port 5900 for a standard VNC viewer (RFB 3.8 and above). In this model, extensions such as TLS and Kerberos authentication are not supported even if configured for Intel AMT.

Q71 How does the user give consent for a KVM Remote Control connection when consent is required for each session?

A71 Upon a connection attempt, sprite is used to display a key that the user must read to the remote operator. The user may opt to disable the per-session consent requirement in MEBx.

Q72 What is a "sprite"?

A72 The term "sprite" in the context of a platform with Intel vPro technology enabled refers to a graphic that is drawn directly to the local display by the integrated hardware. Sprites are independent of any host software or operating system.

Q73 Is the Intel® Management and Security Status (IMSS) service required to use KVM Remote Control?

A73 No. IMSS provides additional notifications to the user, the ability for the user to terminate a KVM Remote Control session and control over the sprite behavior (e.g., language selection).

Q74 What Remote Frame Buffer (RFB) protocol version is supported?

A74 RFB 3.8 and 4.0 are both supported. RFB 4.0 offers some performance, usability, and extensibility enhancements.

A74 What is the "RFB (or VNC) Password"?

A74 The RFB password is part of the RFB protocol's "VNC Authentication." The KVM viewer is required to provide the RFB password when it establishes a session. By default, the RFB password is set to the MEBx password. Anyone with access to the Intel AMT Redirection Realm can change the RFB password.

Q75 Can the KVM Remote Control feature be enabled / disabled remotely?

A75 Yes, unless the feature is explicitly disabled in MEBx.

Q76 Can the local keyboard and mouse be blocked during a KVM Remote Control session?

A76 Yes.

Q77 Can you disable the standard VNC port 5900?

A77 Yes. During configuration, you must enable either the Intel AMT redirection ports (16994/16995) or the standard VNC port (5900).

Q78 What RFB versions does the proxy support?

A78 The proxy will support both RFB 3.8 and RFB 4.0 with equal functionality. The protocols themselves may have differences independent of the proxy.

Q79 Does the proxy use GPL?

A79 No.

Q80 What WS-Events are created by KVM Remote Control?

A80 Local KVM Remote Control events are generated when a session starts or stops.

Q81 How complex is the user consent password?

A81 The user consent password is a 6-digit number.

Q82 What resolutions are supported by the AMT 6.0 hardware?

A82

• 640x480 (4:3 aspect ratio)
• 800x600
• 1024x768 (4:3 aspect ratio)
• 1280x1024 (5:4 aspect ratio)
• 1280x800 (16:10 aspect ratio)
• 1366x768 (16:9 aspect ratio)
• 1440x900 (16:10 aspect ratio)
• 1600x1200

Q83 What resolutions are added by the AMT 7.0 hardware?

A83Release 7.0 also supports screens with a resolution of 1920x1200 with 16 bits of color depth.

Q84 What do I need to do to use the Intel ME WMI provider?

A84 It will come pre-loaded on a system with Intel AMT version 6.0 or later (it should also be part of driver installation kit that comes from OEMs). For some of the discovery information (like Intel AMT and firmware versions), Intel AMT doesn’t even need to be provisioned to make calls to the provided WMI provider. There are some example scripts in the SDK that call the WMI provider, but in general if you already know how to use WMI, you’ll understand how to call the provider.

Q85 What is the Intel ME WMI Provider?

A85 The WMI provider gives access to several pieces of functionality that were previously only accessible with separately downloaded tools such as the Activator or the Intel AMT Scan Tool, or where the data could be read locally from the IMSS, but not obtained programmatically locally.

Q86 What advantages are there to using the WMI provider over existing tools?

A86 The Intel ME WMI provider will be part of the installation that goes to OEMs, so the WMI provider should be present on all Intel AMT 6 systems (in the same way that the Intel Management and Security Status program is part of all the previous generation of AMT systems that launched in 2008). Primarily it was created to give developers more flexibility in how they develop their apps (and hopefully make it easier to develop).

Q86.1 What is the Intel Manageability Firmware Recovery Agent?

A86.1 The Intel Manageability Firmware Recovery Agent is part of the Intel AMT driver stack provided to OEMs. Starting in 2011, it is relevant for any platform that has a Manageability Engine (ME). For more information, refer to the following blog: http://software.intel.com/en-us/blogs/2013/02/06/intel-manageability-firmware-recovery-agent

Q86.2 Does Intel AMT 9 still support the SOAP (EOI) interface?

A86.2 No. From Release 3.2, Intel AMT added WS-Management as a management layer over SOAP. From Release 6.0, SOAP was deprecated and no longer supports new Intel AMT features. With Intel AMT 9, no SOAP APIs are supported and as a result, older management consoles developed under older versions of Intel AMT will no longer work (for the features implemented with the SOAP interface.) Refer to the following blog: http://software.intel.com/en-us/blogs/2012/12/01/intel-amt-wsman-interface-is-replacing-the-soapeoi-interface

Troubleshooting

This section contains answers to some common issues encountered when developing and implementing solutions that use Intel® Active Management Technology (Intel® AMT).

Q87 Intel AMT/ME is setup correctly, but my password is always rejected when trying to connect through the WebUI or the Manageability DTK tools. What is wrong?

A87 The problem could be with your keyboard mapping. MEBx thinks that you are typing on a QWERTY keyboard and if you are using an operating system that has a different keyboard mapping, the password will not match.

Q88 How do I submit a bug on the Manageability DTK (a.k.a. AMT Commander?)

A88 Send an email to Support_DOPD_SWE@intel.com and ask for a bug report.

Q89 Is there something in Intel AMT that blocks remote desktop traffic?After installing the chipset drivers (Intel® AMT HECI, Intel® AMT SOL, and Intel® Chipset Software) I am no longer able to remote desktop to or from this system. I have a Dell Optiplex* 755 system.

A89 There aren’t any settings in Intel AMT that could block the remote desktop traffic. The problem could be due to the wrong video driver. The Dell driver CD comes with RADEON HD 2400 PRO* and RADEON HD 2400 XT. You have to make sure that you install the correct one. The Device Manager does not show any issues with the wrong driver. So, go to your Event Viewer and see if you have any errors with RDPDD.dll. If so, try installing the correct driver from the CD or support.dell.com.

Q90 Is it possible to have a null or invalid GUID on an Intel AMT system?

A90 The GUIDs are initialized, stored, and handled by the BIOS. So it is possible that an Intel AMT device gets a null or invalid GUID, but Intel AMT will detect it as invalid and won't use it.

Q91 Can malware detection in Intel AMT replace antivirus applications?

A91 No, you want to have both at the same time. When you put policies in Intel AMT for malware detection, they cannot be circumvented in any way from the host. The drawback is that Intel AMT is located underneath the host operating system and doesn't have all the information that a host application would have. So really a combination of the two is ideal.

Q92 Is there a way to install an operating system on 20 computers at the same time with Intel AMT?

A92 Yes. Intel AMT provides the ability to boot a disk remotely on the computer. The first step is to mount a CD-ROM drive onto the remote computer and then boot off of the remote CD-ROM drive. The rest of it is up to the administrator to build an ISO image that performs all the operations the administrator wants to perform.

Q93 What if the DHCP server is not working? There is no way to connect to the machine, right?

A93 When Intel AMT is configured for DHCP mode, if the DHCP server is not working, Intel AMT will never be able to obtain a valid IP address and you will not be able to connect to it remotely. If Intel AMT is configured in static IP mode, you can connect to it using the static IP address.

Q94 I am getting an error message about communication to the Intel Manageability Engine. I have an Intel DQ35MP motherboard and an Intel® Core™ 2 Quad. I had previously updated to the latest BIOS and it was working fine. I have re-flashed the BIOS but the problem persists?

A94 You should do a CMOS reset. For this, disconnect the power cord and LAN cable. Remove the CMOS battery for 15 seconds and insert it back in. When you power on, the Manageability Engine settings will revert to their factory defaults. The default user name and password is admin/admin. Please remember to change it to a strong password before configuring the ME further.

Q95 The system is unresponsive and won't boot. How can this be resolved?

A95

• Unplug the power cord, wait 20 seconds, and boot the system again.
• DIMM 0 must be populated with memory for AMT to work. AMT firmware is uncompressed and run in DIMM 0.

Q96 I am having difficulties with building the Sample Code in the AMT SDK.

A96 Please refer to the “Using the Intel AMT SDK” section in the Intel AMT SDK documentation. Also, review this video: http://software.intel.com/en-us/videos/how-to-compile-intel-amt-sdk-sample-code

Q97 The Intel AMT system will not boot on USB key.

A97

• The USB boot partition needs to be 256MB or smaller.
• Format the USB key to be DOS bootable.

Q98 After a few successful writes to Intel AMT storage, write errors occurred for all subsequent writes. Re-flashing the AMT memory did not help, but leaving the system on overnight did help. Why is this?

A98 Flash write limits may have been exceeded. Optimize writes to see if this resolves the problem. Flash wear out protection is enforced by Intel AMT to avoid permanent damage to flash by malware. Once the limit is exceeded, there is a time limit (40 minutes) that must be satisfied in order to write again.

Q99 Hello packets are sent only when OS is on.

A99 This is probably because the Intel AMT has been configured to only be active in S0 state. Try changing the Intel AMT communicate when the system is in Sx state (when the OS is not up). Look for Power Policy configuration settings in the MEBx.

Q100 When working in DHCP and setting a block-all policy in System Defense, after a certain amount of time Intel AMT will be inaccessible.

A100 When in DHCP mode, the Intel AMT system relies on the host operating system (OS) to respond to IP network traffic requests (ARP requests). These requests are cached, so the OS will continue to respond to the ones from the cache even after the filter has started to block new ones coming in.

Workaround: When defining a block-all policy, make sure to define 2 extra filters.
1. Pass Tx filter on Ethernet header for 0x806 (ARP)
2. Pass Rx filter on Ethernet header for 0x806 (ARP)
3. Make sure these filters are part of the policy.
This will ensure that the host will answer ARP requests.

Q101 I just provisioned my Intel AMT system; why doesn't SOL/IDER work?

A101 There may be a couple of reasons why your system is not allowing SOL/IDER sessions. First, you must make sure that both SOL and IDER are enabled in the BIOS (check the configuration settings in the ME/AMT menus). Secondly, if you have just moved from provisioning your systems in SMB mode to Enterprise mode, then you will need to programmatically enable the Redirection Port (SMB mode provisioning does this automatically for you.) Even though you selected that you wanted SOL and IDER to be enabled interfaces in your profile (another requirement), the Setup and Configuration Service will not enable the port for you (this is considered a security issue so it is left closed.)

There are a couple of ways you can enable this port:

1. Connect to your Intel AMT system using the Manageability DTK, go into the "Remote Control" menu and enable the Redirection Port (you will probably see that it is disabled.) Remember when doing this, you should disable the port when finished with your SOL/IDER session. It is not a good idea to leave this port open.
2. Add the appropriate API calls to your own Management Console Software: GetRedirectionListenerState or SetRedirectionListenerState. When you are ready to perform a SOL/IDER session, have your software open the port and then when finished, close the port. This makes for a more secure implementation.

Q102 What happens if the flash images update crashes in mid-update?

A102 There isn't an issue re-flashing the device if there is a flash write error. There is no dependency between corrupt data and the ability to re-flash the device with a good image.

Q103 How can I make sense out of the Intel AMT Event Log messages?

A103 There is a conversion in the IPMI (Intelligent Platform Management Interface) Specification that takes the event data number and turns it into text. You can get the IPMI Specifications at the following link: http://www.intel.com/design/servers/ipmi/spec.htm

Q104 How do you reset the password for the Intel Management Engine BIOS if you have forgotten the password?

A104 To reset the password of ME BIOS, disconnect the power cord and LAN cable. Remove the CMOS battery for 15 seconds and re-insert it. This time when you power on, the ME settings will revert to the factory defaults. The default user name and password is admin/admin. Please remember to change it to a strong password before configuring the ME further.

Q105 Where is the SCS getting it’s time from? Windows time is set correctly, but the SCS’s time is different.

A105 The SCS gets the time from the OS (displays as UTC.) The Intel AMT Clock can be synchronized from within the SCS.

Other

This section contains answers to questions that are not common or frequently asked, but still may be of interest to developers using Intel® Active Management Technology (Intel® AMT).

Q106 Is Intel AMT aware of Virtual Machine Hosts installed on a machine?

106 Intel AMT is neither aware of nor does it control any of the software installed on the system including virtual machines. Intel AMT allows remote management consoles to connect to it and manage the system as a whole not the individual software components. Host-based software components need to be managed the same way with or without Intel AMT.

Q107 What market segment does Intel AMT address?

A107 Intel AMT has initially been targeted at the corporate environment. Large IT shops that manage lots of computers that want to reduce the number of desk side visits. But there are a lot of other markets that love Intel AMT. The embedded market has actually been really big (e.g., cash registers and ATM machines). They have computers at remote sites and it is a big cost to remotely fix those systems. Intel AMT is also helping a lot with smaller businesses, the internet cafes, schools, and elsewhere where management of computers remotely is important.

Q108 Can Intel AMT be standalone or integrated with other applications? Please give a specific example?

A108 Intel AMT is much like an agent that is located in the hardware. Any management application can integrate with Intel AMT to provide additional and enhanced features. ISVs that address manageability are encouraged to supplement their solution with Intel vPro technology. A specific example would be software asset inventory, where an application running on the host would store inventory information in Intel AMTs 3^rd party data store where it could be retrieved by a remote management console via Intel AMT calls, even when that system is off or disabled.

Q109 Is Intel vPro technology available in laptops and handheld devices?

A109 It is available on laptops and on any platform that is branded Intel® vPro™ technology (refer to this link for available systems). Handheld devices are not currently supported.

Q110 Is Intel AMT disabled by default on Intel vPro devices? If not, can it be disabled or have any default passwords changed by end users not part of the IT-supported network?

A110 All Intel vPro computers come with Intel AMT turned off by default. Some OEMs configure their Intel vPro computers to attempt to find a configuration server when first attached to a network. If they don't find this configuration server, they will remain off. This is a very important security precaution. The default password in the Manageability Engine is changed the first time it is accessed, before it is provisioned and operational. If a configuration server is found and authenticated correctly, Intel AMT can be setup and configured, but that requires certificates and so on.

Q111 Whenever an SOL session is opened using the IMRGUI, 100% of the CPU resources are taken.

A111 Check if the Windows firewall is blocking communication. IMRGUI should start working once HyperTerminal is working properly.

Q112 When I use Intel AMT IDE-R and SOL to boot a remote Intel AMT client with a Linux rescue boot image, I cannot receive any messages through SOL after the image begins to boot. Is there any Linux rescue boot image that can keep sending messages to SOL while booting?

A112 The reason why the Linux boot image stops sending messages to the SOL terminal could be that the image isn't configured to send messages to the serial console. To enable the boot image to do so, pass some parameters to the boot image when it begins to boot. You can find more details in the Linux Configuration section in this doc:
http://download.intel.com/support/motherboards/server/sb/solsetupguide.pdf

Q113 Can you transfer the private key to the system wrapped by the ISV in their public key?

A113 No

Q114 Is there a way to determine if the user has correctly selected a valid floppy and CD boot drive and/or image file?

A114 There isn't any way from Intel AMT to determine this.

Q115 Why are there events in the event log when running in an unprovisioned state?

A115 There are default filters defined even in the unprovisioned state.

Remote Encryption Management

This section contains answers to some common questions encountered when developing solutions that utilize the Remote Encryption Management capability available with Intel AMT systems.

Q116 How do I get started with the code and documentation on Remote Encryption Management?

A116 It depends on whether your solution already manages encrypted hard drives (or is being developed to do so), or you simply want to request unlocked drives provisioned by another solution. In the Remote Encryption Management documentation, a company with a solution that manages encrypted hard drives (including the initial provisioning) is referred to as an Encryption (or Security) ISV, and one that interacts with that solution to request an unlock is a Manageability ISV. There is documentation targeted at both use models in the “SDK Resources” section of the Intel AMT SDK documentation.

Q117 Do I need to use the included ISO file and IDE Redirection to use Remote Encryption Management?

A117 No, a developer can incorporate the functionality into an already existing pre-boot authentication (PBA) implementation that handles a local user unlocking the hard drive. This of course assumes that the developer’s solution has a PBA that unlocks the drive before the system boots into the OS.

Q118 What is the difference between developing a solution with Remote Encryption Management using the provided ISO file, compared to including the functionality into a pre-boot authentication (PBA) implementation?

A118 There are two primary differences. First, incorporation into a PBA will likely require more development work. But more importantly, incorporation into a PBA will result in a solution that can unlock systems substantially faster. Using the ISO image, the system will need to go through a reboot to load the ISO over the network, which takes time and bandwidth.

Q119 Is the source code for the ISO image available?

A119 Yes, it is provided in the folder .\Windows\Remote_Encryption_Management\src\linux-sources in the Intel AMT SDK.

Q120 What is the Manageability Interface that is documented in the SDK?

A120 The Manageability interface is an example of a programmatic interface that allows an Intel vPro system to be powered on and unlocked by a separate management solution (or possibly scripting). Since many IT shops often have a different solution that manages the computers in their environment than the one that manages the encrypted hard drives (or potentially even multiple solutions that manage the computers in their environment), this gives a mechanism to the management solution to allow an unlock and manage blocks of systems (which is a common use case of Intel vPro technology). The provided example shows a way to implement this functionality that is structured very close to how a management ISV implements Intel vPro technology calls. Note that it is important to implement authentication on this interface, typically with either Digest or Kerberos authentication.

Q121 If I want to develop a solution that will request an unlock from another ISV’s encryption solution, what do I need to do?

A121 That partially depends on the ISV, but as a first step you should refer to the Manageability Interface document in the SDK. Intel is recommending that encryption ISVs implement a solution (and use the provided Manageability Interface example as a template), but it is up to the individual solution vendors for how (and whether) they implement.

Notices

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.

Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license.
Intel, the Intel logo, Centrino, Core, and vPro are trademarks of Intel Corporation in the U.S. and/or other countries.
Copyright © 2013 Intel Corporation. All rights reserved.
*Other names and brands may be claimed as the property of others.

[1] Requires activation and a system with a corporate network connection, an Intel® AMT-enabled chipset, network hardware and software. For notebooks, Intel AMT may be unavailable or limited over a host OS-based VPN, when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Results dependent upon hardware, setup and configuration. For more information, visit Intel® Active Management Technology.

[2] Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro.

Once you have instantiated a secured software environment (known as an enclave) with the new instructions from the Intel(r) Software Guard Extensions (SGX) you are now ready to load secrets into it for processing and storing on the platform. This is the purpose of the attestation and sealing features in SGX.

The SGX attestation architecture provides an enclave on the platform a mechanism to 'strongly authenticate' that it exists.  This authentication can then form the basis of a secret delivery protocol between the enclave and a local entity (i.e another enclave running on the same platform) or a remote entity (a service in the cloud). For now think of it as being able to terminate an SSL like session protocol inside the enclave, where the enclave is using client authentication mode.

Once the enclave has been authenticated as existing and a secret has been delivered, the enclave would now like to persist this secret locally on the platform. This is purpose of the sealing architecture.This architecture relies on the programmer to perform the work of protecting your secrets and storing them on the platform, the hardware provides you with a 128-bit enclave specific key to protect your data.

More details can be found in the white paper we have written to explain these important features of the SGX architecture.

I hope you find this info useful and any feedback or questions you may have regarding the white paper or the attestation and sealing features in general can be posted as a comment to this blog entry.

At IDF in September I led a technical session in the security track on developing applications that make use of Secure Key. In that presentation I put up the following chart:

It plots the maximum, total throughput of the RDRAND instruction in a multithreaded application for six different systems. The Y axis is the ratio to single threaded throughput, and the X axis is the number of threads executing RDRAND as rapidly as possible. What this chart says is that total RDRAND performance scales nearly linearly with the number of threads: if you have two threads executing RDRAND you get twice the throughput of one thread, if you use three threads you get three times the throughput, and so on. This scaling continues until you hit an overall hardware limit on the CPU, such as maxing out your hardware threads or saturating the bus.

After the talk was done, I had a session attendee come up to me and ask a question: Why is it that multiple threads give the DRNG (the digital random number generator) higher throughput? Why can't one thread simply pull as much random data via RDRAND as the DRNG is capable of generating?

The answer lies in the overall architecture of the CPU and the DRNG itself. Single-threaded performance is limited by the round-trip latency between when a RDRAND instruction is executed and when the random number is returned.

Round-trip latencies

The DRNG is connected to the cores via a bus. There are multiple busses within the CPU, and which bus is used for the DRNG is a decision that is made by the product groups when the CPU is designed. Those decisions are based on specific feature requirements and design constraints, and they can vary from generation to generation (3rd generation Core to 4th generation Core) as well as from family to family (Core to Xeon to Atom). No matter which bus is used, however, the process followed by the CPU when processing a RDRAND instruction is the same:

1. The execution unit receives the RDRAND instruction
2. A request for a random number is placed on the bus
3. The DRNG receives the request from the bus
4. The DRNG places a random number back on the bus
5. The random number is returned to the execution unit that issued the instruction
6. The random number is placed in the destination register

The time that elapses between steps 2 and 5 is the round-trip latency for the RDRAND instruction. The hardware thread cannot execute another RDRAND until the previous RDRAND has completed, and so this latency becomes the limit for single-thread throughput. It issues a request, waits for the answer, and then moves on.

With multiple threads executing RDRAND in parallel, however, each thread may place a request on the bus regardless of what the other threads are doing. While each thread still sees the same round-trip latency, and the same per-thread throughput, the total number of requests that are in flight on the bus increases. The end result is that the total throughput across all threads is roughly equal to the single-threaded throughput times the number of active threads. Hence, the throughput of the DRNG appears to increase.

§

Downloads

Libcryptorandom [PDF 398KB]
Libcryptorandom Source Code[ZIP 376KB]

Libcryptorandom is a cross-platform library that allows programmers to obtain cryptographically secure random numbers from the best available entropy source on the underlying system. The library frees the programmer from having to understand and code for various OS-specific crypto implementations and/or hardware devices. The calling program merely specifies what grade of random bytes are needed, and the library returns a random number provider that will satisfy the request (if available).

This library supports Intel® Secure Key.

Underlying sources of random numbers are referred to as providers. The library chooses the best available provider from the list of defined providers that will satisfy the request. "Best" is a somewhat subjective term, but the intention is to favor high-throughput sources over lower ones, and high-quality hardware devices over OS implementations.

Linux*, OS X*, and Windows* operating systems are supported, in both 32- and 64-bit builds.

API Overview

The API includes the following functions:

int random_open(crypto_random_t *provider,unsigned int flags);

Open a random provider that meets the requirements specified in flags.

int random_close(crypto_random_t*provider);

Close an open provider and free its resources.

int random_info(crypto_random_t*provider,int parameter,void*value);

Obtain information about a provider, or about all known providers.

ssize_t random_read(crypto_random_t*provider,void *buf, ssize_tlen);

Read random bytes from an open provider.

int random_reseed(crypto_random_t*provider);

Explicitly force a reseed of the underlying random provider.

const char *random_strerror(interrornum);

Obtain an error string from an error code.

The random providers known to libcryptorandom are:

OS

The OS facility for obtaining cryptographically secure random numbers. On Linux and OS X this would be the /dev/random and /dev/urandom devices. On Windows, random numbers come from the CryptGenRandom() function in Microsoft's CryptoAPI.

DRNG

Intel Corporation's digital random number generator, marketed under the name Intel® Data Protection Technology with Intel Secure Key. For more information, see  DRNG Software Implementation Guide.

Building and Installation

Libcryptorandom is distributed as source code and must be built on the target platform.

Linux

Builds and installs via Gnu Autotools, using either gcc or the Intel® compiler. The build target is a shared library, libcryptorandom.

OS X

Same build procedure as Linux.

Windows

Builds via Visual Studio*, using either the Microsoft or Intel compiler. The build target is a static library.

Licensing

Libcryptorandom is an open source library distributed under the terms of the BSD 2.0 license. The license text is included in the distribution.

Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license. 

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
Copyright © 2013 Intel Corporation. All rights reserved.
*Other names and brands may be claimed as the property of others.

Today the Intel® Software Guard Extensions (Intel® SGX) programming reference manual was published (more information is available here).  Given the significant time and effort that my colleagues and I have spent defining Intel® SGX, I can't find a strong enough word in my thesaurus to describe how thrilled/elated/ecstatic I am to finally be able to write about it publicly.

At its root, Intel® SGX  is a set of new CPU instructions that can be used by applications to set aside private regions of code and data.  But looking at the technology upward from the instructions is analogous to trying to describe an animal by examining its DNA chain.  In this short post I will try to uplevel things a bit by outlining the objectives that guided the design of Intel® SGX and provide some more detail on two of the objectives.  In future posts, I will dive deeper into the remaining objectives and review some of our experiences using Intel® SGX to protect various software applications.

Much of the motivation for  Intel® SGX can be summarized in the following eight objectives:

1. Allow application developers to protect sensitive data from unauthorized access or modification by rogue software running at higher privilege levels.

2. Enable applications to preserve the confidentiality and integrity of sensitive code and data without disrupting the ability of legitimate system software to schedule and manage the use of platform resources.

3. Enable consumers of computing devices to retain control of their platforms and the freedom to install and uninstall applications and services as they choose.

4. Enable the platform to measure an application’s trusted code and produce a signed attestation, rooted in the processor, that includes this measurement and other certification that the code has been correctly initialized in a trustable environment.

5. Enable the development of trusted applications using familiar tools and processes.

6. Allow the performance of trusted applications to scale with the capabilities of the underlying application processor.

7. Enable software vendors to deliver trusted applications and updates at their cadence, using the distribution channels of their choice.

8. Enable applications to define secure regions of code and data that maintain confidentiality even when an attacker has physical control of the platform and can conduct direct attacks on memory.

Here is a little more detail behind the first two objectives

Objective 1 – Allow application developers to protect sensitive data from unauthorized access or modification by rogue software running at higher privilege levels.

Several aspects of Objective 1 are worth amplifying.  First, protecting sensitive data demands both confidentiality (preventing data disclosure) and integrity (preventing data tampering).  Second, it implies a need to protect sensitive code as well as data (consider, for example, that an attacker can easily obtain unauthorized access to data by modifying or skipping authorization checks).  Third, data must be protected not only when it is stored in encrypted form, but also at run-time when the data is unencrypted and being actively used for computation.  Finally, it is critical to maintain run-time protection despite attacks from rogue software that has subverted legitimate system software to gain amplified privilege levels.

Objective 2 – Enable applications to preserve the confidentiality and integrity of sensitive code and data without disrupting the ability of legitimate system software to schedule and manage the use of platform resources.

While sensitive data must be protected from attack by rogue software running at high privilege levels, legitimate system software must be allowed to do its job.  It is unacceptable to require protected applications to take over or significantly disrupt the basic operating system features (job scheduling, device management, etc.).  Operating systems have evolved over many generations to perform these roles well, and requiring a duplicate, parallel environment would be impractical.

I will follow up shortly with more details on the remaining objectives.

I am constantly on a quest to add support for more devices and this week I got one more... ChromeOS! Now, it's not official support really, what I did was put my x86 based Google Chromebook in developer mode and then fixed up the Linux/x86 mesh agent so it could run on it. So, this is only for people that are developers of know what they are doing. It took me a while to figure out how to get it going, but here are the basic steps:

• Remove the battery under the Chromebook and toggle the switch to the other position to enable developer mode.
• Turn the computer on, press CTRL-D at the error mesage, follow instructions it will take a few minute.
• Once booted again, hit CTRL-D again and you will be at the desktop... the device is basicaly "rooted".
• Press CTRL-ALT-T to enter the console.
• Type "shell" and "sudo sh" to login as root.
• Type a few commands to re-mount the file system in read/write mode. (You can Google this part).
• In Meshcentral.com, "My Account" and "Install". Select the Mesh and Linux/x86 agent and cut & paste the script into the terminal.

That is it. I have not looked at adding the Mesh Agent so it can auto-start yet. I need to work on that. I did a video showing that Meshcentral with ChromeOS looks like.

Enjoy!
Ylian
meshcentral.com

Well, this is exciting! A week back we released and started testing a new Mesh Agent for Android published on the Google Play store. You can now manage your Android devices from Meshcentral.com! Since the new agent is just a normal Android application, you only need to install and activate it and you are ready to go. So, if you already have a Meshcentral.com account, just go to "My Account" / "Install" and select "Android/All" as the type of agent you want to install. Follow instructions from there.

If you are just getting started with Meshcentral.com, we published a Powerpoint presentation that shows how to install the new Mesh Agent step-by-step. Create a meshcentral account and get started, it's free. Actualy, it's not completely free, we need your feedback on any problems you encounter. If you have feedback, go to the Meshcentral information page and mail us.

Now, once you get the Mesh agent installed, what can you do? For now you can remotely access your files on the Android device from Meshcentral.com. You can rename, move, upload, download, etc. You can also make the device vibrate, flash the light and send little remote messages. We have a Youtube video demonstrating the installation and the features of this agent.

Now for the technical part: Rick, my cubemate at Intel is the brains behind this new mesh agent port. The agent on Android is compiled using the Android NDK, so it's mostly native code which makes it very fast and efficient. We compiled the agent in what is called a "fat" binary, with x86, ARMv5, ARMv7 and MIPS architectures all rolled into one. The agent package is larger as a result of the support for all 4 architectures, but I hear Google optimizes this so you only keep in your phone the binary that is compatible with your phone.

Enjoy!
Ylian
Meshcentral.com

Instructions on how to install the Mesh agent on Android.

Overview of the network routing used with Meshcentral.com and the Mesh Agent

Right next to where I sit at Intel sits Rick Edgecombe who now works full time on the Mesh Agent for Android. Last week he released a new version of the Mesh Agent on the Google Play store with many new features. Essentially, the new agent can relay Android API calls from the web to the Android operating system. So, you can call a command in Javascript and that command will be relayed to the Android device. This new API relay feature can be used to do a lot of things.

Then, with the help of Matt Primrose, another co-worker that sits next to me, we updated the Android actions on Meshcentral.com so users could make use of some of the new features. We now have remote dial, open a web page, remote text messaging, access for calandar and contact information. All this in addition to flash, vibrate and alerts we had before.

So, if you want to try these new features, add your Android device to Meshcentral and check out the new features. We have a Youtube video demonstration and a screen shot of the new features below.

Enjoy!
Ylian
https://meshcentral.com

下载Introducing 4th Generation Intel® Atom™ Processor, BayTrail, to Android Developers.pdf

Abstract