Active Management Technology (AMT)

From TBP Wiki

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers. It runs on the Intel Management Engine, a separate microprocessor that neither the user nor the host operating system sees, and is used to monitor, maintain, update, upgrade and repair those computers. Out-of-band (OOB) or hardware-based management differs from software-based (in-band) management and from software management agents in that it does not depend on the host operating system being installed, running or intact.

Intel AMT includes hardware-based remote management, security, power management, and remote configuration features that enable independent remote access to AMT-enabled PCs. Intel AMT is security and management technology that is built into PCs with Intel vPro technology.

Hardware-based AMT features on desktop PCs include:

  • Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
  • Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
  • Remote power up / power down / power cycle through encrypted WOL.
  • Remote boot, via integrated device electronics redirect (IDE-R)
  • Console redirection, via serial over LAN (SOL)
  • Keyboard, video, mouse (KVM) over network.
  • Hardware-based network filters: packet-header filters that check inbound and outbound traffic against known threats (programmable rules that match header fields only), and time-based filters that apply heuristics over a time window to catch known and unknown threats. Laptops have packet-header filters; desktop PCs have both packet-header filters and time-based filters.
  • Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
  • Agent presence checking, via hardware-based, policy-driven programmable timers: the in-band agent must check in before the timer expires. A "miss" generates an event, and this can also generate an alert.
  • OOB alerting.
  • Persistent event log, stored in protected memory (not on the hard drive).
  • Access (preboot) to the PC's universally unique identifier (UUID).
  • Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
  • Access (preboot) to the third-party data store (TPDS), a protected memory area that software vendors can use to store version information, .DAT files, and other data.
  • Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
  • Protected Audio/Video Pathway for playback protection of DRM-protected media.
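As an added example (not from this wiki page and not Intel's own code), the following Python model shows how the network filters, isolation circuitry, agent presence timer and protected event log listed above fit together: packet-header filters catch known threats by matching header fields, time-based filters count hits inside a sliding window to catch unknown threats, and the isolation circuitry responds by port-blocking, rate-limiting or fully isolating the host while recording each decision in a log the host operating system cannot reach. All traffic, timestamps, filter names and thresholds are constructed for the example; the real AMT filter language and its exact rate semantics are not represented.

```python
# Added example: toy model of an AMT-style out-of-band policy engine.
# Constructed for illustration; not Intel's filter language or firmware.
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: int           # milliseconds since start (constructed clock)
    direction: str    # "in" or "out", relative to the managed PC
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass
class HeaderFilter:
    """Packet-header filter: matches header fields only, never payload.
    A None field is a wildcard."""
    name: str
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        rules = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.dst_port, p.dst_port))
        return all(want is None or want == got for want, got in rules)


@dataclass
class TimeFilter:
    """Time-based filter: counts hits of a header filter inside a sliding
    window and fires once the count exceeds the threshold."""
    name: str
    header: HeaderFilter
    window_ms: int
    threshold: int
    action: str                            # "rate_limit" or "isolate"
    hits: deque = field(default_factory=deque)

    def record(self, ts: int) -> bool:
        self.hits.append(ts)
        while ts - self.hits[0] > self.window_ms:   # drop hits outside the window
            self.hits.popleft()
        return len(self.hits) > self.threshold


@dataclass
class AgentWatchdog:
    """Agent presence check: the in-band agent must call heartbeat() at least
    every interval_ms, otherwise the timer expires and a 'miss' is reported."""
    interval_ms: int
    last_beat: int = 0

    def heartbeat(self, ts: int) -> None:
        self.last_beat = ts

    def missed(self, ts: int) -> bool:
        return ts - self.last_beat > self.interval_ms


class IsolationCircuit:
    """The 'circuit breaker': port-block, rate-limit or fully isolate the host.
    Events go to a log the host OS cannot reach (modelled here as a list)."""

    def __init__(self, block_filters: List[HeaderFilter],
                 time_filters: List[TimeFilter]) -> None:
        self.block_filters = block_filters
        self.time_filters = time_filters
        self.blocked_ports: set = set()
        self.isolated = False
        self.events: List[Tuple] = []

    def handle(self, p: Packet) -> str:
        if self.isolated:
            return "drop:isolated"
        if p.dst_port in self.blocked_ports:
            return "drop:port-blocked"
        for hf in self.block_filters:            # known threats: header match
            if hf.matches(p):
                self.blocked_ports.add(p.dst_port)
                self.events.append((p.ts, hf.name, "port-block", p.dst_port))
                return "drop:port-blocked"
        for tf in self.time_filters:             # unknown threats: time heuristics
            if tf.header.matches(p) and tf.record(p.ts):
                self.events.append((p.ts, tf.name, tf.action, p.dst_port))
                if tf.action == "isolate":
                    self.isolated = True
                    return "drop:isolated"
                return "drop:rate-limited"       # over-threshold packet dropped
        return "pass"


def run_demo():
    """Feed constructed traffic through the model; return verdicts, log, state."""
    circuit = IsolationCircuit(
        [HeaderFilter("block-out-tcp-445", "out", "tcp", 445)],
        [TimeFilter("in-dns-burst", HeaderFilter("in-udp-53", "in", "udp", 53), 1000, 3, "rate_limit"),
         TimeFilter("out-tcp-burst", HeaderFilter("out-tcp", "out", "tcp"), 1000, 5, "isolate")])
    watchdog = AgentWatchdog(interval_ms=500)
    watchdog.heartbeat(0)                        # agent checks in once, then goes silent
    traffic = [Packet(0, "in", "tcp", 443),
               Packet(100, "out", "tcp", 445), Packet(200, "out", "tcp", 445)]
    traffic += [Packet(300 + 20 * i, "in", "udp", 53) for i in range(4)]
    traffic += [Packet(400 + 100 * i, "out", "tcp", 1000 + i) for i in range(6)]
    traffic.append(Packet(950, "in", "tcp", 443))
    verdicts = [circuit.handle(p) for p in traffic]
    if watchdog.missed(traffic[-1].ts):          # no heartbeat since ts 0
        circuit.events.append((traffic[-1].ts, "agent-presence", "miss", None))
    return verdicts, circuit.events, circuit.isolated
```

In the run, the single outbound packet to TCP 445 trips the known-threat header filter and port-blocks 445 for everything after it; the fourth inbound DNS packet within one second exceeds the rate-limit threshold and is dropped without isolating the host; the sixth outbound TCP connection within one second trips the isolate action, after which every packet is dropped regardless of its headers; and because the agent never sends a second heartbeat, the watchdog records a miss in the same protected log. The point for a defender is that all of these decisions are taken below the host operating system, so malware that disables the in-band agent is itself what generates the alert.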