Product Guide
McAfee ePO Deep Command 2.1.0
For use with ePolicy Orchestrator 4.6.x, 5.x.x Software
• Intel® AMT-enabled chipset
• Network hardware and software
• Corporate network connection (with an AC power source)
Setting up the environment requires
• From the Intel® AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties, Check New Policies, and Enforce Policies.
• Cl
7. In the System Tree, assign the policy to the required systems or group.
• To assign the policy to selected systems, select the systems, click Actions
4. In Run the following Command afterward (optional), select the product, task type, and client tasks.
Client tasks that require a system restart must be
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Policy Comparison, select ePO Deep Command 2.1.0 or ePO
c. Type the Intel® MEBX password, then retype it to confirm.
Select Show Password to see the password as you type. Password confirmation is not required
• For Kerberos account,
1. Select New Kerberos User or New Kerberos Group, as needed, select the required user or group, then click OK.
2. Select the user or
Tasks
• Turn on your systems on page 106
The Power On feature allows your Intel® AMT systems to deploy the updated security programs ahead of a potential
Obtain User Consent
Obtain User Consent to perform Intel® AMT actions using a passcode generated on the Intel® AMT system screen to connect.
Task
For opti
4. (Optional) In Additional Action, select Launch Serial-over-LAN Terminal (SOL) to access the target system from the server side.
You can use the arrow k
Connect to a system using the Serial-over-LAN
Serial-over-LAN (SOL) is a mechanism that enables the input and output of the serial COM port of a managed
Management Framework module
The ePO Deep Command Management Framework module delivers "beyond-the-operating system" security management. This
• The recovery operating system image file must be an .iso file shared on a UNC mount. It must be shared and accessible by the Agent Handler. Also, mak
See also
Connect to a system using the Serial-over-LAN on page 109
McAfee KVM Viewer options on page 127
Stop image redirection
You can stop an in-progr
Automate Intel AMT policy enforcement
Create and use the server tasks to enforce Intel® AMT policies and turn on the remote Intel® AMT systems at a sche
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, from Server Tasks, click New Task.
2. In Description, type a name for th
• Renew Active Directory Password — Resets the password of the Active Directory object representing the Intel® AMT system.
• Renew Administrative Passwo
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Client Task Comparison, select ePO Deep Command 2.1.0 as
Name | ID | Generates when...
Configuration events
Deep Command - Configure Failure | 34362 | A configuration attempt has failed.
Deep Command - Unconfigure Failure | 3
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Configuration | Server Settings, select Event Filtering,
File name | Location | Description
AMTRCSMgmtService_out.log | ..\Program Files\McAfee\ePO Deep Command RCSManager\AMTRCSMgmtService_out.log | Provides a log of
9 Connecting to Intel AMT systems using KVM
With the McAfee KVM Viewer, you can remotely access Intel® AMT systems using the Keyboard-Video-Mouse (KVM) fe
McAfee KVM Viewer module
Administrators can use the McAfee KVM Viewer module to remotely access Intel® AMT systems that are KVM-enabled and -supported.
KVM Viewer overview
Use the McAfee KVM Viewer to remotely access your Intel® AMT systems and perform actions such as Power on, shutdown, start or restar
KVM requirements
Make sure that your system meets these requirements to connect to a system from McAfee KVM Viewer.
System | Requirements
KVM host system (f
Add McAfee root CA certificate
Import the McAfee ePO Deep Command root CA certificate to the KVM host system to authenticate a KVM connection. This task
Use Microsoft Management Console
Add the McAfee ePO Deep Command Root CA certificates, when used, to the certificate store of the system where you'
Task
1. From the KVM host system, browse to the folder where McAfee KVM Viewer is stored, then double-click the MKVMView file.
2. On the McAfee KVM Viewer Co
• Authentication settings — Provide credentials used in the configuration profile policy or under Intel® AMT credentials in Server Settings. Or select
Connect to a local system
Connect to a local Intel® AMT system to send power control commands to the client.
Task
1. From the KVM host system, browse to th
Task
For option definitions, click ? in the interface.
1. From the McAfee KVM Viewer screen, click Connection | Stop.
The current active session is stopped
Option | Suboption | Description
Wireless Link Preference
Allows selecting the link preference for a session connected over a wireless connection. For a syste
10 Troubleshooting
Error messages are displayed by programs when an unexpected condition occurs that can't be fixed by the program itself. Use this
Getting started
Before using ePO Deep Command, make sure that you have specific software, hardware, and network configurations in place.
Setting up your
Issue | Description | Corrective action
Exit code 32 | A certificate request has been sent to the Certification Authority but the created certificate has put it
Issue | Description | Corrective action
Configuration/unconfiguration task fails with this error in Server Task Log: Intel® AMT unconfiguration failed. Initial
Issue | Description | Corrective action
HTTP 401 in AMTservice.log | This issue occurs when the server is not able to authenticate and connect to the Intel® AMT s
Issue | Description | Corrective action
Socket Error — Redirection port is not enabled on the Intel® AMT System. This error also occurs when a certificate or a
IDE-Redirection
Issue | Description | Corrective action
IDE-Redirection session does not initiate | This issue might occur due to various reasons. | Perform these c
Remote Access using the Gateway server
Issue | Description | Corrective action
Remote Access connection fails with "Unknown CA" error in the Stunnel
Wireless
Issue | Description | Corrective action
IDE-Redirection over a wireless connection fails with this error: Boot disk missing, please insert boot disk
Issue | Description | Corrective action
Intel® AMT policy enforcement fails with errors similar to these errors in AMTservice.log:
• Failed to convert time of
Issue | Description | Corrective action
Remote Access request using Get Technical Help in the Intel® Management and Security Status tool fails with an error st
Issue | Description | Corrective action
Alarm Clock policy doesn't enforce | This issue might occur due to various reasons. | Perform these checks, then perfo
Architecture and how components communicate
ePO Deep Command is comprised of multiple modules, which help you identify, manage, configure, and troublesh
Issue | Description | Corrective action
Some AMT commands not work when selected from Automatic Response | New Response | Actions | Run System Command
Some of
11 Frequently asked questions
Here are answers to frequently asked questions.
Power on and Normal boot or restart
What happens if a normal boot or restar
• Client Tasks are enabled.
• Appropriate managed products are installed on the Intel® AMT system.
• Intel® AMT system is able to communicate with the A
• Intel® Management and Security Status (IMSS)
• ACUconfig status or SystemDiscoveryProperties
When does the Last Power On Time parameter get updated on
3. Locate and select the Unconfigure Network Access option.
A warning message stating that the configuration is reset to the default values appears.
4. Press
A Additional information
See these topics for more information that you may require to set up or manage ePO Deep Command.
Contents
Create a configurat
4. If using Digest authentication, skip to the next step. Otherwise, in the Active Directory Integration page, click ... next to Active Directory OU and
6. On the Transport Layer Security (TLS) page, select Request certificate via CA plugin to configure the profile that recognizes McAfee ePO Deep Command
7. On the Network Configuration page, perform these steps to set up wireless connections, then click Next.
a. Select Allow WiFi connection with the followi
• IDE redirection
• KVM redirection
b. In Power Management Settings, select Always on (S0-S5).
c. In Network Settings, type the password for locally accessing
Step | Details
1 | Discovery and Reporting plug-in is installed on McAfee ePO, then deployed to client systems. This plug-in detects the Intel® AMT systems
Set up the environment for Microsoft CA authentication
To use certificates generated by Microsoft CA, perform these tasks in addition to the other mand
Import certificates to server
In an environment where McAfee ePO is deployed across different domains, import Microsoft CA certificates to the system wh
Task
1. On the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.
2. From the Console Root tree, right-c
3. Right-click the Certificate Templates and select Manage.
4. In the right-pane, right-click the Computer template and select Duplicate Template to open t
Enable the certificate template
Enable the certificate template that you created for Intel® AMT configuration.
Task
1. In the Certificate Authority server
Task
1. From the Intel® SCS Console, click the icon to create a profile and to open the Configuration Profile wizard.
2. In Profile Description, enter a uniq
c. In Network Settings, type Intel® ME BIOS Extension (MEBX) password for locally accessing the MEBX settings (default is admin on a new system).
If you w
6. Select Include all certificates in the certification path.
7. Type a password, then save the file with a .pfx extension. For example, test.pfx.
8. Run thes
Task
For option definitions, click ? in the interface.
1. Click Start | Administrative Tools, then click Server Manager.
2. Expand Configuration, right-click
Modify DCOM permissions to add domain computers
The configuration process requires appropriate DCOM permissions for domain computers in the server wher
c. Add Domain Computers if it's not listed, then allow these permissions for the Domain Computers group.
• Full Control
• Read
• Special Permission
8. Close
Intel® AMT action logs
Here is the information about the feature-wise list of log entries created as a result of Intel® AMT actions.
Table A-1 Server Ta
Table A-2 Audit Log entries (continued)
Feature | Audit Log entry | Description
Normal Boot/Restart | Initiated Normal Boot/Reboot | Displays when Normal Boot/
IP address" print "Provide help as the first parameter to get more information"else: if input == "help" or input == &qu
try: print "Error in doing OOB Policy Enforcement on as the command failed to invoke properly due to the following err
2 Installation
Perform a series of tasks to set up your ePO Deep Command software.
1. Make sure that your system meets the requirements.
2. Install the ePO De
Requirements
Verify that your system meets these requirements before you start the installation process.
System requirements
Systems | Requirements
McAfee
Software requirements
Make sure that you have the required software installed for the ePO Deep Command module that you're installing.
Software Requ
COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee
Upgrade requirements
You can upgrade to ePO Deep Command 2.1.0 from the software version 2.0.0.
Supported Intel® AMT versions
Some features aren't
Required ports
Make sure that your network security software doesn't block ports and services that are needed for Intel® AMT communications.
Add the
Services installed on managed Intel® AMT systems
Service/process | Feature | Ports | Description
AMTMgmtService.exe | Remote configuration | 135 | This process config
ePO Deep Command components in Software Manager
Here are the components that you see in Software Manager, when you select ePO Deep Command from the prod
Install the software
Install the extensions and deploy them to manage your Intel® AMT systems.
Tasks
• Install or upgrade the ePO Deep Command extensions
Deploy the Discovery and Reporting plug-in
Deploy the Discovery and Reporting plug-in to Intel® AMT systems.
Before you begin
Make sure that the plug-in
Deploy the Management Framework client
Deploy the Management Framework client to your Intel® AMT systems to manage them using Intel® AMT actions, polici
3. In Trusted Root Certificates, a pre-activated McAfee ePO Deep Command Root CA (CN=McAfee ePO Deep Command Root <Date and time>) is listed. If yo
5. In Credentials for Intel® AMT actions, select Change credentials, then select Use above credentials, or type the username and password. Use domain\us
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | User Management | Permission Sets.
2. Select the permission
Contents
1 Introduction
Product features
Intel AMT overview
Product components
Manage certificates
Use certificate management options to export an ePO Deep Command root CA certificate for reuse, import it, or regenerate it with the
3. For Trusted Root Certificate, click Generate New Certificate.
A new entry is added for McAfee ePO Deep Command Root in Trusted Root Certificates.
4. Sele
Uninstall the ePO Deep Command client
Create a client task to remove the client from Intel® AMT systems, then assign it to the systems.
Task
For option d
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Software | Software Manager.
2. On the Software Manager pag
3 Basics of Intel AMT configuration
You must configure your Intel® AMT systems before you can manage them using ePO Deep Command.
You can configure your
Host-based configuration
In this method Intel® AMT systems are configured locally using an XML profile containing the required configuration settings.
Th
Client Control mode network architecture
This illustration is an overview of a network configuration where your Intel® AMT systems support Client Contro
Host-based configuration authentication
For host-based configuration, provide credentials for Intel® AMT configuration and use McAfee ePO Deep Command R
Admin Control mode network architecture
This illustration is an overview of a network configuration where your Intel® AMT systems support Admin Control
4 Configuring Intel AMT systems
Synchronize with Windows Active Directory
Register Windows Active Directory server
How RCS Manager plug-in works
The RCS Manager plug-in helps you manage the configuration of your Intel® AMT firmware, through McAfee ePO.
This diagram il
Certificates for TLS
You can use the Transport Layer Security (TLS) protocol to secure and authenticate communications across your network.
Intel® AMT us
Configuration states
ePO Deep Command adds a system property to determine the configuration status of Intel® AMT systems.
• Pre-configuration — By defaul
4 Configuring Intel AMT systems
You can configure an Intel® AMT system using host-based configuration or remote configuration.
• Host-based configuration
3. On the Details page, complete these options.
a. Select Active Directory from LDAP server type, then type the DNS-style domain name or IP address of the s
Tasks
• Import a configuration profile template on page 45
Import a configuration profile that you created in the Intel® RCS console or by using ACUWizar
Task
Create policies based on the default policies such as McAfee Default or My Default. The default policies provide templates where you can add the da
f. In AMT User accounts and rights, perform one of these steps:
• For Digest account, click New Digest User, type user name, type password, retype passwo
• IP address — Select the source for the IP address settings:
  • DHCP — from the DHCP server.
  • Static — the same IP address as the host.
• FQDN — Select
4. In Credentials for Intel® AMT actions, do one of these:
• Use the default ePO_Admin account — Select Use above credentials, then select Show password
Create the Intel AMT configuration policies
Create the Intel AMT policies
Creating the Client Task
Perform remote configuration
Install and configure the RCS Manager plug-in to manage the Intel® AMT firmware configuration from McAfee ePO.
Before you be
• Intel® AMT systems must not be in a virtual private network (VPN) environment. Home domains of McAfee ePO and Intel® AMT systems differ in VPN enviro
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Software | Software Manager.
2. On the Software Manager pag
Configure Intel AMT systems using remote configuration policy
Create and enforce a remote configuration policy and select the Intel® RCS server and con
See also
Create a policy to configure Intel AMT systems on page 94
Enforce Intel AMT configuration policy on page 111
Test your connection to an Intel A
Unconfigure Intel® AMT systems using policy
You can unconfigure your Intel® AMT systems using the Intel® AMT configuration policy.
Task
For option defini
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Reporting | Queries & Reports, then select ePO Deep
5 Setting up your environment for Remote Access
The McAfee ePO Deep Command Gateway server acts as a proxy responsible for mediating communication between
Remote Access depends on these components:
• McAfee ePO
• Intel® AMT systems configured for remote connectivity. (In some environments, these systems ar
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Software | Software Manager.
2. On the Software Manager pag
Create a configuration profile that uses Microsoft CA certificates
Generate certificates for Stunnel using Microsoft CA
5. Copy the files to the Stunnel installation directory. For example, C:\Program Files (x86)\stunnel.
You can also rename these files:
• CN_McAfee_ePO_Deep
2. In cert, key, and CAfile, replace the file names and location for cira.pem, cira.key, and ca.cer respectively with the actual values.
3. In ciraamt, use
6 Enabling Intel AMT wireless manageability
With Intel® AMT over a wireless connection, you can perform Intel® AMT actions on systems within the enterpris
Prerequisites for using wireless with ePO Deep Command
Consider these guidelines while performing Intel® AMT actions on the wireless clients.
• Intel® A
An Intel® AMT wireless profile might not be updated when:
• A profile with similar "SSID" is present on the system.
• The system is configured
4. On the Optional Settings page, select Network Configuration, select WiFi Connection, then click Next.
5. On the Network Configuration page, perform thes
b. Complete these settings, then click OK.
• Setup Name — Type a name for the Wi-Fi setup (up to 32 characters, and must not contain (/ \< >: ; * |
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, navigate to System Tree and open the system details of the wireless cl
7 Reporting on your Intel AMT systems
With the ePO Deep Command Discovery and Reporting software, you can quickly determine the status of the Intel® AMT
1 Introduction
McAfee ePO Deep Command provides centralized control to your Intel® Active Management Technology (AMT) systems regardless of whether they
Query | Description
Intel® AMT Configuration State | Displays a pie-chart of different Intel® AMT configuration states for all detected systems supporting Int
Predefined RCS management queries
When the Profile Manager software is installed on McAfee ePO, these predefined queries are added to the ePO Deep Comma
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, click Menu | Reporting | Queries & Reports.
2. From the Groups pane,
Group | Filter | Filters the results based on...
BIOS Release Date | The release date of the BIOS running on Intel® AMT systems.
BIOS Version | The version number
Group | Filter | Filters the results based on...
KVM | Whether the KVM (Keyboard, Video and Mouse switch) feature is supported on Intel® AMT systems.
Last Error
Group | Filter | Filters the results based on...
Wired Link Status | Whether Intel® AMT systems' physical network connection is functioning.
Wired MAC Addr
• CILA Supported — Determines the number of managed systems that support Local Access connections out of the total number of managed systems. The admin
• Intel® AMT Configuration Mode — Determines the different configuration modes that are present in the total number of managed systems. Because ePO Dee
• Intel® AMT Version — Displays the different versions of Intel® AMT hardware present on the managed systems. Because ePO Deep Command supports specifi
• SOL Supported and Enabled — Displays the number of managed systems that support SOL connections out of the total number of managed systems. This moni
Feature | Description
Intel® AMT firmware configuration | Use ePO Deep Command to perform host-based configuration or remote configuration on your Intel® AMT
Management Summary dashboard
The Management Summary dashboard displays a collection of monitors based on the results of the default ePO Deep Command Fra
• Intel® AMT Configuration Events by Event type — Displays a pie chart representing the number of configuration events for all detected Intel® AMT syst
• Ready for Host Based Configuration — Displays a pie-chart representing the number of Intel® AMT systems that meet and that do not meet the host-based
• Troubleshoot Remote Devices (KVM) — Displays a pie-chart representing the number of Intel® AMT systems that can be accessed using McAfee KVM to troub
• Quick reset of pre-boot password on McAfee encrypted devices — Displays a pie-chart representing the number of Intel® AMT systems that can reset thei
• Wake-up devices for security scans and updates — Displays a pie-chart representing the number of Intel® AMT systems that can automatically update the
Property | Description | With Intel® MEI driver installed | Without Intel® MEI driver installed | Non-Intel® AMT System
CILA | Reports whether the Client-Initiated Local Acce
Property | Description | With Intel® MEI driver installed | Without Intel® MEI driver installed | Non-Intel® AMT System
Configuration State | Reports the configuration state f
Property | Description | With Intel® MEI driver installed | Without Intel® MEI driver installed | Non-Intel® AMT System
Intel® MEI Version | Reports the version number of the
Property | Description | With Intel® MEI driver installed | Without Intel® MEI driver installed | Non-Intel® AMT System
Last IDE-R Session Status | Reports whether the status
Feature | Description
Maintenance tasks | Configure these maintenance tasks:
• Synchronize Intel® AMT time
• Renew Active Directory password
• Synchronize net
Property | Description | With Intel® MEI driver installed | Without Intel® MEI driver installed | Non-Intel® AMT System
Reported Local Alarm Clock Time | Displays the alarm clo
Property | Description | With Intel® MEI driver installed | Without Intel® MEI driver installed | Non-Intel® AMT System
Wireless IPv4 Address | Reports the IPv4 address receiv
Option | Definition
Host-Based Configuration | Whether host-based configuration is supported on the client: Supported or Not Supported.
Is Embedded HBC Enable
8 Managing your Intel AMT systems
Manage the Intel® AMT systems in your network by using Intel® AMT policies, client task execution policies, Intel® AMT
Create the Intel AMT configuration policies
Use the AMT Configuration Policies category to create policies to configure or unconfigure your Intel® AMT
3. Select Allow ePO to enforce these settings, then perform one of these steps based on configuration mode of systems.
• Admin Control mode — Select Remot
Create the Intel AMT policies
Use the AMT Policies category to create a policy to turn on your Intel® AMT systems, configure Local Access or Remote Acce
5. Select Repeat Every to specify the days, hours, and minutes to turn on your systems at regular intervals, then save the policy.
6. In the System Tree, as
6. Click Save.
7. In the System Tree, assign the policy to the required systems or group.
• Systems — Select the systems, click Actions | Agent | Set Polici
Task
For option definitions, click ? in the interface.
1. In the McAfee ePO console, from Policy Catalog, select ePO Deep Command 2.1.0 as the product and