User Consent

Intel® Active Management Technology Developers Guide

Download PDF

ID 772055

Date 1/05/2021

Version 2021

Public

Visible to Intel only — GUID: GUID-7C867AC6-D1E2-44D0-BD69-7839C4945D4E

View Details

Document Table of Contents

Document Table of Contents x

Intel® Active Management Technology Developers Guide

Intel® Active Management Technology Developers Guide x

Getting Started with Intel® Active Management Technology Discovery Configuration Wi-Fi* Connections Remote Power Management KVM Storage Redirection Remote Secure Erase Object Missing User Consent

Getting Started with Intel® Active Management Technology x

Intel® AMT Basic Concepts Intel® Active Management Technology 11 Intel® Active Management Technology 10 Intel® Active Management Technology 9

Discovery x

Integrating Intel® AMT Discovery into a Management Console

Configuration x

Integrating Intel® AMT Configuration into a Management Console Intel® SCS Configuration Tools

Intel® SCS Configuration Tools x

Intel® AMT Configuration Utility

Intel® AMT Configuration Utility x

Profile Creation, file only Profile Creation, USB Key - Single Use Profile Creation, USB Key - Multi Use Host Based Configuration via OS

Profile Creation, file only x

Profile Creation, Delta Profiles

Wi-Fi* Connections x

Wireless Configuration Concepts Wireless Configuration Methods

Remote Power Management x

Integrating Intel® AMT Remote Power Management Solution into a Management Console Remote Power Management of Intel® AMT Devices with InstantGo

KVM x

Integrating KVM feature into a Management Console

Remote Secure Erase x

Implementing Remote Secure Erase Remote Secure Erase FAQ

Intel® Active Management Technology Developers Guide

Getting Started with Intel® Active Management Technology

Intel® AMT Basic Concepts

Intel® Active Management Technology 11

Intel® Active Management Technology 10

Intel® Active Management Technology 9

Discovery

Integrating Intel® AMT Discovery into a Management Console

Configuration

Integrating Intel® AMT Configuration into a Management Console

Intel® SCS Configuration Tools

Intel® AMT Configuration Utility

Profile Creation, file only

Profile Creation, Delta Profiles

Profile Creation, USB Key - Single Use

Profile Creation, USB Key - Multi Use

Host Based Configuration via OS

Wi-Fi* Connections

Wireless Configuration Concepts

Wireless Configuration Methods

Remote Power Management

Integrating Intel® AMT Remote Power Management Solution into a Management Console

Remote Power Management of Intel® AMT Devices with InstantGo

KVM

Integrating KVM feature into a Management Console

Storage Redirection

Remote Secure Erase

Implementing Remote Secure Erase

Remote Secure Erase FAQ

Object Missing

User Consent

Console Integration of the User Consent Feature

Visible to Intel only — GUID: GUID-7C867AC6-D1E2-44D0-BD69-7839C4945D4E

View Details

User Consent

The User Consent feature of Intel® Active Management Technology (Intel® AMT) is one of the distinguishing differences between Admin Control Mode (ACM) and Client Control Mode (CCM). (See Intel® AMT Basic Concepts for more information.)

The User Consent feature adds another level of security for remote users. When redirection is required of the remote client, a User Consent code must be submitted. Accessing an Intel AMT device via the Intel® KVM Remote Control feature or executing storage redirection are considered redirection operations. While performing operations such as remote power management doesn’t redirect data, so the technician doesn’t need further authentication beyond the typical AMT authentication.

The User Consent code is provided on the client-side as a sprite on the Intel AMT device’s display. This sprite is generated by the Intel® GPU and is not available to the OS. This is a 6-digit code that the technician will use when making the connection requiring the consent, such as an Intel KVM connection. (see Figure 1)

Figure 1. The 6-digit User Consent code

Console Integration of the User Consent Feature

If the console performs client configuration using host-based configuration, then User Consent will be enabled by default, which makes the integration of the User Consent feature mandatory for redirection operations.

The basic steps in the process are:

Making the initial AMT connection:
Using the HLAPI, we can easily make the connection and authenticate with the firmware; the solution will require the use of several files: HLAPI.dll, imrsdk.dll, and IWSManClient.dll.

This is done by creating an object for each Intel AMT device. The instance is created using the AMTInstanceFactory.Create method and the IAMTInstance interface.
Requesting the User Consent code to be displayed:
The User Consent code can be generated by calls from the HLAPI either remotely or locally by using the DisplayConsentCode HLAPI method.
End user to provide the code to the technician:
This is a manual process as the sprite is not available to the CPU, so software-based means will not be able to “see” the code.
The admin console sends the User Consent code back to the Intel AMT client:
The remote operator will send the User Consent code as a string by the UserConsent.SendCode function.
Intel AMT client processes incoming code and enters into an in-session state:
The Intel AMT device authenticates the user consent code and then the Intel AMT device changes the ConsentProcessState enumeration to ReadyForSessionStart until such time as the SessionTimeout value of the UserConsentSettings has expired or a redirection operation has commenced that will change the enumeration of ConsentProcessState.InSession.SessionTimeout.

For more information, visit out site on the Intel AMT HLAPI User Consent feature.

*No product or component can be absolutely secure.

Parent topic: Intel® Active Management Technology Developers Guide

Level Two Title

Object Missing

Select Your Language

Using Intel.com Search

Quick Links

Recent Searches

Advanced Search

Only search in

Intel® Active Management Technology Developers Guide

User Consent