Introduction: You can remotely control Intel vPro based CPU that includes AMT using Linux. Intel Active Management Technology (AMT) is a combination of hardware, software and firmware technology for remote out-of-band management of servers, desktops, and laptop computers. AMT is built into modern CPUs such as i7, i5, Xeon (look for vPro) and based on Intel ME. This page shows how to remotely access Intel AMT KVM from Linux desktop when you have vPro enabled system from Intel. DASH is an acronym for Desktop and Mobile Architecture for System Hardware. A set of DMTF specifications for standardizing the management and security of desktop and mobile client systems independent of the machine state, operating system, and hardware vendor. DASH takes full advantage of WS-Management. As DASH has evolved, Intel AMT has moved towards increasing support for DASH standards. Intel AMT Release 5.1 and later releases comply with DASH 1.0.
How to install wsmancli/wsman on Linux to access KVM
Starting with Intel AMT version0 3.2, all Intel AMT features supported with WS-Management (Web Services Management protocol) DASH specification supported by both Intel vPro and AMD Pro CPUs. Openwsman is an opensource implementation of WS-Management. To interact with a wsman server.
Debian/Ubuntu Linux install wsmancli
Use the following apt command/apt-get command to install wsmancli:
$ sudo apt install wsmancli
RHEL/CentOS Linux Linux install wsmancli
Type the following yum command to install wsmancli:
$ sudo yum install wsmancli
Fedora Linux Linux install wsmancli
Enter the following dnf command to install wsmancli:
$ sudo dnf install wsmancli
How to configure Intel AMT/MEBx as for remote access
As pointed out earlier only vPro CPUs such as i7, i5 and Xeon CPU support Intel AMT. Intel does not support AMT on all processors but does include Intel ME in every CPU made since 2008. Boot your system and visit BIOS settings. For demo purpose I am going to use ThinkPad x230 laptop with Intel vPro. To enable Hardware KVM and Intel AMT find option that read as follows in your BIOS and enable it:
You mist save setting in BIOS and restart the computer. Press CTRL+p to configure the Intel Management engine and AMT hardware KVM by login into MBEx:
You must log in to MEBx. If AMT has never been set up on your server or desktop, use admin as password:
Setting up an IP address
- Enter “AMT Configuration“
- Set “Manageability feature Selection” to Enabled
- Press Enter to select “Network Setup” and choose TCP/IP Settings
Finally choose Wired LAN IPv4 Configurations. Set “DHCP Mode” to “Disabled” and set all IPv4 settings as per your network:
You are all. Press “ESC” key to get back to main menu. Enter “MEBx Exit” and wait until the system reboot. I suggest that you unplug your system for 1 minute and then plug it back.
How to access Intel AMT web interface
Once your system turned on. Go back to your Linux desktop. Fire a web browser and type the following url:
http://192.168.2.88:16992
Type username as “admin” and password set previously:
Remotely access Intel AMT KVM from Linux desktop
Create a Linux shell script as follows:
#!/bin/bash # Name: kvm.sh # Purpose : Control remote server/laptop/desktop using KVM and VNC client # Author: nixCraft {https://www.cyberciti.biz/} under GPL v3.x # ---------------------------------------------------------------------- xIP='192.168.2.88' xPASSWORD='PasssordHere' xVNC_PWD='In9t8el@' # random but must be 8 charter long xVNC_PORT='5900' wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h $xIP -P 16992 -u admin -p ${xPASSWORD} -k RFBPassword=${xVNC_PWD} wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h $xIP -P 16992 -u admin -p ${xPASSWORD} -k Is5900PortEnabled=true wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h $xIP -P 16992 -u admin -p ${xPASSWORD} -k OptInPolicy=false wsman put http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData -h $xIP -P 16992 -u admin -p ${xPASSWORD} -k SessionTimeout=0 wsman invoke -a RequestStateChange http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP -h ${xIP} -P 16992 -u admin -p ${xPASSWORD} -k RequestedState=2 echo "Open Linux vnc client. Use \"$xIP:$xVNC_PORT\" as host and when promoted enter \"$xVNC_PWD\" as password" |
Run the script:
chmod +x kvm.sh
./kvm.sh
For remote KVM use any standard Linux VNC client
So far we verified that web UI worked and ran the Linux shell script. It is time to access KVM console. Intel AMT KVM allows you to access the desktop remotely, install the operating system, change bios settings, turn on/off the system and much more. Open Linux VNC client:
Type the password as set in $xVNC_PWD and you should able to login to remote desktop using Intel AMT. You can reboot the device. Access BIOS. Unlock disk. Turn off PC. Turn it on from Web interface. Fix OS disk or networking. Install a new OS and so on.
Here is a quick demo that shows remotely access Intel AMT KVM from Linux desktop, BIOS, power on/off and other stuff one can do with it:
(HTML5 Video 01: Click to play)
Conclusion
I just used Intel AMT with vPro to remotely manage my laptop or server. Intel AMT enables sysadmin to manage remote servers, desktops, laptops regardless of the operating system installed. Intel AMT can be disabled or unprovisioned by the sysadmin to reduce security risk. Intel ME cannot be disabled on any Intel CPUs since 2008. Some vendor such as System76 and Dell allows disabling Intel Me. Next time I will talk about MeshCommander a web based tool for remote management of your Intel AMT computers.