Intel SM (Standard Manageability) configuration

[sysadmin-us]

How to install MeshCentral in localhost with root certificate, and configure intel AMT devices in ACM with CIRA,

Is there any way to do everything in offline mode?

[Ylianst]

This is a big question. Start by watching this video from my old MeshCentral video series. It will show the basics on how to get AMT setup with CIRA.

[smartekIT]

in my case server is in hybrid mode. when i try to connect a client through the internet with meshcmd and the setup command from that group (AMT only no agent group), in the meshcmd command window on the client computer all the steps goes well until the CIRA after adding the root certificate then it says invalid CIRA state. while at the meshcentral webpage i see the client get registered in the group there but it's greyed out !!!! tried to delete that group and create another one, now what happened is one of the clients registered there but still greyed out while the second client shoed the same result in the cmd when running the meshcmd command but on the server it's not registered anymore in that group or any group.

for being greyed out i don't know why it's like that if it could register on the server, but can't do any thing else, advised in the server Trace tab, server shows all the log from the client connection steps !!!! but connected to the web socket then closed web socket connection. !!!

for the second issue where the client stopped even appear greyed out or not, even though it used to appear in the deleted group but greyed out, i checked in the client level with (meshcmd amtinfo) and it shows connection status (undefined) where before it used to show (Direct). also in the server checking amtaction.txt file, i can see the client got a new password and it's uuid is there but the (mesh//xxxxx) is for the deleted group which doesn't exist anymore. so no matter what meshcmd config command i issue in the client still register itself on the server with the wrong deleted group !!!

further troubleshooting for both the greyed out client and the client which even stopped from appearing on the server, i can do (meshcmd MicroLMS) and certificates are there (root and client) but when try to add connection to the server manually through port 4433 i get error 400 no matter what i used (DNS name or IP address of the server).

[smartekIT]

by the way when i go to https://subdomain.domain.com:4433 from the client pc, I can see the message: MeshCentral MPS server. Intel® AMT computers should connect here. and also the certificate is the untrusted self-signed certificate issued from your root certificate for my server. which i think indicate that my server and ports are configured correctly.

also i tried the server provisioning by going to http://subdomain.domain.com:9971 which will give me: Intel AMT hello server. Intel® AMT devices should send notification to this port for activation.

[smartekIT]

by the way I don't have any of these problems when connecting using agents. it's just the AMT thing.

[smartekIT]

this is what happend for the device not appearing on the server list anymore:

Setting up MEI...
Setting up LME...
Starting Intel AMT configuration...
Started APF tunnel...
Checking Intel AMT state...
Succesfully activated in CCM mode, holding 10 seconds...
Intel AMT connected.
Performing clock sync.
Performing Commit()...
Enabled TLS, holding 10 seconds...
Intel AMT connected with TLS.
Performing clock sync.
Added server root certificate.
Invalid CIRA state.

c:\Users\Admin\Desktop>meshcmd amtinfo

Intel ME v8.1.20, activated in Client Control Mode (CCM).
Wired Enabled, DHCP, 00:00:00:00:00:00
Connection Status: undefined, CIRA: Disconnected.

[smartekIT]

this is what happened for the client appearing in the server list but greyed out:

Setting up MEI...
Setting up LME...
Starting Intel AMT configuration...
Started APF tunnel...
Checking Intel AMT state...
Succesfully activated in CCM mode, holding 10 seconds...
Intel AMT connected.
Performing clock sync.
Performing Commit()...
Enabled TLS, holding 10 seconds...
Intel AMT connected with TLS.
Performing clock sync.
Added server root certificate.
Invalid CIRA state.

c:\Users\Admin\Downloads>meshcmd amtinfo
Intel SM v8.1.72, activated in Client Control Mode (CCM).
Wired Enabled, DHCP, F0:XX:XX:XX:XX:B1, 10.1.1.2
DNS suffix: home.gateway
Connection Status: Direct, CIRA: Disconnected.

[smartekIT]

both clients connecting using agent just fine

[jsastriawan]

The first one it looks like the active Ethernet being used by your computer is not AMT capable NIC. Typically NIC with -LM suffix is the AMT NIC.

The second example seems a Standard Manageability system. It has subset of AMT capability without CIRA and it looks like it has correct IP address. I hope this help.

[smartekIT]

but the first one you referring to, was connecting before and registering in that group list on the server but of course greyed out in the list, no not even appeared there and nothing was changed on it's NIC !!!! i think we need the cleanup.mescript and setup.mescript but where can i get them from?

[Ylianst]

Oh. I see the problem. For my reference, the error comes from here.

If you look at the following:

c:\Users\Admin\Downloads>meshcmd amtinfo
Intel SM v8.1.72, activated in Client Control Mode (CCM).
Wired Enabled, DHCP, F0:XX:XX:XX:XX:B1, 10.1.1.2
DNS suffix: home.gateway
Connection Status: Direct, CIRA: Disconnected.

It says "Intel SM v8.1.72". That is Intel Standard Manageability. This is not Intel AMT. Standard Manageability does not have CIRA or KVM support. So, this explains why CIRA can't be setup.

Yes, the device will show up in the device group, but since CIRA is not supported, the device will never connect and so, it will always stay gray. I need to change the error message to make it clear CIRA is not supported on this device. I also need to change MeshCMD to not display CIRA state if the device is not capable of it.

[smartekIT]

Thanks, but how about the other one where it says Intel ME v8.1.20 ? That client stopped from appearing in the list group and instead in the log it shows it trying to connect to a deleted group. and on it's status saying undefined.

[Ylianst]

Oh, I see the Intel ME now. I fixed your post above to make it clear. That device does not support CIRA for sure, but I don't know what that device is. Certainly not Intel AMT. Can you type "meshcmd amtversions" and report back?

C:\Temp>meshcmd amtversions
BIOS Version = 1.10.0
Flash = 12.0.71
Netstack = 12.0.71
AMTApps = 12.0.71
AMT = 12.0.71
Sku = 16392 (AMT, Corporate)
VendorID = 8086
Build Number = 1681
Recovery Version = 12.0.71
Recovery Build Num = 1681
Legacy Mode = False

This is the report on my AMT 12 machine. You can see the "Sku" line will clearly indicate AMT. I wonder what your device will report.

[smartekIT]

c:\Users\Admin\Desktop>meshcmd amtversions
BIOS Version = ENB7510H.86A.0045.2013.0307.1509
Flash = 8.1.20
Netstack = 8.1.20
AMTApps = 8.1.20
AMT = 8.1.20
Sku = 73728 (AT-p)
VendorID = 8086
Build Number = 1336
Recovery Version = 8.1.20
Recovery Build Num = 1336
Legacy Mode = False

[smartekIT]

discovered something interested in this one, i just updated the bios from 0045 to 0046. looking at this machine details in meshcentral server which connected by agent it shows the bios been updated.

BUT

when doing command in that machine it still showing the old bios 0045. so i wanted to cut off the doubt, so rebooted and looked at the bios and yes it's been updated to 0046, which leads to meshcmd some how caching old data and not updating. and this guide me to think that whenever i do meshcmd config --url (setup comand) it still trying to connect to an old deleted group no matter what the server ID or server hashes or whatever details in the setup command !

[Ylianst]

There is no caching in MeshCMD, this is just how the Intel ME is reporting it. Intel ME gets updated information about the BIOS on next reboot.

[smartekIT]

thanks but i already rebooted the system and still the Meshcmd amtversions showing the old bios not the current one!! same with config --url , it still trying to connect to the deleted group ignoring my setup command !!

BIOS Version = ENB7510H.86A.0045.2013.0307.1509
Flash = 8.1.20
Netstack = 8.1.20
AMTApps = 8.1.20
AMT = 8.1.20
Sku = 73728 (AT-p)
VendorID = 8086
Build Number = 1336
Recovery Version = 8.1.20
Recovery Build Num = 1336
Legacy Mode = False

and the following is what shows in mechcentral for this client using agent:

[Ylianst]

This is a bug to report to Intel, nothing MeshCmd can do about that.

[Ylianst]

Just made a change to MeshCentral, instead of "Invalid CIRA state", it will say "This device does not support CIRA." and keep going to with configuration.