perm_phone_msgUNDER ATTACK? S.O.S. LINE 0114 354 0054

Top Categories



Cyber security The Register

Ukraine blames Belarus for PC-wiping ‘ransomware’ that has no recovery method and nukes target boxen

After last week’s website defacements, Ukraine is now being targeted by boot record-wiping malware that looks like ransomware but with one crucial difference: there’s no recovery method. Officials have pointed the finger at Belarus. Fountain at Independence Square in Minsk, Belarus Targets of this new malware wave “span multiple government, [...]

Top Voted
Sorry, there is nothing for the moment.

How to scale endpoint management, improve employee productivity and reduce costs

Cyber security The Register today11/06/2020 97

share close

Sponsored Life is getting more complicated for IT professionals responsible for managing endpoint hardware. An expanding number of devices are connecting to the corporate network and the diversity of device types is also growing. This can include workers with business laptops to point-of-sale (PoS) terminals, digital signage systems and numerous smart devices that make up the Internet of Things (IoT).

At the same time many workers are using laptops and other devices outside of the office, and many digital signage and IoT systems are located at remote sites where it is costly and time consuming to send out engineers for maintenance and fix. Meanwhile, tech support teams are expected to help reduce operational costs and minimise downtime. To meet these challenges, IT departments need management tools that can reach out to devices and take control of them – regardless of their state or location; collect appropriate status information; and enable engineers to remotely fix any problem short of catastrophic hardware failure.

Requirements like these led to the development of the Intel® vPro® platform, a set of technologies embedded in the system hardware that deliver a full suite of enterprise-grade capabilities for devices based on Intel® Xeon® or Intel® Core™ vPro® processors. More specifically, a key feature of the Intel vPro® platform is Intel® Active Management Technology (Intel® AMT), which provides out-of-band network access at the silicon level. Capabilities include remote power control, access to BIOS settings, access to system information such as the hardware asset information and event logs.

An IT administrator can also invoke boot redirection, to force an endpoint system to boot from a different local or remote boot device, to load a known good instance of the operating system. Intel® AMT’s power control enables the tech department to power on systems so that whatever software update tools a company uses can run inside the operating system.

Because these capabilities are embedded in silicon, Intel® AMT gives an engineer access to a device built on the Intel vPro® platform – so long it is connected both to a known network and has power – even if the operating system will not boot and even if the system is powered down. Intel AMT thus allows the IT department to diagnose problems remotely, avoiding the need for a desk-side visit to fix an employee’s device. With the help of this technology, a small team of engineers could potentially manage thousands of endpoints. At launch nearly 15 years ago, Intel AMT was designed for wired management of systems on an Ethernet network. Later, the Intel® vPro® platform was also added to laptops, bringing IT departments the ability to diagnose, update and repair systems using Intel AMT over a Wi-Fi connection.

Outside the corporate firewall

However, the corporate IT environment has changed radically since those versions of the Intel vPro® platform made their debut. In today’s cloud-driven world, more and more employees are working while on the move or outside the traditional office environment. The covid-19 pandemic has accelerated this long-term trend, with vast numbers of employees working from home during this global lockdown period. And of course, devices operating outside the corporate firewall are more vulnerable to security risks. They must be kept refreshed with patches and software updates in order to reduce the threat attack surface.

Intel AMT has obvious utility here, but in surveying IT professionals Intel discovered some barriers to broader adoption of some of Intel AMT’s advanced features. These centred on the apparent difficulty in provisioning Intel AMT to endpoint devices and the management of some use cases such as remote wake-up and remote KVM.

Such difficulties might easily arise when attempting to activate Intel AMT on new machines that may have been delivered to remote branch offices with no IT staff on-site, for example, or to workers that are connecting to the corporate network from outside the firewall. To address these issues, Intel has extended the Intel vPro® platform with a new software service known as Intel® Endpoint Management Assistant (Intel® EMA), which builds on and modernises the capabilities of Intel® AMT.

Intel® EMA has been designed as a cloud-based point of control for managing endpoint devices wherever they may be, inside and outside the corporate firewall. It provides a user-friendly GUI interface that gives IT operators a view of the status of any particular device, and to carry out any necessary support tasks by clicking into a KVM session and taking remote control.

The platform is multi-tenant and so enables Intel’s service provider partners to support multiple customer organisations from a single cloud-hosted instance of Intel EMA. However, it can alternatively be deployed by an organisation itself onto one of the public cloud platforms, or even on-premises (in the latter scenario, Intel recommends the customer deploys Intel EMA into a DMZ to help manage endpoint devices outside the firewall). Intel EMA also comes with its own software agent that gets deployed onto each endpoint managed by the platform. This provides an easier way of activating and provisioning the Intel AMT capabilities on a device based on Intel vPro®platform. And it also means that Intel EMA can be used to manage any non-Intel vPro® platform-based endpoint system. The Intel EMA agent needs to be a Windows executable which must first be distributed to the endpoint devices, typically through a commonly used management system such as System Center Configuration Manager. Once on the device, the Intel EMA agent enables Client Initiated Remote Access (CIRA), which connects Intel AMT directly to the Intel EMA server.

Under CIRA, each device will call home to the management server, making it easier to discover and manage the device across different networks. To reduce the surface area for potential attacks, CIRA provides a more secure TLS-encrypted communications channel for management traffic traversing the internet while also disabling the legacy Intel AMT management ports on a device.

Productivity bonus

Even without Intel EMA, organisations can expect to see significant cost benefits from making effective use of the Intel vPro® platform and the capabilities of Intel AMT to manage their endpoint systems. A study conducted by Forrester Research estimated that a mid-size company with 750 desktops and laptops could expect to see reduced security support and management costs of up to $1.2m.

This has a knock-on effect on employee productivity, with the saving of an estimated 28,160 hours due to the reduction in IT support tickets and speedier remediation. In other words, workers need to make fewer support calls and spend much less time waiting for issues to be resolved.

Forrester estimated this boost to employee efficiency would be worth up to $1.3 million over three years to the organisation in the study. Another advantage of Intel EMA is that it can integrate into existing third-party management tools and consoles via a REST API, providing these with access to Intel vPro® platform manageability features. For example, Intel AMT monitors hardware inventory, including system assets and components, and provides a greater level of detail for the Configuration Management Database (CMDB) than many other management tools. There are some prerequisites for using Intel® AMT and Intel EMA. It requires a known network, such as the corporate LAN, to fit with supported network proxy and firewall configurations, and some network configurations may require specific generations of Intel® vPro® platform hardware. Intel® AMT also requires the network to support 802.1x authentication, and pre-shared keys for Wi-Fi networks.

And there are ultimately limitations on Intel® AMT and Intel EMA. For scenarios such as a hotel or a railway station, where the user typically has to open a browser to accept terms and conditions of use to access their Wi-Fi, a laptop with a dead operating system will not be able to authenticate to the network in order to connect to the Intel EMA server. However, few other tools are able to match the reach of the Intel vPro® platform with Intel AMT and the new Intel EMA cloud-based management service, which enables IT professionals to discover and connect with endpoints inside and outside the corporate firewall and carry out management and troubleshooting tasks, even if a target system will not start. By utilising the full spectrum of capabilities offered by the Intel vPro® platform, the IT department can quickly and efficiently scale endpoint management services while reducing support time and costs. This is a win-win for the business.

Sponsored by Intel®

See the original article here: The Register

Written by: The Register

Rate it
Previous post


  • 2

Cyber security ITPro.

What is a botnet?

Botnets came from humble beginnings, starting life as nothing more than docile systems that were designed to run repetitive tasks. The problem is, they were so good at what they ...

Designed by Cloud Boffins