Optimize Endpoint Management with Intel EMA | Learn the Key Configurations

Table of Contents:

1. Introduction
2. Overview of Intel Endpoint Management Assistant
3. Multi-tenancy in Intel EMA
4. Different Installation Options for Intel EMA
5. Benefits of Client Initiated Remote Access (CIRA)
6. Considerations for Cloud-based Install with Intel EMA
7. Network Requirements for Intel EMA
8. Supported Network Scenarios for Intel EMA
9. Difficult to Support Network Scenarios for Intel EMA
10. Provisioning Modes for Active Management Technology (AMT) in Intel EMA

Introduction

In this article, we will explore the high-level concepts of Intel Endpoint Management Assistant (EMA). We will discuss the various installation options, the benefits of client initiated remote access, network requirements, and provisioning modes for active management technology in Intel EMA. By the end of this article, you will have a better understanding of the key concepts and considerations for deploying Intel EMA for effective endpoint management.

Overview of Intel Endpoint Management Assistant

Intel Endpoint Management Assistant (EMA) is a multi-tenant platform that allows users to manage and monitor endpoint devices remotely. It provides out-of-band capabilities and remote management features, making it an ideal solution for systems integrators, ISPs, and IT departments. With EMA, you can have a single install and create multiple tenants, each with their own unique collection of computers. The tenants are isolated from each other, ensuring privacy and security.

Multi-tenancy in Intel EMA

The multi-tenancy feature in Intel EMA allows you to separate different types of users, devices, and groups for better organization and control. This is particularly useful for businesses with varied requirements or diverse user groups. For example, IT departments can create separate tenants for different departments or teams within the organization. This segmentation enables efficient management and easy customization based on specific business needs.

Different Installation Options for Intel EMA

Intel EMA offers different installation options to cater to various deployment scenarios. The first option is a cloud-based web service that enables you to install EMA in the cloud and manage devices from anywhere with a single installation. This option is recommended for its flexibility and convenience. Another option is an on-premises installation, which is suitable for legacy IT shops that prefer to keep everything inside the firewall. It provides more configuration models for AMT but may limit certain features of managing devices outside the firewall. Lastly, there are DMZ options that allow you to run EMA VMs either on-premises or in the cloud and establish a secure network layer between your cloud provider and IT network.

Benefits of Client Initiated Remote Access (CIRA)

Client Initiated Remote Access, or CIRA, is a crucial feature for hardware level manageability within active management technology. When using Intel EMA in a cloud-based install, CIRA provides a secure Channel for managing data flowing over the internet. It ensures that the management traffic is encrypted and inaccessible to unauthorized parties. CIRA also shuts off the local management ports on devices, eliminating potential attack surfaces. Additionally, it simplifies the process of clients and management servers finding each other, facilitating device discovery and management in diverse internet environments.

Considerations for Cloud-based Install with Intel EMA

If you plan to use Intel Endpoint Management Assistant and active management technology in a cloud-based installation, there are a few considerations to keep in mind. Firstly, you need a known network, which has internet access and supports Intel AMT authentication. Secondly, certain proxy configurations may limit AMT's functionality, requiring specific platform generations to work effectively behind a proxy server. By carefully evaluating these factors, you can ensure a smooth and secure deployment of Intel EMA in a cloud environment.

Network Requirements for Intel EMA

Intel EMA relies on a known network for seamless communication and management of devices. A known network is a network that has access to the internet, allowing the Intel EMA server in the cloud to pass traffic back and forth with the devices under management. For Wi-Fi networks, supporting IEEE 802.1X and pre-shared keys is essential. Wired networks should also support the same authentication standards. It is crucial to establish a reliable and secure network connection to enable effective endpoint management with Intel EMA.

Supported Network Scenarios for Intel EMA

Supported network scenarios for Intel EMA include traditional offices, co-working spaces, and home offices. In these scenarios, there is no need for users to accept terms and conditions to connect to Wi-Fi, making device management straightforward. Moreover, IoT and embedded usage, such as digital signage or smart vending machines, can leverage on-premises internet if available for seamless management. In cases where on-premises internet is unavailable, Ethernet or Wi-Fi to cellular devices can bridge the connection back to the internet. These supported network scenarios offer reliable connectivity for Intel EMA.

Difficult to Support Network Scenarios for Intel EMA

Certain network scenarios pose challenges for Intel EMA in terms of management and authentication. These scenarios usually involve captive portals, where users have to accept terms and conditions or provide credentials to access Wi-Fi. Examples include coffee shops, restaurants, and airports. If users cannot accept these terms and conditions, AMT authentication with the network becomes impossible. However, workarounds exist, such as providing users with a personal hotspot or configuring settings on their phones to establish a Wi-Fi to cellular bridge. These solutions enable continued management capabilities for road warrior types and devices in difficult network scenarios.

Provisioning Modes for Active Management Technology (AMT) in Intel EMA

Intel EMA supports two provisioning modes for active management technology: TLS provisioning and CIRA provisioning. TLS provisioning, primarily designed for on-premises usage, offers the convenience of automatic certificate issuance by Intel AMT. It retains the local management ports on devices, allowing easy interoperability with other on-premises tools. On the other HAND, CIRA provisioning establishes a VPN-like tunnel from the chipset to the Intel EMA server, bypassing the need for open management ports on devices. This mode is ideal for cloud-based installations, offering secure remote management capabilities over the internet.

Highlights:

• Intel Endpoint Management Assistant (EMA) is a multi-tenant platform for remote device management.
• EMA offers a cloud-based install, on-premises install, and DMZ options for deployment.
• Client Initiated Remote Access (CIRA) provides secure communication and device discovery for EMA.
• Network requirements for EMA include a known network with internet access and authentication support.
• Intel EMA works well in traditional offices, home offices, and IoT/embedded scenarios.
• Difficult network scenarios, such as captive portals, can be overcome with workarounds like personal hotspots.
• Provisioning modes in EMA include TLS provisioning for on-premises usage and CIRA provisioning for cloud-based installations.

FAQ:

1. Q: What is the purpose of Intel Endpoint Management Assistant (EMA)?

   • A: Intel EMA allows for remote management and monitoring of endpoint devices.

2. Q: Can I have multiple tenants with unique device collections in Intel EMA?

   • A: Yes, Intel EMA is multi-tenant, allowing separate collections of devices for each tenant.

3. Q: What are the installation options for Intel EMA?

   • A: Intel EMA offers a cloud-based install, on-premises install, and DMZ options for flexibility.

4. Q: What is CIRA and why is it important for Intel EMA?

   • A: CIRA (Client Initiated Remote Access) provides secure and authenticated communication for device management in Intel EMA.

5. Q: What are the network requirements for Intel EMA?

   • A: A known network with internet access and support for Intel AMT authentication is required for Intel EMA.

6. Q: Can Intel EMA manage devices in difficult network scenarios?

   • A: Workarounds like personal hotspots or Wi-Fi to cellular bridging can enable device management in challenging network scenarios.

7. Q: What are the provisioning modes for active management technology in Intel EMA?

   • A: Intel EMA supports TLS provisioning for on-premises usage and CIRA provisioning for cloud-based installations.

Resources:

• Intel Endpoint Management Assistant