A guide to desktop management


TECH GUIDE

The desktop PC may be an invaluable business tool, but it also presents huge challenges in terms of day-to-day management and support — especially when it comes to large organisations with hundreds, if not thousands, of them to cope with.

Just keeping track of who has what hardware and where can be a real headache, let alone making sure it’s all configured correctly with the right application software, the latest patches, suitable firewall, antivirus and other security tools, and so on. Factor in the human element — users — and it’s easy to understand why desktop management can account for the lion’s share of any IT budget.

Desktop management: the story so far
There are plenty of available products designed to address the issues of desktop management. Most start with some kind of inventory tool, to discover and identify desktop assets and how they’re configured. To this can then be added tools to distribute applications, patches and other software, along with utilities to ensure that licence counts are enforced and yet more to enable support staff to remotely diagnose and fix faults when they arise.

Some of these tools are now built into the Windows desktop itself, but that’s a fairly recent innovation. Most are, therefore, implemented as standalone third-party applications or, more commonly, as part of larger integrated management suites from vendors such as Computer Associates, HP, Microsoft, Novell, Symantec and others.

Software-based management solutions are far from perfect, though. For a start, one or more client agents will normally have to be installed on each and every desktop PC for them to work. Distribution of these agents can be complex and presents a logistical challenge in itself. More importantly, most only work while the client PC is turned on and running a fully functional operating system. When users turn their systems off — at the end of the day, for example — management is effectively blocked except where specialised hardware features, such as Wake-on-LAN (WOL), enable them to be remotely powered back on.

Unfortunately WOL doesn’t help that much because even when desktops are on, the operating system needs to be fully operational. There are additional security and performance issues. For example, in most cases there's no encryption to protect the traffic sent between the remote management agents and central consoles; management traffic is also carried along with everything else over standard shared Ethernet LAN/WAN links — which are, again, only available with a fully functioning OS in place.

Compatibility can be an issue too, with only very basic common standards to ensure interoperability between the hardware and software being managed, and the tools designed to facilitate that management. Finally, the whole setup can be compromised by a general lack of security on the desktop itself. Indeed, no matter how well you manage your desktops, it’s still hard to prevent users — or worse still, viruses and other malware — getting through the defences and messing them all up again.

Enter vPro
Intel’s answer to these and other desktop management issues is to take the functionality currently provided by software-based management clients, add extra features, make it more secure and build it into the PC. Intel calls this approach vPro, although as with the Centrino mobile platform and Viiv, Intel’s digital entertainment brand, vPro is more of a marketing concept than a single discrete technology. Indeed, just as with those brands, vPro really describes a collection of technologies. Some are new and others have been around for a while, but all are designed to work together to address desktop management issues.

Announced towards the end of 2006, the various bits of hardware and software required for vPro have taken a while to develop and deliver, but are starting to appear. The latest vPro development adds wireless support, about which more later.

In the meantime, one of the most important of the vPro components is AMT (Active Management Technology), which has actually been around for a number of years. It’s the second generation of AMT, now built into Intel’s Q965 chipsets, that forms the core of what vPro is all about.

AMT at the core
One of the main things AMT does is take over where hardware enhancements such as Wake-on-LAN leave off, by making sure a desktop PC is always available to be managed, no matter what its power or operational status. In fact, as long as the PC is connected to a power supply, AMT makes sure the desktop is always accessible to management software, even when it’s otherwise switched off or there’s no functioning operating system.

To facilitate this always-on availability, AMT adds a secure communication channel connected via another key vPro component — an integrated Intel Gigabit Ethernet adapter. Described as 'out-of-band', this new secure channel uses a logically separate and independent networking stack implemented in the hardware. This, like the other parts of vPro, is always available whether or not the PC is powered up or the host OS loaded. It’s also accessible using standard TCP/IP and addressing rather than a special communications protocol as with WOL.

Using this secure channel, a PC can be remotely powered up or down and crashed PCs rebooted even when the OS has hung. Moreover, using another vPro component — IDE-Redirect — it’s possible to remotely boot a PC to a known clean state by redirecting the boot device to a clean image on local storage, a CD mounted at the help desk or an image held on another remote drive.

Error logs and inventory information can, similarly, be accessed regardless of desktop state, the AMT firmware storing inventory data in secure non-volatile memory every time the PC is powered up.

The secure AMT channel can also be used by support staff to diagnose and resolve problems remotely. Indeed, using yet another vPro component technology — Serial-over-LAN (SOL) — engineers can remotely manage the PC independent of the OS, right down to editing BIOS settings remotely over the network.

All of this can be performed over secure encrypted links with access controlled by an Access Control List (ACL), which is stored in the non-volatile memory managed by vPro. The AMT firmware itself (digitally signed and encrypted) is also stored in this memory, along with third-party code and data for use by management applications, which make up another part of the vPro story.
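
An added example, not from the original article or from Intel: because the AMT channel answers over standard TCP/IP independently of the host OS, access to it is best checked on the network as well as in the AMT ACL. The sketch below audits flow records for AMT's IANA-registered ports (16992-16995, which the article does not list); the management subnet, the log format and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# IANA-registered Intel AMT ports: (service, uses TLS)
AMT_PORTS = {
    16992: ("web/SOAP management", False),
    16993: ("web/SOAP management over TLS", True),
    16994: ("SOL/IDE redirection", False),
    16995: ("SOL/IDE redirection over TLS", True),
}

# Assumption: management consoles live in this subnet.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-01-10T02:14:07Z 10.20.0.15 10.30.4.21 16993
2024-01-10T02:14:09Z 10.20.0.15 10.30.4.21 16995
2024-01-10T09:41:55Z 10.30.7.88 10.30.4.21 16992
2024-01-10T09:42:30Z 10.20.0.15 10.30.4.22 16994
2024-01-10T09:43:02Z 10.30.7.88 10.30.4.23 443
not a flow line
"""

def audit_amt_flows(text, mgmt_net=MGMT_NET):
    """Return AMT flows that come from outside the management subnet
    or that use one of the non-TLS AMT ports."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, dport = parts[0], parts[1], parts[2], int(parts[3])
        if dport not in AMT_PORTS:
            continue  # not AMT traffic
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable source address
        service, encrypted = AMT_PORTS[dport]
        reasons = []
        if src_ip not in mgmt_net:
            reasons.append("source outside management subnet")
        if not encrypted:
            reasons.append("unencrypted AMT port")
        if reasons:
            findings.append((ts, src, dst, dport, service, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_amt_flows(SAMPLE_FLOWS):
        print(finding)
```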

 
