I'm very surprised that no one on HN has talked about their experiences of using AMT for enterprise IT management. Aside from the security problems, I've personally never encountered or seen its use, which makes the ME's inclusion (on all chips, for about 6 years) seem like an odd decision from Intel.



My previous employer used it, and it was pretty useful. When we got a new PC, we'd enroll our local keys by booting with a USB drive with the keyfile in the root of the filesystem. The firmware would offer to enroll the keys, after which (remote) sysadmins could remotely administer the machine through AMT -- basically a remote KVM.

The firmware has an on-screen indication that that's happening, so it couldn't be used for spying. Plus for most day-to-day purposes, we could use AD to administer the machines (which probably could be used for spying, if that were necessary). But when things broke enough that AD stopped working (or when first setting up a box), much of the time AMT meant that we didn't need a physical presence to fix them again.


It's nice, I've seen demos of it. It's probably not in use a lot because there are so many better management suites out there. System Center on the expensive end, which is native MS, and a slew of other things on the lower end.

We just replaced our System Center setup and now use a mix of Spiceworks and PQDeploy, but we certainly could have looked at using AMT. It's such a buyers' market and other apps have more features, it just didn't seem worth looking into. Intel's AMT/ME stuff seems more barebones than competitors. I can see why other shops are shying away from it.

FWIW, System Center was really, really nice and I wish we could have kept it, but MS discontinued the small office version of it and moving to the big boy version was just cost prohibitive. Unless you have over 250 machines to babysit, SC isn't worth it. SC eats a lot of competitors' lunches. I suspect this is why big shops don't bother with AMT.

Also, AMT being unstoppable is a feature not a bug. You don't want end users being able to disable it or make changes if you manage an IT environment, even if they are local admins.


> I've personally never encountered or seen its use, which makes the ME's inclusion (on all chips, for about 6 years) seem like an odd decision from Intel.

I consider it quite plausible that the reason why Intel included ME in all chips is that it is much cheaper to add those unnecessary gates to every chip than to create two different versions of it. The much more interesting question is why ME cannot be disabled. It is clear (see http://www.intel.com/content/dam/doc/product-brief/mobile-co...) why Intel has a reason why ME should not be possible to disable on some chips. I can imagine that Intel fears that if it can be disabled on some chips, hackers will find a backdoor to also disable it on those chips where it shouldn't be possible.


> it is clear why Intel has a reason why ME should not be possible to disable on some chips.

Only "under some conditions" should not be possible, that is, once you as a user turn on the anti-theft protection. Theoretically, turn-on-once, afterwards-no-turn-off technology can be implemented.


It could be a hardware switch on the motherboard.
