2.6.3 Controlling devices

You can control the devices managed by JP1/IT Desktop Management 2. This section describes how to control devices in the following ways:

Send messages to users

You can send a message to a user of a computer. You can also send the same message to several computers at once.

Note that this function is not supported on the Citrix XenApp and Microsoft RDS server.

Control a computer's access to the network

You can permit or deny a computer network access.

Collect user information

You can collect information from users by displaying an input window on the user's computer.

Turn a computer on or off

You can restart computers remotely and turn computers on and off. This function can be used for device management, remote control, ITDM-compatible distribution, and distribution using Remote Install Manager.

Collect the latest device information

You can collect the latest device information any time you wish.

Define prohibited software

You can view a list of software installed on a computer, and designate certain software as prohibited software. This allows you to view the violation level of the computer in terms of installed software in the Security module. You can also prevent users from using certain software, or uninstall it remotely.

Uninstall software

You can uninstall software by selecting it from a list of software installed on a computer.

Remotely control a computer

You can access the desktop of a computer and control it remotely.

Control smart devices

You can lock, wipe, and reset passcodes on smart devices managed by JP1/IT Desktop Management 2.

Tip: In the case of an agent for UNIX or Mac, device control options you can perform are control of the network connection (only manual control for agents for UNIX) and collection of the latest device information. When you collect the latest information, the Get system information from computer (UNIX) and Get software information from computer (UNIX) jobs are executed. In addition,by default, notifications of system information and software information are sent every 24 hours (once a day) from agents for Mac to the management server.

Tip: Only network connection control for computers is possible with the use of the API. Registration of user information, on the other hand, is possible with the use of the API.

Organization of this subsection

(1) Conditions for power control
(2) Prerequisites for using AMT

(1) Conditions for power control

This section describes the conditions that must be met to control the power status of a computer.

Conditions for turning on a computer

If there is a value for AMT Firmware Version in the device information, the system uses AMT to turn on the computer. If not, the system uses Wake on LAN. The following conditions must be met to turn on a computer:

Important

You cannot turn on a computer if any of the following apply:

The computer is in a wireless LAN environment
A LAN and wireless LAN are connected to the same subnet
The computer is suspended in battery mode
The computer is an agent for UNIX
The computer is an agent for Mac

Conditions on the management server

When using AMT

The AMT user ID and password must be registered in the AMT view under Inventory in Settings module.

In a multi-server configuration, you need to make settings on the management server that manages the device you want to turn on.
Port 16992 used by AMT must be available.
The name of the device to be turned on must be resolved from a host name.

When using Wake on LAN

None.

Conditions on the computer

When using AMT

The computer is connected to the management server.
The agent is installed on the computer.
The computer supports AMT.

A computer supports AMT if a value appears for AMT Firmware Version in the device information.
The user name and password for AMT are entered in the BIOS settings.
Port 16992 used by AMT must be available.

Tip: You can configure AMT in agent configurations which you can then apply to computers with the agent installed. This means that the administrator does not need to configure the BIOS on each computer individually.

Tip: You can register one combination of AMT user ID and password on a given management server. For this reason, when using AMT to turn computers on and off, the same ID and password must be used on each computer.

When using Wake on LAN

The computer is connected to the management server.
The agent is installed on the computer.
The computer supports Wake on LAN.
Magic Packet mode is enabled in the Wake on LAN settings.

Conditions for turning off a computer

The following conditions must be met to turn off a computer:

Important

You cannot turn off a computer if any of the following apply:

The computer is a management relay server
The computer is a relay system
The computer is an agent for UNIX
The computer is an agent for Mac

Conditions on the management server

None.

Conditions on the computer

The computer is connected to the management server.
The agent is installed on the computer.

A Shutdown Computer dialog box appears on a computer you are turning off.

[Figure]

If there is no intervention by the user, the computer will shut down automatically after 180 seconds.

Note the following when shutting down a computer:

A computer will not shut down automatically if its screen saver is active and password protected.
A locked computer will not shut down automatically.
A computer will not shut down automatically if a user is working on an open file.
A computer will not shut down automatically if another user is logged on to the computer.
If the user has not yet logged on to the computer, the computer shuts down without displaying the Shutdown Computer dialog box.
If the computer is instructed to turn off by the management server while the Shutdown Computer dialog box is displayed, the latter instruction is ignored.

Conditions for restarting a computer

The following conditions must be met to restart a computer:

Important

You cannot restart a computer if any of the following apply:

The computer is a management relay server
The computer is a relay system
The computer is an agent for UNIX
The computer is an agent for Mac

Conditions on the management server

None.

Conditions on the computer

The computer is connected to the management server.
The agent is installed on the computer.

A Restart Computer dialog box appears on a computer you are restarting.

[Figure]

A computer is restarted at a time specified in the Settings to shut down and restart the computer area in the User notification settings view in the agent configuration. If the Automatically start if no response is received from the user within the specified period check box is selected in the agent configuration, and the user does not respond to the dialog box, the computer automatically restarts after the time period specified in the agent configuration elapses from when the dialog box was displayed. If the Follow the response of the user in the dialog box that instructs the user to shut down or restart the computer check box is selected in the agent configuration, the dialog box remains on screen, and the computer does not restart until the user clicks the appropriate button.

Note the following when restarting a computer:

A computer will not restart automatically if its screen saver is active and password protected.
A locked computer will not restart automatically.
A computer will not restart automatically if a user is working on an open file.
A computer will not restart automatically if another user is logged on to the computer.
If the user has not yet logged on to the computer, the computer restarts without displaying the Restart Computer dialog box.
If the computer is instructed to turn off by the management server while the Restart Computer dialog box is displayed, the instruction to turn off takes precedence. In this scenario, the Restart Computer dialog box is replaced with a Shutdown Computer dialog box.

To Page Top

(2) Prerequisites for using AMT

If the AMT version is lower than 6.0, a DHCP environment is a prerequisite. A wireless LAN environment is not supported.

The features of JP1/IT Desktop Management 2 have different requirements in terms of the AMT version required on the computer.

The following table shows the version of AMT required to use each feature.

Feature		Description	Required AMT version
Power control		Turns remote computers on and off.	3.0 to 9.5
Collecting AMT firmware versions		Collects the AMT version as part of a computer's device information.
Using IDE redirection^#		Allows you to use CD-ROM drives remotely when using the remote control feature.
Remote control over RFB connections		Allows you to use the remote control feature over a RFB connection.	6.1 to 9.5
AMT configuration	Enable IDE redirection	This feature allows the use of the IDE redirection feature of AMT.	6.1 to 9.5
	Enable remote KVM	By enabling remote KVM on a computer in the agent configurations, you can remotely control the computer over an RFB connection. You can also set the authentication information needed to remotely control the computer.	6.1 to 9.5
	Enable AMT and set passwords for AMT users with administrator permission	This feature enables AMT if disabled. You can also set the password for AMT users with administrator permission (the admin user).	7.0 to 9.5

#: In AMT versions 7.0 and 8.0, you cannot use the IDE redirection feature on computers on which AMT is enabled in the AMT Settings view in the Settings module.

To automatically enable AMT on a computer:

AMT must be enabled on a computer before you can use AMT-based features.

To automatically enable AMT on a computer, set an administrator-permission password used by AMT in the AMT Settings view of the Settings module.

You can then enable AMT automatically on computers and access them with administrator permission.

If there is no administrator password set for AMT on the computer, the password you enter in the AMT Settings view is registered in AMT. You cannot set a new password if one is already registered in AMT. In this case, specify the registered password. If an administrator password is set but AMT is disabled, you need to first enable AMT on the computer.

Enabling AMT on the computer starts the following services:

Service name: LMS

Display name: Intel(R) Management and Security Application Local Manage
Service name: UNS

Display name: Intel(R) Management and Security Application User Notification Service

To use these features, the management server must be configured in the following ways:

To control the power of a computer using AMT:

Set the credentials needed to communicate with AMT on the computer in the Set Credentials area of the AMT Settings view of the Settings module.

Thereafter, AMT will be used to control the power state of the computer.

To collect the AMT firmware version from a computer:

Set the credentials needed to communicate with AMT on the computer in the Set Credentials area of the AMT Settings view of the Settings module.

Thereafter, the AMT firmware version will be collected at the time when the device information is collected.

To remotely control a computer via RFB connection:

The remote KVM feature must be enabled in AMT on the remote computer.

You can edit agent configurations in the Windows Agent Configurations and Create Agent Installers view of the Settings module. In the AMT view, select the Allow Remote KVM check boxes.

If AMT is enabled on the computer, changes to AMT settings take effect each time the agent configurations are applied to the computer. If AMT is disabled on the computer, you need to configure the agent configurations to enable ATM automatically.

When you set up the computer in this manner, when an attempt by the remote control feature to connect to a computer using a standard connection fails, the remote control feature then attempts to connect using RFB. You can configure the system to use RFB when connecting from the Connect item in the File menu of the Remote Control view.

To use IDE redirection:

The IDE redirection feature must be enabled in the AMT settings on the computer. However, in AMT versions 7.0 and 8.0, you must set AMT from BIOS because you cannot use the IDE redirection feature, even if AMT is enabled on the computers.

Edit the agent configuration in the Windows Agent Configurations and Create Agent Installers view in the Settings module. At this time, select the Enable IDE redirection check box in AMT Settings.

If AMT is enabled on the computer, the AMT settings will be changed as soon as the agent configurations are applied. If the AMT is disabled on the computer, a configuration to automatically enable AMT on the computer is required.

In this way, you can use the IDE redirection feature when remotely controlling a computer.

In a multi-server configuration, the IDE redirection functionality can be used for a device that can be connected from the controller via the network.

Important

If you select the management window - Agent Configuration Items - AMT Settings tab - Allow IDE Redirection check box, AMT - SOL/IDER - Legacy Redirection Mode value is set to Enabled. This value is not set to Disabled even when you uninstall an agent, so you need to perform either of the following operations to disable it:

Clear the management window - Agent Configuration Items - AMT Settings tab - Allow IDE Redirection check box before uninstalling an agent.
Set AMT - SOL/IDER - Legacy Redirection Mode value to Disable after uninstalling an agent.

Related Topics:

(1) Conditions for power control

To Page Top