Sign in with
Sign up | Sign in

Intel vPro, McAfee, And The Atom Platform

Intel vPro: Three Generations Of Remote Management
By

A long time ago, Intel realized that security and support are significant costs in the IT world. Running down to a user's desk to help troubleshoot a problem has gone out of vogue, replaced by IT service desks on-premise (in the case of enterprises) and located remotely (for many SMBs). Sometimes a phone call is all it takes to fix a customer's problem. Other times, a suite of support tools like vPro and AMT are the answer. And now, the most expensive type of support is break/fix, where a power supply or memory module goes bad, necessitating a trip to the source.

With the recent acquisition of McAfee, Intel made a strong statement that it wants to make an impact on the security market. Soon, it'll be able to provide a vertically-integrated hardware and software stack for desktop and laptop management.

Interestingly, McAfee's competitors are already looking to the next generation of device support. Apple's iPad (along with the iPhone and various Android-based devices) continue to gain the blessing of corporate executives. Holdout IT departments that don't support those devices are starting to realize that policy-driven standardization on Windows and BlackBerry devices isn't going to cut it for much longer. As a result, many organizations that still don't allow that foreign hardware onto the network are at least evaluating what it'd take to support those platforms.

Current-generation iOS and Android devices utilize ARM, not Intel architectures. That means there's already built-in demand for third-party security firms to build a security and management software stack that caters to the ARM market. Moreover, with Windows 8 already confirmed to run on ARM-based SoCs, there might come a time when we see organizations move completely to ARM hardware where vPro does not play.

With this in mind, Intel needs to start enabling vPro on more of its hardware, particularly the Atom processors. That's a bit of a dangerous move for Intel. The sale of inexpensive Atom-based systems takes unit sales away from Intel’s higher-margin processor and chipset businesses. This is a classic example from Clayton M. Christensen’s Innovator’s Dilemma: When New Technologies Cause Great Firms to Fail, where a low-end product cuts into the higher-end space (Intel’s 8088 was a classic case.)  

If you're familiar with the Innovator’s Dilemma, then you realize it means that, in order to sell a vertically-integrated security and management stack, Intel needs to expose vPro functionality on the Atom platform and embrace the resulting disruption. That development, coupled with lower-power Atom processors able to compete in the smartphone and tablet space, could empower an organization with one vendor's management and security suite across client devices. 

Closing Thoughts

Overall, we've seen Intel make great strides in incrementally adding features to vPro. Due to continued innovation in manufacturing and architecture, there are substantial performance benefits in shifting from Core 2 Duo to today's Core i5. Meanwhile, we're being exposed to higher-resolution KVM support, Anti-Theft technology, AES-NI, and Quick Sync.

The one notable downside is that you're compelled to pay for a management app like RealVNC Viewer Plus if you want to fully realize the platform's potential. Priced at $100, that's yet another cost adder to discourage already price-sensitive buyers. It certainly would be preferable to have an open-source alternative that could be easily integrated into management suites. With that said, when you compare the price of a single on-site visit, if RealVNC Viewer Plus saves even one trip, that customer is back in the black.

At the end of the day, an organization with a small office and a dedicated IT support staff probably wouldn't take advantage of vPro. For everyone else, though, there are some pretty clear benefits associated with the technology. Larger, more sprawled out organizations stand to save significantly by using remote management tools. At the other end of the spectrum, SMBs who can't pay their own IT person stand to achieve much faster recovery if a service provider can log right into problematic PCs, rather than having to make an office visit.

Ask a Category Expert

Create a new thread in the Reviews comments forum about this subject

Example: Notebook, Android, SSD hard drive

Display all 21 comments.
This thread is closed for comments
  • 7 Hide
    cngledad , September 27, 2011 6:37 AM
    Can I suggest an article comparing different remote access tools we can use? From the freeware TeamViewer, VNC Viewer to such things like WebEx? I think that would be a very good topic.
  • 3 Hide
    Anonymous , September 27, 2011 11:43 AM
    ^^Don't forget Logmein Rescue which has vPro support.
  • -4 Hide
    pro-gamer , September 27, 2011 1:17 PM
    intel man please give me a job.
    Intels rock
  • 0 Hide
    NirXY , September 27, 2011 8:53 PM
    Glad to see you made it to publish day, was waiting for this piece.
    Looking great !
  • 0 Hide
    Anonymous , September 27, 2011 10:28 PM
    One correction: DQ57TM *does* contain a v1.2 TPM, the same as found on DQ67SW and DQ67EP. It's required to be vPro compliant (necessary for Intel TXT).
  • 0 Hide
    jhansonxi , September 27, 2011 10:44 PM
    Nifty but I don't like the single-vendor lock-in. I can see real improvements in IT efficiency if this was combined with AoE. Would like to see SSH support, however.
  • 1 Hide
    extremepcs , September 28, 2011 9:09 AM
    Hopefully they have improved the activation mechanism. Kind of a PITA if you don't buy a certificate from a trusted CA. I used an internal cert and had to activate each machine by booting from a flash drive.
  • 1 Hide
    chovav , September 28, 2011 9:20 AM
    If my hard drive is encrypted using TrueCrypt pre-boot authentication, would I be able to fill in the password using Intels vPro?
  • 0 Hide
    jowunger , September 28, 2011 1:29 PM
    The voice of the guy in the video is bad. The guy talks like he is speedreading a book...
  • 0 Hide
    cangelini , September 28, 2011 6:02 PM
    cdw-vproOne correction: DQ57TM *does* contain a v1.2 TPM, the same as found on DQ67SW and DQ67EP. It's required to be vPro compliant (necessary for Intel TXT).


    Fixed, thanks!
  • 0 Hide
    chovav , September 29, 2011 2:10 PM
    Chris can you answer my question?
  • 0 Hide
    pjkenned , September 30, 2011 3:44 PM
    chovavIf my hard drive is encrypted using TrueCrypt pre-boot authentication, would I be able to fill in the password using Intels vPro?


    Generally you don't want to do this. Pre-boot authentication on encrypted drives is a security measure so that someone gaining access to a shut-down PC cannot cold boot onto the contents of the disk. For example, one shuts down a notebook that is subsequently stolen in an airport.

    In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.
  • 0 Hide
    kevikom , October 10, 2011 11:13 AM
    HP insight manager is better. Weird thing is I found out about it from a whitepaper on Dells site. I thought HP and Dell hated each other?? but we use it for PCs, servers, and it has a plugin for Vmware.... AND IT IS FREE.
  • 0 Hide
    dj christian , November 11, 2011 4:56 AM
    pjkennedFor example, one shuts down a notebook that is subsequently stolen in an airport. In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.


    So you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?

  • 0 Hide
    Anonymous , January 2, 2012 8:10 AM
    Hi, does anybody know if Intel Dq67sw motherboard Support 8Gb ddr3 Single Modules . Because Intel Technical product specification states " Support for 32GB of System Memory with four DIMMS using 4GB memory technology ".

    Are there any other Intel boards which support vPro ( VT-X , VT-D ) with 32GB for i7 2nd Generation.

    As i want to build one myself for VM.
  • 0 Hide
    omerl , January 29, 2012 7:49 PM
    pjkennedGenerally you don't want to do this. Pre-boot authentication on encrypted drives is a security measure so that someone gaining access to a shut-down PC cannot cold boot onto the contents of the disk. For example, one shuts down a notebook that is subsequently stolen in an airport. In that scenario (actually fairly common) the user that now has the notebook can boot to the contents of the disk if a password was pre-filled.

    dj christianSo you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?


    Chovav, pjkenned and dj christian - yes, you can use Intel vPro AMT to fill the Pre-Boot Authentication. You can do this either with AMT KVM (which is the simple way, but requires AMT 6 and above) or with AMT SOL (assuming TrueCrypt allows SOL.
    pjkenned - there are several scenarios which it would makes much sense to send the password for PBA remotely: 1. Support agent trying to recover a user's password. 2. Trying to boot to a computer you left in the office. The idea is not that the password is pre-filled, it is filled on real-time.
    It's actually can be a very powerful tool for the service-desk at your organization.

  • 1 Hide
    omerl , February 14, 2012 8:18 AM
    qwer5678So you saying that's a bad idea for the owner that he typed the pre-filled the password using vPro?

    I didn't really understand what you mean. If you utilize this feature correctly you can gain real value to your organization. Note my 2 suggestion of usage. If you have it kept in a DB or something similar, you must make sure this DB is encrypted and secured properly, since this is sensitive information, but you can still get it and send it to your computer using vPro encrypted over TLS/SSL channel.
  • 0 Hide
    omerl , March 21, 2012 12:37 PM
    okokpkpk - I'm saying DO NOT PRE-FILL THE PASSWORD. This is not what's vPro is all about.
    I'm saying, create a solution for your organization that allow real time password push to your clients, in case a password is forgotten. Passwords are stored securely inside the organization and are only used in case of password forgotten. Nothing else. Do no bypass the pre-boot authentication mechanism.
  • 0 Hide
    masi87 , August 10, 2012 6:19 PM
    Why does noboy complain about the missing SSL for the logon page of the Web-Interface? (even thought not only logon but everything after that should also be encrypted to prevent cookie theft).
  • 0 Hide
    michealPW , August 11, 2012 7:09 PM
    I'm not sure what's more unsettling... The fact that this technology's being rolled out in so many mainstream Intel CPUs and Chipsets or the fact that I seem to be the only one that sees this as a major attack vector :|

    Good gawd what a frightening world we're marching into. Security and Privacy is becoming an unattainable dream.
Display more comments