- Generate a Management Certificate capable of minting device certificates (isCA = true in the zman icc command). When the Management Certificate is minted with the isCA flag set to true, it can mint all of the iAMT Device Certificates. In this workflow the ZENworks Administrator does not have to generate each iAMT Device Certificate.
The iAMT Device has to be configured with the Management Certificate hash. This can be done either with the USBFile.exe utility or through the MEBx Menu; refer to the documentation for more details. Once this is done, the Device should be discovered and should start appearing in ZCC (in the Discovered state). The ZENworks Administrator can now provision the iAMT device. The ZENworks Server uses the Management Certificate that was imported earlier to mint the iAMT Device certificates and completes the Enterprise mode provisioning.
If isCA was set to true, the devices receive a certificate by following this step in the provisioning documentation: Provisioning iAMT Devices with the Device Certificate and a Private Key
- Generate a Management Certificate which does not have the capability to mint device certificates (isCA = false in the zman icc command).
When the Management Certificate is minted with the isCA flag set to false, the ZENworks Administrator is choosing to mint the iAMT Device certificates directly from the external CA and does not want ZENworks to mint them. In this workflow the Device Certificates also have to be minted using the external CA of the Zone.
If isCA was set to false, devices receive a certificate by manually minting one using the external CA server, then applying it by following this step in the provisioning documentation:
Provisioning iAMT Devices with an External Certificate
- If the external CA used to mint the iAMT Management Certificate is well known (like VeriSign or GoDaddy), then all the Administrator has to do is configure the iAMT Devices with the ZENworks Server as the Provisioning Server. On a restart of the iAMT Device, the ZENworks Server discovers the AMT Device, and it appears in the ZCC under the Discovered iAMT Devices section (Devices -> Discovered -> Intel® AMT Devices).
- If the external CA used to mint the iAMT Management Certificate is not well known (not part of the factory default trust list of the iAMT Device), then the Administrator would have to configure the iAMT Devices with the Management Certificate Hash. This can be done either using the USBFile.exe utility or configuring it via the MEBx Menu. Once the iAMT Device is configured with the Provisioning Server details and the Management Certificate Hash, one should see the AMT Device appear in the ZCC under the Discovered iAMT Devices section.