Intel® Active Management Technology: Privacy Statement Last updated: 5/23/2018
Intel Corporation is committed to protecting your privacy. This statement describes what privacy-sensitive functions and capabilities Intel® Active Management Technology (Intel® AMT) enables, what Intel AMT allows and does not allow IT administrators to do, and indicates the types of data Intel AMT stores on the user's system. This statement is supplemental to Intel's Online Privacy Notice and applies to Intel AMT only.
What is Intel AMT?
Intel AMT enables the Out-Of-Band (OOB) remote support and management of networked computer systems, in the enterprise, by authorized IT administrators.
What are the potential privacy issues raised by Intel AMT?
Remote management capabilities have been available from software vendors, and have been in use by many organizations’ IT departments, for a considerable time.
However, Intel AMT allows IT administrators to remotely support and manage a user’s computer, even if the user is not present or has turned off the computer.
How can the user tell whether Intel AMT is enabled on the system?
Intel has developed a system tray icon to provide transparency and notification to the end user about the current status of Intel AMT. Currently, the standard Intel AMT software includes an Intel® Management and Security Status (IMSS) application and system tray icon that is installed along with drivers and services. The IMSS system tray icon displays the current status of Intel AMT on the system (enabled or disabled) and also provides instructions on how to enable/disable Intel AMT capabilities. Intel recommends that each Original Equipment Manufacturer (OEM) loads the IMSS application. However, OEMs may elect not to comply with this recommendation by Intel, and additionally end-customer IT managers may choose to remove the IMSS application prior to providing Intel AMT-enabled systems to end-users. Depending on OEM implementation, users may also check the status of Intel AMT in their computer’s system BIOS. However, it is important to note that some enterprise IT departments may not grant users the required access to the system BIOS that is necessary to enable/disable Intel AMT or check Intel AMT status.
What personal information does Intel AMT collect from the user?
Intel AMT does not collect any personal information (for example, name, address, phone number, etc.) from the user.
What type of information is sent by Intel AMT to Intel Corporation and how is that information used?
Intel AMT does not send any data to Intel Corporation.
What type of information does Intel AMT store?
Intel AMT stores information in flash memory on the system motherboard. This information includes firmware code, hardware inventory data (for example, memory size, CPU type, hard-disk type), an event log which records platform events (for example, CPU heating up, Fan Failure, BIOS POST message), Intel AMT security events (for example, a warning of Intel AMT password attack event, or System Defense filter tripping), as well as Intel AMT configuration data (for example, network settings, access control lists, and universal unique identifiers (UUIDs), including provisioning data, LAN MAC address, keys, Keyboard-Video-Mouse (KVM) passwords, Transport Layer Security (TLS) certificates, and IT configured wireless network profiles). All configuration data that is deemed sensitive is stored in an encrypted form on the flash. More information regarding UUIDs may be found in the section below.
Intel AMT versions 11.0 and older allow registered Independent Software Vendor (ISV) applications to store data on an area of the flash memory repository known as third party data store (3PDS). Starting in Intel AMT version 11.6, this feature was replaced with Web Application Hosting which allows Intel AMT to host web applications in the Non-Volatile Memory (NVM) that Intel AMT manages locally on the client platform.
While Intel communicates what it believes to be best privacy practices for responsible data management to its ISVs, ultimately Intel does not make the determination as to what data may be stored in this area of flash memory and does not support encryption methods for ISV data. ISVs are therefore encouraged to encrypt their data prior to storing it on the flash if they deem their data to be sensitive. If you have concerns about potential privacy risks due to the data stored here, please contact the appropriate third-party software developer for further details regarding the type of information and web applications they are storing in the NVM and how it is protected.
How does Intel AMT use UUIDs? What functionality do UUIDs enable and not enable on Intel AMT-enabled platforms?
Universal unique identifiers (UUIDs) are artifacts used by Intel AMT for a number of purposes, including the provisioning process, the security of the system (for example, passwords, keys, and TLS certificates), and to ensure that IT administrators are able to accurately connect to and manage a particular user’s system within an enterprise.
Intel has not created any UUIDs to enable the functioning of Intel AMT, nor are UUIDs something new to Intel AMT. UUIDs are present in virtually all modern PCs, and are commonly installed by OEMs on all platforms, without relation to Intel AMT. Indeed, UUIDs are currently utilized by applications found on many PCs to isolate unique system information in order to provide expected functionality, such as the delivery of OS or virus control system updates. Intel AMT uses platform UUIDs in a very similar fashion – the primary difference being that in order to enable Intel AMT to access the UUID OOB, the UUID is copied to the flash memory repository.
It is important to note that the UUIDs on Intel AMT-enabled systems cannot be used by Intel to track users or their PCs, nor do they allow Intel to access user systems via a back door into the platform, nor do they allow Intel to force firmware down to the platform without user consent. Any UUID stored in flash by Intel AMT is only accessible to authorized IT administrators for a particular Intel AMT-enabled platform. The list of authorized IT administrators is configured by the end customer IT during a protected process using either enterprise certificates or physical presence at the Intel AMT system (via BIOS menu or USB key) to establish trust, and thus occurs entirely with consoles residing on trusted servers designated as such by the end customer IT. In other words, neither UUIDs nor any other information can be communicated to or from any party external to the end customer via Intel AMT unless the end customer expressly configures this. To identify authorized administrators for a particular system, see the Intel AMT Software Developer Kit (SDK) documentation available at https://software.intel.com/en-us/business-client/manageability which provides an API to retrieve the ACLs or the Kerberos authorized accounts.
What type of information does Intel® Active Management Technology (Intel® AMT) send across the network?
Intel AMT sends and receives data over predefined IANA network ports: port 16992 for SOAP/HTTP, port 16993 for SOAP/HTTPS, port 16994 for Redirection/TCP, and port 16995 for Redirection/TLS. DASH compliant systems will send and receive data over ports 623 for HTTP and 664 for HTTPS. The Keyboard-video-mouse (KVM) session can run either over the above redirection ports (16994 or 16995) or over the customary RFB (VNC Server) port - 5900. The type of information sent over the network includes Intel AMT command and response messages, redirection traffic, and system alerts. Data transmitted over ports 16993 and 16995 is protected with Transport-Layer Security (TLS) if that option is enabled on the user's system.
Intel AMT may send data over either an IPV4 or IPV6 network and is compliant with RFC 3041 privacy extensions.
What identifiable information does Intel® Active Management Technology (Intel® AMT) expose on the network?
While Intel® AMT is enabled, open ports will present information that may be used to identify the computer to others on the network. This includes HTTPS certificate, HTTP digest realm, Intel AMT version and other information that can be used to fingerprint the computer. This information is given as part of the normal operations of protocols supported by Intel® AMT. A operating system firewall will not block access to Intel® AMT ports, however administrators can use Environment Detection and Fast Call for Help (CIRA) to close Intel® AMT local ports and limit access to this information.
What does Intel AMT allow an authenticated IT administrator to do?
- Remotely power up, power down, and reboot the system for troubleshooting and repair.
- Remotely troubleshoot the system even when the host OS is off or damaged.
- Remotely review and change BIOS configuration settings on the system. The Intel AMT has an option to allow an IT administrator to bypass the BIOS password, but not all OEMs implement this feature.
- Configure network traffic filters to protect the system.
- Monitor registered applications in execution on the system (for example, whether antivirus software is running).
- Receive alerts generated by the Intel AMT firmware reporting events on the user's system that may require technical support, such as: CPU heating up, Fan Failure, or System Defense filter tripping. Further examples are available publicly at www.intel.com/software/manageability.
- Remotely troubleshoot the user's system by redirecting the boot process to a floppy disk, CD-ROM or an image located on the IT administrator's system.
- Remotely troubleshoot the system by redirecting keyboard input and text-mode video output on the user's systems to the IT administrator's system.
- Remotely troubleshoot the system by redirecting keyboard, video, and mouse to and from the user's system and the IT administrator's system (KVM redirection).
- Configure in what network environments Intel AMT manageability functionality will be accessible (for example, by defining trusted domains).
- Use a registered ISV application to write/delete data on the flash repository (i.e., the 3PDS area)
- Host a web applications in the Non-Volatile Memory (NVM) that Intel AMT manages locally on the client platform (Intel AMT 11.6 and newer).
- Identify the user's system on the enterprise network via a UUID.
- Unprovision Intel AMT and delete Flash contents.
- Remotely connect to systems even outside of the Enterprise network using preconfigured Client-Initiated-Remote-Access (CIRA) profiles.
Does Intel AMT allow an authenticated IT administrator to access a user’s local hard drive(s)?
During a remote management session, the IT administrator does have access to the user's local hard-drives. What this means is that the IT administrator could read/write files from the user's hard disk, for instance, to repair the user's system by recovering or reinstalling a faulty application or OS. Intel AMT supports two features that help mitigate potential privacy risks raised by providing IT administrators with access to this type of information: IMSS and Audit Logging. Audit Logging capabilities provide a layer of administrator accountability by logging instances of IT administrator access to user systems via Intel AMT. However, what events are actually logged are defined by the auditor, which in the enterprise is not typically the user. While Intel recommends to its customers that remote access to the Intel AMT system is the type of information that should be logged, it is possible that this information will not be available to users in some enterprise environments. Information regarding how IMSS can provide users with notifications of instances where IT administrators have accessed their system is provided immediately below.
Does Intel AMT KVM Redirection allow an authenticated IT administrator to take remote control of a user's PC as if they are physically sitting at their keyboard?
During a remote management session with KVM redirection, the IT administrator does have control of the user's PC as if they were sitting at their keyboard. With respect to the KVM redirection session, Intel AMT enables the requirement that a KVM session cannot be started without the explicit consent from the user, known as KVM user consent. To enforce the user's consent to opt-in to the redirection session, a secure output window ("sprite") is displayed on the user's screen, on top of any other window, in which the user is prompted to read out to the IT administrator a randomly-generated number. Only if the IT administrator types in the correct session number will the KVM session begin. Once a valid KVM session was invoked, the user's entire screen will be surrounded by a flashing red and yellow border – indicating that an IT administrator is in the process of a KVM remediation session. This flashing red and yellow border will persist as long as the session is active. Note that KVM user consent is mandatory when the Intel AMT system is in Client Control Mode but is optional when in Admin Control Mode.
According to the OEM's settings, SOL/IDER or KVM features in Intel AMT are enabled or disabled in the BIOS or the Intel® Management Engine BIOS Extension (Intel® MEBX). The requirement for KVM opt-in may be changed by the IT administrator through BIOS settings or Intel AMT configuration settings. Intel recommends utilizing the obligation for the user's consent in order to maintain his privacy.
How can the user tell whether an IT administrator has accessed the system through Intel AMT?
TThe IMSS system tray icon enables and supports user notifications for several events, including whether an IT administrator is accessing or has accessed their system through the opening/closing of a remote redirection session (i.e., SOL/IDER), as well as System Defense activation and Remote Boot of the user's system by an IT administrator. Additionally, a flashing icon in the upper right of the screen will appear during an active remote redirection session. However, the events that are actually enabled by the IMSS, in an enterprise setting, are defined by an IT administrator, not the user. While Intel recommends that those enterprises deploying Intel AMT systems enable the IMSS notifications referred to in this paragraph, it is possible that information regarding remote connections to the Intel AMT system may not necessarily be available to all users.
How can a user clear all Intel AMT configuration and private data?
Intel AMT provides BIOS options to partially/fully unprovision an Intel AMT system. Intel recommends end-users to fully unprovision a system before resale/recycling and verify that Intel AMT is fully unprovisioned if you purchase a used Intel AMT capable system.
Privacy statement updates
We may occasionally update this privacy statement. When we do, we will revise the last updated date at the top of the privacy statement.
For more information
Should you have any questions or would like more information about this privacy supplement, please use this form to contact us.