Intel® Unite™ Enterprise Deployment Guide

July 2015, Version 2.3

Intel® Corporation Confidential. SIGNED NDA ONLY.

Intel and Intel Unite are trademarks of Intel Corporation in the U.S. and/or other countries.

Upload: buiquynh

Post on 17-Mar-2018



INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice.

Security features enabled by Intel® AMT require an enabled chipset, network hardware and software and a corporate network connection.

No computer system can provide absolute security under all conditions. Built-in security features available on select Intel® Core™ processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your PC manufacturer for more details. Requires an Intel® OS Guard enabled system with a 3rd gen Intel® Core™ vPro™ processor and an enabled operating system. Consult your system manufacturer for more information.

No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including a 2nd or 3rd gen Intel® Core™ processor, enabled chipset, firmware, and software, and participating website. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com.

Requires an Execute Disable Bit enabled system. Check with your PC manufacturer to determine whether your system delivers this functionality. For more information, visit http://www.Intel.com/technology/xdbit/index.htm.

Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.Intel.com/technology/vPro.

The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.

No system can provide absolute security. Requires an Intel® Secure Key enabled PC with a 3rd gen Intel® Core™ vPro™ processor and software optimized to support Intel Secure Key. Consult your system manufacturer for more information.

Material in this presentation is intended as product positioning and not approved end user messaging.

This document contains information on products in the design phase of development.

Intel, Intel Core, the Intel logo, and Centrino are trademarks of Intel Corporation in the U.S. and other countries.

Microsoft, Windows, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2014-2015 Intel Corporation. All rights reserved.


Revision History

Revision Number Date Author Notes

0.1 11/24/2014 M. Gulliford Outline

0.2 2/10/2015 B. Cockrell Rough draft.

1.0 4/24/2015 J. Shidek Review and Edit

1.1 5/7/2015 J. Shidek Addition of Admin Web Portal

1.2 5/12/2015 C. Valle Product updates, Name change

1.3 5/22/2015 C. Valle General updates to this guide

1.4 5/27/2015 J. Shidek Updating images

1.5 5/27/2015 C. Valle Update Profile Provisioning and Add Quiet Installers

1.6 6/5/2015 C. Valle Updates for new software released

1.7 6/8/2015 C. Valle Added more released features

1.8 6/9/2015 C. Valle Added Appendix, Architecture, additional overview details

1.9 6/16/2015 C. Valle Changed document flow, and updates in deployment information

2.0 6/17/2015 C. Valle Added screenshots and IIS details

2.1 6/23/2015 C. Valle Added more installation details and screenshots for Hub and Client

2.2 6/30/2015 C. Valle Added feedback in installation process and uninstall instructions

2.3 7/7/2015 C. Valle Minor grammar fixes, added hyperlinks for easier navigation

Table of Contents

1 Introduction
    1.1 Audience
    1.2 Intel Unite Overview
    1.3 Intel Unite Terminology & Definitions
    1.4 Intel Unite Architecture
2 Intel Unite Security Overview
    2.1 Unite Software - Security Flow
        2.1.1 Step 1: PIN Assignment
        2.1.2 Step 2: PIN Lookup
        2.1.3 Step 3: Connection Initiation
        2.1.4 Step 4: Connection Approval
3 Intel Unite Requirements
    3.1 Software Requirements
    3.2 Hardware Minimum Requirements
    3.3 Network Requirements
    3.4 Hardware Components
    3.5 Other Considerations
4 Intel Unite Deployment
5 Enterprise Server Deployment
    5.1 Enterprise Server Overview
    5.2 Enterprise Server Pre-Installation
        5.2.1 IIS Enabling
        5.2.2 Microsoft SQL Server Install
        5.2.3 Quiet Installers
        5.2.4 Registry Keys
        5.2.5 Privacy Statement
    5.3 Enterprise Server Installation:
    5.4 Uninstalling Intel Unite
6 Intel Unite Hub Deployment
    6.1 Intel Unite Hub Pre-Installation
        6.1.1 Public Key
        6.1.2 ServerConfig file and DSN Record content
    6.2 Intel Unite Hub Installation
    6.3 Intel Unite Configuration Options
    6.4 Hub Best Practices
    6.5 Hub Security
    6.6 Intel Unite Plugins
7 Intel Unite Client Deployment
    7.1 Intel Unite Client Pre-Installation
    7.2 Intel Unite Client Installation
    7.3 Launching Intel Unite in a Client
        7.3.1 Fail to launch Intel Unite in a Client
    7.4 Intel Unite Client Configuration
8 Profile Configuration
    8.1 Profile Provisioning
        8.1.1 Pin Refresh Interval
    8.2 Alerting and Monitoring
9 Admin Portal Guide
    9.1 Create a new account
        9.1.1 Assign access rights to the new account
    9.2 The Admin Portal Navigation Bar
        9.2.1 Admin Portal Home page
    9.3 Devices page
    9.4 Groups page
        9.4.1 Groups > Device Groups
        9.4.2 Groups > Profiles
    9.5 Management page
        9.5.1 Management > Server Properties
        9.5.2 Management > Users
        9.5.3 Management > Roles
        9.5.4 Management > Role Assignments
        9.5.5 Management > Permissions
10 OS and PC Security Controls
        10.1.1 Minimum Security Standards (MSS)
        10.1.2 Machine Hardening
        10.1.3 Other security controls
11 Maintenance
    11.1 Nightly reboot
    11.2 Patching strategy
    11.3 Reporting
    11.4 Monitoring
        11.4.1 Backend monitoring:
Appendix A. Intel Unite Installation Example

1 Introduction

Welcome to the Intel® Unite™ Enterprise Deployment Guide. Intel Unite offers a simple application creating an innovative conference space anywhere a display is located. Intel Unite also allows communication and flexibility while incorporating business needs and functionality with the enterprise application.

This document includes an overview of the application and its security, the software architecture, the requirements, and how to deploy and configure the software on a network within an IT environment.

1.1 Audience

This document is designed for use by IT professionals within a corporate environment.

1.2 Intel Unite Overview

Intel Unite software is designed to allow fast wireless screen sharing and collaboration in 3 steps:

1. Launch the client application
2. Enter a PIN to connect to a specific session
3. Click ‘Share’ to display content

Intel Unite uses a non-touch display and can support any reasonably sized monitor or projector (depending on room size, normally 42" or larger). User interaction is limited to wireless display but includes easy connection via PIN entry and easy handover between presenters.

The goal is to provide ‘same time same place’ wireless display with embedded capability supporting remote connection to the room system (requires a person in the room to provide the PIN to the remote person) and the ability to annotate on a presenter’s screen.

Leveraging your existing network infrastructure, Intel Unite works with the Microsoft® Windows 7, 8, or 8.1 operating system. The software has built-in security features (TLS) and sharing capabilities to create an easy and flexible solution for sharing information visually.

Intel Unite has the following features:

Intel Unite Features

Wireless Display – Users can connect to a session and display their screen, no cables needed

Multi-client split screen display – Multiple users can connect and share concurrently to the same monitor

Lync Status Integration – Intel Unite will set a user's status to “Do Not Disturb” when the user is presenting, disabling toast messages; in addition it will display “Presenting with Intel Unite”

Interactive Participant List – Users can see everyone connected to the same session

Presenter View – A user has the ability to view the screen of the current presenter(s)

Annotation – When viewing a presentation, users can create annotations on the presenter’s display, which will disappear after 5 seconds or remain permanently, depending on the configuration

1.3 Intel Unite Terminology & Definitions

Client – Client software that is installed on a client system and connects to a Hub.

Hub – A system that displays a PIN and hosts plugins, such as a conference room display.

Enterprise Server (Server) – Directory service that assigns PINs and configuration data, and allows PIN-to-Hub and PIN-to-user resolution.

FQDN – Fully Qualified Domain Name

IP Address – Internet Protocol Address

Plugin – A software component installed on a Hub that surfaces additional functionality.

IIS – Internet Information Services

SSL – Secure Sockets Layer

1.4 Intel Unite Architecture

The image below provides the architecture and an overview of all of the components and interactions of the application. All communication is encrypted using SSL except for the high-speed UDP updates for the Fast Mouse Cursor feature.

The expected use of the system is for an individual to step into this shared physical environment and instantly project their screen to the room monitor/projector. Other participants can create connections to the room system and be able to share the screen area and take ownership of the presentation.

The system is built to allow any connected user to take over; managed meetings are not supported, nor considered necessary for ‘in the room’ usage. If the original presenter wants to get back to presenting, he/she can just co-present again and ‘go solo’ as required. As the interactions in this architecture are expected to be in the same room, it is expected that there is no need for an arbitrated meeting.

2 Intel Unite Security Overview

2.1 Unite Software - Security Flow

The following image contains a high level overview of how the Client and Hub applications securely receive PINs, resolve PINs, and establish a connection when connecting to a display that has Intel Unite, depicting the main steps involving key exchange and other security elements.

2.1.1 Step 1: PIN Assignment

The image below describes how PINs are assigned. All network communication during this process is SSL encrypted over a web service (TCP 443).

In addition to receiving PINs, the Hub and Client also register their connection information and a public key with the server. The public key is used during connection to validate that each component is communicating with the intended target.

Please note the following behaviors:

• The refresh interval is configurable
• PIN assignment for Client and Hub follows the same flow
• When a Hub or Client sends connection information, IP addresses in the localhost (127.0.0.0/8) and 169.254.0.0/16 ranges are ignored
• The TCP port can be configured per Client or Hub, or pushed via a profile from the Admin Portal. The default behavior is to let the operating system assign a port.
• Expired PINs will be allowed access for up to 15 seconds
• Expired PINs will not be reassigned for up to 5 minutes after expiration to ensure that users don’t accidentally connect to the wrong display.
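
The PIN lifecycle rules listed above can be modeled directly. The following Python code is an added example, not Intel Unite code: the class and function names, the 6-digit PIN length and the 300-second refresh interval are assumptions, while the ignored address ranges, the 15-second grace period and the 5-minute reassignment hold come from the list above.

```python
import ipaddress
import secrets

PIN_DIGITS = 6            # assumption: the guide does not state the PIN length
REFRESH_SECONDS = 300.0   # assumption: the guide only says the interval is configurable
GRACE_SECONDS = 15.0      # guide: expired PINs are allowed access for up to 15 seconds
HOLD_SECONDS = 300.0      # guide: expired PINs are not reassigned for up to 5 minutes

IGNORED_NETWORKS = (
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("169.254.0.0/16"),   # IPv4 link-local
)


def usable_addresses(addresses):
    """Return the reported addresses that a peer could actually connect to."""
    kept = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if not any(ip in net for net in IGNORED_NETWORKS):
            kept.append(str(ip))
    return kept


class PinDirectory:
    """In-memory model of PIN assignment and lookup on the Enterprise Server."""

    def __init__(self):
        self._records = {}   # pin -> {"device", "addresses", "expires_at"}
        self._current = {}   # device -> its most recently assigned pin

    def _purge(self, now):
        # Forget a PIN only once its reassignment hold has elapsed.
        for pin, rec in list(self._records.items()):
            if now >= rec["expires_at"] + HOLD_SECONDS:
                del self._records[pin]

    def is_reserved(self, pin, now):
        """True while the PIN is live or still held back from reassignment."""
        self._purge(now)
        return pin in self._records

    def assign(self, device, addresses, now):
        """Give a Hub or Client a fresh PIN and expire the one it held before."""
        self._purge(now)
        previous = self._records.get(self._current.get(device))
        if previous is not None:
            previous["expires_at"] = min(previous["expires_at"], now)
        while True:
            pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
            if pin not in self._records:   # skip live and held PINs
                break
        self._records[pin] = {
            "device": device,
            "addresses": usable_addresses(addresses),
            "expires_at": now + REFRESH_SECONDS,
        }
        self._current[device] = pin
        return pin

    def resolve(self, pin, now):
        """Return (device, addresses) for a PIN, honoring the expiry grace period."""
        rec = self._records.get(pin)
        if rec is None or now > rec["expires_at"] + GRACE_SECONDS:
            return None
        return rec["device"], rec["addresses"]
```

Timestamps are passed in as seconds so the grace and hold windows can be exercised without waiting.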

2.1.2 Step 2: PIN Lookup

The image below describes how PINs are resolved to connect to the Enterprise Server. All network communication during the PIN lookup process is SSL encrypted over a web service (TCP 443).

When a user enters the PIN of the target in the Intel Unite Client, the Client sends the PIN to the Enterprise Server to resolve into connection information. On a successful lookup, the Enterprise Server returns the valid connection information of the target. The target can either be a Hub or an Intel vPro Client running the Intel Unite software.

In addition to receiving connection information, the public key of the target is also given, so that the Client application can validate that it is communicating with the correct target.

NOTE: PIN Lookup for Hub and Clients follows the same flow.

2.1.2.1 PIN Lookup Back off

To prevent attackers from trying to harvest PINs from the Enterprise Server, failed attempts are logged. A user can have up to 3 failed attempts in a 10 second period before the back off mechanism begins enforcing a delay in responses (2^x seconds, where x=number of failed attempts within a 5 minute period).
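
A worked model of this back-off follows, as an added Python example rather than the Enterprise Server's own code. The guide does not say exactly when the delay starts or stops, so this version assumes it applies from the lookup after the third failure in a 10-second span and stays in force while that burst is still inside the 5-minute window; the class name and the log format are constructed for illustration.

```python
from collections import defaultdict, deque

BURST_LIMIT = 3         # guide: up to 3 failed attempts ...
BURST_WINDOW = 10.0     # ... in a 10 second period are tolerated
HISTORY_WINDOW = 300.0  # guide: x counts failures within a 5 minute period


class PinLookupBackoff:
    """Tracks failed PIN lookups per client and computes the response delay."""

    def __init__(self):
        self._failures = defaultdict(deque)   # client -> failure timestamps, oldest first

    def _history(self, client, now):
        times = self._failures[client]
        while times and now - times[0] > HISTORY_WINDOW:
            times.popleft()                   # failures older than 5 minutes no longer count
        return times

    def record_failure(self, client, now):
        self._history(client, now).append(now)

    def delay_for(self, client, now):
        """Seconds to hold back the response to this client's next lookup."""
        times = list(self._history(client, now))
        # Assumption: back-off is in force while BURST_LIMIT failures that fell
        # inside one BURST_WINDOW are still part of the 5-minute history.
        armed = any(times[i + BURST_LIMIT - 1] - times[i] <= BURST_WINDOW
                    for i in range(len(times) - BURST_LIMIT + 1))
        return float(2 ** len(times)) if armed else 0.0


# Constructed sample log: "<seconds> <client address> <lookup result>"
SAMPLE_LOG = """\
0.0 10.0.0.5 FAIL
0.0 10.0.0.9 FAIL
1.0 10.0.0.5 FAIL
2.0 10.0.0.5 FAIL
3.0 10.0.0.5 FAIL
4.0 10.0.0.5 FAIL
30.0 10.0.0.9 FAIL
60.0 10.0.0.9 FAIL
90.0 10.0.0.9 OK
"""


def replay(log_text, backoff=None):
    """Return {client: [delay applied to each lookup]} for a lookup log."""
    if backoff is None:
        backoff = PinLookupBackoff()
    delays = defaultdict(list)
    for line in log_text.splitlines():
        stamp, client, result = line.split()
        now = float(stamp)
        delays[client].append(backoff.delay_for(client, now))
        if result == "FAIL":
            backoff.record_failure(client, now)
    return dict(delays)
```

In the sample, the client that mistypes a PIN three times half a minute apart is never delayed, while the client failing once per second is held for 8 and then 16 seconds.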

2.1.3 Step 3: Connection Initiation

The image below describes how a connection is initiated. In this phase, the Client initiates a TCP peer-to-peer connection with the target (a Hub or an Intel vPro Client running the Intel Unite software), and starts SSL. The certificate provided by the target is hashed and compared against the hash the Client received during step 2. This type of validation prevents attacks and also guards against situations where the IP addresses of DHCP clients may have changed.
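
The check described in this step is shown below as an added Python example that is not taken from the Intel Unite software. SHA-256 over the DER-encoded certificate, the function names and the injectable `dial` parameter are assumptions; the guide does not name the hash algorithm.

```python
import hashlib
import hmac
import socket
import ssl


def matches_pin(der_cert, expected_hex):
    """True if the presented certificate hashes to the value from the PIN lookup."""
    if not der_cert:
        return False                      # peer sent no certificate
    try:
        expected = bytes.fromhex(expected_hex.replace(":", ""))
    except ValueError:
        return False                      # malformed hash in the lookup response
    # Assumption: SHA-256 over the DER encoding, compared in constant time.
    return hmac.compare_digest(hashlib.sha256(der_cert).digest(), expected)


def dial_tls(address, port, timeout=5.0):
    """Open a TLS connection without CA validation; the caller must check the pin."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False        # has to be cleared before CERT_NONE is accepted
    context.verify_mode = ssl.CERT_NONE   # trust is decided by the hash comparison instead
    raw = socket.create_connection((address, port), timeout=timeout)
    try:
        return context.wrap_socket(raw)
    except OSError:
        raw.close()
        raise


def connect_pinned(addresses, port, expected_hex, dial=dial_tls):
    """Try each address from the lookup; return (address, connection) once the pin matches."""
    for address in addresses:
        try:
            conn = dial(address, port)
        except OSError:
            continue                      # unreachable or handshake failed; try the next one
        if matches_pin(conn.getpeercert(binary_form=True), expected_hex):
            return address, conn          # the verified connection itself carries the session
        conn.close()                      # a different host answered here; send it nothing
    return None
```

Because the hash is checked on the connection that is then used, a host that has picked up the target's former DHCP address is rejected before any session data is sent.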

2.1.4 Step 4: Connection Approval

The image below describes how the target, which could be a Hub or an Intel vPro Client running the Intel Unite software, validates the Client.


3 Intel Unite Requirements

Before you start the installation process, please verify that the software, hardware and network requirements are met as specified below.

Deployment of the Intel Unite software consists of installing three components on a network:

• Enterprise Server
• Hub
• Client

3.1 Software Requirements

Server
• Microsoft® Windows Server 2008 or greater
• Microsoft Internet Information Services
• Microsoft® SQL Server 2008 or greater
• Microsoft® .Net 4

HUB
• Microsoft® Windows 7, 8, or 8.1
• Microsoft® .Net 4

Client
• Microsoft® Windows 7, 8, or 8.1
• Microsoft® .Net 4
• Mac OSX 10.9 and greater

3.2 Hardware Minimum Requirements

Server
• 4 GB RAM
• 32 GB available storage

HUB
• System meeting the Intel® vPro Technology
• 4 GB RAM
• Wired or Wireless Network Connection
• 32 GB available storage

Client
• 1 GB RAM
• 1 GB available storage

3.3 Network Requirements

It is strongly suggested to use a Fully Qualified Domain Name (FQDN) and to set up DNS for Enterprise Server resolution.

It is also recommended to connect all units to LAN for three reasons:

1. Potential fan-out resulting from multiple (especially remotely) connected users that require the Intel Unite room system to send multiple copies of the display concurrently
2. Better display quality of high frame rate display over LAN compared to WLAN
3. WLAN infrastructure bandwidth optimization through avoiding the room system to access point WLAN traffic (even if the sender is on WLAN the same packet is sent: sender -> access point -> receiver in infrastructure mode)

3.4 Hardware Components

The hardware comprises a business class vPro enabled Mini PC Intel NUC, a backup video cable path (VGA / HDMI switcher) and a motion sensor.

• Mini PC Intel NUC kit (NUC5I5MYHE) with 8 GB RAM, 120 GB Intel SSD, Intel 7260 AC WiFi card, Win8.1 PRO license
• Mini Display Port to HDMI converter cable – 3 ft (1 m)
• Existing display / projector or a non-touch display
• Optional for above display - floor stand

If you would like to see an example layout of how Intel Unite was installed in a conference room, please refer to Appendix A. Intel Unite Installation Example.

3.5 Other Considerations

The Intel Unite Hub and Client installation should be managed using your IT department's established process for software distribution. There might be specific install instructions provided by the vendor providing your Intel Unite software.

One important consideration is your firewall settings, which may cause Intel Unite to have difficulty connecting.

You will need to create an exception in your firewall for Intel Unite.exe:

o TCP traffic
o UDP traffic

You should contact your firewall vendor for specific details on how to create application exceptions.


4 Intel Unite Deployment

When you are ready to deploy Intel Unite, identify the location of the folder or media provided to your organization containing the following installers (install in the same order as shown):

1) Enterprise Server Installer: Intel Unite Server.msi
2) Hub Installer: Intel Unite Hub.msi
3) Client Installer: Intel Unite Client.msi

It is important that the Enterprise Server is installed only after you have understood and validated the pre-installation requirements.

You also have to install the Intel Mini-PC NUC in the monitor or device you want to use.

The Intel Unite software installers create default options when installing; you can choose to leave them as they are or configure them to your organization's needs.

NOTE: It is not required to have a separate database instance in production. The Intel Unite application will create its own database, data tables and indexes in your existing database without interfering with other databases.

The next section, “Enterprise Server Deployment”, contains the steps to deploy the Server and general information about each component needed for a successful install. However, if you are setting up a “test environment”, follow the default values provided by the application through the installation process, for convenience.

If your organization wants to set up a “test environment” and select the default values, some of the information in this guide will be for information purposes only, since you may choose to skip the optional configurations.

It is the decision of the IT account administrator or your solution provider to adjust these settings to your organization's preferences.

5 Enterprise Server Deployment

5.1 Enterprise Server Overview

The Enterprise Server Installer includes the PIN server, Admin Portal, and Client download page.

The Enterprise Server is the directory server that assigns PINs to Intel Unite Clients and Hubs; it also resolves PIN to IP address lookups.

The Enterprise Server contains 4 components:

1) MS SQL database: maintains all state information for the Intel Unite infrastructure.

2) Web Service: a standardized messaging service that communicates with the database and the Intel Unite Hubs and Clients.

3) Administration Portal Website: manages Hubs and Clients, generates statistics, and provides monitoring and alerting.

4) Client download landing webpage: contains the client Intel Unite software.

In addition, it is important to know that Intel Unite Hubs and Clients locate your Enterprise Server on your network infrastructure through one of the following 2 methods: the ServerConfig.xml file or a DNS Service Record. Depending on your infrastructure configuration, use one or the other.

It is recommended that you use the DNS service record, as this enables zero-touch configuration for the Client and Hub. However, if you are not able to acquire a DNS service record, the PIN service can be defined in the ServerConfig.xml file.

5.2 Enterprise Server Pre-Installation

1. Verify that the Server you are installing to meets the minimum software and hardware requirements specified in section 3. Intel Unite Requirements

2. Verify that IIS version 7.0 or greater is installed on your Server. The Server installer requires IIS to be enabled, otherwise it will fail. For help enabling and setting up IIS, see section IIS Enabling (by default SSL is not enabled, so https requests sent by the Admin Portal are not handled until IIS is enabled).

3. Make sure ASP.NET 4.5 is installed and enabled (you may need to install it on Server 2008), along with SSL; you must set up a server certificate (self-signed or existing).

4. Make sure you have MS SQL installed on your Server and that you have access to MS SQL via Windows authentication or SQL authentication; see section Microsoft SQL Server Install.

5.2.1 IIS Enabling

By default IIS (Internet Information Services) is not installed on a Windows Server. Please verify that IIS is enabled; if it is, skip to the next section.

To find out whether IIS is enabled, or to enable it, follow the steps described below or go to the links used as reference in this section.

For Windows 2008:

In Windows Server 2008, you need to download the Update for .NET Framework 4.5 from the Microsoft download page, if you don’t have it

Click Start, point to Administrative Tools and then click Server Manager

In Roles Summary, click Add Roles

Use the Add Roles Wizard to add the Web Server (IIS) role (check this box)

Click Next until you have the Select Role Services window

In the Application Development section, verify that ASP.NET is also checked; if not, select it. Please note that ASP.NET will not be checked by default. You also need ASP.NET 4.5

Click on Add Required Role Services to add the Web Server (IIS) role

Once the role has been created, under the Roles menu, go to Web Server (IIS); on the right side of the panel, go to Internet Information Services (IIS) Manager and select your server in the left Connections pane

In the middle pane, under your server, select and click on Server Certificates

In the Actions (right pane), click on Create Self-Signed Certificate

Specify a friendly name for the certificate and click Ok

In the left Connections pane, expand Sites and click on Default Web Site

In the right Actions pane, select Bindings (located under Edit Site)

In the Site Bindings window, click on Add

Use the following information:

o Type: https (Note: not http)

o IP Address: All Unassigned

o Port: 443

o Hostname: (leave blank)

o SSL Certificate: (select the one you created in the steps above)

o Click Ok

Select Close

Reference: Windows Server Library link Installing IIS on Windows Server 2008

For Windows 2012:

1. Open Server Manager.

2. Under Manage menu, select Add Roles and Features:

3. Select Role-based or Feature-based Installation

4. Select the appropriate server (local is selected by default)

5. Select Web Server (IIS)

6. Add the following features for IIS (as they are not default options):

o .Net Framework 4.5 Features

o ASP.NET 4.5

o WCF Services

o HTTP Activation

7. Click Next

8. Add Web Server (IIS) as a role to your server or accept the default value.

9. Add SSL/HTTPS to the default web service:

10. Click Install

11. Once the role has been created, under the Roles menu, go to Web Server (IIS); on the right side of the panel, go to Internet Information Services (IIS) Manager and select your server in the left Connections pane

12. In the middle pane, under your server, select and click on Server Certificates

13. In the Actions (right pane), click on Create Self-Signed Certificate

14. Specify a friendly name for the certificate and click Ok

15. In the left Connections pane, expand Sites and click on Default Web Site

16. In the right Actions pane, select Bindings (located under Edit Site)

17. In the Site Bindings window, click on Add

18. Use the following information:

1. Type: https (Note: not http)

2. IP Address: All Unassigned

3. Port: 443

4. Hostname: (leave blank)

5. SSL Certificate: (select the one you created in the steps above)

6. Click Ok

19. Select Close

Reference: Windows Server Library link Installing IIS on Windows Server 2012

Note about port 443: The Intel Unite web service communicates with the Intel Unite Clients and Hubs using port 443; make sure this port is enabled as mentioned above.

5.2.2 Microsoft SQL Server Install

The Enterprise Server requires MS SQL to run; the minimum requirement is version 2008 or higher. You can install a new, separate database if you wish to run a “test environment” and get comfortable with the application; however, it is NOT required. Intel Unite will create its own database, data tables and indexes in your existing database without interfering with other tables or existing data.

Some things to consider in SQL: in the Authentication field you have two options, Windows authentication or SQL authentication.

Windows Authentication is the default security mode. If you wish to authenticate users against Windows system users [created by the Administrator], choose Windows Authentication in your application; if you want to authenticate users against the set of users available in your application database, choose SQL Authentication.

See below for additional information about Windows authentication vs SQL authentication and choose the option that best fits your organization; considerations include test mode vs production mode.

SQL Authentication

SQL Authentication is the typical authentication used for various database systems, composed of a username and a password. Obviously, an instance of SQL Server can have multiple such user accounts (using SQL authentication) with different usernames and passwords. In shared servers where different users should have access to different databases, SQL authentication should be used. Also, when a client (remote computer) connects to an instance of SQL Server on a computer other than the one on which the client is running, SQL Server authentication is needed. Overall, SQL authentication is the main authentication method to be used while Windows Authentication is more of a convenience.

Windows Authentication

When you are accessing SQL Server from the same computer it is installed on, you shouldn't be prompted to type in a username and password, and you are not if you're using Windows Authentication. With Windows Authentication, the SQL Server service already knows that someone is logged in to the operating system with the correct credentials, and it uses these credentials to allow the user into its databases. Of course, this works as long as the client resides on the same computer as the SQL Server, or as long as the connecting client matches the Windows credentials of the server. Windows Authentication is often used as a more convenient way to log in to a SQL Server instance without typing a username and a password; however, when more users are involved, or remote connections are being established with the SQL Server, SQL authentication should be used.

5.2.3 Quiet Installers

If you want to continue with the default settings, skip this section. This step is optional, but it is preferred if you want to run the installers quietly, without any menus or windows appearing. In this mode, property parameters are passed to the installer via the command line.

To run the quiet installers:

Open the command prompt, and use the following command line:

msiexec /i "PATH_TO_CLIENT_MSI" PARAMETER=VALUE PARAMETER=VALUE … /qn /l* "PATH_TO_LOG"

NOTE: /i installs the package, /qn runs the installer in quiet mode, and /l* records debug output to the specified file. The .msi files can also be run on their own by double-clicking them.

Below is the full list of property parameters that can be passed into each installer:

Server variables:

DBHOSTNAME = "local" or "{IP}" or "{server},{port}" (defaults to local)

Host name of the machine where MS SQL is installed. This is where the installer creates the UniteServer database. If installing the database on the current machine, you do not need to include this parameter, as it defaults to local.

DBLOGONPASSWORD = "{service account password}"

Password to be used by the service account to connect to the UniteServer database.

DBLOGONPASSWORDCONF = "{service account password}"

(must be identical to DBLOGONPASSWORD)

DBLOGONTYPE = "WinAccount" or "SqlAccount" (defaults to WinAccount)

Selects the logon type used to access the MS SQL server. Options are Windows authentication and SQL authentication.

If the logon type is SqlAccount, provide the username and password via the parameters below.

DBUSER = "{SQL username}"

DBPASSWORD = "{SQL password}"

For server features:

ADDLOCAL = "ALL" installs the database

Do not include this parameter if you are not installing the database; it is not installed by default.

Client/hub variables:

PINSERVERLOOKUPTYPE = "Lookup" or "Manual" (defaults to Lookup)

Specifies how the application will find the server. Lookup will utilize the DNS service record, while Manual requires the input of the parameters below.

PINSERVER = "{hostname}"

The host name of the server to connect to.

CERTKEYCHECKED = "1" (checked) or "0" (unchecked)

Optional. Check if you know the certificate public key.

CERTKEY = "{certificate key}"

Optional. Enter the certificate public key (see section 4.2.4 for details regarding the public key).
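
The quiet server install described above, written as a PowerShell wrapper. This is an added example, not code from the guide or from Intel: the MSI path, log path and SQL host name are placeholders, and the function names are hypothetical. Because the passwords travel as command-line properties and /l* logging can record property values, the wrapper also checks whether any secret ended up in the log.

```powershell
# Added example, not Intel's code. Paths and host names are placeholders;
# the property names are the ones listed in section 5.2.3.

function ConvertTo-MsiPropertyString {
    param([Parameter(Mandatory)][hashtable]$Properties)
    # Emit NAME="value" pairs. msiexec expects an embedded quote to be doubled.
    ($Properties.GetEnumerator() | Sort-Object Name | ForEach-Object {
        '{0}="{1}"' -f $_.Name, ([string]$_.Value).Replace('"', '""')
    }) -join ' '
}

function Install-UniteMsi {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][hashtable]$Properties,
        [string[]]$SecretProperties = @()
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }

    # Same shape as the command line in the guide: /i, properties, /qn, /l*.
    $arguments = '/i "{0}" {1} /qn /l* "{2}"' -f $MsiPath,
        (ConvertTo-MsiPropertyString -Properties $Properties), $LogPath
    $process = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

    # 0 = success, 3010 = success, reboot required.
    $succeeded = $process.ExitCode -in 0, 3010

    # Check whether any secret property value was written to the install log.
    $leaked = @()
    if (Test-Path -LiteralPath $LogPath) {
        $logText = Get-Content -LiteralPath $LogPath -Raw
        foreach ($name in $SecretProperties) {
            $value = [string]$Properties[$name]
            if ($value -and $logText -and $logText.Contains($value)) { $leaked += $name }
        }
    }

    [pscustomobject]@{
        ExitCode     = $process.ExitCode
        Succeeded    = $succeeded
        SecretsInLog = $leaked
        Log          = $LogPath
    }
}

# Server install against a remote SQL instance using SQL authentication.
# Passwords are prompted for instead of being stored in the script.
$sqlLogin  = Get-Credential -Message 'SQL login used by the installer (DBUSER / DBPASSWORD)'
$servicePw = Read-Host -AsSecureString -Prompt 'New UniteServer service account password'
$servicePwPlain = (New-Object System.Net.NetworkCredential('', $servicePw)).Password

$serverProperties = @{
    DBHOSTNAME          = 'sql01.example.com'          # placeholder host
    DBLOGONTYPE         = 'SqlAccount'
    DBUSER              = $sqlLogin.UserName
    DBPASSWORD          = $sqlLogin.GetNetworkCredential().Password
    DBLOGONPASSWORD     = $servicePwPlain
    DBLOGONPASSWORDCONF = $servicePwPlain
    ADDLOCAL            = 'ALL'                         # install the database feature
}

$result = Install-UniteMsi -MsiPath 'C:\Deploy\Intel Unite Server.msi' `
    -LogPath 'C:\Deploy\Logs\unite-server-install.log' `
    -Properties $serverProperties `
    -SecretProperties 'DBPASSWORD', 'DBLOGONPASSWORD', 'DBLOGONPASSWORDCONF'

if ($result.SecretsInLog.Count -gt 0) {
    Write-Warning ('Install log contains the value of: {0}. Restrict access to it or delete it.' -f
        ($result.SecretsInLog -join ', '))
}
$result
```

For a Hub or Client install, pass the PINSERVERLOOKUPTYPE, PINSERVER, CERTKEYCHECKED and CERTKEY properties instead and leave -SecretProperties empty.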

5.2.4 Registry Keys

This section is for information purposes only. The installers write the following registry keys for the Intel Unite application:

* Registry Keys: (current user):

* HKEY_CURRENT_USER\software\Intel\Unite\ActiveConnection (DWORD) [0 no users connected, 1 users connected]

* HKEY_CURRENT_USER\software\Intel\Unite\PublicKey (String) [public key of connection certificate]

* HKEY_CURRENT_USER\software\Intel\Unite\CurrentPin (String) [current PIN of this system]

* HKEY_CURRENT_USER\software\Intel\Unite\DoNotShowPrivacyStatement (DWORD) [0 show privacy statement on launch, 1 do not show statement]

* HKEY_CURRENT_USER\software\Intel\Unite\HWThumbprint (String) [hash of HW]

* HKEY_CURRENT_USER\software\Intel\Unite\LogFile (String) [path to filename with write access to log runtime debug messages]

* HKEY_CURRENT_USER\software\Intel\Unite\ServicePort (DWORD) [port that service is listening on]

* Registry Keys: (machine)

* HKEY_LOCAL_MACHINE\software\Intel\Unite\HubUnlockPassword (String) [password to exit hub application]

* HKEY_LOCAL_MACHINE\software\Intel\Unite\DisableCheckCertificateChain (DWORD) [Set for Self-Signed Certificates, where if 1 = do not check certificate chain of Enterprise (Server Certificate)]

* HKEY_LOCAL_MACHINE\software\Intel\Unite\DisableUsageCollection (DWORD) [1 = block all telemetry data collection]
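
A configuration audit over the security-relevant values in the list above, as an added example that is not part of the guide or Intel's code. The function names are hypothetical, and the WOW6432Node fallback is an assumption about where a 32-bit install would write on 64-bit Windows; the guide does not say whether HubUnlockPassword is stored hashed, so the script reports only who can read it and never prints the value.

```powershell
# Added example, not Intel's code. Value names are those listed in section 5.2.4.
# Assumption: a 32-bit install on 64-bit Windows may use the WOW6432Node view.
$UniteSubKeys = 'SOFTWARE\Intel\Unite', 'SOFTWARE\WOW6432Node\Intel\Unite'

function Get-UniteRegistryValue {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive, [string]$Name)
    foreach ($subKey in $UniteSubKeys) {
        $path = '{0}:\{1}' -f $Hive, $subKey
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Path = $path; Name = $Name; Value = $item.$Name }
        }
    }
}

function Test-BroadReadAccess {
    param([string]$Path)
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $rights  = [int]$rule.RegistryRights
        # Bit 0x1 is QueryValues; the top bit is GENERIC_READ on inherited rules.
        $canRead = ($rights -band 1) -or ($rights -band [int]::MinValue)
        if ($rule.AccessControlType -eq 'Allow' -and $canRead -and
            $broadSids -contains $rule.IdentityReference.Value) {
            return $true
        }
    }
    return $false
}

function Get-UniteRegistryFinding {
    # HKCU values are per user: run this as the account that runs Intel Unite.
    $chain = Get-UniteRegistryValue -Hive HKLM -Name DisableCheckCertificateChain
    if ($chain -and $chain.Value -eq 1) {
        [pscustomobject]@{
            Level  = 'Review'
            Item   = 'DisableCheckCertificateChain'
            Detail = 'Set to 1: the Enterprise Server certificate chain is not checked.'
        }
    }

    $publicKey = Get-UniteRegistryValue -Hive HKCU -Name PublicKey
    [pscustomobject]@{
        Level  = 'Info'
        Item   = 'PublicKey'
        Detail = if ($publicKey -and $publicKey.Value) {
            'Present: compare it with the public key of your server certificate.'
        } else { 'Not set for this user.' }
    }

    $unlock = Get-UniteRegistryValue -Hive HKLM -Name HubUnlockPassword
    if ($unlock) {
        $broad = Test-BroadReadAccess -Path $unlock.Path
        [pscustomobject]@{
            Level  = if ($broad) { 'Review' } else { 'Info' }
            Item   = 'HubUnlockPassword'
            Detail = "String value under $($unlock.Path); readable by standard users: $broad"
        }
    }

    $usage = Get-UniteRegistryValue -Hive HKLM -Name DisableUsageCollection
    [pscustomobject]@{
        Level  = 'Info'
        Item   = 'DisableUsageCollection'
        Detail = if ($usage -and $usage.Value -eq 1) { 'Telemetry collection is blocked.' }
                 else { 'Not set to 1: telemetry collection is not blocked by policy.' }
    }

    foreach ($name in 'ServicePort', 'LogFile') {
        $entry = Get-UniteRegistryValue -Hive HKCU -Name $name
        if ($entry) {
            [pscustomobject]@{ Level = 'Info'; Item = $name; Detail = [string]$entry.Value }
        }
    }
}

Get-UniteRegistryFinding | Format-Table -AutoSize -Wrap
```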

5.2.5 Privacy Statement

Intel Unite has the capability to collect information that may help Intel to understand how well the product performs. The following Privacy Statement dialog will be displayed when launching the application; you can suppress this dialog (hide or show) by changing the value of the registry key for the Privacy Statement, which is listed in the Registry Keys section.

5.3 Enterprise Server Installation

Once you have verified and/or validated all the steps in the previous section (Enterprise Server Pre-Installation), continue with the software installers (this process needs to be run on the server that hosts the IIS environment).

1. Locate the “Intel Unite Server.msi” file and double click to install on the target server(s).

2. The installation wizard provides the option to install these components: Unite Database, Unite Web Service, Intel® Unite™ Client Download page, and Administration Portal.

3. After launching IntelUniteServer.msi, accept the license agreement.

4. Click Next to continue to the Database Server window

5. In the Database Server window, select the Database Server Connection Details. The available options are:

In the SQL Hostname box, (local) is the default value for the Server; you can change it by entering your hostname, or leave the default value (leave (local) if SQL is installed on the same server)

The default value for the Server is Trusted (if you are already logged in); alternatively, select Specify Username and Password if you have valid credentials that have access to the database and prefer SQL authentication. If you choose the latter, make sure you TEST the database connection by clicking Test Connection. For additional information on which option to choose, go to section Microsoft SQL Server Install

In the Intel Unite Database Connection/Setup Details section, you need to create a new password for the UniteServer database; this is the password used to access the new Intel Unite database named UniteServer. Confirm the password in the next box

The password must contain at least 8 characters, at least one uppercase character, one lowercase character, one digit and one symbol.

6. Click Next to continue to the Custom Setup window for feature selection.

7. Before you click Next, expand the Intel Unite Database feature and select one of the Database features, Will be installed on local hard drive or Entire feature will be installed on local hard drive (same result). This is only needed for the first instance; for subsequent installs this becomes a default value. For remote installation (where the database is installed on another server), continue to the next step.

8. Click Next to verify feature selection and begin the installation by clicking on Install.

9. Click Finish to complete the setup.

10. Optional: You should be able to view and test the connection with the UniteServer database.

11. You have now installed Intel® Unite™ Server; continue to the next section to install the Hub.

5.4 Uninstalling Intel Unite

If for any reason you need to uninstall the application, you also need to delete the UniteServer database created previously to avoid conflicts within the application.

When the installer is launched, you will have the following options:

Change: change how the features were installed

Repair: fix and repair missing or corrupted files and registry entries

Remove: remove the components installed by the installer you are running

1. Click on Remove to uninstall and Next to continue

2. After the un-install has ended, go to SQL Server Management Studio

3. Manually delete the UniteServer SQL Database and the UniteServiceUser account located under Logins. See the highlighted areas below

4. You can now repeat the installation process

6 Intel Unite Hub Deployment

6.1 Intel Unite Hub Pre-Installation

The Intel Unite executable needs an exemption in the Hub firewall, since the Hub needs to be able to locate, check in and communicate with the Intel Unite Enterprise Server.

When you run the Hub installer, it will prompt you for server connection details and give you the option of bypassing the manual lookup (named Specify Server in the install process) in favor of retrieving the information from the DNS Service Record. When running the Hub installer, it will edit the ServerConfig.xml.

Depending on the method chosen for PIN lookup, you need to know whether you will use the Automatically Find Server or the Specify Server selection when executing the installation.

If you know that the DNS Service record exists, you can select Automatically Find Server; it is preferable to use the automatic lookup to avoid mistyping errors. If unsure, use the Specify Server option (manual lookup), for which you need to know the hostname for Intel Unite. DNS Service Record is applicable only when the ServerConfig.xml file found on a Hub or Client does not contain a value in the server field that a DNS Service record is using.

If you have edited the ServerConfig.xml with the public key (see next section Public Key), you are not required to input the key again for the client and hub installers.

Note: If a server is defined in the ServerConfig.xml, it will take precedence over the DNS Service Record.

6.1.1 Public Key

The public key is optional; it specifies how the Client will talk to the Enterprise Server. If left blank or unspecified, the Hub and the Client will validate the root of trust. If the application does not accept the certificate, it will prompt the user.

You will need the public key when running the installers for the Hub and the Client. To obtain the public key, go to:

https://<your_server_url_here>/unite/ccservice.asmx

In the URL bar, click the lock and view the certificate information. Go to Details, click Show All, scroll down to the “Public Key” field, then click it to view the key. Optionally, you may copy the value from there and paste it into the ServerConfig.xml file.

Make sure you remove the spaces from the string after you paste it into the ServerConfig.xml file. If you have edited the ServerConfig.xml with the public key, you are not required to input the key again for the client and hub installers.

6.1.2 ServerConfig file and DNS Record content

When running the Hub installer, it will edit the ServerConfig.xml and place it under Program Files/Intel/Intel Unite/Hub. Please see below for content details.

ServerConfig.xml file content:

You must have the server host name and the public key for your server available when you start the installation process.

DNS Service record content:

The hub or client will look for the service named _uniteservice._tcp within the DNS service records:

_uniteservice._tcp.example.com 86400 IN SRV 0 5 443 uniteserver.example.com

To add a DNS Service Record in Microsoft Windows:

i. Open DNS Manager

ii. Expand the Forward Lookup zone (left pane)

iii. Right click on the zone and select "Other New Records..."

1. In "Select a resource record type:" select "Service Location (SRV)" and select "Create Record"

2. For "Service" enter: _uniteservice

3. For "Protocol" enter: _tcp

4. For "Port" enter: 443

5. Host offering this service: Enter the hostname/IP of the Enterprise server(s)
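
To check what the automatic lookup resolves to, and to read the public key for the Public Key step without a browser, the script below resolves the _uniteservice._tcp record and inspects the certificate each target presents. It is an added example, not code from the guide or from Intel: example.com is a placeholder domain, the function names are hypothetical, and it assumes the hex string returned by .NET's GetPublicKeyString() matches the "Public Key" field with spaces removed.

```powershell
# Added example, not Intel's code. 'example.com' is a placeholder domain.

function Resolve-UniteService {
    param([Parameter(Mandatory)][string]$Domain)
    # The service name is the one given in the guide: _uniteservice._tcp
    Resolve-DnsName -Name "_uniteservice._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Get-UniteServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $state = @{ Errors = $null }
    # The certificate is accepted only so that it can be inspected (self-signed
    # included). The validation result is recorded and no application data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)

        [pscustomobject]@{
            HostName     = $HostName
            Port         = $Port
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            PolicyErrors = [string]$state.Errors      # 'None' when the chain validates
            PublicKeyHex = $cert.GetPublicKeyString() # hex, no spaces
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Get-UnitePinningReport {
    param([Parameter(Mandatory)][string]$Domain)
    foreach ($record in Resolve-UniteService -Domain $Domain) {
        if ($record.Port -ne 443) {
            Write-Warning "SRV target $($record.NameTarget) uses port $($record.Port), not 443."
        }
        Get-UniteServerCertificate -HostName $record.NameTarget -Port $record.Port
    }
}

Get-UnitePinningReport -Domain 'example.com' | Format-List
```

A PolicyErrors value other than None on a server with a self-signed certificate is expected; it is the case where the public key or the DisableCheckCertificateChain setting comes into play.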

6.2 Intel Unite Hub Installation

1. Locate the installer folder and run the file for the Hub: Intel Unite Hub.msi

2. Click Next to continue.

3. Click Next after you check the box I accept the terms in the License Agreement.

4. In this window you must specify the PIN server connection settings. Your choices are:

Automatically Find Server: This is the most convenient choice (default)

Specify Server: In this step you need to know the hostname for Intel Unite

Enter the certificate public key: this option is only enabled when you select Specify Server

Enter the certificate public key if you have it and have selected this method

5. Select your choice and click on Next.

6. The Destination Folder window will open with the default folder where the Intel Unite Hub will reside. You can change the destination folder if you wish; otherwise keep the default location. In this step you can also create a desktop icon.

7. In this step you can go back to review your settings or click on Install to continue.

8. Once the installation has ended, you will see the Completed the Intel Unite Setup Wizard window.

9. If you want to launch the application, select Launch Intel Unite and click on Finish, or just click on Finish to end the installation process.

10. When you launch the application for the first time, you will see the following Intel Unite Privacy Statement.

11. The Intel Unite Privacy Statement function is used to collect anonymous usage data. Intel is always looking to improve its products and would like to collect data to continue to improve the product. Please select YES or NO, and check the box if you do not want to show the dialog box again.

12. You will now see a PIN displayed on your screen or monitor. This is the PIN you will need to connect your client devices.

13. Verify the installation was successful by accessing the Admin Portal at the following link:

https://<yourservername>/admin (Default value: https://unite/admin)

Default admin account:

User: [email protected]

Password: Admin@1

Note: If you receive an error page when accessing the Admin Portal that complains about a specific xml tag in the Web.config, remove the tag from the Web.config in the top level of the portal’s virtual directory (accessible from the IIS management console).

14. Verify the Web Service installation was successful at the following link:

https://<yourservername>/unite/ccservice.asmx

Select “GetProfile”

Enter “test” in the value field and press Invoke.

15. Optional: Verify that you can view the default profile in the ServerConfig.xml file as shown below. The file is located under the Intel Unite/Hub directory. This indicates that the PIN service can access the Unite database and successfully retrieve data.

6.3 Intel Unite Configuration Options

The Intel Unite configuration options for Hubs are configured in the Admin Web Portal. The Admin Portal contains a default configuration option that is applied to all Intel Unite hubs that are checking in. The configuration options are pushed to the client after a connection from the client to the Enterprise Server is established. The settings are updated each time the hub checks in.

To access the Admin Portal, follow the link using the server name created for Intel Unite:

https://<yourservername>/admin (Default value: https://unite/admin)

Default admin account:

User: [email protected]

Password: Admin@1

6.4 Hub Best Practices

In order to ensure the best possible end user experience, the hub should be configured so that it is always ready to be used and so that system alerts or popups that display on the screen are suppressed. Best practices include the following:

Microsoft Windows should automatically log in the domain or user account under which Intel Unite will execute

Screen savers should be disabled

The system should be set to never go to standby

The system should be set never to log out

Display should be set to never turn off

System alerts should be suppressed

6.5 Hub Security

The hub administrator should ensure that best security practices are followed for each attended and unattended hub. Intel Unite does not require administrative privileges to execute. If the local user is logged on automatically, ensure that the user does not run with administrative privileges.

6.6 Intel Unite Plugins

Intel Unite supports the use of plugins. Plugins are software elements that extend the features and capabilities of Intel Unite, implementing user experience modalities. Plugins may be unique to each system.

Each plugin should be installed in the plugin directory within the Intel Unite installation directory ([Unite App Root]\Plugins\[PluginNamespace]Plugin.dll). Plugins are enumerated at application start. If a new plugin is added, the application will need to be restarted.

Please consult the “Intel Unite API Guide” for specific Plugin details and instructions.

7 Intel Unite Client Deployment

7.1 Intel Unite Client Pre-Installation

The Intel Unite Client needs to be able to locate and check in with the Intel Unite Enterprise Server. The Intel Unite executable needs an exemption in the client firewall to check in and communicate with the Intel Unite Enterprise Server.

When you run the Client installer, it will prompt you for server connection details and give you the option of bypassing the manual lookup (named Specify Server in the install process) in favor of retrieving the information from the DNS Service Record. When running the installer, it will edit the ServerConfig.xml.

Depending on the method chosen for PIN lookup, you need to know whether you will use the Automatically Find Server or the Specify Server selection when executing the installation.

If you know that the DNS Service record exists, you can select Automatically Find Server; it is preferable to use the automatic lookup to avoid mistyping errors. If unsure, use the Specify Server option (manual lookup), for which you need to know the hostname for Intel Unite. DNS Service Record is applicable only when the ServerConfig.xml file found on a Hub or Client does not contain a value in the server field that a DNS Service record is using.

Note: If a server is defined in the ServerConfig.xml, it will take precedence over the DNS Service Record.

7.2 Intel Unite Client Installation

1. Locate the installer folder and run the file for the Client: Intel Unite Client.msi

2. Click Next to continue.


3. Click Next after you check the box I accept the terms in the License Agreement.

4. In this window you must specify the PIN server connection settings. Your choices are:

Automatically Find Server: This is the most convenient choice (default).

Specify Server: For this option you need to know the hostname for Intel Unite.

Enter the certificate public key: This option is only enabled when you select Specify Server. Enter the certificate public key if you have it and have selected this method.

5. Select your choice and click on Next to continue.


6. The Destination Folder window opens with the default folder where the Intel Unite Client will reside. You can change the destination folder if you wish; otherwise keep the default location. In this step you can also create a desktop icon.

7. At this point, you can go back to review your settings or click on Install to continue.

8. Once the installation has ended, you will see the Completed the Intel Unite Setup Wizard window.


9. Click on Finish and launch the installation if you wish.

7.3 Launching Intel Unite in a Client

1. Once you have installed the Client, launch Intel Unite.

2. The following Connect to a screen window appears:

3. The user then needs to enter a PIN to connect. This PIN is the one displayed on the Hub; the user can also request a PIN and be the hub.

4. You will see the trying to contact your server screen. The PIN changes every few minutes, and every participant can use the PIN to connect and share simultaneously.


5. Once connected, you can click on “Share” if you wish to present or show your screen.

7.3.1 Fail to launch Intel Unite in a Client

When the server is using a self-signed certificate with an invalid trust chain, the user will see the following screen when launching the Client:

Intel Unite has a user override for self-signed certificates on the Enterprise Server. In this case, the user has the following options to continue: View Certificate, Accept, or Cancel, as displayed in the window below:

Please go to the “Intel Unite Users Guide” for additional user information about the Intel Unite application.

7.4 Intel Unite Client Configuration

The Intel Unite configuration options for clients are configured in the Admin Portal. The Admin Portal contains a default configuration option that is applied to all Intel Unite Clients that are checking in. The configuration options are pushed to the client after a connection from the Client to the Enterprise Server is established. The settings are updated each time the Client checks in. Please refer to section 8, Profile Configuration, and section 9, Admin Portal Guide, to understand your configuration options.


8 Profile Configuration

The Intel Unite Admin Portal enables Intel Unite Profile Provisioning, Alerting and Monitoring.

When Intel Unite is installed, the Clients and Hub receive a default profile when they check into the Enterprise Server for the first time. The default values in the Profiles are specified below.

Your IT administrator can change the values to customize the application and the experience of the meeting space.

8.1 Profile Provisioning

Please note that new profiles / customizations of the application can be created and/or modified in the Admin Portal, with the Hubs and Clients assigned to those profiles. See section Admin Portal Guide to understand the available menus and options you have in the Intel Unite configuration.

The table below shows the available options (Keys), each followed by a description. For example, some of the configurable options include changing the size of the file to be transferred, text colors, show clock, background color of the Hub, URL for download of the Client, text instructions of the Hub, etc.

To access these Keys, go to the Admin Portal, log in, and under the Groups menu select Profiles. You will see a list of the available Profile names; click on Details of the Profile you want. Refer to section Groups > Profiles.

Key | Description | Data Type | Default Value
DisplayPinSize | Size in pixels. The value is the height in pixels for the onscreen pin (larger values make the pin easier to read from across the room) | Integer | 48
TileCompression | JPG compression level. % of compression to apply to a changed portion of the display (tile) being transmitted over the network | Integer | 80 (valid range: 5-100)
TileSize | Tile size for breaking screen into chunks. The size, in pixels, for each tile. A tile is a section of the screen which is evaluated for change. Only changed tiles are transmitted | Integer | 128 (valid range: 32-512)
ServiceListenPort | The TCP port that the service should listen on | Integer | 0 (0 indicates OS assigned port)
FileMaxSize | Max file size for file transfers | | 2000000000 (2GB) (valid range: 0-2GB)
FileBlockedExtensions | Comma separated list of blocked file extensions | Integer |
FullScreenRoomModeTextColor | Text color of onscreen text | Integer |
FullScreenRoomModePinColor | Text color of PIN | Integer |
FullScreenRoomModeTextFont | Name of font for instructions | Integer |
AllowFileTransfer | Flag to enable/disable the ability for a hub or client to transfer a file | Boolean | True
HubLockKeyboard | Lock out the following: Ctrl-Esc, Alt-Tab, Charms bar, Windows keys and Alt-F4 in Hub. If set to True hub lock out is enabled. Can override with password set in Reg Key Machine | Boolean | False
HubShowClock | Show clock in bottom right corner | Boolean | True
FullScreenRoomMode | Enable/disable hub full screen. False: Pin in upper right only. True: Pin in upper right and a full screen background | Boolean | True
FullScreenRoomModeBackgroundURL | Sets the Hub background to the URL or image (jpg/png) specified. Set value to True if you want this feature. Example: http://myserver.com/background.jpg | Boolean | Blank
FulScreenRoomModeBackgroundColor | Background color of the Hub. Named color or html style color. Valid values are named colors or RGB values/HTML colors in the format: #000000 (for example red is #FF0000) | String | Blank
FullScreenRoomModeShowPin | Show instructions. Set value to True if you want this feature. | Boolean | True
FullScreenRoomModeInstructions | Text instructions to be displayed on Hub. Can use {pin} and {host} as replacements. URL for download of the client. This item is displayed on the full screen room mode screen. | String | Blank
VerifyPluginPublicKey | Verify plugin public key before loading plugins | Boolean | False
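The valid ranges and defaults in the table above can be checked mechanically before a profile is assigned to Hubs and Clients. The following is an added example, not part of the guide or of Intel Unite: it assumes a profile is available as a dictionary of key/value strings (the guide does not describe an export format), and the "review" items are a reviewer's reading of the table's security-relevant defaults.

```python
# Added example, not Intel code. Ranges and defaults are copied from the
# profile table; the dict-of-strings profile representation is an assumption.

DEFAULTS = {
    "TileCompression": "80",
    "TileSize": "128",
    "ServiceListenPort": "0",
    "FileMaxSize": "2000000000",
    "FileBlockedExtensions": "",
    "AllowFileTransfer": "True",
    "HubLockKeyboard": "False",
    "VerifyPluginPublicKey": "False",
    "FullScreenRoomModeBackgroundURL": "",
}

INT_RANGES = {
    "TileCompression": (5, 100),
    "TileSize": (32, 512),
    "FileMaxSize": (0, 2_000_000_000),
    # 0 means "OS assigned port"; 65535 is the upper bound of any TCP port.
    "ServiceListenPort": (0, 65535),
}

# Constructed sample profile used for the demonstration below.
CONSTRUCTED_PROFILE = {
    "TileSize": "1024",
    "FileMaxSize": "50000000",
    "FileBlockedExtensions": ".exe, bat",
    "VerifyPluginPublicKey": "True",
    "HubLockKeyboard": "True",
    "FullScreenRoomModeBackgroundURL": "http://myserver.com/background.jpg",
}


def is_true(value):
    """Interpret a profile value as a Boolean flag."""
    return str(value).strip().lower() == "true"


def blocked_extensions(value):
    """Split the comma separated list into normalized extensions."""
    parts = (item.strip().lstrip(".").lower() for item in str(value).split(","))
    return {item for item in parts if item}


def audit_profile(profile):
    """Return (errors, review): range violations and settings to review."""
    settings = {**DEFAULTS, **profile}  # unset keys fall back to the defaults
    errors, review = [], []

    for key, (low, high) in INT_RANGES.items():
        raw = str(settings[key]).strip()
        try:
            number = int(raw)
        except ValueError:
            errors.append(f"{key}: {raw!r} is not an integer")
            continue
        if not low <= number <= high:
            errors.append(f"{key}: {number} is outside {low}-{high}")

    if not is_true(settings["VerifyPluginPublicKey"]):
        review.append("VerifyPluginPublicKey: plugins load without a public key check")
    if is_true(settings["AllowFileTransfer"]) and not blocked_extensions(
        settings["FileBlockedExtensions"]
    ):
        review.append("FileBlockedExtensions: file transfer is on and nothing is blocked")
    if not is_true(settings["HubLockKeyboard"]):
        review.append("HubLockKeyboard: hub key combinations are not locked out")
    url = str(settings["FullScreenRoomModeBackgroundURL"]).strip().lower()
    if url.startswith("http://"):
        review.append("FullScreenRoomModeBackgroundURL: URL uses plain HTTP")
    return errors, review


if __name__ == "__main__":
    for label, profile in (("default", {}), ("constructed", CONSTRUCTED_PROFILE)):
        errors, review = audit_profile(profile)
        print(label, "errors:", errors)
        print(label, "review:", review)
```

An unmodified default profile produces no range errors but three review items, which is the case to look at first on a new deployment.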


8.1.1 Pin Refresh Interval

The default PIN refresh interval is 5 minutes. This can be changed in 1-minute increments from 2 to 60 by modifying the web.config file in the root of the web service site virtual directory. This is accessed via the IIS manager.

Modify the <add key="PinExpireTimeInMinutes" value="5"></add> tag to the desired refresh interval.

8.2 Alerting and Monitoring

A monitoring and alerting service is installed on the Enterprise Server. This is an opt-in service and is configured in the Admin Portal.

Any client that is configured for alerts will be monitored, and if it has not checked in within the warning threshold an email will be sent to specified users.

To opt in to receive emails about inactive clients, make sure that the Notifications role has been assigned to your Admin Web Portal account. To opt a client into being monitored, add the key EnableReporting to its metadata and set the value to True.

The warning threshold is configured in Management -> Server Properties. It defaults to 60 minutes.

InactiveCount: If the user wants to get an immediate email at the next check, this should be set to a low number.

The email address and email server must be specified in the clocktower.exe.config file, which is located in:

../productfiles/release/clocktower.exe.config

<mailSettings>
  <smtp from="[email protected]" deliveryMethod="Network">
    <network enableSsl="false" host="smtp.myco.com" port="25" userName="[email protected]" password="pass" />
  </smtp>
</mailSettings>


9 Admin Portal Guide

The Admin Portal is installed on the server alongside the backend database for Intel Unite, though they do not have to be installed on the same server, as long as the portal can access the Intel Unite database.

The default administrator account created during the installation is:

User: [email protected]

Password: Admin@1

This account has complete access to the Admin Portal and it is recommended that the user changes the password or creates their own account.

9.1 Create a new account

1. Make sure you are logged out of the web portal.

2. Click on the “Register” link at the top right of the navigation bar.

3. Fill in the form with the desired email address and password and click Register.


Or alternatively, to create a user with the default user name:

1. Log in to the Admin Portal as [email protected].

2. Click on the “Management” link in the navigation bar, and “Users” in the dropdown menu.

3. Click “Create” and enter the desired email address and password.

NOTE: Creating an account with the default username will not automatically send an email verification. To manually verify the email address, log in to the new account, click the “Hello <your user name>!” in the top right of the navigation bar, and hit the “Send Email Verification” button at the bottom of the page.

9.1.1 Assign access rights to the new account

1. Make sure you are logged in as [email protected]

2. Click on the “Management” link in the navigation bar, and select “Role Assignments” in the dropdown menu.

3. Click “Create”.

4. Find and select the email address of the new account in the User ID field and select the desired role in the Role ID field.


9.2 The Admin Portal Navigation Bar

The navigation bar will direct you to the different areas of the web portal. The web portal pages are:

Admin Portal Home Page

Devices

Groups

Management

9.2.1 Admin Portal Home page

This page contains a welcome message and provides a quick overview of all active client devices (Active Devices), as well as client status, client name, last check-in time, location, and details of each of them when following the link.

The table of active devices may be filtered with multiple keywords, and each keyword will search through every column. Columns in the table may be shown or hidden by clicking the “Edit Columns” button, but will be counted in the filtering regardless of visibility.


NOTE: When not logged in, you will see the “Register” option in the navigation bar. Clicking on it directs you to the register and log in page.

9.3 Devices page

The Devices page contains all devices currently in the database. This page allows you to select what device information you want to see on this screen. Click on “Edit Columns” to customize your page; see below for field descriptions.

Available fields to display in this page are:

Status – active (green icon) or inactive (yellow icon) device

Friendly Name – customized device name

Client FQDN – client name

Profile – type of access

Last Check-in – last time online

Location - to view the device location

Version – version number, if applicable

Details – detailed information of each device

You can also access a device’s details page by clicking the “Details” link, available for each device.

The Device Details page shows a detailed view including its Client properties and Client metadata. There are several important metadata key names to note that the portal uses to populate certain areas such as the tables.


9.4 Groups page

The Groups page will give you two options in the menu:

9.4.1 Groups > Device Groups

In this page you can view Group Name, Total Devices in Group, Edit and View Devices. This page shows all created groups and is the interface for group manipulation. You can create new groups here, as well as edit group details, delete groups and go to a device view for devices contained in a group.

9.4.2 Groups > Profiles

This page is similar in layout and function to “Device Groups”, but contains profiles. Profiles differ in that these contain the configuration options for Intel Unite devices. Devices may only belong to one profile, while they can belong to many device groups. To access and edit configuration settings of profiles, click on the “Details” of a particular profile.


9.5 Management page

The Management page drops down into several sub-pages:

Server Properties: is the portal user management, contains the interface for viewing and modifying server keys and values.

Users: you may add, remove or manually edit any account.

Roles: will allow you to create new roles.

Role Assignments: will allow you to assign users to roles.

Permissions: takes you to the page where you may edit access rights for actions on the portal.

Below are brief overviews of each page and what you can do on them.

9.5.1 Management > Server Properties

On this page you can view, create, edit and delete key values for the server. The two notable keys that the Admin Portal uses are “InactiveCount” and “WarningThreshold”. The first is used by the Intel Unite health monitoring tool that emails users in the “Notifications” role. The second is used to determine the threshold of when a device is considered to be inactive, in minutes. The default is 1 hour.


9.5.2 Management > Users

This page allows you to view the current users of the Admin Portal, as well as view details such as whether a user account has been locked out, change your passwords, and manually add other users without them having to register.

By clicking “Create” you can add a new user; an email and password are required for this action. When changing passwords, email address verification is required; look for a manual email verification. You may also view your current roles and which actions on the site you are allowed to execute, and/or request higher access permission if you do not have access.

NOTE: The email server settings for requesting permission can be modified in the web.config file in the root of the web server folder for the Admin Portal. See Management > Permissions for additional information.

9.5.3 Management > Roles

This page shows the roles currently defined for the database. You can add new roles and delete current roles. Roles alone do not regulate access to the portal; instead, the actions on the portal (e.g. creating a user) are restricted to roles, which are associated with sets of users. By default, the roles “Admin” and “Notifications” are defined. The “Admin” role will have access to all actions on the portal. The “Notifications” role does not have any access, but is used by the monitoring tool to determine which users to send email notifications.


9.5.4 Management > Role Assignments

This page will allow you to assign defined users to roles. When a user is assigned a new role, they are notified via email.

To assign roles, click on “Create”. The following screen will open:


9.5.5 Management > Permissions

This page contains the definitions of all actions in the portal. These actions can be customized to allow a set of roles to perform the action. If Allow Anonymous Users is checked, then any user or visitor to the portal will be able to perform that action.

Clicking Create takes you to the create new permission page, where you can add the Activity Name, its Description, and whether to allow Anonymous Users.

NOTE: The email server settings for requesting permission can be modified in the web.config file, located in the root directory of the Intel Unite folder. The settings in the file are as follows:

<mailSettings>
  <smtp from="[email protected]" deliveryMethod="Network">
    <network enableSsl="false" host="smtp.myco.com" port="25" userName="[email protected]" password="pass" />
  </smtp>
</mailSettings>
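The web.config and clocktower.exe.config settings described in sections 8.1.1, 8.2 and the note above can be audited together. The following is an added example, not part of the guide or of Intel Unite: it checks PinExpireTimeInMinutes against the documented 2 to 60 minute range and reports SMTP settings that send mail without SSL or keep a password in the file. The sample configuration is constructed, with placeholder host and addresses, and assumes the standard .NET layout (appSettings, system.net/mailSettings).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a .NET configuration file; host and
# addresses are placeholders, not values from a real deployment.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="PinExpireTimeInMinutes" value="90" />
  </appSettings>
  <system.net>
    <mailSettings>
      <smtp from="alerts@example.test" deliveryMethod="Network">
        <network enableSsl="false" host="smtp.example.test" port="25"
                 userName="alerts@example.test" password="pass" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>"""


def audit_config(xml_text):
    """Return a list of (code, message) findings for one config file."""
    root = ET.fromstring(xml_text)
    findings = []

    # Section 8.1.1: the interval is a whole number of minutes from 2 to 60.
    for add in root.iter("add"):
        if add.get("key") != "PinExpireTimeInMinutes":
            continue
        raw = (add.get("value") or "").strip()
        try:
            minutes = int(raw)
        except ValueError:
            minutes = None
        if minutes is None or not 2 <= minutes <= 60:
            findings.append(
                ("pin-interval",
                 f"PinExpireTimeInMinutes={raw!r} is not a whole number from 2 to 60")
            )

    # mailSettings: enableSsl is off unless explicitly set to true.
    for smtp in root.iter("smtp"):
        for network in smtp.iter("network"):
            host = network.get("host", "?")
            port = network.get("port", "25")
            if (network.get("enableSsl") or "false").strip().lower() != "true":
                findings.append(
                    ("smtp-no-tls", f"SMTP to {host}:{port} has enableSsl off")
                )
            if network.get("password"):
                # Report the presence of the credential, never its value.
                findings.append(
                    ("smtp-stored-password",
                     f"SMTP password for {host} is stored in clear text in the file")
                )
    return findings


def audit_file(path):
    """Audit a config file on disk, e.g. web.config or clocktower.exe.config."""
    with open(path, encoding="utf-8-sig") as handle:
        return audit_config(handle.read())


if __name__ == "__main__":
    for code, message in audit_config(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```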


10 OS and PC Security Controls

When connecting to a display that has Intel Unite installed, use the following steps to display a client system’s screen on the remote display.

10.1.1 Minimum Security Standards (MSS)

All Intel® Unite™ devices are built with the Intel standard build for Windows 8.1 64 bit.

It is recommended to meet your default organization MSS standards, have an agent installed for patching, and an antivirus / IPS / IDS and other necessary controls as per the MSS specification (McAfee suite for Anti Malware, IPS, IDS was tested for compatibility).

10.1.2 Machine Hardening

The machine's Unified Extensible Firmware Interface (UEFI) should be locked to boot the Windows boot loader only (so trying to boot from a USB disk / DVD will not work), with Execute Disable Bit enabled, Intel Trusted Execution Technology enabled, and the settings locked with a password.

Windows OS Hardening: As a baseline, the system is running with non-elevated user rights.

It is also recommended to remove unused software from the OS, including unnecessary pre-installed software and Windows components (PowerShell, Print and Document services, Windows location provider, XPS services).

GUI subsystem lock: Since the system uses only a non-touch screen, without keyboard or mouse, it is harder to break out of the GUI subsystem. If an attacker tries to attach a HID device (USB keyboard/mouse), we are programmatically blocking Alt / Tab, Ctrl Shift Esc, and the ‘Charms’ bar. If the UI crashes, or the user does connect a keyboard/mouse and manages to break outside the launcher UI, the system service restarts the UI within a few seconds.

10.1.3 Other security controls

It is recommended to lock the machine user account per specific machine account in Active Directory. If the deployment includes a high number of units, user accounts can be locked per a designated floor of a specific building.

Machine ownership: Each machine is recommended to have an identified owner. In case the machine goes offline for an extended period, the identified owner will get notified.

Beyond the security mechanisms provided by the Intel vPro platform and the Intel Unite software itself, it is recommended to harden the Windows OS per Microsoft's guidelines for machine hardening. For reference, please consult the Microsoft Security Compliance Manager (SCM) at the following link: https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Note: Information in the link contains a wizard-based hardening tool, including hardening BKMs and relevant documentation.


11 Maintenance

Your organization and IT administrator will decide on a regular maintenance program. The following maintenance tasks are recommended:

11.1 Nightly reboot

It is recommended to reboot the machines on a daily basis (preferably at night) and, prior to this reboot, run maintenance tasks such as wiping cached temp files and initiating the standard patching procedure.

11.2 Patching strategy

If available, run your standard patching mechanism in unattended mode (no GUI prompts), preferably before the above-mentioned nightly reboot.

11.3 Reporting

Collect the machine uptime indicators and create a tailored report per your organization's needs.

11.4 Monitoring

Use a health tracking system based on machine heartbeat and do backend uptime analysis according to need.

11.4.1 Backend monitoring

Use standard virtual server monitoring tools to generate and send alerts to second level support.


Appendix A. Intel Unite Installation Example

The following is an example of how Intel Unite has been configured in a conference room.