intel unite entreprise deployment guide - hp store laptops,...
TRANSCRIPT
Intel® Corporation Confidential
SIGNED NDA ONLY
Intel and Intel Unite are trademarks of Intel Corporation in the U.S. and/or other countries.
Intel® Unite™ Enterprise Deployment Guide July 2015 Version 2.3
2 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR
OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND
CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED
WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A
PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death.
SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL
AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL
CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF
PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL
OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics
of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever
for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice.
Security features enabled by Intel® AMT require an enabled chipset, network hardware and software and a corporate network connection.
No computer system can provide absolute security under all conditions. Built-in security features available on select Intel® Core™ processors may
require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your PC
manufacturer for more details. . Requires an Intel® OS Guard enabled system with a 3rd gen Intel® Core™ vPro™ processor and an enabled operating
system. Consult your system manufacturer for more information.
No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including a 2nd or 3rd
gen Intel® Core™ processor, enabled chipset, firmware, and software, and participating website. Consult your system manufacturer. Intel assumes no
liability for lost or stolen data and/or systems or any resulting damages. For more information, visit
http://ipt.intel.com.
Requires an Execute Disable Bit enabled system. Check with your PC manufacturer to determine whether your system delivers this functionality. For
more information, visit http://www.Intel.com/technology/xdbit/index.htm.
Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and
configuration of your hardware, software and IT environment. To learn more visit: http://www.Intel.com/technology/vPro.
The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and
may not be available in all countries.
No system can provide absolute security. Requires an Intel® Secure Key enabled PC with a 3rd gen Intel® Core™ vPro™ processor and software optimized
to support Intel Secure Key. Consult your system manufacturer for more information.
Material in this presentation is intended as product positioning and not approved end user messaging.
This document contains information on products in the design phase of development.
Intel, Intel Core, the Intel logo, and Centrino are trademarks of Intel Corporation in the U.S. and other countries.
Microsoft, Windows, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2014-2015 Intel Corporation. All rights reserved.
Revision History
Enterprise Deployment Guide Intel® Corporation Confidential 3 of 53
SIGNED NDA ONLY
Revision History
Revision Number Date Author Notes
0.1 11/24/2014 M. Gulliford Outline
0.2 2/10/2015 B. Cockrell Rough draft.
1.0 4/24/2015 J. Shidek Review and Edit
1.1 5/7/2015 J. Shidek Addition of Admin Web Portal
1.2 5/12/2015 C. Valle Product updates, Name change
1.3 5/22/2015 C. Valle General updates to this guide
1.4 5/27/2015 J. Shidek Updating images
1.5 5/27/2015 C. Valle Update Profile Provisioning and Add Quiet Installers
1.6 6/5/2015 C. Valle Updates for new software released
1.7 6/8/2015 C. Valle Added more released features
1.8 6/9/2015 C. Valle Added Appendix, Architecture, additional overview details
1.9 6/16/2015 C. Valle Changed document flow, and updates in deployment information
2.0 6/17/2015 C. Valle Added screenshots and IIS details
2.1 6/23/2015 C. Valle Added more installation details and screenshots for Hub
and Client
2.2 6/30/2015 C. Valle Added feedback in installation process and uninstall instructions
2.3 7/7/2015 C. Valle Minor grammar fixes, added hyperlinks for easier navigation
Table of Contents
4 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
Table of Contents
1 Introduction ............................................................................................................................................................................. 6
1.1 Audience................................................................................................................................................................... 6
1.2 Intel Unite Overview ....................................................................................................................................... 6
1.3 Intel Unite Terminology & Definitions................................................................................................. 7
1.4 Intel Unite Architecture ................................................................................................................................. 7
2 Intel Unite Security Overview ..................................................................................................................................... 8
2.1 Unite Software - Security Flow ................................................................................................................ 8
2.1.1 Step 1: PIN Assignment ......................................................................................................... 9 2.1.2 Step 2: PIN Lookup ................................................................................................................. 10 2.1.3 Step 3: Connection Initiation ........................................................................................... 11 2.1.4 Step 4: Connection Approval ............................................................................................ 12
3 Intel Unite Requirements ............................................................................................................................................. 13
3.1 Software Requirements ............................................................................................................................... 13
3.2 Hardware Minimum Requirements ...................................................................................................... 13
3.3 Network Requirements ................................................................................................................................ 13
3.4 Hardware Components ................................................................................................................................ 14
3.5 Other Considerations .................................................................................................................................... 14
4 Intel Unite Deployment ................................................................................................................................................. 15
5 Enterprise Server Deployment ................................................................................................................................. 16
5.1 Enterprise Server Overview ..................................................................................................................... 16
5.2 Enterprise Server Pre- Installation ..................................................................................................... 16
5.2.1 IIS Enabling ................................................................................................................................... 16 5.2.2 Microsoft SQL Server Install .............................................................................................. 18 5.2.3 Quiet Installers ........................................................................................................................... 19 5.2.4 Registry Keys ............................................................................................................................... 20 5.2.5 Privacy Statement .................................................................................................................... 21
5.3 Enterprise Server Installation:............................................................................................................... 22
5.4 Uninstalling Intel Unite ................................................................................................................................ 25
6 Intel Unite Hub Deployment ...................................................................................................................................... 27
6.1 Intel Unite Hub Pre-Installation ............................................................................................................ 27
6.1.1 Public Key ....................................................................................................................................... 27 6.1.2 ServerConfig file and DSN Record content ............................................................. 27
6.2 Intel Unite Hub Installation ...................................................................................................................... 28
6.3 Intel Unite Configuration Options ........................................................................................................ 33
6.4 Hub Best Practices .......................................................................................................................................... 33
6.5 Hub Security........................................................................................................................................................ 33
6.6 Intel Unite Plugins ........................................................................................................................................... 33
7 Intel Unite Client Deployment .................................................................................................................................. 34
Table of Contents
Enterprise Deployment Guide Intel® Corporation Confidential 5 of 53
SIGNED NDA ONLY
7.1 Intel Unite Client Pre-Installation ........................................................................................................ 34
7.2 Intel Unite Client Installation .................................................................................................................. 34
7.3 Launching Intel Unite in a Client .......................................................................................................... 37
7.3.1 Fail to launch Intel Unite in a Client ............................................................................ 38
7.4 Intel Unite Client Configuration ............................................................................................................. 38
8 Profile Configuration ........................................................................................................................................................ 39
8.1 Profile Provisioning ......................................................................................................................................... 39
8.1.1 Pin Refresh Interval ................................................................................................................. 41
8.2 Alerting and Monitoring ............................................................................................................................... 41
9 Admin Portal Guide ........................................................................................................................................................... 42
9.1 Create a new account ................................................................................................................................... 42
9.1.1 Assign access rights to the new account ................................................................. 43
9.2 The Admin Portal Navigation Bar ......................................................................................................... 44
9.2.1 Admin Portal Home page ..................................................................................................... 44
9.3 Devices page ....................................................................................................................................................... 45
9.4 Groups page ........................................................................................................................................................ 46
9.4.1 Groups > Device Groups ..................................................................................................... 46 9.4.2 Groups > Profiles ...................................................................................................................... 46
9.5 Management page .......................................................................................................................................... 47
9.5.1 Management > Server Properties ................................................................................. 47 9.5.2 Management > Users ............................................................................................................. 48 9.5.3 Management > Roles ............................................................................................................. 48 9.5.4 Management > Role Assignments ................................................................................ 49 9.5.5 Management > Permissions .............................................................................................. 50
10 OS and PC Security Controls ..................................................................................................................................... 51
10.1.1 Minimum Security Standards (MSS) ........................................................................... 51 10.1.2 Machine Hardening .................................................................................................................. 51 10.1.3 Other security controls .......................................................................................................... 51
11 Maintenance........................................................................................................................................................................... 52
11.1 Nightly reboot .................................................................................................................................................... 52
11.2 Patching strategy ............................................................................................................................................. 52
11.3 Reporting ............................................................................................................................................................... 52
11.4 Monitoring ............................................................................................................................................................. 52
11.4.1 Backend monitoring: .............................................................................................................. 52
Appendix A. Intel Unite Installation Example ................................................................................................................................. 53
Enterprise Deployment Guide Intel® Corporation Confidential 6 of 53
SIGNED NDA ONLY
1 Introduction Welcome to the Intel® Unite™ Enterprise Deployment Guide. Intel Unite offers a simple application creating an
innovative conference space anywhere a display is located. Intel Unite also allows communication and flexibility
while incorporating business needs and functionality with the enterprise application.
The content of this document includes an overview of the application and the security within; the software
architecture, the needed requirements, and how to deploy / configure on a network within an IT environment.
1.1 Audience
This document is designed for use by IT professionals within a corporate environment.
1.2 Intel Unite Overview
Intel Unite software is designed to allow fast wireless screen sharing and collaboration in 3 steps:
Launch the client application
Enter a PIN to connect to a specific session
Click ‘Share’ to display content
Intel Unite uses a non-touch display and can support any reasonably sized monitor or projector (depending on
room size normally 42’’or larger). User interaction is limited to wireless display but includes easy connection via
PIN entry and easy handover between presenters.
The goal is to provide ‘same time same place’ wireless display with embedded capability supporting remote
connection to the room system (requires a person in the room to provide the PIN to the remote person) and ability
to annotate on a presenter’s screen.
Leveraging your existing network infrastructure, Intel Unite works with Microsoft® Windows 7, 8, or 8.1 operating
system. The software has built-in security features (TLS) and sharing capabilities to create an easy and flexible
solution for sharing information visually.
Intel Unite has the following features:
Intel Unite Features
Wireless Display Users can connect to a session and display their screen, no cables needed
Multi-client split screen display
Multiple users can connect and share concurrently to the same monitor
Lync Status Integration Intel Unite will set a user's status to “Do Not Disturb” when the user is presenting, disabling toast messages; in addition it will display “Presenting with Intel Unite”
Interactive Participant List
Users can see everyone connected to the same session
Presenter View A user has the ability to view the screen of the current presenter(s)
Annotation When viewing a presentation, users can create annotations on the presenter’s display, which will disappear after 5 seconds or remain permanently,
depending on the configuration
Enterprise Deployment Guide Intel® Corporation Confidential 7 of 53
SIGNED NDA ONLY
1.3 Intel Unite Terminology & Definitions
Client – Client software installed on a client system and connects to a hub.
Hub – A system that is displaying a PIN and hosting plugins as in a conference room display.
Enterprise Server (Server) – Directory Service that assigns PINs, configuration data, and allows PIN to HUB and PIN
to user resolution.
FQDN – Fully Qualified Domain Name
IP Address – Internet Protocol Address
Plugin – A software component installed on a hub that surfaces additional functionality.
IIS - Internet Information Services
SSL – Secure Socket Layer
1.4 Intel Unite Architecture The image below provides the architecture and overview of all of the components and interactions of the
application. All communication is encrypted using SSL except for the high-speed UPD updates for the Fast Mouse
Cursor feature.
The expected use of the system is for an individual to step into this shared physical environment and instantly
project their screen to the room monitor/projector. Other participants can create connections to the room system
and be able to share the screen area and take ownership of the presentation.
The system is built to allow any connected user to take over, managed meetings are not supported nor
considered necessary for an ‘in the room’ usage. If the original presenter wants to get back to presenting he/she
can just co-present again and ‘go solo’ as required. As the interactions are expected in this architecture to be in
the same room, it is expected that there is no need for an arbitrated meeting.
8 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
2 Intel Unite Security Overview
2.1 Unite Software - Security Flow The following image contains a high level overview of how the Client and Hub applications securely receive PINs,
resolve PINs, and establish a connection when connecting to a display that has Intel Unite, depicting the main
steps involving key exchange and other security elements.
Enterprise Deployment Guide Intel® Corporation Confidential 9 of 53
SIGNED NDA ONLY
2.1.1 Step 1: PIN Assignment The image below describes how PINs are assigned. All network communication during this processes is SSL
encrypted over a web service (TCP 443).
In addition to receiving PINs, the Hub and Client also register their connection information and a public key to the
server. The public key is used during connection to validate that each component is communicating with the
intended target.
Please note the following behaviors
The refresh interval is configurable
PIN assignment for Client and Hub follow the same flow
When Hub or Client sends connection information, IP addresses in the local host (127.0.0.0/8) and
169.254.0.0/16 ranges are ignored
The TCP port can be configured per Client or Hub, or pushed via a profile from the Admin Portal. The
default behavior is to let the operating system assign a port.
Expired PINs will be allowed access for up to 15 seconds
Expired PINs will not be reassignment for up to 5 minutes after expiration to ensure that users don’t
accidentally connect to the wrong display.
10 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
2.1.2 Step 2: PIN Lookup The image below describes how PINs are resolved to connect to the Enterprise Server. All network
communication during the PIN lookup processes is SSL encrypted over a web service (TCP 443).
When a user enters a PIN of the target in the Intel Unite Client, the Client sends the PIN to the Enterprise Server to
resolve into connection information. On a successful lookup, the Enterprise Server returns the valid connection
information of the target. The target can either be a Hub or an Intel vPro Client running the Intel Unite software.
In addition to receiving connection information, the public key of the target is also given, so that the Client
application can validate that it is communicating with the correct target.
NOTE: Pin Lookup for Hub and Clients follow the same flow.
2.1.2.1 PIN Lookup Back off To prevent attackers from trying to harvest PINs from the Enterprise Server, failed attempts are logged. A user
can have up to 3 failed attempts in a 10 second period before the back off mechanism begins enforcing a delay in
responses (2^x seconds, where x=number of failed attempts within a 5 minute period).
Enterprise Deployment Guide Intel® Corporation Confidential 11 of 53
SIGNED NDA ONLY
2.1.3 Step 3: Connection Initiation The image below describes how a connection is initiated. In this phase, the client initiates a TCP peer-to-peer
connection with the target (a Hub or an Intel vPro client running the Intel Unite software), and starts SSL. The
certificate provided by the target is hashed and compared against the hash the Client received during step 2. This
type of validation prevents attacks and also prevents situations where IP addresses of DHCP clients may change.
12 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
2.1.4 Step 4: Connection Approval The image below describes how the target, which could be a Hub or an Intel vPro Client running the Intel Unite
software, validates the Client.
Enterprise Deployment Guide Intel® Corporation Confidential 13 of 53
SIGNED NDA ONLY
3 Intel Unite Requirements
Before you start with the installation process, please verify that the software, hardware and network requirements
are met as specified below.
Deployment of the Intel Unite software consist of installing three components on a network:
Enterprise Server
Hub
Client
3.1 Software Requirements
Server HUB Client
Microsoft® Windows
server 2008 or greater
Microsoft Internet
Information Services
Microsoft® SQL Server
2008 or greater
Microsoft® .Net 4
Microsoft® Windows 7, 8,
or 8.1
Microsoft® .Net 4
Microsoft® Windows 7, 8,
or 8.1
Microsoft® .Net 4
Mac OSX 10.9 and
greater
3.2 Hardware Minimum Requirements
Server HUB Client
4 GB RAM
32GB available storage
System meeting the Intel®
vPro Technology
4 GB RAM
Wired or Wireless
Network Connection
32GB available storage
1 GB Ram 1 GB available storage
3.3 Network Requirements
It is strongly suggested to use a Fully Qualified Domain Name (FQDN) and to setup DNS for Enterprise Server
resolution.
It is also recommended to connect all units to LAN for three reasons:
1. Potential fan-out resulting from multiple (especially remotely) connected users that require the Intel
Unite room system sending multiple copies of the display concurrently
2. Better display quality of high frame rate display over LAN compared to WLAN
14 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
3. WLAN infrastructure bandwidth optimization through avoiding the room system to access point WLAN
traffic (even if the sender is on WLAN the same packet is sent - sender-> access point ->receiver in
infrastructure mode)
3.4 Hardware Components Hardware comprised of a business class vPro enabled Mini PC Intel NUC, a backup video cable path (VGA / HDMI
switcher) and a motion sensor.
Mini PC Intel NUC kit (NUC5I5MYHE) with 8 GB ram, 120GB Intel SSD, Intel 7260 AC WiFi card, Win8.1
PRO license
Mini Display Port to HDMI converter cable – 3 ft (1m)
Existing display / projector or a non-touch display
Optional for above Display - floor stand
If you would like to see an example of a layout about how Intel Unite was installed in a conference room, please
refer to Appendix A. Intel Unite Installation Example
3.5 Other Considerations
The Intel Unite Hub and Client installation should be managed using your IT department established process for
software distribution. There might be specific install instructions provided by the vendor providing your Intel
Unite software.
One of the important things to consider is in the following firewall settings: Your firewall settings may cause Intel Unite to have difficulty connecting.
You will need to create an exception in your firewall for Intel Unite.exe
o TCP traffic.
o UDP traffic
You should contact your firewall vendor for specific details on how to create application exceptions.
Enterprise Deployment Guide Intel® Corporation Confidential 15 of 53
SIGNED NDA ONLY
4 Intel Unite Deployment
When you are ready to deploy Intel Unite, identify the location of the folder or media provided to your
organization containing the following installers (install in the same order as shown):
1) Enterprise Server Installer: Intel Unite Server.msi
2) Hub Installer : Intel Unite Hub.msi
3) Client Installer: Intel Unite Client.msi
It is important that the Enterprise Server is installed once you have understood and validated the pre-installation
requirements.
You also have to install the Intel Mini-PC NUC in the monitor or device you want to use.
The Intel Unite software installers create default options when installing, you can choose to leave them like they
are or configure to your organization needs.
NOTE: It is not required to have a separate database instance into production. The Intel Unite application will
create its own database, data tables and indexes in your existing database without interfering with other
databases.
The next section “Enterprise Server Deployment” contains the steps to deploy the Server and general information
about each component needed to have a successful install, however, If you setting up as in a “Test environment”,
follow the default values provided by the application through the installation process and for convenience
purposes.
If your organization wants to setup a “test environment” in addition to select the default values, some of the
information in this guide will be for information purposes, since you may choose to skip the optional
configurations.
It is the IT account administrator or your solution provider decision to adjust to your organization preferences.
16 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
5 Enterprise Server Deployment
5.1 Enterprise Server Overview The Enterprise Server Installer includes the PIN server, Admin Portal, and Client download page.
The Enterprise Server is the directory server that assigns pins to Intel Unite Clients and Hubs, it also resolves PIN
to IP address lookups.
The Enterprise Server contains 4 components:
1) MS SQL database: maintains all state information for the Intel Unite infrastructure.
2) Web Service: is a standardized messaging service that communicates with the database and the Intel
Unite Hubs and Clients.
3) Administration Portal Website: manages Hubs and Clients, generates statistics, and provides monitoring
and alerting.
4) Client download landing webpage: contains the client Intel Unite software.
In addition, it is important to know that Intel Unite Hubs and Clients locate your Enterprise Server on your network
infrastructure through the following 2 methods: ServerConfig.xml file or DNS Service Record. Depending on your
infrastructure configuration, use one or the other.
It is recommended that you use the DNS service record as this enables zero-touch configuration for the Client and
Hub, however, if you are not able to acquire a DNS service record, the PIN service can be defined in the
ServerConfig.xml file
5.2 Enterprise Server Pre- Installation
1. Verify that the Server that you are installing to meets the minimum software and hardware requirements
specified in section 3. Intel Unite Requirements
2. Verify that IIS version 7.0 or greater is installed on your Server. The Server installer requires IIS to be enabled,
otherwise it will fail. For help enabling and setting up IIS, see section IIS Enabling (by default SSL is not
enabled so https requests sent by the Admin Portal are not handled until IIS is enabled).
3. Make sure you have and enable ASP.net 4.5 (you may need to install it in Server 2008) and SSL, you must set
up a server certificate (Self-Signed or existing).
4. Make sure you have MS SQL installed in your Server and you have access to MS SQL via Windows
authentication or SQL authentication, see section Microsoft SQL Server Install.
5.2.1 IIS Enabling
By default ISS is not installed in a Windows Server, please verify that IIS (Internet Information Services) is enabled,
if is it, skip to the next section.
If IIS has not been enabled or to find out if it is enabled, follow the steps described below to enable it or go to the
links used as reference in this section.
Enterprise Deployment Guide Intel® Corporation Confidential 17 of 53
SIGNED NDA ONLY
For Windows 2008:
In Windows Server 2008, you would need to download the Update for .NET Framework 4.5 (Microsoft
download page, if you don’t have it)
Click Start, point to Administrative Tools and then click Server Manager
In Roles Summary, click Add Roles
Use the Add Roles Wizard to add the Web Server (ISS) role (check this box)
Click Next until you have the Select Role Services window
In the Application Development section, verify that ASP.NET is also checked, if not, select it. Please note
that ASP.NET will not be checked by default. You also need ASP.NET 4.5
Click on Add Required Role Services to add the Web Server (ISS) role
Once the role was created, under the Roles menu, go to Web Server (ISS) - on the right side of the panel,
go to Internet Information Services (IIS) Manager and select your server in the left Connections pane
In the middle pane, under your server, select and click on Server Certificates
In the Actions (right pane), click on Create Self-Signed Certificate
Specify a friendly name for the certificate and click Ok
In the left Connections pane, expand Sites and click on Default Web Site
In the right Actions pane, select Bindings (located under Edit Site)
In the Site Bindings window, click on Add
Use the following information:
o Type: https (Note: not http)
o IP Address: All Unassigned
o Port: 443
o Hostname: (leave blank)
o SSL Certificate: (select the one you created in the steps above)
o Click Ok
Select Close
Reference: Windows Server Library link Installing IIS on Windows Server 2008
For Windows 2012:
1. Open Server Manager.
2. Under Manage menu, select Add Roles and Features:
3. Select Role-based or Feature-based Installation
4. Select the appropriate server (local is selected by default),
5. Select Web Server (IIS)
6. Add the following features for IIS (as they are not default options):
o .Net Framework 4.5 Features
o ASP.NET 4.5
o WCF Services
o HTTP Activation
7. Click Next
8. Add Web Server (IIS) as a role to your server or accept the default value.
9. Add SSL/HTTPS to the default web service:
10. Click Install
11. Once the role was created, under the Roles menu, go to Web Server (ISS) - on the right side of the panel,
go to Internet Information Services (IIS) Manager and select your server in the left Connections pane
12. In the middle pane, under your server, select and click on Server Certificates
13. In the Actions (right pane), click on Create Self-Signed Certificate
14. Specify a friendly name for the certificate and click Ok
15. In the left Connections pane, expand Sites and click on Default Web Site
18 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
16. In the right Actions pane, select Bindings (located under Edit Site)
17. In the Site Bindings window, click on Add
18. Use the following information:
1. Type: https (Note: not http)
2. IP Address: All Unassigned
3. Port: 443
4. Hostname: (leave blank)
5. SSL Certificate: (select the one you created in the steps above)
6. Click Ok
19. Select Close
Reference: Windows Server Library link Installing IIS on Windows Server 2012
Note about port 443: The Intel Unite web service communicates with the Intel Unite Clients and Hubs using
port 443, make sure this port is enabled as mentioned above.
5.2.2 Microsoft SQL Server Install
The Enterprise Server requires MS SQL to run, minimum requirements are version 2008 or higher. You can install
a new separated database if you wish to run a “test environment” and get comfortable with the application,
however, it is NOT required. Intel Unite will create its own database, data tables and indexes in your existing
database without interfering with other tables or existing data.
Some things to consider in SQL: In the Authentication field you have two options, Windows authentication or SQL
authentication.
Windows Authentication is the default security mode, if you wish to authenticate the users against windows
system users [created by Administrator] then you will go for Windows Authentication in your Application, but if
you want to authenticate the users against set of users available in your application database, then you will want
to go for SQL Authentication.
See below for additional information about Windows authentication vs SQL authentication and choose the option
that best fits your organization, considerations are test mode vs production mode.
SQL Authentication
SQL Authentication is the typical authentication used for various database systems, composed of a username
and a password. Obviously, an instance of SQL Server can have multiple such user accounts (using SQL
authentication) with different usernames and passwords. In shared servers where different users should have
access to different databases, SQL authentication should be used. Also, when a client (remote computer)
connects to an instance of SQL Server on other computer than the one on which the client is running, SQL
Server authentication is needed. Overall, SQL authentication is the main authentication method to be used
while Windows Authentication is more of a convenience.
Windows Authentication
When you are accessing SQL Server from the same computer it is installed on, you shouldn't be prompted to
type in a username and password. And you are not, if you're using Windows Authentication. With Windows
Authentication, the SQL Server service already knows that someone is logged in into the operating system
with the correct credentials, and it uses these credentials to allow the user into its databases. Of course, this
works as long as the client resides on the same computer as the SQL Server, or as long as the connecting
client matches the Windows credentials of the server. Windows Authentication is often used as a more
Enterprise Deployment Guide Intel® Corporation Confidential 19 of 53
SIGNED NDA ONLY
convenient way to log-in into a SQL Server instance without typing a username and a password, however
when more users are involved, or remote connections are being established with the SQL Server, SQL
authentication should be used.
5.2.3 Quiet Installers
If you want to continue with the defaults settings skip this section. This step is optional but it is preferred if you
want to run the installers quietly, without any menus or windows appearing. In this way, property parameters will
be passed to the installer via command line.
To run the quiet installers:
Open the command prompt, and use the following command line:
msiexec /i "PATH_TO_CLIENT_MSI" PARAMETER=VALUE PARAMETER=VALUE … /qn /l* “PATH_TO_LOG”
NOTE: The /qn flag will run the installer in quiet mode. The msi can be run on their own by double clicking them.
(/i for install, /qn for quiet mode, /l* to record debug output to specified file).
Below is the full list of property parameters that can be passed into each installer:
Server variables:
DBHOSTNAME = “local” or “{IP}” or “{server},{port}” defaults to local
Host name of the machine where MS SQL is installed. This will be where the installer creates the
UniteServer database. If installing the database to the current machine, you do not need to include this
parameter, as it defaults to local.
DBLOGONPASSWORD = “{service account password}”
20 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
Password to be used by the service account to connect to UniteServer database.
DBLOGONPASSWORDCONF = “{service account password}”
(must be identical to DBLOGONPASSWORD)
DBLOGONTYPE = “WinAccount” or “SqlAccount” defaults to WinAccount
Selects the logon type to access the MS SQL server. Options are Windows authentication and SQL
authentication.
If logon type is SqlAccount, provide the username and password via the parameters below.
DBUSER = “{SQL username}”
DBPASSWORD = “{SQL password}”
For server features:
ADDLOCAL = “ALL” installs database
Do not include if not installing database, it is not installed by default
Client/hub variables:
PINSERVERLOOKUPTYPE = “Lookup” or “Manual” defaults to Lookup
Specifies how the application will find the server. Lookup will utilize the DNS service record, while Manual
requires the input of the parameters below.
PINSERVER = “{hostname}”
The host name of the server to connect to.
CERTKEYCHECKED = “1” (checked) or “0” (unchecked)
Optional. Check if you know the certificate public key.
CERTKEY = “{certificate key}”
Optional. Enter the certificate public key (see section 4.2.4 for details regarding the public key).
5.2.4 Registry Keys
This section is for information purposes only. The registry keys are written to the registry by the installers, to know
what keys have been written by the Intel Unite application see below:
* Registry Keys: (current user):
Enterprise Deployment Guide Intel® Corporation Confidential 21 of 53
SIGNED NDA ONLY
* HKEY_CURRENT_USER\software\Intel\Unite\ ActiveConnection (DWORD) [0 no users connected, 1 users
connected]
* HKEY_CURRENT_USER\software\Intel\Unite\ PublicKey (String) [public key of connection certificate]
* HKEY_CURRENT_USER\software\Intel\Unite\ CurrentPin (string) [current PIN of this system]
* HKEY_CURRENT_USER\software\Intel\Unite\ DoNotShowPrivacyStatement (DWORD) [0 show privacy
statement on launch, 1 do not show statement]
* HKEY_CURRENT_USER\software\Intel\Unite\ HWThumbprint (String) [hash of HW]
* HKEY_CURRENT_USER\software\Intel\Unite\ LogFile (String) [path to filename with write access to log
runtime debug messages]
* HKEY_CURRENT_USER\software\Intel\Unite\ ServicePort (DWORD) [port that service is listening on]
* Registry Keys: (machine)
* HKEY_LOCAL_MACHINE\software\Intel\Unite\ HubUnlockPassword (String) [password to exit hub
application]
* HKEY_LOCAL_MACHINE\software\Intel\Unite\ DisableCheckCertificateChain (DWORD) [Set for Self-Signed
Certificates, where if 1 = do not check certificate chain of Enterprise (Server Certificate)]
* HKEY_LOCAL_MACHINE\software\Intel\Unite\ DisableUsageCollection (DWORD) [1 = block all telemetry
data collection]
5.2.5 Privacy Statement
Intel Unite has the capability to collect information that may help Intel to understand how well the product
performs. The following Privacy Statement dialog will be displayed when launching the application; you can
suppress this dialog (hide or show) by changing the value in the Registry Key for Privacy Statement, which is
shown in the Registry Key section below.
22 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
5.3 Enterprise Server Installation:
Once you have verified and/or validated all the steps in the previous section - Enterprise Server Pre- Installation -,
continue with the software installers (this process needs to be run on the server that host the IIS environment).
1. Locate the “Intel Unite Server.msi” file and double click to install on the target server(s).
2. The installation wizard provides the option to install these components: Unite Database, Unite Web
Service, Intel® Unite™ Client Download page, and Administration Portal.
3. After launching IntelUniteServer.msi, accept the license agreement.
4. Click Next to continue to the Database Server window
Enterprise Deployment Guide Intel® Corporation Confidential 23 of 53
SIGNED NDA ONLY
5. In the Database Server window, select the Database Server Connection Details, available options are:
In the SQL Hostname box, (local) is the default value for the Server, you can change it by editing
your Hostname or leave the default value (leave (local) if SQL is installed in the same server)
The default value for the Server is Trusted, (if you’re already login), or select Specify Username and
Password if you have valid credentials that have access to the database and prefer SQL
authentication. If you choose the latter, make sure you TEST the database connection by clicking
Test Connection. For additional information in what option you want to choose go to section
Microsoft SQL Server Install
In the Intel Unite Database Connection/Setup Details section, you need to create a new password
for the UniteServer database, this is the password used to access the new Intel Unite database
named UniteServer, and Confirm the Password in the next box
The password must contain at least 8 characters, at least one uppercase character, one lowercase
character, one digit and one symbol.
6. Click Next to continue to the Custom Setup window for feature selection.
24 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
7. Before you click next, expand the Intel Unite Database feature and select one of the Database features
Will be installed on local hard drive or Entire feature will be installed in local hard drive (same result),
this is only for the first instance, for subsequent installs this becomes a default value. For remote
installation (where the database is installed on another server), continue to the next step.
8. Click Next to verify feature selection and begin the installation by clicking on Install.
9. Click Finish to complete the setup.
10. Optional: You should be able to view and test the connection with the UniteServer database.
Enterprise Deployment Guide Intel® Corporation Confidential 25 of 53
SIGNED NDA ONLY
11. You now have installed Intel® Unite™ Server, continue to the next section to install the Hub.
5.4 Uninstalling Intel Unite
If for any reason you need to uninstall the application, you would also need to delete the UniteServer database
created previously to avoid conflict within the application.
When the installer is launched, you will have the following options:
Change: change how the features were installed
Repair: fix and repair missing or corrupted files and registry entries
Remove: Removed according to the installer you are running
26 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
1. Click on Remove to uninstall and Next to continue
2. After the un-install has ended, go to SQL Server Management Studio
3. Manually delete the UniteServer SQL Database and the UniteServiceUser account located under
Logins. See below in the highlighted areas
4. You can now repeat the installation process
Enterprise Deployment Guide Intel® Corporation Confidential 27 of 53
SIGNED NDA ONLY
6 Intel Unite Hub Deployment
6.1 Intel Unite Hub Pre-Installation
The Intel Unite executable needs an exemption in the Hub firewall to check in and communicate with the Intel
Unite Enterprise Server, since the Hub needs to be able to locate and check in with the Enterprise Server.
When you run the Hub installer, it will prompt you for server connection details and give you the option of
bypassing the manual lookup (named Specify Server in the install process) in favor of retrieve information from
the DNS Service Record. When running the Hub installer, it will edit the ServerConfig.xml.
Depending on the method chosen for PIN lock up, you need to know if you will use the Automatically Find Server
or the Specify Server selection when executing the installation.
If you know that the DNS Service record exists, then you can select Automatically Find Server, it is preferable to
use the automatic lookup to avoid mistyping errors. If unsure, use the Specify Server option (manual lookup),
where you would need to know the hostname for Intel Unite. DNS Service Record is applicable only when the
serverconfig.xml file found on a Hub or Client does not contain a value in the server field that a DNS Service
record is using.
If you have edited the ServerConfig.xml with the public key (see next section Public Key), you are not required to
input the key again for the client and hub installers.
Note: If a server is defined in the ServerConfig.xml that will take precedence over the DNS Service Record.
6.1.1 Public Key
The public key is optional, what it does is specifying how the Client will talk to the Enterprise Server. If left blank or
unspecified, the Hub and the Client will validate the root of trust. If the application does not accept the certificate
it will prompt for the user.
The public key would be used when you execute the installation of the Hub and the Client. You will need this key
when running the installers for the Hub and the Client. To obtain the public key, go to:
https://<your_server_url_here>/unite/ccservice.asmx
In the URL bar, click the lock and view the certificate information. Go to details, click show all, scroll down the field
to “Public Key”, then click public key to view. Optionally, you may copy the value out there and paste it into the
ServerConfig.xml file.
Make sure you remove the spaces from the string after you paste in the ServerConfig file. If you have edited the
ServerConfig.xml with the public key, you are not required to input the key again for the client and hub installers.
6.1.2 ServerConfig file and DSN Record content
When running the Hub installer, it will edit the ServerConfig.xml, and it will place it under Program Files/Intel/Intel
Unite/Hub. Please see below for content details.
ServerConfig.xml file content:
28 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
You must have the server host name and the public key for your server available when you start the
installation process.
DNS Service record content:
The hub or client will look for the service named _uniteservice._tcp within the DNS service records
_uniteservice._tcp.example.com 86400 IN 0 5 443 uniteserver.example.com
To add a DNS Service Record in Microsoft Windows:
i. Open DNS Manager
ii. Expand the Forward Lookup zone (left pane)
iii. Right click on the zone and select "Other New Records..."
1. In "Select a resource record type:" select "Service Location (SRV)" and select
"Create Record"
2. For "Service" enter: _uniteservice
3. For "Protocol" enter: _tcp
4. For "Port" enter: 443
5. Host offering this service: Enter the hostname/IP of the Enterprise server(s)
6.2 Intel Unite Hub Installation 1. Locate the installer folder and run the file for the Hub: Intel Unite Hub.msi
2. Click Next to continue.
Enterprise Deployment Guide Intel® Corporation Confidential 29 of 53
SIGNED NDA ONLY
3. Click Next after you check the box I accept the terms in the License Agreement.
4. In this window you must specify the PIN sever connection settings, your choices are:
Automatically Find Server: This is the most convenient choice (default)
Specify Server: In this step you need to know the hostname for Intel Unite
Enter the certificate public key: this option only be enable when you select Specify Server
Enter the certificate public key if you have it and have selected this method
30 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
5. Select your choice and click on Next.
6. The Destination Folder window will open up with the default folder where the Hub in Intel Unite will reside,
you can change the destination folder if you wish, otherwise keep the default location. In this step you can
also create a desktop icon.
7. In this step you can go back to review your settings or click on Install to continue.
8. Once the installation has ended, you will see the Completed the Intel Unite Setup Wizard window.
Enterprise Deployment Guide Intel® Corporation Confidential 31 of 53
SIGNED NDA ONLY
9. If you want to launch the application, select Launch Intel Unite and click on Finish or just click on Finish
to end the installation process.
10. When you launch the application for the first time, you will see the following Intel Unite Privacy
Statement.
11. The Intel Unite Privacy Statement function is used to collect anonymous usage data. Intel is always
looking to improve its products and would like to collect data to continue to improve the product. Please
select YES or NO and check the box if you do not want to show the dialog box again.
32 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
12. You will now see a PIN displayed in your screen or monitor. This is the PIN you will need to connect to
your client devices.
13. Verify the installation was successful by accessing the Admin Portal, following the link:
https://<yourservername>/admin (Default value: https://unite/admin)
Default admin account:
User: [email protected]
Password: Admin@1
Note: If you receive an error page when accessing the Admin Portal, which complains about a specific xml
tag in the Web.config, remove the tag from the Web.config in the top level of the portal’s virtual directory
(accessible from IIS management console).
14. Verify the Web Service installation was successful, following the link:
https://<yourservername>/unite/ccservice.asmx
Select “GetProfile”
Enter “test” in the value field and press invoke.
15. Optional: Verify that you can view the default profile in the ServerConfig.xml file as is shown below. The
file is located under the Intel Unite/ Hub directory. This indicates that the pin service can access the Unite
database and successfully retrieve data.
Enterprise Deployment Guide Intel® Corporation Confidential 33 of 53
SIGNED NDA ONLY
6.3 Intel Unite Configuration Options
The Intel Unite configuration options for Hubs is configured in the Admin Web Portal. The Admin Portal contains
a default configuration option that is applied to all Intel Unite hubs that are checking in. The configuration options
are pushed to the client after a connection from client to the Enterprise Server is established. The settings are
updated each time the hub checks in.
To access the Admin Portal, follow the link using the server name created for Intel Unite:
https://<yourservername>/admin (Default value: https://unite/admin)
Default admin account:
User: [email protected]
Password: Admin@1
6.4 Hub Best Practices
In order to ensure the best possible end user experience the hub should be configured so that it is always ready to
be used and system alerts or popups that display on the screen are suppressed. Best practices include the
following:
Microsoft Windows should automatically login the domain or user that Intel Unite will execute
Screen savers should be disabled
The system should be set to never go to standby
The system should be set never to log out
Display should be set to never turn off
System alerts should be suppressed
6.5 Hub Security
The hub administrator should ensure that best security practices are followed for each attended and unattended
hub. Intel Unite does not require administrative privileges to execute. If the local user is logged on automatically
ensure that the user does not run with administrative privileges.
6.6 Intel Unite Plugins
Intel Unite supports the use of plugins. Plugins are software elements that extend the features and capabilities of
Intel Unite, implementing user experience modalities. Plugins may be unique to each system.
Each plugin should be installed in the plugin directory within the Intel Unite installation directory ([Unite App
Root\Plugins\[PluginNamespace]Plugin.dll). Plugins are enumerated at application start. If a new plugin is added
the application will need to be restarted.
Please consult the “Intel Unite API Guide” for specific Plugin details and instructions.
34 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
7 Intel Unite Client Deployment
7.1 Intel Unite Client Pre-Installation
The Intel Unite Client needs to be able to locate and check in with the Intel Unite Enterprise Server. The Intel
Unite executable needs an exemption in the client firewall to check in and communicate with the Intel Unite
enterprise server.
When you run the Client installer, it will prompt you for server connection details and give you the option of
bypassing the manual lookup (named Specify Server in the install process) in favor of retrieve information from
the DNS Service Record. When running the installer, it will edit the ServerConfig.xml.
Depending on the method chosen for PIN lock up, you need to know if you will use the Automatically Find Server
or the Specify Server selection when executing the installation.
If you know that the DNS Service record exists, then you can select Automatically Find Server, it is preferable to
use the automatic lookup to avoid mistyping errors. If unsure, use the Specify Server option (manual lookup),
where you would need to know the hostname for Intel Unite. DNS Service Record is applicable only when the
serverconfig.xml file found on a Hub or Client does not contain a value in the server field that a DNS Service
record is using.
Note: If a server is defined in the ServerConfig.xml that will take precedence over the DNS Service Record.
7.2 Intel Unite Client Installation
1. Locate the installer folder and run the file for the Client: Intel Unite Client.msi
2. Click Next to continue.
Enterprise Deployment Guide Intel® Corporation Confidential 35 of 53
SIGNED NDA ONLY
3. Click Next after you check the box I accept the terms in the License Agreement.
4. In this window you must specify the PIN sever connection settings, your choices are:
Automatically Find Server: This is the most convenient choice (default)
Specify Server: In this step you need to know the hostname for Intel Unite
Enter the certificate public key: this option only be enable when you select Specify Server
Enter the certificate public key if you have it and have selected this method
5. Select your choice and click on Next to continue.
36 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
6. The Destination Folder window will open up with the default folder where your Client in Intel Unite will
reside, you can change the destination folder if you wish, otherwise keep the default location. In this step
you can also create a desktop icon.
7. At this point, you can go back to review your settings or click on Install to continue.
8. Once the installation has ended, you will see the Completed the Intel Unite Setup Wizard window.
Enterprise Deployment Guide Intel® Corporation Confidential 37 of 53
SIGNED NDA ONLY
9. Click on Finish and launch the installation if you wish.
7.3 Launching Intel Unite in a Client
1. Once you have installed the Client, launch Intel Unite.
2. The following Connect to a screen window appears:
3. The user then needs to enter a PIN number to connect. This PIN is the one displayed on the Hub, the user
can also request a PIN and be the hub.
4. You will see the trying to contact your server screen. The PIN changes every few minutes, every
participant can use the PIN to connect and share simultaneously.
38 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
5. Once connected, you can click on “Share” if they wish to present or show their screen.
7.3.1 Fail to launch Intel Unite in a Client In the situation when the server is using a self-signed certificate with an invalid trust chain, and when launching
the Client, the user will see the following screen:
Intel Unite has a user override for self-signed certificates on the Enterprise Server, in this case, the user has the
following options to continue: Click on View Certificate, Accept, or Cancel as displayed in the window below:
Please go to the “Intel Unite Users Guide” for additional user’s information about the Intel Unite application.
7.4 Intel Unite Client Configuration
The Intel Unite configuration options for clients is configured in the Admin Portal. The Admin Portal contains a
default configuration option that is applied to all Intel Unite Clients that are checking in. The configuration
options are pushed to the client after a connection from the Client to the Enterprise Server is established. The
settings are updated each time the Client checks in. Please refer to section 8, Profile Configuration and section 9,
Admin Portal Guide to understand your configuration options.
Enterprise Deployment Guide Intel® Corporation Confidential 39 of 53
SIGNED NDA ONLY
8 Profile Configuration
The Intel Unite Admin Portal enables Intel Unite Profile Provisioning, Alerting and Monitoring.
When Intel Unite is installed, the Clients and Hub receive a default profile when they check into the Enterprise
Server for the first time. The default values in the Profiles are specified below.
Your IT administrator can change the values to customize the application and the experience of the meeting
space.
8.1 Profile Provisioning Please note that new profiles / customization of the application can be created and or modified in the Admin
Portal with the Hubs and Clients assigned to those profiles, see section Admin Portal Guide to understand the
available menus and options you have in the Intel Unite configuration .
The table below shows the available options (Keys), followed by a description of the profile. For example, some of
the configurable options include, changing the size of the file to be transferred, text colors, show clock,
background color of the Hub, URL for download of the Client, text instructions of the Hub, etc.
To access these Keys, go to the Admin Portal, log in, under the Groups menu select Profiles, you will see a list of
the available Profile names, click on Details of the Profile you want, refer to section Groups > Profiles.
Key Description Data Type Default Value
DisplayPinSize Size in Pixels. The value is the height in pixels for the onscreen pin (larger values make the pin easier to read from across the room)
Integer 48
TileCompression JPG compression level. % of compression to apply to a changed portion of the display (tile) being transmitted over the network
Integer 80
(valid range: 5-100)
TileSize Tile size for breaking screen into chunks. The size, in pixels, for each tile. A tile is a section of the screen which is evaluated for change. Only changed tiles are transmitted
Integer 128
(valid range: 32-512)
ServiceListenPort The TCP port that the service should listen on Integer 0
(0 indicates OS assigned port)
FileMaxSize Max file size for file transfers 2000000000
(2GB)
(valid range: 0-2GB)
FileBlockedExtensions Comma separated list of blocked file extensions Integer
40 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
FullScreenRoomModeTextColor
Text color of onscreen text Integer
FullScreenRoomMode
PinColor
Text color of PIN Integer
FullScreenRoomModeTextFont
Name of font for instructions Integer
AllowFileTransfer Flag to enable/disable the ability for a hub or client to transfer a file
Boolean True
HubLockKeyboard
Lock out the following: Ctrl-Esc, Alt-Tab, Charms bar, Windows keys and Alt-F4 in Hub If set to True hub lock out is enabled. Can
override with password set in Reg Key Machine
Boolean False
HubShowClock Show clock in bottom right corner Boolean True
FullScreenRoomMode Enable/disable hub full screen
False: Pin in upper right only
True: Pin in upper right and a full screen background
Boolean True
FullScreenRoomModeBackgroundURL
Sets the Hub background to the URL or image (jpg/png) specified. Set value to True if you want this feature
Example: http://myserver.com/background.jpg
Boolean Blank
FulScreenRoomModeBackgroundColor
Background color of the Hub. Named color or html style color
Valid values are named colors or RGB values/HTML colors in the format: #000000
(For example red is #FF0000)
String Blank
FullScreenRoomModeShowPin
Show instructions. Set value to True if you want this feature.
Boolean True
FullScreenRoomModeInstructions
Text instructions to be displayed on Hub. can use {pin} and {host} as replacements
URL for download of the client. This item is displayed on the full screen room mode screen.
String Blank
VerifyPluginPublicKey Verify plugin public key before loading plugins Boolean False
Enterprise Deployment Guide Intel® Corporation Confidential 41 of 53
SIGNED NDA ONLY
8.1.1 Pin Refresh Interval
The default pin refresh interval is 5 minutes. This can be changed in 1 minute increments from 2 – 60 by
modifying the web.config file in the root of the web service site virtual directory. This is accessed via the IIS
manager.
Modify the <add key=”PinExpireTimeInMinutes” value=”5”></add> tag to the desired refresh interval.
8.2 Alerting and Monitoring
A monitoring and alerting service is installed on the Enterprise Server. This is an opt-in service and is configured
in the Admin Portal.
Any client that is configured for alerts will be monitored and if it has not checked in within the warning threshold
an email will be sent to specified users.
To opt in to receive emails about inactive clients, make sure that in your Admin Web Portal account the
Notifications role has been assigned. To opt a client into being monitored, add the key EnableReporting to its
metadata and set the value to True.
The warning threshold is configured in Management ->Server Properties. Defaults to 60 minutes.
InactiveCount: If user wants to get an immediate email in the next check it should be set to a low number.
The email address and email server must be specified in the clocktower.exe.config file, which is located in:
../productfiles/release/clocktower.exe.config
<mailSettings>
<smtp from="[email protected]" deliveryMethod="Network">
<network enableSsl="false" host="smtp.myco.com" port="25" userName="[email protected]"
password="pass" />
</smtp>
</mailSettings>
42 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
9 Admin Portal Guide
The Admin Portal is installed on the server alongside the backend database for Intel Unite, though they do not
have to be installed on the same server, as long as the portal can access the Intel Unite database.
The default administrator account created during the installation is:
User: [email protected]
Password: Admin@1
This account has complete access to the Admin Portal and it is recommended that the user changes the password
or creates their own account.
9.1 Create a new account 1. Make sure you are logged out of the web portal.
2. Click on the “Register” link at the top right of the navigation bar.
3. Fill in the form with the desired email address and password and click Register.
Enterprise Deployment Guide Intel® Corporation Confidential 43 of 53
SIGNED NDA ONLY
Or alternatively, to create a user with the default user name:
1. Log in to the Admin Portal as [email protected].
2. Click on the “Management” link in the navigation bar, and “Users” in the dropdown menu.
3. Click “Create” and enter the desired email address and password.
NOTE: Creating an account with the default username will not automatically send an email verification. To
manually verify the email address, log in to the new account, click the “Hello <your user name>!” in the top right of
the navigation bar, and hit the “Send Email Verification” button at the bottom of the page.
9.1.1 Assign access rights to the new account
1. Make sure you are logged into as [email protected]
2. Click on the “Management” link in the navigation bar, and select “Role Assignments” in the dropdown
menu.
3. Click “Create”.
4. Find and select the email address of the new account in the User ID field and select the role desired in
the Role ID field.
44 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
9.2 The Admin Portal Navigation Bar
The navigation bar will direct you to the different areas of the web portal. The web portal pages are:
Admin Portal Home Page
Devices
Groups
Management
9.2.1 Admin Portal Home page
This page contains a welcome message and provides a quick overview of all active client devices (Active Devices),
as well as client status, client name, last time they check-in, location, and details of each of them when following
the link.
Table of active devices may be filtered with multiple keywords, and each keyword will search through every
column. Columns in the table may be shown or hidden by clicking the “Edit Columns” button, but will be counted
in the filtering regardless of visibility.
Enterprise Deployment Guide Intel® Corporation Confidential 45 of 53
SIGNED NDA ONLY
NOTE: when not logged in you will see the “Register” option in the navigation bar, by clicking on it, it will direct
you to the register and log in page.
9.3 Devices page
The Devices page contains all devices currently in the database. This page allows you to select what device
information you want to see in this screen, click on “Edit Columns” to customize your page, see below for field
description.
Available fields to display in this page are:
Status – active (green icon) or inactive (yellow icon) device
Friendly Name – customized device name
Client FQDN – client name
Profile – type of access
Last Check-in – last time online
Location - to view the device location
Version – version number, if applicable
Details – detailed information of each device
You can also access a device’s details page when you click in the “Details” link, available for each device.
The Device Details page shows a detailed view including its Client properties and Client metadata. There are
several important metadata key names to note that the portal uses to populate certain areas such as the tables.
46 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
9.4 Groups page
The Groups page will give you two options in the menu:
9.4.1 Groups > Device Groups
In this page you can view Group Name, Total Devices in Group, Edit and View Devices. This page shows all created
groups and is the interface for group manipulation. You can create new groups here, as well as edit group details,
delete groups and go to a device view for devices contained in a group.
9.4.2 Groups > Profiles
This page is similar in layout and function to “Device Groups”, but contains profiles. Profiles differ in that these
contain the configuration options for Intel Unite devices. Devices may only belong to one profile, while they can
belong to many device groups. To access and edit configuration settings of profiles, click on the “Details” of a
particular profile.
Enterprise Deployment Guide Intel® Corporation Confidential 47 of 53
SIGNED NDA ONLY
9.5 Management page
The Management page drops down into several sub-pages:
Server Properties: is the portal user management, contains the interface for viewing and modifying server
keys and values.
Users: you may add, remove or manually edit any account.
Roles: will allow you to create new roles
Role Assignments: will allow you to assign users to roles.
Permissions: takes you to the page where you may edit access rights for actions on the portal.
Below are brief overviews of each page and what you can do on them.
9.5.1 Management > Server Properties
On this page you can view, create, edit and delete key values for the server. The two notable keys that the Admin
Portal uses are “InactiveCount” and “WarningThreshold”. The first is used by the Intel Unite health monitoring tool
that emails users in the “Notifications” role. The second is used to determine the threshold of when a device is
considered to be inactive, in minutes. The default is 1 hour.
48 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
9.5.2 Management > Users
This page allows you to view the current users of the Admin Portal, as well as view details such as if a user account
has been locked out, change your passwords, and manually add other users without them having to register.
By clicking “Create”; you can add a new user, an email and password are required for this action. When changing
passwords, an email address verification is required, look for a manual email verification. You may also view your
current roles and which actions on the site you are allowed to execute, and/or request higher access permission if
you do not have access.
NOTE: The email server settings for requesting permission can be modified in the web.config file in the root of
the web server folder for the Admin Portal. See Management > Permissions for additional information.
9.5.3 Management > Roles
This page shows the roles currently defined for the database. You can add new roles and delete current roles.
Roles alone do not regulate access to the portal, instead the actions on the portal (e.g. creating a user) are
restricted to roles, which are associated with sets of users. By default, the roles “Admin” and “Notifications” are
defined. The “Admin” role will have access to all actions on the portal. The “Notifications” role does not have any
access, but is used by the monitoring tool to determine which users to send email notifications.
Enterprise Deployment Guide Intel® Corporation Confidential 49 of 53
SIGNED NDA ONLY
9.5.4 Management > Role Assignments
This page will allow you to assign defined users to roles. When a user is assigned a new role, they are notified via
email.
To assign roles just click on “Create”, the following screen will open:
50 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
9.5.5 Management > Permissions
This page contains the definitions of all actions in the portal. These actions can be customized to allow a set of
roles to perform the action. If Allow Anonymous Users is checked, then any user or visitor to the portal will be able
to perform that action.
By clicking Create it will take you to the create new permission page, here you can add Activity Name, its
Description and if you choose Anonymous Users.
NOTE: The email server settings for requesting permission can be modified in the web.config file, located in the
root directory of the Intel Unite folder. The settings in the file are as follows:
<mailSettings>
<smtp from="[email protected]" deliveryMethod="Network">
<network enableSsl="false" host="smtp.myco.com" port="25" userName="[email protected]"
password="pass" />
</smtp>
</mailSettings>
Enterprise Deployment Guide Intel® Corporation Confidential 51 of 53
SIGNED NDA ONLY
10 OS and PC Security Controls When connecting to a display that has Intel Unite installed, use the following steps to display a client system’s
screen on the remote display.
10.1.1 Minimum Security Standards (MSS) All Intel® Unite™ devices are built with the Intel standard build for Windows 8.1 64 bit.
It is recommended to meet your default organization MSS standards, have an agent installed for patching, and an
antivirus / IPS / IDS and other necessary control as per the MSS specification (McAfee suite for Anti Malware, IPS,
IDS was tested for compatibility).
10.1.2 Machine Hardening Machine Unified Extensible Firmware Interface (UEFI) should be locked to boot the Windows boot loader only (so
trying to boot from a USB disk / DVD will not work), Execute disable bit enabled, Intel trusted execution
technology enabled, and settings are locked with a password.
Windows OS Hardening: As a baseline, the system is running with non-elevated user rights.
It is also recommended to remove unused software from the OS including unnecessary pre-installed software and
Windows components (PowerShell, Print and Document services, Windows location provider, XPS services).
GUI subsystem lock: Since the systems uses a non-touch screen only without keyboard or mouse it make it
harder to break out of the GUI subsystem. If an attacker tries to attach a HID device (USB keyboard/mouse) we are
programmatically blocking Alt / Tab, Ctrl Shift Esc, and The ‘Charms’ bar. If the UI crashes or the user does
connect a keyboard/mouse and manages to break outside the launcher UI, the system service restarts the UI
within a few seconds.
10.1.3 Other security controls It is recommended to lock the machine user account per specific machine account in Active Directory. If the
deployment includes a high number of units, user accounts can be locked per a designated floor of a specific
building.
Machine ownership: Each machine is recommended to have an identified owner. In case the machine goes offline
for an extended period the identified owner will get notified.
Beyond the security mechanisms provided by the Intel vPro platform and the Intel Unite software itself, it is
recommended to harden the Windows OS per Microsoft's guidelines for machine hardening, for reference, please
consult the Microsoft Security Compliance Manager (SCM) in the following link: https://technet.microsoft.com/en-
us/solutionaccelerators/cc835245.aspx
Note: information in the link contains a wizard based hardening tool, including hardening BKM’s and relevant
documentation.
52 of 53 Intel® Corporation Confidential Enterprise Deployment Guide
SIGNED NDA ONLY
11 Maintenance
Your organization and IT administrator will decide in a regular maintenance program, the following maintenance
tasks are recommended:
11.1 Nightly reboot It is recommended to reboot the machines on a daily base (preferably at night time) and prior to this reboot; run
maintenance tasks such as: wiping cached temp files and initiating the standard patching procedure.
11.2 Patching strategy If available, run your standard patching mechanism in an unattended mode (no GUI prompts) preferably before
the above mentioned nightly reboot.
11.3 Reporting Collect the machine uptime indicators and create a tailored report per your organization needs.
11.4 Monitoring Use a health tracking system based on machines heartbeat and do backend uptime analysis according to need.
11.4.1 Backend monitoring: Use standard virtual server monitoring tools to generate and send alerts to second level support.
Enterprise Deployment Guide Intel® Corporation Confidential 53 of 53
SIGNED NDA ONLY
Appendix A. Intel Unite Installation Example
The following is an example of how Intel Unite has been configured in a conference room.