feat(intel): Enable OpenAMT and FDO capabilities (#6212)

* feat(openamt): add AMT Devices information in Environments view [INT-8] (#6169) * feat(openamt): add AMT Devices Ouf of Band Managamenet actions [INT-9] (#6171) * feat(openamt): add AMT Devices KVM Connection [INT-10] (#6179) * feat(openamt): Enhance the Environments MX to activate OpenAMT on compatible environments [INT-7] (#6196) * feat(openamt): Enable KVM by default [INT-25] (#6228) * feat(fdo): implement the FDO configuration settings INT-19 (#6238) feat(fdo): implement the FDO configuration settings INT-19 * feat(fdo): implement Owner client INT-17 (#6231) feat(fdo): implement Owner client INT-17 * feat(openamt): hide wireless config in OpenAMT form (#6250) * feat(openamt): Increase OpenAMT timeouts [INT-30] (#6253) * feat(openamt): Disable the ability to use KVM and OOB actions on a MPS disconnected device [INT-36] (#6254) * feat(fdo): add import device UI [INT-20] (#6240) feat(fdo): add import device UI INT-20 * refactor(fdo): fix develop merge issues * feat(openamt): Do not fetch OpenAMT details for an unassociated Edge endpoint (#6273) * fix(intel): Fix switches params (#6282) * feat(openamt): preload existing AMT settings (#6283) * feat(openamt): Better UI/UX for AMT activation loading [INT-39] (#6290) * feat(openamt): Remove wireless config related code [INT-41] (#6291) * yarn install * feat(openamt): change kvm redirection for pop up, always enable features [INT-37] (#6292) * feat(openamt): change kvm redirection for pop up, always enable features [INT-37] (#6293) * feat(openmt): use .ts services with axios for OpenAMT (#6312) * Minor code cleanup. * fix(fdo): move the FDO client code to the hostmanagement folder INT-44 (#6345) * refactor(intel): Add Edge Compute Settings view (#6351) * feat(fdo): add FDO profiles INT-22 (#6363) feat(fdo): add FDO profiles INT-22 * fix(fdo): fix incorrect profile URL INT-45 (#6377) * fixed husky version * fix go.mod with go mod tidy * feat(edge): migrate OpenAMT devices views to Edge Devices [EE-2322] (#6373) * feat(intel): OpenAMT UI/UX adjustments (#6394) * only allow edge agent as edge device * show all edge agent environments on Edge Devices view * feat(fdo): add the ability to import multiple ownership vouchers at once EE-2324 (#6395) * fix(edge): settings edge compute alert (#6402) * remove pagination, add useMemo for devices result array (#6409) * feat(edge): minor Edge Devices (AMT) UI fixes (#6410) * chore(eslint): fix versions * chore(app): reformat codebase * change add edge agent modal behaviour, fix yarn.lock * fix use pagination * remove extractedTranslations folder * feat(edge): add FDO Profiles Datatable [EE-2406] (#6415) * feat(edge): add KVM workaround tooltip (#6441) * feat(edge): Add default FDO profile (#6450) * feat(edge): add settings to disable trust on first connect and enforce Edge ID INT-1 EE-2410 (#6429) Co-authored-by: andres-portainer <91705312+andres-portainer@users.noreply.github.com> Co-authored-by: Anthony Lapenna <anthony.lapenna@portainer.io> Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com> Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com>
2025-07-24 15:59:41 +02:00 · 2022-01-23 16:48:04 -03:00 · 2022-01-23 16:48:04 -03:00 · 2c4c638f46
commit 2c4c638f46
parent 3ed92e5fee
170 changed files with 6834 additions and 819 deletions
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"github.com/gofrs/uuid"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
@ -37,6 +38,7 @@ type endpointCreatePayload struct {
 	AzureAuthenticationKey string
 	TagIDs                 []portainer.TagID
 	EdgeCheckinInterval    int
+	IsEdgeDevice           bool
 }

 type endpointCreationEnum int
@ -144,6 +146,9 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 	checkinInterval, _ := request.RetrieveNumericMultiPartFormValue(r, "CheckinInterval", true)
 	payload.EdgeCheckinInterval = checkinInterval

+	isEdgeDevice, _ := request.RetrieveBooleanMultiPartFormValue(r, "IsEdgeDevice", true)
+	payload.IsEdgeDevice = isEdgeDevice
+
 	return nil
 }

@ -332,6 +337,21 @@ func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload)
 		EdgeKey:             edgeKey,
 		EdgeCheckinInterval: payload.EdgeCheckinInterval,
 		Kubernetes:          portainer.KubernetesDefault(),
+		IsEdgeDevice:        payload.IsEdgeDevice,
+	}
+
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve the settings from the database", err}
+	}
+
+	if settings.EnforceEdgeID {
+		edgeID, err := uuid.NewV4()
+		if err != nil {
+			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Cannot generate the Edge ID", err}
+		}
+
+		endpoint.EdgeID = edgeID.String()
 	}

 	err = handler.saveEndpointAndUpdateAuthorizations(endpoint)
@ -370,6 +390,7 @@ func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload)
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
 		Kubernetes:         portainer.KubernetesDefault(),
+		IsEdgeDevice:       payload.IsEdgeDevice,
 	}

 	err := handler.snapshotAndPersistEndpoint(endpoint)
@ -435,6 +456,7 @@ func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload,
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
 		Kubernetes:         portainer.KubernetesDefault(),
+		IsEdgeDevice:       payload.IsEdgeDevice,
 	}

 	err := handler.storeTLSFiles(endpoint, payload)
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@ -89,6 +89,11 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		filteredEndpoints = filterEndpointsByGroupID(filteredEndpoints, portainer.EndpointGroupID(groupID))
 	}

+	edgeDeviceFilter, edgeDeviceFilterErr := request.RetrieveBooleanQueryParameter(r, "edgeDeviceFilter", false)
+	if edgeDeviceFilterErr == nil {
+		filteredEndpoints = filterEndpointsByEdgeDevice(filteredEndpoints, edgeDeviceFilter)
+	}
+
 	if search != "" {
 		tags, err := handler.DataStore.Tag().Tags()
 		if err != nil {
@ -231,6 +236,17 @@ func filterEndpointsByTypes(endpoints []portainer.Endpoint, endpointTypes []int)
 	return filteredEndpoints
 }

+func filterEndpointsByEdgeDevice(endpoints []portainer.Endpoint, edgeDeviceFilter bool) []portainer.Endpoint {
+	filteredEndpoints := make([]portainer.Endpoint, 0)
+
+	for _, endpoint := range endpoints {
+		if edgeDeviceFilter == endpoint.IsEdgeDevice {
+			filteredEndpoints = append(filteredEndpoints, endpoint)
+		}
+	}
+	return filteredEndpoints
+}
+
 func convertTagIDsToTags(tagsMap map[portainer.TagID]string, tagIDs []portainer.TagID) []string {
 	tags := make([]string, 0)
 	for _, tagID := range tagIDs {
--- a/api/http/handler/endpoints/endpoint_snapshot.go
+++ b/api/http/handler/endpoints/endpoint_snapshot.go
@ -1,6 +1,7 @@
 package endpoints

 import (
+	"errors"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
@ -37,7 +38,7 @@ func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request)
 	}

 	if !snapshot.SupportDirectSnapshot(endpoint) {
-		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for this environment", err}
+		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for this environment", errors.New("Snapshots not supported for this environment")}
 	}

 	snapshotError := handler.SnapshotService.SnapshotEndpoint(endpoint)
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@ -46,6 +46,8 @@ type endpointUpdatePayload struct {
 	EdgeCheckinInterval *int `example:"5"`
 	// Associated Kubernetes data
 	Kubernetes *portainer.KubernetesData
+	// Whether the device has been trusted or not by the user
+	UserTrusted *bool
 }

 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
@ -270,6 +272,10 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

+	if payload.UserTrusted != nil {
+		endpoint.UserTrusted = *payload.UserTrusted
+	}
+
 	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist environment changes inside the database", err}
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@ -17,6 +17,7 @@ import (
 	"github.com/portainer/portainer/api/http/handler/endpoints"
 	"github.com/portainer/portainer/api/http/handler/file"
 	"github.com/portainer/portainer/api/http/handler/helm"
+	"github.com/portainer/portainer/api/http/handler/hostmanagement/fdo"
 	"github.com/portainer/portainer/api/http/handler/hostmanagement/openamt"
 	"github.com/portainer/portainer/api/http/handler/kubernetes"
 	"github.com/portainer/portainer/api/http/handler/ldap"
@ -64,6 +65,7 @@ type Handler struct {
 	SettingsHandler        *settings.Handler
 	SSLHandler             *ssl.Handler
 	OpenAMTHandler         *openamt.Handler
+	FDOHandler             *fdo.Handler
 	StackHandler           *stacks.Handler
 	StatusHandler          *status.Handler
 	StorybookHandler       *storybook.Handler
@ -228,9 +230,9 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case strings.HasPrefix(r.URL.Path, "/api/ssl"):
 		http.StripPrefix("/api", h.SSLHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/open_amt"):
-		if h.OpenAMTHandler != nil {
-			http.StripPrefix("/api", h.OpenAMTHandler).ServeHTTP(w, r)
-		}
+		http.StripPrefix("/api", h.OpenAMTHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/fdo"):
+		http.StripPrefix("/api", h.FDOHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/teams"):
 		http.StripPrefix("/api", h.TeamHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/team_memberships"):
--- a/api/http/handler/hostmanagement/fdo/configure.go
+++ b/api/http/handler/hostmanagement/fdo/configure.go
@ -0,0 +1,188 @@
+package fdo
+
+import (
+	"encoding/hex"
+	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/fxamacker/cbor/v2"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	deploymentScriptName = "fdo.sh"
+)
+
+type deviceConfigurePayload struct {
+	EdgeID    string `json:"edgeID"`
+	EdgeKey   string `json:"edgeKey"`
+	Name      string `json:"name"`
+	ProfileID int    `json:"profile"`
+}
+
+func (payload *deviceConfigurePayload) Validate(r *http.Request) error {
+	if payload.EdgeID == "" {
+		return errors.New("invalid edge ID provided")
+	}
+
+	if payload.EdgeKey == "" {
+		return errors.New("invalid edge key provided")
+	}
+
+	if payload.Name == "" {
+		return errors.New("the device name cannot be empty")
+	}
+
+	if payload.ProfileID < 1 {
+		return errors.New("invalid profile id provided")
+	}
+
+	return nil
+}
+
+// @id fdoConfigureDevice
+// @summary configures an FDO device
+// @description configures an FDO device
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @param body body deviceConfigurePayload true "Device Configuration"
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /fdo/configure/{guid} [post]
+func (handler *Handler) fdoConfigureDevice(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	guid, err := request.RetrieveRouteVariableValue(r, "guid")
+	if err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: request.RetrieveRouteVariableValue()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: guid not found", Err: err}
+	}
+
+	var payload deviceConfigurePayload
+
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		logrus.WithError(err).Error("Invalid request payload")
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
+	}
+
+	profile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(payload.ProfileID))
+	if handler.DataStore.IsErrObjectNotFound(err) {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	}
+
+	fileContent, err := handler.FileService.GetFileContent(profile.FilePath, "")
+	if err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: GetFileContent")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: GetFileContent", Err: err}
+	}
+
+	fdoClient, err := handler.newFDOClient()
+	if err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: newFDOClient()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: newFDOClient()", Err: err}
+	}
+
+	// enable fdo_sys
+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"0"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"active"},
+		"bytes":    []string{"F5"}, // this is "true" in CBOR
+	}, []byte("")); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
+	}
+
+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"1"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"filedesc"},
+		"filename": []string{"DEVICE_edgeid.txt"},
+	}, []byte(payload.EdgeID)); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw(edgeid)")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw(edgeid)", Err: err}
+	}
+
+	// write down the edgekey
+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"1"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"filedesc"},
+		"filename": []string{"DEVICE_edgekey.txt"},
+	}, []byte(payload.EdgeKey)); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw(edgekey)")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw(edgekey)", Err: err}
+	}
+
+	// write down the device name
+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"1"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"filedesc"},
+		"filename": []string{"DEVICE_name.txt"},
+	}, []byte(payload.Name)); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw(name)")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw(name)", Err: err}
+	}
+
+	// write down the device GUID - used as the EDGE_DEVICE_GUID too
+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"1"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"filedesc"},
+		"filename": []string{"DEVICE_GUID.txt"},
+	}, []byte(guid)); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
+	}
+
+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"1"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"filedesc"},
+		"filename": []string{deploymentScriptName},
+	}, fileContent); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
+	}
+
+	b, err := cbor.Marshal([]string{"/bin/sh", deploymentScriptName})
+	if err != nil {
+		logrus.WithError(err).Error("failed to marshal string to CBOR")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw() failed to encode", Err: err}
+	}
+
+	cborBytes := strings.ToUpper(hex.EncodeToString(b))
+	logrus.WithField("cbor", cborBytes).WithField("string", deploymentScriptName).Info("converted to CBOR")
+
+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"2"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"exec"},
+		"bytes":    []string{cborBytes},
+	}, []byte("")); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/hostmanagement/fdo/fdo.go
+++ b/api/http/handler/hostmanagement/fdo/fdo.go
@ -0,0 +1,164 @@
+package fdo
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/hostmanagement/fdo"
+	"github.com/sirupsen/logrus"
+)
+
+type fdoConfigurePayload portainer.FDOConfiguration
+
+func validateURL(u string) error {
+	p, err := url.Parse(u)
+	if err != nil {
+		return err
+	}
+
+	if p.Scheme != "http" && p.Scheme != "https" {
+		return errors.New("invalid scheme provided, must be 'http' or 'https'")
+	}
+
+	if p.Host == "" {
+		return errors.New("invalid host provided")
+	}
+
+	return nil
+}
+
+func (payload *fdoConfigurePayload) Validate(r *http.Request) error {
+	if payload.Enabled {
+		if err := validateURL(payload.OwnerURL); err != nil {
+			return fmt.Errorf("owner server URL: %w", err)
+		}
+	}
+
+	return nil
+}
+
+func (handler *Handler) saveSettings(config portainer.FDOConfiguration) error {
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return err
+	}
+	settings.FDOConfiguration = config
+
+	return handler.DataStore.Settings().UpdateSettings(settings)
+}
+
+func (handler *Handler) newFDOClient() (fdo.FDOOwnerClient, error) {
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return fdo.FDOOwnerClient{}, err
+	}
+
+	return fdo.FDOOwnerClient{
+		OwnerURL: settings.FDOConfiguration.OwnerURL,
+		Username: settings.FDOConfiguration.OwnerUsername,
+		Password: settings.FDOConfiguration.OwnerPassword,
+		Timeout:  5 * time.Second,
+	}, nil
+}
+
+// @id fdoConfigure
+// @summary Enable Portainer's FDO capabilities
+// @description Enable Portainer's FDO capabilities
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @accept json
+// @produce json
+// @param body body fdoConfigurePayload true "FDO Settings"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /fdo [post]
+func (handler *Handler) fdoConfigure(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload fdoConfigurePayload
+
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		logrus.WithError(err).Error("Invalid request payload")
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
+	}
+
+	settings := portainer.FDOConfiguration(payload)
+	if err = handler.saveSettings(settings); err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error saving FDO settings", Err: err}
+	}
+
+	profiles, err := handler.DataStore.FDOProfile().FDOProfiles()
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Error saving FDO settings", Err: err}
+	}
+	if len(profiles) == 0 {
+		err = handler.addDefaultProfile()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+		}
+	}
+
+	return response.Empty(w)
+}
+
+func (handler *Handler) addDefaultProfile() error {
+	profileID := handler.DataStore.FDOProfile().GetNextIdentifier()
+	profile := &portainer.FDOProfile{
+		ID:   portainer.FDOProfileID(profileID),
+		Name: "Docker Standalone + Edge",
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(profile.ID)), []byte(defaultProfileFileContent))
+	if err != nil {
+		return err
+	}
+	profile.FilePath = filePath
+	profile.DateCreated = time.Now().Unix()
+
+	err = handler.DataStore.FDOProfile().Create(profile)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+const defaultProfileFileContent = `
+#!/bin/bash -ex
+
+env > env.log
+
+export AGENT_IMAGE=portainer/agent:2.11.0
+export GUID=$(cat DEVICE_GUID.txt)
+export DEVICE_NAME=$(cat DEVICE_name.txt)
+export EDGE_ID=$(cat DEVICE_edgeid.txt)
+export EDGE_KEY=$(cat DEVICE_edgekey.txt)
+export AGENTVOLUME=$(pwd)/data/portainer_agent_data/
+
+mkdir -p ${AGENTVOLUME}
+
+docker pull ${AGENT_IMAGE}
+
+docker run -d \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -v /var/lib/docker/volumes:/var/lib/docker/volumes \
+    -v /:/host \
+    -v ${AGENTVOLUME}:/data \
+    --restart always \
+    -e EDGE=1 \
+    -e EDGE_ID=${EDGE_ID} \
+    -e EDGE_KEY=${EDGE_KEY} \
+    -e CAP_HOST_MANAGEMENT=1 \
+    -e EDGE_INSECURE_POLL=1 \
+    --name portainer_edge_agent \
+    ${AGENT_IMAGE}
+`
--- a/api/http/handler/hostmanagement/fdo/handler.go
+++ b/api/http/handler/hostmanagement/fdo/handler.go
@ -0,0 +1,40 @@
+package fdo
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	httperror "github.com/portainer/libhttp/error"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/security"
+)
+
+type Handler struct {
+	*mux.Router
+	DataStore   dataservices.DataStore
+	FileService portainer.FileService
+}
+
+func NewHandler(bouncer *security.RequestBouncer, dataStore dataservices.DataStore, fileService portainer.FileService) *Handler {
+	h := &Handler{
+		Router:      mux.NewRouter(),
+		DataStore:   dataStore,
+		FileService: fileService,
+	}
+
+	h.Handle("/fdo/configure", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoConfigure))).Methods(http.MethodPost)
+	h.Handle("/fdo/list", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoListAll))).Methods(http.MethodGet)
+	h.Handle("/fdo/register", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoRegisterDevice))).Methods(http.MethodPost)
+	h.Handle("/fdo/configure/{guid}", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoConfigureDevice))).Methods(http.MethodPost)
+
+	h.Handle("/fdo/profiles", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoProfileList))).Methods(http.MethodGet)
+	h.Handle("/fdo/profiles", bouncer.AdminAccess(httperror.LoggerHandler(h.createProfile))).Methods(http.MethodPost)
+	h.Handle("/fdo/profiles/{id}", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoProfileInspect))).Methods(http.MethodGet)
+	h.Handle("/fdo/profiles/{id}", bouncer.AdminAccess(httperror.LoggerHandler(h.updateProfile))).Methods(http.MethodPut)
+	h.Handle("/fdo/profiles/{id}", bouncer.AdminAccess(httperror.LoggerHandler(h.deleteProfile))).Methods(http.MethodDelete)
+	h.Handle("/fdo/profiles/{id}/duplicate", bouncer.AdminAccess(httperror.LoggerHandler(h.duplicateProfile))).Methods(http.MethodPost)
+
+	return h
+}
--- a/api/http/handler/hostmanagement/fdo/list.go
+++ b/api/http/handler/hostmanagement/fdo/list.go
@ -0,0 +1,39 @@
+package fdo
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/sirupsen/logrus"
+
+	"github.com/portainer/libhttp/response"
+)
+
+// @id fdoListAll
+// @summary List all known FDO vouchers
+// @description List all known FDO vouchers
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /fdo/list [get]
+func (handler *Handler) fdoListAll(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	fdoClient, err := handler.newFDOClient()
+	if err != nil {
+		logrus.WithError(err).Info("fdoListAll: newFDOClient()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoRegisterDevice: newFDOClient()", Err: err}
+	}
+
+	// Get all vouchers
+	guids, err := fdoClient.GetVouchers()
+	if err != nil {
+		logrus.WithError(err).Info("fdoListAll: GetVouchers()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoListAll: GetVouchers()", Err: err}
+	}
+
+	return response.JSON(w, guids)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_create.go
+++ b/api/http/handler/hostmanagement/fdo/profile_create.go
@ -0,0 +1,92 @@
+package fdo
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"time"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+type createProfileFromFileContentPayload struct {
+	Name               string
+	ProfileFileContent string
+}
+
+func (payload *createProfileFromFileContentPayload) Validate(r *http.Request) error {
+	if payload.Name == "" {
+		return errors.New("profile name must be provided")
+	}
+
+	if payload.ProfileFileContent == "" {
+		return errors.New("profile file content must be provided")
+	}
+
+	return nil
+}
+
+// @id createProfile
+// @summary creates a new FDO Profile
+// @description creates a new FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 409 "Profile name already exists"
+// @failure 500 "Server error"
+// @router /fdo/profiles [post]
+func (handler *Handler) createProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	method, err := request.RetrieveQueryParameter(r, "method", false)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: method", err}
+	}
+
+	switch method {
+	case "editor":
+		return handler.createFDOProfileFromFileContent(w, r)
+	}
+	return &httperror.HandlerError{http.StatusBadRequest, "Invalid method. Value must be one of: editor", errors.New("invalid method")}
+}
+
+func (handler *Handler) createFDOProfileFromFileContent(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload createProfileFromFileContentPayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	isUnique, err := handler.checkUniqueProfileName(payload.Name, -1)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+	}
+	if !isUnique {
+		return &httperror.HandlerError{http.StatusConflict, fmt.Sprintf("A profile with the name '%s' already exists", payload.Name), errors.New("a profile already exists with this name")}
+	}
+
+	profileID := handler.DataStore.FDOProfile().GetNextIdentifier()
+	profile := &portainer.FDOProfile{
+		ID:   portainer.FDOProfileID(profileID),
+		Name: payload.Name,
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(profile.ID)), []byte(payload.ProfileFileContent))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist profile file on disk", err}
+	}
+	profile.FilePath = filePath
+	profile.DateCreated = time.Now().Unix()
+
+	err = handler.DataStore.FDOProfile().Create(profile)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the profile inside the database", err}
+	}
+
+	return response.JSON(w, profile)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_delete.go
+++ b/api/http/handler/hostmanagement/fdo/profile_delete.go
@ -0,0 +1,36 @@
+package fdo
+
+import (
+	"errors"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+// @id deleteProfile
+// @summary deletes a FDO Profile
+// @description deletes a FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id} [delete]
+func (handler *Handler) deleteProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	err = handler.DataStore.FDOProfile().Delete(portainer.FDOProfileID(id))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete Profile", err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_duplicate.go
+++ b/api/http/handler/hostmanagement/fdo/profile_duplicate.go
@ -0,0 +1,67 @@
+package fdo
+
+import (
+	"errors"
+	"fmt"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+// @id duplicate
+// @summary duplicated an existing FDO Profile
+// @description duplicated an existing FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id}/duplicate [post]
+func (handler *Handler) duplicateProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	originalProfile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(id))
+	if handler.DataStore.IsErrObjectNotFound(err) {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	}
+
+	fileContent, err := handler.FileService.GetFileContent(originalProfile.FilePath, "")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Profile file content", err}
+	}
+
+	profileID := handler.DataStore.FDOProfile().GetNextIdentifier()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to duplicate Profile", err}
+	}
+
+	newProfile := &portainer.FDOProfile{
+		ID:   portainer.FDOProfileID(profileID),
+		Name: fmt.Sprintf("%s - copy", originalProfile.Name),
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(newProfile.ID)), fileContent)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist profile file on disk", err}
+	}
+	newProfile.FilePath = filePath
+	newProfile.DateCreated = time.Now().Unix()
+
+	err = handler.DataStore.FDOProfile().Create(newProfile)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the profile inside the database", err}
+	}
+
+	return response.JSON(w, newProfile)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_inspect.go
+++ b/api/http/handler/hostmanagement/fdo/profile_inspect.go
@ -0,0 +1,49 @@
+package fdo
+
+import (
+	"errors"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+type fdoProfileResponse struct {
+	Name        string `json:"name"`
+	FileContent string `json:"fileContent"`
+}
+
+// @id fdoProfileInspect
+// @summary retrieves a given FDO profile information and content
+// @description retrieves a given FDO profile information and content
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id} [get]
+func (handler *Handler) fdoProfileInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	profile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(id))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Profile", err}
+	}
+
+	fileContent, err := handler.FileService.GetFileContent(profile.FilePath, "")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Profile file content", err}
+	}
+
+	return response.JSON(w, fdoProfileResponse{
+		Name:        profile.Name,
+		FileContent: string(fileContent),
+	})
+}
--- a/api/http/handler/hostmanagement/fdo/profile_list.go
+++ b/api/http/handler/hostmanagement/fdo/profile_list.go
@ -0,0 +1,31 @@
+package fdo
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/response"
+)
+
+// @id fdoProfileList
+// @summary retrieves all FDO profiles
+// @description retrieves all FDO profiles
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @failure 500 "Bad gateway"
+// @router /fdo/profiles [get]
+func (handler *Handler) fdoProfileList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+
+	profiles, err := handler.DataStore.FDOProfile().FDOProfiles()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+	}
+
+	return response.JSON(w, profiles)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_update.go
+++ b/api/http/handler/hostmanagement/fdo/profile_update.go
@ -0,0 +1,67 @@
+package fdo
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+// @id updateProfile
+// @summary updates an existing FDO Profile
+// @description updates an existing FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 409 "Profile name already exists"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id} [put]
+func (handler *Handler) updateProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	var payload createProfileFromFileContentPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	profile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(id))
+	if handler.DataStore.IsErrObjectNotFound(err) {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	}
+
+	isUnique, err := handler.checkUniqueProfileName(payload.Name, id)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+	}
+	if !isUnique {
+		return &httperror.HandlerError{http.StatusConflict, fmt.Sprintf("A profile with the name '%s' already exists", payload.Name), errors.New("a profile already exists with this name")}
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(profile.ID)), []byte(payload.ProfileFileContent))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update profile", err}
+	}
+	profile.FilePath = filePath
+	profile.Name = payload.Name
+
+	err = handler.DataStore.FDOProfile().Update(profile.ID, profile)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update profile", err}
+	}
+
+	return response.JSON(w, profile)
+}
--- a/api/http/handler/hostmanagement/fdo/register.go
+++ b/api/http/handler/hostmanagement/fdo/register.go
@ -0,0 +1,49 @@
+package fdo
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/sirupsen/logrus"
+)
+
+type registerDeviceResponse struct {
+	Guid string `json:"guid" example:"c6ea3343-229a-4c07-9096-beef7134e1d3"`
+}
+
+// @id fdoRegisterDevice
+// @summary register an FDO device
+// @description register an FDO device
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /fdo/register [post]
+func (handler *Handler) fdoRegisterDevice(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	// Post a voucher
+	ov, filename, err := request.RetrieveMultiPartFormFile(r, "voucher")
+	if err != nil {
+		logrus.WithField("filename", filename).WithError(err).Info("fdoRegisterDevice: readVoucher()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoRegisterDevice: read Voucher()", Err: err}
+	}
+
+	fdoClient, err := handler.newFDOClient()
+	if err != nil {
+		logrus.WithError(err).Info("fdoRegisterDevice: newFDOClient()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoRegisterDevice: newFDOClient()", Err: err}
+	}
+
+	guid, err := fdoClient.PostVoucher(ov)
+	if err != nil {
+		logrus.WithError(err).Info("fdoRegisterDevice: PostVoucher()")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoRegisterDevice: PostVoucher()", Err: err}
+	}
+
+	return response.JSON(w, registerDeviceResponse{guid})
+}
--- a/api/http/handler/hostmanagement/fdo/utils.go
+++ b/api/http/handler/hostmanagement/fdo/utils.go
@ -0,0 +1,16 @@
+package fdo
+
+func (handler *Handler) checkUniqueProfileName(name string, id int) (bool, error) {
+	profiles, err := handler.DataStore.FDOProfile().FDOProfiles()
+	if err != nil {
+		return false, err
+	}
+
+	for _, profile := range profiles {
+		if profile.Name == name && (id == -1 || id != int(profile.ID)) {
+			return false, nil
+		}
+	}
+
+	return true, nil
+}
--- a/api/http/handler/hostmanagement/openamt/amtactivation.go
+++ b/api/http/handler/hostmanagement/openamt/amtactivation.go
@ -0,0 +1,73 @@
+package openamt
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/portainer/portainer/api/internal/endpointutils"
+)
+
+// @id openAMTActivate
+// @summary Activate OpenAMT device and associate to agent endpoint
+// @description Activate OpenAMT device and associate to agent endpoint
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /open_amt/{id}/activate [post]
+func (handler *Handler) openAMTActivate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid environment identifier route variable", err}
+	}
+
+	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	if err == bolterrors.ErrObjectNotFound {
+		return &httperror.HandlerError{StatusCode: http.StatusNotFound, Message: "Unable to find an endpoint with the specified identifier inside the database", Err: err}
+	} else if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to find an endpoint with the specified identifier inside the database", Err: err}
+	} else if !endpointutils.IsAgentEndpoint(endpoint) {
+		errMsg := fmt.Sprintf("%s is not an agent environment", endpoint.Name)
+		return &httperror.HandlerError{http.StatusBadRequest, errMsg, errors.New(errMsg)}
+	}
+
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	err = handler.activateDevice(endpoint, *settings)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to activate device", err}
+	}
+
+	hostInfo, _, err := handler.getEndpointAMTInfo(endpoint)
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve AMT information", Err: err}
+	}
+	if hostInfo.ControlModeRaw < 1 {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Failed to activate device", Err: errors.New("failed to activate device")}
+	}
+	if hostInfo.UUID == "" {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve device UUID", Err: errors.New("unable to retrieve device UUID")}
+	}
+
+	endpoint.AMTDeviceGUID = hostInfo.UUID
+	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist environment changes inside the database", err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/hostmanagement/openamt/amtconfiguration.go
+++ b/api/http/handler/hostmanagement/openamt/amtconfiguration.go
@ -16,23 +16,19 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )

-type openAMTConfigureDefaultPayload struct {
-	EnableOpenAMT            bool
-	MPSServer                string
-	MPSUser                  string
-	MPSPassword              string
-	CertFileText             string
-	CertPassword             string
-	DomainName               string
-	UseWirelessConfig        bool
-	WifiAuthenticationMethod string
-	WifiEncryptionMethod     string
-	WifiSSID                 string
-	WifiPskPass              string
+type openAMTConfigurePayload struct {
+	Enabled          bool
+	MPSServer        string
+	MPSUser          string
+	MPSPassword      string
+	DomainName       string
+	CertFileName     string
+	CertFileContent  string
+	CertFilePassword string
 }

-func (payload *openAMTConfigureDefaultPayload) Validate(r *http.Request) error {
-	if payload.EnableOpenAMT {
+func (payload *openAMTConfigurePayload) Validate(r *http.Request) error {
+	if payload.Enabled {
 		if payload.MPSServer == "" {
 			return errors.New("MPS Server must be provided")
 		}
@ -45,32 +41,21 @@ func (payload *openAMTConfigureDefaultPayload) Validate(r *http.Request) error {
 		if payload.DomainName == "" {
 			return errors.New("domain name must be provided")
 		}
-		if payload.CertFileText == "" {
+		if payload.CertFileContent == "" {
 			return errors.New("certificate file must be provided")
 		}
-		if payload.CertPassword == "" {
-			return errors.New("certificate password must be provided")
+		if payload.CertFileName == "" {
+			return errors.New("certificate file name must be provided")
 		}
-		if payload.UseWirelessConfig {
-			if payload.WifiAuthenticationMethod == "" {
-				return errors.New("wireless authentication method must be provided")
-			}
-			if payload.WifiEncryptionMethod == "" {
-				return errors.New("wireless encryption method must be provided")
-			}
-			if payload.WifiSSID == "" {
-				return errors.New("wireless config SSID must be provided")
-			}
-			if payload.WifiPskPass == "" {
-				return errors.New("wireless config PSK passphrase must be provided")
-			}
+		if payload.CertFilePassword == "" {
+			return errors.New("certificate password must be provided")
 		}
 	}

 	return nil
 }

-// @id OpenAMTConfigureDefault
+// @id OpenAMTConfigure
 // @summary Enable Portainer's OpenAMT capabilities
 // @description Enable Portainer's OpenAMT capabilities
 // @description **Access policy**: administrator
@ -78,22 +63,22 @@ func (payload *openAMTConfigureDefaultPayload) Validate(r *http.Request) error {
 // @security jwt
 // @accept json
 // @produce json
-// @param body body openAMTConfigureDefaultPayload true "OpenAMT Settings"
+// @param body body openAMTConfigurePayload true "OpenAMT Settings"
 // @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied to access settings"
 // @failure 500 "Server error"
 // @router /open_amt [post]
-func (handler *Handler) openAMTConfigureDefault(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	var payload openAMTConfigureDefaultPayload
+func (handler *Handler) openAMTConfigure(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload openAMTConfigurePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
 		logrus.WithError(err).Error("Invalid request payload")
 		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
 	}

-	if payload.EnableOpenAMT {
-		certificateErr := validateCertificate(payload.CertFileText, payload.CertPassword)
+	if payload.Enabled {
+		certificateErr := validateCertificate(payload.CertFileContent, payload.CertFilePassword)
 		if certificateErr != nil {
 			return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error validating certificate", Err: certificateErr}
 		}
@ -143,31 +128,19 @@ func isValidIssuer(issuer string) bool {
 		strings.Contains(formattedIssuer, "godaddy")
 }

-func (handler *Handler) enableOpenAMT(configurationPayload openAMTConfigureDefaultPayload) error {
+func (handler *Handler) enableOpenAMT(configurationPayload openAMTConfigurePayload) error {
 	configuration := portainer.OpenAMTConfiguration{
-		Enabled:   true,
-		MPSServer: configurationPayload.MPSServer,
-		Credentials: portainer.MPSCredentials{
-			MPSUser:     configurationPayload.MPSUser,
-			MPSPassword: configurationPayload.MPSPassword,
-		},
-		DomainConfiguration: portainer.DomainConfiguration{
-			CertFileText: configurationPayload.CertFileText,
-			CertPassword: configurationPayload.CertPassword,
-			DomainName:   configurationPayload.DomainName,
-		},
+		Enabled:          true,
+		MPSServer:        configurationPayload.MPSServer,
+		MPSUser:          configurationPayload.MPSUser,
+		MPSPassword:      configurationPayload.MPSPassword,
+		CertFileContent:  configurationPayload.CertFileContent,
+		CertFileName:     configurationPayload.CertFileName,
+		CertFilePassword: configurationPayload.CertFilePassword,
+		DomainName:       configurationPayload.DomainName,
 	}

-	if configurationPayload.UseWirelessConfig {
-		configuration.WirelessConfiguration = &portainer.WirelessConfiguration{
-			AuthenticationMethod: configurationPayload.WifiAuthenticationMethod,
-			EncryptionMethod:     configurationPayload.WifiEncryptionMethod,
-			SSID:                 configurationPayload.WifiSSID,
-			PskPass:              configurationPayload.WifiPskPass,
-		}
-	}
-
-	err := handler.OpenAMTService.ConfigureDefault(configuration)
+	err := handler.OpenAMTService.Configure(configuration)
 	if err != nil {
 		logrus.WithError(err).Error("error configuring OpenAMT server")
 		return err
@ -189,7 +162,7 @@ func (handler *Handler) saveConfiguration(configuration portainer.OpenAMTConfigu
 		return err
 	}

-	configuration.Credentials.MPSToken = ""
+	configuration.MPSToken = ""

 	settings.OpenAMTConfiguration = configuration
 	err = handler.DataStore.Settings().UpdateSettings(settings)
--- a/api/http/handler/hostmanagement/openamt/amtdevices.go
+++ b/api/http/handler/hostmanagement/openamt/amtdevices.go
@ -0,0 +1,178 @@
+package openamt
+
+import (
+	"errors"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// @id OpenAMTDevices
+// @summary Fetch OpenAMT managed devices information for endpoint
+// @description Fetch OpenAMT managed devices information for endpoint
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /open_amt/{id}/devices [get]
+func (handler *Handler) openAMTDevices(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid environment identifier route variable", err}
+	}
+
+	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	if err == bolterrors.ErrObjectNotFound {
+		return &httperror.HandlerError{StatusCode: http.StatusNotFound, Message: "Unable to find an endpoint with the specified identifier inside the database", Err: err}
+	} else if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to find an endpoint with the specified identifier inside the database", Err: err}
+	}
+
+	if endpoint.AMTDeviceGUID == "" {
+		return response.JSON(w, []portainer.OpenAMTDeviceInformation{})
+	}
+
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	device, err := handler.OpenAMTService.DeviceInformation(settings.OpenAMTConfiguration, endpoint.AMTDeviceGUID)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve device information", err}
+	}
+
+	devices := []portainer.OpenAMTDeviceInformation{
+		*device,
+	}
+
+	return response.JSON(w, devices)
+}
+
+type deviceActionPayload struct {
+	Action string
+}
+
+func (payload *deviceActionPayload) Validate(r *http.Request) error {
+	if payload.Action == "" {
+		return errors.New("device action must be provided")
+	}
+	return nil
+}
+
+// @id DeviceAction
+// @summary Execute out of band action on an AMT managed device
+// @description Execute out of band action on an AMT managed device
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @accept json
+// @produce json
+// @param body body deviceActionPayload true "Device Action"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /open_amt/{id}/devices/{deviceId}/action [post]
+func (handler *Handler) deviceAction(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	deviceID, err := request.RetrieveRouteVariableValue(r, "deviceId")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid device identifier route variable", err}
+	}
+
+	var payload deviceActionPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		logrus.WithError(err).Error("Invalid request payload")
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
+	}
+
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	err = handler.OpenAMTService.ExecuteDeviceAction(settings.OpenAMTConfiguration, deviceID, payload.Action)
+	if err != nil {
+		logrus.WithError(err).Error("Error executing device action")
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error executing device action", Err: err}
+	}
+
+	return response.Empty(w)
+}
+
+type deviceFeaturesPayload struct {
+	Features portainer.OpenAMTDeviceEnabledFeatures
+}
+
+func (payload *deviceFeaturesPayload) Validate(r *http.Request) error {
+	if payload.Features.UserConsent == "" {
+		return errors.New("device user consent status must be provided")
+	}
+	return nil
+}
+
+type AuthorizationResponse struct {
+	Server string
+	Token  string
+}
+
+// @id DeviceFeatures
+// @summary Enable features on an AMT managed device
+// @description Enable features on an AMT managed device
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @accept json
+// @produce json
+// @param body body deviceFeaturesPayload true "Device Features"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /open_amt/{id}/devices_features/{deviceId} [post]
+func (handler *Handler) deviceFeatures(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	deviceID, err := request.RetrieveRouteVariableValue(r, "deviceId")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid device identifier route variable", err}
+	}
+
+	var payload deviceFeaturesPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		logrus.WithError(err).Error("Invalid request payload")
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
+	}
+
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	_, err = handler.OpenAMTService.DeviceInformation(settings.OpenAMTConfiguration, deviceID)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve device information", err}
+	}
+
+	token, err := handler.OpenAMTService.EnableDeviceFeatures(settings.OpenAMTConfiguration, deviceID, payload.Features)
+	if err != nil {
+		logrus.WithError(err).Error("Error executing device action")
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error executing device action", Err: err}
+	}
+
+	authorizationResponse := AuthorizationResponse{
+		Server: settings.OpenAMTConfiguration.MPSServer,
+		Token:  token,
+	}
+	return response.JSON(w, authorizationResponse)
+}
--- a/api/http/handler/hostmanagement/openamt/amtrpc.go
+++ b/api/http/handler/hostmanagement/openamt/amtrpc.go
@ -0,0 +1,278 @@
+package openamt
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/portainer/portainer/api/hostmanagement/openamt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type HostInfo struct {
+	EndpointID     portainer.EndpointID `json:"EndpointID"`
+	RawOutput      string               `json:"RawOutput"`
+	AMT            string               `json:"AMT"`
+	UUID           string               `json:"UUID"`
+	DNSSuffix      string               `json:"DNS Suffix"`
+	BuildNumber    string               `json:"Build Number"`
+	ControlMode    string               `json:"Control Mode"`
+	ControlModeRaw int                  `json:"Control Mode (Raw)"`
+}
+
+const (
+	// TODO: this should get extracted to some configurable - don't assume Docker Hub is everyone's global namespace, or that they're allowed to pull images from the internet
+	rpcGoImageName      = "ptrrd/openamt:rpc-go-json"
+	rpcGoContainerName  = "openamt-rpc-go"
+	dockerClientTimeout = 5 * time.Minute
+)
+
+// @id OpenAMTHostInfo
+// @summary Request OpenAMT info from a node
+// @description Request OpenAMT info from a node
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /open_amt/{id}/info [get]
+func (handler *Handler) openAMTHostInfo(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid environment identifier route variable", err}
+	}
+
+	logrus.WithField("endpointID", endpointID).Info("OpenAMTHostInfo")
+
+	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	if err == bolterrors.ErrObjectNotFound {
+		return &httperror.HandlerError{StatusCode: http.StatusNotFound, Message: "Unable to find an endpoint with the specified identifier inside the database", Err: err}
+	} else if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to find an endpoint with the specified identifier inside the database", Err: err}
+	}
+
+	amtInfo, output, err := handler.getEndpointAMTInfo(endpoint)
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: output, Err: err}
+	}
+
+	return response.JSON(w, amtInfo)
+}
+
+func (handler *Handler) getEndpointAMTInfo(endpoint *portainer.Endpoint) (*HostInfo, string, error) {
+	ctx := context.TODO()
+
+	// pull the image so we can check if there's a new one
+	// TODO: these should be able to be over-ridden (don't hardcode the assumption that secure users can access Docker Hub, or that its even the orchestrator's "global namespace")
+	cmdLine := []string{"amtinfo", "--json"}
+	output, err := handler.PullAndRunContainer(ctx, endpoint, rpcGoImageName, rpcGoContainerName, cmdLine)
+	if err != nil {
+		return nil, output, err
+	}
+
+	amtInfo := HostInfo{}
+	_ = json.Unmarshal([]byte(output), &amtInfo)
+
+	amtInfo.EndpointID = endpoint.ID
+	amtInfo.RawOutput = output
+
+	return &amtInfo, "", nil
+}
+
+func (handler *Handler) PullAndRunContainer(ctx context.Context, endpoint *portainer.Endpoint, imageName, containerName string, cmdLine []string) (output string, err error) {
+	// TODO: this should not be Docker specific
+	// TODO: extract from this Handler into something global.
+
+	// TODO: start
+	//      docker run --rm -it --privileged ptrrd/openamt:rpc-go amtinfo
+	//		on the Docker standalone node (one per env :)
+	//		and later, on the specified node in the swarm, or kube.
+	nodeName := ""
+	timeout := dockerClientTimeout
+	docker, err := handler.DockerClientFactory.CreateClient(endpoint, nodeName, &timeout)
+	if err != nil {
+		return "Unable to create Docker Client connection", err
+	}
+	defer docker.Close()
+
+	if err := pullImage(ctx, docker, imageName); err != nil {
+		return "Could not pull image from registry", err
+	}
+
+	output, err = runContainer(ctx, docker, imageName, containerName, cmdLine)
+	if err != nil {
+		return "Could not run container", err
+	}
+	return output, nil
+}
+
+// TODO: ideally, pullImage and runContainer will become a simple version of the use compose abstraction that can be called from withing Portainer.
+// TODO: the idea being that if we have an internal struct of a parsed compose file, we can also populate that struct programmatically, and run it to get the result I'm getting here.
+// TODO: likely an upgrade and abstraction of DeployComposeStack/DeploySwarmStack/DeployKubernetesStack
+// pullImage will pull the image to the specified environment
+// TODO: add k8s implementation
+// TODO: work out registry auth
+func pullImage(ctx context.Context, docker *client.Client, imageName string) error {
+	out, err := docker.ImagePull(ctx, imageName, types.ImagePullOptions{})
+	if err != nil {
+		logrus.WithError(err).WithField("imageName", imageName).Error("Could not pull image from registry")
+		return err
+	}
+
+	defer out.Close()
+	outputBytes, err := ioutil.ReadAll(out)
+	if err != nil {
+		logrus.WithError(err).WithField("imageName", imageName).Error("Could not read image pull output")
+		return err
+	}
+
+	log.Printf("%s imaged pulled with output:\n%s", imageName, string(outputBytes))
+
+	return nil
+}
+
+// TODO: ideally, pullImage and runContainer will become a simple version of the use compose abstraction that can be called from withing Portainer.
+// runContainer should be used to run a short command that returns information to stdout
+// TODO: add k8s support
+func runContainer(ctx context.Context, docker *client.Client, imageName, containerName string, cmdLine []string) (output string, err error) {
+	opts := types.ContainerListOptions{All: true}
+	opts.Filters = filters.NewArgs()
+	opts.Filters.Add("name", containerName)
+	existingContainers, err := docker.ContainerList(ctx, opts)
+	if err != nil {
+		logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("listing existing container")
+		return "", err
+	}
+
+	if len(existingContainers) > 0 {
+		err = docker.ContainerRemove(ctx, existingContainers[0].ID, types.ContainerRemoveOptions{Force: true})
+		if err != nil {
+			logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("removing existing container")
+			return "", err
+		}
+	}
+
+	created, err := docker.ContainerCreate(
+		ctx,
+		&container.Config{
+			Image:        imageName,
+			Cmd:          cmdLine,
+			Env:          []string{},
+			Tty:          true,
+			OpenStdin:    true,
+			AttachStdout: true,
+			AttachStderr: true,
+		},
+		&container.HostConfig{
+			Privileged: true,
+		},
+		&network.NetworkingConfig{},
+		nil,
+		containerName,
+	)
+	if err != nil {
+		logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("creating container")
+		return "", err
+	}
+	err = docker.ContainerStart(ctx, created.ID, types.ContainerStartOptions{})
+	if err != nil {
+		logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("starting container")
+		return "", err
+	}
+
+	log.Printf("%s container created and started\n", containerName)
+
+	statusCh, errCh := docker.ContainerWait(ctx, created.ID, container.WaitConditionNotRunning)
+	var statusCode int64
+	select {
+	case err := <-errCh:
+		if err != nil {
+			logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("starting container")
+			return "", err
+		}
+	case status := <-statusCh:
+		statusCode = status.StatusCode
+	}
+	logrus.WithField("status", statusCode).Debug("container wait status")
+
+	out, err := docker.ContainerLogs(ctx, created.ID, types.ContainerLogsOptions{ShowStdout: true})
+	if err != nil {
+		logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("getting container log")
+		return "", err
+	}
+
+	err = docker.ContainerRemove(ctx, created.ID, types.ContainerRemoveOptions{})
+	if err != nil {
+		logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("removing container")
+		return "", err
+	}
+
+	outputBytes, err := ioutil.ReadAll(out)
+	if err != nil {
+		logrus.WithError(err).WithField("imagename", imageName).WithField("containername", containerName).Error("read container output")
+		return "", err
+	}
+
+	log.Printf("%s container finished with output:\n%s", containerName, string(outputBytes))
+
+	return string(outputBytes), nil
+}
+
+func (handler *Handler) activateDevice(endpoint *portainer.Endpoint, settings portainer.Settings) error {
+	ctx := context.TODO()
+
+	config := settings.OpenAMTConfiguration
+	cmdLine := []string{
+		"activate",
+		"-n",
+		"-v",
+		"-u", fmt.Sprintf("wss://%s/activate", config.MPSServer),
+		"-profile", openamt.DefaultProfileName,
+		"-d", config.DomainName,
+		"-password", config.MPSPassword,
+	}
+
+	_, err := handler.PullAndRunContainer(ctx, endpoint, rpcGoImageName, rpcGoContainerName, cmdLine)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (handler *Handler) deactivateDevice(endpoint *portainer.Endpoint, settings portainer.Settings) error {
+	ctx := context.TODO()
+
+	config := settings.OpenAMTConfiguration
+	cmdLine := []string{
+		"deactivate",
+		"-n",
+		"-v",
+		"-u", fmt.Sprintf("wss://%s/activate", config.MPSServer),
+		"-password", config.MPSPassword,
+	}
+	_, err := handler.PullAndRunContainer(ctx, endpoint, rpcGoImageName, rpcGoContainerName, cmdLine)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/api/http/handler/hostmanagement/openamt/handler.go
+++ b/api/http/handler/hostmanagement/openamt/handler.go
@ -8,27 +8,30 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/security"
 )

 // Handler is the HTTP handler used to handle OpenAMT operations.
 type Handler struct {
 	*mux.Router
-	OpenAMTService portainer.OpenAMTService
-	DataStore      dataservices.DataStore
+	OpenAMTService      portainer.OpenAMTService
+	DataStore           dataservices.DataStore
+	DockerClientFactory *docker.ClientFactory
 }

 // NewHandler returns a new Handler
-func NewHandler(bouncer *security.RequestBouncer, dataStore dataservices.DataStore) (*Handler, error) {
-	if !dataStore.Settings().IsFeatureFlagEnabled(portainer.FeatOpenAMT) {
-		return nil, nil
-	}
-
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	h := &Handler{
 		Router: mux.NewRouter(),
 	}

-	h.Handle("/open_amt", bouncer.AdminAccess(httperror.LoggerHandler(h.openAMTConfigureDefault))).Methods(http.MethodPost)
+	h.Handle("/open_amt/configure", bouncer.AdminAccess(httperror.LoggerHandler(h.openAMTConfigure))).Methods(http.MethodPost)
+	h.Handle("/open_amt/{id}/info", bouncer.AdminAccess(httperror.LoggerHandler(h.openAMTHostInfo))).Methods(http.MethodGet)
+	h.Handle("/open_amt/{id}/activate", bouncer.AdminAccess(httperror.LoggerHandler(h.openAMTActivate))).Methods(http.MethodPost)
+	h.Handle("/open_amt/{id}/devices", bouncer.AdminAccess(httperror.LoggerHandler(h.openAMTDevices))).Methods(http.MethodGet)
+	h.Handle("/open_amt/{id}/devices/{deviceId}/action", bouncer.AdminAccess(httperror.LoggerHandler(h.deviceAction))).Methods(http.MethodPost)
+	h.Handle("/open_amt/{id}/devices/{deviceId}/features", bouncer.AdminAccess(httperror.LoggerHandler(h.deviceFeatures))).Methods(http.MethodPost)

-	return h, nil
+	return h
 }
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@ -42,6 +42,10 @@ type settingsUpdatePayload struct {
 	HelmRepositoryURL *string `example:"https://charts.bitnami.com/bitnami"`
 	// Kubectl Shell Image
 	KubectlShellImage *string `example:"portainer/kubectl-shell:latest"`
+	// DisableTrustOnFirstConnect makes Portainer require explicit user trust of the edge agent before accepting the connection
+	DisableTrustOnFirstConnect *bool `example:"false"`
+	// EnforceEdgeID makes Portainer store the Edge ID instead of accepting anyone
+	EnforceEdgeID *bool `example:"false"`
 }

 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
@ -162,6 +166,14 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures
 	}

+	if payload.DisableTrustOnFirstConnect != nil {
+		settings.DisableTrustOnFirstConnect = *payload.DisableTrustOnFirstConnect
+	}
+
+	if payload.EnforceEdgeID != nil {
+		settings.EnforceEdgeID = *payload.EnforceEdgeID
+	}
+
 	if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval {
 		err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval)
 		if err != nil {
--- a/api/http/handler/stacks/handler.go
+++ b/api/http/handler/stacks/handler.go
@ -154,7 +154,7 @@ func (handler *Handler) checkUniqueStackNameInDocker(endpoint *portainer.Endpoin
 		return false, err
 	}

-	dockerClient, err := handler.DockerClientFactory.CreateClient(endpoint, "")
+	dockerClient, err := handler.DockerClientFactory.CreateClient(endpoint, "", nil)
 	if err != nil {
 		return false, err
 	}
--- a/api/http/handler/webhooks/webhook_execute.go
+++ b/api/http/handler/webhooks/webhook_execute.go
@ -68,7 +68,7 @@ func (handler *Handler) executeServiceWebhook(
 	registryID portainer.RegistryID,
 	imageTag string,
 ) *httperror.HandlerError {
-	dockerClient, err := handler.DockerClientFactory.CreateClient(endpoint, "")
+	dockerClient, err := handler.DockerClientFactory.CreateClient(endpoint, "", nil)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Error creating docker client", err}
 	}