Hi Jonas,
1. In order to have access to KVM from a remote console, we use the VNC protocol. If you would like to remotely control an Intel vPro provisioned machine, you can use VNC Viewer Plus, which is able to manage the nuances of Intel AMT.
2. In theory, any VNC client can work with AMT; the biggest problem is that the way to initiate and establish a connection with AMT is different from other VNC servers.
3. If your security threat is "unauthorized access", TLS will not significantly increase security in this scenario. In order to protect against unauthorized access, you may adopt Kerberos (with AD integration), which is much stronger than Digest Authentication, and you can also adopt Mutual Authentication using TLS.
4. Intel SCS is the one-stop shop for vPro provisioning. This package includes tools that allow you to provision anywhere from a single machine to thousands of machines, e.g. ACU Wizard, which lets you go through a wizard to configure a single machine, up to a Remote Configuration Server that is installed as a service, with a DB connection, which can make your life easier for thousands of machines. BTW: you may also be interested in MeshCentral.
Best Regards!