Mac Endpoint Engineer (macOS + Intune)

Title: Mac Endpoint Engineer (macOS + Intune)

Project Duration: 6 months

Interview mode: Virtual 

Location: Onsite in Downers Grove, IL

Overview:

Onsite contract role (6+ months, possible extension) for a proactive engineer ready to shape macOS in a Microsoft-centric enterprise. Client is elevating macOS to first-class status and needs a hands-on Mac Endpoint Engineer to build and harden a modern Intune-managed macOS environment. You will deliver zero-touch enrollment, seamless Platform SSO (PSSO) first sign-in, large-scale macOS app packaging, configuration, compliance, automation, and a strong security posture with a goal of achieving 1:1 parity with Windows devices.

Key Responsibilities:

Design/operate zero-touch enrollment with ABM + ADE (PreStage through post-enrollment fixes).

Build a consistent first sign-in experience using PSSO + Intune.

Improve enrollment flows, bootstrap content, and post-enrollment automations.

Lead macOS app packaging for Intune (PKG/DMG + pre/post scripts, detection rules, dependencies, retries, uninstall logic).

Create a scalable third-party app deployment model with staged rings, rollback plans, and change control.

Collaborate with Packaging/QA on versioning, testing, and release notes.

Manage Intune baseline configs & compliance policies; suggest UX/reliability improvements.

Enforce CIS macOS benchmark controls (macOS 26+); own configuration/enforcement, partner with InfoSec.

Integrate/support: Entra ID, Defender for Endpoint (DLP), CrowdStrike, CyberArk EPM, Qualys, GlobalProtect ZTNA.

Automate via scripting (bash/zsh/Python; PowerShell for Graph) – provisioning, remediations, health checks, reporting.

Deliver actionable Intune dashboard metrics (enrollment success, sign-in time, compliance drift, packaging SLAs).

Write KB articles/how-tos; transfer knowledge to Support; provide occasional Tier 3 guidance (no on-call).

Partner with Identity, Security, Networking, and Support to prepare for go-live and scale across US users.

Contribute to standards, guardrails, and SOPs for long-term stability.

Environment

MDM: Microsoft Intune only (no Jamf/Kandji).

Minimum: macOS 26 (Tahoe).

Stack: Entra ID, Defender for Endpoint, CrowdStrike, CyberArk EPM, Qualys, GlobalProtect.

Standards: CIS macOS benchmark (InfoSec sets policy; you implement/operate).

Tools: ABM + ADE in place; Intune for compliance & reporting.

Required Qualifications

3–5+ years enterprise macOS MDM (Intune preferred).

Strong Intune macOS packaging expertise (PKG/DMG, scripts, detection, rings, rollback).

Hands-on ADE zero-touch + PSSO implementation.

Scripting: bash/zsh/Python (PowerShell/Graph as needed).

Experience enforcing CIS controls via Intune profiles/policies.

Familiarity with Defender, CrowdStrike, CyberArk EPM, Qualys, and GlobalProtect.

Excellent documentation & knowledge-transfer skills.

Preferred

Self-healing remediations / drift correction.

iOS/iPadOS in Intune (bonus).

Entra ID Conditional Access for macOS.

Current Apple management trends (PSSO, macOS security/privacy).

Success Looks Like

Reliable zero-touch from unbox to desktop.

Fast, frictionless PSSO sign-in.

Scalable packaging/patching with SLAs, rings, and rollback.

Trusted CIS-aligned posture with clear Intune dashboard