Senior macOS Intune Engineer (MDM/MAM)

Title: Senior macOS Intune Engineer (MDM/MAM)
Location: 3x a week Hybrid
Location: Denver, CO

Position Overview
We are seeking a Senior macOS Intune Engineer to lead the design, implementation, and management of macOS devices using Microsoft Intune (Microsoft Endpoint Manager).
This role is focused on Apple device management within the Microsoft ecosystem, leveraging:
• Apple Business Manager (ABM)
• Automated Device Enrollment (ADE)
• Microsoft Entra ID (Azure AD)
The engineer will implement advanced security, identity, and device management solutions, including:
• Passwordless authentication (Secure Enclave, passkeys)
• FileVault disk encryption
• Single Sign-On (SSO) integration
The goal is to ensure macOS devices (corporate and BYOD) are secure, compliant, and fully integrated into the enterprise identity and security framework.

Key Responsibilities
1. macOS Endpoint Management (Intune)
• Architect, deploy, and manage macOS devices using Intune MDM
• Configure configuration profiles, compliance policies, and restrictions
• Ensure devices meet enterprise security, performance, and compliance standards
________________________________________
2. Apple Business Manager (ABM) & ADE
• Integrate Intune with Apple Business Manager
• Manage Automated Device Enrollment (ADE) for zero-touch provisioning
• Configure and troubleshoot enrollment profiles and tokens
________________________________________
3. Mobile Application Management (MAM)
• Manage macOS applications via Intune (App Store + enterprise apps)
• Use Apple Volume Purchase Program (VPP)
• Implement app protection policies for corporate and BYOD devices
________________________________________
4. Passwordless Authentication & SSO
• Implement Microsoft Entra ID Platform SSO
• Deploy Microsoft Enterprise SSO plug-in for macOS
• Enable Secure Enclave-based authentication (Touch ID, passkeys)
• Link macOS accounts with Entra ID for seamless authentication
________________________________________
5. Device Security & Encryption
• Deploy and manage FileVault encryption via Intune (key escrow & recovery)
• Enforce endpoint protection and compliance policies
• Integrate Microsoft Defender for Endpoint (macOS)
• Apply device security controls (password policies, screen lock, etc.)
________________________________________
6. BYOD Management
• Define and implement BYOD strategies for macOS
• Use Intune MAM policies to protect corporate data
• Apply Conditional Access policies based on compliance
________________________________________
7. Identity & Access Integration
• Integrate macOS devices with Microsoft Entra ID
• Implement Conditional Access, MFA, and identity protection
• Support SSO across enterprise applications
________________________________________
8. Security Best Practices
• Apply Zero Trust principles and least privilege access
• Monitor and mitigate identity-based threats (e.g., password spray attacks)
• Implement identity protection and smart lockout strategies
________________________________________
9. Troubleshooting & Support
• Troubleshoot: 
o Intune enrollment issues
o SSO and authentication failures
o FileVault / SecureToken issues
• Perform root cause analysis and implement fixes
• Resolve policy conflicts and configuration issues
________________________________________
10. Documentation & Leadership
• Create runbooks, policies, and technical documentation
• Train and mentor IT support teams
• Continuously improve macOS management processes
________________________________________
Required Qualifications
Experience
• 5+ years managing macOS in enterprise environments
• 3+ years hands-on experience with Microsoft Intune (macOS focus)
________________________________________
Technical Skills
Intune & MDM
• Strong expertise in Intune MDM/MAM for macOS
• Experience with configuration profiles, compliance policies, and app protection
Apple Ecosystem
• Hands-on experience with Apple Business Manager (ABM) and ADE
• Understanding of Apple MDM protocols and macOS device management
Security & Encryption
• Experience with FileVault deployment and key management
• Knowledge of Secure Enclave, SecureToken, and macOS security features
Identity & Access Management
• Strong knowledge of Microsoft Entra ID (Azure AD)
• Experience with: 
o SSO (SAML, OAuth, OIDC, Kerberos)
o Conditional Access
o Identity Protection
Automation & Scripting
• Proficiency in Bash, PowerShell, or Python
• Experience using Microsoft Graph API for automation
________________________________________
Preferred Qualifications
• Microsoft certifications (Modern Desktop, Enterprise Admin, Identity Admin)
• Apple certifications (ACSP or equivalent)
• Microsoft Defender for Endpoint (macOS)
• Experience with Zero Trust, NIST, or CIS frameworks
• Exposure to Microsoft Sentinel or identity monitoring tools