Senior macOS Intune MDM/MAM Engineer

Hybrid in Denver, CO, US • Posted 11 hours ago • Updated 11 hours ago
Contract Independent
Contract W2
No Travel Required
Hybrid
$70 - $75/hr

Job Details

Skills

  • API
  • Activity-based Management
  • BYOD
  • Cloud Computing
  • Conflict Resolution
  • Cyber Security
  • Disk Encryption
  • Encryption
  • Endpoint Protection
  • Enterprise Software
  • Identity Management
  • Incident Management
  • Intrusion Detection
  • Kerberos
  • Malware Analysis
  • Master Data Management
  • Microsoft Azure
  • Microsoft Office
  • Microsoft Technologies
  • Microsoft Windows
  • Mobile Applications
  • Mobile Device Management
  • Multi-factor Authentication
  • Network
  • OIDC
  • OS X
  • PRT
  • Policy Administration
  • Policy Writing
  • Provisioning
  • Python
  • SAML
  • SSO
  • Scripting
  • Security Controls
  • Software Management
  • Technical Support
  • Web Portals
  • iPhone
  • iPad
  • Regulatory Compliance
  • OAuth
  • Microsoft
  • Mentorship
  • Management
  • Root Cause Analysis
  • Windows PowerShell
  • macOS
  • FileVault
  • Intune
  • Entra ID
  • SSO integration
  • Mobile Application Management
  • Apple Business Manager
  • Automated Device Enrollment
  • macOS configuration
  • passwordless authentication

Summary

Title: Senior macOS Intune MDM/MAM Engineer
Location: Denver, CO (Hybrid)

Position Overview
We are seeking a highly skilled Senior Engineer to lead the management of macOS devices using Microsoft Intune (Microsoft Endpoint Manager) for both Mobile Device Management (MDM) and Mobile Application Management (MAM).
This role focuses on Apple device management within the Microsoft technology stack, leveraging Apple Business Manager (ABM) and Automated Device Enrollment (ADE) for zero-touch Mac deployment.
The Senior Engineer will design and implement advanced macOS configuration and security policies – including passwordless authentication (using Secure Enclave and passkeys), FileVault disk encryption, and Single Sign-On (SSO) integration – to ensure that corporate and BYOD (Bring Your Own Device) Mac computers are secure, compliant, and seamlessly integrated with our Microsoft identity and security infrastructure.
The ideal candidate has deep expertise in Intune and Microsoft Entra ID (formerly Azure AD) and a proven track record of protecting devices and identities against threats like password spray attacks and unauthorized access.

Key Responsibilities
1) macOS Endpoint Management
● Architect, deploy, and manage the lifecycle of macOS devices using Microsoft Intune MDM
● Configure and maintain Intune policies, configuration profiles, and compliance rules to ensure Mac devices meet corporate standards for security, performance, and user experience

2) Apple Business Manager & ADE Integration
● Implement and oversee integration between Microsoft Intune and Apple Business Manager (ABM) for streamlined device onboarding
● Manage Automated Device Enrollment (ADE) (formerly DEP) to achieve zero-touch provisioning of corporate-owned Mac devices, enabling automatic enrollment and configuration out-of-the-box

3) Mobile Application Management (MAM)
● Oversee application management for macOS through Intune’s MAM capabilities
● Deploy and update Mac applications (App Store and enterprise apps) using Intune – including provisioning through Apple’s Volume Purchase Program (VPP) – and enforce app protection policies to secure corporate data within apps on both managed and BYOD macOS devices

4) Passwordless Authentication & SSO
● Configure and support passwordless login and Single Sign-On (SSO) for macOS to improve security and user convenience
● Enable Microsoft Entra ID (Azure AD) Platform SSO on macOS, leveraging the Microsoft Enterprise SSO plug-in for macOS
● Implement the Secure Enclave authentication method for Platform SSO, which uses hardware-backed keys for user authentication – similar to Windows Hello for Business – allowing users to sign into their Mac with Touch ID and obtain a Primary Refresh Token (PRT) for access to Azure AD-secured resources
● Ensure that local Mac user accounts are properly linked or synchronized with Azure AD credentials (via Platform SSO or other methods), to provide seamless access to apps and reduce password prompts

5) Device Security & Encryption
● Enforce robust security controls on all Mac endpoints
● Configure and manage FileVault full-disk encryption via Intune to protect data at rest, including setting up FileVault key escrow and recovery in Intune for lost or forgotten passwords
● Leverage Apple’s Secure Enclave and T2 / Apple Silicon security features for protecting cryptographic keys and enabling passkey credentials for authentication
● Implement Intune Endpoint Protection and compliance policies to enforce security settings (password/PIN requirements, screen lock, etc.) and integrate Microsoft Defender for Endpoint for macOS to protect against malware and other threats

6) BYOD Management
● Develop and apply strategies for managing personal (BYOD) macOS devices alongside corporate-owned devices
● Use Intune’s app protection (MAM) policies for BYOD to secure corporate data without intruding on personal data, and apply appropriate compliance rules for conditional access
● Ensure that personal Mac devices accessing company resources are either enrolled in Intune MDM with user consent or governed via MAM and conditional access (e.g., requiring device compliance or app protection for access) to maintain security on non-corporate Macs

7) SSO & Identity Integration
● Oversee Single Sign-On application management for Mac devices
● Deploy and manage SSO browser and app extensions (such as Microsoft Enterprise SSO plug-in and Apple’s Extensible SSO) via Intune to streamline user authentication to company applications
● Work closely with the Identity & Access Management team to integrate macOS authentication with Microsoft Entra ID, ensuring Mac devices can leverage corporate SSO, MFA, and conditional access policies for accessing cloud services and on-premises resources securely

8) Identity & Security Best Practices
● Implement and uphold strong identity management and security practices in the Apple device environment
● Monitor and mitigate identity-related security risks on Mac endpoints – for example, understanding how macOS authentication and saved credentials might contribute to account lockouts during password spray attacks or other brute-force attempts, and taking proactive measures to prevent such scenarios (e.g. enforcing Smart Lockout policies and MFA requirements)
● Ensure compliance with company security policies and industry best practices for device and identity protection (adhering to Zero Trust principles, least privilege, etc.)

9) Troubleshooting & Support
● Lead advanced troubleshooting and support for macOS device issues
● Investigate and resolve complex problems related to Intune enrollment, SSO login issues, SecureToken/FileVault errors (e.g., ensuring cloud accounts receive SecureToken to enable FileVault access), and any identity or access problems that could cause user lockouts
● Quickly identify misconfigurations or conflicts in Intune policies, compliance settings, or Apple profiles that may impact the macOS user experience
● Provide root-cause analysis for device or authentication failures (e.g. users unable to sign in after enrollment, devices stuck in lock state) and implement durable fixes

10) Policy Development & Documentation
● Design clear policies and processes for Mac device management
● Develop and maintain Intune configuration guides, runbooks, and documentation for macOS enrollment, SSO setup, passwordless authentication procedures, and incident response (e.g., steps to recover from encryption issues or account lockouts)
● Train and mentor IT support staff in Mac device support, Intune policy management, and security best practices
● Continuously evaluate new Microsoft Endpoint Manager features and Apple platform updates to enhance macOS management and user experience

Required Qualifications & Experience
Education & Experience
● Bachelor’s degree in Computer Science, Information Technology, or related field
● 5+ years of hands-on experience managing and securing macOS devices in an enterprise environment, including at least 3+ years focused on Microsoft Intune (Endpoint Manager) administration for device and application management

Intune & MDM Expertise
● Extensive experience with Microsoft Intune MDM/MAM is required, specifically in deploying and managing macOS devices at scale
● Proficiency in creating and tuning Intune configuration profiles, compliance policies, and app protection policies for macOS
● Solid understanding of MDM protocols for Apple platforms and experience with Apple’s MDM capabilities (configuration profiles, restrictions, etc.)

Apple Business Manager & ADE
● Proven experience integrating and using Apple Business Manager (ABM) and Automated Device Enrollment (ADE) for corporate Mac deployment
● Ability to configure and troubleshoot ADE enrollment profiles, Device Enrollment Program tokens, and volume app distribution through ABM

macOS Security & Identity
● Strong knowledge of macOS security features and endpoint hardening
● Experience implementing FileVault disk encryption via Intune (policy creation, key escrow management, recovery processes)
● Familiarity with Apple’s Secure Enclave and SecureToken concepts for managing cryptographic keys, biometric authentication (Touch ID), and enabling non-password-based login flows
● Understanding of passkeys and FIDO2 authentication methods, as well as passwordless authentication concepts within the Microsoft ecosystem (e.g., Windows Hello for Business, FIDO2 security keys, or Authenticator app sign-in) and how these can be applied to macOS environments

Identity & Access Management
● Deep understanding of Microsoft Entra ID (Azure AD) and its integration with device management
● Knowledge of SSO technologies and protocols (SAML, OAuth, OIDC, Kerberos) and experience configuring SSO App Extensions or Platform SSO on macOS
● Competence in designing Conditional Access policies that tie device compliance to identity access (ensuring only trusted, compliant Macs access corporate resources)
● Familiarity with identity protection mechanisms (Azure AD Identity Protection, smart lockout policies, risk-based sign-in) to mitigate credential threats such as password spray attacks

Troubleshooting & Scripting
● Excellent diagnostic and problem-solving skills for resolving complex device, network, or security issues on macOS
● Ability to troubleshoot Intune enrollment issues, profile deployment errors, SSO login problems, and encryption/SecureToken issues in a timely manner
● Proficiency in scripting (Bash/zsh, PowerShell, or Python) to automate macOS management tasks, Intune configurations (using Microsoft Graph API), and custom compliance or remediation scripts

Communication & Collaboration
● Strong communication skills with the ability to document solutions and train IT support teams
● Experience working collaboratively with security, identity, and networking teams to implement cross-functional solutions
● Ability to translate complex technical processes into user-friendly instructions and to lead platform-related projects or rollouts
● Proven ability to handle incidents and changes in a high-paced, enterprise environment, and to mentor junior staff

Preferred Qualifications
Certifications
● Relevant Microsoft certifications such as Microsoft 365 Certified: Modern Desktop Administrator Associate or Enterprise Administrator Expert, or Microsoft Certified: Identity and Access Administrator
● Apple IT certifications (e.g., Apple Certified Support Professional – ACSP) or related credentials demonstrating deep macOS expertise are a plus

Security & Identity Frameworks
● Familiarity with Zero Trust security principles and experience implementing device compliance in a Zero Trust model
● Knowledge of enterprise cybersecurity frameworks (NIST, CIS Benchmarks for macOS, etc.) and how they relate to endpoint and identity management

Additional Experience
● Experience with Microsoft Defender for Endpoint on macOS or similar endpoint security tools in the Microsoft security ecosystem
● Exposure to Azure AD tenant security configuration (Conditional Access, MFA, Privileged Identity Management) and monitoring identity threats (using tools like Microsoft Sentinel or Azure AD logs)
● Prior experience managing mobile Apple devices (iPhone/iPad via Intune) or cross-platform endpoint management (Windows or mobile MDM) is helpful

Key Responsibilities and Required Skills – Summary Table
Intune MDM administration for macOS devices
● Oversee end-to-end deployment, configuration, and policy management for Macs using Microsoft Intune; ensure devices are properly enrolled and compliant
● Deep expertise in Microsoft Intune (Endpoint Manager) for macOS MDM, knowledge of Apple MDM protocols and Intune configuration profiles & compliance policies for macOS

Apple Business Manager (ABM) & ADE integration
● Manage integration with Apple Business Manager for device enrollment and inventory; implement Automated Device Enrollment for zero-touch provisioning of corporate-owned Macs
● Experience with Apple Business Manager (ABM) portal and Device Enrollment Program/ADE tokens; ability to configure Intune enrollment profiles and troubleshoot ADE enrollment issues on macOS

Mac Security Configuration (FileVault, Secure Enclave)
● Enforce full-disk encryption and advanced security features on macOS devices and manage encryption keys and recovery
● In-depth knowledge of FileVault encryption deployment via Intune (policy creation, key escrow & recovery); familiarity with Apple Secure Enclave and SecureToken for authentication and encryption key management

Passwordless Authentication & SSO
● Implement and support passwordless login on Mac and configure Single Sign-On for macOS to use Microsoft Entra ID credentials
● Strong understanding of Microsoft Entra ID SSO integration on macOS (Platform SSO, SSO extensions) and knowledge of passwordless authentication technologies (FIDO2 security keys, passkeys, Windows Hello analogs)

BYOD Mac Management & App Protection
● Develop policies for managing personal macOS devices with minimal intrusion and apply app protection (MAM) policies and conditional access
● Knowledge of Intune MAM and app protection policies for macOS apps and understanding of BYOD vs. corporate enrollment strategies

Identity Management & Security Monitoring
● Coordinate with security teams to align Mac management with identity and access controls and monitor for identity-related threats
● Expertise in Azure AD and Conditional Access policy configuration; familiarity with identity security concepts and integration of device signals into monitoring solutions

Note
This role focuses exclusively on Microsoft’s device management and security ecosystem for Apple devices. Candidates should demonstrate deep knowledge of Microsoft tools and services (Intune, Azure AD/Entra ID, Defender, etc.) as they apply to macOS management, rather than third-party MDM platforms.
The Senior macOS Intune Engineer will play a critical part in strengthening the organization’s endpoint security posture and improving the Mac end-user experience, ensuring that Apple hardware is managed with the same rigor and integration as Windows devices within a Microsoft-centric environment.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 10240767
  • Position Id: 8933965
  • Posted 11 hours ago