Mac Endpoint Engineer (macOS + Intune)
Visa: USC, GC, GCEAD, H4EAD
Local to Downers Grove, IL
Role Overview
Grant Thornton is seeking a hands-on Mac Endpoint Engineer to support and scale a modern, Intune-managed macOS environment in a Microsoft-centric enterprise. This is an onsite, high-impact contract role where macOS is being elevated to first-class parity with Windows.
The ideal candidate is proactive, technically strong, and experienced in building zero-touch enrollment, Platform SSO (PSSO), scalable macOS app packaging, automation, compliance, and security, without Jamf or Kandji (Intune only).
Key Responsibilities
macOS Enrollment & Identity
- Design, implement, and operate zero-touch enrollment using Apple Business Manager (ABM) + Automated Device Enrollment (ADE)
- Deliver a seamless first sign-in experience using Platform SSO (PSSO) + Intune
- Improve enrollment flows, bootstrap content, and post-enrollment automation
App Packaging & Deployment
- Lead macOS app packaging for Intune (PKG/DMG) including:
  - Pre/post install scripts
  - Detection rules
  - Dependencies
  - Retry and uninstall logic
- Build a scalable third-party app deployment model with staged rings, rollback plans, and change control
- Partner with Packaging and QA teams on testing, versioning, and release notes
Configuration, Compliance & Security
- Manage Intune baseline configurations and compliance policies
- Implement and enforce CIS macOS benchmarks (macOS 26+) in partnership with InfoSec
- Integrate and support endpoint security tools including:
  - Microsoft Defender for Endpoint (DLP)
  - CrowdStrike
  - CyberArk EPM
  - Qualys
  - GlobalProtect (ZTNA)
Automation, Monitoring & Reporting
- Automate provisioning, remediations, health checks, and reporting using:
  - bash / zsh / Python
  - PowerShell (Microsoft Graph)
- Deliver actionable Intune dashboards and metrics:
  - Enrollment success rates
  - PSSO sign-in times
  - Compliance drift
  - Packaging and patching SLAs
Documentation & Collaboration
- Create KB articles, how-to guides, and SOPs
- Transfer knowledge to Support teams; provide occasional Tier 3 guidance (no on-call)
- Partner with Identity, Security, Networking, and Support teams to support go-live and scale across U.S. users
Environment
- MDM: Microsoft Intune only (no Jamf / Kandji)
- OS: macOS 26 (Tahoe) minimum
- Identity: Entra ID
- Security Stack: Defender, CrowdStrike, CyberArk EPM, Qualys, GlobalProtect
- Standards: CIS macOS Benchmarks
- Tools: ABM + ADE fully in place
Required Qualifications
- 6+ years of enterprise macOS MDM experience (Intune preferred)
- Strong expertise in Intune macOS app packaging (PKG/DMG, scripts, detection, rollout strategy)
- Hands-on experience with ADE zero-touch enrollment and Platform SSO (PSSO)
- Scripting skills: bash, zsh, Python (PowerShell/Graph a plus)
- Experience implementing CIS macOS security controls
- Familiarity with endpoint security tools (Defender, CrowdStrike, CyberArk EPM, Qualys, GlobalProtect)
- Excellent documentation and knowledge-transfer skills
Preferred Qualifications
- Self-healing automations and drift remediation
- iOS / iPadOS management with Intune (bonus)
- Entra ID Conditional Access for macOS
- Knowledge of current Apple management trends (PSSO, privacy, macOS security)