Job ID: JOB_ID_8819
Position Overview
We are seeking a highly skilled Senior Engineer to lead the management of macOS devices using Microsoft Intune (Microsoft Endpoint Manager) for both Mobile Device Management (MDM) and Mobile Application Management (MAM). This role focuses on Apple device management within the Microsoft technology stack, leveraging Apple Business Manager (ABM) and Automated Device Enrollment (ADE) for zero-touch Mac deployment.
The Senior Engineer will design and implement advanced macOS configuration and security policies including passwordless authentication (using Secure Enclave and passkeys), FileVault disk encryption, and Single Sign-On (SSO) integration to ensure that corporate and BYOD (Bring Your Own Device) Mac computers are secure, compliant, and seamlessly integrated with our Microsoft identity and security infrastructure.
The ideal candidate has deep expertise in Intune and Microsoft Entra ID (formerly Azure AD) and a proven track record of protecting devices and identities against threats like password spray attacks and unauthorized access.
Key Responsibilities
1) macOS Endpoint Management
- Architect, deploy, and manage the lifecycle of macOS devices using Microsoft Intune MDM
- Configure and maintain Intune policies, configuration profiles, and compliance rules to ensure Mac devices meet corporate standards for security, performance, and user experience
2) Apple Business Manager & ADE Integration
- Implement and oversee integration between Microsoft Intune and Apple Business Manager (ABM) for streamlined device onboarding
- Manage Automated Device Enrollment (ADE) (formerly DEP) to achieve zero-touch provisioning of corporate-owned Mac devices, enabling automatic enrollment and configuration out of the box
3) Mobile Application Management (MAM)
- Oversee application management for macOS through Intune’s MAM capabilities
- Deploy and update Mac applications (App Store and enterprise apps) using Intune, including provisioning through Apple’s Volume Purchase Program (VPP), and enforce app protection policies to secure corporate data within apps on both managed and BYOD macOS devices
4) Passwordless Authentication & SSO
- Configure and support passwordless login and Single Sign-On (SSO) for macOS to improve security and user convenience
- Enable Microsoft Entra ID (Azure AD) Platform SSO on macOS, leveraging the Microsoft Enterprise SSO plug-in for macOS
- Implement the Secure Enclave authentication method for Platform SSO, which uses hardware-backed keys for user authentication similar to Windows Hello for Business, allowing users to sign in to their Mac with Touch ID and obtain a Primary Refresh Token (PRT) for access to Azure AD-secured resources
- Ensure that local Mac user accounts are properly linked or synchronized with Azure AD credentials (via Platform SSO or other methods) to provide seamless access to apps and reduce password prompts
5) Device Security & Encryption
- Enforce robust security controls on all Mac endpoints
- Configure and manage FileVault full-disk encryption via Intune to protect data at rest, including setting up FileVault key escrow and recovery in Intune for lost or forgotten passwords
- Leverage Apple’s Secure Enclave and T2 / Apple Silicon security features for protecting cryptographic keys and enabling passkey credentials for authentication
- Implement Intune Endpoint Protection and compliance policies to enforce security settings (password/PIN requirements, screen lock, etc.) and integrate Microsoft Defender for Endpoint for macOS to protect against malware and other threats
6) BYOD Management
- Develop and apply strategies for managing personal (BYOD) macOS devices alongside corporate-owned devices
- Use Intune’s app protection (MAM) policies for BYOD to secure corporate data without intruding on personal data, and apply appropriate compliance rules for conditional access
- Ensure that personal Mac devices accessing company resources are either enrolled in Intune MDM with user consent or governed via MAM and conditional access (e.g., requiring device compliance or app protection for access) to maintain security on non-corporate Macs
7) SSO & Identity Integration
- Oversee Single Sign-On application management for Mac devices
- Deploy and manage SSO browser and app extensions (such as the Microsoft Enterprise SSO plug-in and Apple’s Extensible SSO) via Intune to streamline user authentication to company applications
- Work closely with the Identity & Access Management team to integrate macOS authentication with Microsoft Entra ID, ensuring Mac devices can leverage corporate SSO, MFA, and conditional access policies for accessing cloud services and on-premises resources securely
8) Identity & Security Best Practices
- Implement and uphold strong identity management and security practices in the Apple device environment
- Monitor and mitigate identity-related security risks on Mac endpoints, for example by understanding how macOS authentication and saved credentials might contribute to account lockouts during password spray attacks or other brute-force attempts, and taking proactive measures to prevent such scenarios (e.g., enforcing Smart Lockout policies and MFA requirements)
- Ensure compliance with company security policies and industry best practices for device and identity protection (adhering to Zero Trust principles, least privilege, etc.)
9) Troubleshooting & Support
- Lead advanced troubleshooting and support for macOS device issues
- Investigate and resolve complex problems related to Intune enrollment, SSO login issues, SecureToken/FileVault errors (e.g., ensuring cloud accounts receive SecureToken to enable FileVault access), and any identity or access problems that could cause user lockouts
- Quickly identify misconfigurations or conflicts in Intune policies, compliance settings, or Apple profiles that may impact the macOS user experience
- Provide root-cause analysis for device or authentication failures (e.g., users unable to sign in after enrollment, devices stuck in a locked state) and implement durable fixes
10) Policy Development & Documentation
- Design clear policies and processes for Mac device management
- Develop and maintain Intune configuration guides, runbooks, and documentation for macOS enrollment, SSO setup, passwordless authentication procedures, and incident response (e.g., steps to recover from encryption issues or account lockouts)
- Train and mentor IT support staff in Mac device support, Intune policy management, and security best practices
- Continuously evaluate new Microsoft Endpoint Manager features and Apple platform updates to enhance macOS management and user experience
Required Qualifications & Experience
Education & Experience
- Bachelor's degree in Computer Science, Information Technology, or a related field
- 5+ years of hands-on experience managing and securing macOS devices in an enterprise environment, including at least 3 years focused on Microsoft Intune (Endpoint Manager) administration for device and application management
Intune & MDM Expertise
- Extensive experience with Microsoft Intune MDM/MAM is required, specifically in deploying and managing macOS devices at scale
- Proficiency in creating and tuning Intune configuration profiles, compliance policies, and app protection policies for macOS
- Solid understanding of MDM protocols for Apple platforms and experience with Apple’s MDM capabilities (configuration profiles, restrictions, etc.)
Apple Business Manager & ADE
- Proven experience integrating and using Apple Business Manager (ABM) and Automated Device Enrollment (ADE) for corporate Mac deployment
- Ability to configure and troubleshoot ADE enrollment profiles, Device Enrollment Program tokens, and volume app distribution through ABM
macOS Security & Identity
- Strong knowledge of macOS security features and endpoint hardening
- Experience implementing FileVault disk encryption via Intune (policy creation, key escrow management, recovery processes)
- Familiarity with Apple’s Secure Enclave and SecureToken concepts for managing cryptographic keys, biometric authentication (Touch ID), and enabling non-password-based login flows
- Understanding of passkeys and FIDO2 authentication methods, as well as passwordless authentication concepts within the Microsoft ecosystem (e.g., Windows Hello for Business, FIDO2 security keys, or Authenticator app sign-in) and how these can be applied to macOS environments
Identity & Access Management
- Deep understanding of Microsoft Entra ID (Azure AD) and its integration with device management
- Knowledge of SSO technologies and protocols (SAML, OAuth, OIDC, Kerberos) and experience configuring SSO App Extensions or Platform SSO on macOS
- Competence in designing Conditional Access policies that tie device compliance to identity access (ensuring only trusted, compliant Macs access corporate resources)
- Familiarity with identity protection mechanisms (Azure AD Identity Protection, smart lockout policies, risk-based sign-in) to mitigate credential threats such as password spray attacks
Troubleshooting & Scripting
- Excellent diagnostic and problem-solving skills for resolving complex device, network, or security issues on macOS
- Ability to troubleshoot Intune enrollment issues, profile deployment errors, SSO login problems, and encryption/SecureToken issues in a timely manner
- Proficiency in scripting (Bash/zsh, PowerShell, or Python) to automate macOS management tasks, Intune configurations (using Microsoft Graph API), and custom compliance or remediation scripts
Communication & Collaboration
- Strong communication skills with the ability to document solutions and train IT support teams
- Experience working collaboratively with security, identity, and networking teams to implement cross-functional solutions
- Ability to translate complex technical processes into user-friendly instructions and to lead platform-related projects or rollouts
- Proven ability to handle incidents and changes in a high-paced, enterprise environment, and to mentor junior staff
Preferred Qualifications
Certifications
- Relevant Microsoft certifications such as Microsoft 365 Certified: Modern Desktop Administrator Associate or Enterprise Administrator Expert, or Microsoft Certified: Identity and Access Administrator
- Apple IT certifications (e.g., Apple Certified Support Professional – ACSP) or related credentials demonstrating deep macOS expertise are a plus
Security & Identity Frameworks
- Familiarity with Zero Trust security principles and experience implementing device compliance in a Zero Trust model
- Knowledge of enterprise cybersecurity frameworks (NIST, CIS Benchmarks for macOS, etc.) and how they relate to endpoint and identity management
Additional Experience
- Experience with Microsoft Defender for Endpoint on macOS or similar endpoint security tools in the Microsoft security ecosystem
- Exposure to Azure AD tenant security configuration (Conditional Access, MFA, Privileged Identity Management) and monitoring identity threats (using tools like Microsoft Sentinel or Azure AD logs)
- Prior experience managing mobile Apple devices (iPhone/iPad via Intune) or cross-platform endpoint management (Windows or mobile MDM)
Most urgent role, need candidate on this asap
Special Requirements
Visa: USC&GC; Interview Mode: Not specified; Screening: Not specified
Compensation & Location
Salary: $120,000 – $160,000 per year
Location: Remote
Recruiter / Company – Contact Information
Email: requirementdatabase@gmail.com
Recruiter Notice:
To remove this job posting, please send an email from
requirementdatabase@gmail.com with the subject:
DELETE_JOB_ID_8819