MacOS Endpoint Engineer

Skills: All the skills in the JD are a must | Location: Downers Grove, IL, United States of America

Job Description
Location: ONSITE 5 days/week - 3333 Finley Rd, Ste 700, Downers Grove, IL



Duration: Contract – 6 months with potential to extend




This position may be offered to a candidate authorized to work in the US for his/her/their stated employer, without any restrictions which would prevent the candidate from working on the proposed assignment for the duration of the assignment period.



Overview:

· Grant Thornton is expanding macOS as a first-class platform and looking for a Mac Endpoint Engineer to build and harden a modern, Intune managed Mac environment.

· You’ll deliver zero touch enrollment and a consistent, repeatable first sign in experience with Platform SSO (PSSO), and lead macOS application packaging for Intune at scale.

· This is a hands-on engineering role focused on stability, repeatability, and future ready automation.



Responsibilities:

Zero touch onboarding & first sign in

· Design, standardize, and operate zero touch enrollment with Apple Business Manager (ABM) + Automated Device Enrollment (ADE)—from PreStage to post enrollment remediations.

· Establish a predictable first sign in flow leveraging PSSO and Intune so every new Mac enrolls, configures, and signs in the same way every time.

· Continuously identify improvements to enrollment flows, bootstrap content, and post enrollment automations.



macOS application packaging for Intune

· Lead macOS packaging for Intune (PKG/DMG with pre/post install scripts), including detection rules, dependencies, retries, and uninstallers.

· Build a sustainable approach for third party apps at scale (staged rings, rollback plans, and change control).

· Partner with App Packaging and QA to standardize versioning, testing, and release notes.



Configuration, compliance & security posture

· Operate within established baseline configuration and compliance policies in Intune; propose optimizations where they improve reliability or user experience.

· Implement and maintain controls aligned to the CIS benchmark for macOS; partner with InfoSec (policy owners) while owning configuration and enforcement.

· Integrate and support endpoint/security agents and posture: Entra ID, Defender for Endpoint (DLP), CrowdStrike, CyberArk EPM, Qualys, and GlobalProtect ZTNA.



Automation, observability & documentation

· Use scripting (choose the right tool for macOS—e.g., bash/zsh/Python/PowerShell for Graph) to automate provisioning, remediations, health checks, and reporting.

· Leverage Intune compliance dashboards to publish actionable metrics (enrollment success, first sign in duration, compliance drift, packaging SLA).

· Produce clear KB/how to articles and contribute to knowledge transfer with Support Services; provide periodic Tier 3 guidance (no on call).



Collaboration & scale up

· Work with Identity, Security, Networking, and Support to ready the platform for go live and scale beyond the initial fleet.

· Provide feedback on standards, guardrails, and SOPs to ensure stability as adoption grows across the US user base.



Environment you’ll step into:

• Long term goal is to offer Mac at 1:1 parity with Windows devices.

• MDM: Microsoft Intune only (no Jamf/Kandji in scope); minimum supported macOS version: 26.

• Identity & Security: Entra ID, Defender for Endpoint (DLP), CrowdStrike, CyberArk EPM, Qualys, GlobalProtect ZTNA.

• Standards: CIS macOS benchmark—InfoSec dictates policies; you own configuration and operational enforcement.

• Tooling: ABM + ADE in place; Intune for compliance dashboards and reporting.



Qualifications:

• 3–5 years of enterprise macOS MDM management (e.g., Intune, Jamf, or other Apple focused MDMs).

• Demonstrated expertise in macOS app packaging for Intune (PKG/DMG, scripts, detection/uninstall logic, rings, rollback).

• Strong zero touch/ADE experience and hands on PSSO implementation for first sign in.

• Practical scripting for macOS engineering (bash/zsh/Python/PowerShell for Graph as applicable).

• Proven experience enforcing controls aligned to CIS macOS with Intune configuration/compliance policies.

• Familiarity with enterprise security agents and posture tooling: Defender for Endpoint, CrowdStrike, CyberArk EPM, Qualys, GlobalProtect.

• Excellent documentation skills; ability to produce KB/how tos and perform knowledge transfer to Support.



Preferred Qualifications:

• Experience building repeatable, self-healing remediations (post enrollment, drift correction, telemetry driven fixes).

• iOS/iPadOS management exposure (Intune/ABM/VPP)—bonus only; role remains macOS focused.

• Familiarity with Conditional Access integrations for macOS via Entra ID.

• Awareness of Apple management trends (e.g., evolving PSSO support, modern macOS security/privacy controls).



What success looks like:

• Consistent, stable zero touch from OOBE to first desktop—every time.

• Delightful first sign in with PSSO, measured by reduced time to productivity and few/no manual steps.

• Packaging/patching at scale with clear SLAs, staged rings, and rollback plans.

• CIS aligned device posture with intuitive, trustworthy Intune dashboards for leadership and Support.



Interview Process:

· 30 minute technical interview with Manager

· 30 minute interview with Director
