Lead macOS Intune MDM/MAM Engineer
Evolution Cloud Services (EVOCS) · Denver, CO · 1 wk ago
Engineering$80–$85/hrFull-time
🎯 Role Overview
We’re looking for an experienced Lead macOS Intune Engineer to own Apple device management across our enterprise. You’ll architect and drive the full lifecycle of macOS endpoints, from zero-touch provisioning through Apple Business Manager all the way to advanced security hardening with FileVault, Secure Enclave, and passwordless authentication.
🧩 What you will do
macOS Endpoint Management
- Architect, deploy, and manage the lifecycle of macOS devices using Microsoft Intune MDM
- Design and tune configuration profiles, compliance policies, and security rules that keep Mac devices secure, performant, and user-friendly
Apple Business Manager & Zero-Touch Provisioning
- Own the integration between Microsoft Intune and Apple Business Manager (ABM)
- Configure Automated Device Enrollment (ADE) for zero-touch Mac provisioning — corporate devices enroll and configure themselves out of the box
Mobile Application Management (MAM)
- Manage app deployment and updates (App Store, VPP, and enterprise apps) through Intune
- Enforce app protection policies to secure corporate data on both managed and BYOD macOS devices
Passwordless Authentication & Single Sign-On
- Implement Microsoft Entra ID Platform SSO on macOS using the Enterprise SSO plug-in
- Enable Secure Enclave-based authentication (hardware-backed keys, Touch ID) to deliver a Windows Hello–equivalent experience on Mac
- Ensure cloud accounts are properly linked to local Mac accounts, eliminating repeated password prompts
Device Security & Encryption
- Manage FileVault full-disk encryption via Intune, including key escrow and recovery workflows
- Leverage Apple’s T2 / Apple Silicon security features and deploy Microsoft Defender for Endpoint on macOS
- Configure endpoint protection and compliance policies (password, screen lock, threat response)
BYOD Strategy
- Design policies that apply MAM app protection and Conditional Access to personal Macs without intruding on personal data
- Define clear enrollment and access rules for non-corporate devices accessing company resources
Identity & Security Best Practices
- Monitor and mitigate identity-related risks on Mac endpoints — password spray attacks, brute-force attempts, and unauthorized access
- Champion Zero Trust principles: least privilege, device compliance-gated access, and continuous verification
Troubleshooting & Support
- Lead root-cause analysis for complex Intune enrollment, SSO, SecureToken/FileVault, and authentication failures
- Resolve misconfigurations quickly and provide durable fixes that prevent recurrence
Documentation, Training & Continuous Improvement
- Develop and maintain runbooks, configuration guides, and incident response playbooks for macOS management
- Train and mentor IT support staff on Mac device support, Intune policy management, and security best practices
- Stay current with new Microsoft Endpoint Manager features and Apple platform updates; bring recommendations to the team
- 5+ years managing and securing macOS devices in an enterprise environment
- 3+ years hands-on with Microsoft Intune (Endpoint Manager) — deploying and managing macOS at scale
- Proven experience with Apple Business Manager (ABM) and Automated Device Enrollment (ADE)
- Strong command of Intune configuration profiles, compliance policies, and app protection policies for macOS
- Deep knowledge of FileVault encryption management via Intune — policy creation, key escrow, and recovery
- Solid understanding of Apple’s Secure Enclave, SecureToken, and related macOS security primitives
- Experience configuring Microsoft Entra ID Platform SSO and SSO extensions on macOS
- Familiarity with Conditional Access policies that tie device compliance to identity access
- Proficiency in scripting — Bash/zsh, PowerShell, and/or Python — for automation and Microsoft Graph API integrations
- Understanding of identity protection mechanisms: smart lockout, risk-based sign-in, MFA
- The posting will be active for a minimum of 3 days. The active posting will continue to extend by 3 days until the position is filled.
- All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability or protected veteran status, or any other legally protected basis, in accordance with applicable law.