Senior Digital Workspace Engineer
Oncourse Home Solutions · Naperville, IL · 1 wk ago
HybridEngineering$112k–$168k/yrFull-time
About the role
Oncourse Home Solutions is seeking a Sr. Digital Workspace Engineer to own the full lifecycle of the company's enterprise endpoint environment. This role operates at the intersection of endpoint engineering, cybersecurity, and operational delivery.
Responsibilities
- Architect, package, and deploy standardized Windows and macOS images using Autopilot, Intune, and Jamf Pro.
- Manage the full MDM lifecycle for corporate and BYOD devices across iOS, Android, and macOS — including enrollment, compliance profiles, and MAM app protection policies.
- Own Autopilot end-to-end (ESP tuning, all deployment models), zero-touch large-scale rollouts, OS update cadences, app packaging, and CIS/NIST endpoint hardening.
- Design, implement, and maintain Microsoft Entra ID Conditional Access policies aligned to Zero Trust principles.
- Manage device compliance policies, identity-based controls, and privileged access workstation (PAW) configurations.
- Administer Microsoft Defender for Endpoint (MDE) — threat and vulnerability management, ASR rules, and EDR.
- Operate Microsoft Purview for DLP, information protection labels, and eDiscovery workflows in support of legal and compliance requirements.
- Build and maintain PowerShell and Python automation scripts for endpoint provisioning, patch compliance reporting, configuration drift remediation, and security telemetry.
- Support enterprise networking functions relevant to endpoint connectivity: DNS, DHCP, VPN, NAC, and firewall policy.
- Work with network teams on Meraki wireless policy and endpoint segmentation.
- Troubleshoot certificate-based authentication issues.
- Provide engineering-level support for contact center endpoint environments — VDI, softphone/CCaaS integrations, and specialized peripherals — ensuring zero-downtime availability for customer-facing functions.
- Deliver white-glove endpoint experience for executive leadership and board-level stakeholders.
- Communicate complex technical issues clearly and professionally.
- Lead stakeholder-facing briefings on endpoint health, security posture, and platform roadmap.
- Support enterprise deployment and governance of AI productivity tools (Microsoft Copilot for M365) — ensuring endpoint readiness, data classification policy alignment, and compliance with the organization's AI governance framework.
- Own endpoint security hardening standards across all device platforms via Intune and Jamf configuration profiles.
- Remediate vulnerability scan findings.
- Support NYDFS Part 500 and PCI DSS endpoint-related control evidence collection.
- Own the full IT asset lifecycle for all managed endpoints — procurement through decommission.
- Maintain CMDB accuracy via MDM integration (Intune, Jamf), conduct asset audits, enforce software license compliance, and support hardware refresh forecasting with data-driven reporting.
- Participate in on-call rotation for after-hours critical endpoint incidents affecting contact center, executive, or production systems.
Qualifications
- 7+ years of enterprise endpoint engineering experience in mid-to-large organizations.
- Deep hands-on expertise with Microsoft Intune (MEM) — MDM and MAM policy design, compliance, app deployment, Autopilot (device registration, ESP tuning, User-Driven / Self-Deploying / Pre-Provisioning models), zero-touch large-scale rollouts, and mobile platform enrollment (iOS, Android, macOS).
- Proven MDM expertise across corporate-owned and BYOD programs — iOS, Android, and macOS enrollment, compliance policies, conditional access for mobile, and Intune App Protection Policies (MAM without enrollment).
- Deep hands-on expertise with Jamf Pro — smart groups, policies, packages, Jamf Connect, and remote management.
- Proficiency in Microsoft Entra ID: device registration, hybrid join, Conditional Access, named locations, sign-in risk policies, and Privileged Identity Management (PIM) for just-in-time administrative access governance.
- Proven expertise in M365 E5 security: Microsoft Defender for Endpoint (MDE), Microsoft Purview (DLP, Information Protection, eDiscovery), and Defender Vulnerability Management.
- Strong scripting capability in PowerShell (required) and Python (required) — endpoint automation, API integrations, compliance reporting.
- Hands-on experience with enterprise image packaging and remote OS deployment — Windows Autopilot, MDT, WDS, or equivalent macOS workflows — with capability executing large-scale device rollouts across distributed and remote workforce environments.
- Working knowledge of enterprise networking: TCP/IP, DNS, DHCP, VPN, NAC, certificate services, and firewall policy coordination.
- Experience supporting contact center or other high-availability critical-function endpoint environments.
- Demonstrated ability to manage executive and VIP stakeholders — executive-ready written, verbal, and presentation skills.
- Familiarity with AI productivity tools in enterprise environments (e.g., Microsoft Copilot for M365, AI governance frameworks).
- Strong understanding of security hardening principles: CIS Benchmarks, NIST SP 800-70, DISA STIGs, or equivalent.
- Experience in regulated industries (financial services, healthcare, or insurance) strongly preferred.
- Proven background scaling endpoint environments for remote or distributed workforces — zero-touch provisioning, remote wipe/reset, and multi-region device management.
- Hands-on ITAM and CMDB experience — device lifecycle tracking, software license compliance, asset auditing, and MDM-to-CMDB integration for automated inventory.
- Proficiency with ServiceNow (ITAM/CMDB/Asset Management modules preferred) or Jira Service Management for change governance and asset record management.
- Nice to have: Hands-on experience with Cisco Meraki wireless infrastructure (SSID policy, device tagging, network segmentation); familiarity with SIEM/EDR integrations: Microsoft Sentinel, CrowdStrike, or equivalent; experience with Microsoft Entra ID PIM (Privileged Identity Management) and PAM; exposure to Zero Trust Network Access (ZTNA) or SSE/SASE platforms.