Systems Engineer, VDI Platform
About the role
The Endpoint Engineering team at CoreWeave manages end-user compute for all employees running macOS and Windows 11 — application deployment, patching, and configuration management to keep the environment secure and reliable. We're expanding that scope with a cloud-based VDI offering (Ubuntu and Windows 11) to meet growing customer needs. This role owns that expansion as the sole DRI for the Next Gen VDI platform: the remote-compute infrastructure powering hundreds of engineers, network operators, and support teams company-wide.
Responsibilities
- Own the end-to-end VDI platform architecture—covering cloud infrastructure, access controls, OS lifecycle, security posture, and network topology.
- Drive peer review and sign-off before build commences.
- Integrate cloud infrastructure into CoreWeave’s Teleport cluster: IAM node joining, RBAC role definitions, access policies per user persona, and break-glass/OOB node setup and validation.
- Configure Okta SAML/OIDC SSO with MFA enforcement, session policy, and access review workflows for the VDI fleet.
- Build and maintain the audit logging pipeline (cloud logging → CoreWeave SIEM), legal hold and forensic snapshot-on-demand workflows, and compliance-aligned session activity retention policies.
- Own cost governance: implement instance tagging and cost center chargeback attribution, build idle detection and cleanup automation, and deliver self-service and admin portals for instance lifecycle management.
- Own the Ubuntu LTS and Windows 11 base image pipelines—code-defined builds (Packer or equivalent), automated regression test suites covering agent health, network reachability, and security posture, versioned release promotion, and rollback procedures.
- Write and maintain Chef cookbooks (or equivalent) for post-provision configuration: user setup, mounts, and toolchain.
- Bake security and network agents (CrowdStrike, Netskope, BlastShield) and the PCoIP client/agent into Ubuntu and Windows 11 base images; own group/policy configuration, fleet enrollment, and alert routing.
- Lead end-to-end integration testing (provision → auth → tool access → teardown) and platform security review prior to launch; remediate and drive sign-off.
- Sustain steady-state operations: monthly patch releases, config management updates, infrastructure health checks, incident response, and user ticket triage.
- Produce and maintain runbooks for image release, Teleport onboarding, break-glass procedures, and incident response.
Requirements
Demonstrated experience operating and automating cloud infrastructure on AWS, Azure, or GCP—compute, networking, storage, IAM, and cost tooling.
Proficiency with Linux system administration (Ubuntu preferred) and Windows 11 endpoint management, including shell/PowerShell scripting, service configuration, package management, and log analysis.
Hands-on experience with infrastructure-as-code and configuration management tooling (Terraform, Ansible, Chef, Packer, or equivalent) in a production environment.
Experience integrating enterprise identity and access management solutions—Teleport, Okta, or comparable SSO/PAM/ZTNA tooling—including RBAC design and access policy definition.
Experience building and operating OS image pipelines: code-driven builds, automated regression testing, versioned release promotion, staged rollout, and rollback.
Familiarity with endpoint and network security agent deployment (CrowdStrike, Netskope, or similar), including bake-in to base images and policy configuration.
Strong scripting and automation skills (Python, Bash, or equivalent); comfort building internal tooling and self-service workflows.
Experience with observability and logging pipelines—log forwarding, schema definition, retention policy, and SIEM integration.
Preferred Experience
With Windows 11 image management, MDM/Intune enrollment, and patch management tooling.
Familiarity with PCoIP/HP Anyware or other streaming display protocols in a VDI context.
Experience with cost attribution, tagging strategy, and chargeback reporting in multi-tenant cloud environments.
Exposure to BlastShield or other zero-trust network access (ZTNA) solutions.
Experience with legal hold, forensic imaging, or compliance workflows in a cloud environment.