MacOS Endpoint Engineer

Job Location: Downers Grove, IL - USA

Monthly Salary: Not Disclosed
Posted on: 4 hours ago
Vacancies: 1 Vacancy

Job Summary

Location: ONSITE 5 days/week - 3333 Finley Rd Ste 700 Downers Grove IL


Duration: Contract 6 months with potential to extend


This position may be offered to a candidate authorized to work in the US for his/her/their stated employer without any restrictions which would prevent the candidate from working on the proposed assignment for the duration of the assignment period.


Overview:

Grant Thornton is expanding macOS as a first-class platform and is looking for a Mac Endpoint Engineer to build and harden a modern Intune-managed Mac environment.

You'll deliver zero-touch enrollment and a consistent, repeatable first sign-in experience with Platform SSO (PSSO) and lead macOS application packaging for Intune at scale.

This is a hands-on engineering role focused on stability, repeatability, and future-ready automation.


Responsibilities:

Zero-touch onboarding & first sign-in

Design, standardize, and operate zero-touch enrollment with Apple Business Manager (ABM) Automated Device Enrollment (ADE), from PreStage to post-enrollment remediations.

Establish a predictable first sign-in flow leveraging PSSO and Intune so every new Mac enrolls, configures, and signs in the same way every time.

Continuously identify improvements to enrollment flows, bootstrap content, and post-enrollment automations.


macOS application packaging for Intune

Lead macOS packaging for Intune (PKG/DMG with pre/post-install scripts), including detection rules, dependencies, retries, and uninstallers.

Build a sustainable approach for third-party apps at scale (staged rings, rollback plans, and change control).

Partner with App Packaging and QA to standardize versioning, testing, and release notes.


Configuration, compliance & security posture

Operate within established baseline configuration and compliance policies in Intune; propose optimizations where they improve reliability or user experience.

Implement and maintain controls aligned to the CIS benchmark for macOS; partner with InfoSec (policy owners) while owning configuration and enforcement.

Integrate and support endpoint/security agents and posture: Entra ID, Defender for Endpoint (DLP), CrowdStrike, CyberArk EPM, Qualys, and GlobalProtect ZTNA.


Automation, observability & documentation

Use scripting (choose the right tool for macOS, e.g. bash/zsh/Python/PowerShell for Graph) to automate provisioning, remediations, health checks, and reporting.

Leverage Intune compliance dashboards to publish actionable metrics (enrollment success, first sign-in duration, compliance drift, packaging SLA).

Produce clear KB/how-to articles and contribute to knowledge transfer with Support Services; provide periodic Tier 3 guidance (no on-call).


Collaboration & scale-up

Work with Identity, Security, Networking, and Support to ready the platform for go-live and scale beyond the initial fleet.

Provide feedback on standards, guardrails, and SOPs to ensure stability as adoption grows across the US user base.

Environment you'll step into:

Long-term goal is to offer Mac at 1:1 parity with Windows devices.

MDM: Microsoft Intune only (no Jamf/Kandji in scope); minimum supported macOS version: 26.

Identity & Security: Entra ID, Defender for Endpoint (DLP), CrowdStrike, CyberArk EPM, Qualys, GlobalProtect ZTNA.

Standards: CIS macOS benchmark (InfoSec dictates policies; you own configuration and operational enforcement).

Tooling: ABM ADE in place; Intune for compliance dashboards and reporting.


Qualifications:

3-5 years of enterprise macOS MDM management (e.g. Intune, Jamf, or other Apple-focused MDMs).

Demonstrated expertise in macOS app packaging for Intune (PKG/DMG, scripts, detection/uninstall logic, rings, rollback).

Strong zero-touch/ADE experience and hands-on PSSO implementation for first sign-in.

Practical scripting for macOS engineering (bash/zsh/Python/PowerShell for Graph, as applicable).

Proven experience enforcing controls aligned to CIS macOS with Intune configuration/compliance policies.

Familiarity with enterprise security agents and posture tooling: Defender for Endpoint, CrowdStrike, CyberArk EPM, Qualys, GlobalProtect.

Excellent documentation skills; ability to produce KB/how-tos and perform knowledge transfer to Support.


Preferred Qualifications:

Experience building repeatable, self-healing remediations (post-enrollment drift correction, telemetry-driven fixes).

iOS/iPadOS management exposure (Intune/ABM/VPP); bonus only, role remains macOS-focused.

Familiarity with Conditional Access integrations for macOS via Entra ID.

Awareness of Apple management trends (e.g. evolving PSSO support, modern macOS security/privacy controls).


What success looks like:

Consistent, stable zero-touch from OOBE to first desktop, every time.

Delightful first sign-in with PSSO, measured by reduced time to productivity and few/no manual steps.

Packaging/patching at scale with clear SLAs, staged rings, and rollback plans.

CIS-aligned device posture with intuitive, trustworthy Intune dashboards for leadership and Support.


Interview Process:

30-minute technical interview with Manager

30-minute interview with Director

Background Check : No

Drug Screen : No
