Principal Service Engineer

Organization Background:

The Endpoint Engineering Services team manages all the client endpoints across our enterprise: Windows and Apple desktops, laptops, iPhones, and iPads. We are responsible for ensuring that endpoints and their software are up to date with the latest approved OS version, patched, application delivery is maintained, and overall health is maintained. We ensure a seamless experience for caregivers through a centralized tool that automates many of these transactions.

What will you be responsible for?

• The role owns end‑to‑end architecture for Apple device (IOS/IPADS/MAC) onboarding, compliance, data protection, app lifecycle, OS updates, and Zero Trust access—integrated with Entra ID (Azure AD), Defender for Endpoint, and enterprise PKI/VPN/Wi‑Fi/SSO systems.
• Intune MDM & MAM policies and configuration profiles.
• Jamf Pro for advanced macOS and iOS lifecycle management.
• Define the reference architecture for iOS/iPadOS management:
• Enrollment models: Automated Device Enrollment (ADE/DEP) via Apple Business Manager (ABM), User Enrollment, Device Enrollment, and Shared iPad for Business.
• Supervision strategy for corporate devices (Single App Mode, Home screen layout, kiosk/line-of-business scenarios).
• MAM‑WE (app protection without enrollment) for BYOD.
• Implement data protection via MAM policies: cut/copy/paste restrictions, save-as control, conditional launch, pin requirements, and organizational data wipe on app retirement
• Build touchless provisioning flows: ABM > ADE > Intune enrollment profiles; Managed Apple IDs governance; Apple Configurator workflows for special cases.
• Design Zero Trust access with Conditional Access, device compliance signals, and integration with Defender for Endpoint.
• Establish tenant segmentation patterns for global orgs, data residency, and role-based administration
• Author and maintain iOS/iPadOS configuration profiles:
• Restrictions (managed open-in, clipboard restrictions, account modification, iCloud services), App Config (managed app settings), Per App VPN, Wi Fi, eSIM/eUICC where applicable, Web Content Filter (network extension), SSO extensions, SCEP/PKCS certificates, Exchange/Google/IMAP profiles (if required).
• Hands on expertise with Microsoft Intune (Endpoint Manager) including Device Configuration profiles (Settings catalog, templates), Endpoint Security policies (Antivirus, Firewall, Disk Encryption, ASR) and Application lifecycle management (Win32, Store, LOB, M365 Apps)
• Automate device management tasks using PowerShell, Graph API, and Jamf API
• Develop automation scripts (PowerShell, Bash, Python) to streamline operations, reporting, and remediation tasks, reducing manual effort and error rates.

What would your day look like?

• Administering Microsoft Intune
• Device Onboarding & Enrollment Operations.
• Compliance & Conditional Access Monitoring.
• App Lifecycle Management - Manage Apps and Books (VPP) licenses in Apple Business Manager and ensure correct assignment.
• Policy & Configuration Management - Configuration profiles (Wi-Fi, VPN, restrictions, SSO extension, certificates). MAM App Protection Policies for BYOD. Device configuration baselines for frontline/iPad kiosk scenarios.
• Triage and manage Requests, Incidents, and Project work through ServiceNow and Azure DevOps (ADO)
• Evaluate new Microsoft/Apple roadmap features and perform POC and oversee planned rollouts.
• Monitor, report out to management various security patching-related KPI and prepare and execute corrective action plans to meet KPIs

Who are we looking for?

• 8 -12 years of experience in Intune/MDM/MAM/MECM/JAMF Technologies
• Enterprise Architecture: Endpoint Management, Security & Compliance, Identity & Access Management (Entra ID, Active Directory)
• Automation & Scripting: PowerShell, Bash, Python
• Cloud & Mobility: Microsoft Intune, Azure AD, Mobile Device Management (MDM), Mobile Application Management (MAM)
• Data & Reporting: Power BI, SQL, API Integration
• Process & Documentation: ServiceNow, Azure DevOps, Solution Design, Process Optimization based access control.