Full Job Description
Clearance Required: Top Secret
Education Required: BA/BS
US Citizenship: Required
Summary
The Endpoint Engineer is responsible for designing, implementing, securing, and maintaining workstation and device configurations across Windows and macOS environments. The role focuses on imaging, patching, device enrollment, compliance enforcement, telemetry engineering, and lifecycle management in support of secure endpoint operations. This position does not provide routine help desk services; it delivers engineering-level solutions and support for escalated or complex endpoint issues.
This position currently requires an on-site schedule. Schedule is subject to change based on company/contract requirements.
This position is currently unfunded and is being posted in anticipation of a future contract award and funding approval. We are proactively identifying and engaging with qualified candidates. While candidates may be contacted for pre-screening, any hiring decisions will be contingent upon funding availability and final program requirements or client approval.
Responsibilities
Workstation Imaging & Configuration Engineering
- Design, build, and maintain secure, standardized workstation images for Windows and macOS supporting on-site, remote, and VDI users.
- Integrate security agents, authentication mechanisms, telemetry collectors, and baseline configurations into images.
- Maintain image automation toolchains (Ivanti, KACE, JAMF, or equivalent), including testing, validation, rollback, and version control.
- Publish image versions, maintain release documentation, and validate image integrity prior to production use.
Endpoint Baseline & Compliance Management
- Engineer secure macOS and Windows endpoint baselines, ensuring enforcement of approved security controls.
- Use Ivanti, KACE, and Intune to manage patching, version control, configuration drift remediation, and application deployment.
- Monitor endpoint compliance, detect deviations, and implement corrective actions.
- Document baseline standards, deployment procedures, and remediation workflows.
Patching & Vulnerability Remediation
- Engineer and operate patch management workflows for OS and third-party apps.
- Coordinate Intune/GPO-based patching for Windows and validate post-patch functionality (VDI connectivity, authentication, agent health, application compatibility).
- Implement automation to reduce manual intervention and accelerate patch deployment (MTTR reduction).
Device Enrollment, Provisioning & Lifecycle Engineering
- Implement and maintain enrollment workflows for Intune, Windows Autopilot, Apple Business Manager, and JAMF.
- Ensure devices meet baseline and conditional access requirements before receiving network access.
- Integrate provisioning and enrollment processes with asset inventory systems to maintain accurate device-to-user associations.
- Support full device lifecycle operations: provisioning, reassignment, secure wipe, and decommissioning.
- Maintain or automate onboarding/offboarding checklists.
Authentication & Identity-Linked Endpoint Controls
- Implement passwordless authentication and hardware-backed credentials (YubiKeys, CAC, or equivalent).
- Strengthen device registration, enrollment integrity, and identity/device correlation.
Telemetry, Logging & Monitoring Engineering
- Ensure endpoint logging and telemetry (Windows Event Logs, macOS Unified Logs, EDR/AV, network activity) are properly generated and ingested by SIEM/EDR platforms.
- Maintain log-forwarding, parsing, and normalization rules to support threat detection, incident response, and forensic investigations.
- Monitor health and status of imaging, patching, enrollment, and compliance workflows.
- Support forensic collections and maintain audit trails for engineering changes.
Engineering Documentation & Knowledge Transfer
- Produce engineering runbooks for imaging, patching, enrollment troubleshooting, recovery, and remediation workflows.
- Maintain a living knowledge base and provide periodic training to Service Desk, IAM, and SOC teams.
- Document change activities, remediation plans, validation reports, and operational procedures.
Travel
Travel expectations will be confirmed upon contract award and may vary based on customer and project requirements.
Required Qualifications
- 10+ years of professional work experience.
- 8+ years in IT, Endpoint Engineering, or Cybersecurity.
- 6+ years engineering in enterprise environments (not help desk).
- Experience with formal change control, audit, and security governance.
- Windows & macOS imaging, automation, and integration with VDI, EDR, authentication, and logging agents.
- Ivanti and/or KACE for patching, configuration management, drift remediation, and reporting.
- Microsoft Intune and Windows Autopilot for provisioning and compliance enforcement.
- JAMF Pro for macOS management.
- Endpoint logging and telemetry engineering for SIEM/EDR ingestion.
- Experience implementing passwordless or hardware-backed authentication.
Desired Qualifications
- Experience with Zero-Trust Endpoint Architecture - familiarity with modern Zero-Trust frameworks and secure endpoint access patterns (e.g., conditional access tuning, device trust scoring).
- Automation & Scripting Proficiency - hands-on experience automating endpoint workflows using PowerShell, Python, Bash, or similar languages to reduce manual effort and support fleet-wide changes.
- Experience with Cross-Platform Endpoint Security Hardening - demonstrated ability to interpret CIS benchmarks, DISA STIGs, or similar standards and translate them into practical, scalable workstation configurations.
- Exposure to Enterprise VDI Optimization - knowledge of optimizing Windows/macOS images, agents, and policies for environments using VDI platforms such as VMware Horizon, Citrix, or Azure Virtual Desktop.
- Familiarity with Large-Scale Asset Management & CMDB Accuracy Initiatives - experience contributing to asset reconciliation or device lifecycle accuracy efforts across distributed enterprises.
Education
Bachelor's degree in IT, Cybersecurity, or related discipline (or equivalent experience).
Clearance
Active Top Secret (TS) clearance.
Compensation
The MIL Corporation values your contributions and offers a range of benefits to support your overall well-being. We are pleased to offer a comprehensive range of benefits to our full-time employees which include health, life, disability, and retirement plans, as well as paid time off, opportunities for professional growth and tuition assistance. Additional benefits and incentives may also apply, which will be communicated during the hiring process.
For this position, the projected compensation range is $143,000 - $157,000 per year. This estimate represents the typical salary range and is just one part of MIL's complete compensation package. Final salary for this position is determined based on factors such as individual qualifications, education, experience, and contractual limitations. Learn more on the MIL Careers page.