The RoleYou'll own and build Tempo's corporate IT infrastructure - identity, device management, endpoint security, and the automation that ties it all together. This is a hands-on engineering role, not a help desk seat. You'll bring software-engineering rigor to IT systems and help secure a company operating at the frontier of crypto.
Responsibilities- Architect and automate the full identity lifecycle - HRIS �12 Okta �12 SaaS apps - eliminating manual provisioning and off boarding gaps
- Complete and maintain SSO/SCIM integrations across the entire SaaS stack
- Own Jamf Pro end to end: PreStage enrollment, configuration profiles, software updates, certificate distribution
- Deploy and tune endpoint security (SentinelOne) - policy management, MDM-driven deployment, alert triage
- Expand SIEM coverage and write detection/alerting rules with a detection-as-code approach
- Build toward infrastructure-as-code management of all IT tooling (Terraform, GitHub Actions)
- Resolve hard identity, device, and access escalations that get past first-line support
- Drive SOC 2 readiness - unified audit trails across identity, device, and security systems
Qualifications- 4+ years in IT engineering roles
- Hands-on Okta administration: SSO, SCIM, SAML/OIDC integrations, lifecycle policies, Okta Workflows. Understands HRIS-as-source-of-truth (Rippling or similar)
- Production Jamf Pro experience: PreStage enrollment, configuration profiles, software update management, certificate distribution. macOS-first
- Deployed and operated an EDR platform (SentinelOne or comparable) - policy tuning, MDM deployment, alert triage
- Strong scripting (Python/Bash/Go preferred), comfortable with REST APIs, webhooks, JSON, auth flows, and event-driven workflows
- Git-based config management, CI/CD pipelines (GitHub Actions), Terraform or equivalent
- Solid grasp of DNS, certificates/PKI, ZTNA (Tailscale or similar), and modern access control models
Nice-to-Haves- Crypto/blockchain security exposure - multisig/hardware-wallet workflows (Fireblocks or similar), phishing/lookalike-domain campaigns, high-value signer threat models
- Detection-as-code: SIEM detections as version-controlled rules (Panther Python models, Sigma, or equivalent)
- Apple platform depth beyond basic Jamf - DDM, MDM protocol internals, notarization/signing/packaging, macOS security frameworks (TCC, system extensions)
- Mapped controls to SOC 2, ISO 27001, NIST CSF, or CIS - understands what audit-ready evidence looks like
- Built Slack-driven workflows, bots, or self-service internal tooling
- Public open-source contributions to IT/security tooling
