Position Summary
ProAmpac, a nearly $5 billion packaging company, is seeking an Endpoint Engineer to join our Cloud & Digital Workplace Services team. This is a 100% remote, hands-on engineering role, not a helpdesk position. You will own Microsoft Intune, Windows Autopilot, mobile device management across iOS, iPadOS, and Android, and our plant-floor mobility program (SOTI MobiControl) across a rapidly growing multi-site manufacturing environment.
ProAmpac is scaling rapidly through acquisition across a large and growing number of manufacturing sites. You will be enrolling and managing thousands of mobile and plant-floor devices, driving zero-touch workstation provisioning via Autopilot, and building out mobile management standards as new sites come online. Your counterpart on the team owns Endpoint Central and packaging; both engineers cross-train on each other's primary platforms for full coverage.
What You'll Do
Microsoft Intune — Primary Platform
- Serve as the primary Intune administrator across Windows, iOS, iPadOS, and Android: MDM/MAM policies, compliance policies, configuration profiles, and application deployment.
- Administer Conditional Access compliance integration with Entra ID; monitor enrollment health and compliance dashboards and resolve failures across all supported platforms.
- Manage application deployment via Intune: IntuneWin packages, Microsoft Store apps, LOB apps, and app protection policies for corporate and BYOD devices.
Windows Autopilot — Zero-Touch Deployment
- Design and maintain Autopilot deployment profiles and enrollment flows for zero-touch workstation provisioning across a growing fleet.
- Manage device registration, hardware hash import, and profile assignment; coordinate with procurement and the Service Desk for new device intake.
- Troubleshoot Autopilot enrollment failures and maintain runbooks for common failure scenarios.
- Collaborate with the UEM & Packaging Engineer on app sequencing during provisioning to ensure a complete, compliant out-of-box experience.
Mobile Device Management — iOS, iPadOS & Android
- Administer Intune MDM/MAM for iOS, iPadOS, and Android corporate and BYOD devices: enrollment, policy, app deployment, compliance, and remote actions.
- Manage Apple Business Manager integration with Intune; maintain DEP enrollment profiles and VPP app licensing.
- Configure app protection policies for BYOD scenarios; manage mobile device lifecycle from provisioning through retirement.
- Troubleshoot mobile enrollment and compliance issues; coordinate with Networking on WiFi and connectivity dependencies.
SOTI MobiControl — Plant-Floor Mobility
- Administer SOTI MobiControl for rugged Android handhelds, RF scanners, and terminals used in manufacturing and warehouse operations.
- Manage enrollment, configuration profiles, app deployment, and kiosk policies for plant-floor device groups.
- Troubleshoot plant-floor device issues; coordinate with plant operations and Networking on WiFi coverage and VLAN requirements.
- Support device staging for new site openings and plant expansions.
macOS Management — Jamf Pro
- Administer Jamf Pro for ~100 Mac devices: enrollment, configuration profiles, patch management, application deployment, and compliance reporting.
- Provide Tier 2/3 support for macOS issues; maintain macOS packaging workflows and runbooks.
Thin Client Management — IGEL OS
- Manage IGEL OS thin client configuration, policy, and patching in coordination with the Networking & Hardware Services team.
- Support thin client deployments for new sites; maintain configuration standards and deployment runbooks.
Endpoint Security Configuration
- Deploy and maintain endpoint security agents, encryption policy and key escrow, local administrator password management, and device control policies across managed devices.
- Apply and maintain endpoint hardening baselines across Windows, macOS, and mobile platforms; coordinate with InfoSec on gap remediation.
Digital Signage — Skykit
- Support management of the enterprise digital signage platform (Skykit): device enrollment, content policy, and operational support across ProAmpac sites.
Asset Management
- Own endpoint asset data quality in Lansweeper for all assigned device types; drive asset management process adherence by the Service Desk.
Application Packaging — Cross-Training
- Maintain working proficiency in application packaging (MSI, IntuneWin) to build and deploy packages via Intune independently and to cover your counterpart when needed.
Documentation & On-Call
- Create and maintain runbooks, SOPs, and change records in ServiceDesk Plus; participate in the Change Advisory Board (CAB).
- Participate in the Endpoint Engineering on-call rotation (~20% of the time) and provide Tier 2/3 escalation support.
What You'll Bring
- 3–5 years of enterprise endpoint engineering or systems administration experience focused on MDM, UEM, or modern device management platforms.
- Strong Microsoft Intune experience: MDM/MAM policy design, compliance policies, configuration profiles, and application deployment across Windows and mobile platforms.
- Hands-on Windows Autopilot experience: deployment profile design, enrollment flows, and troubleshooting in an enterprise environment.
- Experience managing iOS/iPadOS and Android devices in an enterprise MDM environment, including Apple Business Manager and DEP enrollment.
- Working application packaging experience for Intune: IntuneWin format and LOB app deployment at minimum.
- Proficiency in PowerShell scripting for automation, reporting, and operational workflows.
- Experience with encryption management, local administrator password management, and endpoint hardening baseline configuration.
- Strong troubleshooting skills across Windows 10/11, iOS, and Android platforms.
- Self-motivated, detail-oriented, and able to manage concurrent tasks independently.
- Bachelor's degree in Information Technology, Computer Science, or a related field, or equivalent work experience.
- Preferred: Microsoft MD-102 (Endpoint Administrator Associate) certification or actively working toward it.
- Preferred: experience with Jamf Pro for macOS device management.
- Preferred: experience with SOTI MobiControl or comparable plant-floor/rugged device management platforms.
- Preferred: experience with IGEL OS or thin client management platforms.
- Preferred: experience supporting manufacturing or multi-site industrial environments.
Why ProAmpac
- Join a nearly $5 billion packaging company scaling rapidly through acquisition with a major infrastructure modernization underway.
- Own a packaging practice and server patching program that will scale dramatically; this is a build role, not a maintain role.
- Clear path for skill development as our environment grows; you will work on real scale, not a stable steady-state environment.
- Professional development support including training and certification opportunities.
Location and Work Arrangement
This is a 100% remote position. Candidates must be based in the United States and able to work during US business hours. Eastern or Central time zones are preferred for team collaboration.
Travel: This position may require occasional travel (up to 20%) for site support and team meetings.
Additional Information
This role includes participation in a rotating on-call schedule to support endpoint infrastructure. Escalations for service-impacting issues may occur outside standard business hours (8am–6pm).
ProAmpac is an equal opportunity employer and does not discriminate on the basis of any characteristic protected by applicable law. EEO – M/F/Disability/Vets
To apply, please submit your resume and cover letter.