Engineering for IT Service Desk - Top Secret (TS) security clearance
Job Description
Clearance: Top Secret (TS) security clearance

Objectives
CBO requires IT Engineering Support Services to design, implement, and maintain technical controls to reduce the risk of unauthorized initial discovery and lateral movement, malicious credential use and defense evasion, and persistence via machine key and related system-abuse techniques within CBO’s environment. The engineering services will also enable secure endpoint, identity, and device lifecycle operations in support of CBO’s threat detection and mitigation strategy. This scope does not include routine end-user help desk support, but rather engineering tasks to resolve issues arising from complex or escalated tickets. The objectives of this effort are:
- Establish and maintain secure, standardized workstation images for macOS and Windows that support both on-site and remote access, including VDI connectivity.
- Implement and maintain endpoint configuration baselines, patching, and version control using approved enterprise tools to reduce configuration drift and security risk.
- Strengthen device registration, enrollment, and asset inventory accuracy to ensure visibility into users, devices, and access across the environment.
- Enhance logging, telemetry, and monitoring capabilities to support detection, investigation, and response to suspicious or unauthorized activity on endpoints and networks.
- Reduce the likelihood and impact of lateral movement and credential misuse through hardened configurations, secure authentication mechanisms, and consistent enforcement of baseline controls.
The Contractor shall provide engineering support by designing and maintaining technical controls, implementing approved configurations, and producing documentation and operational playbooks necessary to support IRM&TS operations, Service Desk engineering escalations, and the incident response function.
Scope of Work
This document refers to “Engineer” singularly, but it is expected that the Contractor will provide multiple personnel to fill the roles required by this scope of work. The Contractor employees will be responsible for implementing new solutions and leveraging existing tools within the architecture to support logging and auditing of security controls, as well as necessary upgrades and feature enhancements. The team will also assist in administering all information security functions for the Windows and macOS baselines, including updates, upgrades, policy administration, and validation for special access to CBO’s segmented environments (both cloud and non-cloud). The scope of work includes, but is not limited to, the following activities:
- Assist CBO in building, maintaining, and securing existing standard workstation images that enable access to the VDI environment for remote users on both macOS and Windows platforms.
- Assist CBO in building, maintaining, and securing existing standard workstation images that enable access to the VDI environment for on-site users on both macOS and Windows platforms.
- Maintain operating system and application patching, version control, and lifecycle management for supported applications. Ensure that new and updated applications are delivered through approved mechanisms such as a company application store, Intune, or Group Policy (GPO), as appropriate based on user role and access level.
- Support Microsoft Intune registration and Windows Autopilot for desktops, laptops, and CBO-issued mobile devices, including implementation of passwordless authentication, hardware security keys (e.g., YubiKeys), and other protections for privileged and sensitive accounts.
- Implement and maintain logging, monitoring, and audit capabilities to track device enrollment, user authentication activity, network access, and endpoint behavior to determine which users and devices are connected to the network and what activity is occurring.
Initial Discovery and Strengthening Secure System Posture
The Engineer shall design, implement, and tune engineering controls to detect and limit initial compromise and lateral movement. These activities shall be integrated into workstation imaging, device registration, and user registration processes to ensure secure baseline enforcement and accurate asset inventory management. The Engineer shall perform the following tasks:
- Design and maintain secure standard workstation images that enable access to the VDI environment for remote users on both macOS and Windows platforms.
- Design and maintain secure standard workstation images that enable access to the VDI environment for on-site users on both macOS and Windows platforms.
- Engineer and maintain operating system and application patching, version control, and lifecycle management for supported applications, ensuring delivery through approved mechanisms such as a company application store, Microsoft Intune, or Group Policy Objects (GPO) based on user role and access level.
- Engineer and support Microsoft Intune registration and Windows Autopilot for desktops, laptops, and CBO-issued mobile devices, including passwordless authentication and hardware-backed credentials (e.g., YubiKeys, CAC cards, or software-based keys) for privileged and sensitive accounts.
- Engineer and maintain logging, monitoring, and audit capabilities to track device enrollment, user authentication, network access, and endpoint activity to determine which users and devices are connected to the network and what activity is occurring.

Endpoint Configuration, Baseline, and Device Lifecycle Management
The Engineer shall design, implement, and maintain standardized endpoint configurations to ensure the security, compliance, and integrity of user devices and associated assets throughout their lifecycle.
This work shall be performed using approved endpoint management and deployment tools, including Ivanti, KACE, Microsoft Intune, and Windows Autopilot, as applicable. Responsibilities include, but are not limited to:
- Engineering and maintaining secure baseline configurations for macOS and Windows endpoints to support both on-site and remote access use cases.
- Using Ivanti and KACE to manage operating system and application patching, version control, deployment workflows, and remediation of configuration drift.
- Leveraging Microsoft Intune to enforce device compliance, configuration profiles, security policies, and conditional access requirements based on user role and device posture.
- Supporting Windows Autopilot for automated device provisioning, registration, and lifecycle management to ensure devices are securely configured at first use.
- Integrating device registration and user association processes to ensure accurate asset inventory, ownership tracking, and lifecycle visibility.
- Ensuring that endpoint configurations support secure authentication methods, including passwordless authentication and hardware-backed credentials, where approved.
- Monitoring endpoint configuration and compliance status to identify deviations from approved baselines and implementing corrective actions as necessary.
- Documenting baseline standards, deployment procedures, and remediation workflows to support operational continuity and audit requirements.

Imaging, Patching, and Automation (Engineering)
The Engineer shall own engineering design, validation, and lifecycle maintenance of imaging and patching processes to ensure consistent, secure workstation builds and timely vulnerability remediation. The Engineer shall assess and harden machine identity artifacts, engineer detection for persistence mechanisms, and develop remediation and recovery runbooks.
Responsibilities include:
- Design, build, and maintain standardized, division-specific workstation images for macOS and Windows that incorporate approved baseline security controls and required VDI/remote access clients.
- Maintain imaging toolchains and automation scripts (Ivanti, KACE, JAMF, or equivalent) used for image creation, testing, and deployment; validate image integrity prior to production release.
- Engineer and operate patch management processes using Ivanti (or equivalent) for OS and third-party application patching; coordinate Intune/GPO-based patch orchestration for Windows endpoints.
- Implement automation for image deployment, patch orchestration, post-patch validation, and rollback procedures to minimize manual intervention and reduce MTTR.
- Maintain version control and a formal image-release process (build → test → signoff → release); publish image versions and changes to the COR and affected stakeholder groups.
- Develop and execute validation tests after imaging or major patch cycles to confirm endpoint functionality (connectivity to VDI, authentication, application compatibility, and security agents).
- Document imaging and patch runbooks, recovery procedures, and rollback steps; retain change records in the official project repository.

Device Enrollment, Provisioning, and Asset Management
The Engineer shall ensure secure, consistent device enrollment and accurate asset tracking across the estate. The Contractor shall produce engineering documentation, operational playbooks, and conduct knowledge transfer sessions.
Responsibilities include:
- Implement and maintain enrollment workflows for Intune, Autopilot (Windows), and Apple Business Manager / JAMF for macOS and iOS devices.
- Ensure device provisioning enforces baseline profiles and security posture prior to granting network access (conditional access integration with Entra/AD).
- Integrate enrollment and provisioning with asset-inventory systems so that each device is associated with owner, role, location, and lifecycle state.
- Support lifecycle operations: provisioning, reassignment, decommission, and secure wipe; ensure proper escrow of recovery keys (e.g., FileVault) and custody records.
- Maintain an onboarding/offboarding checklist and automate steps where feasible to reduce human error and accelerate device readiness.

Monitoring, Logging, and Audit Engineering
The Engineer shall ensure endpoints produce the telemetry required for detection, troubleshooting, and forensics and that telemetry flows to central systems in a reliable and auditable manner. Responsibilities include:
- Ensure endpoint agents (EDR, AV, logging agents) are installed and reporting, and that logs (Windows Event, macOS Unified Logs, application logs) are forwarded to the SIEM/EDR platform according to documented schemas.
- Configure and maintain log-forwarding, parsing, and normalization rules so that security-relevant events are usable for detection and incident response.
- Implement monitoring of enrollment, imaging, patch status, and compliance posture; publish alert thresholds for operational failures (e.g., image deployment failures, patch rollback events, agent offline).
- Provide engineering support for forensic collections when required (artifact collection playbooks, preservation steps, and non-production test validations).
- Maintain audit trails of configuration changes, image releases, and remediation actions for compliance and post-incident review.
Assessment → Recommendation → Implementation Workflow
All work will be assigned by the COR following an assessment-to-remediation workflow. All change activities shall be documented and retained; emergency changes shall follow expedited approval processes agreed with the COR. To ensure findings produce fixes, the Engineer shall follow a formal workflow:
- Assess: Perform technical assessment; produce a Findings Report that captures risk, impacted assets, and priority.
- Recommend: Submit a written Remediation Plan with implementation steps, validation criteria, rollback procedures, resource needs, and proposed change window.
- Approve: Obtain COR and CO approvals as required by CBO change control and procurement policies.
- Implement: Execute the approved remediation during the agreed change window with full documentation of changes.
- Validate: Perform post-change validation and publish a Validation Report.

Key Personnel & Requirements

Core Engineering Experience (Required for All Roles)
- Eight (8) years of experience in Information Technology, Endpoint Engineering, or Cybersecurity.
- Six (6) years of experience performing engineering (not help desk) functions in enterprise environments.
- Experience working under formal change control, audit, and security governance processes.

Endpoint Imaging and Automation Engineering
- Experience building and maintaining Windows and macOS workstation images.
- Experience with image automation, validation, rollback, and version control.
- Experience integrating images with VDI, EDR, authentication, and logging agents.

Patch and Configuration Management Engineering (Ivanti / KACE)
- Hands-on experience using Ivanti and/or KACE for OS and application patching.
- Experience managing configuration drift, remediation workflows, and reporting.
- Experience validating patches post-deployment and supporting rollback.
Device Enrollment and Identity Engineering (Intune / Autopilot / JAMF)
- Experience with Microsoft Intune and Windows Autopilot for provisioning and compliance enforcement.
- Experience using JAMF Pro for macOS endpoint management (macOS only; not iOS unless directed).
- Experience implementing passwordless authentication and hardware-backed credentials (YubiKey, CAC, software keys).

Logging, Monitoring, and Telemetry Engineering
- Experience configuring endpoint logging (Windows Event Logs, macOS Unified Logs).
- Experience forwarding and validating logs into SIEM/EDR platforms such as MS Sentinel (but not limited to it).
- Experience supporting forensic collection and audit readiness.

Preferred Education: Bachelor’s degree in Information Technology, Cybersecurity, or a related field (or equivalent experience).
Company Description
Ohm Systems, Inc. specializes in IT and Healthcare staffing services, dedicated to linking highly skilled professionals with our public and private clients across the United States. Our track record showcases our commitment to delivering outstanding staffing and consultancy solutions to our clients. We prioritize diversity and inclusivity and take pride in being an employer that promotes equal opportunities and affirmative action. Our goal is to foster an inclusive work environment that embraces individuals from all backgrounds, irrespective of their gender, race, or orientation.
