Systems Administrator, Endpoint Configuration and Patch Management

Position Department: Enterprise Infrastructure

Position Type: Staff Full-Time

The Systems Administrator, Endpoint Configuration and Patch Management, is responsible for the configuration, deployment, patching, and security compliance of University-owned endpoints across Windows and macOS. This is a hands-on position with responsibility for imaging and provisioning new devices (Microsoft Intune / Windows Autopilot, Jamf Pro / Apple Business Manager), software distribution and patch deployment across endpoints, including lab environments, and servers, configuration baseline enforcement, and partnering with Information Security on vulnerability remediation driven by Tenable.io findings and Microsoft Defender for Endpoint posture. The role ensures compliance with the University's Information Technology patch management and endpoint security policies across all University-owned computer systems and devices, and supports identity-integrated device management.

• Patch and software distribution management across endpoints, servers, and infrastructure using Microsoft Intune, Microsoft Configuration Manager (SCCM), WSUS, and Jamf Pro, including third-party application patching. Develop PowerShell, Bash, and shell scripts to automate configuration management, software packaging, and patch deployment.
• Imaging, provisioning, and deployment of Windows and macOS endpoints, including Windows Autopilot (User-Driven and Pre-Provisioning / White Glove), SCCM task sequences for lab environments, and Jamf Pro Automated Device Enrollment via Apple Business Manager. Maintain provisioning workflows, Enrollment Status Page configuration, and OS upgrade pipelines.
• Vulnerability management and remediation in partnership with Information Security: triage Tenable.io scan findings, prioritize remediation, drive resolution through patching, configuration changes, or compensating controls.
• Configuration management and endpoint security baseline enforcement through Microsoft Intune, Group Policy, and Jamf Pro configuration profiles. Manage Microsoft Defender for Endpoint policy and partner with Information Security on Microsoft Sentinel detection content
• Maintain accurate inventory of network-connected devices (PCs, Macs, servers, switches, routers, printers, telecommunications, building controls, etc.) across multiple tools. Ensure patch and configuration schedules are followed, identify and report deviations,
• Perform routine system and configuration backups and monitor daily job completion. Participate in business continuity and disaster recovery infrastructure testing.
• Other duties as assigned.

• Bachelor’s Degree in Computer Science, Information Science or a related field preferred.
• 3–5 years of professional experience deploying, patching, and managing endpoints across Windows and macOS using modern endpoint management platforms is preferred.
• Required:
• Hands-on experience with Microsoft Intune (Endpoint Manager) and Microsoft Configuration Manager (SCCM), including co-management scenarios.
• Hands-on experience with Windows Autopilot provisioning.
• Working knowledge of Microsoft Entra ID (formerly Azure AD), including device join states (Entra-joined, hybrid-joined), Conditional Access basics, and dynamic device groups.
• Experience with Microsoft Defender for Endpoint policy management and posture reporting.
• Working knowledge of Microsoft Sentinel for investigation and reporting.
• Experience with vulnerability management platforms such as Tenable.io, including driving remediation workflows from scan results.
• Experience with PowerShell, Bash/Zsh, and scripting tools to automate endpoint configuration, application packaging, and patch deployment.
• Working knowledge of Group Policy (GPO) and modern management equivalents.
• Working knowledge of TCP/IP networking topology, protocols, and services (TCP/UDP, DNS, DHCP, certificate-based authentication, etc.).
• Demonstrated ability to partner with Information Security and Identity teams to translate policy and vulnerability findings into deployable endpoint configurations.
• Preferred:
• Experience with backup/recovery software (Veeam or similar).
• Familiarity with WSUS, third-party patching solutions, and software packaging (MSI, MSIX, PKG, Win32 .intunewin).
• Experience with PKI, EAP-TLS / certificate-based device authentication, and SCEP/NDES integration.
• Hands-on experience with Jamf Pro and Apple Business Manager / Automated Device Enrollment for macOS deployment.
• Ability to work in a self-directed manner, as well as part of a team is required.
• Strong analytical and problem solving skills are required.
• Strong interpersonal and customer service skills are required.
• Strong verbal and written communication skills are required.
• Strong organizational skills, an ability to multi-task, and an ability to thrive in a busy and changing environment.
• Flexibility to work off-hours during scheduled maintenance windows.
• Valid driver's license or the ability to have reliable transportation to travel on behalf of the university.

Exemption Status: Exempt

Act 153 Clearance Required: No

Required To Pass a Motor Vehicle Report Check (If driving on behalf of the University): Yes

Required to Pass a Credit Check: No

Additional Posting Information: None

Special Applicant Instructions: None

RMU complies with all applicable federal, state and local laws and provides equal opportunity in all educational programs and activities, admission of students and conditions of employment for all qualified individuals regardless of race, color, sex, religion, age, disability, sexual orientation, or national origin.

Federal law requires employers to provide reasonable accommodations to qualified individuals with disabilities. Please email humanresources@rmu.edu or call us at (412) 397-6270 if you require a reasonable accommodation to apply for a job or to perform your job.