Endpoint Architect (Bilingual) – SCCM, MS Intune

91301
TORONTO, Ontario
Contract
Job Title: Endpoint Architect (Bilingual) – SCCM, MS Intune

Location: Montreal, QC or Toronto, ON (Hybrid)

Estimated Duration: 12 Months

Our client is seeking an Endpoint Architect to support their Media Endpoint Workstations Management Project.

Project Context

Historically, the majority of media workstations (control rooms, studios, radio) for the client have been unmanaged, managed manually by local teams or via fragmented tools (such as Ivanti or PDQ Deploy). This creates a heavy operational burden and disparities in cybersecurity posture.

The project aims to integrate these critical workstations into the enterprise Unified Endpoint Management (UEM) ecosystem by leveraging existing Microsoft licenses (Intune and SCCM). The transition must be executed without any disruption to content creation and live broadcast operations.

Engagement Objectives

  • Standardization: Integrate media workstations into Intune and SCCM to align them with enterprise standards.
  • Security: Apply centralized security, configuration, and compliance policies tailored to media environments.
  • Operational Efficiency: Reduce the manual management burden on local teams and retire legacy management tools (e.g., Ivanti).
  • Optimized Deployment: Reduce media workstation deployment and imaging time through automation and image standardization.

Scope of Work (Responsibilities)

The consultant will act as the Lead Endpoint Architect, serving as the technical design and implementation authority for the project. Responsibilities include:

  • Discovery and Inventory Profiling: Lead the effort to identify and map currently unmanaged or locally managed media workstations. This includes an exhaustive inventory of hardware (make, model), operating systems, proprietary software, vendor proprietary dependencies/warranties, and the exact purpose of each workstation.
  • Analysis and Strategy: Assess the unique media use cases (Radio, Studio, Master Control Room) based on the inventory data and design a tailored Intune and SCCM co-management architecture.
  • Role-Based Access Control (RBAC) Design & Delegation: Analyze the daily operational requirements of regional maintenance and IT teams. Design and implement a granular RBAC model within Intune and SCCM that provides local teams with the exact permissions needed to manage, support, and troubleshoot media workstations efficiently, without granting unnecessary enterprise-wide administrative rights.
  • Third-Party Vendor Collaboration: Liaise with proprietary broadcast software and hardware vendors to validate compatibility, understand support constraints, and ensure that applied security policies do not void vendor warranties or service level agreements.
  • Technical Validation (POC & Pilots): Lead rigorous testing and pilot deployments to ensure security and compliance policies (EDR, Defender, updates) have zero negative impact on live broadcast performance.
  • Implementation and Regional Rollout: Execute the migration plan by building and configuring the SCCM/Intune environments according to the approved architecture. Oversee and execute the phased enrollment of media workstations across all regions, ensuring seamless operational continuity.
  • Documentation Governance: Author detailed architectural documentation and ensure knowledge transfer to regional maintenance teams.
  • Change Management Technical Support: Partner with the Project Manager by providing clear technical impact assessments, deployment timelines, and the technical narrative needed to support end-user communications and training materials.
  • Strategic Leadership: Act as the technical bridge between corporate cybersecurity standards and the operational requirements of broadcast engineers.

Key Deliverables

  1. Equipment Inventory and Profiling Matrix: A detailed registry documenting the current state of media workstations (hardware, specialized software, external vendor requirements, and network connectivity).
  2. Media Use-Case Analysis Report: Identification of technical and operational constraints by environment type (air-gapped, latency-sensitive, etc.).
  3. RBAC Matrix and Delegation Model: A documented access control framework detailing the specific roles, scope tags, and permissions assigned to regional IT staff within the Intune and SCCM administrative consoles.
  4. Detailed Architecture Document (High & Low Level Design): Design of the SCCM/Intune co-management solution adapted for media workstations.
  5. Migration and Decommissioning Plan: Strategy for retiring local tools (Ivanti/PDQ Deploy) and integrating into the Microsoft ecosystem.
  6. Proof of Concept (POC) and Pilot Testing Report: Validation of configurations in isolated environments prior to general deployment.
  7. Configured Production Environment: A fully functional, tested, and secured Intune/SCCM co-management infrastructure configured specifically for media workloads.
  8. Completed Regional Rollouts: Successful enrollment of the targeted media workstations into the new UEM platform, followed by the decommissioning of legacy tools (e.g., Ivanti).
  9. Operational Documentation (Runbooks): Deployment and maintenance guides for local support teams.

Work Modalities and Logistics

  • Work Location: Hybrid model, based out of the Montreal or Toronto offices.
  • On-site Presence: In-office presence is required two (2) days per week. (This condition is negotiable and may vary depending on critical project phases.)
  • Travel: The consultant may be required to travel occasionally across the country based on deployment needs or local infrastructure analysis.

Governance and Reporting

  • Reporting Structure: The consultant will report directly to Mathieu Leboeuf, Senior Manager, Endpoint Technology.
  • Operational Tracking: Weekly status meetings will be established to evaluate project progress.

Qualifications Required

  • Education: University degree, or college diploma, in the field of computer science or an equivalent combination of education and relevant experience.
  • Experience: 7+ years in a technical leadership or systems architect role, with a demonstrated focus on enterprise endpoint technologies.
  • Technological Expertise: Deep, hands-on technical working experience with Microsoft Intune, SCCM, Autopilot, Active Directory, Azure/Entra ID, and Group Policy Management (GPO).
  • Automation: Strong knowledge of scripting languages (PowerShell, Bash) for automation and non-intrusive policy deployment.
  • Soft Skills & Leadership: Strong communication, collaboration, and leadership abilities, specifically in managing technical change with specialized stakeholders. Excellent problem-solving, analytical, and troubleshooting skills. Highly self-motivated, directed, and able to exercise sound judgment, work independently, and take initiative.
  • Critical Context: Sensitivity to, or direct experience with, high-availability, mission-critical, or broadcast/media IT environments where system interruption is not an option.
  • Assets:
      • Experience with legacy deployment and management tools (such as Ivanti or PDQ Deploy).
      • Bilingualism (French/English).
      • Specific knowledge of broadcast or media IT production environments and proprietary media software/hardware constraints.

 

The pay range that the employer reasonably expects to pay for this position is between CA$80.00 and CA$95.00.

Our voluntary benefits offering includes medical, dental, vision and retirement benefits.

This posting is for an existing vacancy.


Tundra Technical Solutions is a global workforce and technology delivery firm, ranked by Staffing Industry Analysts as one of the largest in North America. At Tundra, we aren't just hiring top talent at the world's most recognizable brands; we are pioneers of social recruitment. We are an equal opportunity employer, and we do not discriminate on the basis of race, religion, color, national origin, sex, sexual orientation, age, veteran status, disability, genetic information, or other legally protected characteristics. We welcome and encourage diversity in the workplace.

We use artificial intelligence tools to help our recruiters screen and assess talent. These tools do not replace human decision making in the process.
