Role Description We are looking for a Staff Endpoint Security Engineer with deep expertise across Windows, macOS, and Linux environments to lead and mature our endpoint security programme. You will be responsible for the design, deployment, and continuous improvement of our endpoint protection, detection, and response capabilities, as well as our Mobile Device Management (MDM) infrastructure. Working closely with IT, security operations, and compliance teams, you will ensure that every managed device across the organisation meets the highest security standards — from first enrolment to decommission. What You Will Bring to ChargePoint - Endpoint Protection & Hardening - Define, implement, and enforce endpoint security baselines and hardening standards across Windows, macOS, and Linux platforms in alignment with CIS Benchmarks, NIST guidelines, and organisational policy. - Deploy, manage, and tune Endpoint Detection and Response (EDR) solutions (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, or equivalent) across all device types. - Implement and maintain antivirus, anti-malware, host-based firewall, application allowlisting/blocklisting, and data loss prevention (DLP) controls. - Conduct regular endpoint vulnerability assessments and drive timely remediation in coordination with IT and asset owners. - Manage full-disk encryption across platforms — BitLocker (Windows), FileVault (macOS), and LUKS/dm-crypt (Linux). - Mobile Device Management (MDM) - Architect, deploy, and manage enterprise MDM solutions — including Jamf Pro (macOS/iOS), Microsoft Intune, VMware Workspace ONE, or equivalent platforms — across the organisation's full device fleet. - Design and enforce MDM enrolment workflows, device compliance policies, configuration profiles, and conditional access rules. - Manage application lifecycle through MDM — packaging, deployment, patching, and removal across managed endpoints. - Manage certificate lifecycle and PKI integration for device authentication and Wi-Fi/VPN access. - Windows Endpoint Security - Manage and harden Windows endpoints using Group Policy (GPO), Microsoft Endpoint Configuration Manager (MECM/SCCM), and Microsoft Intune. - Implement and maintain Windows Defender suite — Defender Antivirus, Defender for Endpoint, Defender Firewall, and Attack Surface Reduction (ASR) rules. - Oversee Windows patch management processes ensuring timely deployment of OS and application updates. - Configure and monitor Windows Event Logging, Sysmon, and audit policies for comprehensive endpoint telemetry. - macOS Endpoint Security - Manage macOS fleet security using Jamf Pro — configuration profiles, extension attributes, smart groups, policies, and patch management. - Implement macOS security controls including system integrity protection (SIP), Gatekeeper, TCC (Transparency, Consent & Control), and secure boot settings. - Develop and maintain custom Jamf scripts (Bash, Python, Swift) for automation, remediation, and compliance reporting. - Manage macOS MDM enrolment via Apple Business Manager (ABM) / Apple School Manager (ASM) and DEP/ADE workflows. - Linux Endpoint Security - Harden Linux endpoints (Ubuntu, RHEL, CentOS, Debian, or equivalent) using industry-standard security frameworks and configuration management tools (Ansible, Chef, Puppet, or similar). - Implement and manage SELinux / AppArmor policies, auditd configurations, and host-based intrusion detection (OSSEC, Wazuh, or equivalent). - Manage Linux patch management and software inventory using tools such as Landscape, Ansible, or Satellite. - Monitor and respond to Linux endpoint security events using EDR agents and SIEM integrations. - Threat Detection & Incident Response - Triage and respond to endpoint security alerts and incidents — containment, investigation, eradication, and recovery. - Perform endpoint forensic analysis including memory forensics, disk imaging, and log analysis during security incidents. - Develop and maintain endpoint-specific detection rules, threat hunting queries, and playbooks. - Collaborate with the SOC/SIEM team to enrich endpoint telemetry and improve detection coverage. - Compliance & Governance - Ensure endpoint security posture meets compliance requirements for relevant frameworks (SOC 2, ISO 27001, CIS Controls, NIST CSF, PCI-DSS, HIPAA where applicable). - Maintain endpoint asset inventory and configuration management database (CMDB) accuracy. - Produce regular endpoint compliance and health reports for security leadership and audit purposes. - Develop and enforce acceptable use, BYOD, and device security policies. - Leadership & Collaboration - Mentor junior and mid-level endpoint security engineers and IT operations staff. - Define endpoint security roadmap and drive continuous improvement initiatives. - Evaluate and onboard new endpoint security tooling; manage vendor relationships. - Collaborate with HR and IT on joiners/movers/leavers processes to ensure secure device provisioning and deprovisioning. Qualifications - 7–9 years of hands-on experience in endpoint security, systems administration, or a closely related field. - Expert-level knowledge of Windows endpoint security — Group Policy, Intune, SCCM/MECM, Defender for Endpoint, and Windows hardening. - Expert-level knowledge of macOS endpoint security — Jamf Pro, Apple Business Manager, configuration profiles, and macOS security controls. - Solid experience with Linux endpoint security — hardening, SELinux/AppArmor, auditd, and Linux-based EDR/HIDS solutions. - Deep, proven experience with enterprise MDM platforms (Jamf Pro, Microsoft Intune, Workspace ONE, or equivalent) in a large-scale environment. - Hands-on experience with EDR/EPP platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, or equivalent). - Strong scripting skills for automation and endpoint management — Bash, PowerShell, Python, and/or Swift. - Solid understanding of PKI, certificate management, and secure authentication (SAML, OAuth, SCIM, conditional access). - Familiarity with SIEM platforms and endpoint telemetry integration (Splunk, Microsoft Sentinel, Elastic, or equivalent). - Strong knowledge of endpoint security frameworks: CIS Benchmarks, NIST SP 800-70, DISA STIGs. Nice to Have - Experience with Zero Trust Network Access (ZTNA) and integration of MDM compliance with identity providers (Okta, Azure AD, Ping Identity). - Familiarity with privileged access management (PAM) tools (CyberArk, BeyondTrust, or similar). - Exposure to mobile security (iOS, Android) within an MDM context. - Experience with vulnerability management platforms (Tenable, Qualys, Rapid7). - Knowledge of macOS and Linux forensics tooling (osquery, Velociraptor, or similar). - Relevant certifications: CISSP, CISM, CompTIA Security+, CEH, Microsoft SC-300/MD-102, Jamf Certified Admin/Expert, CrowdStrike CCFA/CCFR, or equivalent. - Experience in regulated industries (FinTech, Healthcare, Legal, or Enterprise SaaS). Location Gurgaon/Remote Company Description We are committed to an inclusive and diverse team. ChargePoint is an equal opportunity employer. We do not discriminate based on race, color, ethnicity, ancestry, national origin, religion, sex, gender, gender identity, gender expression, sexual orientation, age, disability, veteran status, genetic information, marital status or any legally protected status. If there is a match between your experiences/skills and the Company needs, we will contact you directly. ChargePoint is committed to fostering an inclusive workplace that welcomes and supports all qualified individuals. In alignment with this commitment, we ensure that persons with disabilities are provided with reasonable accommodations throughout the employment process. If you need a reasonable accommodation to participate in the application or interview process, to perform essential job functions, or to access any other benefits and privileges of employment, please contact us at accommodations@chargepoint.com. ChargePoint is an equal opportunity employer. Applicants only - Recruiting agencies do not contact.