About The Position

We are looking for a hands-on, generalist IT / Client Platform Engineer to own day-to-day IT operations while building scalable foundations across identity, access, device management, and onboarding/offboarding. This is not just a help desk role. While you will support employees directly, your primary mission is to design and implement automated, secure, and scalable IT systems, especially around identity (SSO/SCIM), Mac fleet management, and AWS access. You’ll be the backbone of our internal IT platform, ensuring employees have seamless access to what they need, securely and efficiently.

Requirements

  • 10+ years of experience in IT Operations / Client Platform / Endpoint Engineering in a modern company (startup experience or MacAdmins-style environments strongly preferred).
  • Strong hands-on macOS administration experience in company environments.
  • Experience managing Mac MDM solutions (Kandji, Jamf, Rippling MDM, Workspace ONE, Intune, etc.).
  • Experience with Apple zero-touch deployment (Apple Business Manager / Automated Device Enrollment).
  • Strong Google Workspace administration experience.
  • Working knowledge of: SAML SSO (setup and troubleshooting); SCIM provisioning (setup and troubleshooting); IAM fundamentals (groups, roles, least privilege, audits).
  • Hands-on experience with AWS IAM (policies, roles, access troubleshooting).
  • Comfortable providing direct support to non-technical users.
  • Strong ownership mindset: you can build processes from scratch, document them clearly, and continuously improve them.
  • Scripting and automation skills (Bash, Python) to reduce manual work.

Nice To Haves

  • OIDC knowledge.
  • Experience with Munki and/or AutoPkg for macOS software deployment.
  • Light tooling skills (Golang or JavaScript) to reduce repetitive manual workflows.
  • Experience managing IT tooling at SaaS scale (100–500 employees, many apps).
  • Familiarity with security and compliance practices (SOC 2 controls in practice: access reviews, device encryption, logging, disciplined offboarding).
  • Experience with device telemetry / visibility tools (e.g., osquery, Fleet).
  • Interest in using automation and AI features within modern IT tools to reduce repetitive work.
  • Experience (or curiosity) with AI-powered service desk tools or virtual agents.
  • Ability to design self-service flows (software access requests, password reset guidance, troubleshooting workflows) using low/no-code automation.
  • Exposure to AI-assisted SaaS management (shadow IT discovery, license insights, contract tracking).
  • Awareness of modern identity threats (phishing, session hijacking, credential stuffing) and interest in evolving toward risk-based or continuous identity security models.

Responsibilities

  • Own Google Workspace administration (email, groups, security settings, user lifecycle).
  • Manage and improve SSO integrations across SaaS apps (primarily SAML-based).
  • Troubleshoot authentication issues (SSO, MFA, sessions, login failures).
  • Implement and improve SCIM provisioning (automated create/update/deprovision flows).
  • Drive clean and automated joiner / mover / leaver processes.
  • Maintain a structured SaaS inventory (owners, licenses, criticality, usage).
  • Run periodic access reviews and enforce least-privilege access by default.
  • Own Mac fleet management end-to-end (primarily macOS).
  • Manage MDM solutions (Rippling MDM; Kandji experience highly relevant).
  • Implement and maintain zero-touch deployment via Apple Business Manager / Automated Device Enrollment.
  • Standardize device configuration (FileVault, OS updates, security baselines, Wi-Fi/VPN profiles).
  • Manage software packaging and deployment (Munki and/or AutoPkg are a plus).
  • Maintain asset inventory, lifecycle tracking, compliance, and secure offboarding wipes.
  • Manage AWS IAM access (federated access, users, roles, policies).
  • Support AWS account administration and permissions troubleshooting.
  • Enforce secure access practices: MFA, key rotation, role-based access, minimizing long-lived credentials.
  • Support audits and access reviews related to AWS environments.
  • Provide L1/L2 support for employees (accounts, laptops, SaaS issues).
  • Own internal ticket flow (prioritization, response times, documentation).
  • Create and maintain clear runbooks, onboarding guides, and internal “how-to” documentation.
  • Partner with Security, Engineering, and People Ops to deliver a smooth employee experience.

Benefits

  • Extensive access to leading AI tools and subscriptions, with AI actively encouraged and integrated into daily workflows.
  • Stock options program.
  • We conduct two performance reviews annually. The first addresses performance ratings, bonuses, and promotions. The second encompasses these elements along with salary adjustments reflecting inflation and market conditions.
  • Unlimited, flexible PTO.
  • Flexible work schedule.
  • Company laptop and allowance for any necessary home equipment.
  • Daily stipend for commuting to the office.
  • Company-paid trips for annual off-sites and onsites.
  • Insurance covered by Crossmint.
  • 401(k) Plan (US only).