Projects

Selected delivery work.

Representative builds combining endpoint scripting, cybersecurity operations, Docker/virtualization infrastructure, configuration-as-code pipelines, and deployment governance across GitHub Actions and Azure DevOps.

Cross-Platform Endpoint Script Platform

Challenge
Large script estate across Windows and macOS needed consistent structure, safer execution, and lower maintenance overhead.
Approach
Standardized templates, module bootstrap patterns, run-requirement gating, and CI checks for contract drift and script inventory integrity.
Stack
PowerShell, zsh/bash, Microsoft Intune remediation scripts, GitHub Actions guardrails, Azure DevOps pipeline integrations.
Outcome
Consistent execution model across a 900+ file endpoint repo with stronger reliability and faster rollout of shared improvements.
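The template-plus-gating pattern described above, as an added example (not code from the repository this entry describes): one contract block the CI checks can diff for drift, a gate that refuses to run when the contract is not met, and an Intune remediation exit-code convention. The contract values, the exit code 2 for "gate failed", and the UAC registry check used as the sample detection are assumptions.

```powershell
#Requires -Version 5.1
<#
  Added example of the script template pattern; not code from the page's own
  repository. The contract block, the exit-code convention for "gate failed"
  (2) and the UAC check used as the sample detection are assumptions.
#>
[CmdletBinding()]
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'
)

# Run requirements live in one place so CI can diff them for contract drift.
$Script:Contract = @{
    Name          = 'Ensure-UACEnabled'
    MinPSVersion  = [version]'5.1'
    Platform      = 'Windows'
    RequiresAdmin = $true
    Modules       = @()          # e.g. 'Microsoft.Graph.Authentication'
}

function Test-RunRequirement {
    # Returns a list of blocking problems; an empty list means the gate passes.
    param([Parameter(Mandatory)][hashtable]$Contract)

    $failures = [System.Collections.Generic.List[string]]::new()

    if ($PSVersionTable.PSVersion -lt $Contract.MinPSVersion) {
        $failures.Add("Needs PowerShell $($Contract.MinPSVersion)+, found $($PSVersionTable.PSVersion)")
    }

    # $IsWindows only exists on PowerShell 6+; the Desktop edition is always Windows.
    $onWindows = ($PSVersionTable.PSEdition -eq 'Desktop') -or [bool]$IsWindows
    if ($Contract.Platform -eq 'Windows' -and -not $onWindows) {
        $failures.Add('Windows-only script executed on another platform')
    }

    if ($Contract.RequiresAdmin -and $onWindows) {
        $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            $failures.Add('Must run elevated (Intune: run in SYSTEM context, not as the logged-on user)')
        }
    }

    foreach ($module in $Contract.Modules) {
        if (-not (Get-Module -ListAvailable -Name $module)) {
            $failures.Add("Required module not installed: $module")
        }
    }
    return $failures
}

$uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-Compliance {
    # Sample check: UAC (EnableLUA) must be 1.
    $value = (Get-ItemProperty -Path $uacPath -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($value -eq 1)
}

function Invoke-Remediation {
    Set-ItemProperty -Path $uacPath -Name EnableLUA -Value 1 -Type DWord
}

# ---- main: gate first, then honour the Intune exit-code contract -------------
# Intune only distinguishes 0 (compliant / remediated) from non-zero, so the
# first line of output is what tells you *why* a run failed in the portal.
$blocking = Test-RunRequirement -Contract $Script:Contract
if ($blocking.Count -gt 0) {
    Write-Output "GATE FAILED [$($Script:Contract.Name)]: $($blocking -join '; ')"
    exit 2
}

switch ($Mode) {
    'Detect' {
        if (Test-Compliance) { Write-Output 'Compliant: UAC enabled'; exit 0 }
        Write-Output 'Non-compliant: UAC disabled'; exit 1
    }
    'Remediate' {
        Invoke-Remediation
        if (Test-Compliance) { Write-Output 'Remediated: UAC enabled'; exit 0 }
        Write-Output 'Remediation failed: UAC still disabled'; exit 1
    }
}
```

Because Intune runs detection and remediation as two separate scripts, the same file is deployed twice with a different `-Mode`; the gate runs in both, so a remediation never executes under a context the detection would have refused.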

Intune Configuration-as-Code Backup Automation

Challenge
Needed a repeatable and auditable way to capture tenant configuration drift without manual exports.
Approach
Implemented a daily Azure DevOps backup pipeline using IntuneCD: export tenant configuration as JSON, detect changes, commit with context, tag, and generate markdown documentation. Added GitHub Actions checks for script and config contracts on pull requests.
Stack
Azure DevOps YAML, GitHub Actions, IntuneCD, PowerShell/Bash, Microsoft Graph integrations.
Outcome
Reliable configuration history with automated change tracking and stronger governance for endpoint policy evolution.
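The detect-changes, commit-with-context and tag step of that pipeline, as an added example that is not the page's own pipeline code. It assumes the IntuneCD export has already run into `$BackupPath`, that this path is the root of a git working tree whose first-level folders are IntuneCD's per-configuration-type directories, and that the `intune(<tenant>)` subject line, bot identity and tag layout are conventions chosen here.

```powershell
<#
  Added example, not the page's pipeline code: the detect-changes / commit /
  tag step that runs after an IntuneCD JSON export. $BackupPath is assumed to
  be the root of a git working tree whose first-level folders are IntuneCD's
  per-configuration-type directories; the tag format, bot identity and the
  "intune(tenant)" subject convention are assumptions.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$BackupPath,
    [string]$Tenant = 'prod',
    [string]$Actor  = $env:BUILD_REQUESTEDFOR   # set by Azure DevOps; empty on scheduled runs
)

function Get-BackupChange {
    # Parses `git status --porcelain` (stable, script-safe output) into objects.
    param([string]$Path)
    foreach ($line in (git -C $Path status --porcelain)) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $status = $line.Substring(0, 2)
        $file   = $line.Substring(3).Trim('"')
        if ($file -match ' -> ') { $file = ($file -split ' -> ')[-1] }   # renames: keep the new path
        $kind = 'modified'
        if ($status -match '^\?\?|^A') { $kind = 'added' }
        elseif ($status -match 'D')    { $kind = 'removed' }
        [pscustomobject]@{
            Kind = $kind
            Type = ($file -split '[\\/]')[0]   # e.g. "Compliance Policies"
            File = $file
        }
    }
}

function New-CommitMessage {
    # Subject summarises per-type counts; body lists every file, so `git log`
    # alone answers "what changed in the tenant, and when".
    param([object[]]$Changes, [string]$Tenant, [string]$Actor)
    $groups  = $Changes | Group-Object Type | Sort-Object Name
    $summary = ($groups | ForEach-Object { "$($_.Name): $($_.Count)" }) -join ', '
    $who     = if ($Actor) { $Actor } else { 'scheduled backup' }
    $lines   = @("intune($Tenant): $summary", '', "Triggered by: $who", '')
    foreach ($g in $groups) {
        $lines += "## $($g.Name)"
        $lines += $g.Group | ForEach-Object { "- [$($_.Kind)] $($_.File)" }
    }
    return $lines
}

$changes = @(Get-BackupChange -Path $BackupPath)
if ($changes.Count -eq 0) {
    Write-Host "No configuration drift for '$Tenant'; nothing to commit."
    exit 0
}

# Hosted agents have no git identity; use an assumed bot identity for the audit trail.
git -C $BackupPath config user.name  'IntuneCD backup'
git -C $BackupPath config user.email 'intunecd-backup@noreply.local'
git -C $BackupPath add -A

# Multi-line message via file so it survives the agent's shell quoting.
$msgFile = Join-Path ([IO.Path]::GetTempPath()) "intune-commit-$([guid]::NewGuid()).txt"
Set-Content -Path $msgFile -Value (New-CommitMessage -Changes $changes -Tenant $Tenant -Actor $Actor) -Encoding utf8
git -C $BackupPath commit --quiet -F $msgFile
Remove-Item $msgFile

$tag = "backup/$Tenant/$(Get-Date -Format 'yyyyMMdd-HHmmss')"
git -C $BackupPath tag -a $tag -m "IntuneCD backup of $Tenant"
git -C $BackupPath push --quiet origin HEAD --tags
Write-Host "Committed $($changes.Count) change(s) and tagged $tag"
```

For the push to work from Azure DevOps the `checkout` step needs `persistCredentials: true`, and the build service identity needs Contribute and Create tag permissions on the repo; keep the app registration IntuneCD uses read-only so the backup job can never become a write path into the tenant.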

Markdown-Driven Intune App Lifecycle

Challenge
App onboarding/offboarding and assignment management created operational friction and manual group handling.
Approach
Built pipelines that parse markdown app definitions, package/deploy Intune apps, auto-create assignment groups, and support controlled offboarding.
Stack
PowerShell, Azure DevOps, GitHub Actions, Intune Win32 app workflows, Entra ID group automation.
Outcome
Faster and more consistent app delivery with reduced manual errors in assignment and publishing flow.
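A parser for the markdown app definitions the pipeline consumes, as an added example that is not the page's own code. The page does not show its definition layout, so the format here (an H1 with the display name, then `- key: value` bullets), the required-field list, the `id` pattern and the `App-<id>-<Intent>` group naming are all assumptions; the sample definition at the end is constructed.

```powershell
<#
  Added example, not the page's own pipeline code. The markdown layout is an
  assumed definition format: an H1 with the display name, then "- key: value"
  bullets. The required-field list, the id pattern and the group naming
  convention ("App-<id>-<Intent>") are assumptions as well.
#>
function ConvertFrom-AppDefinition {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Markdown)

    $fields = [ordered]@{}
    $displayName = $null
    foreach ($line in ($Markdown -split "`r?`n")) {
        if ($line -match '^#\s+(?<name>\S.*?)\s*$') { $displayName = $Matches.name; continue }
        if ($line -match '^\s*[-*]\s+(?<key>[A-Za-z][\w-]*)\s*:\s*(?<value>\S.*?)\s*$') {
            $fields[$Matches.key.ToLowerInvariant()] = $Matches.value
        }
    }

    # Validate before anything touches Intune or Entra; report every problem at once.
    $errors = @()
    if (-not $displayName) { $errors += 'missing H1 display name' }
    foreach ($required in 'id', 'publisher', 'installer', 'install', 'uninstall', 'detection') {
        if (-not $fields.Contains($required)) { $errors += "missing field '$required'" }
    }
    if ($fields['id'] -and $fields['id'] -notmatch '^[a-z0-9][a-z0-9-]{1,40}$') {
        $errors += "id '$($fields['id'])' must be lowercase letters, digits or '-' (it becomes part of group names)"
    }
    if ($errors) { throw "Invalid app definition: $($errors -join '; ')" }

    $id      = $fields['id']
    $retired = ($fields['status'] -eq 'retired')
    $groups  = @()
    if ($retired) {
        # Controlled offboarding: every listed audience collapses into one Uninstall group.
        $members = foreach ($k in 'required', 'available', 'uninstall') {
            if ($fields.Contains($k)) { $fields[$k] -split '\s*,\s*' }
        }
        $groups += [pscustomobject]@{
            Name = "App-$id-Uninstall"; Intent = 'Uninstall'
            Members = @($members | Where-Object { $_ } | Sort-Object -Unique)
        }
    }
    else {
        # One assignment group per app and intent; the bullet lists the member groups to nest.
        foreach ($intent in 'Required', 'Available', 'Uninstall') {
            $key = $intent.ToLowerInvariant()
            if (-not $fields.Contains($key)) { continue }
            $groups += [pscustomobject]@{
                Name = "App-$id-$intent"; Intent = $intent
                Members = @($fields[$key] -split '\s*,\s*' | Where-Object { $_ })
            }
        }
    }

    [pscustomobject]@{
        DisplayName      = $displayName
        Id               = $id
        Publisher        = $fields['publisher']
        Installer        = $fields['installer']
        InstallCommand   = $fields['install']
        UninstallCommand = $fields['uninstall']
        Detection        = $fields['detection']
        Offboard         = $retired
        Groups           = $groups
    }
}

# Constructed sample definition (not from the page).
$sample = @'
# 7-Zip
- id: 7zip
- publisher: Igor Pavlov
- installer: 7z2408-x64.msi
- install: msiexec /i 7z2408-x64.msi /qn
- uninstall: msiexec /x 7z2408-x64.msi /qn
- detection: file "C:\Program Files\7-Zip\7z.exe"
- required: sg-engineering, sg-it
- available: sg-all-staff
'@

$app = ConvertFrom-AppDefinition -Markdown $sample
$app | Format-List DisplayName, Id, Offboard
$app.Groups | Format-Table Name, Intent, Members
```

Validating the `id` pattern matters more than it looks: it is interpolated into Entra group names and package paths, so a definition with spaces or path separators in it would otherwise produce mismatched groups or a packaging step writing outside its folder.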

Device Attribute Orchestration for Update Rings

Challenge
Patch/update targeting depends on accurate user, location, and device-type attributes that change over time.
Approach
Implemented scheduled device-attribute pipelines (every 12 hours) across Windows and macOS to continuously align targeting metadata.
Stack
PowerShell 7, Microsoft Graph device APIs, Azure DevOps scheduled jobs, GitHub Actions validation workflows.
Outcome
More reliable policy and ring assignment behavior as devices and primary-user contexts evolve.
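One way to implement the attribute pipeline, as an added example rather than the page's own code: derive a ring for every Intune-managed device from its primary user and that user's office location, then write it to an Entra device extension attribute, which a dynamic group rule such as `(device.extensionAttribute1 -eq "ring-broad")` can feed into the update ring. The ring names, the mapping rules, the choice of `extensionAttribute1` and the pilot-user list are assumptions; it needs the Microsoft.Graph modules and the `DeviceManagementManagedDevices.Read.All`, `User.Read.All` and `Device.ReadWrite.All` permissions.

```powershell
<#
  Added example, not the page's pipeline: derive an update-ring value for every
  Intune-managed device and write it to an Entra device extension attribute so a
  dynamic group rule such as (device.extensionAttribute1 -eq "ring-broad") can
  feed the ring. Ring names, the mapping rules, the use of extensionAttribute1
  and the pilot-user list are assumptions.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$PilotUsers = @('it-pilot@contoso.example'),   # assumed
    [string]$Attribute = 'extensionAttribute1'
)

function Get-TargetRing {
    # Pure decision logic: no Graph calls, so the mapping can be unit-tested in
    # the GitHub Actions validation workflow before anything is written.
    param(
        [string]$PrimaryUser,      # UPN; empty for shared/kiosk devices
        [string]$OfficeLocation,   # from the primary user's Entra profile
        [string[]]$PilotUsers
    )
    if ([string]::IsNullOrEmpty($PrimaryUser)) { return 'ring-shared' }  # no owner: slowest ring
    if ($PilotUsers -contains $PrimaryUser)    { return 'ring-pilot' }
    if ($OfficeLocation -like 'HQ*')           { return 'ring-early' }
    return 'ring-broad'
}

function Sync-DeviceRingAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$PilotUsers, [string]$Attribute)

    $devices  = Get-MgDeviceManagementManagedDevice -All -Property id,deviceName,operatingSystem,azureADDeviceId,userPrincipalName
    $location = @{}   # UPN -> officeLocation cache: one Graph call per user, not per device

    foreach ($d in $devices) {
        $upn = $d.UserPrincipalName
        $loc = $null
        if ($upn) {
            if (-not $location.ContainsKey($upn)) {
                $user = Get-MgUser -UserId $upn -Property officeLocation -ErrorAction SilentlyContinue
                $location[$upn] = $user.OfficeLocation
            }
            $loc = $location[$upn]
        }
        $ring = Get-TargetRing -PrimaryUser $upn -OfficeLocation $loc -PilotUsers $PilotUsers

        # The attribute lives on the Entra directory object, not on the Intune managedDevice.
        $dir = Get-MgDevice -Filter "deviceId eq '$($d.AzureAdDeviceId)'" -Property id,extensionAttributes
        if (-not $dir) { Write-Warning "No Entra device object for $($d.DeviceName)"; continue }

        $current = $dir.ExtensionAttributes.$Attribute
        if ($current -eq $ring) { continue }   # idempotent: only drifted devices are patched

        if ($PSCmdlet.ShouldProcess($d.DeviceName, "$Attribute '$current' -> '$ring'")) {
            Update-MgDevice -DeviceId $dir.Id -BodyParameter @{ extensionAttributes = @{ $Attribute = $ring } }
        }
        [pscustomobject]@{ Device = $d.DeviceName; OS = $d.OperatingSystem; From = $current; To = $ring }
    }
}

# Interactive sign-in for a dry run; the scheduled pipeline would use client-credential auth instead.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'User.Read.All', 'Device.ReadWrite.All' -NoWelcome
Sync-DeviceRingAttribute -PilotUsers $PilotUsers -Attribute $Attribute -WhatIf:$WhatIfPreference | Format-Table
```

Run it with `-WhatIf` first: the output lists every device whose ring would change, which is the review artifact you want before a 12-hourly job is allowed to move devices between rings on its own. Keeping the decision in `Get-TargetRing` with no Graph dependency is what lets the validation workflow assert the mapping on fixture data.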

Endpoint Security Operations at Scale

Challenge
Public transit infrastructure required continuous endpoint security posture enforcement across a large, distributed device fleet with strict compliance requirements.
Approach
Operated cybersecurity tooling for endpoint hardening, compliance policy enforcement, zero-trust access controls, and security incident response across managed devices. Ensured alignment with organizational security guidelines and audit requirements.
Stack
Microsoft Intune compliance policies, Conditional Access, Microsoft Defender for Endpoint, Entra ID, PowerShell remediation scripts.
Outcome
Maintained security posture across the endpoint fleet with automated compliance enforcement and faster incident response capability.

Fractional IT Operations for Small Organizations

Challenge
Small organizations needed reliable technology operations — device setup, user management, helpdesk, and security — without the overhead of a full-time IT hire.
Approach
Provided ongoing fractional IT support including device provisioning, user account lifecycle management, network troubleshooting, security camera systems, and administrative workflow automation.
Stack
Microsoft 365, Entra ID, Intune, cloud document management, communications platforms, physical security systems.
Outcome
Consistent, responsive technology operations with clear documentation and handoff-ready systems for organizations with 10–200 users.

Home Infrastructure and Private AI Operations

Challenge
Needed a single self-hosted platform for secure access, observability, media services, and AI-assisted workflows without sending sensitive data to external SaaS tools.
Approach
Built a multi-host Docker Compose environment with 30+ containers spanning reverse proxy, media automation, monitoring, and local AI inference. Ingress is zero-trust: Cloudflare Tunnel connects outbound, so no inbound ports are exposed on the hosts, Cloudflare Access enforces identity at the edge, and SWAG NGINX behind the tunnel handles TLS termination, subdomain routing, and auth.
Stack
Docker Compose, Portainer, SWAG NGINX, Cloudflare Tunnel/Access, Prometheus/Grafana/Loki, Plex/Radarr/Sonarr, local model serving (Ollama, Open WebUI), and shell automation.
Outcome
Unified private platform running 30+ services with automated updates, centralized logging, and tighter control over data residency. Serves as a live proving ground for container orchestration patterns applied to client work.

Virtualization & Container Migration

Challenge
Client environments running legacy VMware vSphere and Hyper-V workloads, with Workspace ONE for endpoint management, needed modernization — some to containerized stacks, others to right-sized VM infrastructure with better lifecycle management.
Approach
Assessed existing virtual machine sprawl, identified workloads suitable for Docker containerization, and migrated services incrementally with rollback plans. For workloads that needed to stay on VMs, consolidated hosts and implemented backup/snapshot automation.
Stack
VMware vSphere/ESXi, Omnissa Workspace ONE (formerly VMware Workspace ONE), Hyper-V, Docker Compose, Portainer, PowerShell automation, backup scripting.
Outcome
Reduced VM count, faster service recovery times, and a clear separation between workloads that belong in containers versus those that need full VM isolation.

Docker-Based Service Delivery for Small Organizations

Challenge
Small organizations and schools needed self-hosted services (file sharing, internal tools, monitoring) but lacked the budget or expertise for traditional server infrastructure.
Approach
Deployed Docker Compose stacks on low-cost hardware or cloud VMs with automated updates, health checks, and backup-to-cloud routines. Documented everything for handoff to non-technical staff.
Stack
Docker Compose, Watchtower, NGINX reverse proxy, Let's Encrypt TLS, cloud backup scripts, Portainer for management UI.
Outcome
Production-ready self-hosted services running reliably with minimal maintenance overhead and clear runbooks for the client's team.

Daily CIO Portfolio Workbench

Challenge
Wanted a portfolio decision tool that could reason over holdings without requiring brokerage integrations.
Approach
Built a root-domain workbench that accepts manual positions, pasted exports, or OCR from screenshots, then passes an auditable snapshot into a guardrailed local CIO agent.
Stack
Static site UX on SWAG, client-side OCR, FastAPI CIO backend, local finance file ingestion, and Qdrant-backed retrieval.
Outcome
A fast, privacy-preserving daily brief workflow that turns local portfolio context into ranked, citable recommendations.

Want to see this kind of delivery in your environment?

I help teams build endpoint systems that are reliable, governed, and ready to hand off.

Start a Conversation →