Skip to main content

Enforcing Google SSO at Mac Login

Swif’s Apple Platform SSO Policy lets you replace the local macOS login window with Google Workspace Single Sign-On. Users authenticate with their Google credentials, and Swif provisions (or verifies) the matching local account before sign-in completes.

If you want to tightly control device passwords on managed macOS devices using Google SSO, learn more at Apple Platform SSO & Apple User Authorization Policy.


Prerequisites

Requirement

Details

macOS 11 Big Sur or later

Ensure the Swif Agent v1.235.0+ is installed.

Google Workspace tenant

Admin rights to create an OAuth 2.0 client. Application Type: Web Application.

Swif Org Admin

Ability to create policies and deploy to Mac devices.

Google 2FA

Google SSO 2FA works but passkey (eg. touch ID) doesn't allow at Apple Platform SSO.


Create a Google Workspace OAuth Client

  1. Go to Google Cloud Console → APIs & Services → Credentials.

  2. Click Create Credentials → OAuth client ID →Application Type: Web Application.

  3. Authorized redirect URI → add https://127.0.0.1/ (loopback).

  4. Save → copy the Client ID and Client secret.


Create an Platform SSO Policy in Swif

  1. Policies → Create New Policy → Platform SSO Policy.

  2. Fill the fields:

Field

Example

Description

Client ID

XXXXXXXX-…apps.googleusercontent.com

Your Google OAuth Client ID.

Client Secret

GOCSPX-yyy…

Google OAuth Client Secret.

Discovery URL

https://accounts.google.com/.well-known/openid-configuration

Google’s OIDC metadata URL.

Redirect URI

https://127.0.0.1/

Loopback redirect the macOS agent listens on.

Scopes

openid email profile

Minimum scopes for ID token + profile.

Should Set Google Access Type To Offline

true

Requests a refresh token (keeps login valid offline).

Create Admin User

true

If the local macOS user doesn’t exist, create it with admin rights.

Map First Name / Map Last Name

given_name / family_name

JWT claims → macOS record fields.

Map Username / Map Full Username

name

Maps entire Google address to macOS short user name.

Save the policy.


Assign the Policy to Devices

  1. Choose the Mac devices or Smart Group that should enforce Google SSO.

  2. Click Deploy.

  3. Swif pushes a configuration profile that replaces the standard macOS login window.


User Flow

  1. At startup, the login window shows a Sign in with Google button (or username field if cached).

  2. The user’s browser opens to accounts.google.com, prompting Google credentials and MFA.

  3. On success, Swif:

    1. Parses the ID-token claims.

    2. Creates (or unlocks) the local macOS account.

    3. Logs the user in—all without storing the Google password locally.


Troubleshooting

Issue

Resolution

Blank login window

Verify profile installed (System Settings → Privacy & Security → Profiles).

OAuth loop fails

Confirm the redirect https://127.0.0.1/ in Google console and policy.

Offline Mac can’t authenticate

Ensure shouldSetGoogleAccessTypeToOffline = true (refresh token).

User not found

Check mapping fields—mapUsername should match the short name format you expect.

Error setting local password to cloud password

There is a conflict with your password policy. You can change the cloud password or remove the password policy from the device.


Security Notes

  • Setting Create Admin User = true grants local-admin rights—use only if required.

  • Enforced SSO means local passwords no longer unlock the Mac; keep Google MFA enabled for best security.

Deploying the Platform SSO Policy ensures every macOS sign-in is backed by Google Workspace, closing credential gaps and aligning device access to your IdP. For assistance, contact Swif Support.

Did this answer your question?