Swif’s Platform SSO Policy lets you replace the local macOS login window with Google Workspace Single Sign-On. Users authenticate with their Google credentials, and Swif provisions (or verifies) the matching local account before sign-in completes.
1 Prerequisites
Requirement | Details |
macOS 11 Big Sur or later | Ensure the Swif Agent v1.235.0+ is installed. |
Google Workspace tenant | Admin rights to create an OAuth 2.0 client. Application Type: Web Application. |
Swif Org Admin | Ability to create policies and deploy to Mac devices. |
2 Create a Google Workspace OAuth Client
Go to Google Cloud Console → APIs & Services → Credentials.
Click Create Credentials → OAuth client ID → Application Type: Web Application.
Authorized redirect URI → add https://127.0.0.1/ (loopback).
Save → copy the Client ID and Client secret.
3 Create a Platform SSO Policy in Swif
Policies → Create New Policy → Platform SSO Policy.
Fill the fields:
Field | Example | Description |
Client ID | | Your Google OAuth Client ID. |
Client Secret | | Google OAuth Client Secret. |
Discovery URL | | Google’s OIDC metadata URL. |
Redirect URI | | Loopback redirect the macOS agent listens on. |
Scopes | | Minimum scopes for ID token + profile. |
Should Set Google Access Type To Offline | | Requests a refresh token (keeps login valid offline). |
Create Admin User | | If the local macOS user doesn’t exist, create it with admin rights. |
Map First Name / Map Last Name | | JWT claims → macOS record fields. |
Map Username / Map Full Username | | Maps entire Google address to macOS short user name. |
Save the policy.
4 Assign the Policy to Devices
Choose the Mac devices or Smart Group that should enforce Google SSO.
Click Deploy.
Swif pushes a configuration profile that replaces the standard macOS login window.
5 User Flow
At startup, the login window shows a Sign in with Google button (or username field if cached).
The user’s browser opens to accounts.google.com, prompting for Google credentials and MFA.
On success, Swif:
Parses the ID-token claims.
Creates (or unlocks) the local macOS account.
Logs the user in—all without storing the Google password locally.
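The claim checks a relying party would normally apply before mapping ID-token claims to a local account, shown as an added example (not Swif's code). It assumes the token signature has already been verified against Google's published keys; the function name, the `full_username` switch, the client ID and the domain are hypothetical.

```python
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

class ClaimError(ValueError):
    """The ID token must not be used to create or unlock a local account."""

def map_claims_to_account(claims, client_id, workspace_domain,
                          full_username=True, now=None):
    """Check Google ID-token claims, then map them to local record fields.

    Assumes the token signature was already verified against Google's keys.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ClaimError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ClaimError("token was issued to a different OAuth client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ClaimError("token expired or exp missing")
    # 'hd' is set only for Workspace accounts; consumer accounts omit it.
    if str(claims.get("hd", "")).lower() != workspace_domain.lower():
        raise ClaimError("account is outside the Workspace domain")
    email = str(claims.get("email", "")).lower()
    if claims.get("email_verified") is not True or email.count("@") != 1:
        raise ClaimError("email missing or not verified")
    return {
        # Assumption: full_username=True keeps the whole address as short name.
        "short_name": email if full_username else email.split("@")[0],
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
    }

# Constructed sample claims (placeholders, not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "exp": 2_000_000_000,
    "hd": "example.com",
    "email": "Jane.Doe@example.com",
    "email_verified": True,
    "given_name": "Jane",
    "family_name": "Doe",
}

if __name__ == "__main__":
    print(map_claims_to_account(SAMPLE_CLAIMS, SAMPLE_CLAIMS["aud"], "example.com"))
```

The `hd` and `aud` checks matter most when Create Admin User is enabled, because a token that passes them results in a new local administrator.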
6 Troubleshooting
Issue | Resolution |
Blank login window | Verify profile installed (System Settings → Privacy & Security → Profiles). |
OAuth loop fails | Confirm the redirect |
Offline Mac can’t authenticate | Ensure shouldSetGoogleAccessTypeToOffline = true (refresh token). |
User not found | Check mapping fields— |
Error setting local password to cloud password | There is a conflict with your password policy. You can change the cloud password or remove the password policy from the device. |
7 Security Notes
Setting Create Admin User = true grants local-admin rights—use only if required.
Enforced SSO means local passwords no longer unlock the Mac; keep Google MFA enabled for best security.
Deploying the Platform SSO Policy ensures every macOS sign-in is backed by Google Workspace, closing credential gaps and aligning device access to your IdP. For assistance, contact Swif Support.