Swif’s Apple Platform SSO Policy lets you replace the local macOS login window with Google Workspace Single Sign-On. Users authenticate with their Google credentials, and Swif provisions (or verifies) the matching local account before sign-in completes.
If you want to tightly control device passwords on managed macOS devices using Google SSO, learn more at Apple Platform SSO & Apple User Authorization Policy.
Prerequisites
Requirement | Details |
macOS 11 Big Sur or later | Ensure the Swif Agent v1.235.0+ is installed. |
Google Workspace tenant | Admin rights to create an OAuth 2.0 client. Application Type: Web Application. |
Swif Org Admin | Ability to create policies and deploy to Mac devices. |
Google 2FA | Google SSO 2FA works but passkey (eg. touch ID) doesn't allow at Apple Platform SSO (because the underlying library doesn't support due to the security and network reason during system startup) |
Create a Google Workspace OAuth Client
Go to Google Cloud Console → APIs & Services → Credentials.
Click Create Credentials → OAuth client ID →Application Type: Web Application.
Authorized redirect URI → add
https://127.0.0.1/(loopback).Save → copy the Client ID and Client secret.
Create an Platform SSO Policy in Swif
Policies → Create New Policy → Platform SSO Policy.
Fill the fields:
Field | Example | Description |
Client ID |
| Your Google OAuth Client ID. |
Client Secret |
| Google OAuth Client Secret. |
Discovery URL |
| Google’s OIDC metadata URL. |
Redirect URI |
| Loopback redirect the macOS agent listens on. |
Scopes |
| Minimum scopes for ID token + profile. |
Should Set Google Access Type To Offline |
| Requests a refresh token (keeps login valid offline). |
Create Admin User |
| If the local macOS user doesn’t exist, create it with admin rights. |
Map First Name / Map Last Name |
| JWT claims → macOS record fields. |
Map Username / Map Full Username |
| Maps entire Google address to macOS short user name. |
Save the policy.
Assign the Policy to Devices
Choose the Mac devices or Smart Group that should enforce Google SSO.
Click Deploy.
Swif pushes a configuration profile that replaces the standard macOS login window.
User Flow
At startup, the login window shows a Sign in with Google button (or username field if cached).
The user’s browser opens to
accounts.google.com, prompting Google credentials and MFA.On success, Swif:
Parses the ID-token claims.
Creates (or unlocks) the local macOS account.
Logs the user in—all without storing the Google password locally.
Troubleshooting
Issue | Resolution |
Blank login window | Verify profile installed (System Settings → Privacy & Security → Profiles). |
OAuth loop fails | Confirm the redirect |
Offline Mac can’t authenticate | Ensure shouldSetGoogleAccessTypeToOffline = true (refresh token). |
User not found | Check mapping fields— |
Error setting local password to cloud password | There is a conflict with your password policy. You can change the cloud password or remove the password policy from the device. |
Security Notes
Setting Create Admin User = true grants local-admin rights—use only if required.
Enforced SSO means local passwords no longer unlock the Mac; keep Google MFA enabled for best security.
Deploying the Platform SSO Policy ensures every macOS sign-in is backed by Google Workspace, closing credential gaps and aligning device access to your IdP. For assistance, contact Swif Support.


