Swif’s Identity Login Policy lets you replace the local macOS login window with Google Workspace Single Sign-On. Users authenticate with their Google credentials, and Swif provisions (or verifies) the matching local account before sign-in completes.
1 Prerequisites
| Requirement | Details |
|---|---|
| macOS 11 Big Sur or later | Swif Agent v1.235.0 or later must be installed. |
| Google Workspace tenant | Admin rights to create an OAuth 2.0 client (Application Type: Web Application). |
| Swif Org Admin | Ability to create policies and deploy them to Mac devices. |
2 Create a Google Workspace OAuth Client
Go to Google Cloud Console → APIs & Services → Credentials.
Click Create Credentials → OAuth client ID → Application Type: Web Application.
Under Authorized redirect URIs, add https://127.0.0.1/ (the loopback address the Swif Agent listens on).
Save, then copy the Client ID and Client secret; both go into the Swif policy in the next step.
3 Create an Identity Login Policy in Swif
Policies → Create New Policy → Identity Login Policy.
Fill the fields:
| Field | Example | Description |
|---|---|---|
| clientId |  | Your Google OAuth Client ID. |
| clientSecret |  | Your Google OAuth Client secret. |
| discoveryURL |  | Google's OIDC discovery (metadata) URL. |
| redirectURI | https://127.0.0.1/ | The loopback redirect the macOS agent listens on; it must match the Authorized redirect URI on the OAuth client exactly. |
| scopes |  | Minimum scopes needed for an ID token plus profile claims. |
| shouldSetGoogleAccessTypeToOffline |  | Requests a refresh token so the login stays valid while the Mac is offline. |
| createAdminUser |  | If the local macOS user does not exist, create it with admin rights. |
| mapFirstname / mapLastname |  | ID-token (JWT) claims written to the macOS record's first-name and last-name fields. |
| mapUsername / mapFullusername |  | Claims used for the macOS short name and full name; the short name is the user's entire Google email address. |
Tip: Leave onlineAuthenticationGracePeriod blank—macOS login already requires fresh Google auth each boot.
Save the policy.
4 Assign the Policy to Devices
Choose the Mac devices or Smart Group that should enforce Google SSO.
Click Deploy.
Swif pushes a configuration profile that replaces the standard macOS login window.
5 User Flow
At startup, the login window shows a Sign in with Google button (or a username field if a previous login is cached).
The user's browser opens accounts.google.com, which prompts for Google credentials and MFA. On success, Swif:
Parses the ID-token claims.
Creates (or unlocks) the local macOS account.
Logs the user in, all without storing the Google password locally.
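The three steps above, as an added example written for this page (it is not Swif's agent code and does not show how the agent is implemented): the authorization request is built from the section 3 policy fields, the loopback callback is checked against the state value, and the ID-token claims are validated before being mapped onto a macOS record. The policy values, the claim names used for the map* fields, and the `hd` (hosted-domain) check are assumptions; signature verification of the ID token against the JWKS listed in the discovery document is assumed to happen first and is not shown.

```python
"""Added example (not Swif's agent code): the login flow's three steps, driven by
the policy fields from section 3 held in a plain dict. Signature verification of
the ID token is assumed to happen before validate_id_token_claims()."""
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint and the two issuer strings Google uses.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed policy: the clientId is a placeholder, the claim names are assumptions.
POLICY = {
    "clientId": "1234567890-abcdef.apps.googleusercontent.com",
    "redirectURI": "https://127.0.0.1/",
    "scopes": "openid email profile",
    "shouldSetGoogleAccessTypeToOffline": True,
    "createAdminUser": False,
    "mapFirstname": "given_name",
    "mapLastname": "family_name",
    "mapUsername": "email",
    "mapFullusername": "name",
}

# Constructed ID-token payload in the shape Google returns for a Workspace user.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": POLICY["clientId"],
    "sub": "110169484474386276334",
    "hd": "example.com",
    "email": "ada@example.com",
    "email_verified": True,
    "name": "Ada Lovelace",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "nonce": "n-0S6_WzA2Mj",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}


def build_authorize_url(policy, state, nonce):
    """Authorization request the browser is sent to, built from the policy."""
    params = {
        "client_id": policy["clientId"],
        "redirect_uri": policy["redirectURI"],
        "response_type": "code",
        "scope": policy["scopes"],
        "state": state,  # ties the loopback callback to this login attempt
        "nonce": nonce,  # echoed in the ID token; blocks replay of an older token
    }
    if policy.get("shouldSetGoogleAccessTypeToOffline"):
        # Google only issues a refresh token when access_type=offline is requested.
        params["access_type"] = "offline"
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def parse_loopback_callback(callback_url, expected_state, policy):
    """Extract the authorization code from the redirect received on 127.0.0.1."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != policy["redirectURI"]:
        raise ValueError("callback did not arrive on the configured redirectURI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"Google returned an error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    return query["code"][0]


def validate_id_token_claims(claims, policy, workspace_domain, expected_nonce, now=None):
    """Reject tokens not issued by Google, issued to another client, expired,
    replayed, or belonging to an account outside the Workspace tenant."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != policy["clientId"]:
        raise ValueError("token was issued to a different client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("email_verified"):
        raise ValueError("email not verified by Google")
    # Consumer @gmail.com accounts carry no hd claim; only the tenant's domain may log in.
    if claims.get("hd") != workspace_domain:
        raise ValueError("account is not in the Workspace tenant")
    return True


def map_claims_to_record(claims, policy):
    """Apply the map* fields: claim names -> macOS directory attributes (dscl names)."""
    return {
        "RecordName": claims[policy["mapUsername"]],  # short name; the page maps the full address
        "RealName": claims[policy["mapFullusername"]],
        "FirstName": claims[policy["mapFirstname"]],
        "LastName": claims[policy["mapLastname"]],
        "AdminGroupMember": bool(policy.get("createAdminUser")),
    }


if __name__ == "__main__":
    state, nonce = "s3cr3t-state", SAMPLE_CLAIMS["nonce"]
    print(build_authorize_url(POLICY, state, nonce))
    code = parse_loopback_callback("https://127.0.0.1/?code=4%2F0AbCdEf&state=" + state, state, POLICY)
    validate_id_token_claims(SAMPLE_CLAIMS, POLICY, "example.com", nonce, now=1_700_000_100)
    print(code, map_claims_to_record(SAMPLE_CLAIMS, POLICY))
```

The `hd` check is the one most worth keeping: with it, a token for an account outside your Workspace domain is refused before any local account is created, regardless of how the OAuth consent screen is configured.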
6 Troubleshooting
| Issue | Resolution |
|---|---|
| Blank login window | Verify the profile is installed (System Settings → Privacy & Security → Profiles). |
| OAuth loop fails | Confirm redirect |
| Offline Mac can't authenticate | Ensure shouldSetGoogleAccessTypeToOffline = true so a refresh token is issued. |
| User not found | Check mapping fields. |
7 Security Notes
Setting createAdminUser = true grants every SSO-created account local-admin rights; leave it false unless those users genuinely need admin on their Macs.
Enforced SSO means local passwords no longer unlock the Mac at the login window, so the Google account becomes the credential that grants device access; enforce 2-Step Verification in Google Workspace rather than leaving it optional. A FileVault pre-boot unlock screen, where enabled, is separate from the login window and still uses the local account password.
The clientSecret is delivered to every enrolled Mac as part of the policy, so treat it as device-resident rather than secret: keep the OAuth client restricted to the single loopback redirect URI, and rotate the secret in Google Cloud Console if a device is lost or compromised.
Deploying the Identity Login Policy ensures every macOS sign-in is backed by Google Workspace—closing credential gaps and aligning device access to your IdP. For assistance, contact Swif Support.