This article explains how to:
Block local users from changing their own device password on macOS, Windows, and Linux using Swif policies, and
Have employees use Swif (web Employee Portal + Desktop app) as the only way to reset their device password.
This setup centralizes password changes behind Swif, improves auditability, and reduces conflicts between local and cloud credentials.
1. Why Centralize Password Resets in Swif?
With Swif:
Employees reset passwords through Swif (web portal or desktop app), protected by MFA and your security policies.
Local password changes are blocked or reverted, depending on OS and policy.
IT gets visibility and control over when and how passwords are changed.
This aligns with the model described in the Employee Portal guide:
https://help.swif.ai/en/articles/10542477-how-to-use-swif-s-employee-portal#h_1895a11582
2. High-Level Setup
To enforce “no local password change; only via Swif”:
Block (or effectively undo) local password changes via:
Apple User Authorization Policy (macOS)
https://help.swif.ai/en/articles/10333873-apple-user-authorization-policy#h_aeb16449f0Windows User Authorization Policy (Windows)
https://help.swif.ai/en/articles/11049019-windows-user-authorization-policy#h_87e7ed04b4Linux User Authorization Policy (Linux)
https://help.swif.ai/en/articles/13365412-linux-user-authorization-policy#h_1eeee88618
Tell users to change their password only through Swif:
Employee Portal (web) – documented here:
https://help.swif.ai/en/articles/10542477-how-to-use-swif-s-employee-portal#h_1895a11582Swif Desktop App (Employee Portal at Desktop App) – same reset flow, accessible from the device.
3. Configure macOS: Block Local Password Changes
Use the Apple User Authorization Policy to control password modification:
https://help.swif.ai/en/articles/10333873-apple-user-authorization-policy#h_aeb16449f0
3.1 What the macOS Policy Does
Passcode Modification Control
True: Users can change their macOS password locally.
False: Users are restricted from modifying their password locally.
Note: If a user uses another admin account on the Mac to reset a password, Swif cannot fully prevent that. You should still restrict who has admin rights on devices.
3.2 How to Configure (macOS)
Go to Policies
Log in to the Swif Admin Dashboard.
Navigate to: Device Management → Policies.
Create or Edit an Apple User Authorization Policy
Create a new policy or edit an existing one.
Ensure macOS is selected in the Target Devices.
Set Passcode Modification
In the policy configuration, set:
Passcode Modification to False
→ This prevents users from modifying their device password locally.
(Optional) User Addition Control
You can also set User Addition to False to prevent users from adding new accounts.
Assign the Policy
Assign the policy to the relevant macOS device groups or users.
Click Save / Apply to enforce.
3.3 Best Practice for macOS
Keep Passcode Modification = False for company-owned Macs.
In your internal documentation / onboarding, clearly instruct employees:
“You cannot change your Mac password from System Settings. Use Swif (web or desktop app) to reset your password.”
4. Configure Windows: Block Local Password Changes for Standard Users
Use the Windows User Authorization Policy:
https://help.swif.ai/en/articles/11049019-windows-user-authorization-policy#h_87e7ed04b4
4.1 What the Windows Policy Does
Allow Passcode Modification (for standard users):
Enabled: Standard Windows users can change their local password.
Disabled: Standard Windows users cannot change their password locally.
Admin accounts are not affected – admins can always change their own password.
This is ideal when you want standard users locked down, but still allow IT/admin accounts full control.
4.2 Requirements
From the policy article:
OS: Windows 10 or later
Restricted on BYOD devices
Swif Agent: Installed and up to date on target devices.
4.3 How to Configure (Windows)
Go to Policies
Open the Swif Admin Console.
Go to Device Management → Policy.
Create or Edit a Windows User Authorization Policy
Click Create New Policy or edit an existing one.
Select User Authorization Policy for Windows.
Configure “Allow Passcode Modification”
Set Allow Passcode Modification to Disabled for your target devices.
Optionally name it clearly, e.g., “Block local password changes for standard users”.
Assign the Policy
Choose Windows 10+ devices or device groups to apply it to.
Review and click Save/Finish.
4.4 Verifying on Windows
Log in as a standard user on a managed device.
Go to Settings → Accounts → Sign-in options and try to change the password.
If policy is Disabled:
The user should see an error or be blocked from changing their password.
Log in as an administrator:
The admin should still be able to change passwords (unchanged behavior).
5. Configure Linux: Enforce Swif-Managed Password (Undo Local Changes)
Use the Linux User Authorization Policy:
https://help.swif.ai/en/articles/13365412-linux-user-authorization-policy#h_1eeee88618
5.1 How Enforcement Works on Linux
Linux behaves differently:
Swif stores the last known password for the managed account (the “cloud password”).
On the device:
Swif reads the local password salt + hash.
Recomputes a hash using cloudPassword + localSalt.
If the recomputed hash doesn’t match the stored local hash, Swif concludes the local password changed.
When enforcement is enabled and a mismatch is detected:
Swif resets the local Linux password back to the Swif-managed password.
Important: Swif does not block the password change action itself. It detects and reverts any unauthorized change after the fact.
5.2 Policy Field: allowPasswordModification
Key field from the policy article:
Field name:
allowPasswordModificationDisplay name: Allow Password Modification
Type: Boolean
Default:
false
Behavior:
allowPasswordModification = false(default, recommended to centralize):Swif enforces the cloud password.
If user changes local password:
Swif detects mismatch.
Swif resets the password back to the Swif-managed value.
From the user’s perspective, local changes “don’t stick”.
allowPasswordModification = true:Swif does not reset local passwords.
User’s local password changes remain in effect.
5.3 Recommended Linux Setup to Prevent Local Divergence
For “Swif is the source of truth”:
Ensure a Linux User Authorization Policy is created and assigned.
Keep Allow Password Modification (
allowPasswordModification) = false.That way, if a user tries to change their Linux password:
The Swif agent will revert it back to the password managed in Swif.
6. How Employees Should Reset Their Password via Swif
Once local password changes are blocked or enforced:
Employees must use:
Swif Employee Portal (web), or
Swif Desktop App (Employee Portal at Desktop App)
to reset their device passwords.
The web-based flow is described here:
https://help.swif.ai/en/articles/10542477-how-to-use-swif-s-employee-portal#h_1895a11582
6.1 Using the Employee Portal (Web) to Change Password
From the Employee Portal article (section “Changing Your Device User Password”):
Access the Employee Portal
Go to app.swif.ai (or your organization’s custom Swif domain).
Log in with your Swif credentials (MFA may be required).
If you are also an admin, use the Portal Switcher in the bottom-left to switch to Employee Portal.
Select Your Device
On the dashboard, select the device where you want to change the password.
Open Accounts
Go to Accounts.
Hover over the account you want to change the password for.
Reset Password
Click Reset Password.
Enter your new password, following your organization’s policy (length, complexity, etc.).
Confirm the new password.
Click Save / Update.
Password Propagation
Within minutes, the local device user account password is updated.
The next time you log in, use your new password.
This centralizes password resets and ensures they’re logged and protected by MFA.
6.2 Using the Swif Desktop App to Reset the Local Password
In addition to the web portal, users can reset their local password via the Swif Desktop App, which exposes the same Employee Portal capabilities directly on the device.
Typical flow (aligned with the web steps):
Open the Swif Desktop App
Launch the Swif app on your Mac, Windows, or Linux device.
Sign in with your Swif account (MFA may apply).
Go to the Employee / Device View
Make sure you are in the Employee view (not Admin).
Select your device from the device list if needed.
Open the Account / Password Section
Navigate to Accounts (or a similar section in the desktop app).
Choose the local user account whose password you need to change.
Reset the Password
Click Reset Password.
Enter and confirm your new password, following your team’s password policy.
Submit the change.
Log In with Your New Password
Once the reset completes, your local device user password is updated.
Log out or lock your machine, then sign back in using the new password.
With the policies above configured, users cannot (or cannot effectively) bypass this flow by changing the password directly in system settings—the Swif-managed password remains the source of truth.
7. Recommended Policy Combinations by Scenario
Scenario A: Company-Owned Devices – Fully Centralized
Goal: Users never maintain a different password locally than in Swif.
macOS:
Apple User Authorization Policy
Passcode Modification = False
Windows:
Windows User Authorization Policy
Allow Passcode Modification = Disabled (for standard users)
Linux:
Linux User Authorization Policy
Allow Password Modification (
allowPasswordModification) = false
User guidance:
“To change your device password, always use Swif – either:
Employee Portal (web): https://help.swif.ai/en/articles/10542477-how-to-use-swif-s-employee-portal#h_1895a11582
Swif Desktop App on your device.”
Scenario B: BYOD / Less Strict Devices
Goal: Centralize where possible, but allow some flexibility.
macOS / Windows:
You may choose to enable local passcode modification, or apply the policy only to certain device groups.
Linux:
Set
allowPasswordModification = trueif you allow local flexibility.
User guidance:
Recommend Swif-based resets as the preferred path, but document that local changes may still be allowed in certain contexts.
8. Summary
By combining:
Apple User Authorization Policy (macOS)
https://help.swif.ai/en/articles/10333873-apple-user-authorization-policy#h_aeb16449f0Windows User Authorization Policy (Windows)
https://help.swif.ai/en/articles/11049019-windows-user-authorization-policy#h_87e7ed04b4Linux User Authorization Policy (Linux)
Linux User Authorization Policy | Help Center | Swif.aiAnd the Employee Portal password reset workflow (web + desktop app)
How to Use Swif’s Employee Portal | Help Center | Swif.ai
you can:
Prevent or undo local password changes on macOS, Windows, and Linux, and
Require users to reset passwords only through Swif, with MFA and centralized auditing.