Overview
The Swif agent is a system-level endpoint management service installed on managed devices. It runs in the background and allows Swif to enforce device management, compliance, and security actions issued by authorized team administrators.
The agent is used to perform actions such as:
Applying security policies
Resetting local account passwords
Enforcing password and screen-lock requirements
Managing device encryption workflows
Running approved administrative commands
Supporting remote troubleshooting
Reporting device status back to Swif
Because these actions modify operating system settings, the Swif agent runs with elevated privileges where required by the operating system.
Why the Agent Requires Elevated Privileges
Swif is an MDM and endpoint security platform. Many device management actions require administrator or root-level permissions.
For example:
Resetting a local account password requires privileged access
Enforcing disk encryption requires access to system encryption tools
Applying OS-level security policies requires administrative permissions
Installing or removing managed software may require elevated permissions
Collecting some security posture information requires access outside the user session
Because of this, the Swif agent should be treated as a trusted privileged endpoint management component, similar to other MDM, EDR, or device security agents.
The agent is not designed to run as a low-privilege desktop application. It is designed to securely manage enrolled devices on behalf of authorized Swif administrators.
What Exactly Can the Swif Agent Do?
The Swif agent includes a command execution system that allows authorized Swif administrators to perform device management and troubleshooting actions on enrolled devices.
Because the agent is responsible for endpoint management, compliance enforcement, software deployment, encryption workflows, account management, and remote troubleshooting, it may execute commands with administrator or root-level privileges when required by the operating system. This is why the agent must be treated as a privileged endpoint management component, similar to an MDM, EDR, or remote management agent.
Examples of actions the agent may perform include:
Apply operating system security policies
Install, update, or remove managed software
Run approved scripts or administrative commands
Reset local user passwords
Manage device encryption workflows
Collect device posture and compliance information
Support Live Terminal or remote troubleshooting workflows
Enforce Swif admin account behavior on managed devices
Commands that require system-level access may run with root privileges. This level of access is required for legitimate MDM workflows such as configuring authentication, enforcing security settings, managing packages, and troubleshooting system services.
On Mac, Swif commands are executed under the
LaunchDaemonsuser who already has root permissions. This allows you to run commandssudowithout additional configuration. (help.swif.ai)On Windows, the Swif agent operates under the SYSTEM user, which possesses administrative rights. This setup ensures that all commands executed by the agent are within the administrative scope, eliminating the necessity for manual elevation to administrator status, as one might do in Windows PowerShell. (help.swif.ai)
On Linux, commands are executed using a privileged system context (root or sudo-capable service account) (help.swif.ai)
Because privileged command execution is powerful, misuse of this capability could impact the device. For example, any platform or administrator with root-level command execution could install software, modify system configuration, or affect device availability. For this reason, Swif treats agent execution, administrator access, and supply-chain protection as security-critical areas.
Swif reduces risk through:
Admin authorization — device actions are initiated by authorized Swif administrators, not end users.
Device scoping — actions are applied to selected devices or device groups.
Command visibility — admins can review command activity from Device Details > Commands.
Swif admin separation — the Swif admin account is separate from regular user accounts and is used for managed administrative workflows.
Customer-controlled enrollment — the agent can only manage devices enrolled into the customer’s Swif environment.
This Swif agent article already explains that the agent is a system-level endpoint service used to enforce device management, compliance, and security actions, and that those actions may require elevated privileges. It also notes that admins can review device command activity from Device Details > Commands.
How the Agent Runs on Devices
The Swif agent runs independently of the logged-in user.
This means:
The agent can start before a user logs in
The agent can continue running when no user session is active
Device policies can still be enforced in the background
Admin-issued actions can be applied without requiring end-user interaction
On macOS, communication may not occur immediately after reboot if networking is not yet available. Once the network becomes available, the agent resumes communication with Swif.
On Linux/Windows, the agent may initialize early in the boot process so it can support device management and compliance enforcement before the user session starts.
Privilege Model and Containment Boundaries
The Swif agent uses elevated permissions only because managed-device operations require them.
Swif reduces risk through several operational boundaries:
Admin Authorization
Device actions must be initiated by authorized Swif administrators. End users do not receive agent-level privileges.
Device-Scoped Execution
Actions are scoped to the selected device or device group. Admins should use device groups, staged rollouts, and test devices before applying high-impact actions broadly.
Command Visibility
Admins can review command activity from:
Device Details > Commands
This helps administrators understand which commands were sent, which commands are still running, and whether a command succeeded or failed.
Separation from End-User Accounts
The Swif agent runs independently of the end user. It does not grant the user local administrator rights.
Swif Admin Account Separation
For certain workflows, Swif may use a dedicated Swif admin account. This account is separate from normal user accounts and is used for administrative management tasks.
Swif Admin User Behavior
When a device is managed by Swif, Swif may create a dedicated administrative account called Swif admin. Its behavior depends on the operating system and device ownership type.
On macOS, the Swif admin account is hidden by default and is used for privileged actions such as account recovery, password resets, FileVault recovery, Secure Token management, and troubleshooting.
On Linux, the Swif admin account is also used for administrative and remote management tasks. The account may be hidden by default, and the Swif agent monitors and enforces the Swif admin password to match the value stored in Swif.
If the Swif admin password is changed locally outside of Swif, the agent can automatically reset it to the server value and report the event to Swif. This helps keep the administrative account consistent and controlled across managed Linux devices. (help.swif.ai)
For more details, see Swif Admin User Behavior on Managed Devices. (help.swif.ai)
Supply Chain and Code Security Safeguards
Dependency and Supply Chain Security
The Swif agent and related MDM services use third-party libraries and dependencies, as is common for modern endpoint software. Swif evaluates dependencies carefully before using them.
When selecting libraries, Swif considers signals such as:
Project maturity
Maintainer activity
Community adoption
Security history
Release frequency
Compatibility with Swif’s architecture
High community adoption, such as a project having thousands of GitHub stars, can be a useful signal, but it is not treated as the only security control. Popular libraries can still contain vulnerabilities, so Swif also uses automated security scanning and remediation workflows.
Swif uses multiple scanning tools across its software development lifecycle:
SonarQube for source code inspection and detection of bugs, code smells, and security vulnerabilities. It is integrated with Swif GitLab repositories and runs through automated CI pipelines. (Swif.ai Help Center)
Trivy for scanning Docker images, system packages, application dependencies, file systems, and Git repositories. Swif runs Trivy on production builds for API, jobs, and MDM services. (Swif.ai Help Center)
kube-bench for auditing Kubernetes clusters against the CIS Kubernetes Benchmark and validating secure cluster configuration. (Swif.ai Help Center)
Swif’s scanning practices are automated across code, containers, and infrastructure. Code scans run on commits, container scans run during CI/CD builds, and Kubernetes scans run quarterly or after major upgrades. Developers are expected to address newly detected vulnerabilities. (Swif.ai Help Center)
These controls reduce the likelihood that vulnerable code, dependencies, containers, or infrastructure configurations are introduced into Swif production services. They do not eliminate all supply-chain risk, which is why customers should also restrict Swif administrator access to trusted personnel and review command activity for sensitive devices.
For more details, see Security Scanning Tools at Swif.ai. (Swif.ai Help Center)
What Admins Can Do to Reduce Risk
To operate the Swif agent securely, administrators should follow these practices:
Limit Swif administrator access to trusted IT or security personnel
Use role-based access controls where available
Test high-impact policies or scripts on a small device group first
Review command history in Device Details > Commands
Monitor Swif admin account behavior on managed devices
Avoid enrolling systems that should not be centrally managed
Keep devices online so agent updates and policy changes can be applied
Contact Swif support if agent behavior appears unexpected
For sensitive Linux environments, including hardened production systems, admins should:
Test Swif policies and scripts on a small device group first
Limit access to Live Terminal and custom command execution
Review Device Details > Commands after privileged actions
Use least-privilege access for Swif administrators
Enroll only devices that are approved for centralized management
Monitor Swif admin account behavior on managed Linux devices
The Swif admin user article explains that Swif may create a dedicated administrative account for managed devices and that this account is used for administrative and remote management tasks. (Swif.ai Help Center)
How to Check the Installed Swif Agent Version
You can check the installed Swif agent version directly from the device.
Linux
/usr/bin/swifteam -version
Example output:
1.242.0
macOS
/usr/local/swifteam/swifteam -version
Example output:
1.242.0
Windows
Check the version file:
C:\Program Files\Swifteam\version.txt
Example output:
1.242.0
Why Version Checks Matter
Checking the agent version helps admins:
Confirm the agent is installed correctly
Verify that agent updates are being applied
Confirm whether a device has support for newer Swif features
Provide useful information when contacting Swif support
If the agent binary or version file is missing, the agent may be missing, corrupted, or not installed correctly. Reinstall the latest package from the Swif console.
Notes
The Swif agent is a privileged management service because endpoint security and MDM workflows require privileged access.
End users do not receive agent-level privileges.
The Swif admin account is separate from normal user accounts and is used for managed administrative workflows.
Agent actions should be controlled through Swif administrator permissions, device scoping, and command review.
Swif uses code, container, and infrastructure scanning to reduce supply-chain and software security risk.
Related Articles
Security Scanning Tools at Swif.ai (help.swif.ai)
Swif Admin User Behavior on Managed Devices (help.swif.ai)
Enrollment Methods for All OSs (help.swif.ai)