Swif allows administrators to securely reset an employee’s device password for managed devices. This is commonly used when an employee forgets their password, is locked out, or during security incidents and offboarding.
Password reset behavior varies by operating system. On macOS, Swif uses a dedicated Swif Admin account to perform password changes securely and audibly.
Before You Begin
Ensure the following before resetting a password:
The device is enrolled and active in Swif
The device is online
You have admin permissions in Swif
The target user account exists on the device
macOS Password Reset (How It Works)
On macOS devices, Swif does not bypass system security. Instead:
Swif creates and manages a Swif Admin account on the device
This admin account is used to authorize password changes
The reset action follows native macOS security rules
The user’s existing password is replaced immediately
This approach ensures:
Full auditability
Compatibility with FileVault
No unsupported system modifications
ℹ️ For security reasons, macOS may require admin authentication when password reset requests occur frequently.
How to Reset a Password
Step 1: Open the Device
Go to Device Management → Devices
Select the employee’s Mac
Open the Accounts tab
Step 2: Select the User Account
Locate the user whose password needs to be reset
Click the ⋮ (More actions) menu
Select Reset Password
Step 3: Authenticate the Action
You will see a Reset Password dialog with a step-by-step flow:
1. Authentication
Enter the Swif Admin account credentials
In some cases, the current user password may also be required
This step ensures the reset is authorized by macOS
You may see a message such as:
“For security reasons, an admin account password is required to reset the password.”
2. Set New Password
Enter the new password for the user
Password policies configured in Swif will be enforced
3. Share Password
Securely share the new password with the employee
Recommend changing it after first login
Click Proceed → Save Changes to complete the reset.
What Happens After the Reset
The previous password is immediately invalid
The user can log in with the new password
The action is recorded in Audit Trails
Device compliance status updates automatically
FileVault Notes (macOS)
If FileVault is enabled:
The user may need to log in once to fully unlock disk access
No data loss occurs
Supported Platforms
Platform | Password Reset Support |
macOS | ✅ Supported (via Swif Admin) |
Windows | ✅ Supported |
Linux | ✅ Supported |
Mobile (iOS/iPadOS) | ❌ Not supported – device wipe may be required |
Android | ✅ Supported. Learn more → |
Enforce password policy on device user password reset
Swif can enforce your configured password policy at the time you reset a local user’s password. This prevents admins from setting passwords that are too weak or that violate your compliance rules.
When you reset a password for a local user account on a managed device:
Swif checks the new password against the password policy you’ve assigned to that device.
If no password policy is assigned to the device, the reset behaves as a normal command and is not rejected by policy checks.
If a password policy is assigned, the new password must comply with all configured rules before the reset command is accepted.
What is validated
Swif validates the new password against the policy fields you’ve configured, including (depending on your policy setup):
Minimum password length
Password complexity / character variety (e.g., mix of upper/lowercase, numbers, symbols)
Password strength / entropy (measured in bits)
Password history / reuse prevention (cannot reuse recent passwords, where applicable)
Expiration / maximum age rules (when relevant at reset time)
Lockout-related constraints, where applicable
Any password constraints defined in the policy
These checks are performed before the command is sent to the device.
What you’ll see in Swif
When you issue a password reset that does not meet the policy:
The command is rejected by Swif (it is not dispatched to the device).
The API returns a 400 error with a structured validation error (for example, error code PASSWORD_POLICY_VALIDATION).
In the Commands / Command tab, the result is clearly shown as a policy validation failure, not a device-execution error.
Example of a policy validation message:
Password does not meet policy: minimum entropy is 48 bits (current: 23.3). Use more unique characters and/or greater length.
When the new password does meet policy:
The command is accepted and sent to the device.
The password is changed on the device once the command executes successfully.
The action is recorded in logs/audit as usual.
How to make sure policy enforcement is active
For example, to ensure password resets are enforced by policy on Windows:
Assign a Windows password policy to the device (or to a group that includes the device).
Include your desired requirements, such as:
Minimum length
Minimum complexity / entropy
Any other Windows password constraints your organization needs
Confirm that the device is managed and online in Swif before triggering the reset.
If you attempt a reset with a password that doesn’t meet policy, you’ll see a clear error, and you can adjust the password (e.g., increase length or add more varied characters) and try again.
Security Best Practices
Verify user identity before resetting passwords
Use temporary passwords when possible
Encourage users to rotate passwords after login
Review reset actions in Audit Trails
Combine with temporary admin elevation if troubleshooting is required
Troubleshooting
Reset option unavailable
Device may be offline
User still can’t log in
Confirm correct account was reset
Check FileVault status
Retry the reset after device check-in
Summary
Swif provides a secure, OS-native way to reset employee device passwords.
On macOS, the Swif Admin account ensures:
Secure authorization
Full compliance with Apple security controls
Complete audit visibility
This approach minimizes downtime while maintaining enterprise-grade security.