MDM restrictions for Apple Vision Pro devices
You can set restrictions for Apple Vision Pro devices enrolled in a mobile device management (MDM) solution. The default state for all restrictions listed below is on unless the words “Default is off” are in the Restriction Functionality column.
Note: Not all restrictions are available in all MDM solutions, and they have the ability to change the default state for any restriction. To learn more about MDM restriction availability for your devices, consult your MDM vendor’s documentation.
Setting | Minimum supported operating systems | Supervised | Restriction functionality | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Use of cameras | visionOS 2.0 | No | Cameras are disabled and the Camera icon is removed from the Home Screen. Users can’t take photographs or videos. | ||||||||
Install apps | visionOS 2.0 | Yes | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. MDM app commands can still be used. Note: If native visionOS system apps are removed, they can be reinstalled. | ||||||||
Install apps using App Store | visionOS 2.0 | Yes | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. MDM app commands can still be used. | ||||||||
Modify account settings | visionOS 2.0 | Yes | Users can’t create new accounts or change their user name, password, or other settings associated with their account. | ||||||||
Force on-device-only dictation | visionOS 2.0 | No | Prevents dictated content from being sent to Siri servers for processing. Default is off. | ||||||||
Modify device name | visionOS 2.0 | Yes | Users can’t change the name of the device as shown in Settings > General > About. | ||||||||
Siri | visionOS 2.0 | No | Siri can’t be used. | ||||||||
Modify biometric authentication | visionOS 2.0(Optic ID) | Yes | Users can’t add or remove existing biometric information. | ||||||||
Install a configuration profile | visionOS 2.0 | Yes | Users can’t manually install configuration profiles in Settings. | ||||||||
iCloud Private Relay | visionOS 2.0 | No | Prevents the user from turning on iCloud Private Relay. | ||||||||
Managed pasteboard | visionOS 2.0 | No | Helps control the pasting of content from an app that’s using Open In management by following the Managed Open In restrictions in force. Apple apps that work with the managed pasteboard include Calendar, Files, Mail, and Notes. Third-party apps are controlled based on whether they’re managed. When a user attempts to paste content where it isn’t permitted, a Paste Not Allowed notice appears along with the organization’s name (which can be changed using the Settings command). Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. Default is off. | ||||||||
Allow personalized ads delivered by Apple | visionOS 2.0 | No | Users’ data won’t be used by the Apple advertising platform to deliver personalized ads. | ||||||||
Allow network drive connections | visionOS 2.0 | Yes | Users can’t connect to network drives in the Files app. | ||||||||
Share passwords over AirDrop | visionOS 2.0 | Yes | Users can’t share their passwords over AirDrop. | ||||||||
Unmanaged apps to read managed contacts | visionOS 2.0 | No | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading to managed destinations. Default is off. | ||||||||
Managed Apps to edit unmanaged contacts | visionOS 2.0 | No | Managed Apps can edit contacts to unmanaged accounts, even if Managed Apps are prevented from editing unmanaged destinations. Default is off. | ||||||||
Password AutoFill | visionOS 2.0 | Yes | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | ||||||||
Turn on “Set Automatically” in Date and Time settings | visionOS 2.0 | Yes | Set Automatically is turned on, and users can’t turn it off. Default is off. | ||||||||
Modify restrictions or Screen Time settings | visionOS 2.0 | Yes | Users can’t set their own restrictions on their device for iOS 11.4.1 or earlier. Users can’t set their own Screen Time settings on their device for iOS 12 or later. | ||||||||
Remove system apps | iOS 11 iPadOS 13.1 visionOS 2.0 | Yes | Users can’t remove native Apple apps. | ||||||||
Add VPN configurations | iOS 11 iPadOS 13.1 visionOS 2.0 | Yes | Users and third-party apps can’t create and add VPN configurations. | ||||||||
Require biometric authentication for AutoFill | visionOS 2.0 | Yes | Users are required to authenticate with biometric authentication, or passcode to automatically fill password and credit card information. Default is off. | ||||||||
Use biometric authentication to unlock device | visionOS 2.0 | No | Users must use a passcode to unlock the device. | ||||||||
Join only Wi-Fi networks installed by a Wi-Fi payload | visionOS 2.0 | Yes | Devices that have this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Default is off. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | ||||||||
Modify diagnostic settings | visionOS 2.0 | Yes | Modifying diagnostic data settings isn’t permitted. | ||||||||
Modify Notifications settings | visionOS 2.0 | Yes | Users can’t change the configuration of any Notifications settings. | ||||||||
Modify passcode or password | visionOS 2.0 | Yes | Users can’t change the passcode or password. | ||||||||
iCloud Photos | visionOS 2.0 | No | Users can’t use their iCloud Photos. | ||||||||
Trust new proprietary in-house app developers | visionOS 2.0 | No | Users can’t allow new proprietary in-house app developers to be trusted, which prohibits apps from those developers from launching. | ||||||||
Treat AirDrop as unmanaged destination | visionOS 2.0 | No | Users see AirDrop as an option from a Managed App. For this restriction to work when it’s enabled, you must also disable “Allow documents from managed sources in unmanaged destinations.”
Default is off. | ||||||||
Managed App’s stored data in iCloud | visionOS 2.0 | No | Users can’t store data from Managed Apps in iCloud. | ||||||||
Handoff | visionOS 2.0 | No | Users can’t use Handoff with their Apple devices. | ||||||||
Erase All Content and Settings | visionOS 2.0 | Yes | Users can’t erase their device and reset it to factory defaults. | ||||||||
iCloud Keychain | visionOS 2.0 | No | iCloud Keychain can’t be used. | ||||||||
AirDrop | visionOS 2.0 | Yes | Users can’t use AirDrop. | ||||||||
Documents from managed sources appear in unmanaged destinations | visionOS 2.0 | No | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations.
| ||||||||
Documents from unmanaged sources appear in managed destinations | visionOS 2.0 | No | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations.
| ||||||||
Send diagnostic and usage data to Apple | visionOS 2.0 | No | Users can’t choose to send diagnostic information to Apple. | ||||||||
iCloud Documents and Data | visionOS 2.0 | Yes | Documents and data aren’t added to iCloud. | ||||||||
iCloud Backup | visionOS 2.0 | No | Device backup can’t be performed. | ||||||||
FaceTime | visionOS 2.0 | Yes | Users can’t place or receive FaceTime audio or video calls. | ||||||||
Screenshots and screen recordings | visionOS 2.0 | No | Users can’t save a screenshot or recording of the screen. | ||||||||
Safari AutoFill | visionOS 2.0 | Yes | Safari doesn’t keep track of what users enter in web forms. | ||||||||
Users accept untrusted TLS certificates | visionOS 1.1 | No | Users aren’t asked if they want to trust certificates that can’t be verified. This setting applies to Safari, Mail, Contacts, and Calendar accounts. When this option is on, only certificates with trusted root certificates are accepted without a prompt. To view the root CAs accepted, see the Apple Support article List of available trusted root certificates in iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10. |