
Device management restrictions for Apple Vision Pro devices
You can set restrictions for Apple Vision Pro devices that enrol in a device management service. The default state for all restrictions listed below is on unless the words “Default is off” are in the Restriction Functionality column.
Note: Not all restrictions are available in all device management services, and they have the ability to change the default state for any restriction. To learn more about device management restriction availability for your devices, consult your developer’s device management service documentation.
| Setting | Minimum supported operating system | Supervised | Restriction functionality | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Allow Safari summary | visionOS 2.4 | Yes | Prevents the ability to summarise content in Safari. | ||||||||
| Allow Mail smart replies | visionOS 2.4 | Yes | Prevents smart replies in Mail. | ||||||||
| Allow external intelligence workspace IDs | visionOS 2.4 | Yes | If present, Apple Intelligence allows only the given external integration workspace ID to be used, and requires a sign-in in order to make requests; the user needs to sign in to integrations that support signing in. This is an array of strings but is currently restricted to a single element. Multiple payloads are combined using an intersect operation. This means the allowed set of workspace IDs can become the empty set if conflicting values are specified in multiple payloads. | ||||||||
| Allow signing in to external intelligence integrations | visionOS 2.4 | No | Forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction signs them out. | ||||||||
| Allow external intelligence integrations | visionOS 2.4 | No Note: In a future release, this restriction will require supervision and will be ignored on non-supervised devices. | Prevents the use of external, cloud-based intelligence services with Siri. This currently includes ChatGPT and Google Lens (visual intelligence). | ||||||||
| Allow writing tools | visionOS 2.4 | Yes | Prevents Apple Intelligence writing tools. | ||||||||
| Allow Image Playground | visionOS 2.4 | Yes | Prevents users from using Image Playground. | ||||||||
| Allow Genmoji | visionOS 2.4 | Yes | Prevents users from creating a Genmoji. | ||||||||
| Allow default browser modification | visionOS 2.2 | No | Prevents the default browser preference modification. The  | ||||||||
| Use of cameras | visionOS 2.0 | No | Cameras are disabled and the Camera icon is removed from the Home Screen. Users can’t take photographs or videos. | ||||||||
| Install apps | visionOS 2.0 | Yes | App Store is disabled and its icon doesn’t appear on the Home Screen. Users can’t install or update apps. App commands are still available for use. Note: If native visionOS system apps are removed, they can be reinstalled. | ||||||||
| Install apps using App Store | visionOS 2.0 | Yes | App Store is disabled and its icon doesn’t appear on the Home Screen. Users can’t install or update apps. App commands are still available for use. | ||||||||
| Modify account settings | visionOS 2.0 | Yes | Users can’t create new accounts or change their username, password, or other settings associated with their account. | ||||||||
| Force on-device-only dictation | visionOS 2.0 | No | Prevents dictated content from being sent to Siri servers for processing. Default is off. | ||||||||
| Modify device name | visionOS 2.0 | Yes | Users can’t change the name of the device as shown in Settings > General > About. | ||||||||
| Siri | visionOS 2.0 | No | Siri can’t be used. | ||||||||
| Modify biometric authentication | visionOS 2.0 (Optic ID) | Yes | Users can’t add or remove existing biometric information. | ||||||||
| Install a configuration profile | visionOS 2.0 | Yes | Users can’t manually install configuration profiles in Settings. | ||||||||
| iCloud Private Relay | visionOS 2.0 | Yes | Prevents the user from turning on iCloud Private Relay. | ||||||||
| Managed pasteboard | visionOS 2.0 | No | Helps control the pasting of content from an app that’s using Open In management by following the Managed Open In restrictions in force. Apple apps that work with the managed pasteboard include Calendar, Files, Mail and Notes. Third-party apps are controlled based on whether they’re managed. When a user attempts to paste content where it isn’t permitted, a Paste Not Allowed notice appears along with the organisation’s name (which can be changed using the Settings command). Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. Default is off. | ||||||||
| Allow personalised ads delivered by Apple | visionOS 2.0 | No | Users’ data won’t be used by the Apple advertising platform to deliver personalised ads. | ||||||||
| Allow network drive connections | visionOS 2.0 | Yes | Users can’t connect to network drives in the Files app. | ||||||||
| Share passwords over AirDrop | visionOS 2.0 | Yes | Users can’t share their passwords over AirDrop. | ||||||||
| Unmanaged apps to read managed contacts | visionOS 2.0 | No | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading to managed destinations. Default is off. | ||||||||
| Managed Apps to edit unmanaged contacts | visionOS 2.0 | No | Managed Apps can edit contacts to unmanaged accounts, even if Managed Apps are prevented from editing unmanaged destinations. Default is off. | ||||||||
| Password AutoFill | visionOS 2.0 | Yes | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | ||||||||
| Turn on “Set Automatically” in Date and Time settings | visionOS 2.0 | Yes | Set Automatically is turned on, and users can’t turn it off. Default is off. | ||||||||
| Modify restrictions or Screen Time settings | visionOS 2.0 | Yes | Users can’t set their own restrictions on their device for iOS 11.4.1 or earlier. Users can’t set their own Screen Time settings on their device for iOS 12 or later. | ||||||||
| Remove system apps | iOS 11 iPadOS 13.1 visionOS 2.0 | Yes | Users can’t remove native Apple apps. | ||||||||
| Add VPN configurations | iOS 11 iPadOS 13.1 visionOS 2.0 | Yes | Users and third-party apps can’t create and add VPN configurations. | ||||||||
| Require biometric authentication for AutoFill | visionOS 2.0 | Yes | Users are required to authenticate with biometric authentication or a passcode to automatically fill password and credit card information. Default is off. | ||||||||
| Use biometric authentication to unlock device | visionOS 2.0 | No | Users need to use a passcode to unlock the device. | ||||||||
| Join only Wi-Fi networks installed by a Wi-Fi payload | visionOS 2.0 | Yes | Devices that have this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Default is off. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | ||||||||
| Modify diagnostic settings | visionOS 2.0 | Yes | Modifying diagnostic data settings isn’t permitted. | ||||||||
| Modify Notifications settings | visionOS 2.0 | Yes | Users can’t change the configuration of any Notifications settings. | ||||||||
| Modify passcode or password | visionOS 2.0 | Yes | Users can’t change the passcode or password. | ||||||||
| iCloud Photos | visionOS 2.0 | No | Users can’t use their iCloud Photos. | ||||||||
| Trust new proprietary in-house app developers | visionOS 2.0 | No | Users can’t allow new proprietary in-house app developers to be trusted, which prohibits apps from those developers from launching. | ||||||||
| Treat AirDrop as unmanaged destination | visionOS 2.0 | No | Users see AirDrop as an option from a Managed App. For this restriction to work when it’s enabled, you also need to disable “Allow documents from managed sources in unmanaged destinations”. 
 Default is off. | ||||||||
| Managed App’s stored data in iCloud | visionOS 2.0 | No | Users can’t store data from Managed Apps in iCloud. | ||||||||
| Handoff | visionOS 2.0 | No | Users can’t use Handoff with their Apple devices. | ||||||||
| Erase All Content and Settings | visionOS 2.0 | Yes | Users can’t erase their device and reset it to factory defaults. | ||||||||
| iCloud Keychain | visionOS 2.0 | No | iCloud Keychain can’t be used. | ||||||||
| AirDrop | visionOS 2.0 | Yes | Users can’t use AirDrop. | ||||||||
| Documents from managed sources appear in unmanaged destinations | visionOS 2.0 | No | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations. 
 | ||||||||
| Documents from unmanaged sources appear in managed destinations | visionOS 2.0 | No | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations. 
 | ||||||||
| Send diagnostic and usage data to Apple | visionOS 2.0 | No | Users can’t choose to send diagnostic information to Apple. | ||||||||
| iCloud Documents and Data | visionOS 2.0 | Yes | Documents and data aren’t added to iCloud. | ||||||||
| iCloud Backup | visionOS 2.0 | No | Device backup can’t be performed. | ||||||||
| FaceTime | visionOS 2.0 | Yes | Users can’t place or receive FaceTime audio or video calls. | ||||||||
| Screenshots and screen recordings | visionOS 2.0 | No | Users can’t save a screenshot or recording of the screen. | ||||||||
| Safari AutoFill | visionOS 2.0 | Yes | Safari doesn’t keep track of what users enter in web forms. | ||||||||
| Users accept untrusted TLS certificates | visionOS 1.1 | No | Users aren’t asked if they want to trust certificates that can’t be verified. This setting applies to Safari, Mail, Contacts and Calendar accounts. When this option is on, only certificates with trusted root certificates are accepted without a prompt. To view the root CAs accepted, see the Apple Support article List of available root certificates in iOS 18, iPadOS 18, macOS 15, tvOS 18, visionOS 2 and watchOS 11. | ||||||||