Apple visionOS 26 must disable "Password AutoFill" in browsers and applications.

STIG ID: AVOS-26-012700  |  SRG: PP-MDF-993300 |  Severity: medium (CAT II)  |  CCI: CCI-000366 |  Vulnerability Id: V-282815

Vulnerability Discussion

The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as Personally Identifiable Information, without previous knowledge of the information. By allowing the use of the AutoFill functionality, an adversary who learns a user's Vision Pro passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. Disabling the AutoFill functionality significantly mitigates the risk of an adversary gaining further information about the device's user or compromising other systems.

SFR ID: FMT_SMF.1.1 #47

Check

This is a supervised-only control. If the Vision Pro being reviewed is not supervised by the MDM, this control is automatically a finding.

If the Vision Pro being reviewed is supervised by the MDM, review the configuration settings to confirm the "Password AutoFill is not allowed" restriction is enabled.

This check procedure is performed on both the visionOS device management tool and the Vision Pro.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the visionOS management tool, verify "Password AutoFill is not allowed" is checked.

On the Vision Pro:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the Configuration Profile from the visionOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Password AutoFill is not allowed" is listed.

If "Password AutoFill is not allowed" is not enabled in the visionOS management tool and on the Apple device, this is a finding.

Fix

Install a configuration profile from the management tool that enables the "Password AutoFill is not allowed" restriction. This is a supervised-only control.