Apple visionOS 2 must disable "Password AutoFill" in browsers and applications.

Severity: medium
Group ID: V-276405
Group Title: PP-MDF-993300
Version: AVOS-02-012700
Rule ID: SV-276405r1146711_rule
Date: 2025-09-30
STIG Version: 1
Description
The AutoFill functionality in browsers and applications allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. If AutoFill is allowed, an adversary who learns a user's Vision Pro passcode, or who can otherwise unlock the device, may be able to further breach other systems by relying on the AutoFill feature to provide information unknown to the adversary. Disabling the AutoFill functionality significantly mitigates the risk of an adversary gaining further information about the device's user or compromising other systems.

SFR ID: FMT_SMF.1.1 #47
ℹ️ Check
This is a supervised-only control. If the Vision Pro being reviewed is not supervised by the MDM, this control is automatically a finding.

If the Vision Pro being reviewed is supervised by the MDM, review configuration settings to confirm "Password AutoFill is not allowed" is disabled.

This check procedure is performed on both the visionOS device management tool and the Vision Pro.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the visionOS management tool, verify "Password AutoFill is not allowed" is unchecked.

On the Vision Pro:
1. Open the Settings app.
2. Tap "General".
3. Tap "VPN & Device Management".
4. Tap the configuration profile from the visionOS management tool containing the restrictions policy.
5. Tap "Restrictions".
6. Verify "Password AutoFill is not allowed" is listed.

If "Password AutoFill is not allowed" is not enabled in the visionOS management tool and on the Apple device, this is a finding.
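The management-tool side of this check can be scripted against an exported profile. The following is an added example, not part of the STIG or any vendor tooling: it assumes the profile is exported as an unsigned plist and that the on-device label corresponds to the `allowPasswordAutoFill` key of Apple's Restrictions payload (`com.apple.applicationaccess`). The function names and sample profiles are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload type
AUTOFILL_KEY = "allowPasswordAutoFill"  # assumed key behind the STIG's on-device label


def autofill_findings(profile_bytes: bytes, supervised: bool) -> list[str]:
    """Return the findings for one exported configuration profile."""
    if not supervised:
        # The check treats an unsupervised device as an automatic finding.
        return ["device is not supervised: automatic finding"]
    profile = plistlib.loads(profile_bytes)  # accepts XML and binary plists
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["profile has no Restrictions payload"]
    findings = []
    for p in payloads:
        name = p.get("PayloadIdentifier", "<no identifier>")
        value = p.get(AUTOFILL_KEY)
        if value is None:
            # An absent key leaves the restriction unset, so AutoFill stays allowed.
            findings.append(f"{name}: {AUTOFILL_KEY} missing (AutoFill allowed)")
        elif value is not False:
            findings.append(f"{name}: {AUTOFILL_KEY} is {value!r}, expected False")
    return findings


def make_profile(restrictions: dict) -> bytes:
    """Build a constructed sample profile for the demonstration."""
    payload = {"PayloadType": RESTRICTIONS_TYPE,
               "PayloadIdentifier": "example.restrictions", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    samples = [("compliant", {AUTOFILL_KEY: False}),
               ("allowed", {AUTOFILL_KEY: True}),
               ("unset", {})]
    for label, body in samples:
        print(label, autofill_findings(make_profile(body), supervised=True))
```

An empty result means no finding for that profile; the on-device steps still have to be performed separately.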
✔️ Fix
Install a configuration profile to disable Password AutoFill in the management tool. This is a supervised-only control.