The Apple visionOS 2 must be supervised by the MDM.

Severity: medium
Group ID: V-276407
Group Title: PP-MDF-993300
Version: AVOS-02-013200
Rule ID: SV-276407r1146717_rule
Date: 2025-09-30
STIG Version: 1
Description
When visionOS is not supervised, the DOD mobile service provider cannot control when new visionOS updates are installed on site-managed devices. Most updates should be installed immediately to mitigate new security vulnerabilities, while some sites need to test each update prior to installation to ensure critical missions are not adversely impacted by the update. Several password and data protection controls can be implemented only when an Apple device is supervised.

SFR ID: FMT_SMF.1.1 #47
ℹ️ Check
Review configuration settings to confirm site-managed visionOS devices are supervised.

This check procedure is performed on both the Apple visionOS management tool and the Vision Pro.

Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the visionOS management tool, verify all managed Apple devices are supervised (verification procedure will vary by MDM product).

Note: If the Apple device is not managed by an MDM and supervision is set up via Apple Configurator, this procedure is not applicable.

On the Vision Pro:
1. Open the Settings app.
2. Verify a message similar to the following appears on the screen: "This AVP is supervised by (name of site DOD mobile service provider)."

If site-managed visionOS devices are not supervised, this is a finding.
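For the management-tool half of this check, one way to audit supervision across a fleet, given here as an added example that is not part of the STIG. It assumes the MDM can export raw DeviceInformation command responses (property lists) that carry Apple's IsSupervised query key; the export format, UDIDs and sample responses are constructed.

```python
import plistlib

def _response(udid, supervised=None, status="Acknowledged"):
    """Build a constructed DeviceInformation response plist (sample data only)."""
    query = {"DeviceName": "AVP-" + udid[-4:]}
    if supervised is not None:
        query["IsSupervised"] = supervised
    return plistlib.dumps({"CommandUUID": "constructed-" + udid, "UDID": udid,
                           "Status": status, "QueryResponses": query})

# Constructed sample export; real responses come from the site's MDM (assumption).
SAMPLE_RESPONSES = [
    _response("CONSTRUCTED-UDID-0001", True),
    _response("CONSTRUCTED-UDID-0002", False),
    _response("CONSTRUCTED-UDID-0003"),                  # key not reported
    _response("CONSTRUCTED-UDID-0004", status="Error"),  # query failed
    b"truncated export record",                          # not a plist at all
]

def audit_supervision(raw_responses):
    """Return (udid, reason) for each device not positively confirmed supervised."""
    findings = []
    for raw in raw_responses:
        try:
            doc = plistlib.loads(raw)
            if not isinstance(doc, dict):
                raise ValueError("top-level object is not a dictionary")
        except Exception:  # plistlib raises several error types on bad input
            findings.append(("<unparseable>", "response is not a valid plist"))
            continue
        udid = doc.get("UDID", "<unknown>")
        if doc.get("Status") != "Acknowledged":
            findings.append((udid, f"command status {doc.get('Status')!r}; supervision unknown"))
            continue
        value = (doc.get("QueryResponses") or {}).get("IsSupervised")
        if value is True:
            continue  # the only state that passes the check
        reason = "IsSupervised is false" if value is False else "IsSupervised not reported"
        findings.append((udid, reason))
    return findings

if __name__ == "__main__":
    for udid, reason in audit_supervision(SAMPLE_RESPONSES):
        print(f"FINDING {udid}: {reason}")
```

Anything other than an explicit true value is reported, so a device that never answered the query is not silently counted as compliant.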
✔️ Fix
Use one of the following methods to supervise visionOS devices managed by the DOD mobile service provider.

Method 1:
- Register all current and new visionOS devices in the DOD mobile service provider's Automated Device Management/Apple Business Manager (ABM) account.
- Enable supervision of managed visionOS devices in the MDM.

Method 2:
- Configure each visionOS device using the Apple Configurator tool for Supervision.
- This method is usually only appropriate when MDM management of the DOD Apple device is not appropriate or an older device cannot be registered in ABM.