Skip to main content

Disabling automatic command approval in Copilot clients

Disable YOLO mode to stop agents from running commands without approval.

Who can use this feature?

Enterprise owners

Note

This feature is in public preview and subject to change.

You can prevent users from enabling bypass mode (also known as "YOLO mode") in Copilot CLI and VS Code. Bypass mode lets an agent run commands, access files, and fetch URLs without asking for approval. By disabling it for your enterprise, you ensure that a person reviews each of these actions.

What disabling bypass mode prevents

The disableBypassPermissionsMode setting is defined in your enterprise's managed-settings.json file and applies to users on your enterprise's Copilot plan.

When you set disableBypassPermissionsMode to "disable", users cannot turn on YOLO mode in either client:

  • In Copilot CLI, the --yolo, --allow-all, --allow-all-tools, --allow-all-paths, and --allow-all-urls command-line options and the /yolo and /allow-all slash commands are blocked.
  • In VS Code, the global auto-approve setting (chat.tools.global.autoApprove), also known as "YOLO mode," is turned off and cannot be re-enabled.

Disabling bypass mode for your enterprise

  1. In your enterprise's .github-private repository, create the managed settings file at copilot/managed-settings.json. If you haven't set a .github-private repository as your enterprise's source of agent configuration, see Creating a .github-private repository.

    The legacy path (.github/copilot/settings.json) is also supported.

  2. Add the following property.

    JSON
    {
      "permissions": {
        "disableBypassPermissionsMode": "disable"
      }
    }