
Mac OS X El Capitan – How to manage SIP (System Integrity Protection)

Apple's new system, Mac OS X El Capitan, brings its newest and most secure system protection on the market. Or so they say…

System Integrity Protection — also known as “rootless” — functions by restricting the root account so that the operating system kernel puts checks on the root user’s access and won’t allow it to do certain things, such as modify protected locations or inject code into protected system processes.

All kernel extensions must be signed, and you can’t disable System Integrity Protection from within Mac OS X itself. Applications with elevated root permissions can no longer tamper with system files. While that's a good thing for a standard user, it's not necessarily a win-win scenario for more advanced users who like to play with their systems or install plugins that require a bit more permissions.

Solution

Managing SIP requires you to boot into Recovery Mode by restarting Mac OS X El Capitan and then using terminal commands to control System Integrity Protection.

To boot into Recovery Mode, restart Mac OS X and hold Command+R until the system enters Recovery Mode. This puts you in the recovery environment, where SIP can be disabled without too much effort.

While inside Recovery Mode, click the “Utilities” menu and select “Terminal” to open a terminal window.

 

The command that does all the heavy lifting is called csrutil. While it can be executed in normal mode, the commands that we will be using require Recovery OS.

usage: csrutil <command>
Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
Available commands:

    clear
        Clear the existing configuration. Only available in Recovery OS.
    disable
        Disable the protection on the machine. Only available in Recovery OS.
    enable
        Enable the protection on the machine. Only available in Recovery OS.
    status
        Display the current configuration.
    netboot
        add <address>
            Insert a new IPv4 address in the list of allowed NetBoot sources.
        list
            Print the list of allowed NetBoot sources.
        remove <address>
            Remove an IPv4 address from the list of allowed NetBoot sources.

Type the following command into the terminal and execute it to verify the status of System Integrity Protection.

csrutil status

System Integrity Protection status: enabled.

or

csrutil status

System Integrity Protection status: disabled.

After verifying whether System Integrity Protection is enabled or not, you can decide whether to disable or enable SIP.

To disable SIP, type in the following command and press ENTER:

csrutil disable

Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.

Restart Mac OS X El Capitan and your new System Integrity Protection setting will take effect. The root user will now have full, unrestricted access to the entire operating system and every file, just like it used to in Mac OS X Yosemite.

To re-enable SIP, type in the following command and press ENTER:

csrutil enable 

Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

And you're ready to go “rootless” again.
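Because csrutil status also works outside Recovery OS, the resulting state can be checked from a script after the reboot, for example to confirm that SIP was switched back on. The following is an added example, not part of the original post: the function names and the report line format are assumptions, and only the two status lines shown above are treated as definitive, with any other output reported as unknown.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output for a compliance check.
# Only the two status lines quoted in this post are accepted; anything else
# (empty output, extra qualifiers, error text) is "unknown" and needs review.

# sip_state: read `csrutil status` output on stdin, print enabled|disabled|unknown.
sip_state() {
    state=unknown
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "System Integrity Protection status: enabled.")  state=enabled ;;
            "System Integrity Protection status: disabled.") state=disabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# sip_exit_code: map a state to an exit status (0 enabled, 1 disabled, 2 unknown).
sip_exit_code() {
    case "$1" in
        enabled)  return 0 ;;
        disabled) return 1 ;;
        *)        return 2 ;;
    esac
}

# sip_check: same as sip_state, but reports the result as an exit status only.
sip_check() {
    sip_exit_code "$(sip_state)"
}

# sip_report: run on the Mac itself in normal mode; prints one line per host
# (hypothetical format) and returns the exit status described above.
sip_report() {
    if ! command -v csrutil >/dev/null 2>&1; then
        printf '%s sip=unknown reason=csrutil-not-found\n' "$(hostname)"
        return 2
    fi
    report_state=$(csrutil status 2>/dev/null | sip_state)
    printf '%s sip=%s\n' "$(hostname)" "$report_state"
    sip_exit_code "$report_state"
}

# Only query the machine when asked to: sh sip_check.sh report
if [ "${1:-}" = report ]; then
    sip_report
fi
```

A non-zero exit status from sip_report means SIP is either disabled or could not be determined, so both cases can be flagged by the same monitoring rule.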


Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
