How to Manage System Integrity Protection (aka rootless) on Mac OS Sierra

This article outlines some common questions and their answers related to System Integrity Protection (SIP) like how to check the status of it, how, why, and when to enable and disable it in Mac OS Sierra and other supported versions.

System Integrity Protection feature, which is also known as rootless in unofficial documents, was introduced in OS X El Capitan. The primary purpose of it is to prevent the third-party software from changing and modifying the main System files.

What is System Integrity Protection (SIP)?

As we all know that we can make different types of user accounts on our Mac OS powered PCs, like Admin user, Standard user, and a guest user. Besides these, some accounts are already there by default which are usually hidden. One of these is root user or superuser. Prior to El Capitan, root user was awarded unrestricted status to change the system files which are usually not accessible by other normal accounts. In SIP, the root user is also restricted to modify the protected parts of the Mac operating system.

The Directories Protected Under SIP

Apple applied SIP to only those directories and paths which they considered are used by the system and are not needed by a common user.

The top directories include:

• /System
• /user
• /bin
• /sbin
• and applications preinstalled with macOS

The following directories are still available for write by the users, third-party applications and different types of installers.

• /Appications
• /Library
• /user/local

Besides these restricted locations, some files outside of these locations are also protected by SIP. Even in these protected directories, some files are excepted too.

The list of these restricted and excepted files can be found in the rootless.conf file.

How to Manage SIP?

The configurations of the SIP are stored in NVRAM rather than in the file system. It means it is configurable only when the system is in recovery mode.

When we log into the local environment with the standard user account, we can’t modify the contents of SIP.

However, the apps signed by Apple can be bundled with the privileges to change the contents of the blocked folders.

The only thing we can perform when we are logged in is to check its status and get the help page of SIP.

An important thing to know is the changes made to SIP settings by a user in the recovery mode persist even if we re-install the operating system. If you disabled/enabled it in the past and now re-installed the updated Mac OS, please check its current status before installing any third-party software.

How to Check the Status?

If you want to check the status whether System Integrity Protection is enabled on your MacBook or not, follow these steps.

Step 1: Go to Applications > Utilities and open Terminal.

Alternatively, you can also fire up Terminal app after finding it using the Spotlight Search option.

Step 2: In the Terminal, type the following command:

csrutil status

This command will tell us if the MacBook is already protected by this feature or not.

If you simply type the “csrutil” command without “status”, it will pull up the help page.

How and Why to Disable SIP?

Most of the apps don’t need the access to those SIP protected files. But, there are certain third-party apps which don’t run properly or crash upon launching when SIP is enabled on the PC. It happens because they can’t get access to the needed files present in the restricted directories.

In such cases, when you want to run a special app or modify some system files locked by SIP, here is the method to turn it off.

Step 1: Shut down the Mac.

Step 2: Turn it on but hold down the “Command + R” keys on the keyboard as soon as you hear the startup chime. You can leave the keys when you see Apple logo.

The system will boot into Recovery Mode.

Step 3: When the macOS Utilities menu appears, left-click the “Utilities” and then click the “Terminal”.

Step 4: In the Terminal, write the following command:

csrutil disable

A confirmatory message will appear next to the command stating “Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.”

Step 5: Now write “reboot” to restart your Mac computer.

How to Enable Rootless:

After you have performed the specific task, it is always recommended to enable SIP (aka rootless) as soon as possible so that any third-party app doesn’t change the default structure of the protected files.

Here is how you can enable SIP.

Step 1: Reboot your Mac in the recovery mode as we shown above.

Step 2: Type the following command in the Terminal:

csrutil enable

Reboot the PC for the necessary changes to take effect.

Selectively Enable SIP:

We can also enable SIP while disabling some of its aspects.

The following configurations can be disabled individually while keeping the SIP enabled.

1. Apple Internal
2. Kext Signing
3. Filesystem Protections
4. Debugging Restrictions
5. DTrace Restrictions
6. NVRAM Protections

Before listing the actual commands, it is very important to know that these settings are for advanced users only who know what they are doing. You are cautioned that your Mac may behave abnormally after applying such changes.

1. Enable SIP and allow installation of unsigned kernel extensions

csrutil enable –without kext

2. Keep SIP enabled while to disable filesystem protections

csrutil enable –without fs

3. Enable the SIP but disable debugging restrictions

csrutil enable –without debugging

4. Disable DTrace restrictions but keep the other aspects of SIP enabled

csrutil enable –without dtrace

5. Keep the SIP enabled but disable NVRAM restrictions

csrutil enable –without nvram

All these commands are run in the recovery mode.

How to Reset SIP:

The csrutil tool can also reset all the custom configurations back to the defaults values.

If you want to reset the settings, simply type the following command in Terminal after entering recovery mode.

csrutil clear

Conclusion:

System Integrity Protection is a great feature to safeguard the system files against unnecessary, unwanted and harmful changes by the third party applications. A common user should always keep it enabled. The advanced users or those who want to run some special type of programs can disable it.

Enter email to get Updates in your inbox: