System Integrity Protection (often abbreviated as SIP) is a critical and foundational component of modern macOS security. At its core, SIP prevents every user on the system (even the root user) from modifying files that are part of the OS.
When SIP is enabled, the following locations have write protection that prevents them from being modified:
- Most pre-installed macOS apps
Additionally, SIP goes beyond write protection and can actually prevent you (and software that you run) from reading or even listing certain sensitive or protected files. For example, the DB file that contains all of the information that powers the Screen Time feature is completely inaccessible, even as root.
For example: `~/Library/Application Support/Knowledge/knowledgeC.db` (you can't even tell it's there).
Once enabled, the only apps that can read and modify SIP-protected files are ones that are signed by Apple and carry specific entitlements.
Checking the status of System Integrity Protection can be done from the terminal using the `csrutil` utility. The `csrutil` command can be used to determine the status of SIP, but it cannot be used to enable or disable SIP unless you are booted into Recovery Mode.
You can also use an open-source tool like osquery to determine the SIP status of a Mac:
```sql
SELECT * FROM sip_config;
```

```
+----------------------------+---------+---------------+
| config_flag                | enabled | enabled_nvram |
+----------------------------+---------+---------------+
| sip                        | 1       | 1             |
| allow_apple_internal       | 0       | 0             |
| allow_device_configuration | 0       | 0             |
| allow_kernel_debugger      | 0       | 0             |
| allow_task_for_pid         | 0       | 0             |
| allow_unrestricted_dtrace  | 0       | 0             |
| allow_unrestricted_fs      | 0       | 0             |
| allow_unrestricted_nvram   | 0       | 0             |
| allow_untrusted_kexts      | 0       | 0             |
+----------------------------+---------+---------------+
```
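A fleet check should not stop at the `sip` row: the `allow_*` rows show individual restrictions that have been lifted, and a difference between `enabled` and `enabled_nvram` means the running state will change at the next reboot. The following is an added example (not Kolide's or osquery's own code) that evaluates the rows of the `sip_config` table as emitted by `osqueryi --json`; the sample rows are constructed, not captured from a real device.

```python
import json

# Constructed sample of `osqueryi --json "SELECT * FROM sip_config;"` output
# (not from a real device): SIP is on, the kext restriction was lifted in the
# running configuration, and NVRAM already holds the restored value.
SAMPLE_JSON = json.dumps([
    {"config_flag": "sip", "enabled": "1", "enabled_nvram": "1"},
    {"config_flag": "allow_untrusted_kexts", "enabled": "1", "enabled_nvram": "0"},
    {"config_flag": "allow_unrestricted_fs", "enabled": "0", "enabled_nvram": "0"},
    {"config_flag": "allow_task_for_pid", "enabled": "0", "enabled_nvram": "0"},
])


def evaluate_sip(rows):
    """Classify sip_config rows (osquery emits every value as a string).

    Returns (verdict, relaxed, pending):
      verdict  "disabled" if the sip row is 0; "custom" if sip is 1 but any
               allow_* flag is set in the running config; otherwise "enabled".
      relaxed  allow_* flags currently set, i.e. restrictions that are lifted.
      pending  flags whose NVRAM value differs from the running value, so the
               running state will change after the next reboot.
    """
    by_flag = {r["config_flag"]: r for r in rows}
    if "sip" not in by_flag:
        raise ValueError("sip_config output has no 'sip' row")
    running = {f: r["enabled"] == "1" for f, r in by_flag.items()}
    nvram = {f: r["enabled_nvram"] == "1" for f, r in by_flag.items()}

    relaxed = sorted(f for f in running if f.startswith("allow_") and running[f])
    pending = sorted(f for f in running if running[f] != nvram[f])

    if not running["sip"]:
        verdict = "disabled"
    elif relaxed:
        verdict = "custom"
    else:
        verdict = "enabled"
    return verdict, relaxed, pending


def check_sip(json_text):
    """Parse osqueryi --json output and return evaluate_sip's result."""
    return evaluate_sip(json.loads(json_text))


if __name__ == "__main__":
    verdict, relaxed, pending = check_sip(SAMPLE_JSON)
    print(f"SIP: {verdict}; relaxed={relaxed}; changes at next reboot={pending}")
```

Only a verdict of `enabled` with an empty `pending` list should count as a passing device.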
System Integrity Protection is such an important security feature that it's hard to imagine any valid scenario where it would be turned off intentionally. That said, there are a few situations where this happens:
For a short time in late 2016, Apple accidentally shipped its recently redesigned MacBook Pros with System Integrity Protection disabled. This was an error, but if you have a MacBook Pro from this time period, it is possible that SIP is still disabled.
Software that dramatically alters the functions of macOS or interfaces with non-standard hardware (devices not designed to be used with PCs) often asks end-users to disable SIP.
Often the request to disable SIP is meant to be temporary, but most end-users never remember (or don't see the value in) re-enabling it.
Developers who are building macOS System Extensions will likely need to disable SIP and other essential macOS security capabilities to perform testing and debugging.
- Click on the Apple Logo at the far left of your Mac’s Menu bar.
- Click on Restart.
- Hold down CMD + R during the restart to enter Recovery Mode.
- Click on the Utilities Menu and launch Terminal.
- Type in
- Restart your Mac again.
For more information, please refer to Apple's Support Article.
This problem cannot be remediated through traditional automation with tools like an MDM. You need to be able to reach out to users who have devices that fail this check, and then give them precise instructions on how to resolve the problem.
Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device fails this check. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.
System Integrity Protection is a security feature of macOS which enforces protection of system-owned files and directories against modification by processes. Fully or partially disabling SIP can expose your device to risk of system instability and malicious changes to critical files.
SIP can only be enabled and disabled via the command-line when the device is booted into Recovery Mode. It is advisable to reach out to your administrator for help configuring System Integrity Protection. The following steps should be performed by an administrator:
- Click on the Apple Logo at the far left of your Mac's Menubar.
- Click on Restart.
- Hold down CMD + R during reboot to enter Recovery Mode.
- Click on the Utilities Menu.
- Launch Terminal.
- Type in
- Restart your Mac again.
For more information, please refer to Apple's Support Article.