How to Find Macs With SIP Disabled and Enable It

SIP protects Macs by stopping any process, even one running as root, from modifying protected system files or tampering with system processes. It should be enabled.

What Is System Integrity Protection?

System Integrity Protection (often abbreviated as SIP) is a critical and foundational component of modern macOS security. At its core, SIP restricts all users of the system (even the root user) from modifying files that are part of the OS.

When SIP is enabled, the following locations are write-protected and cannot be modified, regardless of the user's privileges:

  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Most pre-installed macOS apps

Additionally, SIP goes beyond write protection and can actually prevent you (and software that you run) from reading or even listing certain sensitive or protected files. For example, the DB file that contains all of the information that powers the Screen Time feature is completely inaccessible, even as root.

With SIP enabled, you not only cannot read a sensitive file like ~/Library/Application Support/Knowledge/knowledgeC.db, you can't even tell it's there.

Once enabled, the only apps which can modify and read files protected under SIP are ones that are signed by Apple and contain specific entitlements.

How Do I Detect if SIP Is Enabled?

Using the Terminal

Checking the status of System Integrity Protection can be done from the terminal using the utility csrutil.

csrutil status

The csrutil command reports the status of SIP from a normal boot, but it cannot enable or disable SIP unless you are booted into macOS Recovery. Note that besides "enabled" and "disabled", csrutil status can report "unknown (Custom Configuration)" when only some of the protections have been switched off (for example with csrutil enable --without debug); a fleet check should treat anything other than "enabled" as failing.
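The following script is an added example, not code from the page or from Kolide: it classifies the text that csrutil status prints so a check can distinguish a fully enabled SIP from a disabled one and from a partially disabled "Custom Configuration". The sample outputs are constructed here to match the format csrutil prints; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output read from stdin.
# Prints one of: enabled, disabled, custom, unknown.
sip_state() {
  # Capture the first word after the status label: "enabled", "disabled" or "unknown".
  status=$(sed -n 's/^System Integrity Protection status: \([a-z]*\).*/\1/p')
  case "$status" in
    enabled)  echo enabled ;;
    disabled) echo disabled ;;
    unknown)  echo custom ;;    # "unknown (Custom Configuration)": some protections are off
    *)        echo unknown ;;   # not csrutil output at all; fail closed
  esac
}

# Exit status for a device check: 0 only when SIP is fully enabled.
sip_check() {
  [ "$(sip_state)" = enabled ]
}

# Constructed sample outputs (written to mirror what csrutil prints; not captured from a host).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: enabled
	Filesystem Protections: enabled
	Debugging Restrictions: disabled
	DTrace Restrictions: enabled
	NVRAM Protections: enabled
	BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

# On a real Mac:  csrutil status | sip_state
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CUSTOM" | sip_state   # prints: custom
```

The point of the third branch is that a naive grep for "disabled" misses the custom configuration case, which is exactly what tools like yabai and system-extension debugging leave behind.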

Using Osquery

You can also use an open-source tool like osquery to determine the SIP status of a Mac. The table below shows a fully enabled configuration: the sip flag is 1 and every allow_* flag is 0. Any allow_* flag set to 1 means that particular protection has been relaxed even if sip itself still reads 1.

SELECT * FROM sip_config;
+----------------------------+---------+---------------+
| config_flag                | enabled | enabled_nvram |
+----------------------------+---------+---------------+
| sip                        | 1       | 1             |
| allow_apple_internal       | 0       | 0             |
| allow_device_configuration | 0       | 0             |
| allow_kernel_debugger      | 0       | 0             |
| allow_task_for_pid         | 0       | 0             |
| allow_unrestricted_dtrace  | 0       | 0             |
| allow_unrestricted_fs      | 0       | 0             |
| allow_unrestricted_nvram   | 0       | 0             |
| allow_untrusted_kexts      | 0       | 0             |
+----------------------------+---------+---------------+
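As an added example (not code from the page, Kolide or the osquery project), the script below evaluates sip_config rows emitted by osqueryi in --line mode against the fully enabled baseline shown in the table above, so that a single relaxed allow_* flag is reported rather than hidden behind sip = 1. The sample rows are constructed here in osqueryi's --line layout; the reading of enabled_nvram as the value that takes effect on the next boot is an assumption about the column's semantics, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report every sip_config row that deviates from a fully enabled SIP.
# Baseline: config_flag "sip" must have enabled = 1; every allow_* flag must have enabled = 0.
# A row whose enabled and enabled_nvram values differ is reported as PENDING
# (assumption: NVRAM holds the setting that will apply on the next boot).
sip_findings() {
  awk '
    function flush() {
      if (flag == "") return
      bad = (en == "1")                      # any allow_* flag switched on is a finding
      if (flag == "sip") bad = (en != "1")   # the master flag must be on
      if (bad) printf "FAIL %s enabled=%s\n", flag, en
      if (en != nv) printf "PENDING %s enabled=%s enabled_nvram=%s\n", flag, en, nv
      flag = ""; en = ""; nv = ""
    }
    /^[ \t]*$/ { flush(); next }             # blank line separates rows in --line output
    {
      sub(/^[ \t]+/, "")                     # keys are right-aligned with leading spaces
      n = index($0, " = ")
      if (n == 0) next
      key = substr($0, 1, n - 1)
      val = substr($0, n + 3)
      if (key == "config_flag") flag = val
      else if (key == "enabled") en = val
      else if (key == "enabled_nvram") nv = val
    }
    END { flush() }
  '
}

# Pass/fail wrapper for a device check: succeeds only when there are no findings.
sip_pass() {
  [ -z "$(sip_findings)" ]
}

# Constructed samples in osqueryi --line layout (not captured from a real host).
# Master flag still on, but the task_for_pid restriction has been relaxed:
SAMPLE_PARTIAL='  config_flag = sip
      enabled = 1
enabled_nvram = 1

  config_flag = allow_task_for_pid
      enabled = 1
enabled_nvram = 1

  config_flag = allow_untrusted_kexts
      enabled = 0
enabled_nvram = 0
'
# Enabled at runtime, but NVRAM already holds "disabled" for the next boot:
SAMPLE_PENDING='  config_flag = sip
      enabled = 1
enabled_nvram = 0
'

# On a real Mac:
#   osqueryi --line "SELECT config_flag, enabled, enabled_nvram FROM sip_config;" | sip_findings
printf '%s' "$SAMPLE_PARTIAL" | sip_findings   # prints: FAIL allow_task_for_pid enabled=1
```

Reporting the partial case matters because `SELECT enabled FROM sip_config WHERE config_flag = 'sip'` alone returns 1 on a machine where, for example, debugging restrictions have been disabled for a window manager or system-extension development.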

Why Would System Integrity Protection Be Disabled?

System Integrity Protection is such an important security feature that it's hard to imagine many valid scenarios where it would be turned off intentionally. That said, there are a few situations where this happens:

Erroneously Turned Off at the Factory

For a short time in late 2016, Apple accidentally shipped its recently redesigned MacBook Pros with System Integrity Protection disabled. This was an error, but if you have a MacBook Pro from this period it is possible for SIP to still be disabled.

Disabled Intentionally by End-Users

Software that dramatically alters how macOS works, or that interfaces with hardware that was never designed to be used with Macs, often asks end users to disable SIP.

yabai, a popular tiling window manager for the Mac, requires users to at least partially disable SIP for its scripting addition.

The request to disable SIP is often meant to be temporary, but most end users never remember to re-enable it (or don't see the value in doing so).

Disabled Intentionally by a Developer

Developers who are building macOS System Extensions will likely need to disable SIP, and other essential macOS security capabilities, to perform testing and debugging.

Apple's documentation recommends that developers temporarily disable SIP when testing System Extensions.

How To Enable System Integrity Protection

  1. Click on the Apple logo at the far left of your Mac's menu bar.
  2. Click on Restart.
  3. Boot into macOS Recovery. On an Intel Mac, hold down Command-R while the Mac reboots. On a Mac with Apple silicon, shut the Mac down instead, then press and hold the power button until "Loading startup options" appears and choose Options.
  4. Click on the Utilities menu and launch Terminal.
  5. Type in csrutil enable and press Return.
  6. Restart your Mac again, then confirm with csrutil status that the status reads "enabled".

For more information, please refer to Apple’s Support Article

How Does Kolide Remediate This Problem?

This problem cannot be remediated through traditional automation with tools like an MDM. You need to be able to reach out to users who have devices that fail this check, and then give them precise instructions on how to resolve the problem.

Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device experiences this problem. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.

Quin's Macbook • MacBook Pro (16-inch, 2021)
Failing Check: System Integrity Protection (SIP)
Reason: System Integrity Protection (SIP) Disabled

Why is this a Problem?

System Integrity Protection is a security feature of macOS which enforces protection of system-owned files and directories against modification by processes. Fully or partially disabling SIP can expose your device to risk of system instability and malicious changes to critical files.

Required Action:

SIP can only be enabled and disabled via the command line when the device is booted into macOS Recovery. It is advisable to reach out to your administrator for help configuring System Integrity Protection. The following steps should be performed by an administrator:

  1. Click on the Apple logo at the far left of your Mac's menu bar.
  2. Click on Restart.
  3. Boot into macOS Recovery: hold down Command-R during reboot on an Intel Mac, or on a Mac with Apple silicon shut down and hold the power button until "Loading startup options" appears, then choose Options.
  4. Click on the Utilities menu.
  5. Launch Terminal.
  6. Type in csrutil enable and press Return.
  7. Restart your Mac again.

For more info please refer to Apple’s Support Article

I've fixed it. Check again
Contact Admin for help
