Each new release of Apple’s desktop operating system seems to place more restrictions on users than the last. System Integrity Protection (or SIP for short) might be the biggest change yet.
There’s little reason to disable it at all (but we’ll show you how, if you really want to).
What Is System Integrity Protection?
This is likely a response to the growing number of Mac malware threats that put your Mac at risk. In contrast to the days when Apple relied on the “I’m a Mac, and I’m a PC” advertising line, the Mac is now a much bigger target for malware. It’s not hard to find ransomware, spyware, keyloggers or plain old adware aimed at Apple’s platform.
SIP protects a few core areas of the drive where the operating system is installed, including /usr (but not /usr/local). Some symbolic links from /var are also protected, though the target directories themselves are not. The safety measure prevents processes without sufficient privileges (including admin users with root access) from writing to these folders and the files stored within.
The technology also prevents other “risky” operations, like code injection. Apple is concerned that changes made to these parts of your system could put your Mac at risk and cause damage to the OS. Locking out root admin access safeguards your Mac against sudo-level commands executed remotely and locally.
So Why Disable It?
If you want to use software that depends on such a modification to work, you’re going to have to disable SIP first. There’s no way to make an exception for a certain app if it lacks the required privileges. This has led to speculation that the change will affect smaller developers, who lack the means of working with Apple to ensure their software continues to function.
Not all apps have undergone a complete rewrite and some still need SIP to be disabled to work. Fortunately, this is often a temporary arrangement, like in the case of Winclone. This Boot Camp cloning and backup solution requires the user to disable SIP in order to write to protected areas of the drive. The feature can be enabled again afterwards.
SwitchResX is another such app that requires SIP to be disabled. It provides enhanced control over external displays, which relies on a specific resolution being specified in a protected file. Once the display has been configured, the user can restore SIP until they need to make another change. Other apps like XtraFinder (and many more applications that change the appearance and functionality of Finder) require the feature be enabled with a code injection workaround (using the command csrutil enable --without debug).
Because of the change, some apps have ceased development entirely. Others get away with advising users to disable SIP only temporarily, then re-enable it again. The key here is to be wary, before you buy, of apps that modify your system’s appearance or behavior, or a built-in app or feature (like Finder, Spotlight or the dock). Much of the time a quick Google search or a glance at the FAQ will suffice.
How to Disable System Integrity Protection
If you do decide to disable SIP, be aware that your Mac is technically just as secure as it was when you were running OS X 10.10 Mavericks. You’ll still need to supply root access to write to certain areas of the drive, which requires admin privileges. It’s also possible to re-enable SIP easily if you decide to do so later.
Most Mac users will never have the need to disable SIP. Also, it’s worth leaving the feature enabled unless you run into a hurdle. If you need to make changes to a protected folder or use software that lacks the privileges to do so, here’s what to do:
- Restart your Mac by clicking the Apple logo in the top left and choosing Restart.
- Hold down Command + R while your Mac boots to enter Recovery Mode.
- Once your Mac has booted, head to Utilities and launch Terminal.
- Type csrutil disable and hit Enter.
- Restart your Mac as normal.
All done! You can easily re-enable the feature by booting back into Recovery Mode, launching Terminal and typing csrutil clear followed by Enter.
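To confirm what state a Mac was actually left in after the steps above, including the partial configuration produced by csrutil enable --without debug, the following shell script parses the text printed by csrutil status. It is an added example, not part of the original article; the sample output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the text printed by `csrutil status`.
# Constructed sample, modelled on the output after `csrutil enable --without debug`.
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled'

# Print enabled, disabled, custom or unknown for a block of status text.
classify_sip_status() {
    line=$(printf '%s\n' "$1" | sed -n '/System Integrity Protection status:/{p;q;}')
    case "$line" in
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# List the protections a custom configuration reports as disabled, one per line.
# "Apple Internal" is skipped: assumed here to read "disabled" on retail Macs.
relaxed_protections() {
    printf '%s\n' "$1" |
        sed -n -e '/Apple Internal/d' -e 's/^[[:space:]]*\(.*\): disabled$/\1/p'
}

# Print a one-line verdict; return 0 only when SIP is fully enabled.
audit_sip() {
    case "$(classify_sip_status "$1")" in
        enabled)  echo "OK: SIP fully enabled"; return 0 ;;
        custom)   echo "WARN: SIP customised, relaxed: $(relaxed_protections "$1" | paste -sd, -)"; return 1 ;;
        disabled) echo "FAIL: SIP disabled"; return 2 ;;
        *)        echo "UNKNOWN: could not parse csrutil output"; return 3 ;;
    esac
}

# On a Mac, audit the live state; elsewhere fall back to the constructed sample.
if command -v csrutil >/dev/null 2>&1; then
    audit_sip "$(csrutil status 2>&1)" || true
else
    audit_sip "$SAMPLE_CUSTOM" || true
fi
```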
Have You Disabled SIP?
Maybe you’re willing to take your chances and turn SIP off. Perhaps you’d rather Apple didn’t dictate what you can and can’t change. Maybe an app requires SIP to be disabled. Or you are someone who enjoys tweaking the system. If you have disabled the feature, we’d love to hear why.
There’s little reason to turn the feature off until you find the need to do so. Remember, reinstalling macOS is likely to re-enable the feature. It’s also likely Apple will keep introducing security features and permission controls with each new macOS release.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.