Mac Security

How to Disable System Integrity Protection (and Why You Shouldn’t)

Tim Brookes 28-12-2016

Each new release of Apple’s desktop operating system seems to place more restrictions on users than the last. System Integration Protection (or SIP for short) might be the biggest change yet.


Introduced with OS X 10.11 El Capitan, SIP places restrictions on a user’s ability to modify certain folders altogether. While some condemned Apple’s latest security technology as a means of taking control away from the user Is Apple's macOS Rebrand More Than Just a Name Change? Dropping the OS X moniker, something Apple has been using for 15 years, feels like a big deal. But is it just the name that's changing? Read More , it’s there for good reason.

There’s little reason to disable it at all (but we’ll show you how, if you really want to).

What Is System Integrity Protection?

SIP is a security feature designed to protect the most vulnerable parts of your operating system. In short, it prevents even a user with root access (by means of the sudo command) from modifying certain locations on your primary partition. It’s meant to keep Mac users safe, just like previous software restrictions introduced by Gatekeeper What Is GateKeeper & How Does It Help Protect My Mac? [MakeUseOf Explains] Will your favorite programs ever run again? Certain programs won't load anymore - a message about Unidentified Developers shows up instead. There isn't even an obvious option to run the app. Gatekeeper just might be... Read More .

This is likely a response to the growing number of Mac malware threats 5 Easy Ways to Infect Your Mac With Malware Malware can definitely affect Mac devices! Avoid making these mistakes or else you'll end up getting your Mac infected. Read More that put your Mac at risk. In contrast to the days when Apple relied on the “I’m a Mac, and I’m a PC” advertising line, the Mac and is now a much bigger target for malware. It’s not hard to find ransomware, spyware, keyloggers or plain old adware aimed at Apple’s platform.

mac el capitan


SIP protects a few core areas of the drive where the operating system is installed, including /System, /bin, /sbin, /usr (but not /usr/local). Some symbolic links from /etc, /tmp, and /var are also protected, though the target directories themselves are not. The safety measure prevents processes without sufficient privileges (including admin users with root access) from writing to these folders and the files stored within.

The technology also prevents other “risky” operations too, like code injection. Apple is concerned that changes made to these parts of your system could put your Mac at risk and cause damage to the OS. Locking out root admin access safeguards your Mac against sudo-level commands executed remotely and locally.

So Why Disable It?

When the feature was first introduced, some apps that relied on modifying certain protected system folders or files no longer worked. As a rule, these are quite “intrusive” modifications that change the way many core OS elements and first party apps function El Capitan Means The End Of Mac Themes & Deep System Tweaks If you like customizing your Mac, Yosemite might be the last version of OS X that works for you. And that's too bad. Read More . Certain backup and restoration tools, and apps that dealt specifically with the behavior of other devices were also affected.

If you want to use software that depends on such a modification to work, you’re going to have to disable SIP first. There’s no way to make an exception for a certain app if it lacks the required privileges. This has led to speculation that the change will affect smaller developers, who lack the means of working with Apple to ensure their software continues to function.


default folder x sip

While this may be true, many applications that initially wouldn’t work under El Capitan have been rewritten to do so by now. Bartender is one such app, which provides a way to tidy up Mac menu bar icons How To Customize & Tidy Your Mac Menu Bar Nothing makes OS X look cluttered faster than unwanted menubar icons. Read More . The original Bartender only works with OS X 10.10 and below, while Bartender 2 works with El Capitan and above. Default Folder X is another tweak designed to enhance Open and Save dialogs which had to be completely rewritten for El Capitan and later. It now works flawlessly.

Not all apps have undergone a complete rewrite and some still need SIP to be disabled to work. Fortunately, this is often a temporary arrangement, like in the case of Winclone. This Boot Camp cloning and backup solution 5 Local Mac Backup Solutions That Aren't Time Machine There are lots of Mac backup options out there, and many of them have features that Apple's default backup app just can't compete with. Read More requires the user to disable SIP in order to write to protected areas of the drive. The feature can be enabled again afterwards.

xtra finder sip


SwitchResX is another such app that requires SIP to be disabled. It provides enhanced control over external displays, which relies on a specific resolution being specified in a protected file. Once the display has been configured, the user can restore SIP until they need to make another change. Other apps like XtraFinder (and many more applications that change the appearance and functionality of Finder) require the feature be enabled with a code injection workaround (using the command csrutil enable --without debug).

Because of the change, some apps have ceased development entirely. Others get away with advising users to only disable of SIP temporarily, then re-enable it again. The key here is to be weary of apps that modify your system’s appearance or behavior, a built-in app or feature (like Finder, Spotlight or the dock), before you buy. Much of the time a quick Google search or a glance at the FAQ will suffice.

How to Disable System Integrity Protection

If you do decide to disable SIP, be aware that your Mac is technically just as secure as it was when you were running OS X 10.10 Mavericks. You’ll still need to supply root access to write to certain areas of the drive, which requires admin privileges. It’s also possible to re-enable SIP easily if you decide to do so later.

Most Mac users will never have the need to disable SIP. Also, it’s worth leaving the feature enabled unless you run into a hurdle. If you need to make changes to a protected folder or use software that lacks the privileges to do so, here’s what to do:

  1. Restart your Mac by clicking the Apple logo in the top left and choosing Restart.
  2. Hold down Command + R while your Mac boots to enter Recovery Mode.
  3. Once your Mac has booted, head to Utilities and launch Terminal.
  4. Type csrutil disable and hit Enter.
  5. Restart your Mac as normal.

All done! You can easily re-enable the feature by booting back into Recovery Mode, launching Terminal and typing csrutil clear followed by Enter.

Have You Disabled SIP?

Maybe you’re willing to take your chances and turn SIP off. Perhaps you’d rather Apple didn’t dictate what you can and can’t change. Maybe, an app requires SIP to be disabled. Or, you are someone who enjoys tweaking the system. If you have disabled the feature, we’d love to hear why.

There’s little reason to turn the feature off until you find the need to do so. Remember, reinstalling macOS is likely to re-enable the feature. It’s also likely Apple will keep introducing security features and permission controls with each new macOS release.

To SIP or not to SIP? Let us know in the comments below.

Image Credit: Issarawat Tattong via

Related topics: Anti-Malware, Computer Security, macOS Sierra, OS X El Capitan.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Vehbi Gencay
    March 28, 2017 at 11:39 am

    USB Ethernet adapter is not working. Disabling and then enabling SIP is claimed to solve the problem.

  2. Ronald M.
    March 25, 2017 at 3:22 am

    I have never used Spotlight from OS X 10.4 onward. I disabled SIP in order to uninstall the Spotlight databases, the menubar icon, the caches and the Spotlight preference pane in System Preferences. I will most likely do the same with Time Machine, and other default OS X system apps in 10.11. SIP protects many system applications like Photos, FaceTime and iCloud. Of course, I have reenabled SIP and will disable and reenable as needed in the future.

    • Tim Brookes
      March 28, 2017 at 12:03 am

      Why remove one of the most useful parts of the operating system? Furthermore, why bother removing these core components when they'll only be installed again every time you update your OS. Seems like a losing battle to me.

      • mematron
        October 24, 2017 at 3:35 pm

        Because the hardcore mac users aren't frikkin' n00bs like the current generation that lack creativity.

        I use the command line daily and write my own applications when I need something to do what I need it to do my way.

        SIP is should be called HIP (Hipster Integrity Protection) or OSX N00b 1.0

  3. David R.
    February 7, 2017 at 7:05 am

    In order to be able to delete a time machine backup from a client's computer, I needed to disable SIP. It Worked like a charm, I recovered those valuable TB's and re-enabled it. I'm happy now, MANY thanks for the helpful article. :)

    • Tim Brookes
      February 17, 2017 at 2:56 am

      Hi David,

      Glad the guide helped you out. Thanks for letting us know why you needed to disable SIP, I hadn't considered that scenario before.


    • glee217
      July 28, 2017 at 2:40 am

      I have os 10.12.5 Sierra so is it safe to follow this guide?

    • Glee217
      July 28, 2017 at 2:54 am

      Yep just did it on os 10.12.5 saved a few gigs for old backups that I dont need for time machine. Thanks for both!