Each new release of Apple’s desktop operating system seems to place more restrictions on users than the last. System Integrity Protection (or SIP for short) might be the biggest change yet.
Introduced with OS X 10.11 El Capitan, SIP places restrictions on a user’s ability to modify certain folders altogether. While some condemned Apple’s latest security technology as a means of taking control away from the user, it’s there for good reason.
There’s little reason to disable it at all (but we’ll show you how, if you really want to).
What Is System Integrity Protection?
SIP is a security feature designed to protect the most vulnerable parts of your operating system. In short, it prevents even a user with root access (by means of the sudo command) from modifying certain locations on your primary partition. It’s meant to keep Mac users safe, just like previous software restrictions introduced by Gatekeeper.
This is likely a response to the growing number of Mac malware threats that put your Mac at risk. In contrast to the days when Apple relied on the “I’m a Mac, and I’m a PC” advertising line, the Mac is now a much bigger target for malware. It’s not hard to find ransomware, spyware, keyloggers or plain old adware aimed at Apple’s platform.
SIP protects a few core areas of the drive where the operating system is installed, including /usr (but not /usr/local). Some symbolic links from /var are also protected, though the target directories themselves are not. The safety measure prevents processes without sufficient privileges (including admin users with root access) from writing to these folders and the files stored within.
The technology also prevents other “risky” operations, like code injection. Apple is concerned that changes made to these parts of your system could put your Mac at risk and cause damage to the OS. Locking out root admin access safeguards your Mac against sudo-level commands executed remotely and locally.
So Why Disable It?
When the feature was first introduced, some apps that relied on modifying certain protected system folders or files no longer worked. As a rule, these are quite “intrusive” modifications that change the way many core OS elements and first-party apps function. Certain backup and restoration tools, and apps that dealt specifically with the behavior of other devices, were also affected.
If you want to use software that depends on such a modification to work, you’re going to have to disable SIP first. There’s no way to make an exception for a certain app if it lacks the required privileges. This has led to speculation that the change will affect smaller developers, who lack the means of working with Apple to ensure their software continues to function.
While this may be true, many applications that initially wouldn’t work under El Capitan have been rewritten to do so by now. Bartender is one such app, which provides a way to tidy up Mac menu bar icons. The original Bartender only works with OS X 10.10 and below, while Bartender 2 works with El Capitan and above. Default Folder X is another tweak designed to enhance Open and Save dialogs which had to be completely rewritten for El Capitan and later. It now works flawlessly.
Not all apps have undergone a complete rewrite and some still need SIP to be disabled to work. Fortunately, this is often a temporary arrangement, like in the case of Winclone. This Boot Camp cloning and backup solution requires the user to disable SIP in order to write to protected areas of the drive. The feature can be enabled again afterwards.
SwitchResX is another such app that requires SIP to be disabled. It provides enhanced control over external displays, which relies on a specific resolution being specified in a protected file. Once the display has been configured, the user can restore SIP until they need to make another change. Other apps like XtraFinder (and many more applications that change the appearance and functionality of Finder) require the feature be enabled with a code injection workaround (using the command csrutil enable --without debug).
Because of the change, some apps have ceased development entirely. Others get away with advising users to disable SIP only temporarily, then re-enable it. The key here is to be wary, before you buy, of apps that modify your system’s appearance or behavior, or a built-in app or feature (like Finder, Spotlight or the dock). Much of the time a quick Google search or a glance at the FAQ will suffice.
How to Disable System Integrity Protection
If you do decide to disable SIP, be aware that your Mac is technically just as secure as it was when you were running OS X 10.10 Mavericks. You’ll still need to supply root access to write to certain areas of the drive, which requires admin privileges. It’s also possible to re-enable SIP easily if you decide to do so later.
Most Mac users will never have the need to disable SIP. Also, it’s worth leaving the feature enabled unless you run into a hurdle. If you need to make changes to a protected folder or use software that lacks the privileges to do so, here’s what to do:
- Restart your Mac by clicking the Apple logo in the top left and choosing Restart.
- Hold down Command + R while your Mac boots to enter Recovery Mode.
- Once your Mac has booted, head to Utilities and launch Terminal.
- Type csrutil disable and hit Enter.
- Restart your Mac as normal.
All done! You can easily re-enable the feature by booting back into Recovery Mode, launching Terminal and typing csrutil clear followed by Enter.
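After re-enabling SIP it is worth confirming the resulting state, since a command such as csrutil enable --without debug leaves only part of the protection switched on. The script below is an added example, not part of the original article: it classifies the text printed by csrutil status, and the sample outputs and the function names sip_state and sip_weakened are constructed here for illustration.

```shell
#!/bin/sh
# Added example: classify the text printed by `csrutil status`.
# The SAMPLE_* strings are constructed, not captured from a real Mac.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
    NVRAM Protections: enabled'

# sip_state TEXT -> prints enabled | disabled | custom | unknown
sip_state() {
    status_line=$(printf '%s\n' "$1" |
        grep -i 'System Integrity Protection status:' | head -n 1)
    case "$status_line" in
        # A partial configuration can be reported as "enabled", so test it first.
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# sip_weakened TEXT -> prints each individual protection reported as disabled.
# Assumption: "Apple Internal" is not a protection and is skipped.
sip_weakened() {
    printf '%s\n' "$1" | sed -n \
        -e '/status:/d' \
        -e '/Apple Internal/d' \
        -e 's/^[[:space:]]*\(.*\):[[:space:]]*disabled$/\1/p'
}

if command -v csrutil >/dev/null 2>&1; then
    # On a Mac: inspect the live state (works from the normal desktop).
    live=$(csrutil status 2>&1)
    echo "This Mac: $(sip_state "$live")"
    sip_weakened "$live"
else
    # Elsewhere: demonstrate on the constructed sample.
    echo "Sample: $(sip_state "$SAMPLE_CUSTOM")"
    sip_weakened "$SAMPLE_CUSTOM"
fi
```

Anything other than a plain "enabled" result means at least one protection described in this article is not in force.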
Have You Disabled SIP?
Maybe you’re willing to take your chances and turn SIP off. Perhaps you’d rather Apple didn’t dictate what you can and can’t change. Maybe an app requires SIP to be disabled. Or you are someone who enjoys tweaking the system. If you have disabled the feature, we’d love to hear why.
Disabling System Integrity Protection allowed me to chmod -x Siri, which fixed my problem of it popping up whenever I pressed my headset btn
— Brian by Santana ft (@brianloveswords) November 28, 2016
There’s little reason to turn the feature off until you find the need to do so. Remember, reinstalling macOS is likely to re-enable the feature. It’s also likely Apple will keep introducing security features and permission controls with each new macOS release.