How to Disable System Integrity Protection (rootless) in OS X El Capitan

Oct 5, 2015 - 57 Comments


Apple has enabled a new default security-oriented feature called System Integrity Protection, often called rootless, in OS X 10.11 onward. The rootless feature is aimed at preventing Mac OS X compromise by malicious code, whether intentional or accidental. Essentially, SIP locks down specific system-level locations in the file system while simultaneously preventing certain processes from attaching to system-level processes.

While the System Integrity Protection security feature is effective and the vast majority of Mac users should leave rootless enabled, some advanced Mac users may find rootless to be overly protective. Thus, if you’re in the group of advanced Mac users who do not want SIP rootless enabled on their OS X installation, we’ll show you how to turn this security feature off.

For those wondering, System Integrity Protection locks down the following system level directories in OS X:

/usr (with the exception of /usr/local subdirectory)

Accordingly, rootless may cause some apps, utilities, and scripts to not function at all, even with sudo privilege, root user enabled, or admin access.

Turning Off Rootless System Integrity Protection in OS X El Capitan 10.11 +

Again, the vast majority of Mac users should not disable rootless. Disabling rootless is aimed exclusively at advanced Mac users. Do so at your own risk; this is not specifically recommended.

  1. Reboot the Mac and hold down Command + R keys simultaneously after you hear the startup chime, this will boot OS X into Recovery Mode
  2. When the “OS X Utilities” screen appears, pull down the ‘Utilities’ menu at the top of the screen instead, and choose “Terminal”
  3. Type the following command into the terminal then hit return:

     csrutil disable; reboot

  4. You’ll see a message saying that System Integrity Protection has been disabled and the Mac needs to restart for changes to take effect, and the Mac will then reboot itself automatically, just let it boot up as normal

You can also issue the command by itself without the automatic reboot like so:

csrutil disable

By the way, if you’re interested in disabling rootless, you may also want to disable Gatekeeper while you’re in the command line too.

If you plan on doing something else in the Terminal or OS X Utilities screen you may want to leave off the auto-reboot command at the end, and yes, in case you were wondering, this is the same recovery mode used to reinstall OS X with Internet Recovery.

Once the Mac boots up again, System Integrity Protection will be disabled entirely in OS X.

Checking the Status of Rootless / System Integrity Protection in OS X

If you want to know the status of rootless before rebooting or without rebooting the Mac into recovery mode, just issue the following command into the Terminal:

csrutil status

You’ll see one of two messages, either enabled or disabled:

$ csrutil status
System Integrity Protection status: enabled.


$ csrutil status
System Integrity Protection status: disabled

If at any time you wish to change the status of rootless, another reboot into Recovery Mode is required.
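
For auditing the setting rather than changing it, here is an added example (not from the original article) that classifies `csrutil status` output, including the "enabled (Custom Configuration)" form a reader reports in the comments, where the first line says enabled although every listed protection is disabled. The function names, the partial/unknown labels, and the treatment of "Apple Internal" as a flag rather than a protection are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output for a compliance check.
# Reads the output on stdin, prints: enabled | disabled | partial | unknown

sip_state() {
    awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /status: disabled/)           summary = "disabled"
            else if ($0 ~ /Custom Configuration/)  summary = "custom"
            else if ($0 ~ /status: enabled/)       summary = "enabled"
            next
        }
        # Per-protection lines, e.g. "Filesystem Protections: disabled".
        # Assumption: "Apple Internal" is a mode flag, not a protection.
        /^[ \t]*[A-Za-z ]+: (enabled|disabled)[ \t]*$/ {
            if ($0 ~ /Apple Internal/) next
            if ($NF == "disabled") off++; else on++
        }
        END {
            if (summary == "custom") {
                if (off > 0 && on == 0) print "disabled"
                else if (off > 0)       print "partial"
                else                    print "enabled"
            } else if (summary != "")   print summary
            else                        print "unknown"
        }'
}

# The shortcut this guards against: matching only the word "enabled".
naive_state() {
    if grep -q 'status: enabled'; then echo enabled; else echo disabled; fi
}

# Sample outputs copied from the page (article text and one reader comment).
sample_enabled()  { echo 'System Integrity Protection status: enabled.'; }
sample_disabled() { echo 'System Integrity Protection status: disabled'; }
sample_custom() {
    cat <<'EOF'
System Integrity Protection status: enabled (Custom Configuration).

Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled
EOF
}

if command -v csrutil >/dev/null 2>&1; then
    echo "this Mac: $(csrutil status | sip_state)"
else
    for s in sample_enabled sample_disabled sample_custom; do
        echo "$s: naive=$($s | naive_state) parsed=$($s | sip_state)"
    done
fi
```

On a Mac the script reports the live state; elsewhere it runs the embedded samples and shows that the naive match reports the custom configuration as enabled.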

How to Re-Enable Rootless System Integrity Protection in OS X

Simply reboot the Mac again into Recovery Mode as directed above, but at the command line use the following syntax instead:

csrutil enable

Just as before, a reboot of the Mac is required for changes to take effect.

As previously stated, the vast majority of Mac users should leave rootless enabled and embrace System Integrity Protection, as most OS X users have no business in the system level directories anyway. Adjusting this feature is really aimed at advanced Mac users, whether IT, sysadmins, network administrators, developers, tinkerers, security operations, and other related highly technical fields.


Posted by: Paul Horowitz in Command Line, Mac OS X, Security, Tips & Tricks



  1. 49ers says:

    I had to turn off SIP so that Homebrew would work properly in OS X after updating. I think any developer is going to want SIP turned off. It’s useful for the typical user, yes, but for those who know what they’re doing, it’s a bit nanny-like.

    I suspect each subsequent OS X update will re-enable SIP, so be prepared to make this adjustment after any update, OS X 10.11.1, OS X 10.11.2, OS X 10.11.3, OS X 10.11.4, OS X 10.11.5, etc

  2. Andrew says:

    I really hope this feature will expand more in the future. Rootless is very limited but useful, but I can imagine a lot of users including not so tech savvy ones disabling it for one or two apps. It needs something more flexible akin to how SELinux or RBAC works on Linux, complete with policies that can be deployed network-wide.

    For me as a developer, I have no problem going back to no rootless mode, as well as disabling other new security features. But I would not want people not so tech savvy to disable such features.

  3. vdiv says:

    Had to turn it off to get the Microsoft Intellipoint software to work, can’t live without that mouse back button.

    • Dick says:

      vdiv, did turning off System Integrity Protection get your Intellipoint working? Is it still working? I have done that and re-installed Intellipoint but I still can’t change the pointer speed, or get Intellipoint to work. Very frustrating.

      MacBook Pro Retina 15″ (mid-2014) 2.5 GHz Intel Core i7
      OS X 10.11.2
      Memory: 16 GB
      Graphics NVIDIA GeForce GT 750M 2048 MB
      Intellimouse Optical

  4. Alex says:

    Maybe a developer can answer this.

    If an app that worked in Yosemite, but doesn’t in EC and you turn off SIP, reinstall the app then reenable SIP, would it break the app again?

    • Winter says:

      Depends what the app is doing in the protected directories. Using Homebrew, for example, needs to have a user accessible /usr/local/ directory to run properly and install in /usr/local/bin/ etc

      • Sharmanshik says:

        No need to disable SIP for Homebrew, at least since one of latest, running homebrew pretty well, you can manage permissions on /usr/local with SIP enabled

      • Bryan says:

        The permissions on /usr/local/bin and /usr/local/share keep reverting to root:wheel on each reboot, and thus brew upgrades will fail until I change it back to $(whoami):admin.

        Are there permanent solutions to this other than disabling SIP or running sudo chown -R $(whoami):admin /usr/local after every reboot?

  5. PJALM says:

    Wow, I am a dev and I would never disable it. If an app requires it to be disabled then that app is not worth running to me.

    • Alex says:

      Correct me if I’m wrong on this thought, but I thought BOM files were written to a file in private/var and now it is off limits, or is my understanding totally messed up?

    • Flavors is just a simple “look and feel” app – it is VERY worth running to me and the ability to change the look and feel of the default OS is HUGE for one app I used daily for 4 months – with Flavors OFF, I cannot see if the 500 layers in the app are checked or not as the app chooses a very subtle color for the check boxes…

    • vistalite says:

      Effectively, a basic application with no particular needs will work with SIP, but a lot of applications need to access all of your computer. Root is already here to protect these files, and if there is a security problem with root, then fix it, but what Apple is doing is like putting a band-aid on a water leak, rather than repairing the pipe.
      And what will be the next update, no access to your filesystem like in iOS? By doing this, yeah, people cannot make any mistakes, but it’s only because they cannot do anything, and no one will know how it’s working, or will be free to use what applications they want, change what they want.

    • Gustavo Costa says:

      Are TotalFinder, Aspesis and LiteIcon worthless running to you? A bigoted apologist fanboy.

  6. Pierre Merineau says:

    Would SIP prevent uTorrent from opening?

  7. Leafsley says:


    How about figuring out how to get the Debug menu back in El Cap’s Disk Utility?

    • Paul says:

      Just realized the existing debug command doesn’t work for Disk Utility in 10.11+, will look into it, if you find something beforehand do send an email or tweet!

  8. I think developers need to reconfigure their apps to not use these protected directories. I work a lot with Casper, and I noted that with their latest update, they moved the JAMF process from /usr/sbin to /usr/local. That proves that this can be done. Let’s make things better for the end user, not easier for the developer. I prefer to have more security instead of developers who don’t want to get with the program.

  9. Bert Visscher says:

    I found the word “featured” which should be “feature”.

  10. Inhab says:

    Does this procedure allow you to delete OS apps like FontBook or GameCenter? I could do it in the previous OS, but in El Capitan it is not possible to change the privileges of these apps (from the ‘get info’ window) to be able to erase them.

    • Inhiba says:

      Yes, it does! Make sure you empty the trash bin before you enable the SIP again, otherwise the deleted apps remain in the bin and refuse to leave.

  11. Werner Tebelmann says:

    I just tried this on my iMac 27 inch running OS X 10.11
    (15A284). After “csrutil disable” I checked with “csrutil status” and got ‘System Integrity Protection status: enabled’

    However, after reboot, status showed ‘disabled’

    Any ideas?

    • som says:

      Yes, you need to reboot for change to take effect.

      But really, you should not disable this feature, it is going to help most users.

    • LBaily says:

      That’s what is supposed to happen. Exactly as stated in this article.

      Rule 1 if you don’t understand the cause and effect of what you are doing don’t do it….. So unless you have a specific reason to disable SIP then again as suggested in this article don’t do it….

  12. DG says:

    Ok, so.
    I understand that CSRUTIL is stored in the NVRAM and is persistent across reboots.
    If you install El Cap and then decide to revert to an earlier OS (even as far back as 10.7), does this setting cause any conflict?
    I know that the command has no ‘man’ entries.

  13. maddogpom says:

    Found this most useful :) as I hate iTunes and some other apps that Apple insist on installing. Once you have disabled csrutil you can delete the bloat. But recommend enabling csrutil after you have finished.

  14. Orlando says:

    SIP is yet another way for Apple to control what software you have installed, what you can do with your system. And the Apple apologist on this thread will swear by it.

    SIP has single-handedly ruined development for a lot of smaller developers. What a joke.

    • LA-TONIA says:

      Yes, Orlando. I found this to be true. None of my third party wireless adapter drivers (and some applications), are working anymore. SIP has gotta go! Protection is one thing, but forgetting your brand identity and implementing countless invasive features at the root level with each OS X upgrade, is mind boggling. #noSIP

  15. Myron Gochnauer says:

    As an ordinary end-user I am happy with most changes to increase security, but it seems SIP permanently disables TotalFinder, a utility that makes Finder much more convenient for me. Rats!

  16. Paulo says:

    I have an audio interface, M-AUDIO OZONIC FIREWIRE. With SIP enabled it doesn’t work. When SIP is disabled… it works fine… Suggestions? Or is it ok to work with SIP disabled?

  17. Manulife says:

    I tried to disable SIP. This causes a kernel panic after reboot.
    Any ideas about this?

    • Photographer333 says:

      I had the same issue. When you see the text overlay for the kernel panic over the normal startup screen, take a picture of it. It has information about which kext file is causing it. Mine was caused by the kext file kudsnetgear.kext (Part of the Netgear Genie Application). I moved the kext file to the trash (Kept a backup elsewhere), restarted in recovery, disabled SIP, restarted, and it worked perfectly.

  18. Dj Mafia (DiGodFada) says:

    Yes, this works 100% in fixing the problem. After I disabled it I was able to delete the file. Now the system is working fast again on battery and kernel_task is not taking up too much speed.

    try 12-10-2015 at 1:02 p.m Jamaica time.

    Thanks for this easy fix.

  19. Chris says:

    So… I disabled SIP as instructed in order to get a node.js script to work. It did not solve the issue and when I run csrutil status, I get the following message:

    System Integrity Protection status: enabled (Custom Configuration).

    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

    • David says:

      Same here – Are you also running OSX on a custom fusion drive?

      It seems one HAS to have the Recovery HD inside of the system drive. My Recovery HD is a part of the SSD but not included in the fusion drive. If I boot into the recovery and ask for the csrutil status it says it’s disabled but as soon as I boot up into the normal system it’s still enabled.

  20. Andrew says:


    I did as stated in the explanation, but I get:


    And cannot change in any way the SIP to disable it.

    Can anybody help me to solve it?

    If anybody wishes to know why I need to disable it, it is because Winclone cannot make my copied Windows on an external SSD disk bootable.

    • exan says:

      Hi Andrew,

      I have the same problem.

      Did you fix it ? If yes can you tell me how to fix it ?

      Thank you


    • Ronny Schenkels says:

      I encountered the same problem : command not found

      When checking the Recovery HD, the basesystem.dmg still is using OS X 10.10 (Yosemite), so that is why the csrutil command is not available.

      Now checking on how to ‘upgrade’ the Recovery HD basesystem.dmg to OS X 10.11 (El Capitan)

    • h says:

      Same problem here. Internet recovery mode and command not found (macbook).

    • Kon says:

      Did you use Command-Option-R or Command-R?
      I used the former and got the same COMMAND NOT FOUND problem.
      Then I tried the latter, the command was found and executed like normal :)

  21. Mkassis says:

    This works 100%
    Thank you very much :)

  22. K says:

    Just want to confirm that this is a positive fix with osx 10.11 and M-Audio/Ozonic and Native Instruments/Ableton Live … I am running a macbook Pro mid-2010 13″. Hope it works for you too! Wahoo! I thought I was completely screwed.

    • Fa says:

      I am having a huge problem with Ableton Live 9 on the just works if I disable the SIP or do I have to do another setup?
      I am fighting with El capitan

  23. Logic Pro MIDI Hub says:

    Just wanted to say that I managed to get my old Firewire 1814 working again, running OS 10.11.3 (Beta). At first I was a little disappointed that I couldn’t get the 1814’s Mixer to work but I found out that I get the same controls in Audio/MIDI Setup so it’s all good. I’ll continue using my 1814 until it is no longer functioning (which I hope will not be anytime in the not too distant future). It sucks that M-Audio discontinued support so soon for their Firewire devices.. I’ll never get why they did that especially since the devices are still functioning correctly.

  24. Rickson says:

    I have problem with my m- audio in Cubase 2626 8 My sound does not start ! Only when I change the sample rate and soon to go again! It is impossible to work! I need urgent help my studio is stopped ! HELP ME

    My Hackintosh Yosemite 10.10.5
    Firewire PCI texas instruments
    Core Q9550 2quad 2.83 8G DDR 2800 GTX 750ti 2048mb

    • ITN says:

      This is about disabling SIP rootless protection in OS X El Capitan, it has nothing to do with Cubase or Yosemite or using “Hackintosh” hardware that is not supported by Apple.

      Buy a Mac and ask Apple for help.

      In related unrelated news, I can’t believe the price of homes nowadays!

  25. DJmpb says:

    I can’t seem to get csrutil to work. I boot into Recovery mode with command R. I run /Volumes/Macintosh\ /HD/usr/bin/csrutil and it says operation not supported. I see the file but I cannot run it.

  26. John says:

    Yes, those are worthless. The poster’s point, which I agree with as a multiple-OS user working in information security, is any app requiring this kind of privilege needs a real business justification, not look & feel garbage. You want running-lights and a wing, good for you. I want my stuff to work and I won’t run shoddy code written by lazy developers using workarounds to make something work, and likewise won’t run code written by good developers changing protected parts of my system. This is the same whether I’m running Windows, Linux or OS X.

    Aside from that, a developer writing and testing their code on a system with SIP disabled leaves the real possibility that they write their software such that it won’t run with SIP, which will affect 99% of their customers. That’s their choice of course, and yours to disable it as well, but there’s immense safety (and freedom to mess with everything else) when you leave protection technology like this in place. Again, in Windows, Linux and OS X alike.

  27. Pablo says:

    Hi! I have a problem, PT works fine but I can’t turn off my computer. Do you know what’s going on? How can I fix it?

  28. anonmouse says:

    Wanna tinker with your system?

    Why not just install parallels and run Gentoo and play and tinker with all the system files you like, for days on end and then compile and compile and compile for months nonstop?

    Can’t do without macs?

    Easy….install Gentoo Prefix on your mac… can compile, install and run the apps in the Gentoo repository on your mac.

    And you get to tinker in that prefix directory all you want too… is like having two operating system running on your mac natively at the same time!

  29. Tommy says:

    How can I temporarily disable SIP on a mac installed on 2 SSDs in a RAID1 Mirror? Meaning I have no recovery to boot into (not compatible with RAID os drives)…can i boot off a usb installer and run the command and hope it sticks?

    • John Sawyer says:

      I just tried this, on a Mid 2009 Macbook running 10.11.4. I booted the Macbook from a USB stick that contains the El Capitan installer, and from the Installer’s Utilities menu, I selected Terminal, entered the ‘csrutil disable’ command, and it worked fine–SIP was still off after I restarted the Macbook from its internal hard drive. So apparently the setting is stored in NVRAM (which is something to remember if you reset the NVRAM later).
