How to Disable System Integrity Protection (rootless) in OS X El Capitan

Oct 5, 2015 - 73 Comments


Apple has enabled a new default security-oriented feature called System Integrity Protection, often called rootless, in OS X 10.11 onward. The rootless feature is aimed at preventing Mac OS X compromise by malicious code, whether intentional or accidental. Essentially, SIP locks down specific system-level locations in the file system while simultaneously preventing certain processes from attaching to system-level processes.

While the System Integrity Protection security feature is effective and the vast majority of Mac users should leave rootless enabled, some advanced Mac users may find rootless to be overly protective. Thus, if you’re in the group of advanced Mac users who do not want SIP rootless enabled on their OS X installation, we’ll show you how to turn this security feature off.

For those wondering, System Integrity Protection locks down the following system level directories in OS X:

/usr (with the exception of /usr/local subdirectory)

Accordingly, rootless may cause some apps, utilities, and scripts to not function at all, even with sudo privilege, root user enabled, or admin access.

Turning Off Rootless System Integrity Protection in OS X El Capitan 10.11 +

Again, the vast majority of Mac users should not disable rootless. Disabling rootless is aimed exclusively at advanced Mac users. Do so at your own risk; this is not specifically recommended.

  1. Reboot the Mac and hold down the Command + R keys simultaneously after you hear the startup chime; this will boot OS X into Recovery Mode
  2. When the “OS X Utilities” screen appears, pull down the ‘Utilities’ menu at the top of the screen instead, and choose “Terminal”
  3. Type the following command into the terminal then hit return:

     csrutil disable; reboot

  4. You’ll see a message saying that System Integrity Protection has been disabled and the Mac needs to restart for changes to take effect, and the Mac will then reboot itself automatically; just let it boot up as normal

You can also issue the command by itself without the automatic reboot like so:

csrutil disable

By the way, if you’re interested in disabling rootless, you may also want to disable Gatekeeper while you’re in the command line too.

If you plan on doing something else in the Terminal or OS X Utilities screen you may want to leave off the auto-reboot command at the end, and yes, in case you were wondering, this is the same recovery mode used to reinstall OS X with Internet Recovery.

Once the Mac boots up again, System Integrity Protection will be disabled entirely in OS X.

Checking the Status of Rootless / System Integrity Protection in OS X

If you want to know the status of rootless before rebooting or without rebooting the Mac into recovery mode, just issue the following command into the Terminal:

csrutil status

You’ll either see one of two messages, enabled indi:

$ csrutil status
System Integrity Protection status: enabled.


$ csrutil status
System Integrity Protection status: disabled

If at any time you wish to change the status of rootless, another reboot into Recovery Mode is required.
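
The status check above, as an added example that is not part of the original article: a shell script that classifies `csrutil status` output so an admin can flag Macs where SIP was turned off and never re-enabled. The function names and the sample text (constructed, modelled on the outputs quoted on this page) are illustrative; skipping the "Apple Internal" line is an assumption of this example.

```bash
#!/bin/sh
# Added example: classify `csrutil status` output for a SIP compliance check.
# The SAMPLE_* strings are constructed, modelled on outputs quoted on this page.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled'

# Print one of: enabled | disabled | custom | unknown
sip_state() {
    sip_line=$(printf '%s\n' "$1" |
        sed -n 's/^System Integrity Protection status: *//p' | head -n 1)
    case "$sip_line" in
        # "enabled (Custom Configuration)" can still mean every protection
        # is off, so it must be tested before the plain "enabled" case.
        *"(Custom Configuration)"*) echo custom ;;
        enabled*)                   echo enabled ;;
        disabled*)                  echo disabled ;;
        *)                          echo unknown ;;
    esac
}

# List the individual protections reported as disabled, one per line.
# Assumption of this example: the "Apple Internal" line is skipped because
# it is treated as a separate flag rather than one of the protections.
sip_disabled_parts() {
    printf '%s\n' "$1" | sed -n \
        -e '/^System Integrity Protection status:/d' \
        -e '/Apple Internal:/d' \
        -e 's/^[[:space:]]*\([A-Za-z][A-Za-z ]*\): disabled\.\{0,1\}$/\1/p'
}

# Succeed only when SIP is fully enabled.
sip_compliant() {
    [ "$(sip_state "$1")" = "enabled" ]
}

# One-line summary suitable for a fleet inventory or login-time check.
sip_report() {
    sip_st=$(sip_state "$1")
    case "$sip_st" in
        enabled)  echo "OK: SIP enabled" ;;
        disabled) echo "FAIL: SIP disabled" ;;
        custom)
            sip_parts=$(sip_disabled_parts "$1" | paste -sd, -)
            echo "WARN: SIP custom configuration; disabled: ${sip_parts:-none}" ;;
        *)        echo "UNKNOWN: unrecognised csrutil output" ;;
    esac
}

# On a Mac, inspect the live setting; elsewhere fall back to the sample.
if command -v csrutil >/dev/null 2>&1; then
    sip_out=$(csrutil status 2>&1)
else
    sip_out=$SAMPLE_CUSTOM
fi
sip_report "$sip_out"
```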

How to Re-Enable Rootless System Integrity Protection in OS X

Simply reboot the Mac again into Recovery Mode as directed above, but at the command line use the following syntax instead:

csrutil enable

Just as before, a reboot of the Mac is required for changes to take effect.

As previously stated, the vast majority of Mac users should leave rootless enabled and embrace System Integrity Protection, as most OS X users have no business in the system level directories anyway. Adjusting this feature is really aimed at advanced Mac users, whether IT, sysadmins, network administrators, developers, tinkerers, security operations, and other related highly technical fields.

Posted by: Paul Horowitz in Command Line, Mac OS X, Security, Tips & Tricks



  1. 49ers says:

    I had to turn off SIP so that Homebrew would work properly in OS X after updating. I think any developer is going to want SIP turned off. It’s useful for the typical user, yes, but for those who know what they’re doing, it’s very a bit nanny-like.

    I suspect each subsequent OS X update will re-enable SIP, so be prepared to make this adjustment after any update, OS X 10.11.1, OS X 10.11.2, OS X 10.11.3, OS X 10.11.4, OS X 10.11.5, etc

    • ProbabilityMoon says:

      Homebrew works fine for me after updating. I just had to reinstall XCode console tools. SIP is enabled.

    • FLIR31207 says:

      sudo chown -R $(whoami):admin /usr/local
      should be enough to make homebrew work with SIP enabled

    • David Pennell says:

      Our VPN client was broken by this. After updating to Sierra, it wouldn’t load the .kexts in the Resource folder of the app. A pretty new version of the app, too. In the past I would have just turned off .kext signing check if it was breaking something we bought. Now I had to disable the csrutility vs. doing just sudo nvram boot-args= and just targeting kexts. This is like SELinux – making your security so unwieldy people want to turn it off is not more secure.

  2. Andrew says:

    I really hope this feature will expand more in the future. Rootless is very limited but useful, but I can imagine a lot of users including not so tech savvy ones disabling it for one or two apps. It needs something more flexible akin to how SELinux or RBAC works on Linux, complete with policies that can be deployed network-wide.

    For me as a developer, I have no problem going back to no rootless mode, as well as disabling other new security features. But I would not want people not so tech savvy to disable such features.

  3. vdiv says:

    Had to turn it off to get the Microsoft Intellipoint software to work, can’t live without that mouse back button.

    • Dick says:

      vdiv, did turning off System Integrity Protection get your Intellipoint working? Is it still working? I have done that and re-installed Intellipoint but I still can’t change the pointer speed, or get Intellipoint to work. Very frustrating.

      MacBook Pro Retina 15″ (mid-2014) 2.5 GHz Intel Core i7
      OS X 10.11.2
      Memory: 16 GB
      Graphics NVIDIA GeForce GT 750M 2048 MB
      Intellimouse Optical

  4. Alex says:

    Maybe a developer can answer this.

    If an app that worked in Yosemite, but doesn’t in EC and you turn off SIP, reinstall the app then reenable SIP, would it break the app again?

    • Winter says:

      Depends what the app is doing in the protected directories. Using Homebrew, for example, needs to have a user accessible /usr/local/ directory to run properly and install in /usr/local/bin/ etc

      • Sharmanshik says:

        No need to disable SIP for Homebrew, at least since one of latest, running homebrew pretty well, you can manage permissions on /usr/local with SIP enabled

      • Bryan says:

        The permissions on /usr/local/bin and /usr/local/share keep reverting to root:wheel on each reboot, and thus brew upgrades will fail until I change it back to $(whoami):admin.

        Are there permanent solutions to this other than disabling SIP or running sudo chown -R $(whoami):admin /usr/local after every reboot?

  5. PJALM says:

    Wow, I am a dev and I would never disable it. If an app requires it to be disabled then that app is not worth running to me.

    • Alex says:

      Correct me if I’m wrong on this thought, but I thought BOM files were written to a file in private/var and now is off limits or is my understanding totally messed up.

    • Flavors is just a simple “look and feel” app – it is VERY worth running to me and the ability to change the look and feel of the default OS is HUGE for one app I used daily for 4 months – with Flavors OFF, I cannot see if the 500 layers in the app are checked or not as the app chooses a very subtle color for the check boxes…

    • vistalite says:

      Effectively, a basic application with no particular need will work with SIP, but a lot of applications need to access all your computer. Root is already here to protect these files, and if there is a security problem with root, then fix it, but what Apple is doing is like putting a band-aid on a water leak, rather than repairing the pipe.
      And what will be the next update, no access to your filesystem like in iOS? By doing this, yeah, people cannot make any mistake but it’s only because they cannot do anything, and no one will know how it’s working, or will be free to do what application they want, change what they want.

    • Gustavo Costa says:

      Are TotalFinder, Aspesis and LiteIcon worthless running to you? A bigoted apologist fanboy.

  6. Pierre Merineau says:

    Would SIP prevent uTorrent to open?

  7. Leafsley says:


    How about figuring out how to get the Debug menu back in El Cap’s Disk Utility?

    • Paul says:

      Just realized the existing debug command doesn’t work for Disk Utility in 10.11+, will look into it, if you find something beforehand do send an email or tweet!

  8. I think developers need to reconfigure their apps to not use these protected directories. I work a lot with Casper, and I noted that with their latest update, they moved the JAMF process from /usr/sbin to usr/local. That proves that this can be done. Let’s make things better for the end user, not easier for the developer. I prefer to have more security instead of developers who don’t want to get with the program.

  9. Bert Visscher says:

    I found the word “featured” which should be “feature”.

  10. Inhab says:

    Does this procedure allow you to delete OS apps like FontBook or GameCenter? I could do it in previous OS, but in El Capitan it is not possible to change the privileges of these apps (from the ‘get info’ window) to be able to erase them.

    • Inhiba says:

      Yes, it does! Make sure you empty the trash bin before you enable the SIP again, otherwise the deleted apps remain in the bin and refuse to leave.

  11. Werner Tebelmann says:

    I just tried this on my iMac 27 inch running OS X 10.11
    (15A284). After “csrutil disable” I checked with “csrutil status” and got ‘System Integrity Protection status: enabled’

    However, after reboot, status showed ‘disabled’

    Any ideas?

    • som says:

      Yes, you need to reboot for change to take effect.

      But really, you should not disable this feature, it is going to help most users.

    • LBaily says:

      That’s what is supposed to happen. Exactly as stated in this article.

      Rule 1 if you don’t understand the cause and effect of what you are doing don’t do it….. So unless you have a specific reason to disable SIP then again as suggested in this article don’t do it….

  12. DG says:

    Ok, so.
    I understand that CSRUTIL is stored in the NVRAM and is persistent across reboots.
    If you install EL Cap and then decide to revert to an earlier OS, (even as far back as 10.7), does this setting cause any conflict?
    I know that the command has no ‘man’ entries.

  13. maddogpom says:

    Found this most useful :) as I hate iTunes and some other apps that Apple insist on installing. Once you have disabled csrutil you can delete the bloat. But recommend enabling csrutil after you have finished.

  14. Orlando says:

    SIP is yet another way for Apple to control what software you have installed, what you can do with your system. And the Apple apologist on this thread will swear by it.

    SIP has single-handedly ruined development for a lot of smaller developers. What a joke.

    • LA-TONIA says:

      Yes, Orlando. I found this to be true. None of my third party wireless adapter drivers (and some applications), are working anymore. SIP has gotta go! Protection is one thing, but forgetting your brand identity and implementing countless invasive features at the root level with each OS X upgrade, is mind boggling. #noSIP

      • David Pennell says:

        I agree completely. Again, the posture is “I don’t want your VPN to work. So, no VPN for you. I’ll say one of its libraries isn’t signed correctly.” “Fine, I’ll turn off your kext signing check until they catch up with your latest hoop.” “Nope, I fixed it so you can’t pick-and-choose. You either have all my rules, including those that break your computer and prevent you from doing your job, OR you get nothing!” “*Click*”

  15. Myron Gochnauer says:

    As an ordinary end-user I am happy with most changes to increase security, but it seems SIP permanently disables TotalFinder, a utility that makes Finder much more convenient for me. Rats!

  16. Paulo says:

    I have an audio interface, M-AUDIO OZONIC FIREWIRE. With SIP enabled it doesn’t work. When SIP is disabled… works fine…. Suggestions? Or is it OK to work with SIP disabled?

  17. Manulife says:

    I tried to disable SIP. This causes kernel panic after reboot.
    Any ideas about?

    • Photographer333 says:

      I had the same issue. When you see the text overlay for the kernel panic over the normal startup screen, take a picture of it. It has information about which kext file is causing it. Mine was caused by the kext file kudsnetgear.kext (Part of the Netgear Genie Application). I moved the kext file to the trash (Kept a backup elsewhere), restarted in recovery, disabled SIP, restarted, and it worked perfectly.

  18. Dj Mafia (DiGodFada) says:

    Yes this works 100% in fixing the problem. After I disabled it I was able to delete the file. Now the system is working fast again on battery and kernel_task is not taking up too much speed.

    try 12-10-2015 at 1:02 p.m Jamaica time.

    Thanks for this easy fix.

  19. Chris says:

    So… I disabled SIP as instructed in order to get a node.js script to work. It did not solve the issue and when I run csrutil status, I get the following message:

    System Integrity Protection status: enabled (Custom Configuration).

    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

    • David says:

      Same here – Are you also running OSX on a custom fusion drive?

      It seems one HAS to have the Recovery HD inside of the system drive. My Recovery HD is a part of the SSD but not included in the fusion drive. If I boot into the recovery and ask for the csrutil status it says it’s disabled but as soon as I boot up into the normal system it’s still enabled.

  20. Andrew says:


    I did as stated in the explanation, but I get:


    And cannot change in any way the SIP to disable it.

    Can anybody help me to solve it?

    If anybody wishes to know why I need to disable it, it is because Winclone cannot make my copied Windows on an external SSD disk bootable.

    • exan says:

      Hi Andrew,

      I have the same problem.

      Did you fix it ? If yes can you tell me how to fix it ?

      Thank you


    • Ronny Schenkels says:

      I encountered the same problem : command not found

      When checking the Recovery HD, the basesystem.dmg still is using OS X 10.10 (Yosemite), so that is why the csrutil command is not available.

      Now checking on how to ‘upgrade’ the Recovery HD basesystem.dmg to OS X 10.11 (El Capitan)

    • h says:

      Same problem here. Internet recovery mode and command not found (macbook).

    • Kon says:

      Did you use Command-Option-R or Command-R?
      I used the former and got the same COMMAND NOT FOUND problem.
      Then I tried the latter, the command was found and executed like normal :)

  21. Mkassis says:

    This works 100%
    Thank you very much :)

  22. K says:

    Just want to confirm that this is a positive fix with osx 10.11 and M-Audio/Ozonic and Native Instruments/Ableton Live … I am running a macbook Pro mid-2010 13″. Hope it works for you too! Wahoo! I thought I was completely screwed.

    • Fa says:

      I am having a huge problem with Ableton Live 9 on the just works if I disable the SIP or do I have to do another setup?
      I am fighting with El capitan

  23. Logic Pro MIDI Hub says:

    Just wanted to say that I managed to get my old Firewire 1814 working again, running OS 10.11.3 (Beta). At first I was a little disappointed that I couldn’t get the 1814’s Mixer to work but I found out that I get the same controls in Audio/MIDI Setup so it’s all good. I’ll continue using my 1814 until it is no longer functioning (which I hope will not be anytime in the not too distant future). It sucks that M-Audio discontinued support so soon for their Firewire devices.. I’ll never get why they did that especially since the devices are still functioning correctly.

  24. Rickson says:

    I have problem with my m- audio in Cubase 2626 8 My sound does not start ! Only when I change the sample rate and soon to go again! It is impossible to work! I need urgent help my studio is stopped ! HELP ME

    My Hackintosh Yosemite 10.10.5
    Firewire PCI texas instruments
    Core Q9550 2quad 2.83 8G DDR 2800 GTX 750ti 2048mb

    • ITN says:

      This is about disabling SIP rootless protection in OS X El Capitan, it has nothing to do with Cubase or Yosemite or using “Hackintosh” hardware that is not supported by Apple.

      Buy a Mac and ask Apple for help.

      In related unrelated news, I can’t believe the price of homes nowadays!

  25. DJmpb says:

    I can’t seem to to get csrutil to work. I boot into Recovery mode with command R. I run /Volumes/Macintosh\ /HD/usr/bin/csrutil and it says operation not supported. I see the file but I cannot run it.

  26. John says:

    Yes, those are worthless. The poster’s point, which I agree with as a multiple-OS user working in information security, is any app requiring this kind of privilege needs a real business justification, not look & feel garbage. You want running-lights and a wing, good for you. I want my stuff to work and I won’t run shoddy code written by lazy developers using workarounds to make something work, and likewise won’t run code written by good developers changing protected parts of my system. This is the same whether I’m running Windows, Linux or OS X.

    Aside from that, a developer writing and testing their code on a system with SIP disabled leaves the real possibility that they write their software such that it won’t run with SIP, which will affect 99% of their customers. That’s their choice of course, and yours to disable it as well, but there’s immense safety (and freedom to mess with everything else) when you leave protection technology like this in place. Again, in Windows, Linux and OS X alike.

  27. Pablo says:

    Hi! I have a problem, PT works fine but I can’t turn off my computer. Do you know what’s going on? How can I fix it?

  28. anonmouse says:

    Wanna tinker with your system?

    Why not just install parallels and run Gentoo and play and tinker with all the system files you like, for days on end and then compile and compile and compile for months nonstop?

    Can’t do without macs?

    Easy….install Gentoo Prefix on your mac… can compile, install and run the apps in the Gentoo repository on your mac.

    And you get to tinker in that prefix directory all you want too… is like having two operating system running on your mac natively at the same time!

  29. Tommy says:

    How can I temporarily disable SIP on a mac installed on 2 SSDs in a RAID1 Mirror? Meaning I have no recovery to boot into (not compatible with RAID os drives)…can i boot off a usb installer and run the command and hope it sticks?

    • John Sawyer says:

      I just tried this, on a Mid 2009 Macbook running 10.11.4. I booted the Macbook from a USB stick that contains the El Capitan installer, and from the Installer’s Utilities menu, I selected Terminal, entered the ‘csrutil disable’ command, and it worked fine–SIP was still off after I restarted the Macbook from its internal hard drive. So apparently the setting is stored in NVRAM (which is something to remember if you reset the NVRAM later).

  30. Jim says:

    My recommendation for step 3:

    csrutil disable && reboot

    By using “&&” instead of “;” the reboot command will only be executed if csrutil doesn’t throw an error. With “;” both commands will be executed no matter what. I’ve never actually had csrutil throw an error when executed without flags, but if it did I’d certainly want to catch it before committing to a reboot.

  31. Ian Oliver says:

    Thank you for the fine instructions. I’m a real novice, but I managed to get rid of a lot of clutter – I hope without too many problems.
    But I have two backups, just in case…

  32. S7ntax says:

    This needs to be disabled in order to run legacy drivers for my M-Audio firewire interface. OSX seems to be enabling it again on reboot so each time I want to use my interface I have to disable it again. M-Audio have not updated their driver for many versions of OSX so until I can get a newer interface this is my only option and it also runs with limited features. Otherwise I wouldn’t switch it off but I can’t live without the audio interface for now.

  33. Pulceblue says:

    Dear all,
    I’d like to temporarily disable SIP to let winclone restore a system image of my bootcamp partition. However, it seems that I’m not able to properly disable SIP.
    I indeed reboot in the recovery mode and run the command “csrutil disable”.
    I get the message that the SIP has been disabled and I need to reboot the machine for the changes to take effect.
    I then reboot the machine normally but the SIP is not disabled. Winclone does not let me recover my system image and if run in terminal the command “csrutil status” it says that SIP is enabled.
    Any idea how to solve this?

    • Ing Oing says:

      use sudo as a prefix

      “sudo csrutil disable”

      You may have FileVault enabled on the drive too, which would prevent a system image from being created.

      • Pulceblue says:

        Thanks for your reply. I don’t have FileVault on.
        Should I run the “sudo csrutil disable” when I am in the recovery mode?
        I’m not fully sure to get the logic of your suggestion, I have already created a system image of my bootcamp but I cannot restore it on a new drive because SIP is preventing it.

        • Ing Oing says:

          Yes using “sudo csrutil disable” from single user mode or recovery mode will disable SIP. The sudo prefix allows admin access.

          But I am puzzled by your dilemma, are you trying to restore a Mac drive from an image of another drive? That would wipe the initial drive clean and put the image on it instead, you could do that by formatting the target drive first and you won’t need to mess with SIP at all. Also if it is a Time Machine backup image, you can just restore it with Recovery mode directly.

          • Pulceblue says:

            I tried what you suggested but it didn’t work.
            The “sudo csrutil disable” command is not recognized in terminal in recovery mode.
            I know that the “csrutil disable” command works because I get the message that the SIP is disabled and that the system requires a restart for changes to take effect. My problem is that after restart the changes are lost and the SIP is again enabled.
            I want to upgrade my hard drive to SSD and transfer also my Win7 Bootcamp. By looking on the net I gathered that the easiest solution is using winclone. With this i can create a system image of the bootcamp but need to disable SIP to be able to copy it to the drive.

          • Ing Oing says:

            I am not sure that disabling SIP is going to help your install, and you shouldn’t need to alter System Integrity Protection to use Boot Camp or install Windows. I think you have a somewhat unique situation trying to clone Bootcamp partitions which I know from experience can be challenging, I’ve had to reinstall Windows in similar situations myself.

            Stepping away from SIP and csrutil commands, I think you will have a better result by doing the following:

            – Install the SSD as usual, and create and install Mac OS X on that drive (this will create Macintosh HD which could be a restored image, but you need to be sure you have the Recovery HD partition as well which comes with installing)

            – After Mac OS X is done installing on SSD, then create a new partition for Windows 7 Bootcamp as usual

            – Restore the Windows 7 bootcamp image to that new partition

            That should work, but it’s possible you would need to just go through the process of reinstalling Windows 7 on the Boot Camp side too.

            In other words, rather than messing with SIP, if you simply backup the Mac side, then separately backup the Windows side, and restore each separately, it should work. It’s not quite as simple as the image restore idea, but with a dual OS situation I think that may be the most reliable option.

  34. imacconvert says:

    Spare time for a new boy.
    I am unable to update Java and after deselecting Yahoo home page – Next nothing happens.
    Might be due to new iMac, new Apple update, TBH unsure.

    If I disable SIP and go ahead with Java install and update etc. Is it a case of enabling again?
    Any further updates and follow the same process?
    I seem to feel this may not be the way forward on getting Java, so asking for help … please.

  35. GreatJob says:

    This worked perfect for me. Thanks so much.

  36. FYI:

    We aren’t recommending disabling System Integrity Protection for long-term application workarounds, but for our environment and until we migrate to a new client management system we needed to disable it and we didn’t want to touch every computer to boot into the Recovery Partition and disable SIP. So, we found an automated method that we implemented on our 800+ computers that can be done programmatically or remotely.

    System Integrity Protection restricts file modifications to specific locations; it conflicts with our current management system. This is a great feature in OS X “El Capitan” that adds additional system protection, but in our environment it restricts areas of the file system that we manage with radmind, which runs as a tripwire to catch any suspicious files and replace them. SIP breaks our current management system and we needed to deploy “El Capitan” for our computer rollout. We decided to temporarily turn SIP off on all of our computers until we migrate over completely to JAMF’s Casper Suite.

    This post outlines the process of automatically disabling System Integrity Protection when upgrading to OS X El Capitan.

  37. Natalie says:

    Thank you. I was having trouble deleting old time machine backups manually. After installing MacOS 10.12 I actually got to the point where I had a partially deleted backup stuck in the trash can unable to delete and unable to put back. This is the kind of half ass feature that bugs the everlasting heck out of me. Disabling it allowed me to keep time machine going but to be able to delete the old backups I needed to.
