How to Enable System Integrity Protection in Mac OS

Aug 9, 2018 - 3 Comments

How to Enable SIP System Integrity Protection on Mac

Modern versions of Mac OS ship with System Integrity Protection (SIP) enabled by default, which aims to protect critical system folders by locking them down, and the vast majority of Mac users should always keep SIP enabled for that added protection. Nonetheless sometimes Mac users must disable SIP in Mac OS in order to modify something within a protected system directory for various reasons, and some may leave the feature off either intentionally or accidentally. All Mac users should have SIP enabled for the security benefits it offers, thus if you need to turn on the System Integrity Protection feature, you’re in the right place.

This tutorial will show you how to enable System Integrity Protection (SIP) in MacOS.


Note: unless you (or someone else) had previously turned off System Integrity Protection, then SIP is almost certainly enabled by default on your Mac. Specifically, SIP is enabled by default on macOS Mojave, High Sierra, MacOS Sierra, and Mac OS X El Capitan, and presumably in all future software versions as well. If you aren’t sure whether or not SIP is enabled or disabled on a particular Mac, you can check SIP status manually before beginning. There is obviously no point in trying to enable SIP if SIP is already enabled.

How to Enable SIP / System Integrity Protection on Mac

Enabling System Integrity Protection on a Mac requires rebooting the computer into Recovery Mode, here are the steps:

  1. Restart the Mac by going to the  Apple menu and choosing “Restart”
  2. Upon reboot, immediately hold down COMMAND + R keys concurrently and continue holding those keys until you see the  Apple logo and a little loading indicator to start booting into Recovery Mode
  3. At the “macOS Utilities” (or “OS X Utilities”) screen, pull down the “Utilities” menu and choose “Terminal”
  4. In the Terminal window, type the following command syntax at the command line prompt:
  5. csrutil enable; reboot

  6. Hit the return/enter key to execute the command to enable SIP and then reboot the Mac again

The Mac will now reboot as usual, starting back up with SIP enabled again.

Once MacOS boots up, SIP should be enabled. You can confirm this by checking the System Integrity Protection status via command line, or through the System Information tools. If it’s not enabled, you likely entered the syntax incorrectly or followed some other step wrong.

Note: if you want to enable SIP but not reboot immediately out of Recovery Mode, you can also just type:

csrutil enable

Just remember, the Mac must reboot before SIP is actually enabled again.

What does System Integrity Protection in MacOS do?

System Integrity Protection, or SIP, and sometimes called “rootless”, locks down several system level directories in Mac OS to prevent modification of important system files, components, apps, and resources, even if the user account has administrator or root access (thus the occasional ‘rootless’ reference). Thus, SIP aims to increase security and privacy on the Mac, and to prevent unauthorized or unintentional access or modification of critical system files and components.

The system directories that are protected and locked down by SIP in macOS include: /System/, /usr/ with the exception of /usr/local/, /sbin/, /bin/, and /Applications/ for apps that are preinstalled by default in macOS and necessary for the usage of the operating system including apps like Safari, Terminal, Console, Activity Monitor, Calendar, etc.

From a practical standpoint, SIP prevents users from accidentally deleting core system files, from deleting default applications, and from various apps or scripts from being able to install, modify, or delete things in places where they shouldn’t be. When SIP is enabled, those activities can not take place. However, any Mac user can disable SIP protection by using a similar method to what is described above, though that’s usually only necessary for advanced Mac users for very specific reasons.

So SIP should always be left enabled, but it’s not the only security feature the Mac has that should be used. Keeping the stricter default Gatekeeper settings in place, using strong passwords, avoiding sketchy software and sketchy websites, and using Filevault encryption are also all important security precautions to take on a Mac. And don’t forget to use Time Machine for regular backups as well!

Do you have have any tips, suggestions, or thoughts about System Integrity Protection for Macs? Share them with us!

.

Related articles:

Posted by: Paul Horowitz in Mac OS, Security, Tips & Tricks

3 Comments

» Comments RSS Feed

  1. Joe Specter says:

    If you are using a mounted image (Big Sur patch for older Macs) then terminal may open to bash without the FS loaded.

    In this case use “csrutil enable; reboot” not just “csrutil enable” then restart.

    Not sure why, but it didn’t like 2 steps and preferred the 1 liner in a few cases I have come across.

  2. Mark Heath says:

    SIP also prevents the running of dtrace, which is an essential system administration tool to debug faults in applications.

  3. Konigawa says:

    SIP should be enabled by default in all new Macs.

    And almost nobody should turn off SIP, it just opens them up to risks without any benefit

    The only people who should be messing with Mac SIP settings are sysadmins and super pro users.

    Keep SIP on and don’t turn it off! Trust me, it’s for your own good!

Leave a Reply

 

Shop on Amazon.com and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks

News

iPhone / iPad

Mac

Troubleshooting

Shop on Amazon to help support this site