How to Check if System Integrity Protection (SIP) is Enabled on Mac
System Integrity Protection (SIP) locks down certain Mac OS system folders to prevent modification, execution, and deletion of critical system-level files on the Mac, even with a root user account. While the SIP security feature is enabled by default on all modern Mac OS releases, there are various situations where you may need to confirm whether it is enabled or disabled on a particular Mac.
There are two ways to check System Integrity Protection status: by using the command line, and by using the System Information profiler tool.
This article shows both methods for determining whether System Integrity Protection / SIP is enabled or disabled on a Mac.
How to Check if System Integrity Protection is Enabled on Mac with Terminal
You can check any Mac for SIP protection by using the command line. This is particularly useful if you need to check SIP status remotely through ssh, for example.
- Launch the Terminal application in Mac OS; it’s located in the /Applications/Utilities/ directory
- Type the following into the command line, then hit return:
- You will see one of the following messages, indicating the status of SIP on that Mac:
  - If SIP is on – “System Integrity Protection status: enabled.”
  - If SIP is off – “System Integrity Protection status: disabled.”
If SIP is enabled, you likely want to keep it that way. Nonetheless, some advanced users may want to disable System Integrity Protection in Mac OS for various reasons. If SIP is disabled, you will likely want to turn it back on.
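The Terminal check above, scripted so it can run unattended or over ssh. This is an added example, not part of the original article: it runs `csrutil status` (the csrutil tool the article refers to), `sip_state` and `check_sip` are hypothetical helper names, and key-based ssh access to the remote Mac is assumed.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output for scripted SIP checks.
# sip_state and check_sip are hypothetical helper names, not part of macOS.

# Map status text (first argument) to: enabled | disabled | unknown.
# Only the two exact messages are accepted; any other wording, or empty
# output, is reported as "unknown" so the check fails closed.
sip_state() {
    case "${1:-}" in
        *"System Integrity Protection status: enabled."*)  echo enabled ;;
        *"System Integrity Protection status: disabled."*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# check_sip [host]
# With a host argument, query that Mac over ssh; without one, query the
# local machine. Exit status is 0 only when SIP is confirmed enabled.
check_sip() {
    host="${1:-}"
    if [ -n "$host" ]; then
        # BatchMode avoids hanging on a password prompt in unattended runs;
        # "--" stops a host name that starts with "-" being read as an option.
        out=$(ssh -o BatchMode=yes -- "$host" csrutil status 2>/dev/null) || out=""
    elif command -v csrutil >/dev/null 2>&1; then
        out=$(csrutil status 2>/dev/null) || out=""
    else
        # No csrutil: not a Mac, or a Mac OS version that predates SIP.
        out=""
    fi
    state=$(sip_state "$out")
    echo "${host:-localhost}: $state"
    [ "$state" = enabled ]
}
```

Call `check_sip` for the local Mac or `check_sip hostname` for a remote one; a non-zero exit status covers both a disabled result and a result that could not be read.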
How to Check SIP Status on a Mac from System Information
Mac users can also check if System Integrity Protection is enabled or disabled by referring to the System Information tool found in MacOS:
- Open the /Applications/ folder and then go to /Utilities/
- Open the “System Information” application (you can also get there by holding Option key and clicking the Apple menu to choose “System Information”)
- Scroll down the left side list and choose “Software”
- Look for “System Integrity Protection” on the right side, and check whether “Enabled” or “Disabled” appears alongside it
Again, if SIP is enabled, you almost certainly want to keep it that way. And if SIP is disabled, you likely want to turn it back on again to enjoy the protection that SIP offers.
What Folders Does SIP Protect in Mac OS?
In case you are wondering what directories and folders are protected by System Integrity Protection, the current list is as follows:
* /usr is protected with the exception of /usr/local subdirectory, which is often used by tools like Homebrew
** /Applications is protected for apps that are pre-installed with Mac OS (Calendar, Photos, Safari, Terminal, Console, App Store, Notes, etc)
(Note that most of those SIP protected system folders are hidden from user view by default, though if you use a trick to show hidden files in MacOS like a keystroke or defaults command, you will be able to see those otherwise hidden system directories from the Finder)
Those directories are protected from modification (adding, deleting, modifying, editing, moving, etc) from any administrator account and even root accounts, the latter of which is perhaps why SIP is sometimes called ‘rootless’. Only if System Integrity Protection is manually disabled can you have modification privileges of those directories, and disabling SIP requires an admin password and boot access to a Mac.
Aside from the security benefits offered by SIP, it also can prevent deletion of system files and system resources in Mac OS (whether intentional or accidental) since those critical files and folders do not have modification access while the feature is turned on. Again, don’t turn SIP off unless you have a really compelling reason to do so, and even then you’ll almost certainly want to quickly turn it back on again.
As previously mentioned, SIP is enabled by default on all modern Mac OS software releases. This includes macOS Mojave, macOS High Sierra, MacOS Sierra, and Mac OS X El Capitan, and it’s safe to assume all future Mac OS system software versions will have SIP enabled by default as well. If the version of Mac OS is older than what SIP supports, the feature will not be available, and neither will be the ability to check the status of SIP with the csrutil command, or the System Information method.
If you have any other methods of checking SIP status on a Mac, or any comments, thoughts, tips, tricks, or other noteworthy info about System Integrity Protection, share with us in the comments below!