How to Disable System Integrity Protection (rootless) in Mac OS X
Apple enabled a new default security feature called System Integrity Protection, often called rootless or SIP, in Mac OS X from version 10.11 (El Capitan) onward. SIP is aimed at preventing compromise of Mac OS X by malicious code, whether it is planted deliberately or run by accident. It does this by locking down specific system-level locations in the file system so that even the root user cannot modify them, and by preventing processes from attaching to (debugging or injecting code into) protected system-level processes; it also enforces signing of kernel extensions.
While System Integrity Protection is an effective security feature and the vast majority of Mac users should leave rootless enabled, some advanced Mac users may find it overly protective. If you are in that group of advanced users and do not want SIP enabled on your Mac OS X installation, here is how to turn the feature off.
What Directories Does SIP Protect?
Before getting started on disabling SIP, you may be wondering which directories SIP / rootless protects from modification. Currently, System Integrity Protection locks down the following system level directories in Mac OS X:
/System
/sbin
/bin
/usr (with the exception of the /usr/local subdirectory)
/Applications, for apps that are preinstalled with Mac OS X (Terminal, Safari, etc.)
Accordingly, rootless may cause some apps, utilities, and scripts that write to those locations to fail outright, even when run with sudo, as the enabled root user, or from an admin account: the restriction is enforced by the kernel and does not depend on the Unix user.
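The following added example is not from the original article. It offers two ways to check whether a path is SIP-protected: sip_prefix_match applies the directory list above (including the /usr/local exception) as a rule of thumb, and restricted_entries parses `ls -lO` output, the macOS long listing with BSD file flags, to print entries carrying the `restricted` flag, which is how SIP marks protected paths on disk. The flag check is the authoritative one; preinstalled apps in /Applications, for instance, are protected individually by that flag and so cannot be covered by a prefix rule. The listing embedded below is constructed to resemble `ls -lO /` on El Capitan; on a real Mac, pipe `ls -lO / /usr` into restricted_entries instead.

```shell
#!/bin/sh
# Added example (not part of the original article): two checks for whether a
# path is SIP-protected.
#  1. sip_prefix_match applies the directory list from the article (including
#     the /usr/local exception) to a path. It is only the article's rule of thumb.
#  2. restricted_entries parses `ls -lO` output and prints the entries carrying
#     the `restricted` file flag, which is how SIP marks protected paths on disk.
# The listing below is constructed to resemble `ls -lO /` on El Capitan.

SAMPLE_LISTING='total 45
drwxrwxr-x+ 83 root  admin  -            2822 Feb  1 12:00 Applications
drwxr-xr-x@ 34 root  wheel  restricted   1156 Feb  1 12:00 bin
drwxr-xr-x  62 root  wheel  restricted   2108 Feb  1 12:00 sbin
drwxr-xr-x@  4 root  wheel  restricted    136 Feb  1 12:00 System
drwxr-xr-x   5 root  admin  -             170 Feb  1 12:00 Users
drwxr-xr-x@ 11 root  wheel  restricted    374 Feb  1 12:00 usr'

# sip_prefix_match PATH: exit 0 if PATH falls under /System, /sbin, /bin or
# /usr, except anything under /usr/local. The most specific pattern is checked
# first so "/usr/local" wins over "/usr/*"; "/usr/local2" still matches "/usr/*".
sip_prefix_match() {
    case "$1" in
        /usr/local|/usr/local/*) return 1 ;;
        /System|/System/*|/sbin|/sbin/*|/bin|/bin/*|/usr|/usr/*) return 0 ;;
        *) return 1 ;;
    esac
}

# restricted_entries: read `ls -lO` output on stdin and print the name of each
# entry whose flags column (5th field) contains "restricted". Fields of a long
# listing are: mode links owner group flags size month day time name, so the
# "total" line is skipped and names containing spaces are not handled here.
restricted_entries() {
    awk 'NF >= 10 && $5 ~ /restricted/ { print $10 }'
}

# Stand-alone demo: list restricted entries, then test a few paths.
printf '%s\n' "$SAMPLE_LISTING" | restricted_entries
for p in /usr/bin/python /usr/local/bin/brew /Applications/Safari.app; do
    if sip_prefix_match "$p"; then
        echo "$p: protected prefix"
    else
        echo "$p: not in the prefix list (check the restricted flag instead)"
    fi
done
```

Because the prefix rule reports /Applications/Safari.app as "not in the list" while the flag check would show it restricted, the demo illustrates why the file flag, not the directory name, is what to trust when a script fails under SIP.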
Turning Off Rootless System Integrity Protection in Mac OS X
Again, the vast majority of Mac users should not disable rootless. Disabling it is aimed exclusively at advanced Mac users. Do so at your own risk; it is not specifically recommended.
- Reboot the Mac and hold down the Command + R keys simultaneously after you hear the startup chime; this boots Mac OS X into Recovery Mode
- When the “MacOS Utilities” / “OS X Utilities” screen appears, pull down the ‘Utilities’ menu at the top of the screen and choose “Terminal”
- Type the following command into the Terminal, then hit Return:
csrutil disable; reboot
- You’ll see a message saying that System Integrity Protection has been disabled and the Mac needs to restart for changes to take effect; the Mac will then reboot itself automatically, so just let it boot up as normal
You can also issue the command by itself, without the automatic reboot:
csrutil disable
If you want the reboot to happen only when csrutil reports success, join the two commands with && instead of ; (csrutil disable && reboot).
By the way, if you’re disabling rootless you may also want to disable Gatekeeper, though that is a separate setting and is not changed by csrutil.
If you plan on doing something else in the Terminal or the Mac OS Utilities screen, leave off the reboot at the end. And yes, in case you were wondering, this is the same Recovery Mode used to reinstall Mac OS X with Internet Recovery, with one caveat: csrutil only exists in the 10.11 or later Recovery system, so if you get “command not found”, you have booted an older Recovery image (several readers below report this with Command + Option + R Internet Recovery, or with a Recovery HD left over from Yosemite); boot with plain Command + R into the local 10.11 Recovery partition instead.
Once the Mac boots up again, System Integrity Protection will be disabled entirely in Mac OS X, allowing full access to the protected folders outlined above. The setting is stored in NVRAM rather than on the boot volume, so it survives normal reboots but is reset (back to enabled) if you reset the NVRAM.
Checking the Status of Rootless / System Integrity Protection in Mac OS X
If you want to know the status of rootless without rebooting into Recovery Mode, issue the following command in the Terminal from a normal boot (reading the status does not require Recovery; only changing it does):
csrutil status
You’ll see one of two messages, depending on whether SIP is enabled or disabled:
$ csrutil status
System Integrity Protection status: enabled.
or
$ csrutil status
System Integrity Protection status: disabled.
A third form, “enabled (Custom Configuration).” followed by a per-protection list, is reported when individual protections (Filesystem Protections, Kext Signing, Debugging Restrictions, and so on) have been switched off rather than SIP as a whole. Note that csrutil still labels that state “enabled”, so read the list rather than just the first word.
If at any time you wish to change the status of rootless, another reboot into Recovery Mode is required.
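The following added example is not from the original article. It shows how to interpret `csrutil status` output from a script rather than by eye, handling the plain “enabled.”/“disabled.” forms and the “enabled (Custom Configuration).” form with its per-protection list. The three status texts embedded below are constructed from the formats shown on this page (the custom one deliberately mixes enabled and disabled entries); on a real Mac, pipe the live `csrutil status` output into the functions instead.

```shell
#!/bin/sh
# Added example (not part of the original article): interpret `csrutil status`
# output. csrutil prints either a one-line "enabled." / "disabled." verdict or
# "enabled (Custom Configuration)." followed by a per-protection list. The three
# samples are constructed from the formats shown on this page.

STATUS_ENABLED='System Integrity Protection status: enabled.'
STATUS_DISABLED='System Integrity Protection status: disabled.'
STATUS_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled'

# sip_state: read csrutil output on stdin; print enabled, disabled, custom or
# unknown. "Custom Configuration" is tested before "enabled" because that
# line contains both words.
sip_state() {
    awk '
        /^System Integrity Protection status:/ {
            found = 1
            if ($0 ~ /Custom Configuration/) { print "custom" }
            else if ($0 ~ /: enabled/)      { print "enabled" }
            else if ($0 ~ /: disabled/)     { print "disabled" }
            else                            { print "unknown" }
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# sip_disabled_protections: print the name of every protection listed as
# "disabled" under "Configuration:"; prints nothing for the two plain forms.
sip_disabled_protections() {
    awk -F': ' '
        /^Configuration:/ { in_cfg = 1; next }
        in_cfg && NF == 2 && $2 == "disabled" {
            name = $1; sub(/^[ \t]+/, "", name); print name
        }
    '
}

# sip_filesystem_unprotected: exit 0 if writes to the protected directories
# would be allowed, i.e. SIP is fully disabled or the custom configuration has
# "Filesystem Protections" off. A custom configuration still says "enabled"
# on its first line, which is the case that trips people up.
sip_filesystem_unprotected() {
    sip_input=$(cat)
    case "$(printf '%s\n' "$sip_input" | sip_state)" in
        disabled) return 0 ;;
        custom) printf '%s\n' "$sip_input" | sip_disabled_protections | grep -qx 'Filesystem Protections' ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo over the three constructed samples.
for s in "$STATUS_ENABLED" "$STATUS_DISABLED" "$STATUS_CUSTOM"; do
    printf 'state=%s disabled=[%s]\n' "$(printf '%s\n' "$s" | sip_state)" \
        "$(printf '%s\n' "$s" | sip_disabled_protections | tr '\n' ',')"
done
```

In a deployment or audit script, sip_filesystem_unprotected is the question that usually matters (“can something write to /System on this machine?”), and it gives the right answer for a partially disabled configuration where a naive `grep enabled` would not.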
How to Re-Enable Rootless System Integrity Protection in Mac OS X
Simply reboot the Mac again into Recovery Mode as directed above, but at the command line use the following syntax instead:
csrutil enable
Just as before, a reboot of the Mac is required for changes to take effect.
As previously stated, the vast majority of Mac users should leave rootless enabled and embrace System Integrity Protection, as most Mac OS X users have no business in the system-level directories anyway. Adjusting this feature is really aimed at advanced Mac users, whether in IT, system administration, network administration, development, security operations, or other highly technical fields, or simply tinkerers.
Yes, thank you for your information! So far yesterday, 12/31/2018, I booted back into Sierra 10.12.6 from a Windows 10 drive restart. It was a hassle to get my main macOS to boot again. It took forever to come back to a desktop. Not everything was working right, including most of my drives in my 2010 5,1 cMP, which were not there. I was fearing the worst, that my CalDigit USB3/eSATA card had gone bad. But I also noticed BootRunner wasn’t working first; I am running an earlier 2.X version because it is more compatible (NOT SIP compatible) for Mavericks/Lion. After an hour of hassling I opened BootRunner’s Config App directly, finding that something in the repair boot had switched on the SIP enable. Wow, I did not realize that CalDigit hardware was not SIP compatible all this time. Guessing this is one of my many reasons not to use SIP.
Thank you for the clear explanation
I am sorry to say, I needed to do this to get a USB to serial device (RS232) to work.
Unless Apple provides support for legacy devices, the security is worthless, IMHO.
keywords: arduino prolific pl2303
Had to disable SIP to empty trash after deleting stalled time machine backup file from ext HD. The error message was driving me bonkers when trying to empty trash…
Re-enabled SIP after trash emptied and incomplete Time Machine backup file was gone… For ever!
Thanks for the tip!!
Thank you. I was having trouble deleting old Time Machine backups manually. After installing macOS 10.12 I actually got to the point where I had a partially deleted backup stuck in the trash can, unable to delete and unable to put back. This is the kind of half-assed feature that bugs the everlasting heck out of me. Disabling it allowed me to keep Time Machine going but be able to delete the old backups I needed to.
FYI:
We aren’t recommending disabling System Integrity Protection for long-term application workarounds, but for our environment, and until we migrate to a new client management system, we needed to disable it and we didn’t want to touch every computer to boot into the Recovery Partition and disable SIP. So, we found an automated method that we implemented on our 800+ computers that can be done programmatically or remotely.
System Integrity Protection restricts file modifications to specific locations, and it conflicts with our current management system. This is a great feature in OS X “El Capitan” that adds additional system protection, but in our environment it restricts areas of the file system that we manage with radmind, which runs as a tripwire to catch any suspicious files and replace them. SIP breaks our current management system and we needed to deploy “El Capitan” for our computer rollout. We decided to temporarily turn SIP off on all of our computers until we migrate over completely to JAMF’s Casper Suite.
This post outlines the process of automatically disabling System Integrity Protection when upgrading to OS X El Capitan.
https://apple.lib.utah.edu/?p=1444
This worked perfect for me. Thanks so much.
Guys,
Spare time for a new boy.
I am unable to update Java and after deselecting Yahoo home page – Next nothing happens.
Might be due to new iMac, new Apple update, TBH unsure.
If I disable SIP and go ahead with the Java install and update etc., is it a case of enabling it again?
Any further updates and follow the same process?
I seem to feel this may not be the way forward on getting Java, so asking for help … please.
Dear all,
I’d like to temporarily disable SIP to let winclone restore a system image of my bootcamp partition. However, it seems that I’m not able to properly disable SIP.
I indeed reboot in the recovery mode and run the command “csrutil disable”.
I get the message that the SIP has been disabled and I need to reboot the machine for the changes to take effect.
I then reboot the machine normally but the SIP is not disabled. Winclone does not let me recover my system image and if run in terminal the command “csrutil status” it says that SIP is enabled.
Any idea how to solve this?
use sudo as a prefix
“sudo csrutil disable”
You may have FileVault enabled on the drive too, which would prevent a system image from being created.
Hi,
thanks for your reply. I don’t have FileVault on.
Should i run the “sudo csrutil disable” when i am the recovery mode?
I’m not fully sure I get the logic of your suggestion. I have already created a system image of my Boot Camp but I cannot restore it on a new drive because SIP is preventing it.
Yes, using “sudo csrutil disable” from single user mode or recovery mode will disable SIP. The sudo prefix allows admin access.
But I am puzzled by your dilemma: are you trying to restore a Mac drive from an image of another drive? That would wipe the initial drive clean and put the image on it instead; you could do that by formatting the target drive first and you won’t need to mess with SIP at all. Also, if it is a Time Machine backup image, you can just restore it with Recovery mode directly.
Hi,
I tried what you suggested but it didn’t work.
The “sudo csrutil disable” command is not recognized in terminal in recovery mode.
I know that the “csrutil disable” command works because I get the message that the SIP is disabled and that the system requires a restart for changes to take effect. My problem is that after restart the changes are lost and the SIP is again enabled.
I want to upgrade my hard drive to SSD and transfer also my Win7 Bootcamp. By looking on the net I gathered that the easiest solution is using winclone. With this i can create a system image of the bootcamp but need to disable SIP to be able to copy it to the drive.
I am not sure that disabling SIP is going to help your install, and you shouldn’t need to alter System Integrity Protection to use Boot Camp or install Windows. I think you have a somewhat unique situation trying to clone Bootcamp partitions which I know from experience can be challenging, I’ve had to reinstall Windows in similar situations myself.
Stepping away from SIP and csrutil commands, I think you will have a better result by doing the following:
– Install the SSD as usual, and create and install Mac OS X on that drive (this will create Macintosh HD which could be a restored image, but you need to be sure you have the Recovery HD partition as well which comes with installing)
– After Mac OS X is done installing on SSD, then create a new partition for Windows 7 Bootcamp as usual
– Restore the Windows 7 bootcamp image to that new partition
That should work, but it’s possible you would need to just go through the process of reinstalling Windows 7 on the Boot Camp side too.
In other words, rather than messing with SIP, if you simply backup the Mac side, then separately backup the Windows side, and restore each separately, it should work. It’s not quite as simple as the image restore idea, but with a dual OS situation I think that may be the most reliable option.
This needs to be disabled in order to run legacy drivers for my M-Audio firewire interface. OSX seems to be enabling it again on reboot so each time I want to use my interface I have to disable it again. M-Audio have not updated their driver for many versions of OSX so until I can get a newer interface this is my only option and it also runs with limited features. Otherwise I wouldn’t switch it off but I can’t live without the audio interface for now.
Thank you for the fine instructions. I’m a real novice, but I managed to get rid of a lot of clutter – I hope without too many problems.
But I have two backups, just in case…
My recommendation for step 3:
csrutil disable && reboot
By using “&&” instead of “;” the reboot command will only be executed if csrutil doesn’t throw an error. With “;” both commands will be executed no matter what. I’ve never actually had csrutil throw an error when executed without flags, but if it did I’d certainly want to catch it before committing to a reboot.
How can I temporarily disable SIP on a mac installed on 2 SSDs in a RAID1 Mirror? Meaning I have no recovery to boot into (not compatible with RAID os drives)…can i boot off a usb installer and run the command and hope it sticks?
I just tried this, on a Mid 2009 Macbook running 10.11.4. I booted the Macbook from a USB stick that contains the El Capitan installer, and from the Installer’s Utilities menu, I selected Terminal, entered the ‘csrutil disable’ command, and it worked fine–SIP was still off after I restarted the Macbook from its internal hard drive. So apparently the setting is stored in NVRAM (which is something to remember if you reset the NVRAM later).
Wanna tinker with your system?
Why not just install parallels and run Gentoo and play and tinker with all the system files you like, for days on end and then compile and compile and compile for months nonstop?
Can’t do without macs?
Easy….install Gentoo Prefix on your mac…..it can compile, install and run the apps in the Gentoo repository on your mac.
And you get to tinker in that prefix directory all you want too…..it is like having two operating system running on your mac natively at the same time!
Hi! I have a problem, PT works fine but I can’t turn off my computer. Do you know what’s going on? How can I fix it?
Yes, those are worthless. The poster’s point, which I agree with as a multiple-OS user working in information security, is any app requiring this kind of privilege needs a real business justification, not look & feel garbage. You want running-lights and a wing, good for you. I want my stuff to work and I won’t run shoddy code written by lazy developers using workarounds to make something work, and likewise won’t run code written by good developers changing protected parts of my system. This is the same whether I’m running Windows, Linux or OS X.
Aside from that, a developer writing and testing their code on a system with SIP disabled leaves the real possibility that they write their software such that it won’t run with SIP, which will affect 99% of their customers. That’s their choice of course, and yours to disable it as well, but there’s immense safety (and freedom to mess with everything else) when you leave protection technology like this in place. Again, in Windows, Linux and OS X alike.
You loser, the reason these “workarounds” exist is because of the OS and the file system. Maybe if MacOS was not designed to be restrictive, one would not have to do this. SIP is called BS
I can’t seem to get csrutil to work. I boot into Recovery mode with Command-R. I run /Volumes/Macintosh\ HD/usr/bin/csrutil and it says operation not supported. I see the file but I cannot run it.
I have this very same issue. Jesus Apple!!!
I have a problem with my M-Audio in Cubase 2626 8. My sound does not start! Only when I change the sample rate does it go again! It is impossible to work! I need urgent help, my studio is stopped! HELP ME
My Hackintosh Yosemite 10.10.5
Firewire PCI texas instruments
Core Q9550 2quad 2.83 8G DDR 2800 GTX 750ti 2048mb
This is about disabling SIP rootless protection in OS X El Capitan, it has nothing to do with Cubase or Yosemite or using “Hackintosh” hardware that is not supported by Apple.
Buy a Mac and ask Apple for help.
In related unrelated news, I can’t believe the price of homes nowadays!
Just wanted to say that I managed to get my old Firewire 1814 working again, running OS 10.11.3 (Beta). At first I was a little disappointed that I couldn’t get the 1814’s Mixer to work but I found out that I get the same controls in Audio/MIDI Setup so it’s all good. I’ll continue using my 1814 until it is no longer functioning (which I hope will not be anytime in the not too distant future). It sucks that M-Audio discontinued support so soon for their Firewire devices.. I’ll never get why they did that especially since the devices are still functioning correctly.
Just want to confirm that this is a positive fix with osx 10.11 and M-Audio/Ozonic and Native Instruments/Ableton Live … I am running a macbook Pro mid-2010 13″. Hope it works for you too! Wahoo! I thought I was completely screwed.
I am having a huge problem with Ableton Live 9 on startup... it just works if I disable the SIP, or do I have to do another setup?
I am fighting with El Capitan.
This works 100%.
Thank you very much :)
Hi:
I did as stated in the explanation, but I get:
“COMMAND NOT FOUND”, why?
And cannot change in any way the SIP to disable it.
Can anybody help me to solve it?
If anybody wishes to know why I need to disable it, it is because Winclone cannot make my copied windows in a external SSD disk bootable.
Hi Andrew,
I have the same problem.
Did you fix it ? If yes can you tell me how to fix it ?
Thank you
Exan
I encountered the same problem: command not found.
When checking the Recovery HD, the BaseSystem.dmg is still using OS X 10.10 (Yosemite), so that is why the csrutil command is not available.
Now checking on how to ‘upgrade’ the Recovery HD BaseSystem.dmg to OS X 10.11 (El Capitan).
Same problem here. Internet recovery mode and command not found (macbook).
Did you use Command-Option-R or Command-R
I used the former and got the same COMMAND NOT FOUND problem.
Then I tried the latter, and the command was found and executed like normal :)
So… I disabled SIP as instructed in order to get a node.js script to work. It did not solve the issue and when I run csrutil status, I get the following message:
System Integrity Protection status: enabled (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled
Same here – Are you also running OSX on a custom fusion drive?
It seems one HAS to have the Recovery HD inside of the system drive. My Recovery HD is a part of the SSD but not included in the fusion drive. If I boot into the recovery and ask for the csrutil status it says it’s disabled but as soon as I boot up into the normal system it’s still enabled.
Yes, this works 100% in fixing the problem. After I disabled it I was able to delete the file. Now the system is working fast again on battery and kernel_task is not taking up too much speed.
Tried 12-10-2015 at 1:02 p.m. Jamaica time.
Thanks for this easy fix.
I tried to disable SIP. This causes a kernel panic after reboot.
Any ideas about?
I had the same issue. When you see the text overlay for the kernel panic over the normal startup screen, take a picture of it. It has information about which kext file is causing it. Mine was caused by the kext file kudsnetgear.kext (Part of the Netgear Genie Application). I moved the kext file to the trash (Kept a backup elsewhere), restarted in recovery, disabled SIP, restarted, and it worked perfectly.
I have an audio interface, M-AUDIO OZONIC FIREWIRE. With SIP enabled it doesn’t work. When SIP is disabled... works fine... Suggestions? Or is it ok to work with SIP disabled?
As an ordinary end-user I’m happy with most changes to increase security, but it seems SIP permanently disables TotalFinder, a utility that makes Finder much more convenient for me. Rats!
SIP is yet another way for Apple to control what software you have installed and what you can do with your system. And the Apple apologists on this thread will swear by it.
SIP has single-handedly ruined development for a lot of smaller developers. What a joke.
Yes, Orlando. I found this to be true. None of my third party wireless adapter drivers (and some applications), are working anymore. SIP has gotta go! Protection is one thing, but forgetting your brand identity and implementing countless invasive features at the root level with each OS X upgrade, is mind boggling. #noSIP
I agree completely. Again, the posture is “I don’t want your VPN to work. So, no VPN for you. I’ll say one of its libraries isn’t signed correctly.” “Fine, I’ll turn off your kext signing check until they catch up with your latest hoop.” “Nope, I fixed it so you can’t pick-and-choose. You either have all my rules, including those that break your computer and prevent you from doing your job, OR you get nothing!” “*Click*”
Found this most useful :) as I hate iTunes and some other apps that Apple insist on installing. Once you have disabled csrutil you can delete the bloat. But recommend enabling csrutil after you have finished.
Ok, so.
I understand that CSRUTIL is stored in the NVRAM and is persistent across reboots.
If you install El Cap and then decide to revert to an earlier OS (even as far back as 10.7), does this setting cause any conflict?
I know that the command has no ‘man’ entries.
I just tried this on my iMac 27 inch running OS X 10.11
(15A284). After “csrutil disable” I checked with “csrutil status” and got ‘System Integrity Protection status: enabled’
However, after reboot, status showed ‘disabled’
Any ideas?
Yes, you need to reboot for change to take effect.
But really, you should not disable this feature, it is going to help most users.
That’s what is supposed to happen. Exactly as stated in this article.
Rule 1 if you don’t understand the cause and effect of what you are doing don’t do it….. So unless you have a specific reason to disable SIP then again as suggested in this article don’t do it….
Does this procedure allow you to delete OS apps like Font Book or Game Center? I could do it in previous OS versions, but in El Capitan it is not possible to change the privileges of these apps (from the ‘Get Info’ window) to be able to erase them.
Yes, it does! Make sure you empty the trash bin before you enable the SIP again, otherwise the deleted apps remain in the bin and refuse to leave.
I found the word “featured” which should be “feature”.
I think developers need to reconfigure their apps to not use these protected directories. I work a lot with Casper, and I noted that with their latest update, they moved the JAMF process from /usr/sbin to /usr/local. That proves that this can be done. Let’s make things better for the end user, not easier for the developer. I prefer to have more security instead of developers who don’t want to get with the program.
Ignorant fool. There are very legitimate reasons to use these directories.
Paul,
How about figuring out how to get the Debug menu back in El Cap’s Disk Utility?
Just realized the existing debug command doesn’t work for Disk Utility in 10.11+, will look into it, if you find something beforehand do send and email or tweet!
Would SIP prevent uTorrent to open?
no
Wow, I am a dev and I would never disable it. If an app requires it to be disabled then that app is not worth running to me.
Correct me if I’m wrong on this thought, but I thought BOM files were written to a file in /private/var and now that is off limits, or is my understanding totally messed up?
Flavors is just a simple “look and feel” app – it is VERY worth running to me and the ability to change the look and feel of the default OS is HUGE for one app I used daily for 4 months – with Flavors OFF, I cannot see if the 500 layers in the app are checked or not as the app chooses a very subtle color for the check boxes…
Did you ever get Flavors working after making this modification?
Effectively, basic applications with no particular needs will work with SIP, but a lot of applications need to access your whole computer. Root is already here to protect these files, and if there is a security problem with root, then fix it, but what Apple is doing is like putting a band-aid on a water leak rather than repairing the pipe.
And what will be the next update, no access to your filesystem like in ios? By doing this, yeah people can not make any mistake but it’s only because they can not do anything, and no one will know how it’s working, or will be free to do what application they want, change what they want.
It is part of security best practice to use mandatory access controls, and security in depth.
There have been numerous flaws which allow privilege escalation over the life of Unix. This is another barrier in the way.
We must realise that the vast majority of users are regular consumers and will not be affected negatively in any way by this, the few who might need to disable this feature will have the technical capacity to do so.
Are TotalFinder, Aspesis and LiteIcon worthless running to you? A bigoted apologist fanboy.
PJLAM you obviously lack imagination (If I was lord vader, I would have you dead by the hour lol.)
Have you considered the app is MODIFYING SYSTEM FILES because THAT’S WHAT THE APP NEEDS TO DO?
Apple like the crap they are, put all their OS files in these protected directories. Unlike windows, where themes can be put in relatively freely, apple themes require modification of system files. So for an app like say flavours or any other legitimate theming utility this is detrimental.
Maybe a developer can answer this.
If an app that worked in Yosemite, but doesn’t in EC and you turn off SIP, reinstall the app then reenable SIP, would it break the app again?
Depends what the app is doing in the protected directories. Using Homebrew, for example, needs to have a user accessible /usr/local/ directory to run properly and install in /usr/local/bin/ etc
No need to disable SIP for Homebrew, at least since one of latest, running homebrew pretty well, you can manage permissions on /usr/local with SIP enabled
The permissions on /usr/local/bin and /usr/local/share keep reverting to root:wheel on each reboot, and thus brew upgrades will fail until I change it back to $(whoami):admin.
Are there permanent solutions to this other than disabling SIP or running sudo chown -R $(whoami):admin /usr/local after every reboot?
Had to turn it off to get the Microsoft Intellipoint software to work, can’t live without that mouse back button.
vdiv, did turning off System Integrity Protection get your Intellipoint working? Is it still working? I have done that and re-installed Intellipoint but I still can’t change the pointer speed, or get Intellipoint to work. Very frustrating.
MacBook Pro Retina 15″ (mid-2014) 2.5 GHz Intel Core i7
OS X 10.11.2
Memory: 16 GB
Graphics NVIDIA GeForce GT 750M 2048 MB
Intellimouse Optical
I really hope this feature will expand more in the future. Rootless is very limited but useful, but I can imagine a lot of users including not so tech savvy ones disabling it for one or two apps. It needs something more flexible akin to how SELinux or RBAC works on Linux, complete with policies that can be deployed network-wide.
For me as a developer, I have no problem going back to no rootless mode, as well as disabling other new security features. But I would not want people not so tech savvy to disable such features.
I had to turn off SIP so that Homebrew would work properly in OS X after updating. I think any developer is going to want SIP turned off. It’s useful for the typical user, yes, but for those who know what they’re doing, it’s a bit nanny-like.
I suspect each subsequent OS X update will re-enable SIP, so be prepared to make this adjustment after any update, OS X 10.11.1, OS X 10.11.2, OS X 10.11.3, OS X 10.11.4, OS X 10.11.5, etc
Homebrew works fine for me after updating. I just had to reinstall XCode console tools. SIP is enabled.
sudo chown -R $(whoami):admin /usr/local
should be enough to make homebrew work with SIP enabled
Disable rootless from the command line with this too, I think:
sudo nvram boot-args="rootless=0"
If anyone can confirm
This does not work, it was possible early on but Apple removed these flags from release versions.
Our VPN client was broken by this. After updating to Sierra, it wouldn’t load the .kexts in the Resources folder of the app. A pretty new version of the app, too. In the past I would have just turned off the .kext signing check if it was breaking something we bought. Now I had to disable the csrutility vs. doing just sudo nvram boot-args= and just targeting kexts. This is like SELinux: making your security so unwieldy people want to turn it off is not more secure.