Enabling and Disabling SIP in MacOS

SIP stands for System Integrity Protection. It is a feature in MacOS that enhances the security of the operating system. It was first implemented in 2015 with the release of El Capitan which is the name for Mac OS X 10.11. Intended to prevent malware and other viruses from gaining access to the system files and other critical areas of the operating system, SIP places limitations on the root user account and limits its access to and control over the OS. A root user account is a master account of sorts that has complete read/write access over every file and folder on the system. With SIP enabled, even the root account has many restrictions. Apps that are installed by default with the OS in the Applications folder cannot be modified, files and folders in the “var”, “bin” and “system” directories are protected, third party apps are no longer allowed to change the startup disk and much more. SIP ensures that only apps and processes that are digitally signed by Apple with special permissions will be able to make changes to these elements of the OS. This way, Apple software updates and critical OS updates can still be installed without problems.

SIP does not interfere with any general user operations, software installation, web browsing, etc. So if you are just doing your usual computer stuff there is no need to tamper with it. It is best left enabled to be honest. But if you know what you are doing and you run into a crippling security problem that is prevented you from doing some advanced operations you may need to turn it off. Maybe you are writing code or developing software in the MacOS environment and need control over some critical files or folders. Maybe you want to attempt to remove or mod a certain app that is protected. You may be modifying your EFI partition, making changes to the boot sequence, trying to bless OpenCore, etc. SIP will need to be disabled for all such tasks and more. So let’s get to it.

To check whether SIP is enabled or not…

1: Open a terminal window.

The Terminal app can be found inside the “Utilities” folder, which is inside the Applications folder.

/Applications/Utilities/Terminal.app

4. In the Terminal window, type csrutil statusand press ENTER.

The terminal will respond with “System Integrity Protection Status”, showing either “enabled” or “disabled”, which is self-explanatory.

You cannot change the SIP status from inside the regular MacOS environment. You must follow the steps below.

1: Boot to your recovery partition.

2: Select your language.

3: Click ‘Utilities’ in the top bar and select ‘Terminal’.

4. Type csrutil disableand press ENTER.

A message will appear: “Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect”.

5: Type reboot and press ENTER.

6: Let MacOS boot normally and confirm the SIP state using the CHECK SIP STATUS guide above.

You cannot change the SIP status from inside the regular MacOS environment. You must follow the steps below.

1: Boot to your recovery partition.

2: Select your language.

3: Click ‘Utilities’ in the top bar and select ‘Terminal’.

4. Type csrutil enableand press ENTER.

A message will appear: “Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect”.

5: Type reboot and press ENTER.

6: Let MacOS boot normally and confirm the SIP state using the CHECK SIP STATUS guide above.