How to disable OS X El Capitan’s System Integrity Protection

“Apple has included a new security feature in OS X ‘El Capitan’ to aid in maintaining system security,” Jesus Vigo writes for TechRepublic. “Dubbed System Integrity Protection (SIP), this technology minimizes the possibility of malware or known vulnerabilities from compromising a system due to unrestricted root access.”

“The concept is sometimes referred to as ‘rootless’ by preventing changes, even though the user who is logged in may have root privileges on the device,” Vigo writes. “This mitigates security threats, for example, by preventing the installation of malware to a protected directory or denying unauthorized user access to modify a system file.”

“Why would you ever want to disable this? Well, it doesn’t affect the majority of OS X users — including power users — but the technology may disallow the installation of a particular update or software application that has been flagged as a false positive,” Vigo writes. “It is in these specific, yet rare instances that SIP could be disabled temporarily to allow for the process to proceed.”

Read more in the full article here.

MacDailyNews Take: Almost nobody will need this, so leave SIP alone unless you understand exactly why you want to temporarily disable it.

31 Comments

  1. It’s kind of scary that the protection can be disabled from the Recovery disk. If I recall, no passwords are needed for that, unless FileVault is enabled? That just gives me more weight to using FileVault on all systems.

    1. Well if someone has physical access to your Mac you have much bigger problems than disabled SIP to worry about…

      Furthermore it’s important to have a way to disable SIP if necessary and to my knowledge placing it in Recovery mode is much safer than if SIP could be disabled while booted into OS X.

    1. My laptop bag sets off that stupid alarm in my car… I can temp disable it in my truck, but not the car. Have to connect the seat belt behind the bag.

      While disabling stuff like this is NOT for everyone, there are valid reasons for *some*.

      But odds are 99% will not need to, ever.

  2. No one should disable this. If you have software that won’t work, tell the developer to get off their ass and update. They obviously don’t want you as a customer if they refuse to do so. FYI to everyone who decides to disable SIP, resetting the NVRAM will turn SIP back on. The setting is stored in NVRAM. To keep people from disabling it, you can use a firmware password.

    1. …BOOT CHAMP

      The excellent little bit of software called Boot Champ that enables your Mac OSX to boot straight into Windows Boot Camp does not work, and will never work with SIP, no matter how much they want it to work and everyone to be a customer.

      The only way it could work is for Apple to add exceptions lists to SIP. And they are not going to do that.

            1. Often software requires access to areas blocked by SIP. For instance CDock relies on SIMBL, as do many other pieces of software. SIMBL doesn’t seem to be compatible with SIP and until it is made compatible or an alternative is developed, any software that depends on SIMBL needs to be installed with SIP disabled. After installation SIP can be reenabled and the software will run fine.

              Personally I feel that Apple is locking down the OS too tightly without allowing easy access to legitimate benign software. They went too far too fast to allow developers to react. Software that I’ve counted on for years, i.e. Menu Meters was rendered inoperable by the introduction of SIP and I preferred to stay with Yosemite than do without some of my favorite utilities (and other reasons not related to SIP). I like the idea of SIP but feel that Apple was too heavy-handed in its implementation. If Apple keeps going in this direction, we may start losing the ability of any software not purchased from the Mac App Store. I refuse to live in that world and will switch to Windows if that’s their ultimate goal.

              10.11 is not ready for prime time and I’d rather stick with Yosemite, which I already think is a downgrade from Mavericks.

            2. Bottom line. I care more about security than someone’s pet project UI mod. Period. If it’s that important to you, then live with less security. Just keep in mind that SIP will likely be re-enabled after every software update. And if you reset NVRAM, it will be turned back on. I don’t think Apple was too heavy handed at all. Don’t like it? Don’t upgrade to El Capitan.

  3. I like how the author doesn’t give examples of needing this. To those who said they’ve needed to, get in touch with the manufacturers and ask about this. You may need to find another solution, because this isn’t going to go away.

  4. “the technology may disallow the installation of a particular update or software application that has been flagged as a false positive”

    No, not exactly. The bigger problem is applications that have not been updated to fit within Apple’s allowed feature set (limiting or killing off system access) or have not been fitted with a proper security certificate approved by Apple.

    IOW: Many applications that worked in Mavericks and/or Yosemite are now broken, UNLESS you turn off System Integrity Protection.

    I’m going to dare to say that: At this point in time, it is not a big deal to turn off System Integrity Protection. There isn’t anything out-in-the-wild (that I personally know of) that’s going to PWN your Mac if this is off, as long as you:
    – NEVER install WAREZ software
    – ALWAYS verify the integrity of software you download and install.
    – Only download from Apple, the Mac App Store or directly from a verified trustworthy developer or vendor.
    – NEVER use off-site download mirrors (which frequently infect installers with adware, ad nauseam).
    – STAY AWAY from known adware/malware infesting software download websites. That includes the likes of C|NET’s Download.com, which is a hell hole of adware.

    IOW: The usual safe user practices.

    AND as ever: Always make regular full backups of your Mac. Time Machine plus an encrypted cloud backup qualify. Making a backup is the #1 Rule of Computing & Computer Security. If you don’t back up, you get what you deserve, which is eventually going to be hell. Sorry, but that’s the way it is.
