System Integrity Protection, or SIP, is one of the new features of macOS El Capitan that is designed to protect the integrity of the system. This article explains what it is and why it needs to be disabled.
What is SIP
In OS X, as in any Unix-like OS, ordinary users have limited rights to modify system files. Nevertheless, most of us use the administrator account as our main account, so anyone who knows the root password can do a lot of damage. With the release of OS X El Capitan, Apple tightened the security policy even more, and now, even with full access, users (and applications acting on their behalf) cannot modify system files and settings.
In other words, SIP is an equivalent of a sandbox. Third-party applications cannot interfere with the system or change protected files on disk and in memory. Only Apple applications and Software Update installers, which carry the appropriate signature, have such rights.
Why turn it off
Since this is such a cool thing that protects the security of the system and cares about the welfare of users, why turn it off, you ask. In theory that is all true, but there is one “but”.
Due to SIP, some third-party applications and utilities lose some of their functionality, or even stop working altogether. This is not about applications from the Mac App Store, everything will be fine with them, but about programs that are distributed outside it because of the limitations of the Apple app store. As an example, I will give the Bartender and iStat Menus utilities, which are popular among Mac users. Both work incorrectly because it is impossible to reorder system icons in the menu bar.
Some developers rewrote the code of their programs so that they can work in OS X El Capitan with SIP, for example the Trim Enabler application, which enables TRIM support on third-party SSDs, as well as the backup tools SuperDuper! and Carbon Copy Cloner. However, there are applications that still do not work due to System Integrity Protection. If you encounter this problem, there is a solution: SIP can be disabled.
How to disable
SIP can be disabled only from recovery mode (otherwise, what would be the point of such protection if it could be switched off from the running system?). That is, we have to reboot, get access to the “Terminal” and enter the command that turns it off. It is done this way.
Turn off the Mac and, while turning it back on, hold down the ⌘R (Command-R) keys.
After loading we get to the recovery menu. Open the “Utilities” section and launch the “Terminal”.
It remains to enter one small command, but you will have to type it manually, so be careful:
csrutil disable
Reboot the Mac via the menu to make the settings take effect.
That’s all. If any of the applications did not work for you, it will work immediately after the reboot. For example, my Bartender could not hide the icons of Spotlight and the Notification Center; after disabling SIP, they immediately disappeared from the menu bar.
For those who are concerned about Mac security, there is good news. SIP does not have to be turned off permanently: you can simply disable it, restart the non-working applications and enable protection again. To do this, we also boot into recovery mode and enter the following command into the Terminal:
After I turn SIP back on, iStat Menus and Bartender work fine for me. It is possible, however, that when changing settings in other applications, the off/on procedure will have to be repeated.
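An added example, not part of the original article: after protection is re-enabled with `csrutil enable` from recovery mode, a check like this classifies the output of `csrutil status` so a script can confirm that SIP is fully back on. The function names `sip_state` and `sip_ok` are hypothetical, and the status wording the parser expects is an assumption based on the tool's usual output.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output for a post-change check.
# The expected wording ("System Integrity Protection status: ...") is an
# assumption about the tool's output; adjust the patterns if yours differs.

# sip_state: read `csrutil status` text on stdin and print one word:
#   enabled  - protection fully on
#   disabled - protection fully off
#   custom   - on, but with one or more individual protections switched off
#   unknown  - output not recognised (treat as a failure, never as a pass)
sip_state() {
    awk '
        /^System Integrity Protection status:/ {
            seen = 1
            if ($0 ~ /Custom Configuration/)   custom = 1
            else if ($0 ~ /status: enabled/)   state = "enabled"
            else if ($0 ~ /status: disabled/)  state = "disabled"
        }
        # Indented per-protection lines only appear in a custom configuration.
        /^[ \t]+[A-Za-z ]+: disabled/ { custom = 1 }
        END {
            if (!seen)        print "unknown"
            else if (custom)  print "custom"
            else if (state)   print state
            else              print "unknown"
        }'
}

# sip_ok: exit status 0 only when SIP is fully enabled.
sip_ok() {
    [ "$(sip_state)" = "enabled" ]
}

# On a Mac, report the live state; on other systems this part is skipped.
if command -v csrutil >/dev/null 2>&1; then
    state=$(csrutil status 2>/dev/null | sip_state)
    echo "SIP state: $state"
    [ "$state" = "enabled" ] || \
        echo "SIP is not fully enabled; re-enable it from recovery mode" >&2
fi
```

Treating `custom` and `unknown` as failures keeps a partially disabled or unparseable state from passing as protected.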