How to modify System Integrity Protection in El Capitan

In case you have software hindered by it.

El Capitan ships with a new OS X feature: System Integrity Protection (SIP), also known as “rootless” mode. This reduces the attack surface for malware that relies on modifying system files by preventing any user, whether with system administrator (“root”) privileges or not from modifying a number of operating system directories and files.

It doesn’t eliminate the possibility of malware or folks finding a way to subvert this mode, but it does increase the difficulty of finding a hole to penetrate. All such changes discourage those who hack for profit or destruction, because the more time it takes and the less likely successful, the more often they turn to other operating systems and targets.

However, a few system-modifying and system-extending software programs can’t work properly under SIP, as I discussed back in July in covering this feature and a simple workaround available in the public betas. The golden master (final release candidate) and shipping version of El Capitan have a minor change that make it harder, but not impossible, to turn SIP off.

Early reports of problems with rootless mode seemed to indicate that a wider set of software might be unable to work with the restriction enabled, such as SuperDuper! from Shirt Pocket Software. However, Apple made changes during beta testing that resolved concerns with that app and others. (Shirt Pocket had to update SuperDuper! to deal with the omission of an open-source program, which breaks scheduled updates; those have to be re-created in the El Capitan-compatible release.)

At the moment, only a few widely used utilities won’t work with SIP enabled:

  • Default Folder 4.7 from St. Clair Software. However, developer is hard at work on version 5, which won’t need to bypass SIP. It’s expected out as early as the end of October, and is free to new purchasers of 4.7 from this point on.

  • BinaryAge will discontinue new development on its TotalFinder software that enhances the Finder, which will have some features missing. It will keep supporting TotalSpace2, a desktop spaces manager, but that app will require disabling SIP to function.

Rogue Amoeba has opted to discontinue Intermission, which it says wasn’t one of its big sellers, as it is incompatible with SIP, and incorporated its functionality into Audio Hijack.

There were previously concerns about a few utilities that have been resolved:

  • Surtees Studio’s Bartender 1.3—a menu bar app organizer—could work with SIP using a round-trip to Recovery with two restarts (disable, install, enable), but the developers were able to finish Bartender 2.0 in time for El Capitan’s release. The new version is fully compliant within SIP.

  • Disk Sensei 1.2 and Trim Enabler 3.1 from Cindori now work without rootless turned off; earlier versions did not.

  • Both SuperDuper! and Carbon Copy Cloner work with SIP enabled.

Disabling rootless mode in El Capitan beta required just selecting a menu item after booting into the Recovery disk. Now, it’s slightly more involved with El Capitan.

Warning: The point of SIP is to prevent malware and other unwanted modifications into system files. Consider whether or not you want to dispense with this protection.

For the following to work, you must have a proper and up to date Recovery partition on your boot drive. While that should be a given, it’s possible to clone a startup volume without Recovery installed.

rootless launch recovery terminal

From the Utilities menu in Recovery select Terminal.

rootless terminal command recovery

Use the Terminal in Recovery to enter the SIP-disabling command.

Follow these steps to disable SIP:

  1. Restart your Mac.
  2. Before OS X starts up, hold down Command-R and keep it held down until you see an Apple icon and a progress bar. Release. This boots you into Recovery.
  3. From the Utilities menu, select Terminal.
  4. At the prompt type exactly the following and then press Return: csrutil disable
  5. Terminal should display a message that SIP was disabled.
  6. From the  menu, select Restart.

You can re-enable SIP by following the above steps, but using csrutil enable instead.

Join the CSO newsletter!

Error: Please check your email address.

Tags OS X El Capitansecuritymalware

More about AppleBartenderPocket Software

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts