Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Can not disable SIP on my new Mac mini M1
- Thread starter vwlinkan
- Start date
- Sort by reaction score
To answer DimaVR: Just that was impossible to do, only got error messages. But now the problem i solved by my Service Provider. But Apple did not want to pay for it:
"Restore via Apple Confugurator 2. Provides both new firmware and OS.
Software defects that are not included in Apple's warranty commitment but feels unreasonable to charge for when it's a new computer so we offer it (we do not receive any compensation from Apple)."
Now I "only" have to wait for Xtrafinder to be ready for M1 Macs
"Restore via Apple Confugurator 2. Provides both new firmware and OS.
Software defects that are not included in Apple's warranty commitment but feels unreasonable to charge for when it's a new computer so we offer it (we do not receive any compensation from Apple)."
Now I "only" have to wait for Xtrafinder to be ready for M1 Macs
That’s on you man, if you didn’t know that you needed latest Mac OS 11.2 RC atleast to try this and set to less secure boot and you had to pay or bring to a shop that’s on you. No skill set thanTo answer DimaVR: Just that was impossible to do, only got error messages. But now the problem i solved by my Service Provider. But Apple did not want to pay for it:
"Restore via Apple Confugurator 2. Provides both new firmware and OS.
Software defects that are not included in Apple's warranty commitment but feels unreasonable to charge for when it's a new computer so we offer it (we do not receive any compensation from Apple)."
Now I "only" have to wait for Xtrafinder to be ready for M1 Macs
If the point of disabling SIP is to modify System files on M1 - unfortunatelly its lot more difficult than that and involves disabling SSR.
Check this article (and comments)
eclecticlight.co
Check this article (and comments)
Big Sur’s Signed System Volume: added security protection
From SIP to a protected read-only System volume, macOS 11 takes system protection a big step further with cryptographic verification.
eclecticlight.co
How does xtrafinder injects its payload into the finder? If it’s via scripting additions (which is how TotalFinder works) disabling SIP won’t fix the issue.
The totalfinder dev talks about the issue in this support thread.
The totalfinder dev talks about the issue in this support thread.
Yes and no, they have the features and cores that were in the T2 chip built directly into the SOC now. The secure enclave is now built-in.
I am having the same issue(s) you’ve described here. I utilized all of the same
Methods. When I attempt to change the boot security to reduced I get the same error (I think bc I speak English). I tried csrutil clear reboot, nothing. I tried csrutil enable, all good with that then status then csrutil disable again same thing failed to create local policy. What does that message even mean? People seem
Not to be attempting to help resolve the problem and are indicating youre doing something wrong. I don’t think you are. Sadly I’m only trying to do this so I can get a game pad configuration updated on steam so I can use my PS4 controller to play games on steam. Always states the update for this failed. It states on various forums to disable SIP and I end up with all of this. I’m not this technologically savvy and I don’t want to accidentally break my Mac lol
The most likely cause of this issue is that recoveryOS is not entered in an expected way for BootPolicy to detect that recoveryOS as "true" (1TR in short).
Please ensure that you enter recoveryOS as follows:
- shutdown the machine normally
- press and hold the power button until you see "Loading startup options". Make sure not to release the power button prematurely, nor press and release it several times, do it all in one press and hold.
- click "Options" and "Continue" to enter recoveryOS.
There are several ways to determine if your recoveryOS is 1TR:
- starting with 11.3 betas, open Terminal and run "bputil -d", it will show the current OS environment. The expected one is "one true recoveryOS", if you see "ordinary recoveryOS", you are not in 1TR.
- in any version, open Terminal and run "bputil -k" (this will attempt to enable support for 3rd-party kexts). If the command fails with error 11 (AP boot mode), you are not in 1TR.
- Try enabling user-controlled 3rd-party kexts (requires Reduced Security mode) using Startup Security Utility. If an attempt to enable it fails with error 11, you are not in 1TR.
Once you determine that you indeed are in 1TR, "csrutil disable" should work as expected.
Please ensure that you enter recoveryOS as follows:
- shutdown the machine normally
- press and hold the power button until you see "Loading startup options". Make sure not to release the power button prematurely, nor press and release it several times, do it all in one press and hold.
- click "Options" and "Continue" to enter recoveryOS.
There are several ways to determine if your recoveryOS is 1TR:
- starting with 11.3 betas, open Terminal and run "bputil -d", it will show the current OS environment. The expected one is "one true recoveryOS", if you see "ordinary recoveryOS", you are not in 1TR.
- in any version, open Terminal and run "bputil -k" (this will attempt to enable support for 3rd-party kexts). If the command fails with error 11 (AP boot mode), you are not in 1TR.
- Try enabling user-controlled 3rd-party kexts (requires Reduced Security mode) using Startup Security Utility. If an attempt to enable it fails with error 11, you are not in 1TR.
Once you determine that you indeed are in 1TR, "csrutil disable" should work as expected.
I'm not sure there is any other way to get into recovery on an M1.
If you're in recovery then it must be 1TR unless 1TR has somehow failed and the backup ordinary recovery system has been loaded. The ordinary recovery system appears from the article below to be on the Data volume and so is unbootable in any normal way. (Read from after the booting diagrams).
Or maybe I've misunderstood?
https://eclecticlight.co/2021/01/14/m1-macs-radically-change-boot-and-recovery/
1TR is defined as "primary recoveryOS + physical presence flag set by iBoot if power button is held correctly".
This is a relevant bit from bputil manpage:
What I'm suggesting is that somehow some users indeed end up in primary recoveryOS, but iBoot doesn't set the required physical presence flag for some reason (power button released too early, jitter, trying to force shutdown by holding power button, and then initiate boot into rOS, something else).
This is a relevant bit from bputil manpage:
What I'm suggesting is that somehow some users indeed end up in primary recoveryOS, but iBoot doesn't set the required physical presence flag for some reason (power button released too early, jitter, trying to force shutdown by holding power button, and then initiate boot into rOS, something else).
It’s great that Apple, in the name of security, has succeeded in locking down the mac to such an extent that owners are unable to gain access to, or control, their own machines.
I think it is both a bit buggy and a documentation issue. They'll straighten it out soon. Already some of the documentation is getting better. The M1s have been out for less than 4 months.