Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Disable SIP

timelessbeing

timelessbeing

macrumors 6502
Original poster
Oct 15, 2009
450
131
How do I disable SIP in Sonoma on my M2 MBP?
I tried the old method of booting in recovery mode, and punching "csrutil disable" into terminal, but it's giving me some bs about
"The OS environment does not allow changing security configuration options.
Ensure that the system was booted into Recovery OS via the standard user action."

Has the procedure changed on Apple Silicon? How do you disable SIP?
 
The "old" method is still how it's done. I suspect your machine is managed by an IT department.
 
Well it's not. Old method is old. You don't hold cmd-R anymore, and the boot options look different.

And another nope. fresh new computer bought from apple store.

Is there anybody who's actually done this on a modern machine?
 
Perhaps you’re not in recovery mode. Press and hold the power button to get there.
 
Last edited:
Here is the usage from terminal:

xxxxxxxxx ~ % csrutil
usage: csrutil <command>
Modify the System Integrity Protection configuration.
Available commands:

clear
Clear the existing configuration.
disable
Disable the protection of the OS installation. Only available in Recovery OS.
enable
Enable the protection of the OS installation. Only available in Recovery OS.
status
In Recovery OS, displays the configuration for each OS installation.
In macOS, displays the configuration of the running OS.

authenticated-root
status
Show the current authenticated root setting.
disable
Allow booting from non-sealed system snapshots. Only available in Recovery OS.
enable
Only allow booting from sealed system snapshots. Only available in Recovery OS.
 
Well I tried it again and it magically worked.
Turns out there might be different recovery modes.
One if you power on AND THEN hold the power button.
another if you just press and hold power button from off state.
They look absolutely identical so you will never know which mode you are in.
Just bloody stupid!
 
  • Like
Reactions: rmadsen3 and chabig
There are two recovery modes, and they serve different purposes.

1. Recovery - press and hold the power button
2. Fallback recovery - Press, release, press and hold the power button. This mode does not have the capability to change the system security state.

You must have been booting to fallback recovery at first.

eclecticlight.co

How to recover Recovery

There’s a problem with your Mac, so you try starting it up in Recovery. But that doesn’t work. What should try next? Intel and Apple silicon Macs are then quite different.
eclecticlight.co eclecticlight.co
 
Last edited:
  • Like
Reactions: rmadsen3 and kitKAC
Apple's surveillance of users has reached new heights on Apple Silicon. You can not disable/enable SIP without being connected to the Internet.
csrutil status.jpg
 
  • Like
Reactions: 212rikanmofo and rmadsen3
In Recovery, choose Reduced Security in Startup Security. Apply the changes to get around this.
 
  • Like
Reactions: rmadsen3
I turn it off temporarily, do what I need to do, and then turn it back on. And it's rare that I need to. Once every couple of years maybe.

I enjoy having a stable operating system.
 
  • Like
Reactions: majus and gank41
timelessbeing said:
I turn it off temporarily, do what I need to do, and then turn it back on. And it's rare that I need to. Once every couple of years maybe.

I enjoy having a stable operating system.
Click to expand...
Linux systems survive just fine without this security theater. Apple does this because they want you to use your computer as an appliance, no changes beyond what they permit and you must adapt to new “features“ they give you with new releases.
 
  • Like
  • Love
Reactions: 212rikanmofo and rmadsen3
bogdanw said:
Apple's surveillance of users has reached new heights on Apple Silicon. You can not disable/enable SIP without being connected to the Internet.
View attachment 2361651
Click to expand...

I noticed starting with I think the T2 macs (but certainly my Intel MacBook Air 2020) that you also can't install a new OS without first connecting to the Internet. For example if you receive a new laptop and want to reinstall with a known good OS from a flash drive, you have to startup the laptop on the installed OS and connect to Wifi. Only then can you reboot and install from the flash drive.

This would be problematic if the shipped OS contained a security vulnerability being exploited by a worm. Or perhaps in some security-specific environments that required all systems to be on a specific gold master configuration before being connected to the internet. Or if the Mac was to be used in an offline environment.
 
ifxf said:
Linux systems survive just fine without this security theater. Apple does this because they want you to use your computer as an appliance, no changes beyond what they permit and you must adapt to new “features“ they give you with new releases.
Click to expand...
I agree with you but I don't Like it...
 
bzgnyc2 said:
I noticed starting with I think the T2 macs (but certainly my Intel MacBook Air 2020) that you also can't install a new OS without first connecting to the Internet.
Click to expand...
It’s insane what we’ve come to accept as normal. We buy computers, but we can’t use them until big brother says we can.
Conveniently for Apple, the documentation doesn’t mention the activation requirement
https://support.apple.com/guide/macbook-air/apd831707cb3/2024/

Nor the Internet requirement for SIP.
Disabling and Enabling System Integrity Protection https://developer.apple.com/documen...ling_and_enabling_system_integrity_protection

I have few hopes that recent pressure will change things, but at least it’s out in the open:
“Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct. Indeed, it spends billions on marketing and branding to promote the self-serving premise that only Apple can safeguard consumers’ privacy and security interests. Apple selectively compromises privacy and security interests when doing so is in Apple’s own financial interest—such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available. In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests.
Apple File Stamped Complaint 03.21.24 https://www.justice.gov/opa/media/1344546/dl?inline
 
  • Like
  • Love
Reactions: 212rikanmofo, rmadsen3, gilby101 and 1 other person
ifxf said:
Linux systems survive just fine without this security theater. Apple does this because they want you to use your computer as an appliance, no changes beyond what they permit and you must adapt to new “features“ they give you with new releases.
Click to expand...

That hasn't been my experience, but you are entitled to your opinion, and can use your computer however you like :)
 
  • Like
Reactions: kitKAC
bzgnyc2 said:
I noticed starting with I think the T2 macs (but certainly my Intel MacBook Air 2020) that you also can't install a new OS without first connecting to the Internet. ....
Click to expand...

Completely unrelated to my question. Maybe you should start your own topic ....
 
  • Like
Reactions: kitKAC
timelessbeing said:
OK ...kernel mechanism that verifies the integrity of the system content at runtime and rejects any data—code and noncode—without a valid cryptographic signature from Apple
Just like I said. You can put the foil hat away.
Click to expand...
That's the Signed system volume, not the System Integrity Protection.
Disabling SIP does not alter the integrity of the Signed system volume.
 
  • Like
Reactions: auxbuss
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back