If you disable SIP, all you iOS apps will stop working on your M1.

[walterpaisley]

For anyone who was wondering, I figured out why "sideloaded" iOS apps weren't launching. It turns out you need to explicitly export them from iMazing for the apps to successfully launch. I was digging into the App Support folder and installing them there which wasn't working.

 

[CICT]

For anyone who was wondering, I figured out why "sideloaded" iOS apps weren't launching. It turns out you need to explicitly export them from iMazing for the apps to successfully launch. I was digging into the App Support folder and installing them there which wasn't working.

Hi. Could you be a bit more specific. I’ve an M1 MacBook Pro, SIP is enabled, I’ve exported the IPA file from Manage Applications, Library within iMazing, but am still getting the fairplay errors in Console and the app is not loading. Is there another export option in iMazing that I’m missing? Thanks

 

[CICT]

Hi. Could you be a bit more specific. I’ve an M1 MacBook Pro, SIP is enabled, I’ve exported the IPA file from Manage Applications, Library within iMazing, but am still getting the fairplay errors in Console and the app is not loading. Is there another export option in iMazing that I’m missing? Thanks

I’ve resolved this, but with no understanding why as yet. I repeated exporting the IPA file and could not get the app to load. However, as a last ditch attempt I picked another small IOS app installed on my iPad in iMazing, exported the IPA file, installed and it launched immediately. I then reverted to my original app that was already in the Applications folder and it also launched. It doesn’t make much sense, but it has worked (for now).

 

[walterpaisley]

Out of curiosity where did you export the IPA to? I saved them to my Downloads folder. Not sure if that's a consideration or not but anything is worth a shot.

 

[gank41]

I’ve resolved this, but with no understanding why as yet. I repeated exporting the IPA file and could not get the app to load. However, as a last ditch attempt I picked another small IOS app installed on my iPad in iMazing, exported the IPA file, installed and it launched immediately. I then reverted to my original app that was already in the Applications folder and it also launched. It doesn’t make much sense, but it has worked (for now).

So if I am understanding correctly, the .ipa file exported from iMazing literally opens like any other .app macOS App opens? Or does the .ipa file mount like a .dmg file does, and then You drag the app from there to your Applications Folder?

 

[CICT]

So if I am understanding correctly, the .ipa file exported from iMazing literally opens like any other .app macOS App opens? Or does the .ipa file mount like a .dmg file does, and then You drag the app from there to your Applications Folder?

None of the above. It installs the app into the Applications folder using the IOS Installer

 

[CICT]

Out of curiosity where did you export the IPA to? I saved them to my Downloads folder. Not sure if that's a consideration or not but anything is worth a shot.

I also exported to the Downloads folder.

 

[gank41]

None of the above. It installs the app into the Applications folder using the IOS Installer

So you take the .ipa file in your Downloads Folder and double click on it, and it “installs” the app? Does it take the app and place it in your Applications Folder or does it continue to run it from that .ipa file in your Downloads Folder?

 

[bousozoku]

You have to boot in recovery mode ... tinkering. System integration protection, security feature.

So, it's just there for people who tinker and screw things up. ?

 

[toxotis700]

I tried to delete several apps via terminal like chest, stocks etc and couldn't , after disabling SIP in my M1 air.
Any idea why ?

 

[Wowfunhappy]

I tried to delete several apps via terminal like chest, stocks etc and couldn't , after disabling SIP in my M1 air.
Any idea why ?

Yes, look up Big Sur signed system volume. You can absolutely still do it, but it requires a bit more than just disabling SIP.

 

[Fishrrman]

I don't have an m1 Mac yet.

But...
I DISABLE:
- SIP
- Gatekeeper
- Startup Security
... on my 2018 Mini, and SIP/Gatekeeper on my other Macs, as well.

As a matter of course.
I have great distaste for such "roadblocks" thrown up in front of me.

If I ever get an m1 Mac (uncertain at this point), I'll do the same, if it can be done.

 

[MK500]

I don't have an m1 Mac yet.

But...
I DISABLE:
- SIP
- Gatekeeper
- Startup Security
... on my 2018 Mini, and SIP/Gatekeeper on my other Macs, as well.

As a matter of course.
I have great distaste for such "roadblocks" thrown up in front of me.

If I ever get an m1 Mac (uncertain at this point), I'll do the same, if it can be done.

Yes, many people do this. If you are a developer or IT expert; you don’t need the same security level as a general user.

I just wanted to make sure everyone was aware that for the first time Apple is disabling a major piece of functionality for those who do. You will not be allowed to run any iOS apps on your Mac. This is a pretty valuable feature to me; as many iOS apps are superior to the Mac equivalent. An example for me is using a financial iOS app that verifies identity through Touch ID at each launch vs. using Safari. This also avoids any potential “leakage” of my financial activities to other sites I visit in Safari (Amazon, Google, etc.).

 

[gank41]

Yes, many people do this. If you are a developer or IT expert; you don’t need the same security level as a general user.

I just wanted to make sure everyone was aware that for the first time Apple is disabling a major piece of functionality for those who do. You will not be allowed to run any iOS apps on your Mac. This is a pretty valuable feature to me; as many iOS apps are superior to the Mac equivalent. An example for me is using a financial iOS app that verifies identity through Touch ID at each launch vs. using Safari. This also avoids any potential “leakage” of my financial activities to other sites I visit in Safari (Amazon, Google, etc.).

I’m curious if enabling Kernal Extensions (not disabling SIP) also has a negative effect?

 

[ADGrant]

Yes, many people do this. If you are a developer or IT expert; you don’t need the same security level as a general user.

I disagree, I am a developer and I keep my Macs locked down as much as possible. I also use two different browsers, Chrome for development work and Safari for everything else.

I never disable a security feature unless I have a specific reason. I re-enable as soon as possible.

 

[seek3r]

I disagree, I am a developer and I keep my Macs locked down as much as possible. I also use two different browsers, Chrome for development work and Safari for everything else.

I never disable a security feature unless I have a specific reason. I re-enable as soon as possible.

Same, I turn things off when I need to, and I want to always have that option because I do do so, I do need the ability to turn things off, but if I don't need it off it goes back on, being a dev doesnt mean I don't need security features.

 

[Wowfunhappy]

Personally, I think SIP is great for casual computer users, but unnecessary if you actually know what you're doing.

A core concept in UNIX is that the root user has access to everything, and then normal accounts are given fewer privileges as needed. By giving a program your admin password, you're telling the OS you want it to have root access to your entire system—and if you don't want it to have that access, you absolutely should not ever give it that admin password! This is true whether or not SIP has been disabled—programs with root privledges can do plenty of nasty things even with SIP turned on.

If SIP never gets in your way, but all means leave it on, I think turning it off temporarily to do one thing and then switching it on again is way too much work. SIP didn't exist at all prior to El Capitan, and we all got along fine.

 

[MK500]

I disagree, I am a developer and I keep my Macs locked down as much as possible. I also use two different browsers, Chrome for development work and Safari for everything else.

I never disable a security feature unless I have a specific reason. I re-enable as soon as possible.

I hear you. It’s good practice to secure your system if you are out and about, or doing a project where the scope allows it.

I’m just saying that for SOME segment of the population — running in a properly secured environment — it‘s reasonable to choose to run at a reduced security level. It is at least something that should be allowed without disabling critical features.

I‘m certainly not saying all developers should run this way.

Security is important. Privacy is important. The right to make choices about tools and equipment you own is important.

 

[ADGrant]

I hear you. It’s good practice to secure your system if you are out and about, or doing a project where the scope allows it.

I’m just saying that for SOME segment of the population — running in a properly secured environment — it‘s reasonable to choose to run at a reduced security level. It is at least something that should be allowed without disabling critical features.

I‘m certainly not saying all developers should run this way.

Security is important. Privacy is important. The right to make choices about tools and equipment you own is important.

My view is if you are using a web browser that connects to the public internet you are running in an insecure environment.

The more extreme view (held by the professional InfoSec people) is if your computer is connected to any network it is at risk. Another computer on the same network could have been comprised.

 

[Wowfunhappy]

I hear you. It’s good practice to secure your system if you are out and about, or doing a project where the scope allows it.

My view is if you are using a web browser that connects to the public internet you are running in an insecure environment.

I think both of these posts are missing what SIP actually does.

SIP is not an extra level of protection against, say, browser exploits—if some web page has managed to inject code into Finder (eek!), it doesn't matter whether apps are normally allowed to inject into Finder, because the evil web page has already bypassed all of that.

Defense in depth is a good concept, but only when each layer of protection is designed to distrust one another, in case one of those layers gets broken. SIP isn't really designed that way. SIP distrusts the user of the machine and prevents the user from performing certain actions.

And a lot of users should be distrusted. How many casual Mac buyers understand the significance of entering their admin password? But if you know what SIP is, and how to turn it off, you probably aren't one of those people. There's no equivalent of SIP in most Linux distributions, and the closest equivalent in Windows is far more lenient (except with regard to drivers/kexts, Windows is a downright pain about those).

I really can't say I understand all the concern about SIP, and I frankly think there's an awful lot of FUD going around.

 

[ADGrant]

I think both of these posts are missing what SIP actually does.

SIP is not an extra level of protect against, say, browser exploits—if some web page has managed to inject code into Finder (eek!), it doesn't matter whether apps are normally allowed to inject into Finder, because the evil web page has already bypassed all of that.

Defense in depth is a good concept, but only when each layer of protection is designed to distrust one another, in case one of those layers gets broken. SIP isn't really designed that way. SIP distrusts the user of the machine and prevents the user from performing certain actions.

And a lot of users should be distrusted. How many casual Mac buyers understand the significance of entering their admin password? But if you know what SIP is, and how to turn it off, you probably aren't one of those people. There's no equivalent of SIP in most Linux distributions, and the closest thing Windows has to an equivalent system is far more lenient (except with regard to drivers/kexts, Windows is a downright pain about those).

I really can't say I understand all the concern about SIP, and I frankly think an awful lot of FUD has been spread over the years.

The user is the weakest point in any security model. To turn the question around, what is SIP doing that prevents you from using your Mac? What are you trying to achieve by disabling it?

 

[S G]

I wish I had seen this thread before spending two hours with Apple to figure out why iOS apps would not open on my brand new M1 MacBook Air (they look like they do but nothing happens). I disabled csrutil because I wanted my tagged Finder files and folders to be entirely highlighted throughout their icons and names, like in older systems thanks to the extension TotalFinder. Unfortunately, TotalFinder requires SIP to be off, but even then, it does not work on M1 Macs yet. After the call, I remembered that turning off SIP was the only thing that was unusual about my setup. I reenabled csrutil and the iOS apps could finally open. This post confirms all of it. The one unusual thing I can add is that enabling csrutil now requires internet access, which I don't remember it needed before... So long then, TotalFinder - I will miss the color labels... I hate the monochrome/uniform trend in recent operating systems, and absence of color cues; and no, the tiny dot from tags is not enough.

 

[ADGrant]

I wish I had seen this thread before spending two hours with Apple to figure out why iOS apps would not open on my brand new M1 MacBook Air (they look like they do but nothing happens). I disabled csrutil because I wanted my tagged Finder files and folders to be entirely highlighted throughout their icons and names, like in older systems thanks to the extension TotalFinder. Unfortunately, TotalFinder requires SIP to be off, but even then, it does not work on M1 Macs yet. After the call, I remembered that turning off SIP was the only thing that was unusual about my setup. I reenabled csrutil and the iOS apps could finally open. This post confirms all of it. The one unusual thing I can add is that enabling csrutil now requires internet access, which I don't remember it needed before... So long then, TotalFinder - I will miss the color labels... I hate the monochrome/uniform trend in recent operating systems, and absence of color cues; and no, the tiny dot from tags is not enough.

I understand why you might not be happy with monochrome look but I personally would not be comfortable with installing a UI tweak that required me to disable any system protections. You are putting a lot of trust in the provider of that software.

 

[vjava]

I disabled SIP on my M1 Mac by using csrutil disable. All my iOS apps no longer launch. So I re-enabled SIP and they are all working again.

So be aware that SIP seems to be required for iOS apps to function.

How do you re-enable SIP on new M1 macs?

 

[MK500]

How do you re-enable SIP on new M1 macs?

csrutil enable