How to disable and enable System Integrity Protection

Apple invented System Integrity Protection, usually referred to as SIP, to keep your Mac protected from harmful modifications. This security feature is designed to make it even more difficult for malware to modify system processes, locations, and kernel extensions.

SIP stops malware attacks from running to completion. Disabling it instantly makes macOS more vulnerable. Note that this is for experienced users or developers, and you normally shouldn’t turn SIP off.

But like anything that creates restrictions, this security feature has its drawbacks. So if you need to disable System Integrity Protection to fix an issue, there is a way to do that.

What is System Integrity Protection?

Originally introduced with OS X El Capitan, System Integrity Protection is a security technology developed to guard files and folders on your Mac against potentially malicious software.  

Before the SIP release, the root user account had full access to the entire operating system: any system folder or app on your Mac. Malware that got root permission could use it to destroy the low-level operating system files.

Today, Mac System Integrity Protection, also known as ‘rootless’, restricts the root user and won’t allow it to perform specific actions, such as adding code into system processes or managing protected locations. This is good news. Software with granted root permission can no longer tamper with system files.

Parts of the system protected by SIP

System Integrity Protection is effective at defending the following system locations:

  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that come preinstalled with macOS

If you try to tamper with one of these protected parts, you’ll see the message: “Operation not permitted while System Integrity Protection is engaged”. Only Apple-signed processes, such as authorized Apple installers or software updates, have privileges to write to system files.

Tip:

Find the full list of protected locations at: /System/Library/Sandbox/rootless.conf.

Why you may need to disable System Integrity Protection

The most common issue with ‘rootless’ is that it breaks apps. Some apps might fail to install, or fail to function correctly even after they are installed. That’s when users see the “Cannot attach to process due to System Integrity Protection” message.

These app-specific errors are largely a thing of the past. Since that time, most developers have updated their software to comply with the latest macOS versions. Of course, there are still exceptions.

Note that the blame for these problems doesn’t lie with SIP alone. It’s also the responsibility of developers who failed to adjust their apps properly.

Note:

There is also a problem related to emptying Trash on Mac. If you get the error “Some items in the trash cannot be deleted because of System Integrity Protection,” use the instructions below.

Is it safe to turn off SIP?

Although Apple recommends keeping System Integrity Protection turned on all the time, it can be disabled and enabled as needed. Remember that this may cause serious security issues.

Before turning SIP off, make a Time Machine backup of your Mac so you can restore your computer in case something goes wrong. Double-check that the software you want to install comes from a reliable source.

To be on the safe side while SIP is disabled, it’s a good practice to use an anti-malware tool. I always rely on CleanMyMac X since Apple notarized it on macOS Catalina. That means it was submitted for checking and officially doesn’t contain viruses itself.

With its Malware Removal module, you can perform a deep scan and eliminate any malware you may have caught in the past.

Here is how it works:

  1. Grab a copy of CleanMyMac X and launch it — here you can get a version.
  2. Choose Malware Removal.
  3. Press Scan and wait for a few seconds.
  4. If anything suspicious is found, press Remove to get rid of it.

To activate the non-stop scan, allow the real-time monitor to run in the background. Go to the CleanMyMac X menu > Preferences > Protection and check the box next to the feature.

How to disable System Integrity Protection

SIP on macOS Catalina differs slightly from previous versions, but the basics of how to turn it on and off remain the same. Let’s see how to do that.

Warning:

Once again, don’t disable SIP unless you have a solid reason to do that. Make sure you’ve activated some alternative protection layer for your Mac.

  1. Click the Apple logo on the Menu bar > Restart.
  2. Hold down Command-R to reboot into Recovery Mode.
  3. Go to Utilities > Terminal.
  4. Type csrutil disable and press Return or Enter on the keyboard.
  5. Click the Apple logo > Restart.

Once you fix an issue, turn on System Integrity Protection right away.

How to enable System Integrity Protection

To switch SIP back to its full power, follow the first four steps once again. Enter csrutil enable in the Terminal and restart your Mac for the changes to take effect.

  • Open the Terminal app
  • Paste in: csrutil enable.
  • Hit Enter
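
After the restart, confirm that SIP really is back on. The script below is an added example, not part of the original article: it classifies the text printed by `csrutil status` (which can be run from a normal boot, not only from Recovery Mode) and lists any protections a custom configuration leaves off. The sample outputs and the function names `sip_state`, `sip_disabled_parts` and `report` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output after re-enabling SIP.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled'

# Print one of: enabled | disabled | custom | unknown
sip_state() {
    first_line=$(printf '%s\n' "$1" |
        grep -i 'System Integrity Protection status:' | head -n 1)
    case "$first_line" in
        # A custom configuration can say "enabled" while parts are off,
        # so it is checked first and never reported as fully enabled.
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Print the name of every individual protection reported as disabled.
sip_disabled_parts() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(.*\): disabled$/\1/p'
}

report() {
    state=$(sip_state "$1")
    echo "SIP state: $state"
    if [ "$state" != enabled ]; then
        sip_disabled_parts "$1" | sed 's/^/  not enforced: /'
    fi
}

if command -v csrutil >/dev/null 2>&1; then
    report "$(csrutil status 2>&1)"   # on a Mac: the real status
else
    report "$SAMPLE_CUSTOM"           # elsewhere: the constructed sample
fi
```

Anything other than a plain `enabled` result means the enable step did not fully take effect and should be repeated from Recovery Mode.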

Most apps and their installers run smoothly with SIP turned on. Still, there might be situations when disabling it is the only option. If so, we’ve just told you what to do. Always keep your macOS updated and pick an anti-virus for your Mac if you haven’t got one yet. We are using CleanMyMac X but there are many other good options too. 
