How to disable and enable System Integrity Protection

Apple invented System Integrity Protection, usually referred to as SIP, to keep your Mac protected from any harmful modifications. This security feature is designed to make it even more difficult for malware to modify system processes, locations, and Kernel extensions.

SIP prevents malware attacks from completion. Disabling it will instantly raise macOS vulnerability. Note that this is for experienced users or developers, and you normally shouldn’t turn SIP off. 

But like anything that creates restrictions, this security feature has its drawbacks. So if you need to disable System Integrity Protection to fix an issue, there is a way to do that.

What is System Integrity Protection?

System Integrity Protection is a security technology developed to guard files and folders on your Mac against potentially malicious software.  

Before the SIP release, the root user account had full access to the entire operating system: any system folder or app on your Mac. Malware that got root permission could use it to destroy the low-level operating system files.

Today, Mac System Integrity Protection, also known as ‘rootless,’ restricts the root user and won’t allow it to perform specific actions, such as adding code into system processes or managing protected locations. This is good news. Software with granted root permission can no longer tamper with system files.

Parts of the system protected by SIP

System Integrity Protection is effective at defending the following system locations:

  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that come preinstalled with macOS

If you try to tamper with one of such protected parts, you’ll see the message: “Operation not permitted.” Only Apple-signed processes, such as authorized Apple installers or software updates, have privileges to write to system files. 


Find the full list of protected locations at: /System/Library/Sandbox/rootless.conf.

Why you may need to disable System Integrity Protection

The most common issue with ‘rootless’ is it breaks apps. Some apps might fail to install or function correctly, even after they are installed. That’s when users see the “Cannot attach to process due to System Integrity Protection” message. 

These app-specific errors are largely a thing of the past. Since time, most developers have updated their software to comply with the latest macOS versions. Of course, there are still exceptions.

Note that the blame for these problems doesn’t lie on SIP alone. It’s also the responsibility of developers who failed to adjust their apps properly.


There is also a problem related to emptying Trash on Mac. If you get an error, “Some items in the trash cannot be deleted because of System Integrity Protection,” use the instruction below.

Is it safe to turn off SIP?

Although Apple recommends keeping System Integrity Protection turned on all the time, it can be disabled and enabled as needed. Remember that this may cause serious security issues. 

Before turning SIP off, make a Time Machine backup of your Mac to restore your computer just in case something goes wrong. Double-check that the software you want to install comes from a reliable source.

To be on the safe side while SIP is disabled, it’s a good practice to use an anti-malware tool. I always rely on CleanMyMac X since Apple notarized it. That means it was submitted for checking and officially doesn’t contain viruses itself.

With its Malware Removal module, you can perform a deep scan and eliminate any malware you may have caught in the past.

Malware removal module of CleanMyMacX

Here is how it works:

  1. Grab a copy of CleanMyMac X and launch it — here, you can get a version.
  2. Choose Malware Removal.
  3. Press Scan and wait for a few seconds.
  4. If anything suspicious is found, press Remove to get rid of it.

To activate the non-stop scan, allow the real-time monitor to run in the background. Go to CleanMyMac X menu > Preferences > Protection and check the box next to the feature.

How to disable System Integrity Protection

SIP on the latest macOS has minor differences with the previous versions, but the basics of turning it on/off remain the same. Let’s see how to do that.


Once again, don’t disable SIP unless you have a solid reason to do that. Make sure you’ve activated some alternative protection layer for your Mac.

  1. Click the Apple logo on the Menu bar > Restart.
  2. Hold down Command-R as your Mac starts up to reboot into Recovery Mode.
  3. Go to Utilities > Terminal
  4. Type csrutil disable and press Return or Enter on the keyboard.
  5. Click the Apple logo > Restart.

Once you fix an issue, turn on System Integrity Protection right away.

How to enable System Integrity Protection

To switch  SIP back to its full power, follow the first four steps once again. Enter csrutil enable in the Terminal and restart your Mac for the changes to take effect.

  • Restart your Mac in Recovery Mode
  • Open Terminal app
  • Paste in: csrutil enable
  • Hit Enter
  • Restart your Mac 

Most apps and their installers run smoothly with SIP turned on. Still, there might be situations when disabling it is the only option. If so, we’ve just told you what to do. Always keep your macOS updated and pick an anti-virus for your Mac if you haven’t got one yet. We are using CleanMyMac X, but there are many other good options too. 

Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.