Some brand new Macs, MacBook Pro models no less, have apparently shipped to users with System Integrity Protection (SIP) disabled, which means that their macOS files, particularly the very sensitive /System/Library folder, are vulnerable to malware, tampering, etc.
It is easy to tell whether SIP is enabled on your Mac: open Terminal, type in the command line
csrutil status
and press Return.
If SIP is enabled (correct, secure), the message
System Integrity Protection status: enabled.
will then appear. Close Terminal, and breathe a sigh of relief.
If the text instead reads
System Integrity Protection status: disabled.
or anything else (it is possible to partially enable it), you will need to enable SIP.
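The same check as a script, for anyone who wants to run it across several Macs (an added example, not the author's checksip app; the function names, the `--check` argument and the exit codes are choices made for this example). It treats only the exact "enabled." line as good and reports everything else, including a partial configuration, for review:

```shell
#!/bin/sh
# Classify the text printed by `csrutil status`.
# Prints: enabled | disabled | other
# "other" covers partial configurations and any unexpected output,
# which the article says should also be treated as needing attention.
classify_sip() {
    case "$1" in
        "System Integrity Protection status: enabled.")  echo enabled ;;
        "System Integrity Protection status: disabled.") echo disabled ;;
        *)                                               echo other ;;
    esac
}

# Run csrutil and turn the result into an exit code a management
# script can act on: 0 enabled, 1 disabled, 2 review needed, 3 no csrutil.
check_sip() {
    if ! command -v csrutil >/dev/null 2>&1; then
        echo "csrutil not found (is this macOS 10.11 or later?)" >&2
        return 3
    fi
    out=$(csrutil status 2>&1)
    case "$(classify_sip "$out")" in
        enabled)
            echo "SIP is enabled."
            return 0 ;;
        disabled)
            echo "SIP is DISABLED: enable it as described in the article."
            return 1 ;;
        *)
            echo "SIP is not fully enabled; csrutil reported:"
            printf '%s\n' "$out"
            return 2 ;;
    esac
}

# Only query the real system when asked to, so the functions can be
# sourced and exercised with constructed input on any machine.
if [ "${1:-}" = "--check" ]; then
    check_sip
    exit $?
fi
```

Saved as, say, `sipcheck.sh`, it is run with `sh sipcheck.sh --check`; no admin password is needed because it only reads the status.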
The classic method of enabling SIP, which applies to Sierra 10.12 and 10.12.1, requires you to restart into Recovery mode, open Terminal there, and type in the command
csrutil enable
and press Return. Then close Terminal and restart normally.
However, if you update to Sierra 10.12.2, which is claimed in itself to enable SIP but may still not do so on all MacBook Pros, you can do this without entering Recovery mode. Open Terminal, and type
sudo csrutil clear
You will then need to enter your admin password at the prompt. Once that has been done, restart your Mac and check SIP again: it should be enabled. If that does not work, then you should contact Apple support immediately.
To make it easier still for you to check whether SIP is enabled, I have put together a little AppleScript app (which is signed, but still requires you to use the Finder Open command the first time, to open it) to test it. Simply download the app from here: checksip
Then unzip it, and double-click it. It will report your Mac’s SIP status without your having to open Terminal.
I hope that helps. The app is free, and can be distributed freely, and should run on any Mac (new or old) running macOS Sierra (if you really want an El Cap version, please ask). I hope that it is entirely self-explanatory.
Revised 13 December 2016 in the light of changes in Sierra 10.12.2.