What is SIP and when is it safe to turn it off?

System Integrity Protection – SIP – is one of the primary mechanisms which macOS uses to protect itself. It was introduced relatively recently, in El Capitan (2015), and you’ll find various recommendations that, to fix problems with macOS or even with some apps, you should turn SIP off first. I hope in this article to convince you that it’s never safe to turn it off, and that Catalina makes that even more important with its new read-only system volume.

In earlier days of Mac OS X, it wasn’t uncommon for key system files to become damaged or corrupted. Sometimes it was put down to disk errors, other times to an out-of-control extension or app, but we never wanted to think that it might have been deliberate. For once any malicious software gained access to the system, that Mac was doomed.

Before El Capitan, the only thing standing between system files and an attacker was the need to gain root privileges. SIP took all those system files out of reach of even the root user (consequently being referred to as rootless): using a combination of the rootless.conf file stored in /System/Library/Sandbox and the com.apple.rootless extended attribute, the contents of most system folders came under SIP’s protection. The only way that a user can circumvent this is by turning SIP off when booted into Recovery mode (or from a bootable macOS installer) and using the csrutil command from there.
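As an added illustration (not code from Apple or from this article), this shell function reads rootless.conf-style text and reports how a given path would be treated. It assumes the file's layout is an optional tag column followed by the path, where an empty tag marks a protected path, `*` marks an exception, any other tag names a service allowed to manage that path, and the longest matching entry wins. The sample entries and the tag `example_svc` are constructed.

```shell
#!/bin/sh
# rootless_verdict PATH  (rootless.conf-style text on stdin)
# Prints: protected | protected:<tag> | exception | unlisted
rootless_verdict() {
  target=$1 best=0 verdict=unlisted
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in */*) ;; *) continue ;; esac      # no path on this line
    tag=$(printf '%s' "${line%%/*}" | tr -d ' \t')  # text before the first "/"
    case $tag in '#'*) continue ;; esac             # comment line
    path=/${line#*/}                                # text from the first "/"
    # Match the entry itself or anything below it, never a sibling
    # such as /usrlocal for the entry /usr.
    case $target in
      "$path"|"$path"/*)
        if [ "${#path}" -gt "$best" ]; then         # longest entry wins (assumption)
          best=${#path}
          case $tag in
            '')  verdict=protected ;;
            '*') verdict=exception ;;
            *)   verdict=protected:$tag ;;
          esac
        fi ;;
    esac
  done
  printf '%s\n' "$verdict"
}

# Constructed sample in the assumed layout; not a copy of the real file.
sample_conf() {
  printf '# constructed sample\n'
  printf '\t\t\t\t/System\n'
  printf '*\t\t\t\t/System/Library/Caches\n'
  printf 'example_svc\t\t\t/System/Library/CoreServices\n'
  printf '\t\t\t\t/usr\n'
  printf '*\t\t\t\t/usr/local\n'
}

sample_conf | rootless_verdict /usr/local/bin
```

On a Mac, the same function can be fed the real file from /System/Library/Sandbox on stdin to see which of your own paths fall under SIP.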

Since El Capitan, Apple has steadily increased SIP’s coverage to include all its bundled apps and tools, but even in Mojave, they remain on the same volume as the rest of your startup folders, including the main Applications folder and user Home folders. This is changing with macOS 10.15 Catalina: when you install that, a new read-only volume is created and all those system files and folders are stored on that, set apart from Applications, your top-level Library folder, and user Home folders.

Remember that in APFS, volumes within the same Container share free space, so you don’t have to worry about managing free space between them. Putting the system on its own read-only volume further enhances protection, and to ensure that apps and other software can still find the system files that they might rely on, Catalina uses a form of bi-directional symbolic link, termed a firmlink, to make it appear that the two new volumes are still one.

The mechanism which enforces SIP has also grown other functions over this period, and one which is becoming prominent in Mojave 10.14.5 and Catalina is the hardening required for notarization of third-party apps: Jeff Johnson revealed this late last year. SIP is also responsible for enforcing strict security restrictions on kernel extensions, which are now required to be both specially signed and notarized (for those signed from 7 April 2019 onwards).

Before these recent changes to SIP, disabling it was often recommended as a first step when attempting to fix problems in macOS which were blamed on damaged services or Property Lists. I have had a steady succession of advanced users who have turned SIP off and then tried to repair what they thought were corrupted components within macOS. None of them, as far as I recall, was ever successful in tinkering in this way, and every case became rapidly worse once SIP was disabled and they started fiddling around with what should have been protected files.

If you think that, despite SIP being turned on, system files have become corrupted, the best solution is to reinstall them, either using the latest Combo updater for that version of macOS, or by reinstalling the whole of macOS. Then the installer takes control of SIP, and when it’s finished should leave it turned on for you.

With SIP enforcing security on kernel extensions and the protection of hardening which accompanies notarization, some may now start recommending that SIP is turned off to work around problems with third-party kernel extensions or apps. As with manually trying to patch macOS, this is a bit like smelling smoke in the building and responding by disabling the automatic sprinkler system in case it goes off. When you’ve got a problem, don’t turn the safety systems off, as that’s just when you need them most.

If you’re experiencing problems with kernel extensions or other software which are supposed now to be hardened and notarized, the problem isn’t with SIP, it’s with that third-party software, and that is what you need to get fixed.

There may be, just may be, very rare circumstances in which turning SIP off might enable you to fix something critical. I can’t think of any situation, and have never turned SIP off myself. But if you really are absolutely certain it’s the only way forward, get a brightly-coloured sticky note, write in bold black letters SIP DISABLED, and stick it on the display of that Mac. Leave it there until you have not only turned SIP back on again, but have checked that it is properly enabled using LockRattler or a similar utility. You’d be surprised at the number of LockRattler users who only realised that they’d forgotten to turn SIP back on some weeks ago when they came to check using that utility.
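One way to script that check, as an added example that is not part of the original article or of LockRattler: the function below classifies the text printed by `csrutil status` and accepts only a plain "enabled" result, so a partially disabled custom configuration is not mistaken for full protection. The exact wording of the status lines is an assumption, and the sample output is constructed.

```shell
#!/bin/sh
# sip_state: classify `csrutil status` output read from stdin.
# Prints: enabled | disabled | custom | unknown
sip_state() {
  state=unknown
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      # A custom configuration can still say "enabled" while individual
      # protections are off, so test for it first.
      "System Integrity Protection status:"*"Custom Configuration"*)
        state=custom ;;
      "System Integrity Protection status: enabled."*)
        state=enabled ;;
      "System Integrity Protection status: disabled."*)
        state=disabled ;;
    esac
  done
  printf '%s\n' "$state"
}

# sip_ok: succeeds only when SIP is fully enabled; anything else,
# including unrecognised output, counts as a failure.
sip_ok() {
  [ "$(sip_state)" = enabled ]
}

# Constructed sample of a partially disabled configuration.
sample_custom() {
  printf 'System Integrity Protection status: enabled (Custom Configuration).\n'
  printf '\n'
  printf 'Configuration:\n'
  printf '\tKext Signing: enabled\n'
  printf '\tFilesystem Protections: disabled\n'
}

# On a Mac, report the live state; elsewhere this is skipped.
if command -v csrutil >/dev/null 2>&1; then
  csrutil status | sip_state
fi
```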

And if any software vendor suggests that you should run your Mac with SIP disabled so that their software works, don’t trust them in the slightest. Look for an alternative product. Would you trust a mechanic who fixed a problem with your car by disabling the airbags and removing the seatbelts?