When SIP status is unknown, SilentKnight and silnite can be foxed

No matter how well we think we know our Macs, sometimes they spring little surprises. I’m very grateful to Mark for telling me how he was caught out by SIP, and how SilentKnight let him down.

When he was experiencing problems with iCloud sync on his MacBook Pro 2018 (Intel T2), Mark logged out of iCloud then logged back in again, a manoeuvre many of us try. Although this fixed his iCloud issues, he then had to add his credit cards back to his Apple Wallet. However, he was next warned that Apple Pay couldn’t be set up, as the security settings of that Mac had been modified.

Alas, SilentKnight reported nothing amiss, and specifically told him “SIP & SSV enabled”. However, that wasn’t the case, and csrutil status returned:
System Integrity Protection status: unknown (Custom Configuration).
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
NVRAM Protections: disabled
BaseSystem Verification: enabled
This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

Mark then tried enabling SIP in Recovery mode, but csrutil status still returned unknown, although more of its components had been enabled this time. He finally rectified this by resetting SMC and NVRAM, which resolved the problem, returned SIP to fully enabled, and allowed him to add his cards back.

I’ve been investigating why SilentKnight should have returned such a wrong result when it checked his Mac’s SIP status. As a result, I have new versions of SilentKnight and silnite to deal better with this unusual situation.

As Apple silicon Macs have quite different security settings, which the app checks in a different way, this problem should be confined to Intel Macs.

SilentKnight 2.1, for Catalina and later, addresses this flaw, and is available now from here: silentknight201
from Downloads above, from its Product Page, and via its auto-update mechanism.

Checking the source code of silnite, I realised that it too could be prone to this error, but only if you rely on its plain text output; JSONised XML and proper JSON output aren’t affected, as they contain the full results from the csrutil status command.

silnite version 9 should fix that text output, and is available now from here: silnite9
from Downloads above, and from its Product Page.

What remains a mystery is how SIP on Mark’s MacBook Pro became so deranged that even macOS declared its status as “unknown”, but that’s a problem for Apple to solve, not me. Should you ever run into the same problem, you know now to turn SIP back on in Recovery mode, then reset the SMC and NVRAM.

Thanks to Mark for providing so much useful information, and for solving his problem so effectively.