What is SIP?

System Integrity Protection (SIP) in macOS protects the entire system by preventing the execution of unauthorized code. The system automatically authorizes apps that the user downloads from the App Store. The system also authorizes apps that a developer notarizes and distributes directly to users. The system prevents the launching of all other apps by default.

During development, it may be necessary for you to disable SIP temporarily to install and test your code. You don’t need to disable SIP to run and debug apps from Xcode, but you might need to disable it to install system extensions, such as DriverKit drivers.

Why do I need to disable SIP?

Sometimes you might need to run an application or a kernel extension (kext) file that isn’t developed by an identified developer so SIP won’t allow the app or the kext to run or you just might have deleted some files from your TimeMachine backup disk and you’re unable to empty the Trash because macOS has locked the files, so you have to disable the SIP to be able to empty the Trash.

Here’s how to disable and enable the SIP:

Disable System Integrity Protection Temporarily

To disable SIP, do the following:

  1. Restart your computer in Recovery mode by holding down the Command+R combination while system is booting.
  2. One the system has booted into the recovery mode launch Terminal from the Utilities menu.
  3. Run the command csrutil disable and press enter.
  4. You will see a message that “Successfully disabled System Integrity Protection. Please restart the machine for changes to take effect.
  5. Restart your computer.

Enable System Integrity Protection

To reenable SIP, do the following:

  1. Restart your computer in Recovery mode by holding down the Command+R combination while system is booting
  2. One the system has booted into the recovery mode launch Terminal from the Utilities menu.
  3. Run the command csrutil enable.
  4. You will see a message that "Successfully enabled System Integrity Protection. Please restart the machine for changes to take effect.
  5. Restart your computer.

You can check the status of SIP by running the command csrutil status in Terminal to see the current state of SIP.

If SIP is enabled you will see “System Integrity Protection status: enabled” and if SIP is disabled you will see “System Integrity Protection status: enabled.”

Warning

Disable SIP only temporarily to perform necessary tasks, and reenable it as soon as possible. Failure to reenable SIP when you are done testing leaves your computer vulnerable to malicious code.

Source: apple.com